SSM Free - how to protect deletion of services?

Discussion in 'other anti-malware software' started by solcroft, Jun 12, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Title says it all, I think.

    Recently I ran across a piece of malware that deleted the SharedAccess (Windows Firewall) service when I executed it, which got me thinking of how to stop this kind of malicious behavior with SSM Free.

    Here's a brief recap of what I've tried so far:

    1. Monitor HKLM\System\CurrentControlSet\Services\SharedAccess
    Didn't work.

    2. Monitor HKLM\System\ControlSet001\Services\SharedAccess
    This works ONLY if the service is not running. If the service is stopped first and then deleted, it is effectively removed from the system even if its registry keys are left intact.

    I tested my system by setting up registry protection rules, then repeatedly using sc.exe and registry editing to try to delete the service in a manner of ways. Any further suggestions?

    Thanks.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft

    Add Winpooch for proper registry and file protection. Outbound net connect is a bonus with WinPooch

    Reg K
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hi Kees,

    Do you know which reg keys/values I need to monitor to prevent service deletion?

    Thanks.
     
  4. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    ssm free ......


    Other options:
    1. PG full ver.
    2. Tiny Desktop Firewall pro .
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    mitchelson,

    Thank you for your help, but that wasn't what I asked.
     
  6. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    Reg keys -- Service Protection? Not enough.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft

    Use EQSecure or Winpooch to protect the file path of services in the Registry

    entry: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\*
    key: ImagePath

    Protect the start status also
    entry: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\*
    key : Start


    Protect the services (or better, critical files in general) from modification (in WinPooch or EQSecure), see pic 2


    Reduce the rights/authorization to start/stop services in the registry with the registry editor, see pic 1 (in Dutch). Be careful though: first google and learn how to do this according to your wishes (do not just try it and hope it will work).
     

    Attached Files:
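An added audit script, not from this thread or from any of the tools named in it, that checks on a Windows box the two registry values Kees1958 names (ImagePath and Start) and the service's own security descriptor, which is what actually governs who may delete or reconfigure a service once it is registered. The default service name (SharedAccess) and the allow-list of trusted principals (SYSTEM and Administrators) are assumptions.

```powershell
# Added example, not from the thread: audits one service's registry values and its
# security descriptor from a defender's side. Default service name (SharedAccess) and the
# choice of trusted principals (SYSTEM, Administrators) are assumptions for this example.
param([string]$ServiceName = 'SharedAccess')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $keyPath)) {
    Write-Warning "$keyPath is missing; the service may already have been deleted."
    return
}
$cfg = Get-ItemProperty -Path $keyPath
"ImagePath : $($cfg.ImagePath)"
"Start     : $($cfg.Start)   (2 = automatic, 3 = manual, 4 = disabled)"

# sc.exe sdshow prints the service security descriptor in SDDL, e.g.
# D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
$line = sc.exe sdshow $ServiceName | Where-Object { $_ -match 'D:\(' } | Select-Object -First 1
if (-not $line) { Write-Warning "sc.exe sdshow returned no SDDL for $ServiceName"; return }
$sddl = $line.Trim()
"SDDL      : $sddl"

# Service rights that allow deleting or re-pointing the service:
# SD = DELETE, DC = SERVICE_CHANGE_CONFIG, WD = WRITE_DAC, WO = WRITE_OWNER, GA = GENERIC_ALL
$dangerous = 'SD', 'DC', 'WD', 'WO', 'GA'
$trusted   = 'SY', 'BA', 'S-1-5-18', 'S-1-5-32-544'   # LocalSystem and Builtin\Administrators

# Each ACE has the form (type;flags;rights;object_guid;inherit_guid;sid)
foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
    $parts = $m.Groups[1].Value.Split(';')
    if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # only access-allowed ACEs
    $rights = $parts[2]; $sid = $parts[5]
    if ($rights -like '0x*') {                                   # raw access mask, not letter codes
        Write-Warning "ACE for $sid uses a raw mask ($rights); inspect it by hand"
        continue
    }
    # Rights are concatenated two-letter codes, so split in pairs rather than substring-matching
    $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
    $hit = $codes | Where-Object { $dangerous -contains $_ }
    if ($hit -and $trusted -notcontains $sid) {
        Write-Warning "$sid holds $($hit -join ',') on $ServiceName and could delete or reconfigure it"
    }
}
```

Run it from an elevated PowerShell prompt; a warning for any SID outside the trusted list is the condition a registry-only rule cannot catch, since the service control manager enforces this descriptor regardless of who can write the registry key.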

  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks for the reply.

    Will try it when I get home and let you know how it goes.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan