svchost question

Discussion in 'ProcessGuard' started by Gunslinger, Apr 12, 2005.

Thread Status:
Not open for further replies.
  1. Gunslinger

    Gunslinger Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    11
    Is there any way to stop svchost starting Internet Explorer using Process Guard?

    Explanation as to why I want this:
    If you are using MSN Messenger, they are too pig ignorant to use the launch default browser command when clicking links in the MSN Messenger chat window, forcing you to use crappy IE. I use Outpost firewall and that stops it as a hidden process, and asks if I want to let it connect ... good, I can just say "no" and copy the link to Opera browser instead, but the problem there sometimes is Windows is too stupid to understand NO and just keeps opening new windows trying to connect till it crashes your PC.

    So is there any way to restrict this using Process Guard?

    TIA

    Gunslinger
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Yes, just change the setting for IE in the security tab from 'whatever' to 'set to deny always'. :rolleyes:
    Dolf
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    A different tack could be in order... vote with your feet and use a better IM client ( gaim or trillian are not too bad ). One caveat that I know of is that gaim doesn't do file transfers to real MSN clients (for me anyhow)... trillian might be better in that regard

    PG unfortunately doesn't allow fine grained app control, but it does do some other useful things (like stopping process termination and controlling drivers loading)

    System Safety Monitor (SSM) does have fine grained application control, but doesn't (as of the last time I looked) have the same level of protection that PG offers

    So I would think that your solution (if you wish to keep using MSN Messenger) would be to use SSM as well as PG in your setup and explicitly deny msmsgs.exe from launching other programs (especially IE) using SSM

    Obviously it is not ideal and it will be good when/if PG matures a bit more and DCS decide what feature set it should have in the medium to long term
    Growing a better version of app control will be confusing to the average user (if it was enabled) so it's not a trivial thing to add in

    Alternately other products might get better at performing this function and you can then use PG for its core functionality which it does very well (stopping code injection, driver loading and killing processes)
     
  4. Mephisto

    Mephisto Guest

    Personally I don't think it's possible to stop it (IE) ... It's too ingrained into the OS. I have IE set as a blocked application in my firewall and in PG and it still connects to the Internet although I never use IE (ever). But I still manage to receive cookies and temp files generated by IE making it out onto the internet.
     
  5. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I still think you should just set iexplore.exe to permit once in PG (deny always would be more silent). I do this and it works well.

    Most apps respect the default browser settings, but it's nice to stop iexplore.exe cold if something doesn't.

    If you do not like IE popping up in your face at unexpected "Microsoft moments", the permit once setting seems to stop it from launching on my machine while giving me the option to allow it on the rare occasion I actually want it to run, like checking local HTML code for display quirks.

    IM (Instant Malware) has been deleted from my machine so I don't know if it would keep trying after clicking links however.
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Do you happen to use a personal firewall with app control?
    I have found that this does stop IE from getting out of the box quite nicely

    I agree with rickontheweb that "permit once" is a sensible setting for IE, but it wasn't what the original request was for....

    It is a decent workaround but would also pop up asking for ACKs when IE was invoked from explorer or from within other poorly written applications
     
  7. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    gottadoit,

    My antivirus application suite, McAfee VirusScan Enterprise 8.0i, has data (edit: meant to say "file", not "data") execution prevention. You can list exceptions to the no execute rule that you create with it, so in theory, I guess you could stop svchost.exe from executing iexplore.exe while allowing something like explorer.exe or a 3rd party app launching dock to start it by listing them as exceptions to the rule.

    But aside from setting execution permissions globally for iexplore.exe, PG doesn't really have any way of stopping svchost from making the request.
     
  8. Gunslinger

    Gunslinger Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    11
    Thanks for the replies guys, sorry for my slow reply

    I think this SSM thing sounds like it might be worth a look. I would get rid of it but I need it, and I had some issues with Trillian clashing with other things on my machine

    I am inclined not to use the deny always option, because I have other things that launch in this manner, and Outpost would stop those too :(

    Thanks once again for the replies :)
     
  9. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    You can always delete IE. Yes, you can remove IE from Windows XP as well.

    And get updates from microsoft.com instead of Windows Update, just like I do.

    :D
     