Problem with PG blocking NETBT driver

Discussion in 'ProcessGuard' started by frogfoot, Dec 20, 2005.

Thread Status:
Not open for further replies.
  1. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Hello,
    I am having a real problem with this! Until now I have been using a fixed IP address on my PC; however, circumstances have required me to change to a DHCP-allocated IP. However, the DHCP service fails to start when PG is running (and block rootkits is enabled). The problem is that the dependent service NETBT fails with a 'Handle is invalid' error (this immediately pointed me to PG as the culprit, as you get this error if you decline an application from being able to run).

    The PG logs do not reveal any blocked service or applications so I can only imagine this is happening prior to the logging component initialising.

    Does anyone know what Windows component loads the NETBT.SYS driver? I ask because I imagine I must have set its protection properties to deny service installs. I have tried allowing Services and SVCHost the install drivers privileges but to no avail.

    Please someone help me before this PC ends up in the garden!

    Thanks
    Tom

    (The service starts up with no problems if PG is disabled.)
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    I believe it is System that will load netbt.sys.

    You could try PG back in learning mode for one reboot and let it go through the DHCP process.

    Regards,

    CrazyM
     
  3. frogfoot

    Hmm, I had both those thoughts too. I have given system 'install driver' privs as well as done a double reboot in learning mode. The only way to get the NETBT service loaded is to disable 'rootkit protection'.
     
  4. CrazyM

    Once the trusted process is approved with the reduced protection/learning mode, does it work when you re-enable rootkit protection?

    Regards,

    CrazyM
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Which version of PG is this? Please mention which beta if it is a beta.
     
  6. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Something else you can try is to do a repair on the NIC in question. If the OS is XP (you did not say) go to Control Panel > Network Connections > the connection in question > Support tab > Repair. This will force a renew on the IP lease for that connection; make sure PG is in learning mode when you do this.
     
  7. frogfoot

    Sorry for the delay in posting this, I am using V3.200 full version. I am still having problems. With 'Block Rootkit/driver installations' enabled I get the following errors in the event log.

    The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
    The handle is invalid

    The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
    The handle is invalid.

    The NetBios over Tcpip service failed to start due to the following error:
    The handle is invalid.


    I have tried performing several reboots in learning mode; however, this does not fix the problem. In addition, there are no entries in the 'alerts' tab, which should indicate if anything was blocked.

    My only option currently is to disable the 'rootkit/driver install' feature.

    Tom
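
Added example, not part of the original post and not ProcessGuard code: the three event log entries quoted above describe one root failure and two cascaded ones, and this Python example separates them so troubleshooting starts at the service that actually failed. The function names are hypothetical; the message patterns and sample text are taken from the excerpt in the post.

```python
import re
from collections import defaultdict

# Message shapes taken from the event log excerpt quoted in the post.
DEPENDS = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) "
                     r"service which failed to start because of the following error:$")
FAILED = re.compile(r"^The (?P<svc>.+?) service failed to start due to the following error:$")

# Sample input: the three entries from the post, copied as plain text.
SAMPLE_LOG = """\
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
The handle is invalid
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
The handle is invalid.
The NetBios over Tcpip service failed to start due to the following error:
The handle is invalid.
"""

def parse_events(text):
    """Return (service, dependency or None, error text) for each logged failure."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i, line in enumerate(lines):
        m = DEPENDS.match(line) or FAILED.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # If the error line is missing, the next line is another header.
        error = "" if DEPENDS.match(nxt) or FAILED.match(nxt) else nxt.rstrip(".")
        events.append((m["svc"], m.groupdict().get("dep"), error))
    return events

def triage(text):
    """Map each root-cause service to its error and the services it blocked."""
    waiting_on, errors = defaultdict(set), {}   # dependency -> services waiting on it
    for svc, dep, err in parse_events(text):
        if dep is None:
            errors[svc] = err                   # direct start failure
        else:
            waiting_on[dep].add(svc)
            errors.setdefault(dep, err)         # root entry may be absent from the log
    cascaded = set().union(*waiting_on.values())
    report = {}
    for root in errors.keys() - cascaded:       # failed, but not waiting on anything
        blocked, stack = set(), [root]
        while stack:                            # follow dependents transitively
            for svc in waiting_on[stack.pop()] - blocked:
                blocked.add(svc)
                stack.append(svc)
        report[root] = {"error": errors[root], "blocked": sorted(blocked)}
    return report
```
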
     
  8. Gavin - DiamondCS

    Have you ticked "block new & changed programs"?

    If so, disable that.
     
  9. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I wonder if the problem might be with your settings in "network connections" or in "services".

    Check the settings in "network connections" and in "services".

    I am not running PG 3.2 so I don't know if there are special problems with it. (I am running PG 3.15.)

    In network connections, I have "netbios.." disabled, and, in "services", I just recently disabled the "netbios helper". I am not having any problems right now. The only thing new that I have done recently was to disable that "netbios helper" in "services".

    My setup is basic, no network and no router.
     
    Last edited: Jan 25, 2006