Tips, Tricks & FAQ's

Discussion in 'ProcessGuard' started by Pilli, Jan 25, 2004.

  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Task Manager protection:

Hi All. A good programme to add to the list is Task Manager, as I guess that certain Trojans might use it to close other programmes.

Taskmgr.exe is usually found in the \windows\system32 folder.

Add it to the Process Guard list.
Select the drop-down options: enable "Close Message Handling" & "Allow Global Hooks".
Keep the standard blocking flags as default.
No normal Allow flags enabled.

    This way no one can close Task Manager without using the Human Interface Device and Task Manager cannot close any listed programme but can close any other programme.

If you need to close a listed programme you can enable the "Termination" Allow flag, then disallow it after you have used it.
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
I put the Allow Terminate flag on it permanently, because a protected program can be buggy and can hang; I need to be able to terminate them.

I don't know any way to use the Task Manager from another program to terminate another one; it seems not to have any command line, so no need to worry.
Moreover, if it is protected by PG, I don't see any way to hijack it.
Maybe DCS can confirm that.

More useful, maybe, is to remove any allowances from explorer.exe; my system works well like that and never logs anything in normal usage.
I remember explorer.exe trying an endtask one time, but that just happened once.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
Here are a few tips if you are having problems:

    1) Try renaming PG_MSGPROT.exe to PG_MSGPROT1.exe and rebooting.
    2) Disable CLOSE MESSAGE HANDLING for any application you enabled it on.
    3) Read the helpfile, especially STEP by STEP guides to uninstalling.
    4) Disable Protection in Process Guard before uninstalling.
    5) Terminate PG_MSGPROT.exe in Task Manager before running the uninstall utility.
    6) Run the uninstall utility before installing a new version.
    7) Ensure that PGUARD.dat does not exist in your SYSTEM32 folder (usually c:\windows\system32\) before installing a new version. The installer will delete this file if it can, but if existing Process Guard protection is active it will stop this file from being deleted.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Re: Tips, Tricks & FAQ's - CD / DVD Device errors

    Device Errors from CD / DVD

Sometimes you may experience device errors when running CD or DVD programmes, such as those that use an .exe such as Start or Setup.

    To work around this try the following:
With the CD or DVD in the drive, open it to view the file system rather than allowing autorun, then using PG's "Add file to protect" navigate to the .exe file on your CD/DVD drive, find the file such as D:\start.exe and add it into the PG list. Once in the list you can then give it the necessary allows.

Note: Playing music CDs or DVD video does not usually require any action within PG.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Close Message Handling: (CMH) As there are known issues with CMH for some configurations, I thought it might be nice to describe one of the tools that can let one "see" what is happening :)

For those that use Close Message Handling and would like to check that the CMH-enabled programme is protected without using the programme's Exit key or DCS's Advanced Process Termination's Kill 7, there are a number of other tools available.

One such tool, which is easy to use, is Faber Toys, available from: http://www.faberbox.com/fabertoys.asp

You will need to add faber toys.exe to the protection list and allow Getinfo & Read (this stops a lot of logging in Process Guard).

When Faber Toys is running you can click on the running process's file in the top window, and the bottom window will then show the modules loaded.
If procguard.dll is loaded then Close Message Handling will normally be working.
If it is not, and you have Close Message Handling enabled on a particular program, then restart it until procguard.dll is showing; you may need to use Faber Toys' refresh to renew the loaded modules list.

    Pilli
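The same check can be made without a third-party tool. The PowerShell function below is an added example, not part of this thread or of ProcessGuard; it lists which running processes have the protection DLL loaded. The module name procguard.dll is taken from the post above; the function name and its parameters are my own. Because Windows only lets a process read the module list of another process it has rights to, run this from an elevated prompt and from a PowerShell of the same bitness as the processes you want to inspect.

```powershell
# Added example (not from the thread): report, for each running process,
# whether the ProcessGuard DLL is among its loaded modules.
# Assumption: the DLL is named procguard.dll, as stated in the post above.
function Get-ProcGuardModuleStatus {
    param(
        [string]$ModuleName = 'procguard.dll',   # assumed name, from the post
        [string[]]$ProcessName                   # optional filter, e.g. 'taskmgr','explorer'
    )

    $procs = if ($ProcessName) {
        Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    } else {
        Get-Process
    }

    foreach ($p in $procs) {
        try {
            # Reading .Modules throws for processes we lack rights to,
            # or whose bitness differs from this PowerShell host.
            $mods   = @($p.Modules | ForEach-Object { $_.ModuleName })
            $loaded = $mods -contains $ModuleName   # -contains is case-insensitive
            $note   = $null
        } catch {
            $loaded = $null                         # unknown: could not read module list
            $note   = $_.Exception.Message
        }

        [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            Loaded = $loaded    # $true / $false, or $null when the list could not be read
            Note   = $note
        }
    }
}

# Usage: check the programs you enabled Close Message Handling on, then
# re-run after restarting any that show Loaded = False.
Get-ProcGuardModuleStatus -ProcessName taskmgr, explorer | Format-Table -AutoSize
```

A row with Loaded = $null is not a verdict either way; it means the module list could not be read (typically a rights or 32/64-bit mismatch), so re-run elevated or from the matching bitness before concluding that the DLL is absent.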
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Process Guard data back up.

    This is useful if you get a corrupted Process list or checksum list:

Disable Process Guard and terminate dcsuserprot.exe using Task Manager.
Go to the \windows\system32 folder, find pguard.dat & pghash.dat, highlight them both, right click and "Send to" compressed (zipped) folder.
This will create a zipped archive called pguard.zip which you can use as a backup. This file can be stored wherever you keep your normal backups and restored should the need arise.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tips, Tricks & FAQ's - XP RC1

Have now loaded XP SP2 RC1 and initially had a problem with Internet Explorer & Windows Explorer not accepting manually entered addresses.
To resolve this problem the following procedure worked for myself and another user.
Remove Internet Explorer & Windows Explorer from the process protection list & the checksum list. Disable learning mode and reboot.
When Windows restarts, Secure Desktop shows a whole new bunch of programmes to view, and as they were all part of the new build I allowed them. After that I re-added IE and Windows Explorer to the list with the four blocks and the global hooks option allowed, and then fired them up. Secure Desktop needed the required allows.
After this both programmes appear to behave properly; rebooting several times to ensure that all the new services are captured in the checksum list has shown no recurrence of the original problem.

    I have a feeling that this may be something to do with the debug code that is in all the XP beta versions.
     
  10. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: Tips, Tricks & FAQ's - XP RC1

    Hi all,
    I've put some detailed discussions (along with historical and technical background) onto my webpage. At http://www.commontology.de/andreas/win_secure.html you will find a page about securing windows that is to be worked on, but the parts about PG are ready. On the page you can click your way to a discussion of the old (v2.000) or to a discussion of the current (3.000 beta) version. (Be prepared for a lot to read :eek: )

    HTH,
    Andreas

    Also, feel free to quote it or to refer/link to it, of course.
    If you have any suggestions, mail me at A<dot>wagner<at>stud<dot>uni-frankfurt<dot>de.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tips, Tricks & FAQ's ProcessGuard V3

ProcessGuard Version 3 - Secure Message Handling:
    Taken from the help file:

    Custom Message Verification

Usually ProcessGuard will only ask for human verification when you click on the X button of one of your programs. However, if you tried to exit an application by going to the File menu and clicking on Exit, or by clicking on a custom button which exits the application, you may find ProcessGuard didn't request your verification before closing down. Or you may find that even if you cancel the verifications that ProcessGuard does display, the application still closes down.

You can fix this issue by holding down the INSERT key on your keyboard whilst you click your mouse on a menu item or button. Now the next time you click on that button or on that menu item, ProcessGuard will request your verification. By holding down the INSERT key you are allowing ProcessGuard to learn that there are other ways that this application can use Windows messages to close itself. ProcessGuard will then protect the application from any malicious application which may use these custom messages.

You can theoretically allow ProcessGuard to learn any menu item or button you want; it doesn't necessarily need to be a button or menu item which closes the application. There could be a menu item which disables your firewall's protection, for instance; by holding down INSERT and clicking on it, you are making sure that only you can disable your firewall, not a malicious program.

    If you want to remove any custom messages you made ProcessGuard learn, simply remove Secure Message Handling from the application. This clears ProcessGuard's knowledge of the custom messages for the application. You can then enable it again immediately if you want the feature back on, but the custom messages you defined will be gone for that application.

    This custom message verification is enabled for any application which has Secure Message Handling enabled for it, all you need to do is hold down the INSERT key and click on a button or menu item to activate this feature.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tips, Tricks & FAQ's - SMH PG Icon

When right clicking the ProcessGuard icon and using the normal Exit, the PG GUI is closed. This is fine as protection is still running, but protection can be inadvertently disabled.
By using the tip below you can force an HID for protection of the Disable / Enable menu item.
Here is how: once you have right clicked the PG icon, hold the Insert key down, now click the Disable Protection menu item, close the GUI and restart. The next time you go to disable PG from the PG icon you will get an HID, whilst still being able to Exit the GUI without getting an HID.
    With this new feature you could, of course, also teach PG to do the same for the exit key. :cool:
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tips, Tricks & FAQ's Secure Message Handling

    Secure Message Handling

    This was posted by Andreas1 in another thread and is a very worthy addition to this thread.

    Thank you Andreas:

    .... I might perhaps add some general details here.

    When an application closes, it has to perform all kinds of tasks (saving changes, clearing variables and buffers, destroying windows etc.). Normally you have one event that, when happening, triggers the whole chain of these other procedures. Or, let's admit, a few of these events that could be in that position. And, of course these events are what PG's SMH is after - whenever one of them occurs, you get the confirmation prompt. (And since in such an application shutdown procedure, several of the events may happen, you sometimes get several prompts.)

    The main problem arises when you have applications that do their cleaning up in a not-so-orderly way. Maybe the initial event is not one that PG normally catches. In that case, the app-shutdown sequence would start, and maybe at a later point one (or more) of the events that PG recognizes by default happens. Then you get a confirmation prompt (or several), but then it's too late - the shutdown sequence is in full swing already. (And even when you cancel one of the events, then either another, non-cancelled aspect of the shutdown procedure takes care of what you've just meant to block, or you have effectively blocked something, but will end up with the application gone, only some uncleared buffer still hanging around or so.)

    That's why it (sometimes) helps to teach PG with the INS key. In order for SMH to work properly, it has to catch the very first of the shutdown events. And in most cases, you can tell it that a certain event should count as one of them.

    BTW, in what way did you shut down MJRW? Normally, PG catches the "x" window icon quite well, but actions you perform on an app's systray icon often have to be taught to it with the INS trick.
     
  14. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Re: Tips, Tricks & FAQ's

    Is there a way to transfer the LEARNING acquired by PG 3.100 to 3.150?
     
  15. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
  16. User77362

    User77362 Guest

    Limited Account

    I use the share version, and PG does not load in the system tray at bootup. Is it possible to have PG load at startup when using a limited account?
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Tips, Tricks & FAQ's

Because of its nature ProcessGuard has to be installed as an admin; other users still get alerts. Giving limited user accounts full access would undermine PG's usefulness as a security program.

    HTH Pilli
     
  18. tlu

    tlu Guest

    Re: Limited Account

    Yes, by using RUNASSPC from http://www.robotronic.de/runasspcEn.html and creating a shortcut in your autostart folder. However, you will get an error message (just like starting the PG GUI via runas.exe). Don't worry - just click "OK" and you're done.
     
    Last edited by a moderator: Oct 17, 2005
  19. pasito

    pasito Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    22
    Re: Tips, Tricks & FAQ's ProcessGuard V3

Can you please re-explain what this does? I'm confused.
     
  20. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  21. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: Tips, Tricks & FAQ's

    The Close Message Handling feature extension is really only for advanced users, but could be pretty useful. I'll try to think of a really good use and demo this, if anyone can do so please do :)

Perhaps you have a window which auto-minimises and you DON'T want it to; there may be a control being pressed (same as if you minimised it) and you can then control this window's messages (minimise, close, etc.). It may or may not work depending on what the program does and what window messages are available and get used. Basically any program which sends window messages around its windows to do things can be controlled somewhat.

    Any suggestions ? :)
     
  22. Marine06

    Marine06 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    17
    Re: Tips, Tricks & FAQ's

    Just an idea -

For the demo, could you possibly create two separate programs? One can just have a GUI with several different windows/tabs. The other program (let's call it Modifier) can send controls to the first program to minimize, close or exit windows.

The first demonstration can show how Modifier can alter the functions of the first program without Secure Message Handling enabled. The second demonstration can show how ProcessGuard interferes with Modifier's functionality to protect the first program.