Driver load interception for Windows 2000?

My problem: rootkits and driver-based malware like Stuxnet are common now, and older versions of Windows are very vulnerable (especially to ones that can be transmitted through infected USB sticks).

My hypothetical patchwork solution: some software that prompts the user whenever something tries to load a driver, set up an autorun service, or write to the MBR. IOW a very limited HIPS.

(I figure that, if it can't get into the kernel and hide itself, I can find it and disable it using Autoruns/ProcExp/etc. Hopefully I'm mostly right about that.)

A few things like this already exist...

- Outpost Firewall Free 6.51: What I usually use on Win2k. Getting a bit long in the tooth though, and seems to let through anything with a "valid" digital signature (so probably would let Stuxnet right past it).

- System Safety Monitor, AntiHook, etc.: Haven't really tried. Old and unmaintained, I'm thinking they may not protect old systems from new rootkits.

- MJ RegWatcher: hooks the registry areas that are involved with driver loading and autoruns, so if run as admin it should theoretically be able to block that... Right? However, when I tried it on my Win7 install vs. the Rootkit Revealer driver, it became clear that there are ways of avoiding this method of interception... So unfortunately RegWatcher is a no go.

Is there anything else out there worth trying? Or is it time to switch all the Windows 2000 boxes to OpenBSD?

 

Official support for Windows 2000 ended in 2010. Why would you continue to cobble together security for an OS that's over 10 years old?

 

VMWare ?

 

'Cause it's the only OS that will run decently on some of my computers, and I don't like giving up on old computers. I'm not a big believer in new-today-obsolete-tomorrow.

 

still one of the best that MS put out

 

I like W2K as well but it's getting harder to find compatible and updated software.
The same is becoming true for XP.

 

why use XP still? thats getting up there.

 

Hi, ProcessGuard which i Very happily use on XP/SP2, Totally blocks Drivers & other things too

If you want it, PM me

 

Windows 7 can run faster than windows 2000 on old machines, just give up, for example, on all advanced graphics options. See this old article about it.

 

Have you ever actually tried running 7 in a VM with less than a gig of RAM? Because I have, and it's definitely slower than 2000.

That said...

- I have discovered that FreeBSD 9, unlike Linux, actually works okay on a Pentium II. I've got it running on my former Win2k box. It's certainly not as user-friendly, but it's good enough for me, and I may yet become a BSD fanatic.

- Upgrade to Win7 *is* an option for the other Win2k machine, which has a 1.6 GHz Sempron and half a gig of RAM. Or so it seems. But that computer belongs to a family member, who I'll have to get to back everything up. (Unless I do some kind of 2000 -> XP -> 7 upgrade, which doesn't strike me as a good idea.)

 

CloneRanger: ProcessGuard is from DiamondCS right? Thank you, but I think I will pass.

However, I did discover that the latest version of Online Armor works fine with Win2k!

 

yes, if on top of an old computer you even install windows 7 within a VM then its mininum you can expect...

 

The VM was on the fastest computer I have.

Anyway please consider this issue resolved (if not exactly solved) because I finally got Linux running smoothly on an ex-win2k machine. The secrets are:
- Let Xorg autodetect the right driver and settings (evidently this software is smarter than me)
- Set swappiness and VFS cache pressure to something low, to prevent premature use of swap space (swapping matters more than you think on old machines)
- Use Fluxbox or some other window manager that provides an outline move/resize mode

As things are currently, I'm posting from a Thinkpad 600E (Pentium II, 4 GB EIDE hard drive, 192 MB RAM) and it's running pretty much without a hitch!

 

Classic HIPS like SSM work well on Win 2K and will protect against rootkits on several fronts. Installing a driver requires a running process. Classic HIPS will detect and intercept this process. It will also block the loading of drivers unless it's allowed for the specific process.

Unsupported does not equal weak.

 

Very sad that SSM was discontinued. It was the best. The developer wanted to sell the source code, but clearly he didn't find a buyer.

 

It is a shame, especially when it failed for financial reasons, not for quality or ability problems. One time sale apps are just not financially viable. It would make for a fantastic Open Source project.