Termination Capability

Discussion in 'ProcessGuard' started by Dazed_and_Confused, Nov 1, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Regarding PG's termination allow flag, if an app has the termination allow flag set (as TDS does in the attached pic), why would I get a message saying PG has blocked it from terminating another app (in this case RegWatcher)? I thought the termination allow flag would allow the app to terminate another app, even if the other app had the termination block flag set. o_O
     

    Attached: 1.gif (4.2 KB)
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Items in the Protection List are protected from termination by default. The reasoning would be that if you put a process in the Protection List, you probably want it to be protected from termination (like your firewall or AV). It is more efficient to disable termination protection for one process when you need to. Otherwise, you would have to enable it for every process that you put in the list.

    Nick
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Learning mode automatically "enables" the allow flag after a block occurs, so it can be a little misleading.
     
  4. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Nick. But I think I'm still confused.

    So in my scenario above, what allow flag was automatically set?


    If I want an application (such as ProcessExplorer or TDS-3) to be able to terminate another application, even one that has "Protected from Termination" flag set (such as RegWatcher), how does one do this?
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dasie, I'll try and explain :)
    Allows on the protection listed programs override blocks on protected list programs.
    For instance Port Explorer has the default Block Terminate & Modify.
    Giving Process Explorer the Termination Allow will enable it to kill Port Explorer. Doing this is safe when applied to any trusted program; in fact it is very useful, as in the case above, as it allows you to terminate a non-responding process easily, whereas if you did not give the Allow termination to, say, Proc Exp or TM then you could not kill the non-responding process.

    I do it on the fly and do not give any process the termination allow unless I need to. SpySweeper always wants to know if it can terminate smss.exe although AFAIK it has no intention of doing it. Just two alerts which I ignore with no detrimental effects.

    HTH Pilli :)
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi D&C,
    You got it right in your first post: programs in the protection list are (by default) protected against any attempt to terminate them. However, granting a program terminate privilege (which can be done only via that very same protection list), amounts to allowing this program to not only terminate programs that are not on the list at all, but to terminate all programs, overriding an eventual protection defined in the list (for this single terminate-allowed program only, of course).

    The problem (possibly) is that Learning mode only learns after an attempt has been blocked. So, if your scenario from the beginning meant that TDS was trying to terminate RegWatcher while in Learning Mode (and thus not having had the terminate allow flag beforehand), you would get *one* alert by PG, then PG's Learning Mode would adjust TDS's authorizations and you'll not get that alert when you try it next time.
    However, if "learning termination priv." is not involved and you get the alert every time although the settings are as your screenshot shows them, then there is something weird. Maybe it would then be best to describe in more detail what you were trying to do, on what occasion and how each of the involved programs acquired its privileges. And whether or not (or when) a reboot/relaunch was executed before trying your experiment.

    Cheers,
    Andreas
     
  7. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Sorry, missed Pilli's posting while I was writing mine and catching up reading forum threads.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I like your explanation too, Andreas - more detailed than mine. Thanks. :)
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Tried out RegWatcher for the first time. When I start TDS (no termination privileges) with RegWatcher running (termination protection enabled), TDS tries to terminate RegWatcher but PG blocks it. If I allow TDS to terminate protected apps, when TDS loads it terminates RegWatcher. Same behavior occurs when I start TDS while running Sysinternals' Regmon. Daisey, you should only get that message if TDS has no termination privileges.

    Nick
     

    Last edited: Nov 2, 2004
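    The rule Andreas describes in post 6 and the behaviour Nick observed in post 9 can be written down as a small policy model. The following Python is an added illustration for this thread, not DiamondCS code and not ProcessGuard's actual implementation; the program names are constructed labels and the one detail the thread does not settle (what Learning Mode does for a caller that is not on the list at all) is marked as an assumption in the code.

```python
"""Toy model of ProcessGuard's termination flags as described in this thread.

Constructed for illustration only; not DiamondCS code. Rules modelled:
  * a program on the Protection List is protected from termination by default
  * the "allow terminate" flag on the *caller* overrides the target's protection
  * in Learning Mode a blocked attempt grants the caller the allow flag,
    so the user sees exactly one alert and then no more
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One Protection List line: protected by default, no terminate privilege."""
    protect_from_termination: bool = True
    allow_terminate: bool = False


@dataclass
class ProcessGuardModel:
    protection_list: dict
    learning_mode: bool = False
    alerts: list = field(default_factory=list)

    def terminate(self, source: str, target: str) -> bool:
        """Return True if `source` may terminate `target`; record an alert otherwise."""
        src = self.protection_list.get(source)
        tgt = self.protection_list.get(target)
        # A target that is not listed, or listed with protection switched off,
        # is not guarded at all, so the attempt goes through.
        if tgt is None or not tgt.protect_from_termination:
            return True
        # The allow flag on the caller overrides the target's block.
        if src is not None and src.allow_terminate:
            return True
        self.alerts.append(f"{source} blocked from terminating {target}")
        # Learning Mode learns only *after* a block: grant the flag for next time.
        # Assumption of this model: only a caller already on the list is adjusted;
        # the thread does not say what happens to an unlisted caller.
        if self.learning_mode and src is not None:
            src.allow_terminate = True
        return False


def nick_scenario():
    """Post 9: TDS without privilege is blocked; with the flag it kills RegWatcher."""
    pg = ProcessGuardModel({"TDS-3": Entry(), "RegWatcher": Entry()})
    first = pg.terminate("TDS-3", "RegWatcher")          # blocked, one alert
    pg.protection_list["TDS-3"].allow_terminate = True   # user grants the flag
    second = pg.terminate("TDS-3", "RegWatcher")         # now allowed
    return first, second, len(pg.alerts)


def learning_mode_scenario():
    """Post 6: one alert, after which Learning Mode has adjusted TDS's flags."""
    pg = ProcessGuardModel({"TDS-3": Entry(), "RegWatcher": Entry()},
                           learning_mode=True)
    first = pg.terminate("TDS-3", "RegWatcher")
    second = pg.terminate("TDS-3", "RegWatcher")
    learned = pg.protection_list["TDS-3"].allow_terminate
    return first, second, len(pg.alerts), learned


def unlisted_target_scenario():
    """Anything may terminate a program that is not on the list at all."""
    pg = ProcessGuardModel({"Process Explorer": Entry()})
    return pg.terminate("Process Explorer", "Notepad"), len(pg.alerts)


if __name__ == "__main__":
    print("post 9      :", nick_scenario())            # (False, True, 1)
    print("learning    :", learning_mode_scenario())   # (False, True, 1, True)
    print("unlisted    :", unlisted_target_scenario()) # (True, 0)
```

    The model makes the asymmetry in the thread explicit: protection is a property of the target, privilege is a property of the caller, and the caller's flag wins. It also shows why a single alert in Learning Mode is expected rather than weird, which is the distinction Andreas drew between a one-off block and an alert that repeats with the screenshot's settings already in place.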
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Thanks for that Pilli. I think I remember a similar discussion in a GRC newsgroup a few years ago. I use RegRun, which gets along with TDS.

    Nick
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    I am in the process of evaluating PG 3.0. I looked over the Help section and couldn't quite find what I was looking for. What I would like to see are some basic examples of how to set up the Protect and Authorize Application sections. For example, it would seem reasonable that taskmgr.exe and taskman.exe (for example) should be Authorized to Terminate. Is this true? If so, then I think it should be part of an "Example Section" in the Help guide. How about other standard software that may be running such as ATs and AVs? Should they be Authorized to Terminate?

    When I used to develop software there were always two manuals. One was the Reference Guide which documented facilities and the other was a User Guide which gave real world examples which new users can easily relate to. I hope to see more real world examples in future Help sections of TDS products.

    Also, it seems like some key features are missing from the Free version which makes it impossible to evaluate compatibility on a given system. Will PG 3.0 have temporary licenses, such as the ones KAV supplies, in order to evaluate full versions?

    Thanks again for a wonderful set of products.

    Rich
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Excellent explanation, Andreas. :)

    I thought that I had given TDS termination authority before I got the warning, but I could be wrong. I'll try again and see what happens.

    I'm surprised that PG would give an application terminate authority in Learning Mode just because it tried to terminate an application when in Learning Mode. Maybe there is good reason for this - just seems strange.
     