Shutdown Defender

Discussion in 'ProcessGuard' started by pasito, Dec 8, 2005.

Thread Status:
Not open for further replies.
  1. pasito (Registered Member; joined Dec 8, 2005; 22 posts)

    ProcessGuard should protect from unauthorized system shutdowns/restarts/log-offs.

    -Why?-

    Some malicious programs can add themselves to the BootExecute entry of the registry, allowing code execution during the boot-up procedure of the computer (the loading screen before the Windows login screen).

    The code could modify a wide variety of security suites such as ProcessGuard, SSM, TDS-3, RegDefend, anti-viruses, firewalls etc., and system files, before any security is effective.
     
  2. gottadoit (Security Expert; joined Jul 12, 2004; 601 posts; location: Australia)

    pasito,
    I'm not really sure what you are suggesting here. ProcessGuard is for execution protection and constraining some potentially insecure behaviours without explicit authorisation; it is not a registry-based defense tool.

    On the other hand, RegDefend was created to protect against exactly this type of problem, and it would stop the hypothetical process from creating the BootExecute entry in the registry in the first place.

    If you allow arbitrary registry modifications to BootExecute or PendingFileRenameOperations, then you are effectively allowing your security programs to be bypassed if you happen to be unfortunate enough to be running some malware that does this.

    Polling registry monitors would have a fair chance at catching a change like this as well; it would depend on how quickly the malware could get the machine to reboot.

    That said, simply protecting against a shutdown wouldn't do very much if BootExecute was changed and you didn't have a registry monitor running that could tell you about it.
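The two Session Manager values gottadoit names above can be checked directly rather than waiting for a registry monitor to fire. The PowerShell below is an added example for this thread, not code from the thread, from ProcessGuard or from RegDefend; it assumes a stock installation where BootExecute holds only the default `autocheck autochk *` entry (the list `$expectedBootExecute` is that assumption) and treats any other entry, or any queued PendingFileRenameOperations, as something to review.

```powershell
# Added example: audit the Session Manager values that run before user-mode
# security software starts. Run from an elevated PowerShell prompt.
function Test-SessionManagerBootValues {
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $sm = Get-ItemProperty -Path $smKey

    # Assumption: a stock install has exactly this BootExecute entry (chkdsk at boot).
    # Add legitimate native boot programs you know about before relying on the check.
    $expectedBootExecute = @('autocheck autochk *')

    $findings = @()

    # BootExecute is REG_MULTI_SZ; PowerShell returns it as string[].
    $bootExecute = @($sm.BootExecute)
    $unexpected = $bootExecute | Where-Object { $_ -and ($expectedBootExecute -notcontains $_) }
    foreach ($entry in $unexpected) {
        $findings += [pscustomobject]@{ Value = 'BootExecute'; Detail = "unexpected entry: $entry" }
    }

    # PendingFileRenameOperations is normally absent; when present it is a flat list of
    # (source, destination) pairs that smss.exe applies at next boot. An empty destination
    # means the source file is deleted, which is how security binaries get removed early.
    $pending = @($sm.PendingFileRenameOperations)
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        $op  = if ([string]::IsNullOrEmpty($dst)) { "DELETE $src" } else { "MOVE $src -> $dst" }
        $findings += [pscustomobject]@{ Value = 'PendingFileRenameOperations'; Detail = $op }
    }

    return $findings
}

$findings = Test-SessionManagerBootValues
if ($findings.Count -eq 0) {
    Write-Host 'BootExecute is at its default and no file renames are queued for next boot.'
} else {
    Write-Warning 'Boot-time registry values differ from the expected baseline:'
    $findings | Format-Table -AutoSize
}
```

A queued rename or delete is not proof of anything on its own; Windows Update and installers use PendingFileRenameOperations legitimately. What matters is whether the targets are security software, and whether the change coincides with a reboot you did not ask for, which is exactly the window a polling monitor can miss.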
     
  3. pasito (Registered Member; joined Dec 8, 2005; 22 posts)

    Hmm, very true. Well, I suppose Shutdown Defender would still be a good addition to ProcessGuard.

    Well, I suppose every scenario I make up can be prevented in the first place, but it would make ProcessGuard a more solid product.

    Wouldn't you agree?
     
  4. gottadoit (Security Expert; joined Jul 12, 2004; 601 posts; location: Australia)

    pasito,
    It might be OK as far as features go, as long as it intercepted the request prior to the OS not allowing new processes to start because it is in the middle of shutting down.

    You can get notification prior to the reboot if you have logonui.exe (in system32) ask for permission to execute. That at least stops the shutdown process while you are being prompted; it just doesn't allow you to stop it, because whether you allow or deny the execution, the shutdown or reboot operation still happens. I have found this notification quite useful so that I can finish off something cleanly.
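The logonui.exe prompt gottadoit describes tells you a shutdown is under way but not which process asked for it. After the fact, Windows records that in the System event log: the User32 provider writes Event ID 1074 for each shutdown or restart request, naming the requesting process and the user it acted on behalf of. The PowerShell below is an added example, not code from the thread or from ProcessGuard; the regular expressions assume the English-language message text, and fall back to the raw message where they do not match.

```powershell
# Added example: list recent shutdown/restart requests and the process that made them.
# Event ID 1074 (provider User32) is logged for ExitWindowsEx / InitiateSystemShutdown
# calls, so an unexpected initiator here is the thing to investigate after a surprise reboot.
function Get-ShutdownInitiators {
    param([int]$MaxEvents = 20)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumption: English message text, e.g.
        # "The process C:\Windows\system32\shutdown.exe (HOST) has initiated the restart ...
        #  Shutdown Type: restart". Other locales leave the fields as '(unparsed)'.
        $proc = if ($e.Message -match 'The process (?<p>.+?) \(')       { $Matches['p'] } else { '(unparsed)' }
        $type = if ($e.Message -match 'Shutdown Type:\s*(?<t>\S+)')    { $Matches['t'] } else { '(unparsed)' }
        $user = if ($e.Message -match 'on behalf of user (?<u>\S+)')   { $Matches['u'] } else { '(unparsed)' }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Type    = $type
            Process = $proc
            User    = $user
            Message = $e.Message
        }
    }
}

# Processes you expect to request shutdowns on this machine (assumption; adjust to taste).
$knownInitiators = @('shutdown.exe', 'wininit.exe', 'winlogon.exe', 'explorer.exe')

Get-ShutdownInitiators |
    Where-Object { ($_.Process -split '\\')[-1] -notin $knownInitiators } |
    Format-Table Time, Type, Process, User -AutoSize
```

Reading the System log needs administrator rights. The filter on `$knownInitiators` is only a convenience for scanning a long list; a request from shutdown.exe can still be unwanted, so the time and the user column matter as much as the process name.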
     