Did Process Guard stop the Sony rootkit? (dslreports.com Security forum thread)


tempnexus
Premium
join:1999-08-11
Boston, MA
Did Process Guard stop the Sony rootkit?

Just wondering


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England
According to Wayne, yes.


Tuulilapsi
Kenosis

join:2002-07-29
Finland

reply to tempnexus
Yes, Process Guard stops the rootkit from installing its driver. However, the user can also allow the installation in Process Guard. Process Guard can't decide whether the driver is malicious or not - that's up to the user, and in this case, since the user agreed to the EULA, the user would probably agree to installing the driver as well. Ultimately, it's all up to the user.
--
Want security? Run as limited user.


tstop

reply to tempnexus
I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized.

Mele20
Premium
join:2001-06-05
Hilo, HI

said by tstop :

I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized.
That may be true. But who would allow a player to be installed? I have PG and yes, I might have allowed the driver to install, but I would never allow the player to install, so what does it matter? I guess Sony thinks everyone wants some proprietary player. That is the kicker for me. I got rid of Quicktime, WMP (except version 6.4), Real Player, Rhapsody, etc. I have Winamp and WMP 6.4, and if something won't play on those then I don't want it. People say DVD discs try to install the InterActual player. Not on my computer they don't, because Dell has antispyware to stop that. Again, why would anyone allow these proprietary players to install when you have your favorite player already and wish to use it?
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus


Tuulilapsi
Kenosis

join:2002-07-29
Finland

A lot of people are less... uh... 'careful' about installing software. But seriously, installing a player is one thing, but allowing something to install a driver is a massive no-no, if you don't even know what the driver does.
--
Want security? Run as limited user.


Wayne DCS
Premium
join:2001-12-07
Australia

reply to tempnexus
Yes! ProcessGuard easily stops it - at many levels, and has had this capability for well over a year.

If you want to allow the rootkit to install you actually have to tell ProcessGuard to allow the execution of several different programs and also the installation of a couple of drivers (you'd probably be suspicious of what is installing by this stage ) in order for the installation to complete and the rootkit to install. If you simply say No to any of these you'll disrupt the installation process and the rootkit driver won't install.

We'll add some more comprehensive info about this to the ProcessGuard website soon, but I'll attach a couple of screenshots.

The first screenshot is what you see when you first put the CD in your machine, when autorun is enabled. Autorun.exe is launched, and ProcessGuard asks you if you want to allow it.

At this stage you could simply click No, and ProcessGuard would block it from running and that's that - the installation process has been blocked, so even at that early stage it's easy to block it. However for this demo we'll say Yes to everything, to essentially allow the full installation so that we can monitor everything that happens.

The second image shows one of the popup balloon windows you'll see when a program attempts to install a driver.

The third image is a composite of two images that were taken after allowing everything to install - you can see that the installation is quite vigorous, and we had to say Yes (Permit execution/installation) a lot of times.

If you do permit everything to install then you will have installed the rootkit. The fourth image shows some of these files.
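Wayne's walkthrough turns on two observable events: autorun.exe launching when the disc is inserted, and a program then installing a kernel driver. The following is an added audit script (not from the thread, and not DiamondCS/ProcessGuard code) for checking those two things on a Windows box without a behaviour blocker: the autorun policy bitmask, and the Service Control Manager's record of recent driver/service installs. It assumes an elevated PowerShell session and the standard System event log.

```powershell
# Added example: defender-side audit of the two things the walkthrough
# above hinges on. Not part of the original post or of ProcessGuard.
# Run from an elevated PowerShell prompt.

# 1. Autorun policy. NoDriveTypeAutoRun is a bitmask of drive types for
#    which autorun is disabled; bit 0x20 covers CD-ROM drives, 0xFF all.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($p in $policyPaths) {
    $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) { "$p : NoDriveTypeAutoRun not set (autorun follows defaults)"; continue }
    $cdBlocked = ($v -band 0x20) -ne 0
    "{0} : NoDriveTypeAutoRun=0x{1:X2}, CD autorun blocked: {2}" -f $p, $v, $cdBlocked
}

# 2. Service/driver installs recorded by the Service Control Manager
#    (System log, event ID 7045). A kernel-mode driver appearing right
#    after a disc was inserted is exactly the event ProcessGuard prompts on.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Service     = $d['ServiceName']
            ImagePath   = $d['ImagePath']
            ServiceType = $d['ServiceType']
            StartType   = $d['StartType']
        }
    } |
    Where-Object { $_.ServiceType -like '*kernel*' } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Running kernel drivers whose image lives outside System32\drivers;
#    vendor installers that drop a driver elsewhere deserve a second look.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notlike '*\System32\drivers\*' } |
    Select-Object Name, DisplayName, PathName |
    Format-Table -AutoSize
```

The 30-day window and the System32\drivers path heuristic are assumptions chosen for illustration; adjust them to the host being reviewed.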



Oremina
Tempus edax rerum
Premium
join:2004-06-02
England


reply to tstop
said by tstop :

I'll bet 95% of PG users would have allowed the Sony rootkit to install if it wasn't so widely publicized.
I would have hoped that 95% of the people who have the nous to use ProcessGuard would also have sufficient knowledge and nous NOT to have installed the rootkit.
--
Oremina



Wayne DCS
Premium
join:2001-12-07
Australia

reply to tempnexus
quote:
I would have hoped that 95% of the people who have the nous to have ProcessGuard installed would also have sufficient knowledge and nous NOT to have installed the rootkit.
That's a good call Oremina. The ProcessGuard website and helpfile both have plenty of information about rootkits, and there are even Tips Of The Day in PG itself with such info - it's just as important to arm customers with good security knowledge as it is to arm them with good security software. One of the main options in ProcessGuard is "Block Rootkit/Driver/Service Installation" - a checkbox you can simply turn on or off at will, so ProcessGuard users are generally quite aware of drivers and their security implications.