Process Guard & Kaspersky Pro Question

Discussion in 'ProcessGuard' started by worldcitizen, Jun 5, 2005.

Thread Status:
Not open for further replies.
  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi guys and gals (reference to you Jooske),

    I need a bit of assistance.

    Now and again, while surfing, I notice my Kaspersky Pro Real Time Protection level changing. I don't know what is triggering it or what it is changing to, all I know is that when I open the Kaspersky Pro window I see an exclamation mark that my settings are no longer default. I don't know if this is Kaspersky's doing i.e. after encountering a script trying to run it may have turned script monitoring on which I think is off by default.

    Whatever, Kaspersky Pro's realtime protection level is being moderated occasionally yet Process Guard is protecting it against 'modification' so where does that leave me? Is Process Guard 'not protecting' Kaspersky from modification as it is ticked? How do I prevent it from being modified when PG is already protecting it from modification but it is still 'modifying'?

    Thanks for any help.

    Dave
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dave, What makes you think that PG is the cause, do you see any alerts in PG?
    Have you asked at the KAV forums about this as it may be something to do with your KAV settings or a known bug.

    In KAV 5 I have kav.exe & kavsvc.exe on PG's protection list with the default allows and block and have never seen what you are describing.

    Thanks Pilli
     
  3. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi Pilli,

    All I know is that I have Kaspersky ticked in PG not to be modified but the realtime level is being modified without any pop ups from PG. Isn't PG supposed to pop up a warning if it gets modified? I asked here because PG is supposed to give me a warning but it isn't. I see it as a PG issue because PG is supposed to warn me of modifications and it's not. Even if it was a bug PG should still be giving me a warning if it's properly protecting Kaspersky. I haven't come across any known issues with Kaspersky but I still maintain it's PG's duty to warn me. What happens if an online script gives a command to Kaspersky to change its level and it does it internally - then PG ignores the modification? Is there a workaround for this with PG?

    Dave
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    And how will that happen? KAV has very good internal protection especially if you password protect it.
    The hidden KAV driver is also very well protected at the kernel level.
    I do not believe that anything is changing KAV from the outside but do believe that KAV, when running, can modify itself internally i.e. its own functions. Any change to KAV.exe would be seen by PG but not internal changes made within the KAV GUI.
    There are many users of both KAV and ProcessGuard and I have not seen any posts regarding the problem you may have.

    Can you do a checksum of KAV's .exe before such so-called modification and then after? If you can do this then the results would be interesting to see.

    Please check out the KAV forums for any bug reports that may be relevant. :)

    Cheers. Pilli
     
  5. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I noticed the warning in the KAV GUI saying my settings had been changed from the 'recommended' and this is part of the report:

    Task: Real-time file protection

    Statistics:
    Task start time: 5/28/2005 6:40:54 PM
    Task completion time: 5/28/2005 6:45:11 PM
    Objects scanned: 2796
    Viruses detected: 0
    Disinfected: 0
    Quarantined: 0

    Settings:
    Protection level: High Speed


    It has changed from 'recommended' to 'high speed' on the fly without me doing anything and it is worrying. It always happens while I'm surfing. At that time I had a pop up from 'Internet Explorer' that I had been infected and to remove the infection to click on the ok button but I ignored it as I thought it was probably a sales pitch. It was after that I immediately checked Kav and saw the realtime level had been downgraded to the lowest protection. Process Guard never warned me so I don't know what I can do to prevent this. Have not found any online bugs related to this issue on Kaspersky forums.

    Dave
     
  6. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Pilli,

    How do I password protect Kaspersky Pro? I don't see anywhere to do it with the Pro version.

    Thanks

    Dave
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dave, I do not have the Pro version but in the Personal version it comes under "Settings" - "Additional settings".

    I guess whatever the link you clicked could have triggered something that altered KAV but that would be within KAV's GUI and not its .exe which PG protects.

    If you know what link caused the problem please IM me with it for investigation. Please do not post in this thread.

    I still advise contacting KAV support or posting on their forums.

    Thanks. Pilli
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Dave,

    I bet you're being a "norty boy" and surfing as the Admin user right? ;) Kaspersky Pro adds a new user group ("Kaspersky Anti-Virus Administrators") to determine who can amend its settings and the Admin user can do this by default. Running as a user that is not part of this group should prevent any unexpected changes of settings.

    I run Kaspersky Pro and Process Guard together and have not encountered any such changes - on the other hand I am using custom settings rather than the default protection levels (I want to be prompted about suspected malware rather than having KAV nuke it straight away, but I have also excluded PG's .dat and .log files along with Outpost's logging database to reduce CPU utilisation).

    It might also be related to CPU utilisation (is it hitting 100% a lot on your system?) with KAV trying to lighten its load.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi worldcitizen,

    I tried out KAV 5.0 Pro for a very, very brief time, and I thought it was a very unstable release. It is not surprising that there will be no 6.0 Pro. I seem to remember something similar happening to me as you are experiencing. You are probably best off discussing this problem in the Kaspersky Forum, if you want to stick with 5.0 Pro.

    I am personally using 4.5 Personal which behaves as it is supposed to. There is a new 5.0 Personal MP3 package which seems pretty decent. KAV support has posted the mechanism for shutting off the startup scan, but it still does not give you access to the supersecure database, if you are looking to use it. In any case, I would recommend either using 4.5 Personal or 5.0 MP3 Personal.

    Rich
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Hi All

    I think there is some confusion here about "modification". Process Guard will prevent xyz.exe from being modified, but if xyz has 10 different settings that it can run with Process Guard won't prevent the settings xyz runs at. There is a big difference. I use Kav 5.0 also. PG would prevent something from modifying Kav.exe or kavsvc.exe but if somehow the protection level was changed, Process Guard can't protect against that.
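
    The checksum-before-and-after check suggested earlier in the thread, combined with the executable-versus-settings distinction made in the post above, as an added example that is not part of the original thread. The files are constructed stand-ins in a temporary directory; `settings.ini` and the `protection_level` key are hypothetical, since the thread does not say where KAV stores its settings.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Map each file name to its SHA-256, or None if the file is missing."""
    return {p.name: sha256_file(p) if p.is_file() else None for p in paths}


def changed(before, after):
    """Return the sorted names whose hash differs between two snapshots."""
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))


def demo():
    """Constructed stand-ins: two 'executables' and a hypothetical settings file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        exes = [root / "kav.exe", root / "kavsvc.exe"]
        settings = root / "settings.ini"  # hypothetical settings store
        for exe in exes:
            exe.write_bytes(b"MZ constructed stand-in for " + exe.name.encode())
        settings.write_text("protection_level=Recommended\n")

        exe_before, cfg_before = snapshot(exes), snapshot([settings])
        # The program rewrites its own settings; the binaries are untouched.
        settings.write_text("protection_level=High Speed\n")
        exe_after, cfg_after = snapshot(exes), snapshot([settings])
        return changed(exe_before, exe_after), changed(cfg_before, cfg_after)


if __name__ == "__main__":
    exe_diff, cfg_diff = demo()
    print("executables changed:", exe_diff or "none")
    print("settings changed:   ", cfg_diff or "none")
```

    Identical executable hashes alongside a changed settings hash is the case described in the thread: the protected binaries are intact, so a control that guards the process image has nothing to alert on.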
     
  11. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I think he meant, PG will prevent another application from modifying KAV, but not KAV from modifying KAV :)
     
  12. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    It hasn't happened for a while now so I am not overly worried about it. Protection is not being disabled or turned off, only lowered but I can live with that and it happens only very rarely so not an emergency. Thanks everyone for all the helpful ideas and suggestions.

    People here are really nice and I appreciate all your suggestions.

    Dave
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Dave, Please do not knock other products especially in the ProcessGuard dedicated forums, both NOD and KAV are excellent AVs.
    Personal opinions about other products that are not substantiated should not be posted here.

    Thanks. Pilli :)
     
  14. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    OK - Please delete that post. It wasn't important except to say that the problem never occurred again.

    Thanks

    Dave
     