Is this normal with ProcessGuard?

Discussion in 'ProcessGuard' started by dja2k, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I resently noticed that ProcessGuard was blocking some of my programs form working well. For example, Winfast WinTV, Limewire, and WinAVI all were blocked from accesing physical memory and installing global hooks yet they wouldn't work properly unless allowed to do those things when before they were not allowed and still worked fine. Is this normal for this programs to suddenly want to be allowed to access physical memory?

    dja2k
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi dja2k, If you are putting these programs in your protection list and they are trusted then allow them the flags that they need. There could be many reasons why they appear tohave changed what PG needs to allow depending on the applications state or needs at a particular time. Providing you are not getting an unexapected alert from the new or changed on your security list re. those apps then I would not worry.

    As an aside, why do you publish your list of security apps in your signature? That in itself could be deemed a security risk by some. :)

    HTH Pilli
     
  3. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks for the advice. The wierd thing is that before, these programs wouldn't ask of that? I am thinking maybe something got messed up in processguard. Would it be advicable to delete all the entries, put it in learning mode for a couple of days and make it reset itself? I am scared that one of my other security programs might have to stop something and wont be able to access memory or install hooks when it needs too. Remember, ewido did it to me and it hadn't before.

    Now explorer.exe is asking to allow access to physical memory, should I allow it?

    dja2k
     
    Last edited: Oct 7, 2005
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    "Now explorer.exe is asking to allow access to physical memory, should I allow it?"

    It should be safe to do this as long as explorer.exe has not changed recently.

    Each PC is different and the inter-reactions will vary as to what flags you may have to allow. Trusted programs should normally be given the flags that theyy need.
     
  5. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    No , no program has changed cause it hasn't asked for program change allowance. All they are doing is asking for access to physical memory all of a sudden. Like winfast wintv won't show any tv channel unless I allow it to access physical memory. Limewire doesn't run unless I allow physical memory is allowed as well.

    dja2k
     
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I don't know anymore, but a lot of programs are asking to be allowed to install hooks and access memory that I am sure didn't before. Maybe all this time, processguard was not working and now it is and that is why I am seeing all the blocking stuff, don't really know, and never had this situation before. Makes me want to clean install windows and do everything all over again. I cleared everything from the lists and made it do a new list and still the same thing.

    dja2k
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    explorer.exe doesn't need to access physical memory on my system (it just wants global hooks).

    I wonder if it does on anyone else's machine.
     
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Well on mine it does, if not it doesn't show tumbnails, at least that is where I saw it blocking physical memory. Also should browsers be allowed to access physical memory? Also my winfast doesn't show any cable channels unless I allow it to access physical memory. Also dvdshrink doesn't preview any video unless I access physsical memory. The list goes on and on if I want, see more.....

    More:
    winlogon
    ewidosuite
    limewire
    msn messenger
    iexplorer
    firefox
    mediaplayer classic
    smss.exe
    Isass.exe
    svchost.exe
    ntvdm.exe
    alg.exe

    Should services.exe, winlogon, smss.exe, and csrss.exe be allowed to terminate protected applications? - cause that is what they have checkmarked....

    dja2k
     
    Last edited: Oct 14, 2005
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Dja2k,

    A program given physical memory access has the potential to do considerable damage and even disable ProcessGuard itself (see SDTRestore for an example) so it does make sense to be cautious about allowing such access.

    For Windows components, PG allows Physical Memory access by default to csrss.exe, lsass.exe, ntvdm.exe, smss.exe and winlogon.exe - these should not be changed unless you fancy breaking Windows.

    Other programs may require such access to function (e.g. the 3DMark benchmark and the DirectX troubleshooting tool dxdiag.exe) and should be allowed it if you consider them trustworthy.

    However the situation you describe of programs working without such access and then all suddenly requring it does sound strange (and possibly suspicious). Having said that, most of the programs on your list do have legitimate need so have things actually changed or have you simply created a new PG configuration or enabled the global "Protect Physical Memory" option?

    Browsers should never be given such access in my view (Opera tries it when its preferences are changed but continues working when blocked) since they are prime targets for malware attack and I would be leery about P2P clients as well. If these refuse to work without such access, then the problem may lie elsewhere, maybe with other software you have installed that changes their behaviour.
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I have always had all but learning and blocked new and changed applications checkmarked in the main tab for protection. I haven't changed anything else. Did try to uninstall and start over, but the same thing is happening again. Don't really know why though. Also I don't know why services.exe, winlogon, smss.exe, and csrss.exe are being allowed to terminate protected applications? - cause that is what they have checkmarked....

    dja2k
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    As mentioned above, most of what you listed has legitimate need for physical memory access. If you need to start from scratch, you can save yourself the hassle of uninstall/reinstall by just clicking the Reset to Default button in the Protection tab.
    Default settings again - they are allowed because these are Windows components and Windows does need to be able to terminate processes (not least ones that crash).
     
  12. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    The only thing I have installed that might have changed the behavior of processguard is samurai and harden-it which were installed a while back. Don't really remember if the problems with processguard happened right after that.

    dja2k
     
  13. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Well I just proved that processguard is doing its job like normal though never understood why before it didn't ask me about the access physical memory and now it does Anyways I have done a clean install of windows today and as normal used the list below for my security defense. ProcessGuard still asking for access to physical memory as before. I guess I will let it do its work and allow that and let Prevx1 and Online armor protect it. I also turned off process execution from ProcessGuard as Online Armor can take care of that.

    KAV Pro 5.0.390 (Extended Database)
    Look 'n' Stop 2.05p2 (Phantom Rules)
    Regdefend 2.001 (Full)
    ProcessGuard 3.150 (Full)
    RegRun Gold 4.10
    Prevx1 (Trial Expires 01-18-05)
    Online Armor 1.1 (Full)
    SpywareBlaster (All Active)
    Spybot Search & Destroy (Immunized)
    SafeXP
    Harden-IT (Best Config)
    Samurai (Medium\High Security)
    Sandboxie (Using with Firefox)
    Firefox 1.0.7 (NoScript+Adblock)
    MVPS Host File
    IE-SPYAD

    dja2k
     
    Last edited: Oct 20, 2005
  14. mollyman

    mollyman Registered Member

    Joined:
    Oct 12, 2004
    Posts:
    28
    Sometimes l get that with Firefox but l disallow it,l think maybe it's just some websites?
    But l'm for sure not going to allow it to access memory.
     
  15. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Its not just my browsers, its other programs as well like I said before, like dvdshrink, winfast wintv, limewire, and sometimes explorer.I think it was either safexp, samurai, or harden-it that cause that behavior in processguard. As I said, this is a clean install and still processguard acts like before. So I guess as long as I don't let my browsers access physical memory, the rest of the local programs are okay to allow physical memory? But like today I went to the tvguide site and when I clicked on a tv show link to show details, PG right away said that Firefox wanted to be allowed to access physical memory, I didn't allow it, and what do you know, Firefox shut down. I don't even know what allow physical memory is, but I am guessing it wants to read or write to some virtual space or something, though if I have all the other security programs which protect installations and running processes, then if I allow a program to access physical memory that I wasn't suppose to, the other programs would catch anything that passed by right? I might be wrong though, but what do you think? Am I still safe if ProcessGUard is doing that and I allow physical memory while I run all the other secuirty apps like kav pro 5, prevx1, online armor, and regdefend + all the hardening I have done to my system?

    dja2k
     
    Last edited: Oct 21, 2005
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You should AVOID the Samurai option to clean rootkit hooks, or deny Samurai access to Physical Memory as discussed here

    https://www.wilderssecurity.com/showpost.php?p=495163&postcount=24

    Just in case that is throwing a spanner in the works..

    It could be a problem with your many security programs, one of PG's hooks could be overwritten, or it could be an unhooking problem due to "double hooking". By the sounds of it then there is a sort of incompatibility somewhere there and my first guess is that it's caused by something like this. If you are going to experiment, then try removing a few of those programs and reinstalling one by one to see if the problem a) goes away and b) returns..
     
  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I am not running samurai with the Rootkit Protection on. I avoided that Rootkit protection a long time again when I heard it wasn't stable and in beta. Samurai is not allowed to access physical memory in PG.

    dja2l
     
Thread Status:
Not open for further replies.