UGH!!!! [Archive] - Wilders Security Forums

View Full Version : UGH!!!!

Peter2150

April 30th, 2004, 09:31 AM

Hi Gavin

I was glancing thru other posts on Wilders and found this post of yours:

"I just tried a variant and it failed against Process Guard with my default
setup - it tried to infect any running process it could. This is because it
USERMODE patches NTDLL.DLL in a running process to change some
functions. No driver, just the single Agobot/Phatbot process. Users of PG
should add all running processes to the list just in case"

The significance of this seems to be all running processes and any exe that is used for any time, also needs to be added to the list.

I wanted to post this here, as this was not in an obvious place where I found relative to Process Guard.

Jason, maybe for the next version, the new install needs to not only add certain system stuff by default, but everything it finds running?

Pete

Oremina

April 30th, 2004, 10:20 AM

I second Peter2150's suggestion for the next version. It would be very useful
for some of the more cerebrally challenged amongst us. (Me!!).

;D

Gavin - DiamondCS

May 1st, 2004, 02:42 AM

I've been meaning to look closely at some of the more advanced malware before making any recommended settings, but adding all running EXE's.. its not something you really need to do. Not yet anyway since there is no malware which does need it - I'll edit that post since it was actually blocking services/drivers that counts.

I think the help file is probably a little underused which is a consideration for default settings.. will have to look at it. We can't make the full version too aggressive without users being able to handle how that could stop certain things working, its a very hard thing to balance. Blocking services by default isn't really a good idea unfortunately, but in future versions we should be able to get more things done FOR the user rather than leaving it up to them.

The default setup PLUS block services/drivers blocks the latest Agobot/Phatbot installs :) This will be in the next help file and any online documentation. There does need to be some guides to usage, and this is where the community could help. Agobot will be a good example of why block services/drivers just like Hacker Defender so I'll try to get something extra good into the next help file.

The default configuration will protect against all other usermode patching, its just that THIS one does add a service, like Hacker Defender and any driver based rootkit.

JW Clements

May 1st, 2004, 08:43 AM

The path is, from the menu bar:

Protection > General Protection Options > 3. Block drivers and services from installing

should have a check mark.

I've checked all 4 options, paranoid - probably, safer - definitely.