Manually Enter Allowed To Run Programs

Discussion in 'ProcessGuard' started by Dobermann, Feb 23, 2005.

Thread Status:
Not open for further replies.
  1. Dobermann

    Dobermann Registered Member

    My trial has since expired, and the only reason I did not wish to purchase it before was because I would have had to leave it on Learning mode for nearly three months to capture all the instances of a constantly running program. It is actually the same exe file, but found in 999 directories. It starts in 001, then in a few hours when that one is finished, it then runs the exe found in 002, then in a few hours when that one is finished, it then runs the exe found in 003, and so on up to 999. It can take up to 3 months of 24x7 to get through all 999 instances of the exe. It is the same named exe, and it does exist in each and every directory.

    If I am not there to watch and PG is not in Learning mode, when it is ready to switch to the next directory, PG stops it in its tracks (like one would expect it to do). This, however, is not good for me. I, therefore, need a way to be able to add all 999 instances to the Allowed to Run file (preferably quickly, too).

    I could not find such a way when the trial was active. Now that the trial period has expired, I really can't find a way :rolleyes: Is it possible to do this? Was I just click-impaired before and a method exists? What if I boot into Safe mode and edit pghash.dat?

    Thanks,
    Dobermann
     
  2. earth1

    earth1 Registered Member

    Hi Dobermann, and welcome to Wilders. You have a most unusual problem. After taking a look at pghash.dat, I'm not sure you want to edit it. It looks like some kind of Unicode, but without any identification (BOM?) or formatting. If you figure out how to make a useful change, please let us know what you did and how you did it.

    When Jason was still at DCS, he indicated that he would try to implement a new feature that would allow you to name a directory under which all programs in any of its subdirectories would be allowed to run without any hash checks. It was a request for a performance enhancement, but might solve your problem too. Assuming that that will still happen, it probably won't be until version 4.0 (no scheduling that I've heard yet).

    If you're a pretty whippy programmer, you might be able to track what happens to pghash.dat as you add 001, then 002, then 003 until a pattern emerges and you can write a program to keep adding the rest of the entries. Short of that, maybe a script that creates all the directories and puts a copy of the program in each. You'd still have to add each one to PG manually, but at least you could do it in one marathon session without having to wait hours for the next program each time.

    Good luck
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    PG has no "trial" version at all now, so you need to DISABLE protection in PG 2 now, then close it, then uninstall it and restart. You can then install PG3FREE.

    Make an ASViewer log: http://www.diamondcs.com.au/index.php?page=asviewer
    Don't change anything except the 3 top tickboxes, all ON. Choose save and then copy and paste it for us.

    But hmm.. sounds very wrong already. It might be best to take the time or have someone back up ALL important data and format the machine. It must be a virus of some sort. Please send any TWO of the files if they are the same size, or any 5 if they are not the same size. Zip and password the files, then email them to us at submit@diamondcs.com.au
     
  4. gottadoit

    gottadoit Security Expert

    If you actually have a real reason to do this then you can do it without too much hassle, but as Gavin mentioned, it does sound a bit fishy...

    Why do you need to have more than one copy of the same executable?
    (it doesn't make a whole lot of sense to me, unless it is a legacy program)

    If there really is a valid reason to have this situation then you could simply run all of the executables to get them into the list (in Learning mode), see here for a way to do it, but you shouldn't use that information until you are sure you don't have a problem.

    Even then, you would be better off fixing the program and firing the developer that came up with such a lame idea...

    What is the name of the application (and what does it do)?
    Also, what is the name of the executable?
     