Slashdot Mirror


Virus Scanners and Process Authentication for Windows?

cavedwler asks: "Like a lot of people, for one reason or another, I still have Windows running on one of my PCs and have the standard virus scanner, and wondered if that is enough. I ran across this site and found a program that seems to work well in conjunction with any virus scanner. It blocks any executable or script from running on your PC without your approval. It is not a virus scanner, as it does not search for viruses, but it just does not allow them to run. It also has the ability to monitor files and restore them in real time if they have been modified. I have been running it for a while now and am thinking of recommending it to my boss for use at work. I was wondering if anyone else out there had tried this, or other programs similar to it, in a real-world environment and had any problems or successes."

3 of 23 comments

  1. theoretically by thexaspect · Score: 2, Informative

    While this sounds great in theory, if your virus software is as up to date as it should be on an important box, then how would these scripts be a problem? I've had Outlook running on my desktop for YEARS and have received at least one email that contained all of the "famous" virus/scripts, and I've never had a problem. If you have your software set to NOT OPEN ANYTHING you don't tell it to, you don't have a problem. Save your IT department some money and implement policies or some other such feature. Just my 2 cents...

  2. I use AVG + ZoneAlarm + Ad-aware by rhild · Score: 5, Informative
    The combination of: will keep your Windows box free of all sorts of nasty things for FREE.
    1. Re:I use AVG + ZoneAlarm + Ad-aware by Permission+Denied · Score: 4, Informative
      Funny thing about Kerio is that it works by hooking calls into wsock32.dll. You can write a simple program that does not use winsock and it bypasses Kerio.

      Download winpcap. Unlike Unix libpcap, it includes both functions to create packets as well as capture them. It does not use winsock but rather installs an NDIS driver that sits lower in the TCP stack. You can then write a simple program that listens for packets and then manually constructs packets with UDP/TCP headers and sends them out. Completely bypasses Kerio.

      If you'd like, I can post the code. I tested this about a month ago and it worked against the latest version of Kerio Personal Firewall. Took about an hour of work for a proof-of-concept program. You could get really crazy and implement a TCP stack in userspace and then write all kinds of trojans that would bypass TPF. Only works with privileged accounts since you need permissions to install an NDIS driver, but outside of controlled corporate environments, all Windows users use the Administrator account anyway.

      Sygate and ZoneAlarm both install low-level NDIS drivers and are not susceptible to this attack. (At least I couldn't figure out how to bypass them - it may be possible to install a TDI hook which sits below NDIS, but this looks like months of work.)

      Other than that, TPF really is much nicer than Sygate or ZoneAlarm, but this is a pretty gaping hole. I'd recommend Sygate over ZoneAlarm.