Driver load interception for Windows 2000?

Discussion in 'other anti-malware software' started by Gullible Jones, Feb 5, 2012.

Thread Status:
Not open for further replies.
  1. My problem: rootkits and driver-based malware like Stuxnet are common now, and older versions of Windows are very vulnerable (especially to ones that can be transmitted through infected USB sticks).

    My hypothetical patchwork solution: some software that prompts the user whenever something tries to load a driver, set up an autorun service, or write to the MBR. IOW a very limited HIPS.

    (I figure that, if it can't get into the kernel and hide itself, I can find it and disable it using Autoruns/ProcExp/etc. Hopefully I'm mostly right about that.)

    A few things like this already exist...

    - Outpost Firewall Free 6.51: What I usually use on Win2k. Getting a bit long in the tooth though, and seems to let through anything with a "valid" digital signature (so probably would let Stuxnet right past it).

    - System Safety Monitor, AntiHook, etc.: Haven't really tried. Old and unmaintained, I'm thinking they may not protect old systems from new rootkits.

    - MJ RegWatcher: hooks the registry areas that are involved with driver loading and autoruns, so if run as admin it should theoretically be able to block that... Right? However, when I tried it on my Win7 install vs. the Rootkit Revealer driver, it became clear that there are ways of avoiding this method of interception... So unfortunately RegWatcher is a no go.

    Is there anything else out there worth trying? Or is it time to switch all the Windows 2000 boxes to OpenBSD?
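
The registry areas the post above mentions (driver and autorun entries under the Services key) can also be audited after the fact. The following is an added example, not part of the original thread and not code from any of the tools named: it diffs two regedit text exports and reports new or repointed drivers and boot/system/auto-start services. The service names and sample exports are constructed, and ImagePath is assumed to be exported as a plain string value.

```python
import re
DRIVER_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}  # service Type bits
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_services(reg_text):
    """Parse regedit export text into {service: {value_name: value}}."""
    services, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = services.setdefault(m.group(1).lower(), {})
        elif line.startswith("["):
            current = None  # subkey (Enum, Parameters, ...): ignore its values
        elif current is not None and (m := VAL_RE.match(line)):
            name, dword, text = m.groups()
            current[name] = int(dword, 16) if dword else text.replace("\\\\", "\\")
    return services

def new_autostart_entries(baseline, current):
    """Flag drivers and boot/system/auto-start services that are new or repointed."""
    findings = []
    for name, vals in sorted(current.items()):
        if name in baseline and baseline[name].get("ImagePath") == vals.get("ImagePath"):
            continue  # known entry, same binary path
        kind, start = DRIVER_TYPES.get(vals.get("Type", 0) & 0x3), vals.get("Start", 4)
        if kind or start <= 2:
            findings.append((name, kind or "service", START_NAMES.get(start, "?"), vals.get("ImagePath", "")))
    return findings
# Constructed sample exports (simplified: ImagePath shown as a plain string value).
BASELINE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="System32\\DRIVERS\\disk.sys"
'''
CURRENT = BASELINE + r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="System32\\drivers\\exampledrv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv\Enum]
"Count"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleHelper]
"Type"=dword:00000010
"Start"=dword:00000003
'''
print(new_autostart_entries(parse_services(BASELINE), parse_services(CURRENT)))
```

Because a rootkit that is already loaded can hide its own keys from a live export, the comparison is most trustworthy when the current export is taken with the system hive loaded offline.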
     
  2. gregd, Registered Member (Joined: Oct 23, 2009; Posts: 75)

    Official support for Windows 2000 ended in 2010. Why would you continue to cobble together security for an OS that's over 10 years old?
     
  3. wtsinnc, Registered Member (Joined: Oct 3, 2008; Posts: 943)

    VMware?
     
  4. 'Cause it's the only OS that will run decently on some of my computers, and I don't like giving up on old computers. I'm not a big believer in new-today-obsolete-tomorrow.
     
  5. guest, Guest

    Still one of the best that MS put out o_O
     
  6. wtsinnc, Registered Member (Joined: Oct 3, 2008; Posts: 943)

    I like W2K as well but it's getting harder to find compatible and updated software.
    The same is becoming true for XP.
     
  7. Brocke, Registered Member (Joined: Mar 16, 2008; Posts: 2,311; Location: USA,IA)

    Why use XP still? That's getting up there.
     
  8. CloneRanger, Registered Member (Joined: Jan 4, 2006; Posts: 4,978)

    Hi, ProcessGuard, which I Very happily use on XP/SP2, Totally blocks Drivers & other things too :)

    If you want it, PM me ;)
     
  9. fax, Registered Member (Joined: May 30, 2005; Posts: 3,906; Location: localhost)

    Windows 7 can run faster than Windows 2000 on old machines, just give up, for example, on all advanced graphics options. See this old article about it.
     
  10. Have you ever actually tried running 7 in a VM with less than a gig of RAM? Because I have, and it's definitely slower than 2000.

    That said...

    - I have discovered that FreeBSD 9, unlike Linux, actually works okay on a Pentium II. I've got it running on my former Win2k box. It's certainly not as user-friendly, but it's good enough for me, and I may yet become a BSD fanatic.

    - Upgrade to Win7 *is* an option for the other Win2k machine, which has a 1.6 GHz Sempron and half a gig of RAM. Or so it seems. But that computer belongs to a family member, who I'll have to get to back everything up. (Unless I do some kind of 2000 -> XP -> 7 upgrade, which doesn't strike me as a good idea.)
     
  11. CloneRanger: ProcessGuard is from DiamondCS right? Thank you, but I think I will pass. :)

    However, I did discover that the latest version of Online Armor works fine with Win2k!
     
  12. fax, Registered Member (Joined: May 30, 2005; Posts: 3,906; Location: localhost)

    Yes, if on top of an old computer you even install Windows 7 within a VM, then it's the minimum you can expect... :)
     
  13. The VM was on the fastest computer I have. :p

    Anyway please consider this issue resolved (if not exactly solved) because I finally got Linux running smoothly on an ex-win2k machine. The secrets are:
    - Let Xorg autodetect the right driver and settings (evidently this software is smarter than me)
    - Set swappiness and VFS cache pressure to something low, to prevent premature use of swap space (swapping matters more than you think on old machines)
    - Use Fluxbox or some other window manager that provides an outline move/resize mode

    As things are currently, I'm posting from a Thinkpad 600E (Pentium II, 4 GB EIDE hard drive, 192 MB RAM) and it's running pretty much without a hitch!
     
  14. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    Classic HIPS like SSM work well on Win 2K and will protect against rootkits on several fronts. Installing a driver requires a running process. Classic HIPS will detect and intercept this process. It will also block the loading of drivers unless it's allowed for the specific process.

    Unsupported does not equal weak.
     
  15. blacknight, Registered Member (Joined: Sep 25, 2007; Posts: 3,366; Location: Europe, UE citizen)

    Very sad that SSM was discontinued. It was the best. The developer wanted to sell the source code, but clearly he didn't find a buyer.
     
  16. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    It is a shame, especially when it failed for financial reasons, not for quality or ability problems. One-time sale apps are just not financially viable. It would make for a fantastic Open Source project.
     