Settings Issue

Discussion in 'ProcessGuard' started by dallen, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    OK. My question is regarding Norton AntiVirus. For some reason I think that I don't have one of the many NAV processes that need protection set up correctly. I say this because everything will be fine one minute, then the next time I restart and look down, my NAV Icon has a big red X through it. Meaning that Auto-Protect is not enabled. When I try to enable it, it gives me an error. So I have to disable PG protection and restart. I think this defeats the purpose of having PG. Here is a screenshot of my protected processes:

    http://web.ics.purdue.edu/~dallen/Screenshot.jpg

    Here is a list of a portion of the log file that I think is relevant to my problem:
    [I highlighted in red what I think is relevant]
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Dallen, It looks to me as though you may need to allow the option "Allow driver/service to install" on navex15 & naveng.
    Remember that setting these options only affects what a process can do within the protected list relative to other listed programmes.
    So if you have the General protection set to Block drivers/services from installing, then setting the Allow for individual processes will override the General setting for the selected protected process.

    Hope this Helps. Pilli
     
  3. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    http://web.ics.purdue.edu/~dallen/Screenshot2.jpg

    I've highlighted the following screenshot to illustrate the various files that match the file names mentioned in the previous log. I am unsure how to handle this. It seems that I would have to allow each of the files that match the file name to override the general setting. And why is c:\windows\system32\services.exe trying to modify what seems to be a virus definition anyway? It doesn't seem safe to allow any process to modify a virus definition, but I'm way out of my league here.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again Dallen, I do not have Norton, but others do use it successfully with Process Guard. Hopefully another Norton user can help with your settings.

    Please read through this thread, which discusses some of the issues: https://www.wilderssecurity.com/showthread.php?t=21756

    Thanks. Pilli
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    All that is happening is that NAV is telling services.exe to modify or recreate its service entry. It probably just does this on startup to make sure its service hasn't been removed - and this isn't really effective nor necessary.

    Edit
    Recommendation: DO allow services/driver install, but contact Symantec support and ask if the next version can stop doing this - or at least modify the service ITSELF, instead of relying on services.exe :)
     
    Last edited: Apr 30, 2004
  6. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    It starts, but the auto-protect feature [which is critical] is not enabled. So, to answer your question, yes it starts, but it is not functioning properly.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dallen, which particular part is not working? Sorry, but you appear to have most of NAV's critical parts on your protection list, which are therefore protected, so I assume you are talking about your programme's ability to protect itself, which is probably protected by Process Guard anyway.

    Thanks for any clarification - Pilli
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Let me be more specific. I will show you screen shots the next time it happens, but in the meantime: I start up my system and sometimes (1/3 approx.) the NAV icon has a Red X through it. Essentially, this means that the auto-protect feature is not enabled, which means that NAV is not working to automatically protect my system from viruses. When I try to enable it, I get an error (which I will capture and show you a screenshot of as well). In order to restore this functionality, I have to disable PG protection and restart my system (sometimes more than once). Eventually, auto protect is re-enabled and then I can restore the PG protection. It seems that Gavin's explanation:
    is accurate, but I don't necessarily agree with his recommendation to do nothing. I would really like to set PG to function in cooperation with NAV. I know that there is just some setting that can be modified or adjusted to make this happen. I'm just not smart enough to figure out what exactly to do. This is where all you people that are smarter than I come in.
     
  9. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    What Dallen is seeing with the NAV icon with the RED X on it is just like PG with RED X on it. There is no NAV virus/trojan/worm/spyware/adware protection active when NAV is disabled (RED X).

    My own experience is the same. I have to give Services.exe Options to Install Drivers/Services or NAV will randomly go inactive and also certain features of AOL 9.0 Optimized SE Beta series will not function because it can require some internal services activated when it gets turned on. Just my experience with PG 2.0 on XP-SP1 Home with NIS/NAV 2004 and lots of other stuff.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the clarification Dallen, I understand your concern and am hoping that another NAV user will jump in with some help. :D Maybe DCS will have some more suggestions also.

    EDIT: Thanks Siliconman01, We posted at about the same time :)
     
    Last edited: Apr 29, 2004
  11. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Hi Dallen

    I have followed this thread with interest as I posted a query regarding how you protect the components of NIS2004. From what I can see from your initial post you do not appear to have the key components of NAV in your protect list. Whilst it concerns NIS2004 component protection, you may want to have a look at the following thread to see if it gives you any clues:

    https://www.wilderssecurity.com/showthread.php?t=28050

    Apologies if I have misunderstood your problem and am off the mark with this response.

    Regards

    Baldrick

    PS. What is the name of the Auto Protect .exe that you are protecting?
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi Dallen,

    I am a NAV2004 user, and in the following screenshot you can see a configuration which works perfectly for me:

    (I had to remove lines to reduce file size, not to hide my progs lol)
     


  13. dog

    dog Guest

    I'm no expert ... I had to play around in the dark - LOL - to get what I thought was the proper setup ... I'm glad to see an experienced PC user like gkweb has posted the attachment of his config. My PG setup for Norton AV is just about the same ... just got a few more entries for System Works & NFW and probably some unnecessary ones from the Symantec shared folder ... but it has worked for me.

    Thanks gkweb. ;)

    dog - *puppy*
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks for jumping in GKWEB :) I don't use NAV very often and wasn't 100% sure, but yes, you will have to allow the service install by the sounds of it :(
     
  15. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    gkweb,
    Thank you so much. It is 4:17 am here and I haven't slept, so I will check the details of this in the morning and make the appropriate changes. Thanks to all that have given the time.

    dog,
    Can you be more specific about the differences you mention in the following:
    I also use System Works. Thank you.
     
  16. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I appreciate all the help. I think that the process for getting PG set up with common programs such as Zone Alarm and Norton AntiVirus could be streamlined and made easier if one of the experts were to assemble a list of settings and post a locked posting at the top. Frankly, this is becoming very difficult. My NAV still fails randomly and now my ZA is failing. I don't know if this is related, but Spoolsv.exe will begin to consume all of my processor time when I open a program like Word. I am beginning to think that PG is very good, but over-complicated, software.
    Here is one specific question:
    20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe[640] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
    20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe [640] was blocked from creating a global Low Level Keyboard hook [0000000D][00000000]

    What is going on here? I think that this is related to showing that I'm online, but I'm not sure. Any insight on this would be greatly appreciated.

    The following describes the screenshot below:
    Blue: I have a Logitech mouse, but why is it wanting to get info and Read my Symantec file? Is there any harm in allowing it to do so?

    Green: I think this is contributing to my Zone Alarm failures. Any thoughts on what to do with this would help.

    Yellow: I think I fixed this by allowing taskmgr.exe to getinfo. There is no harm in that I hope.

    http://web.ics.purdue.edu/~dallen/log.jpg

    ****************Separate Suggestion********************
    One suggestion that may benefit the developers would be that you take the protection one step further and allow the users to assign which programs can be modified by specific programs. I read somewhere in a thread that one user was concerned about allowing services.exe to run rampant on his system. What if, instead of giving services.exe permission to install drivers or modify programs, you could give services.exe permission to modify only a particular program? Just a thought.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Dallen

    I use Zone Alarm and have no problems. I did for reasons now forgotten give svchost.exe all allow privileges. Since it also is protected I don't see any problem there. I also had to give services.exe allow services install under the options for AOL to work. Again services is protected so shouldn't be a problem.
     
  18. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Peter2150,
    Svchost.exe already has all allowed.
    Also I have allowed all for services.exe.
     
  19. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Sorry to make this so long of a thread, but I really want to perfect my PG settings since it is such a vital layer of security. I also see PG to be a complete waste if it's not configured properly, hence my suggestion that someone put together a list of common configuration settings to assist people. Anyway, the following is a screenshot of my current configuration:

    http://web.ics.purdue.edu/~dallen/Screenshot.jpg
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Why are some of those Norton processes blocking READ and GETINFO? This is not needed and you should only block the 4 default flags.

    ALLOW privs are a good thing between trusted apps; if you know all your trusted apps are fine then you can go ahead and give them all ALLOW privs. Have you only added allow privs after seeing some logging from certain processes? It won't hurt to give them more access :)

    If you use a browser other than IE, add that too.
    If you use Trillian or MSN, add those too.
     
    Last edited: May 5, 2004
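    Added example (not ProcessGuard's or DiamondCS's code): a small Python script that parses PG block lines in the format dallen quoted in post 16, groups them per process and per blocked action, and names the per-process privilege the thread says covers each class ([HOOK] blocks correspond to the global-hooks allow discussed for MSN Messenger and the Logitech em_exec.exe). It supports the approach Gavin describes in post 20, granting allow privileges one at a time from what the log actually shows. The first two log lines are the ones quoted in the thread; the Logitech lines, their path and PIDs are constructed, and the hook id names are the Windows WH_KEYBOARD_LL / WH_MOUSE_LL constants.

```python
"""Triage ProcessGuard block log lines before granting ALLOW privileges.

Added example, not DiamondCS code: parses lines in the format quoted in the
thread, groups them by process and blocked action, and names the PG privilege
the thread says resolves that class of block.
"""
import re
from collections import defaultdict

# Lines 1-2 are quoted from the thread; lines 3-4 are constructed in the same
# format (hypothetical path and PID) to stand in for the Logitech em_exec.exe
# hook attempts the thread mentions.
SAMPLE_LOG = r"""
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe[640] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe [640] was blocked from creating a global Low Level Keyboard hook [0000000D][00000000]
20 Apr 02:41:05 - [HOOK] c:\program files\logitech\mouseware\system\em_exec.exe [412] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
20 Apr 02:41:05 - [HOOK] c:\program files\logitech\mouseware\system\em_exec.exe [412] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
"""

# "<dd> <Mon> <hh:mm:ss> - [TAG] <path>[pid] was blocked from <action> [arg1][arg2]"
# The thread's own lines show the PID both with and without a space before it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2}:\d{2}:\d{2}) - \[(?P<tag>[A-Z]+)\] "
    r"(?P<path>.+?) ?\[(?P<pid>\d+)\] was blocked from (?P<action>.+?) "
    r"\[(?P<arg1>[0-9A-Fa-f]{8})\]\[(?P<arg2>[0-9A-Fa-f]{8})\]$"
)

# Windows SetWindowsHookEx idHook values (WinUser.h); the first bracketed
# number on a [HOOK] line is that id.
HOOK_IDS = {13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Per-process PG privilege that the thread says covers each block class.
# Only [HOOK] appears in the thread's excerpt; other tags are flagged for
# manual review rather than guessed.
PRIVILEGE_FOR_TAG = {"HOOK": "Allow Global Hooks"}


def parse_line(line):
    """Return a dict for one PG block line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["path"] = rec["path"].lower()  # Windows paths are case-insensitive
    if rec["tag"] == "HOOK":
        rec["hook_name"] = HOOK_IDS.get(int(rec["arg1"], 16), "unknown hook id")
    return rec


def summarize(log_text):
    """Group block lines by (process, tag, action); return (rows, skipped)."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        g = groups[(rec["path"], rec["tag"], rec["action"])]
        g["count"] += 1
        g["pids"].add(rec["pid"])
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
    rows = []
    for (path, tag, action), g in sorted(groups.items()):
        rows.append({
            "process": path,
            "tag": tag,
            "action": action,
            "count": g["count"],
            "pids": sorted(g["pids"]),
            "first": g["first"],
            "last": g["last"],
            "privilege": PRIVILEGE_FOR_TAG.get(tag, "review manually"),
        })
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_LOG)
    for r in rows:
        print(f"{r['process']}: {r['count']}x {r['action']} (pids {r['pids']}, "
              f"{r['first']}..{r['last']}) -> consider: {r['privilege']}")
    print(f"{skipped} unparsed line(s)")
```

    Each row is one decision to make: the process, what it was blocked from, how often, and which single privilege would stop that log entry. A repeat of the same hook from a process you recognise (the Logitech driver above) is a candidate for that one allow; a process you do not recognise is worth investigating before any privilege is granted.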
  21. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Gavin, did you mean GETINFO, because SETINFO is set as default for block? I will make the changes to those Norton processes, but only after you clarify this point.

    Are you saying that everything that is protected should be given all ALLOW privs? I guess it makes sense, since it is protected, but can you also confirm that this is your meaning?

    I only use IE. Did you mean MSN Messenger should be protected? I do use that service. If so, should I simply protect msmsgs.exe, and how should that be set? Thanks for all your help.
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dallen, With Messenger, add it to the protection list, as with all programmes that have access to the internet. Initially I would just give it the default blocks and watch the logging. IE is already a default programme on the protection list.
    The Logitech mouse is shown trying to create a low level global hook and is probably to do with mouse "gestures" - if you have no mouse problems just ignore the one-off or few logs that are created.
    Task Manager can be listed and given all the allow privileges, although I do not give it terminate allow unless it is needed, i.e. to terminate a protected list programme.
     
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thanks Pilli,
    I discovered what the Logitech was trying to do. It has to do with a function in the scroll wheel. Is there any harm with putting em_exec.exe (the Logitech file that is trying to create a low-level global hook) in my PG protection list and blocking nothing and allowing READ, GETINFO, and ALLOW GLOBAL HOOKS? Please let me know if there is any real danger in that.
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Sounds OK. I'd recommend blocking the default blocks on ALL things you add. If anything pops up in the logging then you might need to add an additional process to stop the logging, with allows on both processes.

    There is nothing wrong with ALLOWING on trusted processes, and it in effect means that all processes in the list (as long as they are trusted) will work together without any problems. In any case, you should see they work together without adding allow privs so the choice is yours.

    Yes, add msnmsgs.exe for users of MSN Messenger, a new trojan does offer injection in MSN / Trillian.

    And I did mean GETINFO, not SETINFO :)
     
  25. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Dallen,
    Not necessarily. For the most part, PG protection is on a per-process basis (each process is protected and given privileges depending on what settings you give it in PG), so if you have incorrect or weak settings for one process, that will only affect that process - not any others. Even if you just have one process protected (such as with the free version of PG) then that process still has dramatically increased security.

    Also, the first time you run PG it'll ask you if you want to create a default ruleset for your existing system processes. If you choose Yes to that, it'll automatically protect your primary system processes for you, and you should find that there's very few (if any) modifications that will need to be made to that list - all you really need to do then is add your security programs, and then you're set!
     