should Userinit.exe be protected ??

Discussion in 'ProcessGuard' started by nicM, Jul 28, 2004.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi :D . I recently learned that most of dangerous Trojans/Malware often "put" themselves in "IniFileMapping", and "Userinit", under Windows XP ( what equals to the Shell, or "System.ini", for the formers Windows versions, I think). So, I would like to know if someone has added Userinit.exe in his Program protection list o_O .

    Cheers :D
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi nico-nico, I do not have that .exe in my protection list and do not recall seeing it on any other. :)
    Remember a program would need to run to use userinit and you would be alerted by the checksum facility, also .dll injection is prohibited providing you have the General option 2 enabled

    HTH Pilli
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi, Pilli :D . Ah, OK, it would that way be unnecessary, according to what you said (and maybe delicate to configure, I guess...). Thanks :D . I will not try to make "too much" with my "protection" list... ;)

    Cheers! :D
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The rule is quite simple, protect everything that connects to the Net and the default processes that come with Process Guard. It is easy the build a wall around oneself without any doors.
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hmmmm.... "everything that connects to the Net", you said ? It looks like I'll increase my list of protected program.....

    Thanks for the Tip, the "wall without doors" regarding IE speaks for itself.. ;)

    Cheers ! :D
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Just make sure you don't get internet explorer many "Allow" privileges, because if it becomes compromised, it might be able to take down the rest of your Process Guard protected programs if it has the right "Allow" flags given to it.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    Internet Explorer does have "issues" but you can control them relatively easily. Two excellent programs aid. BhoDemon handles the Browers Helper Objects, which can be used for nasty purposes. The other is PopUpCop. I originally bought it for popups, but it does a wonderful job of alerting to Active X and drive by download issues. Used inconjunction with the DCS family and an antivirus/firewall, I've not had any problems.
     
  8. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi, Jason and Peter 2150 :D . About the IE's Allowed flags: right,I think that only security softs should be granted ALL allowed flags (with later adjustments if needed, for applications like IE :D ).
    And I'm actually trying BHOdemon, seems very useful :cool: . ( never heard about Popupcop, but I run Norton's firewall, doing quite the same, I think, when setted at it's maximum security level ;) ) .

    Thanks :D

    Cheers !
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Better to do it the other way round, Only enable the first four Block flags which is the default, then watch the logging and enable allow flags only when necessary. ;)

    Internet Explorer's default of four block flags - No allows and no options works fine on my three machines. :)
     
  10. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi! My IE comes with read and get info allowed flags, what must be inoffensive... :cool: ; But I am surprised, as it has "allow global hook", in options, too. And I'm quite sure that it came with the default wizard from PG itself o_O Whatever, I'll make a try without "allow global hook", to see what happen...
    Oh, and by the way, it would surely be "delicate" to protect Userinit, as it seems to change permanently. (an anti-spyware soft, Flowprotector, that I tried, noticed changes about it at each start; and all of theses changes were surely legit; so...)

    Cheers :D
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nothing wrong with trying :) Please let us know how you get on - Pilli
     
  12. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hmmmmm, if you are really interrested in the result, I'll volunteer to do that :'( ... . But according to the permanent changes I noticed in Flowprotector about that, I would rather miss my turn :oops: . Hemmmmm :oops: :oops: ...
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi ! :) . OK, as I'm curious, I finally made a try with "userinit.exe" protected...
    and, well, it seems to work "quietly", no apparents problems :D . But I'm not sure to keep it in the protected list, as it seems that this .exe file is just a "launcher", and protecting this only .exe isn't enough to "protect", because that should be the Registry entries (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit , and HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping), which should moreover be protected, I think o_O . So it would be a job for "Reg Prot", from Diamondcs, right ?

    Cheers :D
     
Thread Status:
Not open for further replies.