26 Jan 09:08:04 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\csrss.exe [636]
26 Jan 09:08:04 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\winlogon.exe [660]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\services.exe [704]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\lsass.exe [732]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [916]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [988]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1080]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1112]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\eset\nod32krn.exe [1404]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\agnitum\outpost firewall\outpost.exe [1476]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\processguard\pg_msgprot.exe [1556]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1768]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\explorer.exe [472]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\eset\nod32kui.exe [1992]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spyblocker software\spyblocker.exe [1944]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spywareguard\sgmain.exe [1684]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\processguard\procguard.exe [1444]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spywareguard\sgbhp.exe [1888]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\trojanhunter 3.8\trojanhunter.exe [2244]
26 Jan 09:08:08 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\system32\smss.exe [564]
(My log is loaded up with this stuff - I didn't c&p all of it so as not to bore you). Trialing the latest TH here. The thing about this is, I thought I was going to be able to control this by re-naming THSec.dll to something else, but it's quite apparent that it's not working (log-wise, anyway). I really don't know what to do about this, since I don't really feel comfortable giving TH unlimited "Allow" permissions before I'm through trialing it and have made a decision one way or the other - but the other side of that coin - not just with TH, but with programs like OutPost Pro is - are those programs still working as designed if they are not getting those "Allows"? Can I get some input, especially on that last question? Pete
In the case of your log sample, the process is just trying to gain WRITE access on all other processes on your system to modify them, so by blocking that you're just preventing whatever modifications would've occurred in those other processes - everything should still run fine though (and in the case of that particular program it is just trying to achieve termination protection by modifying processes on your system so that they can't call termination functions), but Process Guard can do this more efficiently and securely anyway with kernel-level protection, and without modifying any of your other processes either, so if you can I'd just disable its protection and just use Process Guard to protect it, then you have both programs doing what they do best. You can always give that program Allow privileges, for example TerminateProcess so it can terminate trojans, but writing to other processes has nothing to do with that, just protecting itself from termination so it's ok to block that.
Renaming a DLL doesn't stop a program making calls to the OpenProcess function in kernel32.dll (or NtOpenProcess/ZwOpenProcess in ntdll.dll) though, which are the blocked requests you're seeing in the main PG window, but it will stop that DLL from being loaded etc.
Spy1, Can understand your concern per using a trial version program. I am a user of TrojanHunter along with TDS-3. For ProcessGuard 1.2, I do not rename THSEC.DLL. I allow privileges to TrojanHunter Guard which is the memory resident scanner and privileges for TrojanHunter for the manual scan. Works like a dingaling! No log messages, no errors reported and as far as I can evaluate no problems or breakdown in security. Been doing it since the first version of PG. Perhaps Wayne and Jason have a different take on this, but this is my personal experience thus far.
There is no need to activate both protections; moreover, because PG is far better, I don't see the point of enabling the TH protection when PG full version is installed.
Pete. Just give TH Guard and TH allowed privileges. This is my understanding: TH Guard and TH require these privileges so they can close down malicious programs found running in memory. Guard checks running processes about every 10 seconds and this is why the log fills up. This has nothing to do with Thsec.dll. Adding the ‘allowed’ flags lets everything work perfectly. HTH
Are your trusted protected processes 'malicious'? Allowances are needed only for accessing your protected processes; without allowances TH will still be able to terminate any malicious executable on your comp. Anyway, I don't know TH, I just say that if you can disable its Termination protection, do it, and then if you want give it all the allowances you want, just don't use TH terminate protection AND PG together.
NO. But TH Guard looks for these privileges and so PG logs it. Renaming Thsec.dll and using PG for protection works fine, but you will still get log messages in PG unless you give TH Guard the correct 'allows'.
Just for clarification, THSEC.dll only protects THGuard from termination. It does not protect other processes in memory.
If there is no way to disable TrojanHunter from trying to protect itself, you might want to ask the author (Magnus) to add that as an option. -Jason-
Yes you should ALLOW TH to access your processes. If (not going to happen) BEAST was injected into Winlogon.exe then it would need access to inject in there itself, to remove it. This is fine, since you won't find that TH attacks anything in your PG list. Most likely the access it is trying to get actually MEANS nothing, it just LOOKS like it wants terminate access. Leaving it as is and letting it generate all those logs would be fine, it just means its use would be a little limited - if in fact you had a DLL that it wanted to unload. With PG stopping that though, you shouldn't have to worry. In short, add ALLOW access for them just so they shh and don't fill up your PG with logging.
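Added example, not part of the thread and not code from either product: a short Python script that parses Process Guard log entries in the format pasted in the first post and groups, per requesting process, which access rights were requested against which targets. This is the information needed when deciding which "Allow" flags to grant. The regular expression is inferred only from the entries pasted above and is an assumption about the log format; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the log pasted in the first post. Entries run together and wrap
# mid-entry, as they do in the thread, so the parser must not rely on newlines.
SAMPLE = r"""26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\lsass.exe [732] 26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on
g:\windows\system32\svchost.exe [916]
26 Jan 09:08:08 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\system32\smss.exe [564]"""

# Assumed entry layout: "<day> <Mon> <hh:mm:ss> - [P] <source> [pid] tried to
# gain <RIGHT[,RIGHT...]> access on <target> [pid]"
ENTRY = re.compile(
    r"(?P<ts>\d{1,2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2}) - \[P\] "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain "
    r"(?P<rights>[A-Z ,]+?) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]"
)

def parse(text):
    """Return one dict per blocked request, tolerating wrapped or joined lines."""
    flat = " ".join(text.split())          # collapse newlines and repeated spaces
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        e["rights"] = [r.strip() for r in e["rights"].split(",")]
        e["src_pid"], e["dst_pid"] = int(e["src_pid"]), int(e["dst_pid"])
        entries.append(e)
    return entries

def summarize(entries):
    """Map source process -> access right -> sorted list of (target, pid)."""
    table = defaultdict(lambda: defaultdict(set))
    for e in entries:
        for right in e["rights"]:
            table[e["src"]][right].add((e["dst"], e["dst_pid"]))
    return {src: {right: sorted(targets) for right, targets in rights.items()}
            for src, rights in table.items()}

if __name__ == "__main__":
    for src, rights in summarize(parse(SAMPLE)).items():
        print(src)
        for right, targets in sorted(rights.items()):
            print(f"  {right}: {len(targets)} target(s)")
            for path, pid in targets:
                print(f"    {path} [{pid}]")
```
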