PG and drivers

Discussion in 'ProcessGuard' started by Chris12923, Oct 8, 2004.

Thread Status:
Not open for further replies.
  1. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Just want to make sure that I am understanding correctly. PG, even in learning mode, will not allow drivers to be installed. Example: when installing Cisco 4.6, PG alerted saying a driver was trying to be installed. So I manually need to give permission or leave unported for a few, right?

    Thanks,

    Chris-
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    In the latest betas, driver/service install is added where necessary to applications etc. when in learning mode.

    Learning mode stays on for two reboots after installation unless you manually switch it off. This is to ensure the utmost compatibility for protected list items.
    Reboot after installation, Process Guard picks up system and resident programmes, now is a good time to add your trusted Internet and security programs.
    First reboot after this ensures that the basic allows etc are set.
    Add whatever general tabs you want to enable
    Second reboot. Learning mode switches off but adjustments to the protection list due to the newly enabled general tabs are added to the processes as necessary.

    This makes installation much easier for new users.

    Advanced users can still switch off learning mode immediately after the initial reboot if they so wish.

    Note: As has been stated elsewhere, it is imperative that Process Guard is installed only on clean installations and preferably after a new Windows installation.

    HTH Pilli
     
  3. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I think this answered my question. Let me rephrase and see if there is a yes or no answer. I have PG learning mode enabled while installing Cisco VPN it still says it blocked a driver install that the VPN was trying to do. So you are saying this is corrected in the new beta they are working on and won't work like this now but will when they release new beta?

    Thanks again Pilli,

    Chris
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, the new driver and learning mode should correct this, though I cannot speak specifically about Cisco VPN :)

    Pilli
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Thanks again. :)
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    ehm. one thing tho: what Pilli refers to is the improvements in how driver installs via services.exe are handled. Chris, you didn't mention what was the application (*.exe) that was trying to add the driver. If it was any app except for services.exe (i.e. some cisco app), it should have worked right even with your version.
    Anyway, what's important to know is how Learning Mode is functioning in that respect: PG sees an action where a "Block" rule applies and it does block the action and alerts on it. Yes, even in Learning Mode. Only then, after the block, is the relevant privilege granted to the application that triggered the alert. So you will have a "blocked" alert, one block happens, the privilege is added on the protection list, and it should all be fine when the app tries to install the driver the next time.

    Does this correspond with your findings? (And which app had been reported as trying to install the driver - and which privileges does it have in your protection list?)

    Andreas
     
  7. PG3

    PG3 Guest

    It seems beta2 working like your observation relates to at-1st-driver installation attempt of an application in learning mode.
    Hope it is not wrong.
     
  8. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    glb8.tmp [1180] Tried to install a driver/service named VFILT
    dne2000.exe [132] Tried to install a driver/service named DNE

    were the alerts I received. I hope this helps and thanks everyone for responding.

    Thanks,

    Chris
     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    this should not pose a problem (at least after the first attempt). Check if dne2000.exe has "allow install drivers/services" permissions in your protection list.

    this is somewhat more difficult I'm afraid. Does that (glb8.tmp) represent an existing file on your system - and is it the same filename every time? (With which settings does it appear in the protection list?)

    If that's some temporary filename which is created anew in every session, there's no way you can tell PG that *this* one (which is another one each time) is to be allowed to install a driver. Either you manage to have Cisco install its driver another way (i.e. by one and the same application every time), or you'll have to disable "block driver/Services install" (which is a bad thing to do). At least while Cisco does its thing...

    But maybe there's some more to it. Can you tell us how dne2000.exe and glb8.tmp figure in your protection list, whether it's always "glb8.tmp" and whether or not the problem is still the same after reboot. (And disabled learning mode.)

    Andreas
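
The learn-on-block behaviour and the temporary-filename problem discussed in this thread, as a small added model. It is not ProcessGuard code and not part of any post; the class and function names, the process IDs of the later attempts, and the second temp name glb9.tmp are assumptions made for illustration.

```python
# Added model of the behaviour described in the thread; not ProcessGuard code.
INSTALL_DRIVER = "install drivers/services"


class ProtectionList:
    """Per-image privileges, keyed on file name as in the thread."""

    def __init__(self, learning_mode):
        self.learning_mode = learning_mode
        self.allowed = {}   # lower-cased image name -> set of privileges
        self.alerts = []    # blocked-action alerts, in order

    def request_driver_install(self, image, pid, driver):
        """Return True if the install is allowed, False if it was blocked."""
        key = image.lower()
        if INSTALL_DRIVER in self.allowed.get(key, set()):
            return True
        # Block and alert first, even in learning mode ...
        self.alerts.append(
            f"{image} [{pid}] Tried to install a driver/service named {driver}")
        # ... and only afterwards learn the privilege for this image name.
        if self.learning_mode:
            self.allowed.setdefault(key, set()).add(INSTALL_DRIVER)
        return False


def temp_named_grants(plist):
    """Learned grants keyed on a .tmp name: no use once the name changes."""
    return sorted(name for name, privs in plist.allowed.items()
                  if name.endswith(".tmp") and INSTALL_DRIVER in privs)


def run_demo():
    pl = ProtectionList(learning_mode=True)
    # Constructed sequence of two install sessions. glb9.tmp is an assumed
    # second temp name; the thread only reports glb8.tmp.
    attempts = [("dne2000.exe", 132, "DNE"), ("glb8.tmp", 1180, "VFILT"),
                ("dne2000.exe", 140, "DNE"), ("glb9.tmp", 1204, "VFILT")]
    results = [pl.request_driver_install(*a) for a in attempts]
    return results, temp_named_grants(pl), len(pl.alerts)


if __name__ == "__main__":
    results, stale, alert_count = run_demo()
    print(results)
    print(stale)
    print(alert_count)
```

In this model the stable image name is allowed on its second attempt, while each new temporary name is blocked again and leaves behind a learned grant that never matches a later run.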
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I will have to try to reinstall Cisco because it is not compatible on my system with either beta firewall I am testing. So I have uninstalled it at the moment. I will try this again maybe tonight and let you know anyway just so when the firewall vendors hopefully correct this I will have an answer.

    Thanks,

    Chris
     