PG fails to block an execution

Discussion in 'ProcessGuard' started by SpikeyB, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I was just wondering about some odd behaviour by PG which I can't explain. I wondered if anyone might be able to shed some light.

    I downloaded and installed a game (winbr34.exe, a self extracting exe containing 43 objects).

    The shortcut to the game points to a file called mvpbr.exe. When I double click the shortcut or the actual file (mvpbr.exe is not on the protection or security tab), the game loads without PG blocking it (even though execution protection is enabled). Notepad also runs (an order form in notepad pops up when the game is closed).

    I checked the alerts tab and noticed that ntvdm.exe had started, command line:
    "c:\windows\system32\ntvdm.exe" -f-i3-w-a c:\windows\system32\krnl386.exe

    ntvdm.exe was in the protection tab with default allows (term+mod, mod+read) and access phys mem but not in the security tab (why does ntvdm.exe start?).

    I removed ntvdm.exe from the protection tab and set notepad.exe to be blocked on the security tab.

    Now the game loads and PG shows no alerts, other than notepad.exe has been blocked from starting (how does the game load without any alerts from PG to say it has started?).

    Anyone have any ideas?

    Thanks
     
    Last edited: Sep 19, 2005
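    Editor's note on the ntvdm.exe question above: the command line shown, with the -w switch and krnl386.exe (the 16-bit Windows kernel), is the Windows NT Virtual DOS Machine starting its Win16 (WOW) subsystem. DOS and 16-bit Windows programs are not launched as Win32 processes of their own; they are loaded inside the already-running ntvdm.exe process, so a product that hooks process creation sees ntvdm.exe start (or nothing at all, if an ntvdm.exe is already running) rather than the program's own file name. The following script is an added example, not code from the thread or from ProcessGuard: it classifies an executable by its header so you can tell in advance whether it will run as its own process (PE) or be hosted inside ntvdm.exe (DOS MZ, .COM or NE). The sample headers at the bottom are constructed inline for illustration and are not real files from the game.

```python
import struct
import sys


def classify_executable(data: bytes) -> str:
    """Return a label for the loader Windows will use for this image.

    Rules used (standard MZ/NE/PE header layout):
      - no 'MZ' signature          -> not an MZ image (e.g. a .COM, hosted by ntvdm)
      - e_lfarlc < 0x40            -> plain DOS MZ program, e_lfanew is not valid
      - 'PE\\0\\0' at e_lfanew       -> Win32/Win64 image, runs as its own process
      - 'NE' at e_lfanew           -> 16-bit Windows program, hosted by ntvdm/WOW
      - 'LE'/'LX' at e_lfanew      -> VxD / OS/2 image
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ image (.COM or non-executable; a .COM runs inside ntvdm.exe)"

    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]   # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "new" header

    # A plain DOS program keeps its relocation table at 0x1C; only when the table
    # starts at 0x40 or later is e_lfanew a pointer to a newer (NE/PE/LE) header.
    if e_lfarlc < 0x40 or e_lfanew + 4 > len(data):
        return "16-bit DOS MZ program (hosted inside ntvdm.exe)"

    sig = bytes(data[e_lfanew:e_lfanew + 4])
    if sig == b"PE\0\0":
        # The optional-header magic follows the 4-byte signature and 20-byte COFF header.
        magic_off = e_lfanew + 4 + 20
        if magic_off + 2 <= len(data):
            magic = struct.unpack_from("<H", data, magic_off)[0]
            if magic == 0x10B:
                return "32-bit PE (runs as its own Win32 process)"
            if magic == 0x20B:
                return "64-bit PE (runs as its own Win64 process)"
        return "PE image with truncated optional header"
    if sig[:2] == b"NE":
        return "16-bit Windows NE program (hosted inside ntvdm.exe via WOW/krnl386.exe)"
    if sig[:2] in (b"LE", b"LX"):
        return "LE/LX image (VxD or OS/2; not a Win32 process)"
    return "16-bit DOS MZ program (hosted inside ntvdm.exe)"


def _mz_header(e_lfarlc: int, e_lfanew: int) -> bytes:
    """Build a minimal 64-byte MZ header (constructed for the samples below)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, e_lfarlc)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


# Constructed sample images (headers only, not real programs):
SAMPLE_PE32 = _mz_header(0x40, 0x40) + b"PE\0\0" + bytes(20) + struct.pack("<H", 0x10B)
SAMPLE_NE = _mz_header(0x40, 0x40) + b"NE" + bytes(62)
SAMPLE_DOS = _mz_header(0x1C, 0) + bytes(16)
SAMPLE_COM = b"\xB4\x4C\xCD\x21"   # mov ah,4Ch / int 21h: a tiny DOS .COM


def classify_samples() -> dict:
    """Classify the constructed samples; handy for a quick self-check."""
    return {
        "pe32": classify_executable(SAMPLE_PE32),
        "ne": classify_executable(SAMPLE_NE),
        "dos": classify_executable(SAMPLE_DOS),
        "com": classify_executable(SAMPLE_COM),
    }


if __name__ == "__main__":
    # Usage: python classify_exe.py C:\path\to\mvpbr.exe [more files...]
    if len(sys.argv) == 1:
        for name, label in classify_samples().items():
            print(f"{name}: {label}")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {classify_executable(fh.read())}")
```

    Run it against the game's executable to confirm which category it falls in. Anything that classifies as DOS, .COM or NE will never appear to a process-creation hook under its own name; if that is the case here, an execution-protection rule on mvpbr.exe cannot fire, and the only control point is ntvdm.exe itself.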
  2. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Just set my system back before the game install.

    Removed ntvdm.exe from the protection tab and blocked notepad.exe from starting.

    The installation of the game couldn't proceed without ntvdm.exe being able to access physical memory (which it did have the first time I installed). Maybe it's the physical memory access that allows strange things to happen?
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    PG can be bypassed/disabled if a process can access physical memory. We were talking about this in another thread. I have ntvdm.exe set to access physical memory. I didn't set it that way. I have been running PG in learning mode and it got set that way in learning mode. I think I will deny it access to physical memory and see what happens. I also had PG give Internet Explorer access to physical memory during learning mode. I have changed that as I don't want IE, of all things, to have that ability.

    See this thread. Post #4.
    https://www.wilderssecurity.com/showthread.php?t=97907
     
  4. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478