Copy/Update & Pagefile.sys

I recently discovered a flaw in my boot-to-restore solution, because the copy/update of FDISR, doesn't include the pagefile.sys and that means that pagefile.sys isn't cleaned by FDISR.

According Ilya (DefenseWall) some keyloggers operate from the pagefile.sys to record keystrokes.
Read the last posts of this thread :
https://www.wilderssecurity.com/showthread.php?p=1009825#post1009825

Is this a problem for other members ?

 

Hi Erik,

My pagefile is wiped ever time my computer reboots.I wonder if I can still get caught out

 

How do you wipe your pagefile during reboot.

 

I use a software called r-wipe&clean.I set it up so that it deletes all the junk+plus swap+page files before system shutdown and completes its job firts thing when system starts up.

Btw, OT.I see that you use defensewall what's the difference between defensewall and ssm ?

 

I don't think you can compare DefenseWall with SSM, but you could compare DefenseWall with Sandboxie.
I wonder more about the difference between Anti-Executable and SSM.
But what do I know. I'm a less-knowledgeable user, who doesn't even see the difference between good and bad objects. I don't even see suspicious behaviour of bad objects. I only notice malware, when it wipes my system partition, like killdisk, that's something I can see and feel.

I'm not sure what DefenseWall does. It works with untrusted applications with a very limited execution, so that it can't hurt your feelings.
It is sooo quiet, that I don't even notice it's on my computer, except for the icon.

 

I know this software, but I couldn't install it due to an error message.
I think r-wipe is one of the best in cleaning your harddisk.

 

Try again. It is very good in my opinion. I use it together with crap cleaner+wintools.net they do a good job.

 

XP-AntiSpy can clear the pagefile on shutdown / re-boot. The only issue w/ this procedure is that it slows down the operation.

...screamer

 

Yes, but AE says always NO to any unauthorized executable without any other choice. I have to turn off AE before I can even touch this executable. SSM probably gives me the choice to run it or not and that is for a newbie like me DANGEROUS.

You are right about FDISR , even when the executable bypasses AE (which is most unlikely), then FDISR will remove it as a CHANGE, the weakness of all malwares.

 

What kind of security settings, in Windows ?

 

Well my reboot-to-restore + cleaning pagefile.sys on shutdown takes now 115 seconds instead of 100 seconds, which is still acceptable.

 

I like to run in "disconnect user interface" mode.Pretty much like a frozen snapshot ?

 

Don't know what "disconnect user interface" means.
Maybe it's the same as my off-line snapshot, which acts like a computer without internet.

 

I have SSM paid.If you disconnect user interface nothing will happen to your pc because SSM will block it.(Unless you have rules in place).In that sense I meant
"frozen".-

 

Oh I see, I don't know much about SSM. Maybe one day, when I have more time. SSM takes too much time and I have other problems to solve.
Security softwares are priority #2, my total recovery solution is priority #1 and I'm still polishing it.
The pagefile.sys was an unexpected flaw, but R-Wipe cleans it now during each shutdown, which takes about 15 seconds. Case closed.

 

If you want to permanently keep having xp clear the paging file at shut down you can do a registry tweak like this.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management


Change the value of ClearPageFileAtShutdown to 1.



No need to install a program to do this just change the data value in the registry.


Also if you have the free program "Eraser" it has an option to clean the pagefile at shutdown also that you can turn on and off.

 

Well, there seem to be a confusion between Ilya Rabinovich and me in this thread and the confusion started from post #28 and post #41 seems to me that the pagefile.sys has nothing to do with it.
https://www.wilderssecurity.com/showthread.php?t=175054

As far as I understand, all keyloggers change your harddisk, but they can use the pagefile.sys or memory to send data over the internet. So the keylogger isn't installed in the pagefile.sys.

@Horus,
I know and used this registry setting, which is also mentioned in the above link, but this works alot slower than R-Wipe.