Sygate PF process consistently terminated despite PG protections being enabled

Discussion in 'ProcessGuard' started by Pikachu762, May 17, 2004.

  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi everyone,

    I have a strange problem. I currently have the latest version of the Sygate personal firewall, along with PG 2.00, TDS-3, and Port Explorer 1.8.

    All of these programs are running when I'm online, and I use Opera 7.50 Beta for browsing the web. TDS execution protection is also enabled. I'm running WinXP Home with all the latest critical updates. I have a dialup connection at home, with no other computers or routers involved.

    The problem seems to be related in some way to the screen saver kicking in on my system, although I find it odd that the screen saver would play any role in running processes. I suppose it's possible... although I suspect that there is something else going on that I'm missing. In the log below, ssstars.scr is one screen saver that comes with WinXP, and gives the illusion of moving through space at great speed. I've tried the saver that just makes the screen go blank, but SPF still fails. I have a log from PG showing drwatson32 running and trying to gain access on the SPF process. The first time I had this happen, I configured PG to not allow drwatson32 from gaining anything but Read and GetInfo on a process. However, this did not solve the problem. PG blocks the good doctor from gaining access, but SPF still terminates and my computer is left without a firewall.

    Something is thus killing my firewall, and I don't know what it could be. Why isn't the system event that kills Sygate showing up in the PG log? I am wondering if it is a software conflict of some kind, since PG should prevent any normal routines from disabling the firewall.

    Here is the partial log:

    14 May 15:45:37 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
    14 May 15:55:33 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test: was ALLOWED to run
    14 May 15:55:34 - [EXECUTION] c:\program files\solidworks\sldworks.exe with commandline "c:\program files\solidworks\sldworks.exe" was ALLOWED to run
    14 May 16:34:17 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
    14 May 16:39:30 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
    14 May 16:40:57 - [EXECUTION] c:\windows\system32\drwtsn32.exe with commandline drwtsn32 -p 1292 -e 1044 -g was ALLOWED to run
    14 May 16:40:57 - [P] c:\windows\system32\drwtsn32.exe [616] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\sygate\spf\smc.exe [1292]
    14 May 16:53:55 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run
    14 May 17:13:48 - [EXECUTION] c:\windows\system32\ssstars.scr with commandline c:\windows\system32\ssstars.scr /s was ALLOWED to run


    I have recently updated my nVidia drivers to 56.72, and I am running the latest BIOS (which I upgraded to a few months ago and never had any problems with SPF; this all started recently). I've also tried uninstalling SPF, cleaning the registry, reinstalling... and I still have this problem.

    Argh.

    Any ideas?
     
  2. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Ok, it just happened again...no screensaver activated this time. I am starting to think something hostile is going on...

    Just before it crashed, SPF gave me a requester window asking if I should allow a new .dll to be loaded. I don't remember exactly what it was, since it disappeared very soon after appearing once SPF died, but it was related to the Windows Help files or system. It was also remote initiated (hmmmm).

    Here's the PG log for this latest event. drwatson32 is once again mentioned...
    I've included all entries from when I first booted the machine.

    17 May 19:59:16 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
    17 May 19:59:16 - [1 of 2] Success: Driver is active and secure.
    17 May 19:59:16 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
    17 May 19:59:16 - General Protection Options
    17 May 19:59:16 - [1 of 4] Block End-Task is enabled.
    17 May 19:59:16 - [2 of 4] Block Appinit registry key is enabled.
    17 May 19:59:16 - [3 of 4] Block Drivers/Services is enabled.
    17 May 19:59:16 - [4 of 4] Block Global Hooks is enabled.
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\userinit.exe with commandline c:\windows\system32\userinit.exe was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\explorer.exe with commandline c:\windows\explorer.exe was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline rundll32.exe nvcpl.dll,nvcplmanageusersettings 3 was ALLOWED to run
    17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\explorer.exe [1452]
    17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\system32\winlogon.exe [448]
    17 May 19:59:16 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\windows\system32\csrss.exe [424]
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline rundll32.exe nvcpl.dll,nvcplmanageusersettings 3 was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\program files\mru-blaster\indexcleaner.exe with commandline "c:\program files\mru-blaster\indexcleaner.exe" -cc was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\rundll32.exe with commandline "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\nwiz.exe with commandline "c:\windows\system32\nwiz.exe" /install was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe with commandline "c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\program files\avpersonal\avgnt.exe with commandline "c:\program files\avpersonal\avgnt.exe" /min was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\windows\agrsmmsg.exe with commandline "c:\windows\agrsmmsg.exe" was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\progra~1\sygate\spf\smc.exe with commandline "c:\progra~1\sygate\spf\smc.exe" -startgui was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\program files\iisystem wiper\systemwiper.exe with commandline "c:\program files\iisystem wiper\systemwiper.exe" m was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\program files\mru-blaster\mrublaster.exe with commandline "c:\program files\mru-blaster\mrublaster.exe" -silent was ALLOWED to run
    17 May 19:59:16 - [EXECUTION] c:\program files\processguard\procguard.exe with commandline "c:\program files\processguard\procguard.exe" -minimize was ALLOWED to run
    17 May 19:59:18 - [EXECUTION] c:\windows\system32\imapi.exe with commandline c:\windows\system32\imapi.exe was ALLOWED to run
    17 May 19:59:27 - [EXECUTION] c:\program files\die\tds-3.exe with commandline "c:\program files\die\tds-3.exe" was ALLOWED to run
    17 May 19:59:30 - [EXECUTION] c:\windows\msagent\agentsvr.exe with commandline c:\windows\msagent\agentsvr.exe -embedding was ALLOWED to run
    17 May 19:59:30 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sygate\spf\smc.exe was ALLOWED to run
    17 May 19:59:34 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" -start was ALLOWED to run
    17 May 19:59:34 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" was ALLOWED to run
    17 May 19:59:34 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\port explorer\portexplorer.exe was ALLOWED to run
    17 May 19:59:35 - [EXECUTION] c:\program files\port explorer\portexplorer.exe with commandline "c:\program files\port explorer\portexplorer.exe" was ALLOWED to run
    17 May 19:59:36 - [EXECUTION] c:\program files\die\dcsmutex.exe with commandline "c:\program files\die\dcsmutex.exe" diamond computer systems pty. ltd.
    17 May 20:00:03 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\juno6\qs\exec.exe was ALLOWED to run
    17 May 20:00:04 - [EXECUTION] c:\program files\juno6\qs\exec.exe with commandline "c:\program files\juno6\qs\exec.exe" was ALLOWED to run
    17 May 20:00:04 - [EXECUTION] c:\program files\juno6\qs\exec.exe with commandline exec 95db625hsjl|-1 56 was ALLOWED to run
    17 May 20:00:05 - [P] c:\program files\juno6\qs\exec.exe [1296] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\juno6\qs\exec.exe [1264]
    17 May 20:00:08 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\program files\juno6\qs\exec.exe [1296]
    17 May 20:00:28 - [P] c:\windows\system32\svchost.exe [804] tried to gain TERMINATE access on c:\program files\juno6\qs\exec.exe [1296]
    17 May 20:00:43 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" -nohome http://my.juno.com/s/sp?r=al&cf=sp&...000000&c=1062486000000&d=0&i=6.2b4ju&n=pl&o=i was ALLOWED to run
    17 May 20:00:47 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\opera75\opera.exe was ALLOWED to run
    17 May 20:00:47 - [EXECUTION] c:\program files\opera75\opera.exe with commandline "c:\program files\opera75\opera.exe" was ALLOWED to run
    17 May 20:15:48 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\documents and settings\******\my documents\sygate_error_log.sxw was ALLOWED to run
    17 May 20:15:49 - [EXECUTION] c:\program files\openoffice.org1.1.1\program\soffice.exe with commandline "c:\program files\openoffice.org1.1.1\program\soffice.exe" -o "c:\documents and settings\****\my documents\sygate_error_log.sxw" was ALLOWED to run
    17 May 20:39:46 - [EXECUTION] c:\windows\system32\drwtsn32.exe with commandline drwtsn32 -p 224 -e 936 -g was ALLOWED to run
    17 May 20:39:47 - [P] c:\windows\system32\drwtsn32.exe [160] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\sygate\spf\smc.exe [224]
    17 May 20:39:57 - [EXECUTION] c:\program files\die\ext.sys\execprot.exe with commandline "c:\program files\die\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sygate\spf\smc.exe was ALLOWED to run
    17 May 20:39:58 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" -start was ALLOWED to run
    17 May 20:39:58 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" was ALLOWED to run
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If it's Dr Watson killing it, then it has already crashed by itself. Dr Watson just attaches AFTER to get debug info about the crash.

    Can you save your protection list and email it to support? You might want to try adding ALLOW flags for known safe processes - give ALL allow flags to Sygate to limit the chance of something causing Sygate to crash. I can't figure out what you were doing at the time of the crash from the log since there's a time gap between the last action and the startup of Dr Watson. What were you doing at the time?
     
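Gavin's point above is a log-correlation question: a `[P]` line from drwtsn32.exe is the post-mortem debugger attaching to a process that has already died, and the giveaway is that the `-p <pid>` in the drwtsn32 command line matches the PID in brackets on the access line a second later. The following triage script is an added example, not part of the thread or of Process Guard itself; it assumes the log format shown in the posts above, and the sample lines are constructed (the first four are modelled on the thread's log, the last one is invented to show the other branch).

```python
import re
from datetime import datetime

# Constructed sample in the Process Guard log format seen in this thread.
# The final line is invented (hypothetical tool.exe / PIDs) to show an
# access attempt that is NOT explained by a debugger attach.
SAMPLE_LOG = r"""
17 May 20:15:49 - [EXECUTION] c:\program files\opera75\opera.exe with commandline "c:\program files\opera75\opera.exe" was ALLOWED to run
17 May 20:39:46 - [EXECUTION] c:\windows\system32\drwtsn32.exe with commandline drwtsn32 -p 224 -e 936 -g was ALLOWED to run
17 May 20:39:47 - [P] c:\windows\system32\drwtsn32.exe [160] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\sygate\spf\smc.exe [224]
17 May 20:39:58 - [EXECUTION] c:\program files\sygate\spf\smc.exe with commandline "c:\program files\sygate\spf\smc.exe" -start was ALLOWED to run
17 May 20:45:00 - [P] c:\some\other\tool.exe [999] tried to gain TERMINATE access on c:\program files\sygate\spf\smc.exe [300]
"""

TS = r"(?P<ts>\d{1,2} \w{3} \d\d:\d\d:\d\d)"
EXEC_RE = re.compile(
    rf"^{TS} - \[EXECUTION\] (?P<path>.+?) with commandline (?P<cmd>.+?) was ALLOWED to run$"
)
ACCESS_RE = re.compile(
    rf"^{TS} - \[P\] (?P<src>.+?) \[(?P<spid>\d+)\] tried to gain (?P<rights>.+?) "
    r"access on (?P<dst>.+?) \[(?P<dpid>\d+)\]$"
)
# Dr Watson is launched by the system as "drwtsn32 -p <crashed pid> -e <event> -g"
DRWTSN_PID_RE = re.compile(r"-p\s+(\d+)")


def _ts(s):
    # Log lines carry no year; deltas within one day are all we need
    return datetime.strptime(s, "%d %b %H:%M:%S")


def triage(log_text, window_seconds=5):
    """Single pass over the log. For every [P] access line decide whether it is
    the post-mortem debugger attaching to a process that already crashed
    (drwtsn32 started with -p <that pid> within window_seconds before) or an
    unexplained access attempt worth looking into."""
    recent_drwtsn = {}   # crashed pid -> time drwtsn32 was launched for it
    findings = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            if m["path"].lower().endswith("\\drwtsn32.exe"):
                p = DRWTSN_PID_RE.search(m["cmd"])
                if p:
                    recent_drwtsn[int(p.group(1))] = _ts(m["ts"])
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        dpid = int(m["dpid"])
        launched = recent_drwtsn.get(dpid)
        from_drwtsn = m["src"].lower().endswith("\\drwtsn32.exe")
        if (from_drwtsn and launched is not None
                and 0 <= (_ts(m["ts"]) - launched).total_seconds() <= window_seconds):
            verdict = "post-mortem debugger attach: target had already crashed"
        else:
            verdict = "unexplained access attempt: investigate the source process"
        findings.append({
            "time": m["ts"], "source": m["src"], "target": m["dst"],
            "target_pid": dpid, "rights": m["rights"], "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['source']} -> {f['target']} [{f['target_pid']}]: {f['verdict']}")
```

Run against the thread's own log, the two drwtsn32 lines (PIDs 1292 and 224) both fall into the first branch, which is exactly Gavin's reading: the blocked access is a symptom of the crash, not its cause, so the thing to look for is what smc.exe was doing in the seconds before Dr Watson started.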
  4. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Gavin,

    Is the address support@diamondcs.com?

    I cut and pasted the protection list I currently have. I wasn't at the computer for all of the crashes but one. I left for a bit, sometimes while it was downloading files for AntiVir, or TDS....other times I wasn't downloading anything and I stepped away for a while. When I came back, the Sygate icon was still in the system tray in the lower right. When I moved the mouse pointer over it, the icon disappeared.

    The first time I was present for a crash was during the .dll allow request that Sygate initiated, which just happened tonight. Within a few seconds, the requester window was gone and Sygate was gone with it. At the time I was using the software I listed in my first post (I forgot to mention AntiVir free in the first post. I have never had a problem with it though, so I don't think it has anything to do with my current troubles).

    Should I post a list from asviewer? Perhaps that would help...maybe someone can pick out a known conflict with what I have running now and Sygate.


    Process Guard v2.000 Protection List
    Date Saved: 18 May 2004 at 00:26:18

    Total items in list:- 24

    001 - c:\program files\processguard\procguard.exe
    002 - c:\program files\processguard\pg_msgprot.exe
    003 - c:\windows\system32\lsass.exe
    004 - c:\windows\system32\services.exe
    005 - c:\windows\system32\svchost.exe
    006 - c:\windows\system32\winlogon.exe
    007 - c:\windows\system32\smss.exe
    008 - c:\windows\system32\csrss.exe
    009 - c:\windows\system32\wbem\winmgmt.exe
    010 - c:\windows\system32\wbem\wmiadap.exe
    011 - c:\windows\system32\drwtsn32.exe
    012 - c:\windows\explorer.exe
    013 - c:\program files\internet explorer\iexplore.exe
    014 - c:\program files\outlook express\msimn.exe
    015 - c:\program files\avpersonal\avguard.exe
    016 - c:\program files\processguard\dcsuserprot.exe
    017 - c:\program files\opera7\opera.exe
    018 - c:\program files\juno6\qs\exec.exe
    019 - c:\program files\die\tds-3.exe
    020 - c:\program files\yahoo!\messenger\ypager.exe
    021 - c:\program files\yahoo!\messenger\yserver.exe
    022 - c:\program files\port explorer\portexplorer.exe
    023 - c:\matrix games\massive assault\ma.exe
    024 - c:\program files\sygate\spf\smc.exe

    ---001-----------------------------------------------
    Long Path :- c:\program files\processguard\procguard.exe
    Short Path :- c:\progra~1\proces~1\procgu~1.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- None
    Option Flags :- Allow Global Hooks


    ---002-----------------------------------------------
    Long Path :- c:\program files\processguard\pg_msgprot.exe
    Short Path :- c:\progra~1\proces~1\pg_msg~1.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---003-----------------------------------------------
    Long Path :- c:\windows\system32\lsass.exe
    Short Path :- c:\windows\system32\lsass.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---004-----------------------------------------------
    Long Path :- c:\windows\system32\services.exe
    Short Path :- c:\windows\system32\services.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---005-----------------------------------------------
    Long Path :- c:\windows\system32\svchost.exe
    Short Path :- c:\windows\system32\svchost.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---006-----------------------------------------------
    Long Path :- c:\windows\system32\winlogon.exe
    Short Path :- c:\windows\system32\winlogon.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---007-----------------------------------------------
    Long Path :- c:\windows\system32\smss.exe
    Short Path :- c:\windows\system32\smss.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---008-----------------------------------------------
    Long Path :- c:\windows\system32\csrss.exe
    Short Path :- c:\windows\system32\csrss.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---009-----------------------------------------------
    Long Path :- c:\windows\system32\wbem\winmgmt.exe
    Short Path :- c:\windows\system32\wbem\winmgmt.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---010-----------------------------------------------
    Long Path :- c:\windows\system32\wbem\wmiadap.exe
    Short Path :- c:\windows\system32\wbem\wmiadap.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---011-----------------------------------------------
    Long Path :- c:\windows\system32\drwtsn32.exe
    Short Path :- c:\windows\system32\drwtsn32.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---012-----------------------------------------------
    Long Path :- c:\windows\explorer.exe
    Short Path :- c:\windows\explorer.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- Allow Global Hooks


    ---013-----------------------------------------------
    Long Path :- c:\program files\internet explorer\iexplore.exe
    Short Path :- c:\progra~1\intern~1\iexplore.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- None
    Option Flags :- None


    ---014-----------------------------------------------
    Long Path :- c:\program files\outlook express\msimn.exe
    Short Path :- c:\progra~1\outloo~1\msimn.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- None
    Option Flags :- None


    ---015-----------------------------------------------
    Long Path :- c:\program files\avpersonal\avguard.exe
    Short Path :- c:\progra~1\avpers~1\avguard.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---016-----------------------------------------------
    Long Path :- c:\program files\processguard\dcsuserprot.exe
    Short Path :- c:\progra~1\proces~1\dcsuse~1.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
    Option Flags :- None


    ---017-----------------------------------------------
    Long Path :- c:\program files\opera7\opera.exe
    Short Path :- c:\progra~1\opera7\opera.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---018-----------------------------------------------
    Long Path :- c:\program files\juno6\qs\exec.exe
    Short Path :- c:\progra~1\juno6\qs\exec.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---019-----------------------------------------------
    Long Path :- c:\program files\die\tds-3.exe
    Short Path :- c:\progra~1\die\tds-3.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---020-----------------------------------------------
    Long Path :- c:\program files\yahoo!\messenger\ypager.exe
    Short Path :- c:\progra~1\yahoo!\messen~1\ypager.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read
    Option Flags :- None


    ---021-----------------------------------------------
    Long Path :- c:\program files\yahoo!\messenger\yserver.exe
    Short Path :- c:\progra~1\yahoo!\messen~1\yserver.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read
    Option Flags :- None


    ---022-----------------------------------------------
    Long Path :- c:\program files\port explorer\portexplorer.exe
    Short Path :- c:\progra~1\portex~1\portex~1.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- None


    ---023-----------------------------------------------
    Long Path :- c:\matrix games\massive assault\ma.exe
    Short Path :- c:\matrix~1\massiv~1\ma.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- Allow Global Hooks


    ---024-----------------------------------------------
    Long Path :- c:\program files\sygate\spf\smc.exe
    Short Path :- c:\progra~1\sygate\spf\smc.exe
    Blocked Flags :- Write,Terminate,Suspend,SetInfo
    Allow Flags :- Read,GetInfo
    Option Flags :- Allow Global Hooks
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    I notice you still have PG_MsgProt from an older build, remove that from the list. If the file exists, delete it.

    ASViewer log would be helpful, yes please email both to support@diamondcs.com.au

    Since everything in your list is KNOWN to be good, try giving every item full allow access (all 6 flags) and then reboot. See if your firewall dies at any time. When you moved the mouse over the icon, it was already closed long ago.

    Also, see if Sygate support can offer any ideas. Try installing an old version, and possibly try uninstalling both programs (stay off the internet though!) and just install this new version of Sygate. Does it still go down? Lots of things we can try to narrow down the problem, but the first for me would be an older version and contact their support team :)
     
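Gavin's two pieces of advice (drop the stale pg_msgprot.exe entry, and give every known-good item all six allow flags) can be checked mechanically against an exported protection list. This is an added example, not part of the thread or of Process Guard; it assumes the exported-list layout shown in post 4 above, the sample excerpt is constructed (four entries modelled on that list), and the set of stale file names defaults to the one name Gavin mentions.

```python
import re

# The six allow flags as they appear in an exported Process Guard list
ALL_FLAGS = ("Read", "Write", "Terminate", "Suspend", "GetInfo", "SetInfo")
ENTRY_RE = re.compile(r"^---(\d{3})-+$")

# Constructed excerpt in the exported-list format shown in this thread
SAMPLE_LIST = r"""
---001-----------------------------------------------
Long Path :- c:\program files\processguard\procguard.exe
Short Path :- c:\progra~1\proces~1\procgu~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- None
Option Flags :- Allow Global Hooks


---002-----------------------------------------------
Long Path :- c:\program files\processguard\pg_msgprot.exe
Short Path :- c:\progra~1\proces~1\pg_msg~1.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---003-----------------------------------------------
Long Path :- c:\windows\system32\lsass.exe
Short Path :- c:\windows\system32\lsass.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,Write,Terminate,Suspend,GetInfo,SetInfo
Option Flags :- None


---004-----------------------------------------------
Long Path :- c:\program files\sygate\spf\smc.exe
Short Path :- c:\progra~1\sygate\spf\smc.exe
Blocked Flags :- Write,Terminate,Suspend,SetInfo
Allow Flags :- Read,GetInfo
Option Flags :- Allow Global Hooks
"""


def _flags(value):
    # "None" means no flags; otherwise a comma-separated list without spaces
    value = value.strip()
    return () if value == "None" else tuple(f.strip() for f in value.split(","))


def parse_protection_list(text):
    """Turn the '---NNN---' blocks into a list of dicts, one per protected item."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            current = {"num": int(m.group(1))}
            entries.append(current)
            continue
        if current is None or " :- " not in line:
            continue
        key, value = line.split(" :- ", 1)
        key = key.strip().lower()
        if key == "long path":
            current["long_path"] = value.strip()
        elif key == "short path":
            current["short_path"] = value.strip()
        elif key == "blocked flags":
            current["blocked"] = _flags(value)
        elif key == "allow flags":
            current["allow"] = _flags(value)
        elif key == "option flags":
            current["options"] = value.strip()
    return entries


def audit(entries, stale=("pg_msgprot.exe",)):
    """Map each long path that needs attention to the suggested action:
    stale files get 'remove', known-good items missing allow flags get the
    list of flags to add. Items already carrying all six flags are omitted."""
    findings = {}
    for e in entries:
        name = e["long_path"].rsplit("\\", 1)[-1].lower()
        if name in stale:
            findings[e["long_path"]] = "remove: left over from an older build"
            continue
        missing = [f for f in ALL_FLAGS if f not in e["allow"]]
        if missing:
            findings[e["long_path"]] = "add allow flags: " + ",".join(missing)
    return findings


if __name__ == "__main__":
    for path, action in audit(parse_protection_list(SAMPLE_LIST)).items():
        print(f"{path}: {action}")
```

Feeding the 24-entry list from post 4 through `audit` flags pg_msgprot.exe for removal and every item whose Allow Flags line reads "None", "Read" or "Read,GetInfo" (including smc.exe itself), which is the set Gavin asks to be opened up before the next reboot test.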
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Did you use Windows Worms Doors Cleaner?

    I had a user mailing me about SPF PRO crashing after disabling DCOM or Locator (which is just a registry edit that you can do manually), and he wasn't able to make SPF work properly even after having enabled the services again.

    I'm still looking at why a firewall should fail to run after a service not needed for the firewall to run has been disabled o_O
    All of the firewalls I have tested work very well with every critical service disabled, apart from Kerio 2.1.5 and SPF Pro.

    If it's not your case, then forget my post, but I would really like to know anyway what could make your firewall crash.

    regards,

    gkweb.
     
    Last edited: May 18, 2004
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I had similar problems with Sygate 5.5 and reverted to 5, as it is a known problem and is mentioned many times on the Sygate forums. This is definitely NOT a Process Guard problem. I got so peed off with the lack of support from Sygate that I ditched it.
    Now happily using Kerio 2.1.5 with Process Guard protecting it :)
    I also use Outpost 2 on Server 2003 with PG and they have been running continuously now, apart from updates, for over six months with no problems :)

    :End Rant:

    Pilli
     
  8. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Gavin,

    Thank you for your help. I will send the protection list and asviewer log to the support address. I just had Sygate crash two times in a row. The .dll requester appeared both times, asking about the same things (Windows helpfile related things that were remote initiated).

    I have been getting lots of bad traffic the past couple weeks, all of it from the same general IP range. I am wondering if there is some sort of malformed packet that can kill Sygate. Most of this bad traffic is trying to get in on my port 5000, with a few attempts on 113, 80, 0 using ICMP requests, and 2745. Perhaps it would be a good idea to send in the packet log to the Sygate people and have them look at it. If anyone on here wants to look, I'll email them the logs as well. I am starting to get very suspicious, and maybe there is something malevolent going on here.

    The IPs coming in to my machine are ranging in 199.35.xxx.xxx. WhoIs gives this info:


    OrgName: ICG NetAhead, Inc.
    OrgID: ICGN
    Address: 161 Inverness Drive West
    City: Englewood
    StateProv: CO
    PostalCode: 80112
    Country: US

    NetRange: 199.35.96.0 - 199.35.255.255
    CIDR: 199.35.96.0/19, 199.35.128.0/17
    NetName: ICG-BLK-BLK3A
    NetHandle: NET-199-35-96-0-1
    Parent: NET-199-0-0-0-0
    NetType: Direct Allocation
    NameServer: AS1.ICG.NET
    NameServer: AS2.ICG.NET
    Comment: Addresses within this block are non-portable
    RegDate:
    Updated: 2004-05-03

    TechHandle: IPADM127-ARIN
    TechName: IP Admin
    TechPhone: +1-303-414-5000
    TechEmail: ip_admin@icgcomm.com

    OrgAbuseHandle: ABUSE170-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-303-414-5000
    OrgAbuseEmail: abuse@icgcom.com

    OrgTechHandle: IPADM127-ARIN
    OrgTechName: IP Admin
    OrgTechPhone: +1-303-414-5000
    OrgTechEmail: ip_admin@icgcomm.com

    # ARIN WHOIS database, last updated 2004-05-17 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database

    I've tried emailing their abuse address in the past, but they didn't bother with anything more than a form letter. Up until now, I didn't care much, but now it seems that something is wiping out my firewall, so I am rather more concerned.

    The version of Sygate I have is the latest one, but it came out a number of months ago. I never had any troubles at all with it until...about 10 days ago, when it started to crash with no explanation.

    Here is the asviewer log if anyone would like to see it, with running services and autostarts:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for ********@POOP1, 05-18-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\scrnsave.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\scrnsave.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVGCtrl
    C:\Program Files\AVPersonal\AVGNT.EXE /min
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AGRSMMSG
    C:\WINDOWS\AGRSMMSG.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
    C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRUBlaster
    C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iIWiper
    C:\Program Files\iISystem Wiper\SystemWiper.exe m
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\**********\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
    C:\Program Files\MRU-Blaster\mrublaster.exe
    C:\Documents and Settings\****\Start Menu\Programs\Startup\Process Guard.lnk
    C:\Program Files\ProcessGuard\procguard.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AntiVirService\
    C:\Program Files\AVPersonal\AVGUARD.EXE
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\DCSUserProt\
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\IOPort\
    \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
    HKLM\System\CurrentControlSet\Services\irda\
    C:\WINDOWS\System32\DRIVERS\irda.sys
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\procguard\
    \??\C:\WINDOWS\System32\drivers\procguard.sys
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SocketLock\
    \??\C:\WINDOWS\System32\socketlock.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\wg3n\
    C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
     
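An added example (not code from the thread or from DiamondCS) that parses the two-line key/image-path format of the listing above and flags services whose binary lives outside the Windows or Program Files directories; the sample listing, the ExampleSvc entry and the trusted-directory list are constructed assumptions for illustration:

```python
"""Triage helper for an autostart/service listing in the format posted in
this thread: each registry key line is followed by the image path(s) it
launches.  Added example; the sample below is constructed, with two real
entries copied from the thread and one made-up entry (ExampleSvc)."""
import re

SAMPLE = """\
HKLM\\System\\CurrentControlSet\\Services\\procguard\\
\\??\\C:\\WINDOWS\\System32\\drivers\\procguard.sys
HKLM\\System\\CurrentControlSet\\Services\\RpcSs\\
C:\\WINDOWS\\system32\\svchost -k rpcss
HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\
C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe
"""

# Assumed allow-list of directories a service image is expected to live in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_listing(text):
    """Return (key, image_cmdline) pairs from the listing.

    A key line may be followed by several path lines (e.g. the Winsock
    catalog entry), so every path line is paired with the last key seen."""
    pairs, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith(("HKLM\\", "HKCU\\")):
            key = line
        elif key is not None:
            pairs.append((key, line))
    return pairs


def image_file(cmdline):
    """Strip the NT \\??\\ prefix and any arguments (e.g. '-k netsvcs')."""
    path = cmdline.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    # Unquoted paths may contain spaces, so cut at the binary's extension
    # when one is present; otherwise fall back to the first token.
    m = re.match(r"^(.+?\.(?:exe|sys|dll|vxd))(?:\s|$)", path, re.IGNORECASE)
    return m.group(1) if m else path.split(" ")[0]


def flag_untrusted(text):
    """Return the keys whose image path is outside TRUSTED_DIRS."""
    return [key for key, cmd in parse_listing(text)
            if not image_file(cmd).lower().startswith(TRUSTED_DIRS)]
```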
  9. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi gkweb,

    Thank you for the suggestion. Unfortunately, I haven't run Windows Worms Doors Cleaner. I am rather curious as to why Sygate has suddenly stopped being reliable.... An interesting problem.
     
  10. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Pilli,

    I have heard about various problems with Sygate, but up until very recently, it had been working well for me. I like the program a lot, and would like to keep using it...if at all possible. I might not be able to continue using it the way things are going now.

    I tried installing the free version of Kerio a few days ago, but it didn't install correctly, complaining about not finding a certain series of registry keys.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Log looks OK, does sound like a Sygate bug. It's a good firewall though, agreed.

    Try uninstalling and reinstalling it soon? Hope you receive an answer from their support team (soon) which helps :)
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Gavin, it is a good firewall when working correctly, but the latest version was too unstable on this PC. Sygate have been very slow to react on one or two fronts: firstly, not changing the default rules, which allow unnecessary servers for allowed programs, and secondly the instability of the TCP layer.
    On the Sygate forums there is a mention that Sygate have produced private beta builds for some users that can correct the second error.

    Pikachu762
    If Kerio 4 would not install it sounds like you may have some registry cleaning to do or defragging.
    Did you try and install it with other programs running? PG, AV, AT etc. If so this could have caused the install problem.

    Pilli
     
  13. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Gavin,

    Thank you for checking out the logs and your help.

    I am starting to believe that Sygate is vulnerable to some bad incoming traffic, since it seems to be crashing only when I am getting bad inbound connection attempts.

    I started another thread in the "other firewalls" section with more info from my System and Security logs.

    I haven't gotten any responses yet on the Sygate forum...grrrr.
     
  14. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Pilli,

    The Kerio install issue was an odd one. The entire registry key folder to which it was trying to add keys doesn't exist on my computer. I should have written it down, because I have forgotten what exactly it was called.
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    BTW Kerio 4 works great for me :D
     
  16. clocko

    clocko Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    9
    If you're running Sygate you must ensure that any Javacool software is disabled properly or Sygate crashes... if you are running SpywareGuard you must manually disable it, as Sygate does not seem to like it at all... I suggest uninstalling it altogether.
     