Execution Protection problems..

Discussion in 'ProcessGuard' started by rodsoto, Sep 20, 2004.

Thread Status:
Not open for further replies.
  1. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Hi all, I disabled Learning mode on PG 3.0, and fired up a program that was not on the execution protection list..... It blocked the very first program, and asked to execute or deny.....

    The second, third, fourth program I executed that were not on the list were allowed to execute, and in the security tab, it had "Permit Once". However I was able to continue executing the program over and over, yet it still said "permit once". So two problems here, will e-mail DCS

    Rod
     
  2. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi Rod....long time no chat mate :).

    Yep, this has been reported a few times now and Jason is aware and working on it.


    Regards,
    Jade.
     
    Last edited: Sep 20, 2004
  3. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Jade!!!

    How are ya buddy?

    Yes I've e-mailed DCS, and Gav stated Jason is on the mark with this one, hope it gets resolved..... I LOVE MY PG!

    Rod
     
  4. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I had the exact same problem as you describe in the first post. I have just done a bit of investigating and found a cure on my machine

    What I did was to remove the 'Install Global Hooks' option for the CTFMON.EXE process.

    Then reboot.

    Give this a try and see if it sorts the problem, if it does then post here and one of us can inform DCS

    Hope this helps
    Tom
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done frogfoot, I have reported it to DCS directly, it may give Jason a lead.

    Pilli
     
  6. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Yep, hopefully it may lead to something. Nice one :).

    Regards,
    Jade.
     
  7. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    I don't even have CTFMON.exe in my protection list....bugger!
     
  8. Tatersalad

    Tatersalad Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    76
    I don't have it either. It's an Office XP process. I'm running Office 2000
     
  9. cjtc

    cjtc Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    22
    Location:
    Swindon, UK
    Well, I have it, but I'm not running Office XP, just Office 2000.
    Global hooks weren't enabled in learning mode.
     
  10. PG3

    PG3 Guest

    I don't know whether what I have seen on my XP Prof SP2 box with PG3 is the same issue as posted in this thread.
    PG3: high settings.
    With "new exe block" enabled: when I try to run a new exe, the log shows that the exe is blocked from running. Looking at the taskmgr.exe GUI, that exe is there anyway with a very small "footprint" of about 52KB - 60KB, and multiple such exes are in there too, corresponding to how many times I tried to get it to run. I have seen this symptom since PG2 and posted on this forum, but it was not addressed.
    I will try to register to be able to post images.

    Is there any "vulnerability" in such cases?
     
  11. tamquocchi

    tamquocchi Registered Member

    Joined:
    Sep 21, 2004
    Posts:
    3
    This is an image to show the "exe prot" issue?
    In fact, the symptom seems to occur with other exes, not just taskmgr.exe of Windows, for example, with wplayer.exe
     

  12. Tatersalad

    Tatersalad Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    76
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I have found the cause of this execution problem.

    When a global hook is created by whichever program (CTFMON.exe being the one most people are likely to encounter) it seems to taint pgaccount.exe, making it unable to do something it needs to work. This isn't a bug or problem with pgaccount.exe at all, it is due to the way Windows hooking works. Regardless, I managed to make pgaccount.exe untainted every time something like ctfmon.exe taints it again, which makes it work flawlessly.

    In the meantime, simply BLOCK GLOBAL HOOKS in the global protection options, and make sure any program like CTFMON.exe does not have Allow Global Hooks. Reboot your computer and the problem will be gone. Alternatively you can just make sure those programs which create this style of global hooks don't start up at all (you can disable ctfmon.exe for example).

    This bug in Windows hooking doesn't relate to ALL hooks, only some. So not every hooking program on your system needs to be removed. It may require some trial and error but you should be able to identify which programs are causing the issues.

    Hopefully a new beta will be out soon in a few days with this fix plus more.
     
  14. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Excellent stuff! Nice work Jason :cool: :D :D .

    Regards,
    Jade.
     
  15. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Well done Jason!
    Tom
     