Permissions to terminate

Discussion in 'Ghost Security Suite (GSS)' started by G1111, Feb 12, 2008.

Thread Status:
Not open for further replies.
  1. G1111

    G1111 Registered Member

    Joined: May 11, 2005
    Posts: 2,127
    Location: USA
    I've installed AppDefend and allowed my anti-virus program (KAV). Do I need to also set permissions to allow it to terminate another program? Currently it is set for execution and network access as "allow"; all the rest are set as "default." Has anyone put together a list of "recommended permissions" for programs? I have Task Manager set "ask user/allow" so I have to allow it to run. Also, set gss.exe to "ask user/block" for self terminate so it can't be terminated without permission.
     
    Last edited: Feb 13, 2008
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined: May 2, 2004
    Posts: 2,839
    Location: North West, United Kingdom
    If you want your AV to be able to react to malware (which you presumably do) then giving it Terminate permission is highly advisable. Otherwise you could have a situation where a detected nasty is allowed to romp all over your system because GSS has suspended KAV while it waits for you to answer a termination prompt.

    This applies to process control software and anti-malware scanners generally - the scanners need to be given adequate permission to shut down anything suspicious that they detect.
     
  3. G1111

    G1111 Registered Member

    Thanks Paranoid2000.
     
  4. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia
    Most AVs I've tried do a very poor job at removing the well-written malware; you're really stuck without something like GSS or another HIPS. Either way, once KAV or something else identifies a known nasty, blocking its execute access with AppDefend and/or changing the default execute action to "block all" would stop the self-protecting malware from popping up again, combined with blocking its rewriting access to startup registry items. Or you could just do the latter and reboot.... :)
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Yes, but does that really apply when flagging malware before it executes? Here presumably a user would have (either mistakenly or through ignorance) answered a GSS prompt allowing it to run, so assuming that it is recognised, permitting the AV to kill it ASAP is the most desirable option (though most malware would trigger further GSS prompts for driver installs, registry changes or network access, allowing further chances to halt it without an AV).

    I'd agree that a technically knowledgeable user (i.e. one who knows what their system should be running and only allows new items with good cause) could dispense with AV, but most are likely to continue wanting alerts on confirmed malware.
     