Which Programs should be allowed to terminate others?

Discussion in 'ProcessGuard' started by Knowbodynow, Sep 16, 2005.

Thread Status:
Not open for further replies.
  1. Knowbodynow

    Knowbodynow Guest

    Earlier this week I experienced a "melt-down" with applications being terminated including ProcessGuard which didn't prevent the occurrence. I reformatted the hard-drive and used TrueImage to restore an earlier system backup. I'm now reviewing my settings for ProcessGuard. Originally I didn't use learning mode but just OKed or denied requests as I went along. I'd like to know if my current set-up is secure. I suspect not. Currently the following programs are protected from Termination and Modification and have rights to Terminate, Modify and Read:

    ad-aware.exe
    csrss.exe (also access physical memory)
    setup.exe
    spybotsd.exe
    taskmgr.exe
    winlogon.exe

    Is this list safe? Should anything else be on this list? For example, BoClean, Counterspy, AVG and ProcessGuard itself?

    Thanks,

    Chris (Hunt)
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Chris,

    First, what is "setup.exe"? If it is an installer of some kind, it is not necessary to put it in the Protection list. Second, you should include c:\windows\system32\smss.exe in your Protection list with permission to install drivers/services, access physical memory, and terminate other protected apps. I believe those permissions for smss.exe are granted automatically in Learning Mode. You will likely have system stability problems if you don't.

    Nick
     
  3. knowbodynow

    knowbodynow Guest

    Thanks Nick, I've no idea what setup.exe was. I checked the location, which was in the Windows temp folder. It doesn't exist. I've removed the reference from the protected list. Regarding c:\windows\system32\smss.exe, it is protected but currently it doesn't have the permission to terminate protected applications; it can access physical memory and install drivers/services. Should I give it the power to terminate?

    Chris
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Smss.exe does not have the ability to terminate on my system (install drivers, physical memory, read and modify permissions are set). Csrss.exe is the Windows component that tends to terminate rogue processes and which therefore needs termination permission more. You will get an alert if Smss.exe tries to terminate something that it does not have permissions for anyway, so the best advice is to try it and see.

    Note that anything given Install Driver or Physical Memory access could bypass PG's protection (and with Physical Memory access, could disable PG itself) so I'd suggest being especially careful about assigning these permissions to third party software.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Yes. Based on my experience, that is the way Learning Mode configures it, along with crss.exe and winlogon.exe. Those are the only protected processes on my systems that are allowed to terminate others.

    Nick
     
  6. knowbodynow

    knowbodynow Guest

    Thanks Nick,

    I've changed the setting of crss.exe as you suggested. You don't allow your anti-virus, anti-trojan software or ProcessGuard to terminate protected applications?

    Chris
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    You're welcome, Chris. I prefer not to give any security app blanket permission to terminate other security apps. Every time you give an app blanket terminate permissions, you increase the risk of one app taking everything down. Give permissions only as required (dictated generally by PG alerts or looking at PG's logs).

    Nick
     
    Last edited: Sep 17, 2005
  8. knowbodynow

    knowbodynow Guest

    Looking more carefully I just noticed the process ProcessGuard is protecting on my system is called csrss.exe and NOT crss.exe. Are these processes different? Now I'm confused as to what I should be protecting and what rights it should have.

    Chris
     
  9. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    I think nick s just made a typo; csrss is the right one.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It's a typo. Sorry for the confusion.

    Nick
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    In learning mode, PG granted physical memory access to:

    alg.exe
    csrss.exe
    iexplore.exe
    lsass.exe
    ntvdm.exe
    smss.exe
    svchost.exe

    Can install global hooks:
    explorer.exe
    iexplore.exe
    msimn.exe
    procguard.exe

    Can install drivers:

    services.exe
    smss.exe

    Are these ok?

    I hesitate to change anything. I have 38 processes protected from termination and modification. Every time I think PG has sufficiently learned and I put it on full mode, I have a mess. While I am trying to examine a PG alert, the application in question will try to run and may be damaged because not all parts of it were allowed fast enough by me. I had to resort to System Restore yesterday after PG tried to block nVidia desktop management from opening my profile. I haven't opened that in months. I wanted to open it to see what theme it was because I couldn't recall. I had a major mess caused by PG trying to stop the process. I ended up with a blank desktop and no ability to open any theme. Every time I put PG in full mode, thinking it has learned enough, I have a disaster.

    It makes no sense to me to run every application you have right after you get PG. That would take forever. Plus, you still would not have covered everything. Like nVidia desktop manager that is already allowed but not the little act of opening "my profile" or the hundreds of other little things I can do in desktop manager. There is no way you could possibly run everything right after getting PG. The only plausible way is to leave PG in learning mode for a week or two while you use your computer normally. That still will leave a lot that PG has not encountered. I really am doubting that PG will ever be useful rather than a major headache.

    The free version is not a problem. It is the full version that causes the headaches.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are 2 approaches to configuring Process Guard:
    • The DCS-recommended way - run every application in Learning Mode so that PG can pick up what permissions are needed. Upside: Simple, though tedious to accomplish. Downside: Applications may be given more privileges than prudent, including any malware. Some applications may only attempt PG-restricted actions when certain functions are used - meaning that every function of every application would need to be checked.
    • The masochist's way - Ignore Learning Mode and reset PG to Default settings. If a program fails or behaves strangely, check the PG logs and adjust settings if needed. Upside: Great learning experience, less upfront configuration needed, more control. Downside: Some programs may show bizarre behaviour that does not immediately suggest a PG issue. The first Windows restart will likely require a lot of adjustment followed by another restart to get all startup programs working properly.
    While I have encountered some oddities that have required a program to be rerun after adjusting PG's settings, I have never had to restore from a backup. I did try Nvidia's Desktop Manager myself - it did hang when loading a profile but using Task Manager to terminate rundll32.exe (which was using all available CPU) worked OK. It does suggest a deeper conflict between Nvidia's driver and PG though since allowing the permissions requested (CBT and mouse hooks) did not help.

    As for configuration specifics, I would simply suggest not giving Internet Explorer any permissions - least of all Physical Memory Access since that would allow it to disable PG. Since IE seems to be the whipping boy of the majority of malware out there, it seems prudent to treat it like a binary leper. Alg.exe and svchost.exe likely don't need this permission either but experimentation is your best guide here - you can always change settings back.

    For driver installation and services.exe, please review the sticky thread Notice for PG users who use the Block Rootkit\Driver Install feature.
     
  13. knowbodynow

    knowbodynow Guest

    I'd be grateful if someone could comment on the following - I'd like to give as few permissions as practical. Alg.exe and svchost.exe can possibly be denied accessing physical memory. Any other cutbacks I can make?

    Thanks,

    Chris
    ----------------------------------

    INSTALL DRIVERS AND ACCESS PHYSICAL MEMORY:

    smss.exe


    ACCESS PHYSICAL MEMORY:

    csrss.exe
    svchost.exe
    lsass.exe
    ntvdm.exe
    alg.exe

    INSTALL DRIVERS:

    e_s00rn2.exe
    services.exe
    surmix2.exe
    rootkitrevealer.exe
    coreldrw.exe
    e_s00mt2.exe
    ikernel.exe
    pxhpinst.exe
    rundll32.exe
    update.exe
    wuauclt.exe

    ----------------------------------
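    The posts above boil down to a small audit rule: Install Driver, Physical Memory and blanket Terminate rights belong only to a handful of core Windows processes, and a browser should hold none. As an added example (not code from the thread or from DiamondCS), the script below parses a permission list in the heading-plus-names shape Chris posted and flags grants outside those core sets; the core sets and the sample list are assumptions built from the posts, not PG documentation.

```python
# Added example (not from the thread or DiamondCS): parse a ProcessGuard-style
# permission list in the heading-plus-names shape posted above and flag grants
# outside the core Windows processes the posts report Learning Mode choosing.
RIGHT_KEYWORDS = {"DRIVER": "driver", "PHYSICAL MEMORY": "physmem",
                  "TERMINATE": "terminate", "GLOBAL HOOK": "hooks"}
# Assumed core sets and the thread's reason for caution; not PG documentation.
CORE = {
    "physmem": ({"smss.exe", "csrss.exe", "lsass.exe", "ntvdm.exe", "svchost.exe",
                 "alg.exe"}, "physical memory access can disable PG itself"),
    "driver": ({"smss.exe", "services.exe"}, "driver install can bypass PG"),
    "terminate": ({"smss.exe", "csrss.exe", "winlogon.exe"},
                  "blanket terminate right; grant per PG alert instead"),
}

def parse(text):
    """Return {exe: set(rights)}; a heading ending in ':' sets rights for the names below it."""
    rights, grants = set(), {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):
            rights = {r for k, r in RIGHT_KEYWORDS.items() if k in line.upper()}
        else:
            grants.setdefault(line.lower(), set()).update(rights)
    return grants

def audit(grants):
    """Return sorted (exe, reason) pairs for grants worth a second look (hooks are recorded, not judged)."""
    findings = []
    for exe, rights in sorted(grants.items()):
        for r in sorted(rights):
            if r in CORE and exe not in CORE[r][0]:
                findings.append((exe, CORE[r][1]))
        if exe == "iexplore.exe" and rights:
            findings.append((exe, "browser holds PG rights; advice above is none"))
    return findings

# Constructed sample in the same shape as the list posted above.
SAMPLE = """INSTALL DRIVERS AND ACCESS PHYSICAL MEMORY:
smss.exe
ACCESS PHYSICAL MEMORY:
csrss.exe
iexplore.exe
INSTALL DRIVERS:
rundll32.exe
TERMINATE:
ad-aware.exe
"""
```

Running `audit(parse(SAMPLE))` reports ad-aware.exe, iexplore.exe (twice) and rundll32.exe, while the core processes pass without comment.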
     
  14. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Hope that clarifies things...
     
  16. EGD

    EGD Guest

    Have been trawling posts looking for confirmation that this or that process should be given or denied whatever powers, simply because I don't know anything about what they are (apart from looking up the tech explanations, which mean nothing to a brain without the database to bounce the info off). Is there a thread I have not yet found that gives a 'norm' value for noobies who believe those pesky viruses are still invading the lawn?

    So far when someone who sounds knowledgeable says deny or allow whatever, I am leaping on it with some surprising agility.....what a field day anyone without integrity, happening upon this forum, could have....given that there are others out there as lawn conscious as I am and still getting around with a torch ;)

    Perhaps I am alone in my ignorance though.

    :eek:)
     
  17. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I saw a new post in this thread, started reading and saw I posted in it back in September. Fascinating, as PG full version was new to me then and I said I had 34 protected processes after using learning mode for more than two days. Three months later, I now have about 155 protected processes. Most are just protected from termination and modification and are authorized to modify and read. Is this normal after having PG for a while?

    I have 6 that can also terminate, 13 that can install Global Hooks, 7 that can access physical memory, 10 that can install drivers.
     