TrojanHunterGuard (wants it all).

Discussion in 'ProcessGuard' started by spy1, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. spy1 (Registered Member)
     Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    26 Jan 09:08:04 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\csrss.exe [636]
    26 Jan 09:08:04 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\winlogon.exe [660]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\services.exe [704]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\lsass.exe [732]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [916]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [988]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1080]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1112]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\eset\nod32krn.exe [1404]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\agnitum\outpost firewall\outpost.exe [1476]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\processguard\pg_msgprot.exe [1556]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [1768]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\explorer.exe [472]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\eset\nod32kui.exe [1992]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spyblocker software\spyblocker.exe [1944]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spywareguard\sgmain.exe [1684]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\processguard\procguard.exe [1444]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\spywareguard\sgbhp.exe [1888]
    26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\program files\trojanhunter 3.8\trojanhunter.exe [2244]
    26 Jan 09:08:08 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\system32\smss.exe [564]

    (My log is loaded up with this stuff - I didn't c&p all of it so as not to bore you).

    Trialing the latest TH here. The thing about this is, I thought I was going to be able to control this by re-naming THSec.dll to something else, but it's quite apparent that it's not working (log-wise, anyway).

    I really don't know what to do about this, since I don't really feel comfortable giving TH unlimited "Allow" permissions before I'm through trialing it and have made a decision one way or the other. But the other side of that coin - not just with TH, but with programs like Outpost Pro - is: are those programs still working as designed if they are not getting those "Allows"?

    Can I get some input, especially on that last question? Pete
     
  2. Wayne - DiamondCS (Security Expert)
     Joined: Jul 19, 2002 | Posts: 1,533 | Location: Perth, Oz

    In the case of your log sample, the process is just trying to gain WRITE access on all other processes on your system to modify them, so by blocking that you're just preventing whatever modifications would've occurred in those other processes - everything should still run fine though. In the case of that particular program, it is just trying to achieve termination protection by modifying processes on your system so that they can't call termination functions, but Process Guard can do this more efficiently and securely anyway with kernel-level protection, and without modifying any of your other processes either. So if you can, I'd just disable its protection and just use Process Guard to protect it; then you have both programs doing what they do best. You can always give that program Allow privileges, for example TerminateProcess so it can terminate trojans, but writing to other processes has nothing to do with that, just protecting itself from termination, so it's OK to block that.
     
  3. spy1 (Registered Member)
     Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    Yes, but I thought I did do that by re-naming THSec.dll? Pete
     
  4. Wayne - DiamondCS (Security Expert)
     Joined: Jul 19, 2002 | Posts: 1,533 | Location: Perth, Oz

    Renaming a DLL doesn't stop a program making calls to the OpenProcess function in kernel32.dll (or NtOpenProcess/ZwOpenProcess in ntdll.dll), though, which are the blocked requests you're seeing in the main PG window, but it will stop that DLL from being loaded etc.
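    As an added example (not code from the thread, from DiamondCS or from TrojanHunter), here is a small Python triage script for the kind of PG log Pete posted: it parses "[P]" block lines in that exact format and sorts each blocked request into the two kinds Wayne distinguishes, WRITE only (modifying another process, as TH's self-protection does) versus requests that also carry TERMINATE/SET INFO/SUSPEND rights. The log lines are constructed samples in the thread's format; the PROCESS_* constants are the real Win32 values an OpenProcess/NtOpenProcess caller would request, but which PG label stands for which right is this example's assumption.

```python
import re
from collections import Counter
# Constructed sample in the exact format of the PG "[P]" block entries quoted in the thread.
SAMPLE_LOG = r"""
26 Jan 09:08:04 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\csrss.exe [636]
26 Jan 09:08:05 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE access on g:\windows\system32\svchost.exe [916]
26 Jan 09:08:08 - [P] g:\program files\trojanhunter 3.8\thguard.exe [2272] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\system32\smss.exe [564]
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[P\] (?P<src>.+?) \[(?P<src_pid>\d+)\] "
    r"tried to gain (?P<access>[A-Z ,]+?) access on (?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

# Real Win32 PROCESS_* rights that an OpenProcess/NtOpenProcess caller would request;
# which PG label stands for which right is this example's assumption, not PG documentation.
PG_LABEL_TO_RIGHT = {
    "WRITE": 0x0020,      # PROCESS_VM_WRITE: modify the target's memory
    "TERMINATE": 0x0001,  # PROCESS_TERMINATE
    "SET INFO": 0x0200,   # PROCESS_SET_INFORMATION
    "SUSPEND": 0x0800,    # PROCESS_SUSPEND_RESUME
}
CONTROL_LABELS = {"TERMINATE", "SET INFO", "SUSPEND"}  # rights that can kill or stall the target

def parse_pg_log(text):
    """Turn PG block lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["access"] = [a.strip() for a in ev["access"].split(",")]
            events.append(ev)
    return events

def desired_access_mask(labels):
    """Rebuild the dwDesiredAccess mask implied by PG's comma-separated labels."""
    mask = 0
    for label in labels:
        mask |= PG_LABEL_TO_RIGHT.get(label, 0)  # unknown labels add nothing
    return mask

def triage(events):
    """Per source image: hit count per target, and which targets saw WRITE only vs control rights."""
    report = {}
    for ev in events:
        e = report.setdefault(ev["src"], {"attempts": Counter(), "write_only": set(), "control": set()})
        e["attempts"][ev["dst"]] += 1
        e["control" if CONTROL_LABELS & set(ev["access"]) else "write_only"].add(ev["dst"])
    return report
```

    Run over a full PG log, the "control" set is the short list worth a second look; a long "write_only" list against every process on the box is the self-protection pattern Wayne describes.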
     
  5. siliconman01 (Registered Member)
     Joined: Mar 6, 2003 | Posts: 780 | Location: West Virginia (USA)

    Spy1,

    Can understand your concern per using a trial version program.

    I am a user of TrojanHunter along with TDS-3. For ProcessGuard 1.2, I do not rename THSEC.DLL. I allow privileges to TrojanHunter Guard, which is the memory-resident scanner, and privileges for TrojanHunter for the manual scan. Works like a dingaling! No log messages, no errors reported and, as far as I can evaluate, no problems or breakdown in security. Been doing it since the first version of PG.

    Perhaps Wayne and Jason have a different take on this, but this is my personal experience thus far.
     
  6. spy1 (Registered Member)
     Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    Thanks, siliconman01. I might give that a shot! Pete
     
  7. gkweb (Expert Firewall Tester)
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)

    There is no need to activate both protections; moreover, because PG is far better, I don't see the point of enabling the TH protection when the PG full version is installed.
     
  8. ReGen (Registered Member)
     Joined: Jan 7, 2003 | Posts: 61 | Location: Scotland UK

    Pete. Just give TH Guard and TH allowed privileges.
    This is my understanding: TH Guard and TH require these privileges so they can close down malicious programs found running in memory. Guard checks running processes about every 10 seconds, and this is why the log fills up. This has nothing to do with Thsec.dll. Adding the 'allowed' flags lets everything work perfectly. HTH :)
     
  9. gkweb (Expert Firewall Tester)
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)

    Are your trusted protected processes 'malicious'? :)
    Allowances are needed only for accessing your protected processes; without allowances TH will still be able to terminate any malicious executable on your comp.

    Anyway, I don't know TH; I'm just saying that if you can disable its termination protection, do it, and then if you want, give it all the allowances you want. Just don't use TH termination protection AND PG together.
     
  10. ReGen (Registered Member)
     Joined: Jan 7, 2003 | Posts: 61 | Location: Scotland UK

    NO. But TH Guard looks for these privileges, and so PG logs it. Renaming Thsec.dll and using PG for protection works fine, but you will still get log messages in PG unless you give TH Guard the correct 'allows'.
     
  11. spy1 (Registered Member)
     Joined: Dec 29, 2002 | Posts: 3,139 | Location: Clover, SC

    Thanks, ReGen! Pete
     
  12. gkweb (Expert Firewall Tester)
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)

    If you read my last post carefully you will see that it was what I said.
     
  13. siliconman01 (Registered Member)
     Joined: Mar 6, 2003 | Posts: 780 | Location: West Virginia (USA)

    Just for clarification, THSEC.dll only protects THGuard from termination. It does not protect other processes in memory.
     
  14. Jason_DiamondCS (Former DCS Moderator)
     Joined: Nov 11, 2002 | Posts: 1,046 | Location: Perth, Western Australia

    If there is no way to disable TrojanHunter from trying to protect itself, you might want to ask the author (Magnus) to add that as an option.

    -Jason-
     
  15. Gavin - DiamondCS (Former DCS Moderator)
     Joined: Feb 10, 2002 | Posts: 2,080 | Location: Perth, Western Australia

    Yes, you should ALLOW TH to access your processes. If (not going to happen) BEAST was injected into Winlogon.exe, then it would need access to inject in there itself to remove it. This is fine, since you won't find that TH attacks anything in your PG list :)

    Most likely the access it is trying to get actually MEANS nothing; it just LOOKS like it wants terminate access. Leaving it as is and letting it generate all those logs would be fine; it just means its use would be a little limited - if in fact you had a DLL that it wanted to unload. With PG stopping that though, you shouldn't have to worry.

    In short, add ALLOW access for them just so they shh and don't fill up your PG with logging ;)
     