sbserv.exe

Discussion in 'ProcessGuard' started by Oremina, Sep 29, 2004.

Thread Status:
Not open for further replies.
  1. Oremina, Registered Member (Joined: Mar 28, 2004; Posts: 209; Location: England)

    Any ideas about this anybody?

    Using NSW2002 and NIS2002. A component of Norton's Script Blocking is sbserv.exe. This is a very early starter and is always the first on PG3's Alert list.

    This morning, for the first time I enabled PG's "Block new and changed programs". I then noticed on reboot that sbserv.exe was blocked from running.

    I then put it into Protection - still getting blocked, so I enabled install Global Hooks, install Drivers/Service and also to Access Physical Memory.

    Nothing has made any difference and it is still blocked from running. So at the moment I have disabled "Block new and changed programs" and it is back to normal.

    Any ideas anybody? (apart from ditching Norton that is.) I would like at some time to use the option of blocking new/changed programs but more importantly I guess that the script blocking part of Norton is not messed up.
     
  2. Jason_DiamondCS, Former DCS Moderator (Joined: Nov 11, 2002; Posts: 1,046; Location: Perth, Western Australia)

    sbserv.exe needs to be in the security list with ALLOW ALWAYS. Any programs which have been only allowed once and hence need user interaction next time they are run are blocked.
     
  3. Oremina, Registered Member (Joined: Mar 28, 2004; Posts: 209; Location: England)

    Thanks Jason - sorted! Though I'm b**g***d if I know how/when I changed from Allow to Permit Once, although I must have, nobody else uses the PC.

    (O/T.. give my love to Perth.. was last there in '61 and came close to getting married to a nurse from the RPH... happy days. :) )
     
  4. Andreas1, Security Expert (Joined: Jan 29, 2003; Posts: 367; Location: Mainz (Ger))

    Oremina,
    Probably you haven't after all. When a new or changed program launches while no one is logged in yet, it gets "permit once". This has nothing to do with learning mode, it's in normal operations. It's simply too risky to block new launches without the user being able to intervene (not yet logged in), so the launch is allowed once, but not more - and the user should look after security list and maybe change the setting to allow or block always.
    Let's bug Jason a bit to include some warning notification appearing after the user has logged in and something like that has happened beforehand (or even an option to change that default behaviour to something more restrictive). :D ;)

    CU,
    Andreas
     
  5. Oremina, Registered Member (Joined: Mar 28, 2004; Posts: 209; Location: England)

    Hi Andreas - Thanks for the advice.
    Because I hadn't been paying due attention when I should have, I mistakenly thought that "Blocking new and changed programs" had something to do with it... silly I know, but it was early in the morning when I first noticed it.

    I do in fact check the Alerts every time I boot up. But somewhere along the way I missed sbserv.exe changing from Allow Always to Permit Once.

    We live and learn.. :)
     
    Last edited: Sep 29, 2004
  6. Andreas1, Security Expert (Joined: Jan 29, 2003; Posts: 367; Location: Mainz (Ger))

    Maybe you've misunderstood me. "Learning Mode" is what has nothing to do with it, but "Blocking new and changed programs" has well to do with it - AFAIU at least -, for it seems to disable the "permit-those-early-launching-apps-just-once" policy and just blocks them. I know you didn't even mention "Learning mode" and I jumped on it, I just thought it could be easily confused and hence wanted to make it clear. (By reading your postings, I've just realized that that's what I wanted to be able to do all the way, seems it is possible already.)

    Andreas
     
  7. Oremina, Registered Member (Joined: Mar 28, 2004; Posts: 209; Location: England)

    I think we are on the same planet here, Andreas, not a million miles apart.
    Have spent the last hour or so playing with "Block new and changed programs" using a few small programs that I hadn't yet put into Security and it works very well and I haven't had any further problems at all. PG now seems to be flowing as smoothly as some of your good German beer. :D
     