Some little annoyances with PGuard.

Discussion in 'ProcessGuard' started by HankPiano, Nov 23, 2005.

Thread Status:
Not open for further replies.
  1. HankPiano

    HankPiano Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    62
    I've been using PGuard for a while now (changed free for full-version), I like the program but sometimes it annoys me: today two seemingly unnecessary windows came up and blocked, among others, the screensaver. One window asked to permit or deny defrag.exe, the other one did the same with dfrgntfs.exe. I had to do something because Firefox wouldn't start anymore. Why are, all of a sudden, these exe-files so important without any defrag-activity around?

    Some more examples: I could only use the text-tool in Photoshop after enabling 'Install Global Hooks' under the protection tab. SnagIt wouldn't work either in Outlook Express without enabling 'Global Hooks'. After installing PGuard my Wacom-tablet was suddenly very slow, same story with 'Global Hooks'. I'm just wondering why? Is there any necessity for these little annoyances?
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    With Execution Protection enabled, every program requires your explicit permission to run. This includes any tasks that Windows may try to run in the background - this may seem annoying at first, but checking the "Always perform this action" box means that you will never be prompted for that program again - unless it changes (which could be the result of an application upgrade or Windows patch - or a virus infection).
    Well, if convenience is your key criterion then just allow anything for everything. More seriously, programs don't expect to have their actions restricted by the likes of ProcessGuard and some may not work properly as a result. You simply need to check your PG logs whenever something goes amiss to see if a PG permission is needed.

    The thing here is that blocking these actions by default will restrict any malware that gets run on your system and limit the damage it can do - e.g. keyloggers cannot see you type your passwords without a global hook, trojans cannot shut down your antivirus software without driver access or terminate privilege, rootkits cannot install and modify Windows without driver or physical memory access (see the PG Help for more examples).

    Having to deal with PG permissions can be inconvenient at first, but dealing with the effects of malware on your system can be far worse (think of how long it would take to reformat, reinstall Windows and all your software and reconfigure everything to how it was previously).
     
  3. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    It would cost a lot more if your credit card number and other personal details got pinched ;)
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi HankPiano,

    Generally speaking you should only see a popup window once with any particular event - at that stage you can simply Permit Always if you know it's legitimate, and you'll never be bothered about that event again (or Deny Once if you're not sure about it so that you can examine it more closely, or Deny Always if you don't want the event happening). You mentioned Photoshop and we know that it's a legitimate program, so most PG users would generally set up a rule allowing photoshop.exe to do everything, and you will never get an alert about Photoshop then.

    This is the beauty of Learning Mode - it watches your actions and sets up Permit rules based on what you do, so when you turn off Learning Mode you'll rarely get alerts about existing programs that you've used during Learning Mode.

    The longer you use ProcessGuard the fewer alerts you'll get (because you would've encountered them before), so normally after just a few days the only alerts you'll be encountering are ones you haven't seen before (for example from new programs).

    Best regards,
    Wayne
     
  5. HankPiano

    HankPiano Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    62
    Thanks for the replies. Please keep in mind I'm not a professional; I just read the manual and the help-files, installed PG, enabled learning-mode, started all my programs, disabled learning-mode and thought: that's it. So I was a bit surprised when I got these alerts about parts of the OS itself, like dfrgntfs.exe and sethc.exe. Normally, when I'm not sure about something, I have a look here or there (just two examples), but PG blocked that possibility.

    I understand what you're saying, but what I do not understand completely: there is no need to start dfrgntfs.exe or sethc.exe myself. When these kinds of exe-files, which are legitimate parts of the OS, are started by the OS itself, why am I asked to permit them, damaging the very OS if I deny them? I suppose Windows XP, if not infected or being threatened, is as legitimate as Photoshop, if not infected. It would be annoying to permit all legitimate parts of Photoshop to start up. Why do I have to permit legitimate parts of a legitimate OS to start up when the OS or its parts are not threatened or infected?

    Edit: When this alert 'defrag.exe' came up the first time it blocked the screensaver and, more seriously, prevented the monitor from shutting down after 20 minutes. Luckily I noticed this; usually I leave the PC for what it is. Anyway, a little alert like this could easily have damaged my monitor. That's what annoyed me a bit.
     
    Last edited: Nov 24, 2005
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That's the reason why - many items of malware try to run via Windows itself so Windows cannot be completely trusted. Ultimately PG has no idea of what is "good" or "bad" so the decision is left to you - a whitelist of known Windows processes could be created, but given the huge number involved and the need to cover all Windows versions from 2000 onwards, plus the Service Packs and hotfixes, this would be a major task. Even having such a whitelist would not necessarily solve everything since individuals may not want every part of Windows to be allowed to run - I for example do not use Internet Explorer or Outlook Express so would not wish to see these being permitted automatically.

    However PG's Learning Mode does allow it to build up a list based on your system configuration and individual habits - if you find dealing with the occasional prompt such an issue then that suggests you need to run in Learning Mode for longer (though bear in mind that this offers no protection against malware - indeed any malware run on your system will be given full privileges by PG in Learning Mode).
     
  7. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    I think we are overlooking something here. The OP has a valid point: defrag is not a process normally called up by anything else on the system. The only times it runs is if you have it set as a scheduled task or are using one of the disk-keeping programs. Neither of which the OP has stated he is doing.

    Yes PGuard is doing its job ok but the real issue here is why is defrag wanting to run.

    I am having the same issue when my AVG updates and then goes to scan.
    AVG has no settings to do this action that I can find. I also don't run any scheduled defrag.

    Also in my case my firewall and AVG no longer load at start up even though they are configured to do so. Possibly unrelated. But an indicator that something abnormal is going on.
     
  8. HankPiano

    HankPiano Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    62
    To be clear about this: I have Diskeeper installed, did use it once but never set any schedule. In spite of this, as I understand it, this alert concerning defrag.exe could have been caused by Diskeeper. Didn't know that.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Most likely it was Windows XP performing self maintenance. This is annoying and one of the first things I turn off. You can disable "defrag while idle" in TweakUI which gets rid of the OP problem.

    I go further, disabling Task Scheduler (I don't have any such tasks), System Restore (an entire drive image is more convenient for me) and a few other services which many others also turn off.

    PG *could* include checksums of the most common version of some files (in this case defrag.exe) but if you had a different version you would be asked to confirm them CHANGING. This could even be more confusing - "why did this change, I've done nothing, I'll click deny?"
     
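The permission model discussed in this thread (Permit Always / Deny Once / Deny Always, Learning Mode recording whatever runs, and Gavin's point that a checksum-based whitelist turns a version change into a "CHANGING" prompt) can be sketched as a small policy table. This is an added example, not ProcessGuard code, and the file names, paths and executable bytes are constructed:

```python
"""Toy model of a ProcessGuard-style execution policy (constructed example)."""
import hashlib
from dataclasses import dataclass, field

PERMIT, DENY, ASK_NEW, ASK_CHANGED = "permit", "deny", "ask-new", "ask-changed"


def fingerprint(image: bytes) -> str:
    # Identify a program by the hash of its executable, not just by its path,
    # so a swapped or patched binary at the same path is noticed.
    return hashlib.sha256(image).hexdigest()


@dataclass
class ExecutionPolicy:
    learning: bool = False
    rules: dict = field(default_factory=dict)  # path -> (hash, decision)

    def check(self, path: str, image: bytes) -> str:
        digest = fingerprint(image)
        if self.learning:
            # Learning Mode records a Permit rule for whatever runs, including
            # malware, which is why it offers no protection while switched on.
            self.rules[path] = (digest, PERMIT)
            return PERMIT
        rule = self.rules.get(path)
        if rule is None:
            return ASK_NEW  # never seen: the "little blue window"
        known_digest, decision = rule
        if known_digest != digest:
            # Same path, different bytes: upgrade, Windows patch or infection.
            return ASK_CHANGED
        return decision

    def remember(self, path: str, image: bytes, decision: str) -> None:
        # "Permit Always" / "Deny Always"; a "Deny Once" stores nothing.
        self.rules[path] = (fingerprint(image), decision)


def demo() -> list:
    """Walk the thread's scenario and return the sequence of decisions."""
    policy = ExecutionPolicy(learning=True)
    photoshop = b"constructed photoshop.exe image v1"
    defrag = b"constructed defrag.exe image v1"
    defrag_path = r"C:\Windows\System32\defrag.exe"
    out = [policy.check(r"C:\Program Files\Adobe\photoshop.exe", photoshop)]
    policy.learning = False
    out.append(policy.check(defrag_path, defrag))            # first idle defrag
    policy.remember(defrag_path, defrag, PERMIT)             # user: Permit Always
    out.append(policy.check(defrag_path, defrag))            # silent from now on
    out.append(policy.check(defrag_path, defrag + b" sp2"))  # patched: prompts again
    return out
```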
  10. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    I didn't mean to steal this thread sorry.
    Gavin thanks for replying.

    I also have Task Scheduler disabled. I also used BlackViper's list and have unnecessary services disabled or set to manual.

    Only Windows Update and my AVG are allowed to auto update. Everything else I have to manually start.

    Dunno why this is going on; it has only started in the last few days.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  12. HankPiano

    HankPiano Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    62
    Wayne, Paranoid, Gavin, thanks for your replies. I read them carefully, realising I still have a lot to learn about this program (everything else I know already ;) )

    One of the reasons I wrote about 'my little annoyances' is that the program occasionally confuses me. It's not about programs: I know what I started up in Learning Mode. It's about unexpected windows like the one from, for instance, 'helpsvc.exe'. In my naive innocence I think: should be okay; to be sure I go to processlibrary and there, you see: it's okay! So I hit 'permit' in the little blue PG-window. Later I right-click on the very file under the Security tab in PG, go to information on-line and read: 'helpsvc.exe should not be in your ProcessGuard protection list, it does not need any special privileges to run correctly'. Things like this make me, as a common user, a bit anxious.

    To put it clearly: I'm not a pro, neither a n00b; I use my PC 1. for my work 2. for gathering information on the internet and 3. for some hobbies like music and graphic design. For me a computer is a tool, something to use, not a very important thing in itself. So, reading about defrag.exe, helpsvc.exe, sethc.exe, and so on, I get the feeling: wow, big deal, but what's so important about them when my computer worked fine for the last 10 years without knowing anything about these little exe-guys?

    The other day I read this sadly ended discussion and recognised some points spm was making in the beginning: as a common user you can get tired of, and a bit stubborn about, choices concerning things you know nothing about. In that case 'safety' can turn itself against you, ironically enough. For that reason I wanted to get rid of Kerio (though it's a good firewall). So, to put it simply: my worry was a kind of Kerio-effect. But when you say that the use of PG will become easier the longer you use it, I'm looking forward to a happy time with this little guy :) .

    Edit: got TweakUI and turned off auto defrag. Thanx for the tip!
     
    Last edited: Nov 25, 2005
  13. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    Thanks Gavin.

    I use TweakUI, but apparently those settings didn't get saved or transferred
    when I had to do a system restore a while back. Funny, most other settings got saved.

    Problem resolved.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    More defaults in the new version; however, I will check and see if we can add a feature... we may add more default items (there are more being added anyway).

    The help and imaging services can start later and not be "known" yet to the system... the same goes for built-in CD burning support and definitely some more things. I'll add this to the to-do list for more documentation :) thanks!
     