should Userinit.exe be protected ??

Discussion in 'ProcessGuard' started by nicM, Jul 28, 2004.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi :D . I recently learned that most dangerous Trojans/Malware often "put" themselves in "IniFileMapping" and "Userinit" under Windows XP (which is equivalent to the Shell, or "System.ini", for the former Windows versions, I think). So, I would like to know if someone has added Userinit.exe to his Program protection list o_O .

    Cheers :D
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi nico-nico, I do not have that .exe in my protection list and do not recall seeing it on any other. :)
    Remember, a program would need to run to use userinit and you would be alerted by the checksum facility; also, .dll injection is prohibited providing you have General option 2 enabled.

    HTH Pilli
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi, Pilli :D . Ah, OK, that way it would be unnecessary, according to what you said (and maybe delicate to configure, I guess...). Thanks :D . I will not try to do "too much" with my "protection" list... ;)

    Cheers! :D
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The rule is quite simple: protect everything that connects to the Net and the default processes that come with Process Guard. It is easy to build a wall around oneself without any doors.
     
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hmmmm.... "everything that connects to the Net", you said? It looks like I'll increase my list of protected programs.....

    Thanks for the Tip, the "wall without doors" regarding IE speaks for itself.. ;)

    Cheers ! :D
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Just make sure you don't give Internet Explorer many "Allow" privileges, because if it becomes compromised, it might be able to take down the rest of your Process Guard protected programs if it has the right "Allow" flags given to it.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Internet Explorer does have "issues" but you can control them relatively easily. Two excellent programs aid. BhoDemon handles the Browser Helper Objects, which can be used for nasty purposes. The other is PopUpCop. I originally bought it for popups, but it does a wonderful job of alerting to ActiveX and drive-by download issues. Used in conjunction with the DCS family and an antivirus/firewall, I've not had any problems.
     
  8. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi, Jason and Peter2150 :D . About IE's Allowed flags: right, I think that only security softs should be granted ALL allowed flags (with later adjustments if needed, for applications like IE :D ).
    And I'm actually trying BHOdemon, seems very useful :cool: . (Never heard about Popupcop, but I run Norton's firewall, doing quite the same, I think, when set at its maximum security level ;) ).

    Thanks :D

    Cheers !
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Better to do it the other way round: only enable the first four Block flags, which is the default, then watch the logging and enable allow flags only when necessary. ;)

    Internet Explorer's default of four block flags - No allows and no options works fine on my three machines. :)
     
  10. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi! My IE comes with the "read" and "get info" allowed flags, which must be inoffensive... :cool: ; But I am surprised, as it has "allow global hook" in options, too. And I'm quite sure that it came with the default wizard from PG itself o_O Whatever, I'll make a try without "allow global hook", to see what happens...
    Oh, and by the way, it would surely be "delicate" to protect Userinit, as it seems to change permanently. (An anti-spyware soft, Flowprotector, that I tried, noticed changes about it at each start; and all of these changes were surely legit; so...)

    Cheers :D
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nothing wrong with trying :) Please let us know how you get on - Pilli
     
  12. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hmmmmm, if you are really interested in the result, I'll volunteer to do that :'( ... . But according to the permanent changes I noticed in Flowprotector about that, I would rather miss my turn :oops: . Hemmmmm :oops: :oops: ...
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi! :) . OK, as I'm curious, I finally made a try with "userinit.exe" protected...
    and, well, it seems to work "quietly", no apparent problems :D . But I'm not sure whether to keep it in the protected list, as it seems that this .exe file is just a "launcher", and protecting only this .exe isn't enough to "protect", because it should be the Registry entries (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, and HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping) which should moreover be protected, I think o_O . So it would be a job for "Reg Prot", from Diamondcs, right?

    Cheers :D
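A defender-side check for the point made in the last post (the Winlogon\Userinit registry value, not userinit.exe itself, is what decides what runs at logon), added here as an example; it is not code from the thread or from DiamondCS. It parses the comma-separated Userinit value and flags any entry other than the expected userinit.exe; the expected path assumes a default Windows XP install on C:, the function names are my own, and the sample values are constructed.

```python
from typing import List, Tuple

# Assumption: default Windows XP install on C:. The stock Userinit value is
# "C:\WINDOWS\system32\userinit.exe," (note the trailing comma).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split the Userinit value into program entries.

    Winlogon starts every comma-separated entry in turn, so a second entry
    is a second program run at each logon. Empty items (the trailing comma),
    whitespace and surrounding quotes are dropped so equivalent spellings match.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"').strip()
        if item:
            entries.append(item)
    return entries


def check_userinit(value: str, expected: str = EXPECTED_USERINIT) -> Tuple[bool, List[str]]:
    """Return (ok, unexpected_entries).

    ok is True only when exactly one program is listed and it is the expected
    userinit.exe (case-insensitive). An empty value is also a finding.
    """
    entries = parse_userinit(value)
    unexpected = [e for e in entries if e.lower() != expected.lower()]
    ok = len(entries) == 1 and not unexpected
    return ok, unexpected


def read_live_userinit() -> str:
    """Read the real value from HKLM on a Windows host (winreg is Windows-only,
    so it is imported lazily; the checks above run on any platform)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed samples: the stock XP value, and one with an extra program appended.
    samples = [
        r"C:\WINDOWS\system32\userinit.exe,",
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\added_example.exe",
    ]
    for sample in samples:
        ok, extra = check_userinit(sample)
        print(("OK      " if ok else "SUSPECT ") + sample, extra)
```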
     