PG and Pest Patrol

I am posting this as a separate post even though it was mentioned in one of my previous posts. I have Pest Patrol running. I have placed all of Pest Patrol's modules in PG and set all of the Allowed elements active.

I frequently, although not continously, get a log list report that the Pest Partrol modules tried to gain Terminate access to various other items in the PG list. PPControl.exe and PPmemcheck are the Pest Patrol modules that cause most of the logging activity about Terminate.

Please take a look at this too.

 

Is it JUST Terminate access ? Can you please post a small snippet of the log

With allow access you shouldnt get a log.. hard to say without seeing it, we will look into it - thanks

 

[16:21:35] - [P] - c:\progra~1\pestpa~1\ppcontrol.exe [1984] tried to gain TERMINATE access on c:\program files\spywareguard\sgmain.exe [1700]

[09:11:10] - [P] - c:\progra~1\pestpa~1\ppmemcheck.exe [1848] tried to gain TERMINATE access on c:\program files\common files\symantec shared\ccproxy.exe [240]

Yes, it appears to be just the Terminate process.

Incidentally, I find I cannot just drag across one entry in the PG log window to highlight it and do a cntrl-C to copy. The line will not stay highlighted. My system or a bug?

 

A feature, not a bug : It is copied immediately when you select it, no need to Ctrl-C. Just try to paste your clipboard contents somewhere...

Andreas

 

ahhh..nice feature.

It does select/copy the entire log..neat!

 

Interesting. Pete

 

I think it's the way Pest Patrol works.

It's not a firewall, in fact it has a database of trusted application (MD5) and if your application isn't on it, it needs to contact the online support to transmit the file (so it has to terminate the process).
After, depending of the file is good/bad, the online database is updated as well as all pest patrol users.

I think it's a legitimate termination attempt.

 

If it's just sending the contents of a file that also happens to be running as a process, there shouldn't be any need to terminate the process simply to read the file contents, unless the process is locking read access on its own file. Under most circumstances, even if an exe is running as a process you can still gain READ access to the file (but not Write), but for file transmission, read access is all that's needed so I find it strange that it's being terminated

 

For clarification, the ppmemcheck.exe TERMINATE log entry occurs for EVERY memory resident item that I have set up in PG. PP's ppmemcheck.exe appears to do a 30-minute memory scan and this is when the TERMINATE log messages occur...every 30 minutes.

These messages also occur when I do a LiveUpdate of PP definitions. During this operation, both PPControl and PPMemcheck log entries about the TERMINATE occur even though I have all ALLOWED elements permitted on both ppmemcheck and ppcontrol.

 

@Wayne

i think it's just a security method, while you are checking the file, the potentially malicious process isn't running.

 

Have installed and set up PG 1.5. The same problem with the Terminate for ppmemcheck.exe and ppcontrol.exe exist in this new version.

 

I think its simply a case of the log message being wrong ! We will see soon possibly a bug

 

OK folks, all of a sudden the discussion ends... and several months later I buy PG and am loooking for why ppmemcheck is asking for termination of all the processes I have listed in PG and here I be. I just gave it termination rights for I find it rather unlikely that our friends at Pest Patrol are about to do anything malicious, nor do I believe that the file has been swapped by a doppleganger or the like (hope I spelled that one something like it is supposed to be), but did anyone ever find out why? I hate to be opening up a hole needlessly, I think I probably do enough of that out of stupidity.

 

And so, the 30 minute interval goes by, and now there are no red lines caused by ppmemcheck and nothing interesting has occured, PG is still running and was not actually shut down to my knowledge by it. For what that's worth, what does this mean" Further, I note OutPost (firewall) is redlining because it is refused termination rights to explorer:
27 May 22:37:31 - [P] e:\program files\agnitum\outpost firewall\outpost.exe [596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\explorer.exe [1704]

Shall I allow OutPost to have termination ability like I allowed for ppmemcheck, or will I be creating another one of my "stupidholes"?

 

I'm not overly familiar with the inner workings of Pest Patrol, but the general rule of thumb is that if you trust a program then it's generally ok to give it full or near-full permissions.

Best regards,
Wayne