

Wayne DCS
Premium
join:2001-12-07
Australia

reply to tempnexus
Re: Did Process Guard stop the Sony rootkit?

 
Yes! ProcessGuard easily stops it - at many levels, and has had this capability for well over a year.

If you want to allow the rootkit to install you actually have to tell ProcessGuard to allow the execution of several different programs and also the installation of a couple of drivers (you'd probably be suspicious of what is installing by this stage) in order for the installation to complete and the rootkit to install. If you simply say No to any of these you'll disrupt the installation process and the rootkit driver won't install.

We'll add some more comprehensive info about this to the ProcessGuard website soon, but I'll attach a couple of screenshots.

The first screenshot is what you see when you first put the CD in your machine, when autorun is enabled. Autorun.exe is launched, and ProcessGuard asks you if you want to allow it.

At this stage you could simply click No, and ProcessGuard would block it from running and that's that - the installation process has been blocked, so even at that early stage it's easy to block it. However for this demo we'll say Yes to everything, to essentially allow the full installation so that we can monitor everything that happens.

The second image shows one of the popup balloon windows you'll see when a program attempts to install a driver.

The third image is a composite of two images that were taken after allowing everything to install - you can see that the installation is quite vigorous, and we had to say Yes (Permit execution/installation) a lot of times.

If you do permit everything to install then you will have installed the rootkit. The fourth image shows some of these files.
