DriveSentry, Comodo D+ and ntvdm.exe


s23
February 22nd, 2009, 01:50 PM
Hey folks... sorry if this is a dumb question, but I have a doubt about this executable and whether it is necessary to pay attention to configuring its execution. I'm testing these 2 pieces of software, and with some DOS malware that virus signatures don't catch, the HIPS feature simply doesn't alert about what they are trying to do. In DefenseWall I see this executable in the untrusted category. In DriveSentry this exec. is trusted (I think through the whitelist), and in Comodo (I created a rule to "ask") they alert that ntvdm.exe is executing HIMEM.sys and command.com, but don't alert on any malware behaviour and the malware executes. I tried with Avira and one alert for the malware is triggered. I tried to make a rule to control its execution but without success. If today the applications that need this behaviour are few, and you are browsing some pages and get alerted about its execution, that is a bit strange, right? Should I care about it?


Sorry for my poor English


Duplicated post... my ISP connection is a ****, it goes down many times - Sorry

andyman35
February 22nd, 2009, 07:24 PM
That is a component of Windows (NT Virtual DOS Machine in full). It's no surprise that it's showing up when playing with DOS malware.

s23
February 22nd, 2009, 08:19 PM
But the thing is DriveSentry doesn't alert me! (I put the whole Windows partition under monitoring and enabled lockdown mode.) If this is a path for malware execution, then it should not be in the whitelist, right? Through it, if the fingerprint is not in the database, are they allowed to run?

andyman35
February 23rd, 2009, 08:19 AM
I don't use DriveSentry so I wouldn't like to comment on any alerts you may or may not get, but from my understanding it isn't like a full-blown HIPS in respect of coverage. You'd be better off asking Katie in the dedicated thread.

http://www.wilderssecurity.com/showthread.php?t=209764