Efficacy of different setups at containing a userspace attack on Windows XP SP3

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 10, 2013.

Thread Status:
Not open for further replies.
  1. The Shadow

    The Shadow Registered Member

    No, SD is not sufficient by itself (but for that matter, what is?). All ISR/LV apps are vulnerable to infection without malware protection. Their only 'claim to fame' is their potential ability to restore a clean system upon rebooting; that's the only way to test their mettle.

    Regards,
    TS
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Ah, I see what you're getting at.

    Currently I'm working with another ISR program, Faronics Deep Freeze; and so far I've been unable to do anything to the driver. ATM I'm researching how to build an injected payload to unhook it, so I can turn the thing off and write to the disk.

    I do have to admit a grudging respect for this kind of software. :) I don't think it's well suited for home/desktop use, but it's highly effective within its own narrow domain.
     
  3. EASTER

    EASTER Registered Member

    Hang in there Gj

    Your efforts are welcome discoveries indeed.

    EASTER
     
  4. AlexC

    AlexC Registered Member

    I would like to see how Kaspersky behaves in this test...
     
  5. Gullible Jones

    Gullible Jones Registered Member

    May try it. It has a HIPS component, right? If that's any good, it should do pretty well.

    But keep in mind that I've been hitting a brick wall with kernel stuff. Messing around in userspace is easy (especially on Windows); in kernel space it's a whole other story. To access functions that are not part of the public API, you need your own driver, and writing one is currently beyond my skills. So again, results in these tests are probably better than what you'd get from a real attack.
     
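One way to characterise the test environment the post above describes, as an added example that is not code from the thread, from Faronics or from any product mentioned: before running a userspace-only test against an ISR/LV product, list the kernel drivers that are actually running (the part a userspace payload cannot reach without a driver of its own) and record whether the test account could load a driver at all. The driver name patterns are assumptions; replace them with the names of the product under test. It assumes PowerShell 2.0 or later is installed on the XP SP3 box.

```powershell
# Added example (not from the thread): inventory the kernel side of an ISR/LV
# product and check whether this account could even load a driver.
# The patterns below are assumptions, not the product's real driver names.
param(
    [string[]]$DriverPatterns = @('*Deep*', '*Frz*', '*Shadow*')   # assumed
)

# Every driver currently running in kernel space. A userspace process can
# enumerate these through the Service Control Manager / WMI, but can only talk
# to them through whatever IOCTL interface each driver chooses to expose.
$running = @(Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' })

Write-Host ("{0} kernel drivers running" -f $running.Count)

# Flag the drivers that look like they belong to the product under test.
foreach ($d in $running) {
    foreach ($p in $DriverPatterns) {
        if ($d.Name -like $p -or $d.DisplayName -like $p) {
            Write-Host ("  candidate: {0} ({1}) path={2} start={3}" -f `
                $d.Name, $d.DisplayName, $d.PathName, $d.StartMode)
            break
        }
    }
}

# Could this account load a driver of its own? Windows XP has no UAC, so a
# member of the local Administrators group holds SeLoadDriverPrivilege and a
# payload running as that user is one signed-or-unsigned .sys away from kernel
# space. A limited user is not, which is the boundary the thread is testing.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Host "Running as Administrator: a real attacker here could load a driver;"
    Write-Host "a userspace-only test understates what is possible from this account."
} else {
    Write-Host "Running as a limited user: driver loading is not available, so a"
    Write-Host "userspace-only test matches what this account could really do."
}
```

Run it once under the same account the test payload will use and keep the output with the test results; it makes explicit which drivers were standing between the payload and the disk, and whether the "brick wall" in kernel space was a property of the product or just of the account the test ran as.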
  6. AlexC

    AlexC Registered Member

    Thanks GJ.

    About the HIPS I really don't know; I have installed it numerous times, but I never took the time to mess with the configuration :)
     