TDS3 Execution protection

Hi I am running the full version of TDS3 and Process guard, when I inspect the log in process guard I would expect the TDS execprot.exe to be called for each executable run, however it only seems to be called some of the time.
This is an extract of the log

18 Aug 19:14:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
18 Aug 19:32:45 - [EXECUTION] c:\windows\system32\wuauclt.exe with commandline "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[504]susdsf89b20517062d946957b67961d2b475d was ALLOWED to run
18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81484-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {2d787830-1657-44f4-aaae-51788083545e} 0 was ALLOWED to run
18 Aug 19:44:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
18 Aug 20:09:57 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\outlook express\msimn.exe was ALLOWED to run
18 Aug 20:09:58 - [EXECUTION] c:\program files\outlook express\msimn.exe with commandline "c:\program files\outlook express\msimn.exe" was ALLOWED to run
18 Aug 20:10:16 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" -embedding was ALLOWED to run
18 Aug 20:13:09 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\diamond cs\port explorer\portexplorer.exe was ALLOWED to run
18 Aug 20:13:09 - [EXECUTION] c:\program files\diamond cs\port explorer\portexplorer.exe with commandline "c:\program files\diamond cs\port explorer\portexplorer.exe" was ALLOWED to run
18 Aug 20:14:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
18 Aug 20:14:47 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81484-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
18 Aug 20:14:47 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {2d787830-1657-44f4-aaae-51788083545e} 0 was ALLOWED to run
18 Aug 20:14:47 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\internet explorer\iexplore.exe was ALLOWED to run
18 Aug 20:14:48 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" was ALLOWED to run
18 Aug 20:14:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
18 Aug 20:17:03 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sysinternals\process explorer\procexp.exe was ALLOWED to run
18 Aug 20:17:04 - [EXECUTION] c:\program files\sysinternals\process explorer\procexp.exe with commandline "c:\program files\sysinternals\process explorer\procexp.exe" was ALLOWED to run

Note how only some of the apps have been scanned by TDS3. Is this by design of is Execution Protection not working on my system

Thanks
Tom

 

Looking at the log files it seems that only programs with no arguments are scanned, the ones with '-embedding' or ' {2d787830-1657-44f4-aaae-51788083545e} 0' or similar are not scanned. Could someone explain what the various arguments mean
Thanks
Tom

 

Hi frogfoot, I'm guessing here but are the .exe's that are not showing execution protection "executing" also on your PG protection list?
What I am thinking is that you may not have given TDS3 the correct allow privileges for protected list programs or that TDS3 .exe is not on your PG protection list
In other words PG is stopping TDS3's execution protection from running. ie. doing it's job

Oh, Just checked on my other PC as this one is running the new PG beta - It appears that all programs I run are being scanned by exec prot - Strange

Regarding the "arguments" I have no real idea but hopefully DCS will comment.

As I said just a guess. Pilli

EDited 21:06

 

Hi,

Fisrt of all:
I don't have Process Guard (I can't run it because I'm still at W 98SE).
So I have to leave that part to others

However:
There is a difference between execprot.exe and execprot.dll !

See this thread:
https://www.wilderssecurity.com/showthread.php?t=21003

If I remember me well: there have been one or two long threads about execprot.exe and Process Guard with some discussion about it.

Maybe, if we can come to a clear explanation for execprot.exe and Process Guard, it might be a good idea to add it to that thread for future reference.

 

Thanks for the quick reply, but execprot.exe has all available privs (excluding driver install, global hooks and CMH)
Thanks
Tom

 

Hi agian, I only have the tds-3.exe on my protection list with the normal four blocks no allows and CMH - Exec prot works fine, so I guess tds-3.exe starts / sporns the exec prot process ie. the hook.

18 Aug 20:57:13 - Window Log Started
18 Aug 20:57:21 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\lavasoft\ad-aware 6\ad-watch.exe was ALLOWED to run
18 Aug 20:57:23 - [EXECUTION] d:\program files\lavasoft\ad-aware 6\ad-watch.exe with commandline "d:\program files\lavasoft\ad-aware 6\ad-watch.exe" was ALLOWED to run
18 Aug 20:57:25 - [P] d:\program files\lavasoft\ad-aware 6\ad-watch.exe [2080] tried to gain READ access on d:\program files\processguard\procguard.exe [484]
18 Aug 20:57:25 - [P] d:\program files\lavasoft\ad-aware 6\ad-watch.exe [2080] tried to gain READ access on d:\program files\agnitum\outpost firewall\outpost.exe [1824]
18 Aug 20:58:05 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\port explorer\portexplorer.exe was ALLOWED to run
18 Aug 20:58:06 - [EXECUTION] d:\program files\port explorer\portexplorer.exe with commandline "d:\program files\port explorer\portexplorer.exe" was ALLOWED to run
18 Aug 20:58:26 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\cryptosuite\cryptosuite.exe was ALLOWED to run
18 Aug 20:58:29 - [EXECUTION] d:\program files\cryptosuite\cryptosuite.exe with commandline "d:\program files\cryptosuite\cryptosuite.exe" was ALLOWED to run
18 Aug 21:12:20 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\internet explorer\iexplore.exe was ALLOWED to run
18 Aug 21:12:21 - [EXECUTION] d:\program files\internet explorer\iexplore.exe with commandline "d:\program files\internet explorer\iexplore.exe" was ALLOWED to run
18 Aug 21:12:47 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\eset\nod32.exe was ALLOWED to run
18 Aug 21:12:47 - [EXECUTION] d:\program files\eset\nod32.exe with commandline "d:\program files\eset\nod32.exe" was ALLOWED to run
18 Aug 21:12:49 - [P] d:\program files\eset\nod32krn.exe [1396] tried to gain READ access on d:\program files\processguard\procguard.exe [484]
18 Aug 21:12:49 - [P] d:\program files\eset\nod32krn.exe [1396] tried to gain READ access on d:\program files\agnitum\outpost firewall\outpost.exe [1824]

 

I notice that none of the applications in your log extract have arguments, it seems to only be the ones with arguments which dont get checked by TDS3

(see my second post).

Thanks again
Tom

 

Hi Tom,

I really doubt whether this proves that TDS-3 Execution Protection (which is the hook execprot.dll) did not check those !

Once again I would like to point to the difference between execprot.exe and execprot.dll

 

Hi again frogfoot, Please remove execprot.exe from your protection list, then add, if you have not already, TDS-3.exe with the default settings and CMH if you like. execprot.dll is sporned from TDS-3.exe - You can see it in process explorer. As stated by Fanj, this creates the necessary hook.

 

Interesting. I also have TDS3 and PG, but I never see anything in my PG log file like "d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe .....".

I have setup TDS-3 execution protection enabled (or so it says so), and have enter TDS-3 into the protected programs list as stated above. I was unaware these entried into the log file were a way of checking to see if Exec Protection were working. What might I be doing wrong?

 

Hi Daisey,

As I posted earlier in this thread:
I absolutely doubt whether the fact that you don't see those entries in your ProcessGuard-logfile, does prove that those files are NOT scanned by TDS-3 !

I really think that it does not prove it !!!

I could try to prove that TDS-3 DOES check them by Execution Protection, but I guess that makes not much sense here (cause I don't run PG; you know: W 98 SE ).
I really have to leave the PG-issues here to others

I cannot tell enough that execprot.exe and execprot.dll are NOT the same things.

Well, I leave it further up to the DCS guys and mods and to the more experienced users of both TDS-3 and PG.

Take care !
Cheers, Jan.

 

Hi Daisie,

Hmm, Are you sure that Execution protection is installed? You can see this in the console window after TDS3 has started. TDS3 must be a running process as a desktop item ie. GUI showing, minimised or iconised in the sys tray.
If you are using Process Explorer you can see that execprot.dll is loaded in the .dll view.
The DLL view shows the image file, DLLs, and data files mapped into the address space of the selected process.

HTH Pilli

 

In the ext.sys folder in the TDS-3 directory you should see many executables, including execprot.exe.
Question: which of the many executable files in this folder(and other TDS folders too as far as that goes) should be given full allow permissions in Procguard in order to get the maximum protection when TDS is running in the tray?

 

I have removed execprot.exe from the protected items list, TDS3 was already added to the list, with the blocks and allows you sugest, there seems to be no change, some applications still do not have a pre-ceeding TDS entry in the PG log when run.

This makes interesting reading. If execprot.exe is nothing to do with execution protection but simply used for dde exchange why is it called prior to running some aplications. It seems it is related in some way to execution protection.

Pilli, in your process guard log do you see any applications start without being preceeded by a call to execprot.exe? especialy ones with an argument in the command line like the one below. (note the {21e81483-745b-11d5-83f7-0050ba6dbfd6})

19 Aug 09:12:50 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run

 

Hi Bluekey, As far as I know only the main .exe ie. tds-3.exe. The other .exe's are started by TDS so, when run, the checksum part of Process Guard will demand a permission therefore they do not need to be be on your protection list. Also many will not run unless TDS3 is running.

HTH Pilli

 

No, not on the pc I was checking it on which uses Windows 2003 server OS and has very few program changes except for updates.

This PC is running the new beta which quite different.

Hopefully DCS may get time to answer your question.

 

I think I understand what is going on now. If the process is started by the user (ie you click on a shortcut, start menu item) the TDS eceprot.exe process runs, with or without an argument following it, however if the application is spawned from another application then exeprot.exe is not run
I did the following simple test
1) Run media player from start menu item - exeprot runs
2) Run Media player (with argument) by clicking on an AVI file on my HDD -exeprot runs
3) Run Media player spawned from iExplorer by clicking on a link to an AVI - exeprot does not run
see below

19 Aug 09:36:45 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\windows media player\wmplayer.exe was ALLOWED to run
19 Aug 09:36:46 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /prefetch:1 was ALLOWED to run
19 Aug 09:36:52 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\windows media player\wmplayer.exe was ALLOWED to run
19 Aug 09:36:53 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /prefetch:8 /shellhlp_v9 play /dataobject:nefepehfbaaaaaaaoabaaaaaaaaaaaaaamaaaaaaaaaaaageaaaaaaaafaaaaaaakbgchhpacogofpgplafhobaboidalpoloaijaaaaaccamcpadlmhahjciindapceaaaaaaaa was ALLOWED to run
19 Aug 09:37:03 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://www.teamspeed95.nu/images/ny%20mapp/wmmplt.wmv" /prefetch:10 was ALLOWED to run

Does this mean that TDS will not scan an application spawned from another process? if so then isn't that a bit of a vulnerability.

I am sure however that I am barking up the wrong tree, maybe someone from DCS could explain what I am seeing and put my mind at rest.
Thanks
Tom

 

Hi frogfoot,

I don't know what is happening

Maybe this thread needs an update:
Difference between execprot.DLL and execprot.EXE

As far as I am concerned it is from now on up to DiamondCS to try to help you.
It are their programs.