Who really needs to modify protected programs?

Discussion in 'ProcessGuard' started by earth1, Nov 21, 2004.

Thread Status:
Not open for further replies.
  1. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Just a general question. When a program is put under PG's Protection, I'm curious why it is given, by default, permission to modify other protected applications. The recent question about EndItAll made me aware of how much damage program modification can cause. Almost anything can be killed.

    I know that some programs do modify others, but I can't imagine it's a common need. From indications other folks have given, I'm guessing that the typical PG user has 40-80 programs protected. I wonder how many of them really need to modify other programs. I'm hoping to get general (or specific) guidelines about when it's really needed. Should it be authorized by default?

    Thanks
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Earth1, when programs are on the protected list they are very secure, therefore allowing them to be able to modify other protected programs is very safe. It has been found that allowing modify and read is necessary for most if not all protection list items.
    You can, of course, try disabling any of the program's specific blocks & allows and watch the behaviour of your system to see what effects your actions make, but some of these effects may be very subtle and could cause system instability.
    Another thing to watch when trying different settings is that what may be fine on your particular machine could cause problems on another.

    Running ProcessGuard has given many users insights as to what is happening within a particular machine and is quite an eye opener to most, so in this respect we are ALL on a learning curve regarding these system and program interactions.

    HTH Pilli
     
  3. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I've eliminated modify rights on most of my everyday applications without any ill effects. In fact I haven't even gotten a single popup complaint about denying modification attempts when using them.

    I did leave modify checked on all core windows apps and components (except IE and OE) that got listed during learning. Also if it's a security related app like antivirus or antispyware or firewall etc., I give it all the rights it asked for in learning mode plus termination rights on the antispy and antivirus apps. I don't know how safe that is or if it's even necessary, but the last thing I want to do is prevent my antivirus or antispyware apps from working on or terminating infections in memory if they ever need to.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yep, you can do it but your mileage may vary :)


    Usually not necessary, I don't think any AV AT or AS uses Termination doing its normal cleaning, and what if your AV AT were compromised, would you really want them to be able to kill other protection list programs?

    Agreed, programmes like TDS3 and AdWatch do have additions to kill processes but I would rather give them terminate process ability only on demand and with my permission.

    Cheers. Pilli :cool:
     
  5. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Thanks, Pilli, for your ideas and continued questioning. Has anyone seen an example of a typical (non-security) user application that triggered an alert because it wanted to modify a protected application? I'd really like to know if this seems legitimate to others.

    Thanks rickontheweb, your policy seems well reasoned. I will soon try something and let you know what seems to work for me.
     
  6. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Thanks rick, earth, Pilli. I too have removed "modify" rights from most of the apps on my protection list except my AV/AT apps and things like Task Manager and Sysinternals Proc Explorer.

    This is an interesting thread and I will stay tuned for the results of any tests you do earth1. :)
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Just queuing :)
     
  8. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    My testing is very preliminary at this point, but I have had an odd event. I removed "Modify app" from all my regular applications, my firewall and Proxomitron. Then, I rebooted, started a few apps, and browsed for about an hour without problem. Suddenly, on a link like many others I'd already clicked, I got an error from Proxomitron followed quickly by a Kerio error about Proxo. At this point, I re-enabled "Modify app" on those two. I got one more round of errors, so I exited Proxo and restarted it. Everything seemed fine after that.

    It was an error I hadn't seen before, which leads me to suspect the change of settings in PG. The odd thing is that I didn't get a single alert. If the error was caused by removing "Modify app", I would have expected at least one PG alert about that happening. I should have written something down, but I think Proxo complained that it couldn't access a port, and Kerio complained about not finding localhost:8080. I've tried to recreate similar circumstances, but couldn't duplicate anything.

    So far, the "normal" apps seem to have no problem. I'll learn more as I try these settings on my main Internet machine.
     
    Last edited: Nov 25, 2004