SSM & Host

Discussion in 'other anti-malware software' started by Rico, Feb 18, 2007.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,704
    Location:
    Texas
    Hi Guys,

    Is it possible to write a rule using SSM to protect the 'host' file? If possible exactly how would this be done?


    Thanks & Take Care
    Rico
     
  2. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Rules->Applications, then under "Object Name", choose the group folder you want to place the hosts file in, right-click and choose: Edit Rules->Add Rule for file, in "Files of type" choose "All Files [*.*]" then next to "Look in" drill down to the hosts file, select it, then hit "Open". That should do it. Once you have it in place, you may want to tailor the security on it by right-clicking it, choose "Special Permissions". You will probably want to choose "Protect from remote data modification", at least.
     
  3. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    That will not work. SSM can prevent a process from being modified by another process but the hosts file is NOT a process. It's a text file that cannot be executed, so even if the checksum changes SSM will never alert about that.
     
  4. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,704
    Location:
    Texas
    Hi Guys,

    I remember WinPatrol & Microsoft AntiSpyware would alert if the 'hosts' file is/was modified. I was hoping that one of my resident apps (SSM, RD, AVG/as, or NOD32) could protect or notify. Currently the file is read-only; does it need anything other than that?

    Take Care
    Rico
     
  5. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I know it's not a process so that is why I suggested to select "Protect from remote data modification", since this is probably - maybe?? - the only useful option for only a text or similar file. I have not tried this but why wouldn't SSM at least protect that type of file from data modification?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Actually there is something you can do with RD. Make sure it is protecting the data on this Reg value:-

    HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters || DataBasePath

    That gives the file path for your Hosts File and if it got changed it could result in a spurious file being used instead.

    As to the Hosts File itself, you can lock it with ZA Pro if you happen to use that; also SpywareBlaster enables you to keep a backup copy in case of emergency.

    I have been using CounterSpy to protect my non-Registry locations, including the Hosts File, though the recent version is not entirely to my liking!
    File protection is being mooted for a future release of SSM, but for the moment it does not protect non-running objects. (aside from special cases, such as .ini startup files etc)
     
  7. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Too bad, though I guess anything trying to modify the hosts file should be picked up by SSM anyways, since it is likely to be an executable?
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The simplest way to protect the Hosts file is via Windows' NTFS permissions - set Write and Modify to Deny for all users aside from the Administrator, and don't use the Administrator account for day-to-day use. If you then do need to modify the hosts file, use the Run As option to start up a copy of Explorer with Admin privilege to access the file.
     
  9. EASTER.2010

    EASTER.2010 Guest

    This very issue that has been brought up is exactly why I have been crowing for so long and loud for someone, anyone who is expert at programming development, to invent a simple Folder/File Monitor as a standalone or else incorporate a folder monitor into their security products.

    It's extremely important even after a rule is applied (if possible), or after applying M$ Group Policy to have areas, chiefly specific directory folders of importance constantly monitored for any forced changes IMO.

    In this case the gentleman seeks only to protect a single text file that has been a notorious target of malware redirectors the world over, namely his HOSTS file.

    I have been relying on an old abandoned project named FileChangeAlarm which only monitors folders but does a fair enough job of it. LoL

    btw, it was my understanding that SSM was to incorporate some type of Folder monitoring. Never heard if they got around to implementing it in one of their many latest releases yet or not.

    I can only find it Google cached now.
    FileChangeAlarm...cache'd
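
    Added example, not part of the thread and not code from any product named in it: a minimal change check for the hosts file of the kind asked for above, which compares the current content against a trusted baseline and reports which hostname mappings were added, removed or changed. The sample file contents, hostnames and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data (not from the thread); 203.0.113.0/24 is a documentation range.
BASELINE = """# known-good copy
127.0.0.1   localhost
0.0.0.0     ads.example.com   # blocked
"""
CURRENT = """# known-good copy
127.0.0.1   localhost
203.0.113.7 www.bank.example update.vendor.example
"""

def parse_hosts(text):
    """Map each hostname to the tuple of addresses assigned to it."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comment
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:  # one address may carry several names
            mapping.setdefault(name.lower(), []).append(fields[0])
    return {name: tuple(addrs) for name, addrs in mapping.items()}

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check(baseline_text, current_text):
    """Compare current hosts content against a trusted baseline."""
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        findings.append((kind, name, before, after))
    # "modified" is true for any byte change; findings lists only mapping changes
    return {"modified": sha256(baseline_text) != sha256(current_text),
            "findings": findings}

if __name__ == "__main__":
    result = check(BASELINE, CURRENT)
    print("modified:", result["modified"])
    for finding in result["findings"]:
        print(*finding)
```

    For real use, read the current text from the hosts file in the directory named by the DataBasePath value mentioned earlier in the thread, and keep the baseline copy somewhere an unprivileged process cannot write.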
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It has been raised regularly and is on the ToDo list (see here, here and here). However NTFS permissions will do the job just as effectively for those sensible enough to limit their use of the Admin account.
     