Re: Processes missing from list?

Started by Jeremy Collake, March 01, 2013, 04:42:40 AM

Jeremy Collake

Since listing of these protected processes does require rather extensive regression testing, I've first added an option to show these processes. As I test it with the various security suites, I will move to enabling it by default.
Software Engineer. Bitsum LLC.

Hotrod

I've noticed that Agnitum Outpost Security Suite processes show up on my Windows 7 X64 setup, but do not show on my XP boxes.

BenYeeHua

Quote from: Jeremy Collake on March 01, 2013, 01:59:59 AM
Processes that Process Lasso can not get access to, such as audiodg.exe, are not listed in the process list. This is a protected Windows process, thanks to DRM.

Avast's processes, like the processes of some other security software, are not shown because it was discovered that read-only querying of many security processes induces tamper detection events. These events are not handled well by security software, and can lead to thousands of duplicate events in their logs, repeated every second.

I do plan to make sure these processes are listed in the near future. Initially, I tried to hide problematic metrics of the security processes so that tamper detection problems didn't occur. This was only partially successful, and after testing numerous products, I eventually decided to just ignore them all completely, at least for the time being. From a development perspective, the choice was potentially crippling interoperability problems, or ignoring these processes. Process Lasso is not intending to be a full-fledged task manager, it is more an automation tool, and rules should not be set on these processes anyway. Still, since so many people use it as a task manager, this behavior must be adjusted.

Yes, it is protected because of DRM.
And you can disable the protection by disabling the DRM, with some registry changes.
http://www.kconnolly.net/Post.aspx?ID=246
So maybe you can detect the protection, and don't access them? :)

Jeremy Collake

Yes, I will see what I can do as I work to better the task manager portion of Process Lasso.

phthisic

Though the "protection" of the processes may explain why they don't show up, I guess I still don't understand why they all show up in every other task manager I have tried. Even simple ones from Win98 show these (though being pre-DRM, just as the Linux kernel has no problem bypassing file security, older ones may be able to do it simply by being simple and avoiding DRM collisions).

Thanks, by the way, for looking into this. It seems like I only come to the forum when there is a problem, but I don't want to leave the impression that I don't respect and appreciate all the work done on this. I use it all the time, as my primary task manager, actually, since it's easier to kill things or set priorities all in one place. It's a tool I also recommend a lot, though the average user may be a bit intimidated by it. Maybe a one-button self-configuration would be a good idea for simpler minds, though I'm not sure how well that would work in practice since some processes need attention and tweaking beyond what most automation would do well.
Microsoft MVP, Windows Shell (2004-2013)

BenYeeHua

Quote from: phthisic on March 18, 2013, 11:13:37 AM
Though the "protection" of the processes may explain why they don't show up, I guess I still don't understand why they all show up in every other task manager I have tried. Even simple ones from Win98 show these (though being pre-DRM, just as the Linux kernel has no problem bypassing file security, older ones may be able to do it simply by being simple and avoiding DRM collisions).

Thanks, by the way, for looking into this. It seems like I only come to the forum when there is a problem, but I don't want to leave the impression that I don't respect and appreciate all the work done on this. I use it all the time, as my primary task manager, actually, since it's easier to kill things or set priorities all in one place. It's a tool I also recommend a lot, though the average user may be a bit intimidated by it. Maybe a one-button self-configuration would be a good idea for simpler minds, though I'm not sure how well that would work in practice since some processes need attention and tweaking beyond what most automation would do well.

Because it will cause some issues if you don't control it correctly.
Like creating 1000 logs per minute by accessing anti-virus. :)

hanemach_gt

Quote from: phthisic on March 18, 2013, 11:13:37 AM
Though the "protection" of the processes may explain why they don't show up, I guess I still don't understand why they all show up in every other task manager I have tried. Even simple ones from Win98 show these (though being pre-DRM, just as the Linux kernel has no problem bypassing file security, older ones may be able to do it simply by being simple and avoiding DRM collisions).

Thanks, by the way, for looking into this. It seems like I only come to the forum when there is a problem, but I don't want to leave the impression that I don't respect and appreciate all the work done on this. I use it all the time, as my primary task manager, actually, since it's easier to kill things or set priorities all in one place. It's a tool I also recommend a lot, though the average user may be a bit intimidated by it. Maybe a one-button self-configuration would be a good idea for simpler minds, though I'm not sure how well that would work in practice since some processes need attention and tweaking beyond what most automation would do well.

Not to enumerate any companies (or to defend Bitsum), I think it's more that Bitsum is "troublesome" for some companies, because the company insists on telling the whole truth openly and widely. Bitsum represses software bundles, busts scams and reveals "aloud" performance glitches.
In my opinion, that's the main factor in Bitsum not getting treated in a friendly way, though I might not have known everything closely enough.

Jeremy Collake

Quote from: phthisic on March 18, 2013, 11:13:37 AM
Though the "protection" of the processes may explain why they don't show up, I guess I still don't understand why they all show up in every other task manager I have tried. Even simple ones from Win98 show these (though being pre-DRM, just as the Linux kernel has no problem bypassing file security, older ones may be able to do it simply by being simple and avoiding DRM collisions).

A few system processes are ignored. Processes not in the defined manageable user context are ignored. This latter can be changed in the runtime config (all users or not).

Certain security software has been seen to emit an infinite number of duplicate log events (one or more each refresh of the process info) when its processes are opened with mere read-only access. For a while I tried to work around the issue, but various products had various triggers, and it became quite tedious to even test. If the process was simply logged, it wouldn't be a problem, but the tamper detection systems on more than one security product were extremely dumb and had a big impact on system performance. Known task managers get an exemption from this. Whether or not Process Lasso's use of the NT Native API exacerbates the problem is unknown, but likely.

This is something I intend to revisit again, as perhaps things have changed, or perhaps I can make it work without triggering those tamper detection events. It is tedious though, all to display information about a few processes of security software, processes that should never be acted on anyway. Given the other task managers, and indeed Windows' own improved task manager, it seems redundant and a large effort.

The first thing I am going to do (soon) is at least show these processes, even if absolutely no information is presented about them. In time, I'll then start filling in the process information as best I can without triggering a tamper detection event, something that will require lots of testing with annoying trial versions of security suites.

I will show the system processes in a similar way (name only).

Jeremy Collake

I am going to start enabling the view of these system and tamper-proof security processes more aggressively in the near future. Please let me know if there are any issues seen with security software tamper detection (sometimes it won't say anything, but will be busy emitting thousands of tamper detection log entries). It is difficult for me to test all security suites out there, and all their various editions and updates.

BenYeeHua

Quote from: Jeremy Collake on March 22, 2013, 02:50:19 PM
I am going to start enabling the view of these system and tamper-proof security processes more aggressively in the near future. Please let me know if there are any issues seen with security software tamper detection (sometimes it won't say anything, but will be busy emitting thousands of tamper detection log entries). It is difficult for me to test all security suites out there, and all their various editions and updates.

Luckily my anti-virus doesn't do that logging. :D
But I wonder why it is enabled by default?
Does it help detect viruses that "touch" or try to kill the anti-virus process more easily?
Or do they want to collect other things for debug use?

Jeremy Collake

Quote from: BenYeeHua on March 22, 2013, 02:59:40 PM
Does it help detect viruses that "touch" or try to kill the anti-virus process more easily?
Or do they want to collect other things for debug use?

A few years ago, malware started to disable security products (makes sense, eh?). At that time, they added a bunch of tamper detection crap. In addition, they added all those big warnings and prompts when you turn off any particular function of their software.

I must say, in general, I continue to be extremely frustrated with all security software, with the exception of Windows Defender. The third-party security products are all awful, slow down any system to extreme levels, rarely detect anything but benign threats, and are prone to false positives. It's more about scaring people into buying their software and continuing to purchase updates than anything else.

I believe security software may even make users *more vulnerable* by lulling them into a false sense of security. Users can mistakenly believe their security software will detect threats, and be less safe in their activities. I believe it is better, for some users, to not use security software, and instead realize that their activities matter more than anything. By not using security software, they won't have the *false* sense of safety, and thus be more cautious.

BenYeeHua

Quote from: Jeremy Collake on March 22, 2013, 03:06:15 PM
A few years ago, malware started to disable security products (makes sense, eh?). At that time, they added a bunch of tamper detection crap. In addition, they added all those big warnings and prompts when you turn off any particular function of their software.

I must say, in general, I continue to be extremely frustrated with all security software, with the exception of Windows Defender. The third-party security products are all awful, slow down any system to extreme levels, rarely detect anything but benign threats, and are prone to false positives. It's more about scaring people into buying their software and continuing to purchase updates than anything else.

I believe security software may even make users *more vulnerable* by lulling them into a false sense of security. Users can mistakenly believe their security software will detect threats, and be less safe in their activities. I believe it is better, for some users, to not use security software, and instead realize that their activities matter more than anything. By not using security software, they won't have the *false* sense of safety, and thus be more cautious.

Yes, it looks like you have a baby that doesn't know anything.
And you stop anything it wants to do, not letting him/her learn by himself/herself.
When he/she becomes a child, every time he/she is bullied, you help him/her fight back, rather than giving some tips and letting him/her solve it.
----
Just a simple one, overprotection. ;)

Many people start using MSE, and they fail.
As it is too quiet, it doesn't tell what it is doing until it finds an old virus, in a picture. (Yes, they hide it in the Windows 98 picture ::))
And I just lol ;D