updated program with 'allow global hooks' ...

Discussion in 'ProcessGuard' started by tuatara, Aug 20, 2004.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member
    Joined: Apr 7, 2004
    Posts: 772
    In the list Program Protection I used a program that I have given
    the option 'allow global hooks' because the security program will not start
    without this option set. (And of course I trust this p.)

    Now, the program has been updated and did not start anymore.
    The workaround was easy: I added it AGAIN to the Program Protection list
    and set the mentioned option 'on' again.

    Now this program can be found TWICE in the list: the old version,
    that is not there anymore, and the new one that works.

    The strange thing is that I did NOT get a warning that the program has changed!

    I would expect that, because the program has the same name and directory, PG would notice the change.

    Is this normal behaviour, or am I missing something here?
    I am curious to know that.
     
  2. Pilli

    Pilli Registered Member
    Joined: Feb 13, 2002
    Posts: 6,217
    Location: Hampshire UK
    Hi tuatara, yes, strange, as usually the checksum list would flag a changed .exe even if the application was on the protection list.
    Now, what I am going to suggest may appear basic, but can you please check that the name of the exe is exactly the same? Normally, if you try to add the same .exe, Process Guard will tell you that it is already protected. Try it on one of your other apps and see.
    If not, then it may be that some corruption has occurred in your protection list and you may need to delete pguard.dat and rebuild your list.

    HTH Pilli
     
    Last edited: Aug 20, 2004
  3. Andreas1

    Andreas1 Security Expert
    Joined: Jan 29, 2003
    Posts: 367
    Location: Mainz (Ger)
    Hi tuatara,

    I agree with Pilli here:
    I don't actually know this for sure, but I think the settings of the items in the protection list are stored in a file pguard.dat, where the settings are associated with the process by means of the path and name of the executable only, whereas the detection of changed programs, and other information about the checksum protection of the programs, is kept in pghash.dat. If that is true, then there's no way the protection list can keep apart two entries identified by one and the same executable.
    That means, if you're 100% certain, then you probably have a corrupted pguard.dat file and there's no way of making sure that this will not have other, more detrimental, effects on PG's operation, and thus on your system as a whole. You probably would have to delete the file (in safe mode) and build it anew (maybe using the default "wizard" by setting the BeenRun registry key to "0").
    OTOH, the checksumming protection should have warned you that the program PG knows as X:\bla\blub\something.exe has changed. When you acknowledge that, then the settings of something.exe should apply to the new version as well; when you don't, something.exe won't be allowed to run at all, before even attempting to install any hook...

    Keep us updated.
    Andreas
     
  4. tuatara

    tuatara Registered Member
    Joined: Apr 7, 2004
    Posts: 772
    Yes, you (both) were correct, the file was (again) corrupted.
    When I wanted to check if the files were exactly the same (thanks Pilli),
    the first thing I did was sorting the list; then I had some strange behaviour,
    the sort didn't work at all.
    I back up the 2 files daily, so I restored the old situation...
    and the problem is solved now.
    This was the 3rd time the file was corrupted.
    But I know it is a known problem, and a 'restore' was/is on the wish-list (added by me :>)

    The problem is that the previous times the corruption occurred, the .dat file(s) appeared to be empty. (List also)
    So I overlooked it now. Do you know if there is a way to test if the .dat files are still OK?
    Because... creating daily backups of corrupted files is not my hobby.

    BTW: Thanks for your quick response Pilli/Andreas1
     
  5. Andreas1

    Andreas1 Security Expert
    Joined: Jan 29, 2003
    Posts: 367
    Location: Mainz (Ger)
    Hi again,

    I can understand that. But I'm afraid I don't know of any way to make sure of that quickly. I'll try to find out if there's anything in the works about it.

    Glad that the current issue has been solved anyway,

    CU,
    Andreas
     