AppDefend x64 BETA Released (XP64)

[Defenestration]

BTW, I am running XP Pro x64 SP2 with ALL updates, and I don't get any notification about new Kernel Patch Protection when installing AD x64 alpha 3, even though I imagine I must have the latest KPP.

[Defenestration]

Quote:

Originally Posted by Defenestration

BTW, I am running XP Pro x64 SP2 with ALL updates, and I don't get any notification about new Kernel Patch Protection when installing AD x64 alpha 3, even though I imagine I must have the latest KPP.

I think I know the problem - I used nLite to slipstream SP2 and all updates to 2nd December 2007 onto my XP x64 SP1 CD, to create a new installation CD. I then used this to install XP x64. Therefore, the KPP updates cannot simply be un-installed by using Add/Remove Programs to remove the relevant KB's.

Is there any way around this so people, who have slipstreamed updates, can un-install the KPP updates and use GSS ?

[lucas1985]

You'll have to make a new custom CD.

[Defenestration]

Which KB's should I not slipstream to get rid of the KPP updates ?

Also, do these KB's only contain the KPP updates, or do they also contain other fixes ?

[Defenestration]

While it may not be possible to automatically remove the KPP updates from slipstreamed installations (although that would be handy), would it be possible to have some sort of special alert in the GSS x64 build, which would be displayed when a possible KPP update was being attempted. Without looking into exactly what files are being changed when the KPP is updated, would it be possible to have a list of these files, and then alert when one of these was about to be changed ?

I suppose this kind of functionality would be a specialized form of a new "FileDefend" ® © module (which could allow/block creation/modification/deletion of files and folders, based on a rule-set).

[Defenestration]

Quote:

Originally Posted by Defenestration

Which KB's should I not slipstream to get rid of the KPP updates ?

Update for Windows XP x64 Edition (KB914784) is the first update to KPPv2.

Update for Windows XP x64 Edition (KB932596) is the second update to KPPv3.

NOTE: KB932596 supersedes KB914784.

[Defenestration]

Quote:

Originally Posted by Defenestration

While it may not be possible to automatically remove the KPP updates from slipstreamed installations (although that would be handy), would it be possible to have some sort of special alert in the GSS x64 build, which would be displayed when a possible KPP update was being attempted. Without looking into exactly what files are being changed when the KPP is updated, would it be possible to have a list of these files, and then alert when one of these was about to be changed (eg. "An update to Kernel Patch Protection is possibly being installed, which may disable GSS. Do you want to allow this update ?") ?

I suppose this kind of functionality would be a specialized form of a new "FileDefend" ® © module (which could allow/block creation/modification/deletion of files and folders, based on a rule-set).

According to the MS Security Advisory for KB914784, only two files were updated - "Ntkrnlmp.exe" and "Ntoskrnl.exe".

Since other non-KPP updates may also modify these files, then the alert should stress that these updates may not be KPP updates, but this would be a powerful tool against KPP updates.

[Defenestration]

Jason - Would it be OK to simply replace the two files, "Ntkrnlmp.exe" and "Ntoskrnl.exe" with those from my XP x64 SP1 install CD (as it would be a pain to have to re-install XP along with all my other apps) ?

[Jason_R0]

Quote:

Originally Posted by Defenestration

Jason - Would it be OK to simply replace the two files, "Ntkrnlmp.exe" and "Ntoskrnl.exe" with those from my XP x64 SP1 install CD (as it would be a pain to have to re-install XP along with all my other apps) ?

I think that should be fine, in theory. As they rarely change anything major in those modules (besides KPP of course). I can see an instance where Microsoft try to roll out some major update with a new version of KPP bundled along with it, but then the major update would have to have something worthwhile for us to want to upgrade to it.

Whenever something important comes with KPP, I will have to "fix" that version of KPP, but for now uninstalling the updates is the preferred method if you want system speed and stability.

I will probably have to use a better method to detect the version of KPP installed rather than relying on those updates being installed into the registry, file version checks, things of this nature.

[TheQuest]

Hi, Defenestration

Quote:

(as it would be a pain to have to re-install XP along with all my other apps) ?

There is aways Repair Install which would save you having to reinstall all of your apps, and then edit your update install.

Take Care,
TheQuest