Hook & Modification Attempts

Discussion in 'ProcessGuard' started by Baldrick, Apr 18, 2004.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi there

    The exploration of Process Guard v2.000 continues.......and I much like what I see. Effective and light on resources. However, I have some further questions about Global Hook attempts and attempts to modify services/drivers.

    I run NIS2004 and since switching on the Global Hook Protection feature (with a number of the key NIS2004 components protected from modification but all allowing Global Hooks..........thanks to siliconman01 for the steer) I have started noticing instances of:

    "c:\windows\system32\services.exe tried to modify......"

    either NAVEX15 or NAVENG.

    Why should it want/need to do this? Should I protect services.exe and give it modifications rights on other processes?

    Similarly, I have noticed that:

    "c:\windows\system32\taskswitch.exe was blocked from creating a global low level keyboard hook"

    "c:\program Files\logitech\mousewares\system\em_exec.exe was blocked from creating a......."

    either "global Get Message Hook "

    or "global CBT Hook "

    Again, why should it want/need to do this? Is this legitimate activity? And if so should I protect each .exe (using default Block & Allow permissions) and set Allow Global Hooks for each?

    Any thoughts or advice gratefully accepted.

    Best regards


    Baldrick
     
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I have added Services to PG with ALLOW flags as Write, SetInfo, Terminate, Suspend. In OPTIONS, I have Allow Global Hooks and Allow Driver/Services Install.

    I have em_exec.exe protected by PG; however, have not seen any conflicts requiring any ALLOW flags or OPTIONS. I don't see any reason why you cannot give it OPTIONS- Allow Global Hooks.

    I have added Taskswitch.exe to PG with ALLOW flags as Write, SetInfo, Terminate, Suspend. In OPTIONS, I have Allow Global Hooks.

    I'm not sure "why" these pgms require these settings; but these are the settings I have found stop the RED logs on them. Perhaps Jason or someone else can get into the "technicals" of them.

    BE SURE TO LEAVE THE STANDARD BLOCKS ACTIVE ON THESE.
    HTH
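As an added illustration of the review step the two posts above are doing by hand (not code from the thread or from ProcessGuard), this script parses alert lines in the format Baldrick quoted and applies a hypothetical path-pinned allow list mirroring siliconman01's settings; every alert, path and policy entry below is constructed for the example.

```python
import re

# Constructed sample alerts in the wording quoted in the thread (hypothetical paths).
SAMPLE_ALERTS = [
    r"c:\windows\system32\services.exe tried to modify NAVEX15",
    r"c:\windows\system32\taskswitch.exe was blocked from creating a global low level keyboard hook",
    r"c:\program files\logitech\mousewares\system\em_exec.exe was blocked from creating a global Get Message hook",
    r"c:\program files\logitech\mousewares\system\em_exec.exe was blocked from creating a global CBT hook",
    r"c:\users\public\updater.exe was blocked from creating a global low level keyboard hook",
]

# Hypothetical review policy: a binary may set global hooks (or modify other
# processes) only when it runs from exactly the reviewed path. Pinning the full
# path keeps a same-named copy elsewhere from inheriting the exemption.
HOOK_ALLOWED_PATHS = {
    r"c:\windows\system32\taskswitch.exe",
    r"c:\program files\logitech\mousewares\system\em_exec.exe",
}
MODIFY_ALLOWED_PATHS = {r"c:\windows\system32\services.exe"}

HOOK_RE = re.compile(r"^(?P<path>.+?) was blocked from creating a global (?P<hook>.+?) hook\s*$", re.I)
MODIFY_RE = re.compile(r"^(?P<path>.+?) tried to modify\s*(?P<target>.*)$", re.I)


def parse_alert(line):
    """Split one alert into the acting process path, the alert kind and its detail."""
    m = HOOK_RE.match(line)
    if m:
        return {"path": m["path"].lower(), "kind": "hook", "detail": m["hook"].lower()}
    m = MODIFY_RE.match(line)
    if m:
        return {"path": m["path"].lower(), "kind": "modify", "detail": m["target"].strip()}
    return None


def triage(line):
    """'allow' for a reviewed binary at its pinned path, 'review' otherwise."""
    alert = parse_alert(line)
    if alert is None:
        return "unparsed"
    allowed = HOOK_ALLOWED_PATHS if alert["kind"] == "hook" else MODIFY_ALLOWED_PATHS
    return "allow" if alert["path"] in allowed else "review"


def triage_all(lines):
    """Pair each alert line with its triage decision."""
    return [(line, triage(line)) for line in lines]


if __name__ == "__main__":
    for line, decision in triage_all(SAMPLE_ALERTS):
        print(f"{decision:8} {line}")
```

The last sample alert shows the point of path pinning: a keyboard-hook attempt from an unreviewed location is flagged for review even though the same hook type is allowed for taskswitch.exe.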
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi siliconman01

    Thanks as ever for the info/advice. I have followed this and will see if it does the trick.

    At present no other red logs but I will keep my eyes open.

    Best regards



    Baldrick :D
     