Access application and Office Guard

Hi, Dima.

Actually I've not been encountered with Kaspersky Office Guard.
But the answer seems to be simple.
Just run a code that is sure to be recognized as unsafe by Kaspersky or any other AV soft.

BTW how does it blocks unsafe instructions? Stops code execution? Raise a VBA error?

Yes, it stops code execution - that's why the answer is not so simple :)

Does it blocks VBA completely?
If no, then maybe the following trick will work:

• declare some global variable
• set timer event handler checking the variable
• set the variable to Value1
• run "unsafe" code
• set the variable Value2

Interesting idea, but I don't want to run an "unsafe" code as part of the checking, since antivirus pops up it's message each time it detects an "unsafe" code execution, and this is what I want to avoid in the first place.

May be to find running OfficeGuard process will be the cure.

I've tried it with winapi EnumProcesses but it seems that VBA is too high-livel to have an opportunity to work with pointers. EnumProcesses is being invoked normally and returns something about 100 bytes but target array/string is being destroyed, probably VBA array/string is not a flat memory allocation.
Anyway I think there is another opportunity to detect running process.

On the one hand the solution looks nice as anti-antivirus. On the other hand it is too specific.

Hi, dima.

If you are interested in detecting OfficeGuard via running processes enumeration, then look at a code I've finally managed to write.
At least Kaspersky antivirus appears in the list. :)

[code=vb]
Option Compare Database

Public Declare Function EnumProcesses Lib "psapi.dll" _
(ByRef pProcessIds As Long, ByVal cb As Long, ByRef pBytesReturned As Long) _
As Boolean

Public Declare Function GetProcessImage FileName Lib "psapi.dll" _
Alias "GetProcessImag eFileNameA" _
(ByVal hProcess As Long, ByRef lpImageFileName As Byte, ByVal nSize As Long) _
As Long

Public Declare Function OpenProcess Lib "kernel32.d ll" _
(ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Boolean, _
ByVal dwProcessId As Long) _
As Long

Public Declare Function CloseHandle Lib "kernel32.d ll" _
(ByVal hObject As Long) As Boolean




Public Sub EnumProcessesIm ageFileNames()

Dim strProcImageNam e As String
Dim strPIN(1 To 1000) As Byte
Dim lngBR As Long
Dim lngPIDs(1 To 1000) As Long

Dim hProcess As Long

'init array with zeroes to force memory allocation
For i = 1 To UBound(lngPIDs)
lngPIDs(i) = 0
Next i
For i = 1 To UBound(strPIN)
strPIN(i) = 0
Next i

EnumProcesses lngPIDs(1), 256, lngBR

For i = 1 To lngBR / 4

hProcess = OpenProcess(&H4 10, False, lngPIDs(i))
GetProcessImage FileName hProcess, strPIN(1), UBound(strPIN)
'Debug.Print Err.LastDllErro r
Debug.Print CloseHandle(hPr ocess)
strProcImageNam e = ""
For j = 1 To UBound(strPIN)
strProcImageNam e = strProcImageNam e & Chr(strPIN(j))
Next j
Debug.Print lngPIDs(i); " "; strProcImageNam e

Next i

End Sub

[/code]

and take a look at tovarisch Fedotov article
Enumerating Windows Processes

Thanx, I'll take a look.

I think I'll give it up after all.
Finding Kaspersky antivirus within running processes is not necessarily points out that Office Guard is active. So I guess there is no elegant solution for this.
Thanks for the help.