PG and Pest Patrol

Discussion in 'ProcessGuard' started by siliconman01, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I am posting this as a separate post even though it was mentioned in one of my previous posts. I have Pest Patrol running. I have placed all of Pest Patrol's modules in PG and set all of the Allowed elements active.

    I frequently, although not continuously, get a log list report that the Pest Patrol modules tried to gain Terminate access to various other items in the PG list. PPControl.exe and PPmemcheck are the Pest Patrol modules that cause most of the logging activity about Terminate.

    Please take a look at this too.
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Is it JUST Terminate access? Can you please post a small snippet of the log :)

    With allow access you shouldn't get a log.. hard to say without seeing it, we will look into it - thanks
     
  3. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    [16:21:35] - [P] - c:\progra~1\pestpa~1\ppcontrol.exe [1984] tried to gain TERMINATE access on c:\program files\spywareguard\sgmain.exe [1700]

    [09:11:10] - [P] - c:\progra~1\pestpa~1\ppmemcheck.exe [1848] tried to gain TERMINATE access on c:\program files\common files\symantec shared\ccproxy.exe [240]

    Yes, it appears to be just the Terminate process.

    Incidentally, I find I cannot just drag across one entry in the PG log window to highlight it and do a Ctrl-C to copy. The line will not stay highlighted. My system or a bug?
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    A feature, not a bug :D : It is copied immediately when you select it, no need to Ctrl-C. Just try to paste your clipboard contents somewhere...

    Andreas
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    ahhh..nice feature. ;)

    It does select/copy the entire log..neat!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Interesting. Pete
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think it's the way Pest Patrol works.

    It's not a firewall; in fact it has a database of trusted applications (MD5) and if your application isn't in it, it needs to contact the online support to transmit the file (so it has to terminate the process).
    Afterwards, depending on whether the file is good/bad, the online database is updated, as well as all Pest Patrol users.

    I think it's a legitimate termination attempt.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    If it's just sending the contents of a file that also happens to be running as a process, there shouldn't be any need to terminate the process simply to read the file contents, unless the process is locking read access on its own file. Under most circumstances, even if an exe is running as a process you can still gain READ access to the file (but not Write), but for file transmission, read access is all that's needed, so I find it strange that it's being terminated.
     
  9. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    For clarification, the ppmemcheck.exe TERMINATE log entry occurs for EVERY memory resident item that I have set up in PG. PP's ppmemcheck.exe appears to do a 30-minute memory scan and this is when the TERMINATE log messages occur...every 30 minutes.

    These messages also occur when I do a LiveUpdate of PP definitions. During this operation, both PPControl and PPMemcheck log entries about the TERMINATE occur even though I have all ALLOWED elements permitted on both ppmemcheck and ppcontrol.
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @Wayne

    I think it's just a security method: while you are checking the file, the potentially malicious process isn't running.
     
  11. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Have installed and set up PG 1.5. The same problem with the Terminate for ppmemcheck.exe and ppcontrol.exe exists in this new version.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I think it's simply a case of the log message being wrong! :) We will see soon, possibly a bug.
     
  13. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    OK folks, all of a sudden the discussion ends... and several months later I buy PG and am looking for why ppmemcheck is asking for termination of all the processes I have listed in PG, and here I be. I just gave it termination rights, for I find it rather unlikely that our friends at Pest Patrol are about to do anything malicious, nor do I believe that the file has been swapped by a doppleganger or the like (hope I spelled that one something like it is supposed to be), but did anyone ever find out why? I hate to be opening up a hole needlessly; I think I probably do enough of that out of stupidity.
     
  14. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    And so, the 30 minute interval goes by, and now there are no red lines caused by ppmemcheck and nothing interesting has occurred; PG is still running and was not actually shut down to my knowledge by it. For what that's worth, what does this mean? Further, I note OutPost (firewall) is redlining because it is refused termination rights to explorer:
    27 May 22:37:31 - [P] e:\program files\agnitum\outpost firewall\outpost.exe [596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\explorer.exe [1704]

    Shall I allow OutPost to have termination ability like I allowed for ppmemcheck, or will I be creating another one of my "stupidholes"?
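Added here as an example, not code from the thread or from DiamondCS or Pest Patrol: a small Python parser for the two ProcessGuard log layouts quoted in this thread (the `[HH:MM:SS] - [P] -` form in post 3 and the `DD Mon HH:MM:SS - [P]` form in post 14). It groups the rights each program asked for per target, so a reviewer can tell a bare TERMINATE request apart from one that also asks for WRITE, SET INFO or SUSPEND. The sample lines are constructed copies of the ones quoted above.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the two layouts of the ProcessGuard log lines quoted in this thread
# ("[HH:MM:SS] - [P] - src ..." and "DD Mon HH:MM:SS - [P] src ...").
SAMPLE_LOG = r"""
[16:21:35] - [P] - c:\progra~1\pestpa~1\ppcontrol.exe [1984] tried to gain TERMINATE access on c:\program files\spywareguard\sgmain.exe [1700]
[09:11:10] - [P] - c:\progra~1\pestpa~1\ppmemcheck.exe [1848] tried to gain TERMINATE access on c:\program files\common files\symantec shared\ccproxy.exe [240]
27 May 22:37:31 - [P] e:\program files\agnitum\outpost firewall\outpost.exe [596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\explorer.exe [1704]
"""

LINE_RE = re.compile(
    r"^(?P<when>\[\d\d:\d\d:\d\d\]|\d{1,2} \w{3} \d\d:\d\d:\d\d) - \[(?P<flag>\w)\] (?:- )?"
    r"(?P<src>.+?) \[(?P<spid>\d+)\] tried to gain (?P<rights>[A-Z ,]+?) access on "
    r"(?P<dst>.+?) \[(?P<dpid>\d+)\]$"
)


@dataclass(frozen=True)
class PgEvent:
    when: str
    source: str      # full path of the process requesting access, lower-cased
    source_pid: int
    rights: tuple    # e.g. ("WRITE", "TERMINATE", "SET INFO", "SUSPEND")
    target: str      # full path of the protected process, lower-cased
    target_pid: int


def parse_line(line):
    """Return a PgEvent for one ProcessGuard log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rights = tuple(r.strip() for r in m["rights"].split(","))
    return PgEvent(m["when"], m["src"].lower(), int(m["spid"]), rights,
                   m["dst"].lower(), int(m["dpid"]))


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def rights_by_source(events):
    """Map requesting exe name -> {target exe name: set of rights asked for}.
    Here ppmemcheck.exe / ppcontrol.exe only ever ask for TERMINATE, while
    outpost.exe asks for WRITE, SET INFO and SUSPEND on explorer.exe as well."""
    out = {}
    for e in events:
        src, dst = ntpath.basename(e.source), ntpath.basename(e.target)
        out.setdefault(src, {}).setdefault(dst, set()).update(e.rights)
    return out


if __name__ == "__main__":
    for src, targets in rights_by_source(parse_log(SAMPLE_LOG)).items():
        for dst, rights in targets.items():
            print(f"{src} -> {dst}: {', '.join(sorted(rights))}")
```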
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I'm not overly familiar with the inner workings of Pest Patrol, but the general rule of thumb is that if you trust a program then it's generally ok to give it full or near-full permissions.

    Best regards,
    Wayne
     