Why does AdAware try to "Modify" everything?

Discussion in 'ProcessGuard' started by spy1, Apr 18, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    This is the applicable section of my ProcessGuard log when I do a full scan with the freeware version of AdAware, and I do not give AA "Modify" privileges in PG:

    Mon 18 - 01:22:01 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\smss.exe [456]
    Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\csrss.exe [560]
    Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\winlogon.exe [620]
    Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\services.exe [712]
    Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\lsass.exe [724]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [916]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [980]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [1056]
    Mon 18 - 01:22:13 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [1216]
    Mon 18 - 01:22:13 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\spoolsv.exe [1436]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\apc\apc powerchute personal edition\mainserv.exe [1688]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\dcsuserprot.exe [1736]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\ewido\security suite\ewidoctrl.exe [1768]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\eset\nod32krn.exe [1864]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\pctspk.exe [1904]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\pgpserv.exe [1968]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\riomsc.exe [228]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\locator.exe [284]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\snoopfreesvc.exe [372]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [416]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\ups.exe [540]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\alg.exe [1524]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\explorer.exe [504]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spyblocker software\spyblocker.exe [1176]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\eset\nod32kui.exe [1328]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\mynetwatchman\nwclient.exe [1572]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\pgaccount.exe [1116]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\snoopfreeui.exe [1308]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spybot - search & destroy\teatimer.exe [1876]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\procguard.exe [2120]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\pgp corporation\pgp for windows xp\pgptray.exe [2496]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\shadowstor\shadowuser\shadowuser.exe [2552]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\mru-blaster\scheduler.exe [2664]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\apc\apc powerchute personal edition\apcsystray.exe [2960]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\cookiemuncher\cookiem.exe [2964]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\id-blaster plus\idblasterplus.exe [3032]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spywareguard\sgmain.exe [3128]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spywareguard\sgbhp.exe [3220]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\kw1337\kw1337.exe [4048]

    And my question(s) would be:

    (1) Does AdAware actually need/USE the "Modify" option it's asking for - or is this simply sloppy programming?

    (2) If it does "modify" things - what does it modify - and why?

    (3) Does denying it the ability to modify protected programs affect the programs' function/efficiency in any way? Does anyone know?

    I notice that SpyBot Search&Destroy has no such issue if you deny it "Modify" rights in PG - what kind of conclusion can be drawn from that? Pete
     
  2. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I also want to know the answer to this. Does anyone know?
     
  3. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Maybe it wants to behave like an AV? [seriously]
    Is it "hooking" every available process?
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    When you scan with Adaware, as you know, it puts a copy of everything it scans in a temp file to do its scanning. Looks like your Process Guard is seeing that... nothing more, PETE.

    :)
    Funny..there is no modifying going on.. :p
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    This be another one of those duh! threads.. :D


    https://www.wilderssecurity.com/showthread.php?t=69837
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    John - Over on DSL Reports, it was suggested (if I understood it correctly) that what was being seen here was simply the result of AA accessing any of the files in the "Protected" list of ProcessGuard - and PG preventing the last-access time-stamp of any of the "Protected" programs from being "modified" to reflect that access.

    Sound reasonable? Pete
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yup, that is exactly how I understood it all too, Pete. Process Guard is doing a good job then, giving you a list of everything you want to know unless you exclude it, and Adaware is just doing its thing with the hook it found to scan effectively, with you hitting the nail on the head as to what PG was seeing. Most likely every one of those Windows .exe files you have listed above was running at the time Adaware was doing its scan.

    I think you could check that by looking at the Adaware log then.

    Good discussion, Pete.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    "MODIFY" in PG refers to certain functions which are used by trojans to modify another application. So, as indicated by a few users, as long as you trust the application, allow it. It won't actually modify anything; it just uses some functions which make it look that way. The functionality has legitimate uses, such as a scanner looking around inside a process and scanning it.

    It's a little confusing, but far better this way. MODIFY is a grouping of a few types of access. We could have made PG much more complex and left users bewildered as to what was happening when they see words like VirtualAllocEx, CreateRemoteThread, WriteProcessMemory, etc.
     
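The opening post's log and Gavin's explanation above suggest a practical check an analyst can do without knowing which Win32 call PG bucketed under MODIFY: parse the log, group blocked events by source process, and look at how many distinct targets were touched and over what time span. A source that hits every running process (including smss, csrss, winlogon, services and lsass) within a few seconds looks like a scanner enumerating processes; a source that hits one target, say explorer.exe, deserves closer attention. The following is an added example written for this page, not code from the thread, ProcessGuard or Lavasoft. The sample input is a subset of the log lines quoted in the opening post plus one hypothetical line (c:\temp\dropper.exe) constructed to show the single-target case, and the sweep threshold is an assumption chosen for illustration, not a PG setting.

```python
import re
from collections import defaultdict

# Constructed sample input: eight ProcessGuard lines copied from the opening post,
# plus one hypothetical line (c:\temp\dropper.exe) that is NOT from the thread and
# exists only to show how a single-target event is classified.
SAMPLE_LOG = r"""
Mon 18 - 01:22:01 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\smss.exe [456]
Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\csrss.exe [560]
Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\winlogon.exe [620]
Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\services.exe [712]
Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\lsass.exe [724]
Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [916]
Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\dcsuserprot.exe [1736]
Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spybot - search & destroy\teatimer.exe [1876]
Mon 18 - 01:25:40 [MODIFY] c:\temp\dropper.exe [3000] was blocked from modifying c:\windows\explorer.exe [504]
"""

# One PG log line: "<Day> <dd> - <HH:MM:SS> [ACTION] <src path> [pid] was blocked from <verb> <dst path> [pid]"
LINE_RE = re.compile(
    r"^(?P<day>[A-Za-z]{3} \d{1,2}) - (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<action>[A-Z]+)\] (?P<src>.+?) \[(?P<src_pid>\d+)\] "
    r"was blocked from (?P<verb>\w+) (?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

# Core Windows processes that appear in the posted log; touching these is worth calling out.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SWEEP_MIN_TARGETS = 5  # assumption: threshold chosen for this example, not a PG setting


def _seconds(hhmmss):
    """Seconds since midnight; the log has no year, so we only compare within a day."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Parse PG log text into event dicts; unknown line shapes raise instead of being dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ProcessGuard line: {line!r}")
        d = m.groupdict()
        events.append({
            "t": _seconds(d["time"]), "action": d["action"],
            "src": d["src"], "src_pid": int(d["src_pid"]),
            "dst": d["dst"], "dst_pid": int(d["dst_pid"]),
        })
    return events


def classify(distinct_targets):
    """'sweep' = touched many processes (scanner-like); 'targeted' = exactly one; else 'mixed'."""
    if distinct_targets == 1:
        return "targeted"
    if distinct_targets >= SWEEP_MIN_TARGETS:
        return "sweep"
    return "mixed"


def summarize(events):
    """Group blocked events by source (path, pid) and report target count, span and pattern."""
    by_src = defaultdict(list)
    for e in events:
        by_src[(e["src"], e["src_pid"])].append(e)
    report = {}
    for (src, pid), evs in by_src.items():
        targets = {(e["dst"], e["dst_pid"]) for e in evs}
        times = [e["t"] for e in evs]
        report[src] = {
            "pid": pid,
            "events": len(evs),
            "distinct_targets": len(targets),
            "span_seconds": max(times) - min(times),
            "touched_core": sorted({_basename(e["dst"]) for e in evs} & CORE_PROCESSES),
            "pattern": classify(len(targets)),
        }
    return report


if __name__ == "__main__":
    for src, r in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{_basename(src)} [{r['pid']}]: {r['events']} blocked MODIFY events on "
              f"{r['distinct_targets']} targets in {r['span_seconds']}s -> {r['pattern']}; "
              f"core processes touched: {r['touched_core']}")
```

On the posted log this reports ad-aware.exe as a sweep across every listed process in about twenty seconds, which matches Gavin's description of a scanner looking inside each process, while the constructed dropper line comes out as a single targeted event. The classification is a triage hint, not proof: a trusted scanner and an injector can produce the same MODIFY entry, which is exactly why PG's decision rests on whether you trust the source binary.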
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Of course, that doesn't answer the question "Why don't I see the same types of entries in the PG log when I run a SpyBot Search&Destroy scan?" if SBS&D also doesn't have "Modify" rights in PG?

    Different detection/cleaning method? It (SBS&D) also has to access files (and presumably would alter the "last accessed" timestamps) wouldn't it?

    Very confusing stuff - I should probably get more sleep! :D Pete
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    But Pete, I think the PG writers would not really want to tell you all they monitor and protect, much less the way they do it, and that makes sense.

    Maybe Adaware does a WriteProcessMemory as it scans in their TEMP queue area and Spybot certainly does not do that. Each product has its own method to scan.

    And I would rather just see a generic "modify" in a printout than all the myriad other function callouts.

    You trust PG and I trust Adaware. They are security programs and both can help you keep your PC secure.
     