Copy/Update & Pagefile.sys

Discussion in 'FirstDefense-ISR Forum' started by ErikAlbert, May 23, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I recently discovered a flaw in my boot-to-restore solution, because the copy/update of FDISR doesn't include the pagefile.sys, and that means that pagefile.sys isn't cleaned by FDISR.

    According to Ilya (DefenseWall), some keyloggers operate from the pagefile.sys to record keystrokes.
    Read the last posts of this thread :
    https://www.wilderssecurity.com/showthread.php?p=1009825#post1009825

    Is this a problem for other members ?
     
  2. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    Hi Erik,

    My pagefile is wiped every time my computer reboots. I wonder if I can still get caught out :rolleyes:
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How do you wipe your pagefile during reboot? o_O
     
  4. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    I use a software called R-Wipe&Clean. I set it up so that it deletes all the junk plus swap/page files before system shutdown and completes its job first thing when the system starts up.

    Btw, OT. I see that you use DefenseWall; what's the difference between DefenseWall and SSM?
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't think you can compare DefenseWall with SSM, but you could compare DefenseWall with Sandboxie.
    I wonder more about the difference between Anti-Executable and SSM.
    But what do I know. I'm a less-knowledgeable user, who doesn't even see the difference between good and bad objects. I don't even see suspicious behaviour of bad objects. I only notice malware, when it wipes my system partition, like killdisk, that's something I can see and feel.

    I'm not sure what DefenseWall does. It works with untrusted applications with a very limited execution, so that it can't hurt your feelings.
    It is sooo quiet, that I don't even notice it's on my computer, except for the icon. :D
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I know this software, but I couldn't install it due to an error message.
    I think r-wipe is one of the best in cleaning your harddisk.
     
  7. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    Try again. It is very good in my opinion. I use it together with Crap Cleaner + WinTools.net; they do a good job.
     
  8. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
     
  10. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    XP-AntiSpy can clear the pagefile on shutdown / re-boot. The only issue w/ this procedure is that it slows down the operation.

    ...screamer
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    In the security settings, you can have the pagefile wiped clean every time the system shuts down. It does add some time. My preference is prevention.

    Pete
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    To answer the question, without much detail, as it is slightly off topic: the difference between, say, AE and KAV/PDM or SSM is that AE blocks the exe from running, but once the exe runs that is it. KAV/PDM or SSM do that, but also challenge additional things like installing services. This kind of gives a 2nd chance.

    For example, if you get slightly in a hurry and allow an executable to run, and then realize you shouldn't have with SSM and KAV/PDM, you can just start blocking anything else it does.

    Then of course you undo the whole thing with FDISR:D
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, but AE says always NO to any unauthorized executable without any other choice. I have to turn off AE before I can even touch this executable. SSM probably gives me the choice to run it or not and that is for a newbie like me DANGEROUS. :D

    You are right about FDISR :D, even when the executable bypasses AE (which is most unlikely), then FDISR will remove it as a CHANGE, the weakness of all malware. :D
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What kind of security settings, in Windows?
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well my reboot-to-restore + cleaning pagefile.sys on shutdown takes now 115 seconds instead of 100 seconds, which is still acceptable. :)
     
  16. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    I like to run in "disconnect user interface" mode. Pretty much like a frozen snapshot?
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Don't know what "disconnect user interface" means.
    Maybe it's the same as my off-line snapshot, which acts like a computer without internet.
     
  18. Banshee

    Banshee Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    543
    I have SSM paid. If you disconnect the user interface, nothing will happen to your pc because SSM will block it (unless you have rules in place). In that sense I meant "frozen".
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Oh I see, I don't know much about SSM. Maybe one day, when I have more time. SSM takes too much time and I have other problems to solve.
    Security software is priority #2, my total recovery solution is priority #1 and I'm still polishing it.
    The pagefile.sys was an unexpected flaw, but R-Wipe cleans it now during each shutdown, which takes about 15 seconds. Case closed.
     
  20. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    If you want to permanently keep having XP clear the paging file at shutdown, you can do a registry tweak like this.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    Change the value of ClearPageFileAtShutdown to 1.

    No need to install a program to do this, just change the data value in the registry.

    Also, if you have the free program "Eraser", it has an option to clean the pagefile at shutdown that you can turn on and off.
     
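    The registry change Horus37 describes, as an added PowerShell example (not code from the thread or from any of the tools mentioned) that first audits the current setting and then enables it with -WhatIf support; the function names are my own, and changing the value assumes an elevated session.

```powershell
# Added example, not from the thread: audit and enable ClearPageFileAtShutdown.
# Reading the key works unelevated; writing it needs an elevated session.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-PageFileClearingState {
    # Returns the current value plus the configured paging files for context.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction Stop
    $clear = 0
    if ($null -ne $props.ClearPageFileAtShutdown) {
        $clear = [int]$props.ClearPageFileAtShutdown
    }
    [pscustomobject]@{
        ClearPageFileAtShutdown = $clear
        Enabled                 = ($clear -eq 1)
        PagingFiles             = $props.PagingFiles   # e.g. 'C:\pagefile.sys 0 0'
    }
}

function Enable-PageFileClearing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-PageFileClearingState
    if ($state.Enabled) {
        Write-Verbose 'ClearPageFileAtShutdown is already set to 1'
        return $state
    }
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set ClearPageFileAtShutdown = 1')) {
        # REG_DWORD 1: the memory manager overwrites the pagefile with zeros at
        # shutdown. The value is read at boot, so reboot once before relying on it,
        # and expect shutdown to take longer (as the thread notes). It does not
        # touch hiberfil.sys, so hibernation still needs separate handling.
        Set-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
    }
    Get-PageFileClearingState
}

# Audit first, then preview the change; drop -WhatIf to apply it.
Get-PageFileClearingState | Format-List
Enable-PageFileClearing -WhatIf
```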
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Well, there seems to be confusion between Ilya Rabinovich and me in this thread; the confusion started from post #28, and post #41 seems to me to say that the pagefile.sys has nothing to do with it.
    https://www.wilderssecurity.com/showthread.php?t=175054

    As far as I understand, all keyloggers change your harddisk, but they can use the pagefile.sys or memory to send data over the internet. So the keylogger isn't installed in the pagefile.sys.

    @Horus,
    I know and used this registry setting, which is also mentioned in the above link, but this works a lot slower than R-Wipe.
     