Host file

Discussion in 'ProcessGuard' started by docfleetwood, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    Can process guard protect the Windows Host file from being altered by a trojan. Apparently the "phishing" exploits are growing and part of that is rewriting an ip number in the Host file so it redirects you to a phisher's version of the page you think you are going to.

    Can I just add the Host file to the process guard protected list and it will warn me when its md5 sum changes? Or, since it is not an exe file, will it never get an md5 checksum, even if I add it to the protected list?

    Sorry if this has been asked before - I did a search but couldn't find anything on it in the processguard forum.

    Thanks,

    Doc
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi docfleetwood, the easiest way to protect your HOSTS file is to make it "read" only. In XP it is usually found in *:\wndows\system32\drivers\etc\HOSTS
    Right click HOSTS Select "Advanced" & tick read only you would have to change it back to allow change when you wish to alter your hosts file.
    There are a number of utilities that will allow you to do this in other ways, Spybot being one of them I believe.

    You cannot add it to the checksum list, Thinks: "Hmm maybe a suggestion for the next version"

    You can add it the the protection list but it does not run as a process so would serve no purpose :)

    Cheers Pilli
     
  3. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    Thanks Pilli,

    I know about the 'read only' trick but have read that, while that may be helpful, it is easy for someone to encode into their malware the ability to remove the 'read only' attribute and change the file anyway. So I am looking for something that is significantly more robust. Hopefully they will add it to the next version (the ability to track any file you wish).

    But thanks again for the advice.

    Doc

    PS - and yes, there are other utilities to protect the file such as spybot and the new zonealarm. So I am hoping PG will also be able to do the trick - It would be nice to only have to run a 1/2 dozen utilities to protect my computer and not need to keep adding more ;)
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    To prevent a file such as your hosts file being modified, read-only attribute is the easiest way to go, but like you said it's easy for a malicious program to remove that attribute before it writes to the file. However, I'd still set that attribute because most programs don't bother checking attributes before attempting to write to files so it can be quite effective.

    Another simple method is to have a 'guard' program that simply opens the file and permits READ access to other processes, whilst keeping the file open. While the file is open no other processes will be able to write to the file, yet they'll still be able to read from it (which you'd want). I'm not aware of any such programs, but it'd be very quick and easy to write one so if any of your friends can program then I'm sure they'd be able to put it together for you, if one doesn't already exist. We may even incorporate such a feature into TDS4's active/resident component.

    Regards,
    Wayne
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    ;) Thanks Wayne.
     
  6. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
Thread Status:
Not open for further replies.