Re: Did Process Guard stop the Sony rootkit? in Security

Re: Did Process Guard stop the Sony rootkit? in Security http://www.dslreports.com/forum/r14852681 en Sat, 05 Dec 2009 20:05:22 EDT Sat, 05 Dec 2009 20:05:22 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14858183 Wayne DCS :

quote:
I would have hoped that 95% of the people who have the nous to have ProcessGuard installed would also have sufficient knowledge and nous NOT to have installed the rootkit.

That's a good call Oremina. The ProcessGuard website and helpfile both have plenty of information about rootkits, and there are even Tips Of The Day in PG itself with such info - it's just as important to arm customers with good security knowledge as it is to arm them with good security software. One of the main options in ProcessGuard is "Block Rootkit/Driver/Service Installation" - a checkbox you can simply turn on or off at will, so ProcessGuard users are generally quite aware of drivers and their security implications.]]> http://www.dslreports.com/forum/remark,14858183 Tue, 22 Nov 2005 04:26:52 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14858166 Oremina :

said by tstop :

I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized.

I would have hoped that 95% of the people who have the nous to use ProcessGuard would also have sufficient knowledge and nous NOT to have installed the rootkit.
--
Oremina

]]> http://www.dslreports.com/forum/remark,14858166 Tue, 22 Nov 2005 04:13:15 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14858106 Wayne DCS : Yes! ProcessGuard easily stops it - at many levels, and has had this capability for well over a year. :)

If you want to allow the rootkit to install you actually have to tell ProcessGuard to allow the execution of several different programs and also the installation of a couple of drivers (you'd probably be suspicious of what is installing by this stage :)) in order for the installation to complete and the rootkit to install. If you simply say No to any of these you'll disrupt the installation process and the rootkit driver won't install.

We'll add some more comprehensive info about this to the ProcessGuard website soon, but I'll attach a couple of screenshots.

The first screenshot is what you see when you first put the CD in your machine, when autorun is enabled. Autorun.exe is launched, and ProcessGuard asks you if you want to allow it.

At this stage you could simply click No, and ProcessGuard would block it from running and that's that - the installation process has been blocked, so even at that early stage it's easy to block it. However for this demo we'll say Yes to everything, to essentially allow the full installation so that we can monitor everything that happens.

The second image shows one of the popup balloon windows youll see when a program attempts to install a driver.

The third image is a composite of two images that were taken after allowing everything to install - you can see that the installation is quite vigorous, and we had to say Yes (Permit execution/installation) a lot of times.

If you do permit everything to install then you will have installed the rootkit. The fourth image shows some of these files.

:)

]]> http://www.dslreports.com/forum/remark,14858106 Tue, 22 Nov 2005 03:37:39 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14855544 Tuulilapsi : A lot of people are less... uh... 'careful' about installing software. But seriously, installing a player is one thing, but allowing something to install a driver is a massive no-no, if you don't even know what the driver does.
--
Want security? Run as limited user.]]> http://www.dslreports.com/forum/remark,14855544 Mon, 21 Nov 2005 19:35:04 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14855433 Mele20 :

said by tstop :

I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized.

That may be true. But who would allow a player to be installed? I have PG and yes, I might have allowed the driver to install, but I would never allow the player to install so what does it matter? I guess Sony thinks everyone wants some proprietary player. That is the kicker for me. I got rid of Quicktime, WMP (except version 6.4), Real Player, Rhapsody, etc. I have Winamp and WMP 6.4 and if something won't play on those then I don't want it. People say DVD discs try to install the interactual player. Not on my computer they don't because Dell has antispyware to stop that. Again, why would anyone allow these proprietary players to install when you have your favorite player already and wish to use it?
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,14855433 Mon, 21 Nov 2005 19:21:28 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14852681 anon : I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized. ]]> http://www.dslreports.com/forum/remark,14852681 Mon, 21 Nov 2005 12:52:51 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14852229 Tuulilapsi : Yes, Process Guard stops the rootkit from installing its driver. However, the user can also allow the installation in Process Guard. Process Guard can't decide whether the driver is malicious or not - that's up to the user, and in this case, since the user agreed to the EULA, the user would probably agree to installing the driver as well. Ultimately, it's all up to the user.
--
Want security? Run as limited user.]]> http://www.dslreports.com/forum/remark,14852229 Mon, 21 Nov 2005 11:44:30 EDT Re: Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14852223 John2g : According to Wayne, yes.]]> http://www.dslreports.com/forum/remark,14852223 Mon, 21 Nov 2005 11:43:55 EDT Did Process Guard stop the Sony rootkit? http://www.dslreports.com/forum/remark,14852197 tempnexus : Just wondering]]> http://www.dslreports.com/forum/remark,14852197 Mon, 21 Nov 2005 11:40:19 EDT