Question on ProcessGuard (e.g., "MediaMonkey.exe tried to install a global shell hook ")

  • Thread starter buzz Light Beer

buzz Light Beer

"MediaMonkey.exe tried to install a global shell hook"
Is this, well, normal?
I mean, global hooks are commonly used by keyloggers and trojans...
I really like MediaMonkey, and even w/ ProcessGuard blocking the hook,
it seems to be working as usual?
The reason I got ProcessGuard was because of the recent *Rootkit*
thread that caught my attention.
There's a limited freeware ver here:
http://www.diamondcs.com.au/processguard/index.php?page=download

Maybe I'm just getting too paranoid, jeez...
Right now I'm using

Spy Sweeper
Ad-Aware SE Personal
ewido security suite
a-squared
Sygate Pro <and using advanced rules>
AntiVir <Portable,for manual back-up>
Kaspersky Personal
ProcessGuard
s-t-i-n-g-e-r
and some I prob haven't included......

Every time I boot up SuSE Linux on my virtual drive and see such a
clean desktop w/out the need for all these peripherals, I have to
ask myself, why Windows?
Basically two reasons, CAD and Photoshop, I guess?
Oh well, don't want to get on a skew from my topic question :)
/bLB
 

Aaron

buzz said:
"MediaMonkey.exe tried to install a global shell hook"
Is this, well, normal?

Who knows. Global hook could mean many things. That's one of my
complaints about products like ProcessGuard: it takes a bloody hacker to
use one of these effectively.

Personally I deny access to this unless a) I really trust the program,
and/or b) it needs it to run.

The problem is that it's difficult to judge whether a program really
needs it to run. I could hide a rootkit as some application. And the
fake application would refuse to run unless it was granted the right to
install a driver.

buzz said:
I mean, global hooks are commonly used by keyloggers and trojans...

Yes, and many legitimate programs too.

buzz said:
I really like MediaMonkey, and even w/ ProcessGuard blocking the hook,
it seems to be working as usual?

Then leave it.

buzz said:
The reason I got ProcessGuard was because of the recent *Rootkit*
thread that caught my attention.
There's a limited freeware ver here:
http://www.diamondcs.com.au/processguard/index.php?page=download

The freeware version doesn't block driver installation, sadly. That's the
main thing that keeps out rootkits.

In any case, the ProcessGuard forum is here:
http://www.wilderssecurity.com/forumdisplay.php?f=13
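An added example, not from this thread and not ProcessGuard's own code: a HIPS prompts *before* a driver is installed, but a reader of this thread may also want the after-the-fact check, i.e. which kernel drivers are currently registered on the box, which are running, and which are unsigned or were written to disk recently. The script below does that through WMI (Win32_SystemDriver) and Get-AuthenticodeSignature; the 7-day "recent" window and the output column names are assumptions chosen for illustration. Because this is user-mode enumeration, a kernel rootkit that hides its service or file will not appear in the list; that is exactly why blocking the driver load in the first place matters more than auditing afterwards.

```powershell
# Added example (not the thread's or ProcessGuard's code): audit registered
# kernel drivers on the local machine. Run from an elevated PowerShell session.
# Caveat: WMI is a user-mode view; a rootkit that hooks the kernel can hide here.

$recentDays = 7                              # assumption: "recently installed" window
$cutoff = (Get-Date).AddDays(-$recentDays)

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # WMI reports some driver images as \SystemRoot\..., \??\C:\... or System32\...;
    # normalise them to a path Test-Path and Get-Item understand.
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverAudit {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        $path    = Resolve-DriverPath $d.PathName
        $exists  = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig     = $null
        $written = $null
        if ($exists) {
            # Authenticode status of the .sys image (Valid, NotSigned, HashMismatch, ...)
            $sig     = (Get-AuthenticodeSignature -FilePath $path).Status
            $written = (Get-Item -LiteralPath $path).LastWriteTime
        }
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State          # Running / Stopped
            StartMode = $d.StartMode      # Boot / System / Auto / Manual / Disabled
            Path      = $path
            OnDisk    = $exists
            Signature = $sig
            LastWrite = $written
            Recent    = [bool]($written -and $written -gt $cutoff)
        }
    }
}

$audit = Get-DriverAudit

# Triage list: drivers that are running but unsigned, or whose image is missing
# while the service still exists (suspicious in itself), plus anything written
# inside the recent window.
$suspect = $audit | Where-Object {
    ($_.State -eq 'Running' -and ($_.Signature -ne 'Valid' -or -not $_.OnDisk)) -or $_.Recent
}

$suspect |
    Sort-Object Recent, Signature |
    Format-Table Name, State, StartMode, Signature, LastWrite, Path -AutoSize
```

Treat the output as a starting point for investigation, not a verdict: drivers signed only through a catalog file can show as NotSigned on older Windows versions, and a freshly patched system will legitimately have many "recent" entries. Anything that is Running, unsigned, and not traceable to a product you installed is what deserves a closer look.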
 

buzz Light Beer

Aaron said:
Who knows. Global hook could mean many things. That's one of my
complaints about products like ProcessGuard: it takes a bloody hacker to
use one of these effectively.

I'm no hacker, to be sure. But, so far, ProcessGuard (now) seems
pretty much a set-it-up-and-leave-it-alone defense. Of course, I know
that each time I install new software I'll have to set privileges, but
that's cool.

Aaron said:
Personally I deny access to this unless a) I really trust the program,
and/or b) it needs it to run.

The problem is that it's difficult to judge whether a program really
needs it to run. I could hide a rootkit as some application. And the
fake application would refuse to run unless it was granted the right to
install a driver.

Aaron said:
Yes, and many legitimate programs too.

Very true.
Was just a momentary case of paranoia.
MediaMonkey was just the first program that wanted global hooks after
changing from *Learning Mode*. Subsequently a couple of other clean
programs have done the same. So, I'm giving existing trusted programs
more of a carte blanche now. :)

Aaron said:
Then leave it.

I did, and all is well.

Aaron said:
The freeware version doesn't block driver installation, sadly. That's the
main thing that keeps out rootkits.

Agreed, rootkit was the deciding factor for going full ver.
Also, testing F-Secure BlackLight Beta, which runs nicely on my
box..free now but times out in Oct. :(

Thanks Aaron, for taking the time to respond.
After a couple of days w/ ProcessGuard, I believe I am starting to get
a little more savvy w/ it. Kinda like initially setting up privileges
for a firewall...but different :)
Assuming I am not infected now, um, before,
I just let it run for a while in *Learning Mode* and later granted
some privilege requests for existing trusted programs that didn't run
during that period.
This program has proven real easy on resources and I believe it is
gonna be a nice program for my defense arsenal.
As easy as it is on my resources, I believe just the free ver would be
worth the download. :)
BTW, the full version stopped Gibson Research's *Leak Test* dead in
its tracks when I tested it.....Quickly, hehe
/bLB
 

buzz Light Beer

Mark said:
You could try Wine with Photoshop; it should work.

At the moment I'm running Linux w/ VMware on a virtual drive.
Not the most efficient way to run large programs. Gimp will run, but
slowly.
I am running three different OSes: SuSE 9 and Windows 2000 Pro in virtual
drives on Windows XP.
I use Windows 2000 Pro as a testing sandbox w/ all new software before
I commit to installing on XP. :)
It's kinda cool to boot up SuSE and just minimize it if I need to go
back into Windows...VMware <payware> is pretty awesome.
I am in the process of setting up another hard drive partition for
Linux...so I'm sure I will try Wine for Photoshop after installation.
But I make my living w/ AutoCAD, so that may be more of a challenge?
To me, the hardest thing about learning Linux is un-learning Windows.
I have a son who is 10 yrs old and his first box will be a Linux
system...putting it together for him now. <He hasn't learned Windows
yet>
He can do all his hardcore gaming on his Xbox console, hehe
Thanks, Mark!
/bLB
 