protection options

Discussion in 'ProcessGuard' started by the mul, Jan 26, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    In PG there are four choices of protection that you can enable. Can you tell me if there are any of the four that I should have enabled, or does PG have enough protection already without enabling these settings?

    thanks the mul
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mul, if you are talking about Protection - General protection options, then I have them all ticked. These are the ones that protect against End task, .dll injection, rootkits etc. :)
    I have had no problems using them all.

    When you list a program you will see what you need to change in the allow options by watching the window log; these allows are only active on listed programmes, so that programmes can work together when listed.
    If you see a programme in the window log that is not listed trying to do things repeatedly, provided it is a trusted application, it is probably best to add it to the list and then give the necessary allows.

    Quite often a non-listed programme may try to set global hooks, but only a few times when started; usually these need not be listed and rarely cause a problem.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Here is an example: Netcaptor, which is an IE addon, tried to create global hooks at the beginning of my session today. This is the licensed version and AFAIAA has no phone homes.
    I have noticed no detrimental effects running Netcaptor like this since PG 1.200 was installed. I have emailed Netcaptor support to see if they can tell me why these hooks are required. :)

    26 Jan 12:54:44 - [HOOK] c:\program files\netcaptor\netcaptor.exe [2572] was blocked from creating a global hook [00000007][00000000]
    26 Jan 13:02:35 - [HOOK] c:\program files\netcaptor\netcaptor.exe [2572] was blocked from creating a global hook [00000007][00000000]
     
  4. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks for all your help Pilli, yes I was talking about the general protection options and I will follow your advice.

    Your help was much appreciated

    the mul
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    No problems Mul, always ask as we are all on a learning curve with PG at the moment :D A lot going on under the hood, so to speak!
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I had a reply from Adam of NetCaptor :) So I will add NetCaptor to the PG list and give it just local allowances :) And I sent him DCS's URL for explanations.

     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hook type 7 that NetCaptor is using is the WH_MOUSE hook type (2 = WH_KEYBOARD, etc).
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Wayne. As NetCaptor connects to the net I have added it to the list; should I enable "Allow global hooks"? As, if I do, I no longer get the window logging.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I'm not familiar with the NetCaptor program myself, but because the developer is only using WH_MOUSE, and because the developer has responded to your support request regarding that, I'd say it'd be safe to allow it to use global hooks. That's not to say that WH_MOUSE is harmless - it still allows for the DLL to be loaded into all processes that have user32.dll (at which point they might choose to terminate the process they've attached to, as an example), so just be aware of that, but in this particular case the program seems ok to give that privilege. :)

    Here are the documented hook types:
    -1 = WH_MSGFILTER
    00 = WH_JOURNALRECORD
    01 = WH_JOURNALPLAYBACK
    02 = WH_KEYBOARD
    03 = WH_GETMESSAGE
    04 = WH_CALLWNDPROC
    05 = WH_CBT
    06 = WH_SYSMSGFILTER
    07 = WH_MOUSE
    08 = WH_HARDWARE
    09 = WH_DEBUG
    10 = WH_SHELL
    11 = WH_FOREGROUNDIDLE
    12 = WH_CALLWNDPROCRET
    13 = WH_KEYBOARD_LL
    14 = WH_MOUSE_LL

    For a description of each Windows hook type (WH_xxx), see the SetWindowsHookEx documentation at Microsoft.
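As an added example (not code from the thread or from DiamondCS), here is a small parser for the [HOOK] lines quoted above that turns the bracketed hex field into the WH_ name from Wayne's list and applies Pilli's rule of thumb: group blocked attempts per executable and flag the ones that repeat or use an input-capturing hook type. The treatment of the hex field as a signed 32-bit value (so -1 would print as FFFFFFFF) and the third sample line are assumptions.

```python
import re
from collections import defaultdict

# SetWindowsHookEx hook ids as listed in Wayne's post above.
HOOK_TYPES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# Hook types that see raw user input; look at these before ticking "Allow global hooks".
INPUT_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE", "WH_MOUSE_LL", "WH_JOURNALRECORD"}
# Matches the window-log / pglog.txt line format quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[HOOK\] (?P<exe>.+?) \[(?P<pid>\d+)\] "
    r"was blocked from creating a global hook \[(?P<hook>[0-9A-Fa-f]{8})\]\[[0-9A-Fa-f]{8}\]$"
)

def parse_hook_line(line):
    """Return a dict for one [HOOK] line, or None if the line is not a hook event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = int(m.group("hook"), 16)
    # Assumption: the field is a 32-bit value printed in hex, so WH_MSGFILTER (-1)
    # would appear as FFFFFFFF; convert to a signed int before the lookup.
    hook_id = raw - (1 << 32) if raw & 0x80000000 else raw
    name = HOOK_TYPES.get(hook_id, "UNKNOWN(%d)" % hook_id)
    return {"ts": m.group("ts"), "exe": m.group("exe").lower(), "pid": int(m.group("pid")),
            "hook_id": hook_id, "hook": name, "input_hook": name in INPUT_HOOKS}

def summarize(lines, repeat_threshold=2):
    """Per executable: attempt count, hook types seen, and whether it deserves a look
    (repeated attempts, as Pilli describes, or any input-capturing hook type)."""
    per_exe = defaultdict(lambda: {"attempts": 0, "hooks": set()})
    for ev in filter(None, map(parse_hook_line, lines)):
        entry = per_exe[ev["exe"]]
        entry["attempts"] += 1
        entry["hooks"].add(ev["hook"])
    for entry in per_exe.values():
        entry["review"] = entry["attempts"] >= repeat_threshold or bool(entry["hooks"] & INPUT_HOOKS)
    return dict(per_exe)

# Constructed sample: the two NetCaptor lines from the thread plus one made-up WH_CBT line.
SAMPLE_LOG = [
    r"26 Jan 12:54:44 - [HOOK] c:\program files\netcaptor\netcaptor.exe [2572] was blocked from creating a global hook [00000007][00000000]",
    r"26 Jan 13:02:35 - [HOOK] c:\program files\netcaptor\netcaptor.exe [2572] was blocked from creating a global hook [00000007][00000000]",
    r"26 Jan 13:10:01 - [HOOK] c:\temp\example_tool.exe [3100] was blocked from creating a global hook [00000005][00000000]",
]
```

Running summarize(SAMPLE_LOG) reports NetCaptor with two WH_MOUSE attempts (flagged for review, which matches Wayne's caveat about the DLL being loaded into every user32 process) and the made-up tool with a single WH_CBT attempt that is not flagged.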
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks again Wayne,

    Think it will take a while to collect all the information regarding an application's use of hooks before all the necessary PG rules can be fine-tuned :)

    Having said that, I shall err on the side of caution and disallow hooks unless I find doing so is detrimental to the functions I use.

    One of the beauties of Process Guard is the ease with which one can see all the various calls being made using the real-time window log and the pglog.txt file. :D
     