Help understanding PG actions

Discussion in 'ProcessGuard' started by dwgallien, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. dwgallien

    dwgallien Guest

    We need help in understanding what PG is doing as indicated by the log entries as follows. We searched through the forum and found a few related threads but these did not seem to adequately answer these questions.

    c:\windows\system32\services.exe [756] Tried to modify an existing driver/service named naveng

    In this case, Windows' services.exe has been called by a Norton AV admin program to change an unprotected Norton AV driver (a downloaded update). Services.exe is configured to be Allowed all priviledges.

    c:\program files\common files\symantec shared\ccapp.exe [2004] Tried to modify an existing driver/service named symredrv

    In this case, ccapp has been Allowed all priviledges; symredrv is an unprotected driver.

    We have seen similar entries with msg [516] where a PG protected Norton program "tried to modify" another PG protected Norton program. The former has been Allowed all priviledges.

    1. Does "tried" indicate that the change was attempted but failed? (We noted that the same msg is reoccuring, suggesting that a needed update is not happening.)
    2. Why is PG blocking the Allowed services.exe from modifying the unprotected driver? (The General Protection Option is set to Block Driver Installs, but we understood that Allowing a program Write priviledge overrides the General setting.)
    3. When two programs are both protected and Allowed all priviledges, can one still have Write access to another? In other words, does the Allow take precedence over the Block? If so, why the block in [516] above?

    It appears we need a bit of education.

    Thanks much in advance,

    -DWG
     
    dwgallien, Jun 25, 2004
    #1
  2. dwgallien

    dwgallien Guest

    Moderator, if you wish you can remove this thread.

    We have egg on our face . . . think we discovered our oversight. We were only looking at the Allow and Block privileges settings, and failed to consider the program specific Options settings. This would seem to address all of our questions.

    Sorry for the fire drill.

    -dwg
     
    dwgallien, Jun 25, 2004
    #2
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi dwgallien,
    Glad you worked it out, it can take a while to get your head round some of the interactions.

    Enjoy your weekend - Pilli :D
     
    Pilli, Jun 26, 2004
    #3
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    "tried to modify" does indeed mean that it tried to modify the driver, but Process Guard blocked it from doing so.
     
    Jason_DiamondCS, Jun 27, 2004
    #4
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...