Services.exe tried to modify....

Discussion in 'ProcessGuard' started by tonyjl, Jun 13, 2005.

Thread Status:
Not open for further replies.
  1. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi there,
    Got an alert from PG :-
    c:\windows\system32\services.exe [988] Tried to modify an existing driver/service named navex15
    c:\windows\system32\services.exe [988] Tried to modify an existing driver/service named naveng

    Forgot to say that this is my AV updating.

    This is because I removed the "allow driver/service install" feature as recommended, but the alert says "Modify" not "Install". I have the feature "allow modify" checked, so why can't it modify? And if it can't modify, is there any point having this feature checked?

    Thanks

    TonyJL
     
  2. dog

    dog Guest

    Although I can't answer your question why it can't modify the driver ... I'd guess it's because the process would involve installing a new driver for NAV.

    You could temporarily allow it, while running Live Update if the need arises.
    The whole Notice - can be read here
     
  3. tonyjl

    tonyjl Registered Member

    Yes do do that, but not when my security apps do their auto updates, in which case I have to reboot if I get the msg because it's "already updated", then allow the feature, then update. Which can get to be a right pain sometimes, especially when you're in the middle of something.

    Anyway, thanks for the reply. Shall I remove "allow modify" or doesn't it really matter??

    Thanks

    TonyJL
     
  4. dog

    dog Guest

    I would leave it with the allow modify protected apps. I believe that is the way it is set as default.

    Steve
     
  5. dog

    dog Guest

    Just to add ... although it's a bit of a pain in your case. I believe the basic premise for removing the allow drivers flag from services ... is that malware could use services.exe to bypass PG's driver/rootkit protection by using it, instead of attempting to install the drivers etc. directly. So even though you find it a bit of a pain, IMHO you're better off tolerating it, and ensuring your protection in this area of PG.

    Regards,

    Steve
     
  6. tonyjl

    tonyjl Registered Member

    I do agree with you fully but..

    I've just been thinking ya know, for malware to install anything, haven't they first got to launch, which you would (or should) block with PG. Or am I missing something? (I'm no computer whiz kid so...)

    TonyJL
     
  7. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I run NAV and PG also and don't run into this problem. The NAV update files are in the /Program Files/Symantec folder. Make sure each of them is in your protected tab, and have the 'install driver/services' option ticked.
     
  8. tonyjl

    tonyjl Registered Member

    Hi Vikorr, which version of Norton do you have? I have v2003; it's in the protection lists but I have never had an alert about them trying to install drivers. The only one that does need it is lucumserver_2_6.exe.

    Thanks
     
  9. Vikorr

    Vikorr Registered Member

    I'm running NAV corporate edition. I have Lucomserver.exe and Luall.exe both marked for install drivers/services.

    They do modify the drivers each time.

    The easiest way though, would be to run PG in learning mode when you update. Should get rid of all the problems (I installed a clean system and ran the NAV update with PG in learning mode....so luall.exe needed the install services/drivers ability).
     
  10. tonyjl

    tonyjl Registered Member

    Thanks Vikorr, I'll try that, but you don't need to be in learning mode to be alerted to that (the tray icon flashes red when it blocks anything). Maybe it's to do with the two versions of NAV? Well, I'll give it a go anyway. Cheers

    Tonyjl
     