Wayne DCS
Premium
join:2001-12-07
Australia

reply to tempnexus
Re: Did Process Guard stop the Sony rootkit?

 
Yes! ProcessGuard easily stops it - at many levels, and has had this capability for well over a year.

If you want to allow the rootkit to install you actually have to tell ProcessGuard to allow the execution of several different programs and also the installation of a couple of drivers (you'd probably be suspicious of what is installing by this stage) in order for the installation to complete and the rootkit to install. If you simply say No to any of these you'll disrupt the installation process and the rootkit driver won't install.

We'll add some more comprehensive info about this to the ProcessGuard website soon, but I'll attach a couple of screenshots.

The first screenshot is what you see when you first put the CD in your machine, when autorun is enabled. Autorun.exe is launched, and ProcessGuard asks you if you want to allow it.

At this stage you could simply click No, and ProcessGuard would block it from running and that's that - the installation process has been blocked, so even at that early stage it's easy to block it. However for this demo we'll say Yes to everything, to essentially allow the full installation so that we can monitor everything that happens.

The second image shows one of the popup balloon windows you'll see when a program attempts to install a driver.

The third image is a composite of two images that were taken after allowing everything to install - you can see that the installation is quite vigorous, and we had to say Yes (Permit execution/installation) a lot of times.

If you do permit everything to install then you will have installed the rootkit. The fourth image shows some of these files.
