help on PG free setting

Discussion in 'ProcessGuard' started by downripper, Jul 24, 2004.

Thread Status:
Not open for further replies.
  1. downripper

    downripper Registered Member

    Joined:
    May 14, 2004
    Posts:
    10
    24 Jul 12:47:48 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
    24 Jul 12:47:48 - [1 of 2] Success: Driver is active and secure.
    24 Jul 12:47:48 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
    24 Jul 12:47:49 - General Protection Options
    24 Jul 12:47:49 - [1 of 4] Block End-Task is enabled.
    24 Jul 12:47:49 - [2 of 4] Block Appinit registry key is enabled.
    24 Jul 12:47:49 - [3 of 4] Block Drivers/Services is enabled.
    24 Jul 12:47:49 - [4 of 4] Block Global Hooks is enabled.
    24 Jul 12:47:49 - [P] c:\program files\agnitum\outpos~1\outpost.exe [1612] tried to gain WRITE access on c:\program files\processguard free\dcsuserprot.exe [1500]
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\userinit.exe with commandline c:\windows\system32\userinit.exe was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\explorer.exe with commandline c:\windows\explorer.exe was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\ctfmon.exe with commandline ctfmon.exe was ALLOWED to run
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [460] was blocked from creating a global Shell hook [0000000A][00000000]
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [460] was blocked from creating a global GetMessage hook [00000003][00000000]
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [460] was blocked from creating a global CBT hook [00000005][00000000]

    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\regsvr32.exe with commandline "c:\windows\system32\regsvr32.exe" /s c:\windows\system32\schannel.dll was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\ctfmon.exe with commandline ctfmon.exe was ALLOWED to run
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [1524] was blocked from creating a global Shell hook [0000000A][00000000]
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [1524] was blocked from creating a global GetMessage hook [00000003][00000000]
    24 Jul 12:47:49 - [HOOK] c:\windows\system32\ctfmon.exe [1524] was blocked from creating a global CBT hook [00000005][00000000]

    24 Jul 12:47:49 - [EXECUTION] c:\windows\ime\imjp8_1\imjpmig.exe with commandline "c:\windows\ime\imjp8_1\imjpmig.exe" /spoil /remadvdef /migration32 was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\ime\tintlgnt\tintsetp.exe with commandline "c:\windows\system32\ime\tintlgnt\tintsetp.exe" /sync was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\ime\tintlgnt\tintsetp.exe with commandline "c:\windows\system32\ime\tintlgnt\tintsetp.exe" /imename was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\ltsmmsg.exe with commandline "c:\windows\ltsmmsg.exe" was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\progra~1\nsclean\boclean\boclean.exe with commandline "c:\progra~1\nsclean\boclean\boclean.exe" was ALLOWED to run
    24 Jul 12:47:49 - [P] c:\program files\agnitum\outpos~1\outpost.exe [1612] tried to gain READ,WRITE access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [P] c:\program files\agnitum\outpos~1\outpost.exe [1612] tried to gain READ access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [P] c:\windows\system32\lsass.exe [820] tried to gain READ access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [P] c:\windows\system32\lsass.exe [820] tried to gain READ,WRITE access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [P] c:\windows\system32\lsass.exe [820] tried to gain READ,WRITE access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [HOOK] c:\program files\nsclean\boclean\boclean.exe [420] was blocked from creating a global Shell hook [0000000A][00000000]

    24 Jul 12:47:49 - [P] c:\windows\explorer.exe [856] tried to gain READ access on c:\program files\nsclean\boclean\boclean.exe [420]
    24 Jul 12:47:49 - [EXECUTION] c:\program files\eset\nod32kui.exe with commandline "c:\program files\eset\nod32kui.exe" /waitservice was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\progra~1\nsclean\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\progra~1\agnitum\outpos~1\outpost.exe with commandline "c:\progra~1\agnitum\outpos~1\outpost.exe" /waitservice was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\windows\system32\ctfmon.exe with commandline "c:\windows\system32\ctfmon.exe" was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\program files\microsoft office\office11\onenotem.exe with commandline "c:\program files\microsoft office\office11\onenotem.exe" /tsr was ALLOWED to run
    24 Jul 12:47:49 - [EXECUTION] c:\program files\processguard free\procguard.exe with commandline "c:\program files\processguard free\procguard.exe" -minimize was ALLOWED to run
    24 Jul 12:48:15 - [P] c:\program files\nsclean\boclean\boclean.exe [420] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard free\dcsuserprot.exe [1500]
    24 Jul 12:48:43 - [EXECUTION] c:\windows\system32\taskmgr.exe with commandline taskmgr.exe was ALLOWED to run
    24 Jul 12:49:39 - Process Guard GUI was shut down
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Downripper, in the full version you can give Outpost any Allow privileges it needs if it is on your protection list. The same applies to BoClean, although I do not run it.

Regarding ctfmon.exe - you could add it to your protection list and Allow it Global hooks. I have not, as there have been no detrimental effects on my system. :)

The trial version does not allow you to add more than one program to the protection list, but it is just to show that Process Guard is compatible with your PC.

    HTH Pilli
     
    Last edited: Jul 24, 2004
  3. downripper

    downripper Registered Member

    Joined:
    May 14, 2004
    Posts:
    10
    Hi Pilli,

If a program is added to the protection list, is it safe not to block anything? Am I right here? o_O
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Not exactly :) When a program is put on the protection list it automatically has the first four block flags.
When you add new programs you can give them Allow flags; these Allow flags only apply to protection list programs.
As an example, you may have xxx.exe and yyy.exe on your list. Both xxx and yyy have the first four blocks by default, but yyy needs to access or read xxx to work properly, so you then give yyy the Allow read flag; it can now read any of the programs on the protection list. So any protection list program's Allow flags override any protected program's block flags.
This is the only logical way that Process Guard could work to afford the necessary protection without compromising program functionality.

Any non-protected program, such as a Trojan, will not have any privileges, so it will be stopped from accessing protection list programs by Process Guard.
Any changed or new .exe's will be shown by the checksum list and a request made to the user on how to handle it: Allow, Allow once, Block or Block once. :D

    HTH Pilli
     
    Last edited: Jul 24, 2004
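The Allow/Block rules described above, worked through as an added example (this is not ProcessGuard's own code): a small model of the protection list is run over constructed [P] log lines in the format quoted earlier in the thread. The protection list contents and the Allow flags in it are assumed for illustration; ProcessGuard's real flag names and internal logic are not on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, in the "[P] <src> [pid] tried to gain <access> access on <dst> [pid]" format quoted above.
SAMPLE_LOG = [
    r"24 Jul 12:47:49 - [P] c:\program files\agnitum\outpos~1\outpost.exe [1612] tried to gain READ,WRITE access on c:\program files\nsclean\boclean\boclean.exe [420]",
    r"24 Jul 12:48:15 - [P] c:\program files\nsclean\boclean\boclean.exe [420] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard free\dcsuserprot.exe [1500]",
    r"24 Jul 12:47:49 - [P] c:\windows\system32\lsass.exe [820] tried to gain READ access on c:\program files\nsclean\boclean\boclean.exe [420]",
    r"24 Jul 12:47:49 - [P] c:\windows\explorer.exe [856] tried to gain READ access on c:\windows\system32\ctfmon.exe [460]",
]

LINE_RE = re.compile(r"\[P\] (?P<src>.+?) \[\d+\] tried to gain (?P<acc>.+?) access on (?P<dst>.+?) \[\d+\]$")

@dataclass(frozen=True)
class Protected:
    """A program on the protection list: blocks every access type by default,
    plus whatever Allow flags the user granted it (hypothetical values below)."""
    path: str
    allow: frozenset = frozenset()

# Hypothetical protection list: outpost.exe was given Allow READ, the other two got no Allow flags.
PROTECTED = {p.path: p for p in (
    Protected(r"c:\program files\agnitum\outpos~1\outpost.exe", frozenset({"READ"})),
    Protected(r"c:\program files\nsclean\boclean\boclean.exe"),
    Protected(r"c:\program files\processguard free\dcsuserprot.exe"),
)}

def parse(line):
    """Split a [P] log line into (source path, set of access types, target path)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"].lower(), frozenset(a.strip() for a in m["acc"].split(",")), m["dst"].lower()

def decide(protected, src, access, dst):
    """Apply the rules from the post: block flags only guard protected targets;
    an unprotected requester has no privileges; a protected requester's Allow
    flags override the target's block flags for those access types."""
    if dst not in protected:
        return "ALLOW", frozenset()
    requester = protected.get(src)
    if requester is None:
        return "BLOCK", access
    denied = access - requester.allow
    return ("BLOCK", denied) if denied else ("ALLOW", frozenset())

def evaluate(log, protected):
    """Return (source exe, target exe, verdict, denied access types) per [P] line."""
    results = []
    for line in log:
        parsed = parse(line)
        if parsed:
            src, acc, dst = parsed
            verdict, denied = decide(protected, src, acc, dst)
            results.append((src.rsplit("\\", 1)[-1], dst.rsplit("\\", 1)[-1], verdict, sorted(denied)))
    return results
```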
  5. downripper

    downripper Registered Member

    Joined:
    May 14, 2004
    Posts:
    10
    I just bought my copy of PG full. :)

    I have tried to add ctfmon.exe to the protection list and enable global hook for this process. Many applications require access to this process. Therefore, I removed it from the list.

If ctfmon.exe is protected, there are lots of messages claiming the running application is trying to gain access to ctfmon.exe. But, as far as the input method is concerned, it works just fine despite all the messages.

    Without protecting the process, the message only comes up occasionally during startup. I believe it is related to the language bar. Every time the message is shown on PG window log, the language bar is gone. There are also a couple of processes related to this, namely

    IMJPMIG.exe
    TINTSETP.exe

    These two processes are started up with ctfmon.exe without any complaint.

    If the messages are not shown in PG window log, the language bar loads just fine. o_O
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Downripper, I ignore ctfmon.exe messages such as these:
    26 Jul 10:32:56 - [EXECUTION] c:\winnt\system32\ctfmon.exe with commandline ctfmon.exe was ALLOWED to run
    26 Jul 10:32:56 - [HOOK] c:\winnt\system32\ctfmon.exe [3732] was blocked from creating a global Shell hook [0000000A][00000000]
    26 Jul 10:32:56 - [HOOK] c:\winnt\system32\ctfmon.exe [3732] was blocked from creating a global GetMessage hook [00000003][00000000]

I do not have ctfmon on my protection list.

    HTH Pilli
     