Services.exe, NIS/NAV 2005, and PG 3

Discussion in 'ProcessGuard' started by siliconman01, Oct 2, 2004.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01, Registered Member (Joined: Mar 6, 2003; Posts: 780; Location: West Virginia (USA))

    Here is something that users of NIS 2005 (and I assume just NAV 2005) need to watch out for when using Process Guard.

    When you do a LiveUpdate or Intelligent Update (daily) for new definitions and rules for NIS 2005, it uses Services.exe to install/restart two NIS services. These are NAVENG.SYS and NAVEX15.SYS. I assume NIS stops these services to install the updates and then needs to restart them.

    So if Services.exe is NOT allowed to Install Drivers/Services, NIS will not have needed services restarted after an update. YUK! :p

    Another reason we need the ability to "customize" SERVICES.EXE so that we can maintain maximum security.

    Now I know we can "temporarily" allow Services.exe to do this when we manually use Intelligent Updater; however, NIS 2005's automatic update feature and new Threat Alert feature can update at any time...day or night. That is one of the very useful security features of Norton. So I do not feel it is acceptable to lose NIS's security benefits because of PG's security. Please implement a way we can "customize" Services.exe. :eek:
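
Added example, not part of the original thread: a PowerShell check, run after a definitions update, that the two driver services named in the post above are loaded again. The service names NAVENG and NAVEX15 are assumed from the .SYS file names in the post, the function name `Test-DriverServiceState` is hypothetical, and the sample records are constructed so the logic can be exercised without Norton installed.

```powershell
# Added example. Service names are an assumption derived from the file names
# NAVENG.SYS / NAVEX15.SYS in the post; adjust to what the system registers.
function Test-DriverServiceState {
    param(
        [string[]]$ExpectedDrivers = @('NAVENG', 'NAVEX15'),
        # Driver records to evaluate; defaults to the live system's driver list.
        [object[]]$Drivers = (Get-CimInstance -ClassName Win32_SystemDriver)
    )
    foreach ($name in $ExpectedDrivers) {
        $match = $Drivers | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        [pscustomobject]@{
            Driver  = $name
            Present = [bool]$match
            State   = if ($match) { $match.State } else { 'NotInstalled' }
            Path    = if ($match) { $match.PathName } else { $null }
            # Healthy means the driver was restarted after the update.
            Healthy = [bool]($match -and $match.State -eq 'Running')
        }
    }
}

# Constructed sample: one driver restarted, one left stopped because the
# service install/restart was blocked.
$sample = @(
    [pscustomobject]@{ Name = 'NAVENG';  State = 'Running'; PathName = 'C:\constructed\NAVENG.SYS' },
    [pscustomobject]@{ Name = 'NAVEX15'; State = 'Stopped'; PathName = 'C:\constructed\NAVEX15.SYS' }
)

$report = Test-DriverServiceState -Drivers $sample
$report | Format-Table -AutoSize

# List anything that did not come back after the update.
$report | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "$($_.Driver) is $($_.State)" }
```

Calling `Test-DriverServiceState` with no `-Drivers` argument evaluates the live system instead of the sample.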
     
  2. DolfTraanberg

    DolfTraanberg, Registered Member (Joined: Nov 20, 2002; Posts: 676; Location: Amsterdam)

    services.exe doesn't run on its own. It has to be called by an application and this would be a trusted application I presume? :doubt:
    Dolf
     
  3. gkweb

    gkweb, Expert Firewall Tester (Joined: Aug 29, 2003; Posts: 1,932; Location: FRANCE, Rouen (76))

    Hi,

    The point is that if you definitely allow services.exe to install drivers, you allow btw any malware to install a rootkit via services.exe; that's the latest point brought to light recently.

    regards,

    gkweb.
     
  4. DolfTraanberg

    DolfTraanberg, Registered Member (Joined: Nov 20, 2002; Posts: 676; Location: Amsterdam)

    Then you have lost the battle anyway :rolleyes:
    Dolf
     
  5. gkweb

    gkweb, Expert Firewall Tester (Joined: Aug 29, 2003; Posts: 1,932; Location: FRANCE, Rouen (76))

    I completely disagree.

    There is a school which says that once the malware is in, it's the end, the battle is lost.
    Then, you don't need application control, you don't need antivirus, and above all, you don't need Process Guard process protection because you have already allowed the malware to run, right?

    Then there is another school, the one I belong to, which says that neither the user nor the system has full control on the OS, but the kernel has.
    Once a malware has run, you can contain it, prevent it from doing what it wants, block it, and be warned of its existence.

    If you belong to the first one, then don't even install security software, because once downloaded, you are already dead.

    gkweb.
     
  6. DolfTraanberg

    DolfTraanberg, Registered Member (Joined: Nov 20, 2002; Posts: 676; Location: Amsterdam)

    :)
    I think in another way. Most common computer users use their computer the way they are used to and want to continue to do so, while protected with PG.
    In other words, they don't want to see any PG popups all the time, but most people on this board go further than that, I'll agree.
    So it's all about the level of paranoia. :D
     
  7. gkweb

    gkweb, Expert Firewall Tester (Joined: Aug 29, 2003; Posts: 1,932; Location: FRANCE, Rouen (76))

    Yes, and I am ;)
    I love my popups, I want more :D

    regards,
    gkweb
     
  8. Oremina

    Oremina, Registered Member (Joined: Mar 28, 2004; Posts: 209; Location: England)

    This also applies to NIS2002, so possibly the other versions as well. When I first installed PG2 around 6/7 months ago I noticed Services.exe wanting to install the two drivers/services NAVEX and NAVENG. Following general advice about watching for alerts, I gave Services.exe permission and left it at that, with no untoward results.

    After installing PG3 beta, I noticed the same thing and gave permission again. Shortly after that, in a thread somewhere, I read it is best not to give Services.exe permission to install services/drivers due to the possibility of trojans installing etc... so I removed permission. Since then my NAV has done a couple of automatic live updates and I have manually done a NIS security update.

    So I am wondering now if anything has gone wrong... it doesn't appear to have at the moment.

    It seems to me that I have to go for what is apparently the lesser of two evils - either take a risk with Services.exe having permanent permission to install services/drivers or risk messing up a virus/security update. Accordingly, therefore, I have given permission for Services.exe to install drivers/service and just hope I'm doing the right thing. At least until some definitive advice comes along.

    Which I hope it does soon..


    :)
     
    Last edited: Oct 3, 2004
  9. Baldrick

    Baldrick, Registered Member (Joined: May 11, 2002; Posts: 2,299; Location: South Wales, UK)

    Hi Oremina :rolleyes:

    Have done the same as you, but made a suggestion for a future enhancement that, if possible and accepted, would remove the 'questions' of what to do - grant or not grant. At the moment I have rescinded Install Driver/Services privileges to services.exe & smss.exe, and am awaiting an alert to see if the complaint about this manifests itself.

    Best regards



    Baldrick :D
     