ProcessGuard & Programs....

Discussion in 'ProcessGuard' started by dja2k, Feb 18, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Haven't played around a lot these days modifying the default PROTECTION, AUTHORIZE TO, or OTHER OPTIONS in the PROTECTION tab for specific Windows .exe's or other commonly used programs. Today I was noticing rundll32.exe in my protected list, which by default it isn't. Being trigger happy, I must have allowed it once to get added there, as I always have it at allow once. Anyway, besides being in my list, which I will take off, if I have to leave it, what should it be allowed to do and not do? Also, what others are recommended to change, and/or change in any manner? Like Spyware Doctor always wanting to modify a lot of .exe's when turned off, NORMAL or NOT?

    dja2k
     
  2. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I would leave "rundll32.exe" in PG's "protection".. (funny thing.. I just checked, and I did not have it in PG's protection until just recently) anyway, the way that it got into PG's "protection" was when I was using the ATI control panel "options" tab (for adjusting display settings).. when using ATI's "options" tab, rundll32.exe needs to be able to "install driver/service".. in some cases, if that privilege is not given to rundll32.exe when adjusting those settings, it can cause a BSOD.. on the other hand, if you are not going to be using ATI control panel's "options" tab, then you could leave rundll32.exe without the "install driver/service" privilege.. people may need to allow different privileges for different things depending on what programs they use..

    I too would like some tips on settings for some things.. I had picked up some tips, over time, from reading posts in the forum, but the last time that I installed PG (build 3.15), I had forgotten all of those tips.. one "tip" that I did remember was to set "ntvdm.exe" to "allow once".. also, I have rundll32.exe set to "allow once", so I have to allow it every time that it runs..

    it is also advised to not give any extra privileges to "services.exe", and, if services.exe needs extra privileges (like "install driver/service"), to only enable it temporarily.. that can be a pain, but I am trying to get accustomed to doing it..

    so, anyone with some tips on settings, let's have them.. should "cmd.exe" or "regedit.exe" be set to "allow once"?
     
  3. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi guys.

    Here's what I've picked up over time.

    Allow Access Physical Memory:-

    c:\windows\system32\alg.exe
    c:\windows\system32\csrss.exe
    c:\windows\system32\lsass.exe
    c:\windows\system32\ntvdm.exe
    c:\windows\system32\smss.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\winlogon.exe

    Permit Once:-

    c:\windows\hh.exe
    c:\windows\regedit.exe
    c:\windows\winhlp32.exe
    c:\windows\system32\cmd.exe
    c:\windows\system32\cscript.exe
    c:\windows\system32\ftp.exe
    c:\windows\system32\ipconfig.exe
    c:\windows\system32\javaw.exe
    c:\windows\system32\mshta.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\net.exe
    c:\windows\system32\net1.exe
    c:\windows\system32\netsh.exe
    c:\windows\system32\ntvdm.exe
    c:\windows\system32\regsvr32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\services.exe
    c:\windows\system32\tftp.exe
    c:\windows\system32\winhlp32.exe
    c:\windows\system32\wscript.exe
    c:\windows\system32\wbem\wmiadap.exe


    Deny install Drivers/Services:-

    c:\windows\system32\services.exe
     
  4. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks Tonyjl for the info. I already had that RUNONCE list in PG since you gave me the same list for AppDefend a while back. Made sure those others had allow physical memory as well. I have others to be allowed to access physical memory, but I guess it's okay since I know what they are. For example, Ewido, DVD Shrink, Window Media Player Classic, and basically any audio/video player/editor that accesses memory. For some reason, explorer.exe also wants access to physical memory once in a while when I change the view on a folder with audio/video files, but I allow it then disable it later. Firefox and Java as well, same thing, allow temporarily and then disable. IE sometimes does the same thing. Limewire is another one that also uses physical memory, but I think it's because it uses Java as well.

    dja2k
     
  5. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Sounds good dja2k, the tricky part with physical memory and PG is that that's PG's main weakness (don't know if it still is? you'll have to ask one of the mods). Anything with access to physical memory has the potential to bring down PG. But as long as you're careful to not accidentally let some malware hijack one of those apps, you should be pretty safe.

    That reminds me, I should ask Jason if AD has similar weaknesses or not :cautious:
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks tony..

    I noticed that, in my settings, smss.exe is allowed to terminate protected processes.. is that the default for smss.exe? I might have changed the settings for smss.exe along the way, that is why I ask..

    I also noticed that, in my settings, one of the processes that you listed above had the "install driver/service" privilege.. (I removed that "privilege" without taking note of what process it was) again, that might have been something that I did along the way..

    should any of the "basic" processes, like those that are first added to PG's protection when you first install PG, have the "install driver/service" privilege?
     
  7. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I would only give a process the "install driver/service" privilege if the process needs it. I think the default list should be fine as it is.
     
  8. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    The main one you should avoid is 'services.exe' because they can't trace the original caller. I don't remember anyone saying not to give it to any of the others, but I could be wrong. I have given that feature to whatever asked for it (except services.exe).

    As for 'smss.exe' and 'terminate others', I don't have mine set to allow, don't think it's ever asked for it either. The only 'basic' services I have that are allowed to terminate others are 'csrss.exe', 'drwtsn32.exe' and 'winlogon.exe'.

    Hope that helps mate :)

    If anyone knows if I'm wrong, let us know so I can sort my list out as well :D
     
  9. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
  10. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks tony.. :)
     