need help on PG fullver > 100% working protections?

Discussion in 'ProcessGuard' started by newbuyer, Aug 8, 2004.

Thread Status:
Not open for further replies.
  1. newbuyer

    newbuyer Guest

    We just bought the PG2 full version for home use. After playing around with it and reading about it, there are some concerns on which we would like help from XP users and experts.

    1- On a Win2k Pro (up to date), regsvc.exe could start even though it was "quarantined" into PG's "blacklist", if it is left enabled (automatic start setting in the Services section of the MMC.exe window). That made us worried and popped up a concern: does PG2 start early enough and provide the most protection during Windows booting? In fact, regsvc.exe could start at bootup.

    2- It seems that SpySweeper (webroot.com) & PG2 have compatibility issues?
    Time after time, every time SpS was installed, at almost every boot of Windows afterwards there were appearances of the PG Secure Desktop GUI with a non-specific executable requesting to run (of course, it was intercepted by PG).
    I have pix of the "issues" and I don't know what on this page provides an option to upload images.

    Thx.
    :roll:
     
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The issue with #1 will never really be 100% solved. There is just no way you can guarantee when your service/driver will load with Windows. However, some program must still execute and install a driver/service, which Process Guard would alert on. So it is more an inconvenience issue rather than a security problem.

    #2 will probably be fixed in the next version, which will be in BETA in a few days. There have been some fixes regarding this issue.
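The two replies above turn on how Windows orders driver and service start-up. The following model is an added example (not code from the thread, from DiamondCS or from ProcessGuard) that reproduces the phase/group ordering Windows 2000/XP uses and shows why an auto-start service such as regsvc.exe can only be reliably observed by a protection driver that loads in an earlier phase. The service names other than RemoteRegistry (the real name behind regsvc.exe), the driver name "pgdrv_example", and the shortened group list are constructed for the example.

```python
"""Model of the Windows 2000/XP start order for drivers and services.

Illustrates the thread's point: an auto-start service is started by the
Service Control Manager, and only a driver that loads in an earlier phase is
guaranteed to be present when that happens. Names ending in _example and the
group list are constructed for this example.
"""
from dataclasses import dataclass
from typing import List

# Start values as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
SERVICE_BOOT_START = 0    # loaded by the OS loader, before the kernel starts
SERVICE_SYSTEM_START = 1  # loaded by the kernel during its initialisation
SERVICE_AUTO_START = 2    # started by the Service Control Manager at boot
SERVICE_DEMAND_START = 3  # started only on request
SERVICE_DISABLED = 4      # never started
STARTED_AT_BOOT = (SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START)

# Constructed, shortened stand-in for Control\ServiceGroupOrder\List; real
# lists are longer. Ungrouped entries start after all grouped ones in a phase.
GROUP_ORDER = ["Boot Bus Extender", "Base", "File System", "Filter", "Network"]


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    start: int
    group: str = ""  # value of the Group key; "" means no load-order group


def start_key(entry: ServiceEntry, group_order=GROUP_ORDER):
    """Sort key: start phase first, then load-order group rank, ungrouped last."""
    rank = group_order.index(entry.group) if entry.group in group_order else len(group_order)
    return (entry.start, rank)


def boot_order(entries: List[ServiceEntry], group_order=GROUP_ORDER) -> List[str]:
    """Names in the order they are started at boot. Entries sharing a phase and
    group keep their input order here; on a real system that order is not
    guaranteed, which relative_order() reports as 'unordered'."""
    started = [e for e in entries if e.start in STARTED_AT_BOOT]
    return [e.name for e in sorted(started, key=lambda e: start_key(e, group_order))]


def relative_order(entries, watcher: str, target: str, group_order=GROUP_ORDER) -> str:
    """Is `watcher` guaranteed to run before `target` starts?
    Returns 'before', 'after', 'unordered' (same phase and group) or 'not started'."""
    by_name = {e.name: e for e in entries}
    a, b = by_name[watcher], by_name[target]
    if a.start not in STARTED_AT_BOOT or b.start not in STARTED_AT_BOOT:
        return "not started"
    ka, kb = start_key(a, group_order), start_key(b, group_order)
    if ka < kb:
        return "before"
    if ka > kb:
        return "after"
    return "unordered"


def with_entry(entries, replacement: ServiceEntry):
    """Copy of `entries` with the same-named entry replaced (simulates editing Start/Group)."""
    return [replacement if e.name == replacement.name else e for e in entries]


# Constructed sample configuration. RemoteRegistry is the service behind
# regsvc.exe on Windows 2000; "pgdrv_example" is a hypothetical protection driver.
SAMPLE_SERVICES = [
    ServiceEntry("Ntfs", SERVICE_BOOT_START, "File System"),
    ServiceEntry("pgdrv_example", SERVICE_BOOT_START, "Base"),
    ServiceEntry("netdrv_example", SERVICE_SYSTEM_START, "Network"),
    ServiceEntry("RemoteRegistry", SERVICE_AUTO_START),
    ServiceEntry("helper_example", SERVICE_AUTO_START),
    ServiceEntry("ondemand_example", SERVICE_DEMAND_START),
]

if __name__ == "__main__":
    print("start order:", boot_order(SAMPLE_SERVICES))
    print("boot-start driver vs RemoteRegistry:",
          relative_order(SAMPLE_SERVICES, "pgdrv_example", "RemoteRegistry"))
    # The same watcher installed as an ordinary auto-start service: no guarantee.
    late = with_entry(SAMPLE_SERVICES, ServiceEntry("pgdrv_example", SERVICE_AUTO_START))
    print("auto-start watcher vs RemoteRegistry:",
          relative_order(late, "pgdrv_example", "RemoteRegistry"))
    # The remedy discussed in the thread: disable the service so it never starts at boot.
    off = with_entry(SAMPLE_SERVICES, ServiceEntry("RemoteRegistry", SERVICE_DISABLED))
    print("RemoteRegistry disabled:", relative_order(off, "pgdrv_example", "RemoteRegistry"))
```

The model only captures phase and group rank; within one phase and group the real Service Control Manager orders by dependencies, so the example deliberately reports that case as "unordered" rather than guessing.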
     
  3. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I am running Spy Sweeper, V3.0, Build 129 with PG V2.0 and am not seeing any conflicts. My OS is XP-SP2-Build 2162 Home Edition.

    I have Spy Sweeper in my program list with the normal 4 block flags and then Allow Flags of Write, SetInfo, Terminate, Suspend, GetInfo, Read. I also have Close Message Handling set as an Option.

    HTHs
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi newbuyer,

    If you register an account you can attach the images; it will help a lot to understand your problem.

    It could be possible you simply have old video card drivers.
     
  5. nhatduongchi

    nhatduongchi Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    3
    I am using the Opera 7.x internet browser and seem to be having difficulties uploading images to the server (uploading finished, but the close window did not work to go back to the reply-writing window - it has gone away). I will try it with Firefox.
    I have a video card using the nvidia chipset Geforce2-MX400 with the latest nvidia driver installed.
    I have 10 images of problems that happened to my PC. I don't know which one would show the "problem" most closely? What can I do to upload all images? If you don't mind, can I have one of your email addresses (can be a temporary email address) to which I can submit all images, for you to take a glance at them in case any image provides a fact about the problem on my PC?

    Thx so much.
    PS: win2k pro sp4.
    * programs installed:
    PG2 (licensed), TDS3/PE/CS (trials), Norton AV 2003, ZoneAlarmSuite 5.1.011 (with av disabled); Acronis TrueImage & DiskDirector.
    * hardware:
    soyo-k7vmp2 mobo, AMD XP1700+, 768mb ddr266, video card nvidia geforce-MX400 (seems WinFast), Netgear FA312 NIC, Hauppaug (not sure spelling) TV-tuner PCI card...
    ------------------------------------------------------------------------
     
    Last edited: Aug 9, 2004
  6. nhatduongchi

    nhatduongchi Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    3
    Thx for the info.
    First, I did not give SpySweeper3 full "power"; later on, I gave it full power and such issues still happened to my box until I removed SpySweeper3. It seems that at boot-up, SpySweeper tried to install some driver "mchInjDrv" and PG caught it and asked the user for approval (if new program execution is disabled) or auto-locked it and showed entries in the log (if new program execution is enabled); learning mode: I did not dare to try it yet to see what would be going on.
    Later on, I also gave SpySweeper3 the right to install drivers; the log entry about SpySweeper trying to install "mchInjDrv" is gone, but another mysterious, unspecified name of .exe is shown. If I remove SpySweeper3, such things are gone.
    Any ideas? Thx for help.
     


  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, for SpySweeper I have the following flags set

    First four block flags
    Allow flags are: Write, SetInfo, GetInfo and Read
    And in Options, Allow Driver / Service install

    This works perfectly on my machine with no Red log entries.

    HTH Pilli
     
  8. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    MchInjdrv looks highly suspicious. I cannot find it anywhere on my system (registry included) with my Spy Sweeper V3.0 Build 129.

    It is also referred to in the following link

    http://computercops.biz/print-1-59714.html

    where the user with a problem was instructed to delete it.

    You might use WebRoot support on their website and ask them if it is valid. Of course you may or may not get a reply from them...or it might take a couple of weeks.
     
  9. pglover

    pglover Guest

    Thx for the information; someone had the same:
    mchInjDrv: \??\C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\mc22.tmp
    If other SpySweeper3 users have not had this "mchInjDrv" on their machines then probably my box already had some bugs implanted on it before I installed PG2 (trial, full) and SpySweeper3 -> which caused the strange behaviors.

    I searched for another post related to this mchInjDrv, which says it is not bad:
    [http://216.239.39.104/translate_c?h...=/search?q=mchinjdrv&hl=en&lr=&ie=UTF-8&sa=G]

    How to get a clean machine?
    thx.
     
  10. pglover

    pglover Guest

    Seems that I was wrong.
    There is a post on that page which seems to show mchInjDrv trying to defeat PG protection:
    Hope someone can help clearly on this. thx.
     
  11. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Maybe you can send the mchinjdrv file to Diamondcs and they can analyze it to determine if it is malicious. If it is trying to compromise PG, I would think it would have the status of a virus or trojan. :eek:
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    That was the driver a² installed? Well, it would be OK for you to allow that program to install a driver, since you trust it? :) Any program which you trust should be given rights in ProcessGuard

    MCH = MadCodeHook, used by a².. I can't see the screenshot, sorry, but I do vaguely remember this was the name a² used for a driver..

    Ahh ok, I can see the screenshot.. seems like SpySweeper also uses that library. You probably won't find the file because it gets dropped and, after the install failed, it gets deleted.
     
  13. PGLover

    PGLover Guest

    Re: need help on PG fullver

    Thx so much for the confirmation, which relieved me about mchInjDrv for the moment. It seems you forgot to mention whether mchInjDrv is good or has malicious intentions (mostly not malicious, since SpySweeper3 probably uses it and drops it in place when necessary?).
    Some PG users have posted on this forum that they have not seen anything like mchInjDrv when they have used SpySweeper3 too. How is that?
    Another concern I still should ask again for your support on: I have seen the "remote registry service" - regsvc.exe - although set to be blocked from running by PG (licensed), still start if it is set to start automatically in the MMC settings of Windows 2000. If I understand what you provided to help users understand things better (in your first reply), there is no way to be 100% sure of the order in which services are loaded when Windows boots up, right? So the drivers of a security software can probably start later than some others (in this case, the PG driver vs. regsvc.exe of Windows 2000). If that is correct, what about malicious drivers: can they not take advantage of it to race ahead of the installed security software? I am only a home user, so if this is an idiotic concern, please help me to understand clearly and shape my mind about computer safety/security things.
    Thanks so much again.
    .PGLover.
     
  14. PGLOVER

    PGLOVER Guest

    I forgot another thing I should report, as it may give some info that might be useful for me to get help from others:
    - For a long time, I had great difficulty installing Norton Antivirus (2001, 2002, 2003, 2004 - I dislike 2004 because of activation; all free after rebates) - I often got error messages like "*.cab file not found" - in fact, it was on the installation CD-ROM o_O - NAV got changed somehow so it was disabled; sometimes, trying to remove NAV was tough.
    - On the same box, after I installed PG, I no longer have any of the weird things above when installing NAV2003 and NAV2004.

    I don't really know why the story seems coincidental like this. Hope others jump in to help.
    TIA.
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi PGlover,
    PG starts very early in the boot process; providing you have the General option to Block drivers/services from installing, you should be OK, also providing that your machine was clean when PG was installed.

    Any new or changed drivers will be picked up by the secure desktop. I have even seen this when a trusted Windows service has been changed by a Winupdate when I have forgotten to disable Process Guard during the update's install process. On reboot the Secure desktop jumps in asking if I wish to allow the change or I see blocked log entry in the PG log.

    I also know that if such a vulnerability was found DCS would update PG to stop it. :)

    HTH Pilli
     
  16. PGLOVER

    PGLOVER Guest

    Thx. That rests "my paranoia".
    After a long time of using a PC without security software like PG, how can I say my box has been clean of malicious programs implanted without my knowledge? Hope there is an absolute solution to be able to protect a machine with PG2x/TDS3-4/WG3-4 even on a box not known to be clean. Is this possible?
    I have heard there have been malicious programs able to exist and stay alive even after reformatting and repartitioning? They always come back alive after all? Is it possible or just crap?
    TIA.
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again PG lover. Unfortunately there is no such thing as 100% security; all we can do is protect against what is known or even what may occur, so a layered defence, such as yours, is currently the best way. Ensuring you get the latest operating system updates and those of your security apps is the first rule.

    Pilli
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you wipe a system properly and install from known clean backups, NO, nothing can survive.

    Boot sector viruses are those which can survive a format if you don't use fdisk /mbr to wipe the MBR (master boot record) of a disc. Boot viruses are VERY small and can only infect other boot sectors, such as a floppy disc.

    All new BIOSes for many years have offered an option to write-protect the boot sector; this should be used! When you install Windows you will get an alert that it is trying to modify the boot sector; you allow it.. you should never see that warning again - if you do then it's a boot virus trying to infect your MBR and you could deny it..
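To make the MBR discussion above concrete, here is an added example (not code from the thread or from DiamondCS) that parses the 512-byte master boot record layout and compares a saved baseline against a current image, reporting whether the boot code, the partition table or the signature changed. That split is the point of the post: `fdisk /mbr` rewrites only the 446-byte boot code area, which is where a boot virus lives, and leaves the partition table alone. The MBR bytes below are constructed; reading a real disk's first sector needs raw device access (for example `\\.\PhysicalDrive0` on Windows), which is not shown.

```python
"""Parse and baseline-compare a classic 512-byte MBR.

Layout: 446 bytes of boot code, four 16-byte partition entries, 0x55AA signature.
The sample MBR is constructed for this example; it is not a real disk image.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sector-count(4, LE)
PART_ENTRY_FMT = "<B3sB3sII"


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the non-empty partition entries; raise if the sector is malformed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, off)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,   # 0x80 = active/bootable flag
            "type": ptype,                # 0x07 = NTFS/HPFS, 0x0B/0x0C = FAT32, ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot code area only; store this as the baseline after install."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Regions that differ between two MBR images, in layout order."""
    changes = []
    if baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN]:
        changes.append("boot code")
    if baseline[PART_TABLE_OFF:SIGNATURE_OFF] != current[PART_TABLE_OFF:SIGNATURE_OFF]:
        changes.append("partition table")
    if baseline[SIGNATURE_OFF:] != current[SIGNATURE_OFF:]:
        changes.append("signature")
    return changes


def build_sample_mbr() -> bytes:
    """Constructed sample: a few real-mode opcodes plus NOP filler as boot code,
    and one bootable NTFS-type partition starting at LBA 63."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 4)  # xor ax,ax ; mov ss,ax ; nop...
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + BOOT_SIGNATURE


def simulate_boot_code_change(mbr: bytes) -> bytes:
    """Flip the first opcode byte, as a stand-in for a rewritten boot code area."""
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF
    return bytes(tampered)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    print("partitions:", parse_partition_table(baseline))
    print("baseline boot code fingerprint:", boot_code_fingerprint(baseline))
    print("no change:", compare_mbr(baseline, baseline))
    print("boot code rewritten:", compare_mbr(baseline, simulate_boot_code_change(baseline)))
```

Keeping the boot-code fingerprint separately from the partition table means a legitimate repartition shows up as a "partition table" change while an unexpected "boot code" change is the signal worth investigating, which mirrors the BIOS boot-sector write alert described above.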
     