Disable the PG_MSGProt.exe service?

Discussion in 'ProcessGuard' started by nameless, Jan 28, 2004.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I have nothing configured within Process Guard to use WM_CLOSE handling. So, I don't need PG_MSGProt.exe, and don't want it using memory and CPU time unnecessarily.

    However, I realize that whether or not I need PG_MSGProt.exe personally has no bearing on whether or not Process Guard needs it. Can I hack this service into disabled mode, without wreaking havoc? (I realize that Process Guard tries to prevent the service from becoming disabled, but there are of course ways around that.)
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    If you're not using any Close Message Handling protection then yes you should be ok to not use PG_Msgprot.exe. I haven't tried this, but it should work:
    - From inside PG, Disable All Protection (it's literally like an On/Off switch)
    - Then close PG, so that procguard.exe is no longer running
    - Now, terminate PG_Msgprot.exe using a tool such as Task Manager or our own APT.
    - Then, rename PG_Msgprot.exe to something else (PG_Msgprot.bak for example)

    Try that and see how it goes. Good luck! :)
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Thank you, Wayne! I found that I was able to disable the PG_MSGProt.exe service after disabling protection and closing procguard.exe. If I find out that Jason has sneaky code ( :D ) in there to automatically re-enable the service, I'll rename the file itself as you suggest. The heart of the question was "Is it safe...?" and you answered that.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And hopefully no malware-writers will be able to finagle that info into a way in. Pete
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Well, even with protection enabled, issuing the following command was enough to stop close message interception:

    net stop "DiamondCS Process Guard Message Protection"

    Try it--issue the above command from Start > Run.
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    This issue has already been submitted in the beta forum.
    I admit I haven't tried yet to see whether the problem was corrected or not.
    It should have been thought of for the 1.200 version; do you have the latest?

    If it's not corrected, maybe it will be fixed in the next release.
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I'm running 1.200. The "net stop" command works with that version.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    That doesn't sound particularly reassuring?

    Is that only a command you can give at the computer - or can that command somehow be forced from the outside? Pete
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    It is like any other EXE on your system. NET.EXE is a local program.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    That wasn't the question.

    I don't care if I can shut it down by sitting here and typing something on my computer - I would expect to be able to do that.

    Can someone in the outside world (who's not physically sitting in front of your computer) do the same thing from outside? Pete
     
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    But I did answer the question you asked. The command (net stop) uses a local EXE. It can be "forced from the outside" or invoked just like any other EXE on your system could: By way of a malware file you run, or by a remote-access trojan.

    You shouldn't be so quick to expect the "net stop" command to work. It can be disabled (for example, KAV won't let you do it).
     
  12. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Thanks for mentioning this.

    I thought the beta testers were referring to procguard.sys (which can't be stopped, even with net stop, etc). I will add this also to PG_MSGProt.exe so it cannot be stopped unless protection is disabled for v1.250. PG_Msgprot protection isn't THAT vital, compared to the driver, so it isn't that big an issue security-wise.

    -Jason-
     