Note to path-based anti-exe program users: recent Windows update adds another path to blacklist

Discussion in 'other anti-malware software' started by MrBrian, Jan 14, 2015.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    One or more of the January 13, 2015 Windows updates on Windows 7 x64 resulted in a path within folder \Windows that is writable by everyone: C:\Windows\SysWOW64\Microsoft\Crypto\RSA\MachineKeys. Other operating systems might also be affected.

    Member Minimalist noticed the same thing back in 2014 on Windows 8.1.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    Thank you for the heads up, MrBrian. Windows 10 builds did not receive this update. However, I will run the audit when the new build comes out on the 21st and see if it has been affected. I will post here at the time if Windows 10 is affected.
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    It is taken care of by AppGuard with no settings needing to be added/changed. That system space folder is write protected from user space programs as well as from installed guarded apps.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That can miss some cases though, for example ACLs with specific user accounts.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Which parameters do you use? I use administrator account (with UAC on max) and if I run that check for my account I get almost all folders listed. All of them are writable for my account sure, but only when I elevate my privileges.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    Should be run/tested under a Standard (LUA) account for proper audit with this method. The reason why I know is because I have followed MrBrian's technique for quite some time now. Hopefully he will chime in here as well and confirm as well as suggest why that is necessary.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Setting up a Standard account is too much just to check it. I found out that I can use icacls.exe to get a list of objects with rules for my username.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    WildByDesign is right that the method that I use works only for a standard account. A thread in post #4 lists a workaround for UAC-protected admin accounts (i.e. temporarily demote it to a standard account). The reason it doesn't work for a UAC-protected admin account is because of "split tokens."
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    Thanks, I thought it was something like that :) For now I settled on this solution: check the drive to identify files and folders with permissions for my username and then check permissions for my account on identified files and folders.
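The audit the thread describes (posts #1, #9, #10 and #11: look for folders under \Windows whose ACL lets a normal user write, run the check from a standard account because a UAC admin's split token would over-report, or use icacls to find rules for a specific username) can be scripted. The script below is an added example, not code from MrBrian, Minimalist or any product mentioned here. It assumes Windows PowerShell 5.1 or later, a root of C:\Windows, and an assumed list of "broad" principals that every interactive user belongs to; a directory is reported when an Allow ACE grants file-creation or write bits (or unmapped GENERIC_WRITE/GENERIC_ALL) to one of those principals or to the calling account, unless a Deny ACE for a watched principal covers the same bits.

```powershell
# Added example (not from the thread or any product in it): list directories
# under a root whose ACL lets a standard user create or modify files there.
# Assumption: run from a standard (LUA) account, as the thread recommends.
# An elevated admin session evaluates the full token and over-reports.
function Find-WritableDirectory {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\Windows',
        # Assumed list of principals every interactive user is a member of.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($me)
    # IsInRole(Administrator) is true only for an elevated (unfiltered) token.
    if ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Running elevated: results reflect the admin token, not a standard user.'
    }

    # Identities treated as "me": account name plus enabled group memberships.
    $mine = @($me.Name) + @($me.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })
    $watch = $BroadPrincipals + $mine

    # CreateFiles (WriteData) and CreateDirectories (AppendData) are the bits
    # that let a principal drop or alter files in a directory; Write, Modify and
    # FullControl all include them, so a bitwise test catches those too.
    $writeMask   = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                         [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
    $genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, if left unmapped
    $mask        = $writeMask -bor $genericMask

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($d in $dirs) {
        try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }

        $rules = @($acl.Access | Where-Object { $watch -contains $_.IdentityReference.Value })

        # Every watched principal is one the caller belongs to, so a Deny of the
        # write bits for any of them applies to the caller and wins over Allow.
        $denied = $rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and (([int]$_.FileSystemRights) -band $mask) -ne 0
        }
        if ($denied) { continue }

        foreach ($r in $rules) {
            if ($r.AccessControlType -eq 'Allow' -and (([int]$r.FileSystemRights) -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Principal = $r.IdentityReference.Value
                    Rights    = $r.FileSystemRights
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

# Usage: run from a standard account and review anything outside the
# directories you already expect to be writable (e.g. C:\Windows\Temp).
Find-WritableDirectory -Root 'C:\Windows' | Sort-Object Path | Format-Table -AutoSize
```

The script walks the ACL directly rather than relying on the "effective access" UI, which is why the standard-account caveat from post #10 matters: a UAC-protected administrator's filtered token drops the Administrators group to deny-only, so an elevated PowerShell window would list directories that the same user cannot write to from a normal process. The icacls route Minimalist mentions is presumably something like icacls C:\Windows /findsid "$env:USERDOMAIN\$env:USERNAME" /T /C /Q (his exact parameters are not given in the thread), which finds ACEs naming a specific account but not the broad-group grants the script above also checks.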
     
  12. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    None of the Win 7 x64 machines I have checked have that folder. I did install the latest updates. Do you know which update could be creating it?
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'm not sure. It's also possible that uninstallation and reinstallation of Avast Free Antivirus caused it.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Uninstalling Avast Free Antivirus creates this path. Sorry for the wrongful assumption.:oops:
     