PG v2.000 - BOCLEAN 4.11

Discussion in 'ProcessGuard' started by Oremina, Mar 31, 2004.

Thread Status:
Not open for further replies.
  1. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi Gents

    Does this ring a bell with anybody, or has anyone else experienced a similar problem?


    Since installing PG v2.00 2 - 3 days ago, BOClean 411 only intermittently opens up on boot/reboot.

    The icon does not appear in the System Tray. The two files normally present in Task Manager (BOCSEC.exe and BOClean.exe) are absent. I then have to start BOClean manually from Start - All Programs - BOClean.. It then runs OK and may/may not appear after the next reboot. I guess around 50% of the time it fails to flash up.

    I have all four BOCLEAN files in my Program Protection (BOClean.exe, BOCSEC.exe, BPC4UPD.exe and BOCEXC.exe) just from trying to solve the problem, though I don't know if that is the correct thing to do or not. Possibly someone may comment on that too?

    In General Protection Options, I have all four Options ticked (enabled). Therefore, because it was wanting to Write and set Global Hooks at various times, I have BOClean.exe set with full Allowed Privileges of Write, Terminate, Suspend and Set Info, plus Allow Global Hooks.

    Yet still, BOCLEAN only opens up on reboot very erratically and I'm just starting to get my knickers in a twist here, 'cos I really don't know what I'm doing too well - all trial and error for me and hoping for the best.

    Possibly I'm missing something obvious, or simple.
    It is only a minor nuisance, but a nuisance nevertheless. BOClean has always been well behaved for me, never the slightest problem.

    Most grateful for any advice from all you people with more experience and wiser heads than me. (I have, by the way, tried uninstalling and reinstalling BOClean - no difference.) I am completely stumped at the moment.

    o_O
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Oremina, I do not run BoClean but I found this post by Pikedude that may be useful to you:

    Pikedude Quote

    I just had to reboot one more time before I posted this to make sure that BoClean would load again and it has for the past 5 reboots!

    At first all I had in the Program Protection with all the options turned on was Boclean.exe but it would not load. Then I also added the Bocsec.exe with all the options turned on and that did not help.
    Now here's the crazy part (hopefully someone can explain it to me) I then added the BoClean database file (boc411.xvu) to the Protected Programs with the Allow Global Hooks and voila, BoClean loads at every boot (now at 5 boots just to be sure). I then removed the file from the Protected Programs and BoClean did not boot anymore, I had to manually click on the BoClean icon for it to load. I then placed the database file back into Protection with Allow Global Hooks and it started loading again.

    I don't know if this is normal or really the case (maybe I was just very lucky at all the various boots), but it does seem to work for the moment.

    Just thought I would pass this information along.


    Also check: https://www.wilderssecurity.com/showthread.php?t=25720
     
  3. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi Pilli

    Thanks very much for your speedy reply and for your link to the Pikedude thread. I found it very interesting and it gave me a little food for thought.

    Don't think this is going to be resolved quickly - at least not by me - but I have tried one or two things in the last few minutes. It would appear that :-

    Unlike Pikedude, putting the data file boc411.xvu into Program Protection and allowing Global Hooks made no difference.

    Disabling Block Global Hooks in the General Protection Options did appear to make a difference and I rebooted five times with BOClean firing up each time.... Coincidence?? Possibly...

    I then enabled Block Global Hooks in General Protection Options and gave all four BOClean files in Program Protection Allow Global Hooks - all four of them which I hadn't done before.

    After five more reboots, BOClean fired up again each time. Again, possibly coincidence.

    Now, to be perfectly honest, none of this proves anything, but it possibly may give a glimmer of hope that it may be sorted. It's obviously not a widespread problem; as far as I am aware only Pikedude and I have complained about it.

    I'll keep watching what happens and if I find out anything concrete or positive I'll post again. Possibly Pikedude may have sussed something else out by now and may let us know in due course.

    Thanks for your help

    Best wishes
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    You're welcome Oremina :) Just keep popping in to see if someone comes up with a definitive answer.
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Are there any entries in PG's log about BOCLEAN needing any type of "driver/services" install? That's about the only thing I haven't seen you mention, either settings or log-wise. Just wondered if fooling with that would help.

    "Block Golden Hooks"? I like that! Does it do that automagically? :D Pete
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I've been having the same problem with BOClean since the 1.3 beta driver. PikeDude's idea did not work for me. Nor did Allow Driver/Services Install for all BOClean's related executables (as well as Allow Global Hooks). One new observation is that when BOClean does autostart, Process Guard exits without asking for human confirmation despite having set Close MSG Handling for it. When BOClean fails to start, Process Guard asks for human confirmation when exiting. Confirmed over several reboots.

    Nick
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Pete, Maybe there is a secret "premium" version - Let me know if you find out :p
     
  8. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi all
    Thanks for the interest..

    Pete - can you see me blushing - and that's not easy at my age... I guess it's what you would call a "Freudian Slip", maybe thinking about other things at the time... Anyhow, I'm pleased it raised a smile and brightened a day or two.

    I did indeed have some requests from BOclean.exe to Allow Drivers/Services, which I did, but it didn't make any difference.

    Have just tried another reboot and Boclean flashed up yet again (with "Allow Global Hooks" on all four BOClean executables). Hope I'm not kidding myself here, going to be gobsmacked now the first time it doesn't fire up.

    Nick - haven't tried CMH on it yet. What I'll do is watch it over the next day or two and post on that, either way. Can't really check anything else out until BOClean doesn't flash up again.

    Pete 'n Pilli - keep looking for those Golden Hooks (automagically)!!

    (I can't stand the embarrassment, my wife taking the mickey as well, so I've modified it)..

    :D
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    BOClean doesn't need driver/service privileges. The problem, which occurs with a lot of other apps besides BOClean, has been reported many times, and is a known issue. Jason knows about it.

    I believe the issue has to do with global hooks, and so two possible workarounds until the bug is fixed are to: (1) Start any applications that PG interferes with (such as BOClean) manually, rather than at startup; or (2) Disable GH blocking in PG's general protection options.
     
  10. donsan

    donsan Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    149
    Location:
    grand prairie tx
    Just thought I would jump in and say I run BOClean and have added all four BC exe's, ticked all allow flags and allowed global hooks. Since I have done this I have no problem with excessive BOClean logs or any problems with BOClean not starting on reboot.
     
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I have had the "not starting on boot" issue with several applications, and allowing GH for them does not solve the issue on my system.
     
  12. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    When BOCLEAN does not start, is there anything in the log at all relating to BOCLEAN or any other app which does not start?

    PG v2.0 lists everything that has happened since the driver was activated, unlike previous versions, so this would be helpful to know.

    -Jason-
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    This is the only log entry that is missing when BOClean does not start:

    31 Mar 21:35:58 - [EXECUTION] c:\progra~1\nsclean\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run

    Nick
     
  14. PikeDude

    PikeDude Registered Member

    Joined:
    Aug 3, 2003
    Posts:
    45
    Hi All,

    Just wanted to post an update with how BoClean and Process Guard is behaving on my system. As I had said in the original post, what I had tried was possibly not the solution to what the real problem with BoClean not starting up is. It was just a guess and trying to figure out what it might be, but since that last post about 4-5 days ago BoClean has started up every day and after every reboot that I have done since. I left the file (boc411.xvu) in the protected applications since it was not doing any harm.

    I haven't tried to remove it for fear of putting a hex on it :D but I also can't see what the real problem could be. We probably have some software or driver that is conflicting that others probably don't have.

    Also, looking back at my other posts I somehow forgot to mention that I'm running Windows XP Professional with the SP2 Release Candidate, if you have the same let us know, then we may finally get to the bottom of what is really happening.
     
  15. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Further thoughts..

    It's a new day and I've booted twice and BOClean has fired up correctly each time. This is with all four BO executables in Protection, GH on all four but full Allow privileges only on boclean.exe. Seems OK at the mo, but maybe just coincidence. (This is pretty much in line with donsan's experience).

    I have here XP HE SP1 and besides BOClean my security programs which open up on boot are NAV2002, NIS2002 and a² Guard. None of those have been affected.

    If it starts to play up again I shall revert to the suggestion by nameless and just disable Block GH until I hear further, but seems OK at the mo. I would suggest it isn't the proper answer vide the second post by nameless.

    For Jason... This is only the start of my fourth day with PG so I can hardly claim to be slick on this lovely bit of kit, and I am still in the steep part of the learning curve, but what I have tried to do is be advised by the logs and if any of the known and trusted apps have wanted privileges they have been granted. So if nothing else I know the different colours in the logs. nick s is quite right when he says that on the occasions that BOClean has failed to start there have been no log entries in red/purple, just the sea of green/blue. The BOClean entries are noticeable by their absence. I think that's what nick s is saying and I would agree with that.

    If anything else comes to mind that seems relevant I'll post again.
    Hi Pikedude - I did briefly try your suggestion of putting the BOClean.xvu into protection, but not the slightest effect here.. still I understand the hex problem... while it's working don't fix it eh?!!

    Thanks for the input from everyone.
     
  16. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Jason

    Following a Drive Image backup a short while ago, on reboot BOC icon was missing from systray and the two entries boclean.exe and bocsec.exe were missing from Task Manager.
    I immediately rebooted with the same result but looked at the log which said:-
    [Execution] c:\progra~1\nsclean\boclean\boclean.exe with commandline "c:\progra~1\nsclean\boclean\boclean.exe" was ALLOWED to run.

    I then manually started BOC and then got two entries in the log:-

    c:\program files\nsclean\boclean\boclean.exe with commandline "c:program files\nsclean\boclean\boclean.exe" was ALLOWED to run.

    Followed by the next entry

    c:\progra~1\nsclan\boclean\bocsec.exe with commandline c:\progra~1\nsclean\boclean\bocsec.exe was ALLOWED to run.

    Hope this makes some sort of sense to you, but certainly there was only one entry when BOC failed to fire up on boot up and two entries after manual start.

    Regards
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Since BOCLEAN.EXE launches BOCSEC.EXE, what those log entries tell me is that when BOClean failed to start correctly, it simply terminated before being able to launch BOCSEC.EXE.

    I think that speaking of multiple EXE files and other supporting files (such as the BOClean database file) needlessly complicates the matter. I have the same issue everyone is talking about here with simpler, one-EXE utilities like KatMouse, and while using nothing but LFN.
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Have any of you guys contacted Kevin in regards to this?

    Would be helpful to find out why BOClean is failing in some instances with PG and Block Global Hooks enabled.

    I still think this is caused by using 8.3 pathnames for some things, and that there must be a small bug in PG's 8.3 pathname resolving, but Kevin would be able to verify this.

    -Jason-
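One way to check the launch chain the log entries above describe (boclean.exe should be followed by bocsec.exe) while treating the 8.3 and long spellings of the same path as equal, as Jason's 8.3 hypothesis requires. This is an added example, not ProcessGuard's or BOClean's code; the log lines are constructed in the format quoted in this thread, and the small 8.3 lookup table is an assumption standing in for a real short-name resolver.

```python
import re
from datetime import datetime

# Constructed sample in the ProcessGuard v2 log format quoted in this thread.
# First line: a boot on which only boclean.exe ran (bocsec.exe never appeared).
# Last two lines: a manual start, where boclean.exe launched bocsec.exe.
SAMPLE_LOG = [
    '31 Mar 21:35:50 - [EXECUTION] c:\\progra~1\\nsclean\\boclean\\boclean.exe '
    'with commandline "c:\\progra~1\\nsclean\\boclean\\boclean.exe" was ALLOWED to run',
    '31 Mar 21:40:12 - [EXECUTION] c:\\program files\\nsclean\\boclean\\boclean.exe '
    'with commandline "c:\\program files\\nsclean\\boclean\\boclean.exe" was ALLOWED to run',
    '31 Mar 21:40:13 - [EXECUTION] c:\\progra~1\\nsclean\\boclean\\bocsec.exe '
    'with commandline c:\\progra~1\\nsclean\\boclean\\bocsec.exe was ALLOWED to run',
]

# Assumed 8.3 -> long-name table. On a live Windows box GetLongPathNameW would
# resolve these; offline we hard-code the one alias that appears in the thread.
SHORT_NAMES = {"progra~1": "program files"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[execution\] "
    r"(?P<path>.+?) with commandline .+? was (?P<verdict>allowed|blocked) to run$",
    re.IGNORECASE,
)


def normalize_path(path: str) -> str:
    """Lower-case and expand 8.3 components so both spellings compare equal."""
    parts = path.strip('"').lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def parse_executions(lines):
    """Return (timestamp, normalized path, verdict) for each EXECUTION entry."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d %b %H:%M:%S")
            events.append((ts, normalize_path(m["path"]), m["verdict"].upper()))
    return events


def orphaned_parents(events, parent_exe, child_exe, window_seconds=30):
    """Timestamps of parent launches not followed by the child within the window.

    For BOClean the expected chain is boclean.exe -> bocsec.exe, so an orphan
    means boclean.exe ran but exited before it could spawn bocsec.exe.
    """
    orphans = []
    for i, (ts, path, verdict) in enumerate(events):
        if verdict != "ALLOWED" or not path.endswith("\\" + parent_exe):
            continue
        followed = any(
            p.endswith("\\" + child_exe) and 0 <= (t - ts).total_seconds() <= window_seconds
            for t, p, _ in events[i + 1:]
        )
        if not followed:
            orphans.append(ts.strftime("%d %b %H:%M:%S"))
    return orphans


if __name__ == "__main__":
    print(orphaned_parents(parse_executions(SAMPLE_LOG), "boclean.exe", "bocsec.exe"))
```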
     
  19. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Have just emailed Kevin and asked if he can spare a mo to have a quick looksee here, to see if he can add anything.

    I also take on board the views of nameless, who is having problems with simpler one exe programs, in which case it is hardly likely to be simply a BOClean problem.. more like Global Hooks, but I'll keep quiet now, as with my knowledge on any of this I can't possibly do any good, just groping in the dark.
    Thanks for your input nameless, Jason and everybody else.
     
  20. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Hiya ... back on March 10, Wayne requested a "full copy" of BOClean 4.11 for testing which we submitted within minutes. At that same time, we had requested a copy of the PG for our own testing but Wayne said "no need, there's a new one coming." Never did get a copy of it. Surprising since our guys and your guys have many years of cooperative history.

    I won't throw out specifics of our design in public, but I can say that all we're using is a SINGLE "HSHELL_WINDOWCREATED" hook which is used to ensure that BOClean hasn't been killed by a nasty. This in turn is used to refire BOClean should this occur. There's more to it, but I don't want to put our techniques out in public. We chose this primarily because being a DOCUMENTED Win32 procedure, it is supported on Win95/98/ME as well as NT/2000/XP.

    From the sound of it, messages between our DLL and our programme are getting stomped whereas this wasn't the case prior. I suspect the problem might be the use of "undocumenteds" which Microsoft has said they are culling from the OS (insert standard Microsoft disclaimer on the use of "undocumenteds" here, heh) ... contact us at support@nsclean.com and we'll try to help out. However, it does look as though things that don't NEED to be intercepted are being trapped ...
     
  21. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Kevin

    Most grateful for your timely response. It is much appreciated.
     
  22. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    *frown*
    Kevin mate, if you were unhappy about anything you could've just dropped me an email!

    I asked for a copy of BOClean for PG compatibility testing simply because you don't have a demo/evaluation version available for download from your website, so I didn't have much choice - if you did I would've just used that. When you enquired about Process Guard I told you that the free version is virtually identical to the registered version with the one exception being that the registered version can protect more than one user-defined process which is all you'd need for compatibility testing, and you were happy with that response then so I'm a bit puzzled as to why you're upset now.

    You said "but Wayne said 'no need, there's a new one coming.'", but let's put it in proper context again - here's the full paragraph:
    The start of your response:
    So I don't understand why you've had a change in heart, but you can test compatibility issues between BOClean and PG now because the free and full versions of PG are identical with the exception of protecting multiple processes, so I don't see what the problem is?
    But even though it's a bit pointless as the free version does all you need for testing, I'll send you a license to the full version in the morning as a sign of good faith. So, everything AOK then? *extends hand* :)
     
  23. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    And apologies back at ya ... emailed you separately but won't go into that here - I'm sure you can verify if anyone needs to know that it's all amicable.

    I was just surprised to see the response from Jason was all. You and I (and several others of us in this "biz") have always had a long history of cooperation with one another so the response came as quite a surprise to me as well.

    But hey, as offered, I'll hand over the source code if need be so you can see what that hook is about - it's the least harmless of all hooks in the WinAPI and certainly as a "notify hook" can't be used maliciously in any way that I can imagine.

    I'll leave it there, and be happy to help out with specifics as we've always done for each other ... after all, PRUDENT vendors such as each other want interoperability to be a "given" for our customers. It's THAT important ... but I don't need to tell YOU this. :)
     
  24. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Thanks, but not necessary. :) I'm just happy there are no problems (it would've ruined the weekend!)

    Thanks, but not required. :) But unfortunately this hook cannot be used for security purposes, I'll email you with full details. Full Disclosure lists would have a party with it :doubt:

    Anyway we'll do some more compatibility testing on additional machines with PG and BOClean today to try and isolate what's going on, hopefully we'll have an answer in the next six hours or so in which case I'll email you the details and post a summary here.

    Cheers,
    Wayne
     
  25. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Kevin,

    I was just wondering if you have any code which if something fails (I guess this hook would be the starting place) that your app gracefully doesn't start? It would be helpful for me to know that it is your program that is gracefully shutting down rather than "something weird" going on like a crash causing it to not startup.

    I will run some BOClean tests personally today to see if I can track down the issue, thanks for your timely response.

    -Jason-
     