PG Security Hole?

Discussion in 'ProcessGuard' started by redwolfe_98, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I recently reset the "defaults" in PG's (PG 3.15) "protection", and after I rebooted, PG did not recognize my Kerio firewall or ewido. Those two running processes were not automatically added to PG's protection. I tried rebooting a second time, still in learning mode, but the two processes (and maybe also ewidoctrl.exe) were still not recognized. I tested this a second time, resetting PG's "defaults", but had the same results.

    Perhaps the reason that PG did not recognize these two running processes was because they run at the kernel level. If so, wouldn't that mean that, likewise, any malware running at the kernel level would get past PG?

    Maybe PG 3.3 beta is a move towards patching this security hole?
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Why would they be added to the protection list automatically? AFAIK, in learning mode files are just added to the security list, and if they require special permissions then they'll be added to the protection list.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Really low services can start before PG (unless you use the option to set PG's driver to SYSTEM), but with PG active on a system you can't install services. They have to get there somehow for it to be any issue. Obviously starting the driver earlier is more secure in a sense, but there is no difference on a booted system.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Wouldn't starting PG's driver at BOOT instead of SYSTEM be better (i.e. meaning PG would start as early as possible)?
     
  5. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Maybe I just never noticed before that some running processes (that I see in Task Manager after logging in) were not automatically added to PG's protection when PG is in learning mode.

    Many of the running processes were automatically added to PG's "protection", but a few were not.
     
  6. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Redwolfe.

    You could try shutting down those apps, then, with PG running, start them up again manually; PG should spot them this time. That's what I did a while ago when I noticed an exe or two weren't there that should have been. I also noticed they started before PG, even with PG starting as 'system'.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    BOOT is before the filesystem is active, and also before any Win32 processes are running :)

    Perhaps at some time BOOT will be an option. Not yet, as this driver will not function as a BOOT driver. A boot driver will also be more unstable and needs more work put in for very minimal gain in real-world terms. It would be nice, of course.. ;)
     
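The start-order question running through Gavin's two replies (which services can load before PG's driver at its default start, what changes when the driver is set to SYSTEM, and why BOOT would mean loading before the file system) can be modelled in a few lines. The block below is an added illustration, not ProcessGuard's or DiamondCS's code. The Start values are the documented registry values (0 BOOT, 1 SYSTEM, 2 AUTO, 3 DEMAND, 4 DISABLED); the group list is a constructed excerpt in the spirit of ServiceGroupOrder\List, and every driver and service name in the sample ("procguard", "examplefw", "exampleav", "exampleui") is a hypothetical stand-in, not the real Kerio, ewido or PG driver names.

```python
"""Model the Windows driver/service start order the thread is discussing.

Added illustration (not ProcessGuard's or DiamondCS's code). The Start values
are the documented ones from HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Start;
the group list and the service entries below are constructed for the example,
and the driver names are hypothetical stand-ins.
"""
from dataclasses import dataclass
from typing import List, Optional

# Start values: 0 BOOT (loaded by the OS loader before the kernel runs),
# 1 SYSTEM (loaded by the I/O manager during kernel initialisation, after the
# boot drivers, which include the boot file-system driver), 2 AUTO (started by
# the Service Control Manager once the system is up), 3 DEMAND, 4 DISABLED.
BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED = range(5)
PHASE = {BOOT_START: 0, SYSTEM_START: 1, AUTO_START: 2}   # anything else never loads at boot
NOT_AT_BOOT = 3

# Constructed excerpt in the spirit of ServiceGroupOrder\List (the real list is longer).
GROUP_ORDER = ["Boot Bus Extender", "System Bus Extender", "SCSI Class",
               "File System", "Base", "Filter", "Network"]


@dataclass
class Service:
    name: str
    start: int
    group: str = ""
    tag: Optional[int] = None   # GroupOrderList position within the group


def start_key(svc: Service):
    """Sort key approximating load order: phase, then group, then tag.

    The name tiebreak is only for determinism; real auto-start ordering among
    SCM services is driven by DependOnService, which this model ignores.
    """
    phase = PHASE.get(svc.start, NOT_AT_BOOT)
    group_rank = GROUP_ORDER.index(svc.group) if svc.group in GROUP_ORDER else len(GROUP_ORDER)
    tag = svc.tag if svc.tag is not None else 1 << 30   # untagged entries go last in their group
    return (phase, group_rank, tag, svc.name.lower())


def boot_order(services: List[Service]) -> List[str]:
    """Names of everything that loads during boot, in approximate order."""
    return [s.name for s in sorted(services, key=start_key)
            if PHASE.get(s.start, NOT_AT_BOOT) < NOT_AT_BOOT]


def started_before(services: List[Service], target: str) -> List[str]:
    """Everything already running when `target` loads: the window a driver cannot observe."""
    order = boot_order(services)
    return order[:order.index(target)]


def precedes_filesystem(services: List[Service], target: str, fs: str = "ntfs") -> bool:
    """True if `target` loads before the file-system driver (Gavin's BOOT caveat)."""
    order = boot_order(services)
    return order.index(target) < order.index(fs)


# Constructed sample: hypothetical names standing in for the thread's firewall,
# AV and user-mode components.
SAMPLE = [
    Service("disk", BOOT_START, "SCSI Class", 1),
    Service("ntfs", BOOT_START, "File System", 1),
    Service("examplefw", SYSTEM_START, "Base", 2),    # hypothetical firewall driver
    Service("exampleav", SYSTEM_START, "Filter", 2),  # hypothetical AV driver
    Service("exampleui", AUTO_START),                 # hypothetical user-mode service
    Service("optional", DEMAND_START),
]


def with_pg(start: int, group: str = "", tag: Optional[int] = None) -> List[Service]:
    """The sample plus a hypothetical 'procguard' driver entry with the given Start."""
    return SAMPLE + [Service("procguard", start, group, tag)]


if __name__ == "__main__":
    for label, cfg in [("AUTO", with_pg(AUTO_START)),
                       ("SYSTEM, untagged", with_pg(SYSTEM_START, "Base")),
                       ("SYSTEM, tag 1", with_pg(SYSTEM_START, "Base", 1)),
                       ("BOOT", with_pg(BOOT_START, "Boot Bus Extender", 1))]:
        print(f"{label:17}: before PG = {started_before(cfg, 'procguard')}, "
              f"filesystem up = {not precedes_filesystem(cfg, 'procguard')}")
```

Running it shows the three situations in the thread side by side: at AUTO every boot and system driver (and, in this model, an earlier user-mode service) is already up before the hypothetical "procguard" entry loads; at SYSTEM only the boot drivers and any same-group driver with a lower tag precede it; at BOOT in an early group nothing precedes it, but precedes_filesystem() is then True, which is exactly why a driver written for SYSTEM start cannot simply be flipped to BOOT. Real boot ordering also involves the "Boot File System" group, GroupOrderList tags that the sample only approximates, and SCM dependency chains for Automatic services, none of which changes the phase boundaries shown here.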