Has PGuard gone bonkers or....

Discussion in 'ProcessGuard' started by paperinik3, Dec 4, 2004.

Thread Status:
Not open for further replies.
  1. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
...or is it me? I really don't know if I should post here or at TDS... Well, here it is. I clicked TDS3 to get the update, the download began and suddenly PGuard jumped up and told me:
    "Are you sure you want to perform this action?
    Process Name: C:\∞...\tds3.exe
    Window Name: ThunderRT6TormDC
    Message Type: WM_Destroy"
    I performed my human identification and immediately TDS gave me three alerts ("file has changed"):
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\System32\wininet.dll
    C:\WINNT\System32\shell32.dll
    I really couldn't make head or tail of these messages. Anyway, as I had noticed that the TDS site had given me an incorrect update (an old file: 42746 references etc. instead of 42955), I went to the turvamies site and manually downloaded the update. PGuard jumped up again and gave me a similar WM_Destroy message.
    What does all this mean? Can someone throw some light into the cave of my ignorance?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi paperinik, what parts of TDS3 do you have on your protection list, and with what allows and blocks?

    I have TDS3 set as follows: Allowed to Modify + Read, Blocked from Termination and Modification, and Secure Message Handling enabled, and I have taught it the three normal exit methods: X, Exit and Close.

    I do not have update.exe nor DCSmutex.exe on my protection list, though they are both on the execution list.
    DCSmutex.exe changes regularly and will require you to re-allow its execution each time that it is changed.

    HTH Pilli
     
  3. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Hi Pilli, thanks for the prompt reply. I have on the protection list: tds-3.exe; tdscrc32.exe; execprot.exe; dcsmutex.exe - all allowed to Read + Modify and blocked from Modification + Termination.
    By the way, I received a similar message when running Opera (same Allowed and Blocked + Secure Message Handling).
    Please explain how you "teach TDS the three normal exit methods" - I grovel in the agony of my ignorance.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
I really do not see the need for tdscrc32.exe, execprot.exe and dcsmutex.exe to be on the protected list. TDS3 protects them already. As far as I know only TDS-3.exe needs to be on the protection list; if the others were to change then execution protection will tell you. As I said in my last post, DCSmutex.exe is regularly updated. This is probably why you are getting all the PG alerts.
    Secure Message Handling (SMH) only needs applying to programs with a GUI that can be exited easily, and should be limited to internet-enabled and security programs only.
    Note: KAV and ZA do not require ZA, nor will password-protected apps under normal circumstances.

    To train SMH for, say, TDS3, first clear SMH on TDS3 and reload, then re-enable SMH.
    Whilst holding the Insert key down, click the X - TDS may ask for an HID or just close. Restart TDS and, with the Insert key held down, right-click the tray icon and select Exit; again TDS may close or give an HID. Restart TDS3 and then, from the TDS menu, select Quit with the Insert key held down.

    Remember that if you have a sub window opening and it shows an HID, only click OK and NOT OK to All, as this will allow the main GUI to be closed in the normal manner.

    SMH is a unique and complex concept which requires some thought when applied to any program, but it does add a very strong layer to one's security.

    HTH Pilli
     
  5. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
I have tried to follow your prescriptions, but as soon as I clicked the X while holding down the Insert key I got a balloon: "dcuserprot.exe was blocked from modifying tds-3.exe" - a permanent balloon, because it is still there. What should I do now?
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
You need to give DCSuserProt the allow modify flag, which should have been set by default.
    Open the main PG GUI and select the Alerts tab. Click the logfile and cut and paste here the section which includes the actions you have taken today.

    Thanks Pilli
     
  7. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    <text log file attached>
     

    Last edited by a moderator: May 18, 2006
  8. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    <text log file attached>
     

    Last edited by a moderator: May 18, 2006
  9. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Something has gone awry: on the main forum page you see that there are 5 replies in this thread, the last being at 7.02 pm by Pilli, but if you open it you can see the seventh reply at 7.32 pm with the log I sent!
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Are you sure that you have given DCSuserProt the allow modify flag?
    Because that is what it looks like from here.
    Try your actions again with PG in learning mode, then disable learning mode and try again.
    One other thing: make sure you have not enabled "Block new and changed applications".

    I'm off for a beer now :)

    I know nothing about the forum clock, but it is based on your time zone I guess.

    Cheers. Pilli
     
  11. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Pilli, a) I found out that dcsuserprot.exe was neither in the protection list nor in the execution list, so I put it in the protection list. Then
    b) I retried the process, first in normal mode and then in learning mode, and went as far as the Insert key and the X: it gave me an HID, I complied and it gave a second HID.... After the twelfth successive HID I quit. I am afraid I am not up to this titanic task.....
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi paperinik, it appears to me that you may not have followed the initial set-up instructions correctly, but all is not lost :)

    Remove Secure Message Handling from the programs you have applied it to.

    In the protection window click "Reset to default", now disable the four "General" tabs, then put ProcessGuard into learning mode, run all of your security and internet-enabled programs and reboot. Now re-enable the four "General" tabs, run your programs again and reboot. This should correct your earlier problems.

    Now read the help and my previous posts regarding Secure Message Handling and apply it with care. :)

    Pilli
     
  13. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Hi Pilli, thank you for your instructions: I have perused them and tried again. There is just a point where I may have misunderstood them. What I have understood is: when I click on X (or Close or Exit) and the program asks for a Human Identification, I should only click OK and not "OK TO ALL". Well, if I do this I get a new HID and then another - ad infinitum. If instead I click on OK TO ALL, the program closes and that is that.
    Did I misunderstand your instructions?
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi paperinik, well, you may have misunderstood :)
    If you wish to close a program you do "OK to all". If, however, it is a sub window of a program, then you usually only need to do an "OK" to close that sub window. Doing an OK to all on a sub window will close SMH on that program completely, thus you would not get an HID when using the X, Exit etc. after closing a sub window. :D
    As I said before, SMH is quite complex; in fact I know of no other program with SMH capabilities apart from those that only protect themselves.

    Cheers. Pilli
     
  15. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Hi Pilli, thank you so much for your helpfulness and patience! Now everything seems to be in order.
    A last question (if I may abuse your patience). Would you apply SMH to each of these applications, or do you think it unnecessary?
    outpost.exe
    nod32.exe
    nod32cui.exe
    pgaccount.exe
    ewidoguard.exe
    spybot.exe
    Cheers
    Paperinik3
     