PG configuration, global hooks, secure handling, access rights

Discussion in 'ProcessGuard' started by Wai_Wai, Aug 11, 2005.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hi.
    Please see my setting first. (it's at the end of the attached image)

    Q:
1) How should I set about iexplore.exe, explorer.exe, msimn.exe?
    Why do they need "global hooks"? Should I disable it?


    2)
    I would like to protect the following products:
    - McAfee
    - MS Antispyware
    - ZoneAlarm
    - IMSecure
    Did I set properly?

    Also I wonder if I need to provide them as well:
    - process guard itself
    - regdefend
    Please tell me why if possible?


    3)
    When I try to protect my security products, I encounter 2 kinds of problems:
    • It even protects me from minimizing or closing the dialog!!
    It gets to be annoying. Every time I close the dialog or the menu of any of my protected security products, ProcessGuard asks me for human identification. I would like to ask ProcessGuard to protect them from disabling their functions/services, nullifying their work, or shutting them down; but NOT from closing the menu/dialog.
    Any solution?

    • Often some programs issue "close" messages
    Sometimes a dialog pops up asking for human identification. I don't remember the exact message, but the code is somewhat like "ms_close" / "mw_close" (?). I have tried to reject in one incident; allow in another. It seems there's nothing wrong - the product seems to be running (or maybe it's the malware which gives me that sort of illusion).

    Does anyone know whether this sort of message can be valid, even if it happens all of a sudden (I'm simply doing some unrelated things, and the messages pop up)?

    If the answer is "depends", then try to explain in which situations it is dangerous, and in which it is not.


    4) By the way, do I need to grant Internet Access and Server Access to explorer.exe? It often asks me this kind of question, and I have no idea how to answer.

    5)
    See if my setting is correct.
    If not, please inform me about that.
    Thanks so much for your kind help. :-*
     

    Last edited: Aug 12, 2005
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I'll try and answer some of your questions
    These should have been given the necessary flags when in learning mode. Global hooks are optional, but it may affect certain program features if you disallow them.

    I do not know about all of these but if you search this forum you should find your answers. I do know that MS AS needs to be allowed service/driver install

    I will not use all your quote for this. Using Secure Message Handling is a very special feature and should only be used judiciously, for critical security applications that do not have password protection.
    Read the help file regarding SMH and the human interface, taking special note of the learning feature.
    SMH is not a part of the normal learning mode.

    It depends what you are doing, Explorer is a trusted application and is part of the PG default set so it should be fine to leave it at the default settings.

    I cannot help you regarding McAfee, though learning mode should have allowed the correct settings.

    HTH Pilli
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hmm... would you mind telling me some of the uses of these global hooks?
    Temporarily, I may decide to turn them off.

    As to MS Anti-spyware, I do not allow this.
    It doesn't mean you are wrong, but just to tell you it seems to work fine in my computer without this.
    When I look at the log, it seems it doesn't ask for installing a driver/service at all.

    What is SMH?
    As you say, do you mean if the software has password-protection, we don't need to protect them by process guard?

    After all, thanks for your help.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, global hooks are used for various functions within Windows; mouse gestures is a common one. In Explorer some of the menu functions may not work correctly.

    MS-AS is a beta so it may have changed but as Giant it needs a driver install :)

    SMH = Secure Message Handling. This is what causes a Human Interface Device (HID) to be displayed when enabled on a GUI object; it does not work on any process that does not have a GUI. Password protected programs are unlikely to be closed down by Windows close messages sent by a Trojan etc., especially programs that already run at kernel level such as KAV & ZA.

    From the PG help file:
    Secure Message Handling

    Due to the structure of the Windows operating system, it is possible for applications to control other applications using windows messages. There are many messages which mean a lot of different things, but a few of them allow an application to close another application. This is unwanted in most cases because you only want to close an application when YOU are ready, not when some other program on your system wants to. A message is generated for instance when you press the X button on a window. All a malicious program needs to do is mimic this message and Windows thinks you actually pressed the X button yourself.

    Some malicious software can use this to their advantage: they can detect that you are running some security software that may possibly detect them and send a Windows message to shut down the application. This means the malicious software can continue to run on your system even if your security software has the possibility of detecting it.


    Pilli
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I wonder whether I should turn that off for IE and OE.
    You know hackers often target these 2 applications for malicious purposes.
    If I see there's no real loss when I turn them off, I will do so.

    Maybe...

    As to password-protected software like ZA, the problem is that when the alert first occurs, I will be prompted for a password. Later on, I don't need to do so since I am logged on. The problem is I can't log on and off all the time. It will cause confusion or mistakes, not to mention being time-consuming.
    Fortunately, as you say, it is kernel-based software, so it is safe. But what about if the software is password-protected in this way AND it's not kernel-based software?

    In fact, based on your recommendation, I'm going to protect only:
    - McAfee
    - MS-AS


    Thanks for your quote. :)
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Whether software runs at kernel-level or not should make no difference - SMH should only be used for applications that do not offer password protection against being closed (for a specific example of an exploit which SMH can counter, see the Multiple Firewall Products Bypass Vulnerability thread).
     
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I am worried about the issue relating to the operation of the password-protected method. The problem is that when the alert first occurs, I will be prompted for a password. Afterward I don't need to do so since I am logged on.

    The workaround may be that I log on and off all the time, but it will cause confusion or mistakes, not to mention being time-consuming.
     