PG3 - Correct Protection Settings for Various EXEs

Discussion in 'ProcessGuard' started by LuckMan212, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hi--

    I am still more or less a newb with PG 3.0, and probably a lot of users are as well seeing as how the final is only a few days "out in the wild". :)

    So I was wondering, maybe scattered around there is bits of info here and there on the "best" way to configure PG for various services, but I would love for someone (Jason, Wayne, or any other knowledgeable member) to post the official recommended "Protection Tab" settings for the following processes:
    Code:
    Protect From:     Authorize To:      Options:
     T   M   R         T   M   R      IGH IDS APM SMH
    ====================================================
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]ad-aware.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      alg.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      apm.exe
    [ ] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]ati2evxx.exe[/COLOR] [ati catalyst 4.10]
    [X] [X] [ ]       [ ] [ ] [ ]     [X] [ ] [ ] [ ]      [COLOR=DarkRed]cryptosuite.exe[/COLOR]
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      csrss.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      dllhost.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      dwwin.exe
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]emule.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [X] [ ] [ ] [ ]      explorer.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      helpsvc.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      hh.exe
    [X] [X] [ ]       [ ] [X] [X]     [X] [ ] [X] [ ]      iexplore.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]javaw.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      lsass.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      mmc.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      msdtc.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      msiexec.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]nod32krn.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      ntvdm.exe
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [X] [ ] [ ]      [COLOR=DarkRed]Opera.exe[/COLOR]
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]portexplorer.exe[/COLOR]
    [X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      [COLOR=DarkRed]procexp.exe[/COLOR] [process explorer]
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]proxomitron.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      regsvr32.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      rundll32.exe
    [X] [X] [ ]       [X] [X] [X]     [X] [X] [ ] [ ]      [COLOR=DarkRed]securitysuite.exe[/COLOR] (Ewido)
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      services.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [X] [X] [ ]      smss.exe
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      svchost.exe
    [X] [X] [ ]       [X] [ ] [X]     [ ] [ ] [ ] [ ]      taskmgr.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      [COLOR=DarkRed]trojanhunter.exe[/COLOR]
    [X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      vssvc.exe
    99% of these are Microsoft code, part of a standard XP install. The 3rd party ones I listed in red (ati, ad-aware, nod32, etc).

    I realize it's a long list, but maybe this can become some sort of sticky thread if we can get some definitive answers. I am starting off the chart with my settings and will fill in and update it as people post. Thanks!!
     
    Last edited: Nov 5, 2004
  2. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hmm.. thought this thread would be more popular.. guess you all have your settings perfect then? If that's the case, care to share your experience for the rest of us? ;)
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    I suspect the reason there isn't much response, is the new learning mode tailors the protection to the individual system requirement, and so a one size fits all isn't really required. Individually one might fine tune a few settings like for example I know some people have disallowed physical memory access for Internet Explorer. I've chosen to leave it on. This kind of list was more necessary when you had to manually configure everything you added.

    Pete
     
  4. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Exactly... which is why a definitive list is absolutely necessary. Learning mode is GREAT but it should not be relied on (IMHO) to automatically provide the most secure or efficient settings.

    You just gave a great example -- iexplore.exe -- does it need "Access Physical Memory" or not? If it doesn't need it, why do you have it on?

    More examples, if someone, during their "Learning Mode" period, runs some app that uses services.exe to install a driver, well guess what: now services.exe will get the "install drivers/services" privilege. We have all seen the various posts here from DCS that recommend that services.exe NOT be given this permission, as it is a security risk.

    SO... yes learning mode is great but this list is still sorely needed IMHO. To help out I have updated my original post with my current settings to get this started... if anyone has changes that should be made let me know and I will update it.
     
    Last edited: Nov 5, 2004
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,

    First of all:

    This problem has been addressed by now and now it looks like this: PG can now control which apps call services.exe to have their driver/service installed. Now, programs that have the "install drivers/services" privilege can do so either by directly doing it or by having services.exe doing the job. OTOH, programs that don't have that privilege are not allowed to call services.exe to do it for them. Quite ingenious, if you ask me.

    The only thing you have to remember is that, now, services.exe does have to have "install drivers/services" allowed!
    No risk in that, because, as I said, the access to services.exe itself is now patrolled.

    HTH,
    Andreas
     
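As an added example (not code from this thread, from DiamondCS, or from ProcessGuard itself), the Python below parses the checkbox table format used in the first post, diffs two posters' settings the way the thread does by hand, and models the services.exe rule Andreas1 describes above. Assumptions: the column order follows the table header; IGH, IDS and APM are read as the thread spells them out (install global hooks, install drivers/services, access physical memory), while T/M/R and SMH are kept as bare column abbreviations; and `may_install_driver` is an interpretation of the described rule, not ProcessGuard's actual logic. The sample rows are copied from the two tables posted in this thread.

```python
import re

# Column order of the checkbox rows posted in this thread (header line):
#   Protect From: T M R | Authorize To: T M R | Options: IGH IDS APM SMH
# The thread spells out IGH = install global hooks, IDS = install
# drivers/services, APM = access physical memory; T/M/R and SMH are kept
# as the column abbreviations because the thread does not expand them.
COLUMNS = (
    "protect_T", "protect_M", "protect_R",
    "auth_T", "auth_M", "auth_R",
    "IGH", "IDS", "APM", "SMH",
)

CELL = re.compile(r"\[( |X)\]")            # one checkbox, "[X]" or "[ ]"
BBCODE = re.compile(r"\[/?COLOR[^\]]*\]")  # unrendered [COLOR=...] forum tags
EXE = re.compile(r"\S+\.exe", re.IGNORECASE)


def parse_table(text):
    """Parse checkbox rows into {exe: {column: bool}}.

    Header, separator and commentary rows (anything without exactly ten
    checkboxes followed by an .exe name) are skipped.
    """
    policy = {}
    for line in text.splitlines():
        cells = list(CELL.finditer(line))
        if len(cells) != len(COLUMNS):
            continue
        tail = BBCODE.sub("", line[cells[-1].end():])
        name = EXE.search(tail)
        if not name:
            continue  # e.g. "Almost all malware scanners I have ..."
        policy[name.group(0).lower()] = {
            col: cell.group(1) == "X" for col, cell in zip(COLUMNS, cells)
        }
    return policy


def diff_settings(mine, theirs):
    """Columns that differ, for every process present in both tables."""
    out = {}
    for exe in sorted(set(mine) & set(theirs)):
        changed = [(col, mine[exe][col], theirs[exe][col])
                   for col in COLUMNS if mine[exe][col] != theirs[exe][col]]
        if changed:
            out[exe] = changed
    return out


def may_install_driver(policy, requester, via=None):
    """Model of the rule Andreas1 describes (an interpretation, not PG's code).

    A process may install a driver/service only if it holds IDS itself.
    If it asks another process (services.exe in the thread) to do the
    install, the requester still needs IDS in its own right, and the
    deputy needs IDS too because it is the one that performs the install.
    """
    if not policy.get(requester, {}).get("IDS", False):
        return False
    if via is None:
        return True
    return policy.get(via, {}).get("IDS", False)


# Constructed sample: rows copied from the two tables posted in this thread.
LUCKMAN = """\
Protect From:     Authorize To:      Options:
 T   M   R         T   M   R      IGH IDS APM SMH
====================================================
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]emule.exe[/COLOR]
[X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      [COLOR=DarkRed]procexp.exe[/COLOR] [process explorer]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      services.exe
[X] [X] [ ]       [X] [ ] [X]     [ ] [ ] [ ] [ ]      taskmgr.exe
"""

ANDREAS = """\
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      Almost all malware scanners i have, with the exception of:
[X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      procexp.exe
[X] [X] [ ]       [X] [X] [X]     [X] [ ] [ ] [ ]      taskmgr.exe
"""


def demo():
    mine, theirs = parse_table(LUCKMAN), parse_table(ANDREAS)
    diffs = diff_settings(mine, theirs)
    # In the first post's table services.exe has no IDS, so even procexp.exe,
    # which holds IDS, cannot get a driver installed through it.
    before = may_install_driver(mine, "procexp.exe", via="services.exe")
    mine["services.exe"]["IDS"] = True  # the change Andreas1 says is required
    after = may_install_driver(mine, "procexp.exe", via="services.exe")
    # emule.exe holds no IDS, so going through services.exe does not help it.
    laundered = may_install_driver(mine, "emule.exe", via="services.exe")
    return diffs, before, after, laundered


if __name__ == "__main__":
    diffs, before, after, laundered = demo()
    for exe, changes in diffs.items():
        for col, a, b in changes:
            print(f"{exe:16} {col:10} LuckMan212={a!s:5} Andreas1={b!s:5}")
    print("procexp.exe via services.exe, services.exe without IDS:", before)
    print("procexp.exe via services.exe, services.exe with IDS:   ", after)
    print("emule.exe via services.exe:                            ", laundered)
```

Running it lists the two taskmgr.exe differences between the posted tables (authorize Modify and IGH) and shows why Andreas1 says services.exe itself must hold "install drivers/services": with that box unchecked the deputy cannot perform the install for anyone, while a process without the privilege still gains nothing by routing its request through services.exe.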
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Now for the specific settings:

    I suppose it's that IE works with glitches or slower when this is off. And then it's a tradeoff, to be made by the one who's using the program. I have it off, but I am not using IE anyway. (Even my firewall won't let IE pass. In PG, I have removed all allowances from both IE and OE, but left them protected so that nothing could attack them.)

    Here are some settings of mine:
    Code:
    Protect From:     Authorize To:      Options:
     T   M   R         T   M   R      IGH IDS APM SMH
    ====================================================
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [X] [ ] [ ]      Opera.exe
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      emule.exe
    [X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      proxomitron.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      Almost all malware scanners i have, with the exception of:
    [X] [X] [ ]       [X] [X] [X]     [X] [X] [ ] [ ]      securitysuite.exe (Ewido)
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      trojanhunter.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      apm.exe
    [X] [X] [ ]       [ ] [ ] [ ]     [X] [ ] [ ] [ ]      cryptosuite.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      procexp.exe
    [X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      portexplorer.exe
    [X] [X] [ ]       [X] [X] [X]     [X] [ ] [ ] [ ]      taskmgr.exe
    
    Also, I have explorer.exe replaced, both as a window manager and as a file manager. Therefore, it has only T+M protection, nothing else.
    The window manager has
    Code:
    [X] [X] [ ]       [X] [X] [X]     [X] [ ] [ ] [ ]      blackbox.exe
    
    and the same for the file manager.

    Those malware scanners and guard with T+M protection and T+M+R authorization include: spywareblaster.exe, sgmain.exe (spywareguard), RegRun's Onsecure.exe Watchdog.exe and regrun2.exe, SpyBotsd.exe and its teatimer.exe and update.exe, a2guard.exe and a2scan.exe, sweepsrv.sys and wsweepnt.exe (Sophos), tds-3.exe and its services.exe ntsvcexp.exe ntlansvc.exe mem_obj.exe, and TrojanHunter's thguard.exe autostartexplorer.exe netstatviewer.exe and processviewer.exe.

    In some of the cases, I'm not sure - e.g. whether or not teatimer.exe needs terminate priv. or why opera seems to need to install a driver (it continues to work when I have it disallowed, but I'll do more research later).
    So much for now.

    HTH,

    Andreas
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Luckman212,

    I have the same questions and posted it in a different way in another thread. There doesn't seem to be any information that answers your questions at this point. So what I am doing is just waiting and accumulating information and see what is said. When I feel like I know enough about the product to use it then I will make the purchase. I figure it will take a few months.

    In the meantime, I have adopted a more conservative web browsing behavior and I am also in the process of putting some image copy procedures in place on my computers which I feel will be the fallback of last resort if I am hit by a virus or malicious trojan again. There is so much stuff out there, I think it is very difficult for the security vendors to stay totally on top of things. New holes are being found all the time. The good news is that I have noticed that the amount of malware (mostly unwanted cookies) on my computers has really subsided with a wiser surfing behavior.

    Rich
     
  8. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    First thank you for all the info.

    Where is this documented? Nowhere is this mentioned in the users manual, at least not that I could find. Nice to know, but I feel this stuff is important enough to be documented in the Help file.

    As to your specific EXE settings, I have incorporated them into my master list, above, except for a couple, which I have questions on:

    1) Why does Taskmgr.exe need "install global hooks"?
    2) Why does portexplorer.exe need "access physical memory"?

    Both of these work fine on my system without the above privs.
     
  9. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I like this, posting recommended settings for various applications.. I have been wanting to suggest to DCS that they do that.. let's do make this a sticky and continue to develop it..
     
  10. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    To be honest, I don't know the answer to either question. AFAIR, not even Jason could say - without doing much digging - why PE needs Access Phys. Memory. I just noticed these two programs requesting the mentioned privileges and being blocked in my PG log. I trust them sufficiently to simply allow them what they want there and to not even risk instabilities because of being over-cautious.

    But if someone knows what happens exactly, I might as well change my mind there...

    Sorry not to be able to tell you more.
    Andreas
     
  11. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I just want to say that I support this effort and will be looking over the list and adding any information I can. Mostly, I will be using the information this thread accumulates. I hope that the moderators will support this effort.

    Peter2150,
    I think learning mode simply makes PG more "user friendly." However, I think that everyone should manually verify and configure PG to ensure that PG is configured properly. Not ensuring proper configuration and solely relying on learning mode is risky.
     
  12. Dakhor

    Dakhor Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    75
    When I installed PG 3.100 - checked the four protection tabs - rebooted. Opened some security programs etc - rebooted again.

    I had 3 Windows components that are allowed to install drivers: services.exe (which has been explained why it is so) and also smss.exe and csrss.exe.

    Also winlogon.exe was granted termination authority.

    Now I'm a PG noob and prior to installing this prog I had no idea what a global hook was... But I think more explanation needs to be done to the core Windows system processes and what they should be able to do.

    I don't really need to know why explorer.exe should be granted authority to for instance install global hooks.

    An idea is to have 3 kinds of settings perhaps for the core programs PG is supposed to protect.

    1 - the Paranoids setting

    2 - the Secure setting

    3 - the hassle free setting

    You would be able to from the GUI individually set these three settings to the core processes by the default button for instance.

    Just an idea ... that's all ...


    /DaK/
     
  13. Arctic

    Arctic Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    46
    Actually a few months back I had this same question about how to configure Process Guard. I posted a request and got very little response. I even recommended that Diamonds make a list of most commonly used programs and what the ideal settings would be for them, but it never happened :( I know Diamonds is very busy, but I just wish there were some guidelines for inexperienced users to go by. I still love all my Diamonds products. They are the best and I recommend them to everyone. :cool:
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Arctic, we are compiling a database but it is a time consuming and long term effort.
    With 3.1 at least a lot of the heartache is taken by learning mode; very few programs are now causing incompatibilities and most of these have been discussed here with many solutions found.

    Cheers. Pilli
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Hi Arctic

    Pilli's right about the effort. I started adding some of my programs to the list and it is very time consuming, and I stopped because of 1st the time, and 2ndly most of my settings are the defaults, i.e. what Learning Mode assigns. Reading many of the posts here you may get the impression that this doesn't provide the best security, and maybe this is indeed true, but just consider, as you worry about giving too many privileges to something, that before you had Process Guard everything on your computer had all the privileges it wanted.

    If you go with Learning mode settings you still are many times safer than before you had Process Guard.


    Pete
     
  16. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    If you follow Andreas1's updated advice in the sticky thread then you are covered for the worst of what has been discussed so far. The main thing left is the potential for a program to be "run once" during startup without prior authorisation [prior to the PG GUI being loaded].

    As Peter2150 observes, you are miles better off than someone that doesn't have PG because the simpler and quite probably more common types of exploit just won't work now.

    Jason said that DCS are compiling a database of this information but that he wasn't sure when it would be ready for public consumption. Presumably that is what Pilli is referring to.
     
    Last edited: Jan 7, 2005
  17. Dakhor

    Dakhor Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    75
    I think a list and recommended settings is cool and all but why not go further?

    The idea is to make PG usable for a broader customer base. I can't possibly recommend PG to most of my friends no matter how good it is simply cuz they don't have the know-how to work with it.

    Learning mode is a very cool first step. But we all agree that the default settings have to be rather loose in order to get a hassle free start up for most users / systems.

    For example - Mr Noob who has PG installed and default settings enabled after learning mode gets an email from his anti virus software company stating that there is a new nasty virus out there infecting the core windows executable infectme.exe. Mr Noob freaks out, opens PG and selects the protection tab, marks infectme.exe right clicks and chooses Paranoid mode for this file.

    Now Mr Noob does not need to know what global hooks are etc etc. And the paranoid setting would be a setting for the specified file that works but not on all systems - i.e. it's not "hassle free".

    But perhaps it isn't even possible to make PG, let's say, "average computer know-how" user friendly...

    Ah well whatever -- I'll stop - tend to write essays full of nothing heh :)

    /DaK/
     
  18. David S

    David S Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    32
    I have the same questions as to which privileges to give programs. I think a sticky would be a great idea. Perhaps someone at Diamond could even post a snapshot here showing their PG protection settings on one of their computers. Not to give away anything confidential but just to allow us to see how to set up the Windows processes, common programs and Diamond programs correctly.
     