ProcessGuard and SpySweeper

Discussion in 'ProcessGuard' started by Antarctica, Mar 9, 2005.

Thread Status:
Not open for further replies.
  1. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Any idea why Spysweeper wants to modify all these programs which were intercepted by PG?
     

    Last edited: Mar 9, 2005
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi Antarctica

    I'm not sure I can answer other than it thoroughly checks everything on the system. Since I trust Spysweeper, I just installed it, turned on learning mode, rebooted, and once the system was up completely I turned off learning mode. Everything seems happy.

    Note in Spysweeper I did turn off the memory shield as it spikes the CPU to 50% every 10 seconds. Bit of overkill in view of everything else I am running. So I am not surprised that Spysweeper peeks everywhere.

    Pete
     
  3. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    You need to give SpySweeper privileges to:

    1. Terminate Protected Applications
    2. Install Global Hooks
    3. Install Driver/Services

    JFI... the latest Spy Sweeper version is 3.5, Build 198.

    Oh, almost forgot. Don't place "Secure Message Handling" on Spy Sweeper. It causes SS to not start up properly. Something to do with Spy Sweeper's built-in tamper protection.
     
  4. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Hello siliconman01,
    Thank you very much for your fast answer. Problem solved. ;) It's appreciated :)
     
  5. nelamvr6

    nelamvr6 Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    I'm not sure it's a good idea to give Spysweeper the right to terminate protected applications. I wrote in another thread about Spysweeper attempting to terminate smss.exe, which is an important Windows system process.

    Are you sure you trust it that much?

     
  6. dog

    dog Guest

    Hi Antarctica, ;)

    It's Spy Sweeper's resident protection (Shields) that's the culprit here. If you disable those SS protections you won't see this behaviour. The Mad code hook injection driver ('MchInjDrv') is caused by the Windows shields. MchInjDrv will try to inject a DLL into all the running processes (modifying them).

    There's a good thread on the issue here -> https://www.wilderssecurity.com/showthread.php?t=47024

    HTH,

    Steve
     
    Last edited by a moderator: Mar 9, 2005
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Thanks dog for the info and the link to the thread. :)
     
  8. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    After reading all this thread I am still confused. :oops:

    Should I let Spy Sweeper modify all these applications OR NOT??

    Thanks
     
  9. dog

    dog Guest

    Hi Antarctica, ;)

    I never did ... I decided to disable the Shields instead. ;)

    Really it's up to you ... it comes down to your 'trust' of Webroot and what you're comfortable with.

    If you decide to keep the Shields active and not 'allow' the modifications ... PG's Attack/Alert count will climb ... which you can reset with regedit ... or you can save the attached txt file I created for you, save it, and change the extension to .reg from .txt ... Double-click the file before you shut down your system, and on reboot the count will be reset. I know this really doesn't answer your question, but it's a nice simple way to reset the alert count.

    Steve
     

    Attached Files: PG.txt (File size: 296 bytes, Views: 7)
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Spysweeper may check and see if it has the right to terminate Smss.exe, but it doesn't actually do so. I run with those settings and have no problems. I did turn off just the memory shield because of the CPU issue, but that has nothing to do with Process Guard. Yes, I do trust Webroot, or I'd have never paid for SpySweeper. I also have run some of their other products, which is the reason I trust them.

    Pete
     
  11. nelamvr6

    nelamvr6 Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    Hmmm.... interesting. The guys from Webroot have not yet given me an answer about why Spysweeper tries to terminate smss.exe, but they didn't say that it was only attempting to do so either.

    I do like spysweeper, but I don't think I'm yet at the point of giving it carte blanche.
     
  12. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Hi guys,

    Thanks to all of you for your help. I think for the time being I won't let Spy Sweeper modify anything.

    But still this bothers me a bit and I am not sure if I will keep Spy Sweeper. o_O Did not have this kind of problem with MS Antispyware.

    Now if I remove SpySweeper is he going to mess up my registry?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I'll be surprised if the normal tech support guys even know what you are talking about :D, but my experience with both Webroot and Spysweeper has been one that gives me a pretty high confidence level. I gave it the necessary privileges and all is well. Also it seems to do a very good job at the spyware game.

    Pete
     
  14. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    With MS AS, you do not have this problem. At least, I did not. S Sweeper peaks my machine at upwards of 90% every 20 seconds. Webroot told me there was a leak. If there is, it is in their crap. I uninstalled and downloaded three times. Same thing. If others have this problem and think it is ok, good luck. Webroot SAID it was a leak. However, they have yet to do anything about it. Guess I will stay with MS AS until they screw it up. Hopefully, by then, Hay59 may have something up and running that I can turn to.
     
  15. nelamvr6

    nelamvr6 Registered Member

    Joined:
    Feb 19, 2005
    Posts:
    5
    I've been thinking about this for a while now, and I'm a little confused. Granted I am not a programmer, but I am fairly computer literate. I am puzzled as to how a program would "attempt" to terminate a process with no intention of actually terminating it. If I did not have ProcessGuard running, what is it that makes you think that the "attempt" to terminate smss.exe would not have been successful?

    It appears to me that SpySweeper was in earnest when it was trying to kill smss.exe. As was discussed in the other thread to which I referred, there is malware that masquerades as smss.exe, but telling the fakes from the real deal is not that hard.


    I do like Spysweeper for a few different reasons, but this appears to me to be a bug that needs addressing. smss.exe is an important Windows system process, the termination of which could cause stability issues.
     
  16. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    I agree with you and until then I won't use Spy Sweeper. :(
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041

    I can't answer how a program attempts to shut something down and doesn't. Maybe Wayne can answer that, but I can tell you this. I am running Spysweeper as I write, and I have given it terminate privileges in Process Guard and so far it hasn't terminated zip. smss.exe is running faithfully as is everything else.

    Methinks you are worrying about nothing.

    Pete

    PS: although a bit off topic, I have Spysweeper and Giant AS, and I think Spysweeper is a bit more thorough than Giant. As to the memory leak, I turned off the memory shield and it stopped. I don't think I need a sweep of RAM every 10 seconds.
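
Editor's added example, not part of any post and not code from ProcessGuard or Spy Sweeper: posts 15 and 17 both ask how a program can "attempt" to terminate a process without terminating it. The sketch below assumes (the thread does not say how ProcessGuard decides) that a guard raises its alert when a process handle is requested with the terminate right included; under that assumption, a request for every right at once triggers a terminate alert even if the caller only ever reads memory. The protection categories and the `guard_open` function are hypothetical; the access-right bit values are the documented Windows ones.

```python
# Added illustration, not code from the thread or from either product.
# Process access-right bits are the documented winnt.h values.
RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
}
# Pre-Vista PROCESS_ALL_ACCESS: STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0x0FFF

# Hypothetical protection categories for this sketch; not ProcessGuard's real rules.
PROTECTIONS = {
    "terminate": 0x0001,
    "modify": 0x0002 | 0x0008 | 0x0020,
    "read": 0x0010,
}


def decode(mask):
    """Return the names of the known process rights set in an access mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


def guard_open(requested, protections):
    """Model a guard that inspects a handle request before it is granted.

    Returns (granted_mask, alerts): each enabled protection whose bits were
    requested raises an alert and has those bits stripped from the handle.
    """
    granted, alerts = requested, []
    for name in protections:
        bits = PROTECTIONS[name]
        if requested & bits:
            alerts.append(name)
            granted &= ~bits
    return granted, alerts


# Constructed requests: a scanner that only needs to read memory.
narrow = 0x0400 | 0x0010          # asks for exactly what it uses
broad = PROCESS_ALL_ACCESS        # asks for everything, uses only read

if __name__ == "__main__":
    for label, mask in (("narrow", narrow), ("broad", broad)):
        granted, alerts = guard_open(mask, ["terminate", "modify"])
        print(label, hex(mask), "alerts:", alerts, "granted:", decode(granted))
```

In this model the alert records which rights were requested, not whether the caller would have used them.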
     
  18. spiff5000

    spiff5000 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    49
    This feature was added a few months ago. It hooks into smss, csrss, svchost, lsass, winlogon, etc. because these files are often targeted by trojans. As suggested previously, just change PG to give it SS permission to do its job and you'll have no problem.

    I've been running the Enterprise version since its release. I think they do a very good job against spyware, comparable to Giant (MS) and much better than Ad-Aware and Spybot (both of which have been falling behind in recent months). The Startup shield protecting the run keys in the registry is especially effective.

    FYI... the April issue of PC World rated SpySweeper second to CounterSpy (with Giant engine) in passive scan detection. My opinion: SpySweeper is a more well-rounded product because of the tested active shield feature, which was just added to CounterSpy a few weeks ago.

    My only criticism of Webroot is the company is sometimes hasty and doesn't get all the bugs worked out of new builds before releasing them. The flip-side: they are very proactive when delivering new definitions.
     