Process Guard Execution Protection unreliable?

Discussion in 'ProcessGuard' started by 2lazy2login, May 12, 2005.

Thread Status:
Not open for further replies.
  1. 2lazy2login

    2lazy2login Guest

    I use Process Guard 3.150 (full version) on a Windows XP system. I have the execution protection enabled in Process Guard but I never really worried about its effectiveness because I also use Abtrusion Protector Monitor.

    However, I have noticed that many programs can still execute without Process Guard giving any prompts. A good way to test this is to simply log out of your current Windows XP session and then log back in. When I did this I received many prompts from Process Guard asking if I wanted to allow programs to run, for example Spyware Guard, ActiveSync, Fastnet99 etc.

    I am concerned because all of these programs were already running and I had not given them permission to do so within Process Guard (although they were permitted in all of my other security programs).

    Any feedback regarding this is appreciated. I was looking to uninstall Abtrusion Protector Monitor and to use Process Guard's execution protection as a substitute, but I am not confident of this anymore.
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Were you in Learning Mode for a period of time? If so, PG gives permission to all programs until Learning Mode is turned off. The idea is that the machine is clean when PG is installed, so all programs that are running at the time of the install can be given permission to run. This saves setup time.

    Rich
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If something runs too early during boot for PG to prompt you, it will also automatically allow it to start, to ensure that you can actually boot up. If you go into the "Security" tab, you will see some entries for "Permit Once (Unable to ask user)". It's good to check for these periodically; if you find something that you think might be malware, just right-click, set it to "Deny Always", and reboot.

    Other than that I've never seen an execution slip by PG.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Something else to consider is that, depending on the speed of your machine and what happens during boot, PG can sometimes take a long time to initialise, so the duration of "too early during boot" can vary...

    For no particularly good reason I decided to enable boot time Windows File Protection scanning, using HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and setting SfcScan to 1.

    As it turned out this had the side effect of consuming a fair amount of CPU and performing a fair amount of disk I/O during boot.
    Doing this causes PG to take a lot longer to initialise, actually to the point where I can easily interactively start programs and get no PG prompt.

    It's just something else to be aware of. The fact that you can artificially slow down PG like this doesn't really pose much more of a threat than what can already happen during boot; it just widens the time window.
     
  5. 2lazy2login

    2lazy2login Guest

    When I look through the Security tab I see quite a few "Permit Once - unable to ask user" entries. I do not worry about these since Abtrusion Protector Monitor's "Boot Time protection" has been proven to work on my system, denying any programs not explicitly permitted, regardless of how early they start in the boot process. I was just hoping to uninstall it to save on resources and to use Process Guard's execution protection instead.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    If you are running Abtrusion Protector on top of PG you are wasting a tremendous amount of PC resources. If you set up PG per the help file, nothing will get by Process Guard unless you allow it.

    Pete
     
  7. 2lazy2login

    2lazy2login Guest

    I will be uninstalling Abtrusion Protector and hope Process Guard's execution protection will do just as good a job. The main issue I have with Abtrusion is its constant churning of the hard disk, which is inherent due to it checking DLLs and its hashing (I assume).
     
  8. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Another thing to consider, if it applies to you (the log off/on scenario you mentioned is similar), I found on my system that if I boot with a network connection enabled by default, ProcessGuard loads much later and some applications are allowed to load earlier than ProcessGuard and therefore set hooks, install drivers, etc.

    To my surprise, when I disabled my network connection and rebooted for the first time without the LAN turned on, ProcessGuard warned me that applications were trying to set hooks and were being denied. I had added these all in manually before, but never allowed them to set hooks. Turns out they were always loading before ProcessGuard and therefore learning mode. They were simple special button handling apps and need to set hooks to work properly on my laptop, but I learned that if I want ProcessGuard to load as early as is possible, I need to reboot without a network connection enabled. If you are on a LAN or have some sort of broadband connection always set to enabled, you might try disabling it and rebooting to see if ProcessGuard is loading earlier than the processes you mentioned. Look at the Alerts tab after a fresh reboot.

    I now routinely right-click the network icon in my task tray and disable it before reboots. The difference in how much earlier ProcessGuard loads is substantial.
     
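Several posts above (Notok, gottadoit, rickontheweb) come down to the same question: which drivers does Windows load ahead of the Process Guard driver? The script below is an added example, not from this thread or from DiamondCS; it reads the Services and ServiceGroupOrder registry keys and lists boot-start and system-start drivers in their load-order-group sequence, then counts how many load before a driver you name. The driver name in $TargetDriver is a placeholder assumption; substitute the service name found under your own Services key.

```powershell
# Added example: show which kernel drivers Windows loads before a given driver,
# in load-order-group sequence. $TargetDriver is an assumption (placeholder);
# replace it with the real service name from your HKLM\...\Services key.
$TargetDriver = 'PLACEHOLDER_DRIVER_NAME'

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupOrder = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List

# Rank each load-order group by its position in the List value
$rank = @{}
for ($i = 0; $i -lt $groupOrder.Count; $i++) { $rank[$groupOrder[$i]] = $i }

$startNames = @{ 0 = 'Boot'; 1 = 'System' }

# Type 1 = kernel driver, 2 = file system driver; Start 0 or 1 load before logon
$drivers = Get-ChildItem $svcRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (($null -ne $p.Type) -and ($p.Type -band 3) -and ($null -ne $p.Start) -and ($p.Start -le 1)) {
        $grp = [string]$p.Group
        New-Object PSObject -Property @{
            Name      = $_.PSChildName
            StartCode = [int]$p.Start
            Start     = $startNames[[int]$p.Start]
            Group     = $grp
            # Drivers with no group, or an unlisted one, load after the listed groups
            Rank      = if ($grp -and $rank.ContainsKey($grp)) { $rank[$grp] } else { 9999 }
        }
    }
}

$ordered = $drivers | Sort-Object StartCode, Rank, Name
$ordered | Format-Table Name, Start, Group -AutoSize

$target = $ordered | Where-Object { $_.Name -eq $TargetDriver }
if ($target) {
    $before = @($ordered | Where-Object {
        ($_.StartCode -lt $target.StartCode) -or
        ($_.StartCode -eq $target.StartCode -and $_.Rank -lt $target.Rank)
    })
    "{0}: Start={1}, Group='{2}'; {3} drivers load ahead of it" -f `
        $target.Name, $target.Start, $target.Group, $before.Count
} else {
    "Driver '$TargetDriver' not found among boot/system-start drivers (check the name)"
}
```

Drivers in the same group load in the order given by that group's GroupOrderList entry, which this script does not resolve, so treat ties within one group as approximate.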
  9. 2lazy2login

    2lazy2login Guest

    "rickontheweb", what you describe does indeed apply to me, thanks for the info. Surely this is of concern if any program that loads before Process Guard can create hooks, install drivers/services etc.?

    Particularly for those running "Always On" connections. It seems to me that the solution to this would create another weak link. For example, if Abtrusion notices that an important system file has not been permitted to execute and has the potential to stop the system from booting, it warns you and gives you the option to "Allow execution". Furthermore, Abtrusion will disable itself after 3 unsuccessful boot attempts. So you get good boot time protection, but after 3 failed boot attempts this protection will be disabled, so it is potentially exploitable.

    There must be a way Process Guard can provide better boot protection while taking the above aspects into consideration.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I also would like to see PG provide better boot time protection.
    It has been brought up a few times now but not much movement has been seen.

    Wayne, would you care to comment on when or if you might be considering enhancing PG so that drivers and hooks and "permit once, unable to ask" executions don't happen before PG kicks into play?
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Remember the proposition that PG is based upon is that it is initially installed on a clean machine. Therefore, for anything to "install on boot" it must have been allowed past PG to begin with - or the machine was not initially clean. I use RegDefend to guard against any possible unauthorized registry entries, which provides additional protection.

    I have not discovered a scenario yet whereby an application could get past PG and RegDefend so that it could start up before PG does upon a reboot. However, there may be such a hole, which is why I monitor my system using other tools (Winsonar, Process Explorer, Port Explorer, FileMon, Security Task Manager, RootkitRevealer, etc.). But so far, nothing has gotten past KAV, much less PG + RegDefend. But if someone has had such an experience, or knows of a theoretical scenario, it would be interesting to know and discuss.

    I know of people where I live who have one lock on their door, others who have two (for backup) and others who have even more. I guess at some point, each person needs to make an individual choice as to whether there is enough redundant/backup protection on a given system.

    Rich
     
  12. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi everyone,

    In my Security tab in PG I saw: sndvol32.exe Permit Once (unable to ask user). Is this suspicious? Right before I noticed it I got a prompt from PG asking to "allow" or "deny" it; because it said Microsoft, I allowed it. I hope I didn't make a booboo.

    Now all of a sudden PG is blocking any of my games from being played from RealOne Arcade. RealOne Arcade is listed in the Security tab as Permit Always, but when you try to execute a game from within the Arcade, it says "game.exe has been blocked from Physical Memory", and when I try to click "Allow Physical Memory", it won't work! Two days ago I was able to play games; all of a sudden I get this.
     