PG 3.0 & Dr Watson (w2k)

Discussion in 'ProcessGuard' started by poogimmal, Oct 14, 2004.

Thread Status:
Not open for further replies.
  1. poogimmal (Registered Member; joined May 7, 2004; 79 posts)
    I've been running PG 3.0 beta1 for a few weeks now and it is very nice, very stable, but tonight I was running the new Sysinternals Filemon 6.12 and Filemon caused some sort of error. I got a PG alert that drwtsn32.exe wanted to run, and I said OK, "always run." Apparently this was the first time Dr Watson had run since I installed PG 3.0 (a good sign, I guess). I then checked the PG alert log and saw that Dr Watson had attempted to kill Filemon but PG would not let it.

    So a couple of questions re Dr Watson: I assume that it is an app that I should "always run"? And I assume that I should add drwtsn32.exe to "protection"; then what are the optimal protection settings? I assume I should let it terminate protected applications. I am less sure about "other options"; it is hard to experiment with, as the user does not really start Dr Watson, it is started by the OS (I think -- perhaps I should also read the w2k help re Dr Watson, LOL!).

    P.S. If anyone knows good PG settings for Filemon, that would be OK too, but I'm not too concerned about that. Thanks!
     
  2. Open Source (Registered Member; joined Jun 12, 2003; 50 posts; location: The Net)
    Isn't there a beta 3 final out?

    You're two behind; upgrade for best results.
     
  3. Andreas1 (Security Expert; joined Jan 29, 2003; 367 posts; location: Mainz (Ger))
    First, what I think happened is: Filemon wanted to install its driver and, not succeeding immediately, crashed. This led the OS to start DrWatson to handle getting crash info on FileMon and then cleaning it up. I've seen Filemon crash this way when I ran it (an older version) for the first time while PG was in Learning Mode: while PG would add the "allow driver" authorization to its FileMon protection entry after blocking it just one time, FileMon apparently didn't retry but instead crashed immediately.

    WRT DrWatson, to operate correctly it should be given modify and terminate privs. (I'm not sure about Physical Memory access and Global Hooks.) However, I usually only allow/deny it for single executions, so I can decide each time whether I want to allow it to start and check the crashed program. Sometimes I don't want to bother and just deny once.

    Andreas
     
  4. poogimmal (Registered Member; joined May 7, 2004; 79 posts)
    I know I'm a few PG 3.0 betas behind, but beta1 has been so excellent compared to PG 2.0 that I may just wait until the final release.

    Meanwhile, I'm not sure about Filemon; perhaps I ran v6.12 but PG still had it protected as v6.11. I think its driver was installed, as it ran for several minutes before the crash. Andreas, you seem to be saying that drwtsn32 is not critical to w2k, and from reading some w2k help last night, that was the sense I got, i.e., that it is a debugger but not system critical, so I can do as you suggest and set security to "permit once" and then decide on a case-by-case basis. Thanks!
     