LnS & RegRun Process

Discussion in 'ProcessGuard' started by Jazzie1, Feb 11, 2004.

Thread Status:
Not open for further replies.
  1. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!
    I have LnS and RegRun 3.90 protected with PG using the default Block and ALLOW all unchecked. I have BOTH looknstop.exe and watchdog.exe with Close Message Handling enabled. The problem I have is that when I go to manually shut down LnS (taskbar), I get the "Human confirmation Required" window as I should, and then when I click on cancel "TWICE" it goes away and LnS EXITS, which by rights shouldn't happen! With RegRun I get the same "HCR" window, and instead of canceling the request I put in the code that it shows, and the window goes away and RegRun crashes with the following in the PG logs: c:\windows\system32\dwwin.exe [3476] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\greatis\regrunsuite\watchdog.exe [2036], which is part of the Microsoft Application Error Reporting process. Has anyone found a workaround for this or a possible solution?

    Thx
    Jazzie
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Look'n'Stop has its own protection against the WM_CLOSE attack; you don't need to enable Close Message Handling on it, just go into the LnS options and find "Lock configuration" (or something like that).
     
  3. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    I realise this, gkweb! That is not the point. If LnS exits on its own without PG granting it, then something is not right! (Especially if you click on cancel twice!) I also realise that nothing is perfect. But the truth still remains that two processes of mine exit without the desired results!!!

    Jazzie
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I'm sure DCS will provide you answers, but as far as I know, CMH is still in development and not completely finished.
    Moreover, each security application developer could far more easily protect their product during the development stage, since the WM_CLOSE message is a graceful _ask_ to terminate; the app just has to answer NO.
     
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The next version of PG has some Close Message Handling changes that will probably fix a lot of issues regarding it.

    -Jason-
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, as gkweb said, close messages are virtually the only termination method that processes can handle on their own, as it's a graceful termination request. When you press the "X" button in the top-right-hand corner of an application to close it, a message is sent to that window, basically just saying "Close". The application can then respond Yes or No, and in the case of security programs, it should return No.

    However, one could also argue that in-built protection against close messages is useless seeing as a trojan could just forcefully terminate the process instead, but if it means that the process is protected against one attack, then something is better than nothing.

    Just one thing to be aware of ... even if an app protects itself from close message handling, unless it uses a form of human verification it will still be vulnerable if it simply displays a messagebox saying "Are you sure you want to close? Yes/No", because a trojan can then intercept the creation of that messagebox and click on the Yes button, all without the user seeing.

    So even if a security app does have some protection against close messages (you can test simply by pressing the "X" button in the top-right-hand corner of each window), it's still a good idea to let Process Guard provide CMH protection as it can then provide human verification. :)
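
An added example, not part of any post in this thread and not code from Look'n'Stop or Process Guard: a portable C model of the window-procedure decision described above, where a locked application declines close requests without showing a prompt and only a password entered in its options clears the lock. The message values match the Win32 headers; `GuardedApp`, `guarded_wndproc`, `guarded_unlock` and the sample password are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Message and command values as defined in the Win32 headers. */
#define WM_CLOSE      0x0010u
#define WM_SYSCOMMAND 0x0112u
#define SC_CLOSE      0xF060u

typedef struct {
    int locked;          /* 1 = configuration locked, close requests declined */
    int alive;           /* 1 = window (and process) still running */
    int refused;         /* close requests declined while locked */
    const char *secret;  /* unlock password; constructed sample value */
} GuardedApp;

/* Compare without stopping at the first differing byte. */
static int same_secret(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Called from the options dialog, the only path that clears the lock. */
int guarded_unlock(GuardedApp *app, const char *entered) {
    if (entered != NULL && same_secret(entered, app->secret))
        app->locked = 0;
    return !app->locked;
}

/* Returns 1 if the message was consumed, 0 if default handling would run. */
int guarded_wndproc(GuardedApp *app, unsigned msg, unsigned long wparam) {
    switch (msg) {
    case WM_SYSCOMMAND:
        /* The low four bits of wParam are used internally by the system. */
        if ((wparam & 0xFFF0u) != SC_CLOSE)
            return 0;
        /* fall through */
    case WM_CLOSE:
        if (app->locked) {   /* decline silently: no Yes/No box to click */
            app->refused++;
            return 1;
        }
        app->alive = 0;      /* unlocked: honour the close request */
        return 1;
    default:
        return 0;
    }
}
```

As the post notes, this only covers the graceful request; forced termination of the process never reaches the window procedure.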
     
  7. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Thx for the reply Jason, will wait to see if this problem or bug is fixed in a newer version! Thx for the Drawn out reply Wayne! :D

    Jazzie
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Look'n'Stop found the solution, Wayne: when the application is locked, there is no popup, nothing; you have to go to the options and enter your password to unlock it :)
     
  9. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Actually no, it didn't, geekweb! I guess you missed the point I was trying to make! If "any" app has the human verification window and it is canceled a few times and "it" disappears and so does the app you were going to close, then it is an internal bug in the process handling of Process Guard! It doesn't mean that just because an app has that protection already and it reacts buggily within Process Guard, you simply "push it under the rug and ignore it!", because there are a lot of other apps that die the same way that don't have this built-in protection! But hey, at least you get a WARNING flag, right?
    :rolleyes:

    CU
    Jazzie
     
  10. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Well, despite Jazzie1's quite uncalled-for aggression towards gkweb, I can confirm that there does seem to be an issue with PG's close message handling.

    I, too, have tried with a number of apps to cancel out of PG's prompts, only to find they reappear repeatedly until a point is reached at which PG's confirmation prompts become unresponsive, as does the app in question. The only way out seems to be to kill the app via Task Manager (presuming, of course, that you have already given terminate privileges to Task Manager, otherwise you have an altogether more difficult situation).

    It is for this reason I don't use PG's close message handling at all.
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think there are still issues with the current CMH; hopefully the next version will fix all bugs.
     
  12. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Steve--
    I am sorry you feel that I was being aggressive toward Geekweb or anyone else the above applies to. I don't know too many people on the board! So I will not react "aggressively" towards anyone for any reason over a mere program, or for any reason for that matter. I was just trying to prove a "buggy point"! :)

    Cheers
    Jazzie
     
  13. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    :cool:, Jazzie.
     