No biggy, but Antivirus 'Allow' Permissions

Discussion in 'ProcessGuard' started by kwesi, Aug 29, 2004.

Thread Status:
Not open for further replies.
  1. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Hi. I'm using PG Free, with my full licence on its way, & I haven't been able to find an answer to my question in the Helpfile or a thread in this forum:

    Does an AV need to have Terminate permission under PG full protection, and would this be for both resident and on-demand scanners, or for one of them, please?

    The reason that I ask is that my trial AV resident scanner (McAfee VSE 7.1) has quite a few cracks at trying to get write-terminate, etc. access on the dcuserprot.exe file, upon boot-up. I tried excluding that file from both on-demand and resident sweeps, & cancelling the startup of resident scanning, but without luck.
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Kwesi :)

    I believe your asking if you NEED to give your AV the Terminate Allow Flag. In my opinion, no, and here is why. It is my understanding that Allow Flags give the program in question the ability to perform actions (such as Terminate) on OTHER protected programs.

    So, take a look at the programs in your protected list. Can you see any reason your AV would need to terminate one of these apps?

    Having said that, I see no reason why you can't give your AV terminate priviledges. I don't think it will hurt anything.

    Just keep an eye on the log. When you get a BLUE PG icon, see what the log has to say, and then add permissions as required.


    EDIT: I guess one reason you might want to give your AV terminate capabilities is if one of your protected apps is infected with a Virus. In this case your AV would be able to terminte the protected but infected program. o_O
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    H i Daisie, If one of my protected apps was infected and needed my AV to terminate it I would consider reformatting as that would be some infection indeed!
    Also what if your AV was the infected programm - I imagine more malware is aimed at disabling well known security apps such as AV's and forewalls than "hard to crack" Process Guard. :)

    But indeed it is food for thought ;)

    Cheers. Pilli
     
  4. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Thank you both for your replies.

    I don't yet have PG Full version, so I'm only surmising here, but overnight, while I slept, I began to think that perhaps when PG is controlling the Terminate, Read, Write, etc., functions for my AV & other security apps, then the Block flags on dcuserprot.exe will over-ride the Terminate permission for the AV, which won't anymore try to gain that power over dcuserprot.exe, upon boot-up.

    In terms of how that might occur, I'm wondering whether the basis for PG's permission-setting has no conflict with, or has exactly the same basis as the code or programming or...(?!) which McAfee have used to determine the permission-seeking behaviour of the resident scanner.

    Thanks again.
     
    Last edited: Aug 30, 2004
  5. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Actually, I'm beginning to understand that there seem to be two components to this - the permissions that protected programs have to terminate, write to, etc. other protected programs as allowed by PG, & what they have already been programmed to do by their manufacturers.

    What the little grey cells don't grasp at the moment is whether PG settings over-ride and exclude the manufacturers' ones from operating, but practical experience will give me more answers, of course (I've just installed PG full & will 'suck it and see' now!).
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Kwesi, Basically the protected list is just that when set with the first four blocks.
    Allow flags ony appertain to the protected list not any unprotected programs.
    For instance you may have AX.exe eith four blocks on your protected list and TM.exe also on your ptotected list
    TM may need to be able to Terminate AV so you would five it the allow terminate flag otherwise TM would not be able to terminate it if required.
    Under normal circumstances no other program would be able to terminate AV
    And yes it does modify the original user mode permissions that a program may have.
    Outpost2 is a classic example, without Process Guard protection it is relatively easy to terminate but not once it is on the protection list ;)

    Have fun. Pilli
     
Thread Status:
Not open for further replies.