"Terminate Protected Applications"

Discussion in 'ProcessGuard' started by bch, Nov 18, 2004.

Thread Status:
Not open for further replies.
  1. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    I've just installed the full version of PG. After reading the help file, I've ticked the "Terminate Protected Applications" box for Task Manager, and the other task manager type programmes like Process Explorer and APT etc. I've done the same with my security apps, anti-virus, anti-spyware, anti-trojan etc., but I'm not 100% sure I needed to do that with the security apps.

    My question is, is it necessary, or ill advised, to allow the security apps to "terminate protected applications"?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi bch & welcome :)

    In my mind, to add terminate to any but maybe Process Explorer is unnecessary.
    Why? Terminate process could be used by malware to try and terminate any of your protected list trusted programs. Having said that, if, say, TM was on your protection list and somehow managed to be compromised then it would be end game, as whatever it was that could do such a thing would be mighty dangerous indeed. Having said that, risk reduction is what ProcessGuard is all about, so the less the better in this case :)

    AVs, ATs and firewalls do not normally require terminate process as their main job (AV, AT, anti-spyware) is to detect and clean any identified threat. Your firewall is there to stop disallowed incoming or outgoing packets.

    APT is a test program; once on the prot list it can terminate anything on the list if given the Terminate process Allow, so this is pointless. APT should not be on the Protection list, full stop :) But just give it the Execute permission to run so that you can do any appropriate tests.

    Adding the four General protections is important for your protected processes and is required for all the APT tests to be stopped apart from K7 and K8. Programs with a Windows (GUI) close message ability such as Exit, Quit or x require that you give the program the Secure Message Handling (SMH) enable. Please take time to read and understand the specific information regarding SMH as it has its own training procedure.

    Please note that some programs such as KAV 5 and Zone Alarm would not normally require SMH as they are already well protected from closure using the K7 & K8 terminate methods.

    Also note that any program you add SMH to should not be running when you enable SMH - In some cases this may require a reboot for the service to be restarted.

    I hope this will help you and please ask for any other information or clarifications should you have the need.

    HTH Pilli.
     
  3. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    Hello Pilli,

    Thank you very much for your reply. I've added SMH to my security apps, as per the help file instructions, so that is fine and thanks.

    PG is still in learning mode and here is where I have gone wrong, I think!
    Whilst in learning mode, I've opened just about every programme I've got, so I have a long list of protected items. After reading your reply, I think all I needed to do was to open all my security apps. Given what I've done, is there any harm in leaving everything protected? I thought that by opening every programme and letting PG learn about it, it would reduce any prompts that I would subsequently receive.

    As regards APT, I've had that on the computer for a while to enable me to kill any malware process which was putting up a fight. (I've never had to use it as such but think it's a good programme to have.) This is why I wanted to specifically protect it and allow it the termination privilege. Am I wrong thinking this way?

    Thank you again.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, you cannot apply SMH in learning mode unfortunately; SMH is complex and requires learning mode to be off when applied.

    Nothing is likely to attack APT as it is just a test tool. Allowing it to be on the security list with permit should be fine, as if any malware were to change it you would be informed.

    The only time you may want to put it on the protection list is if you needed to close a protection listed program that could not be closed in any other way.

    I personally do not put any non internet or non system programs on the protection list but, of course, they all go on the Security list so that if they are changed without my knowledge I can investigate the cause.

    I actually have Notepad & Freecell on permit once, as it reassures me that ProcessGuard is working OK.

    Once everything settles down when running PG, it is very non-intrusive unless you are forever changing programs. :)

    Cheers. Pilli
     
  5. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    Thanks again. I understand more now. Just a point about SMH. Although PG is still in learning mode, I do seem to have been able to set this up for my security apps, i.e. I'm receiving the prompts to type in the five letters before they will close down. I've only done it for three programmes: NAV 2003, Ewido, and McAfee Firewall.

    Thanks again. I'll go and do the second reboot now so it's all up and running.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi bch, habit on my part; the changes to SMH since version 2 probably do allow it. To be honest, SMH is the last thing I add. I know that Jason changed the way that SMH worked, so I am pretty sure you are correct. :oops: Though on certain low level programs this may not always be the case.
    An easy way to check is to use Process Explorer or Faber Toys to make sure that the procguard.dll is injected into the protected process.
    You will need to set them (Pro Exp or Fab) to view .dlls.

    Thanks for your input. Pilli
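Pilli's check above uses Process Explorer or Faber Toys to confirm that procguard.dll has been injected into a protected process. The same check can be scripted, which is handy for confirming every protected process in one go after a reboot. The script below is an added example written for this thread; it is not from DiamondCS or ProcessGuard, and it only reads the module list of running processes. The DLL name comes from the thread; the process names in the usage line are placeholders to replace with your own protected programs.

```powershell
# Added example (not ProcessGuard's own code): list whether a given DLL is
# loaded in each named running process, the scripted equivalent of looking
# at the DLL view in Process Explorer / Faber Toys.
function Test-InjectedModule {
    param(
        [Parameter(Mandatory)] [string[]] $ProcessName,   # placeholders: your protected programs
        [string] $ModuleName = 'procguard.dll'            # DLL name as quoted in the thread
    )
    foreach ($name in $ProcessName) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            # A protected program that is not running cannot have the hook DLL loaded yet
            [pscustomobject]@{ Process = $name; Id = $null; Loaded = $false; Note = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            try {
                # .Modules throws for processes the current user is not allowed to
                # inspect (e.g. SYSTEM services from a non-elevated prompt)
                $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
                [pscustomobject]@{
                    Process = $p.ProcessName
                    Id      = $p.Id
                    Loaded  = [bool]$hit
                    Note    = if ($hit) { $hit.FileName } else { 'module absent' }
                }
            } catch {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    Id      = $p.Id
                    Loaded  = $null
                    Note    = "cannot read modules: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Usage: 'notepad' is a placeholder taken from Pilli's permit-once example;
# substitute the names of the programs you have SMH enabled for.
Test-InjectedModule -ProcessName 'notepad' | Format-Table -AutoSize
```

Run it from an elevated prompt so that security services running as SYSTEM can be inspected; a `Loaded` value of `$null` means the module list could not be read, not that the DLL is missing. A `$false` for a program you have given SMH to is the case Pilli describes: the program was running when SMH was enabled and needs to be restarted (or the machine rebooted) before the DLL is injected.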
     
  7. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    Found the procguard.dll in NAV using Faber Toys.

    Just one more point. When I defragmented using Diskeeper Home 9.0, it left the pghash.dat and the pguard.dat files fragmented stating "access denied". That seemed fair enough. When I later defragmented using PerfectDisk 7, it left no unfragmented files. I double checked this by immediately opening Diskeeper and clicking on "Analyse" and it confirmed that there were no fragmented files.

    I have absolutely no idea whether or not it's important that these files could be accessed by another programme.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi bch, the defragmenters cannot access procguard.dat / pguard.dat unless ProcessGuard is disabled, as they are locked by DCSuserprot, whereas Diskeeper just passes them by :)
    I doubt they were fragmented anyway, and that PerfectDisk just assumes they are fragmented because it cannot open them.
    You have not stated what allows etc. you have for either defragmenter program, as this may also have a bearing on what is happening.

    These are the files that hold your security & protection list data and are important to ProcessGuard; if these were left unprotected it could be seen as a possible vulnerability.

    HTH Pilli
     
  9. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    Hello again Pilli,

    Both Diskeeper and PD have the Modify and Read allows. After the Diskeeper run, it reported that there were two fragmented files, the pghash.dat and the pguard.dat files. The number of excess fragments was sixteen. After the PerfectDisk run, there were no fragmented files. I confirmed this by checking immediately after with Diskeeper. Process Guard protection was enabled at the time, i.e. it was out of learning mode.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I guess that PerfectDisk must be doing a better job then :) Maybe it tried harder.
    DCS may have a better answer.
    I run System Suite for defragging and am not sure if that is VCOM's own defragmenter or licensed from another supplier, but I have not run it since installing V3.

    Pilli
     
  11. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    Thanks again, Pilli, for your help. PG is a fine programme.
     