UPHClean's "Rootkit" Driver

Discussion in 'Ghost Security Suite (GSS)' started by nameless1, Dec 24, 2005.

Thread Status:
Not open for further replies.
  1. nameless1

    nameless1 Guest

    I use both AppDefend and RegDefend. When I installed the Microsoft User Profile Cleanup Service (version 1.6d), AppDefend did not notify me that a "rootkit driver" was being installed.

    However, when I ran RootKit Hook Analyzer, it showed a "rootkit driver" associated with the UPHClean service (named uphclean.sys).

    I am not worried about UPHClean actually being a rootkit. I am wondering why AppDefend did not seem to have caught this driver, or what else may have happened.
  2. nick s

    nick s Registered Member

    Nov 20, 2002
    Hi nameless1,

    AppDefend protects against "undocumented" driver installation methods, while RegDefend protects against traditional registry-based driver installation. Microsoft's UPHClean setup very likely uses the latter method. More here: Rootkit protection in AppDefend....
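
As an added illustration of the registry-based (documented) installation path nick describes, not code from the thread or from Ghost Security: a PowerShell snapshot-and-diff of kernel-driver entries under the Services key, so that an install such as UPHClean's shows up as a newly registered driver. Function names are my own.

```powershell
# Added example, not from the thread. Snapshots the driver registrations that
# live under HKLM\SYSTEM\CurrentControlSet\Services (the SCM/registry path that
# RegDefend watches) so a before/after comparison shows which service key an
# installer added. Assumes Windows PowerShell 3.0+ with read access to HKLM.

function Get-RegisteredKernelDriver {
    # In the Services key, Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Type -in 1, 2) {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Type      = $p.Type
                Start     = $p.Start       # 0=boot 1=system 2=auto 3=demand 4=disabled
                ImagePath = $p.ImagePath   # e.g. a path ending in uphclean.sys for UPHClean
            }
        }
    }
}

# Returns only the drivers present in $After but not in $Before, i.e. the ones
# registered through the documented service-key route during the install.
function Compare-DriverSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Name -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, Type, Start, ImagePath
}

# Example session: run the first line before the installer, the rest afterwards.
# $before = Get-RegisteredKernelDriver
# $after  = Get-RegisteredKernelDriver
# Compare-DriverSnapshot -Before $before -After $after
```

A driver that a hook analyzer reports as loaded but that never appears in this diff would be the "undocumented" loading case nick assigns to AppDefend rather than RegDefend.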

  3. nameless1

    nameless1 Guest

    Ah, yes, thank you very much, Nick. The sad thing is I actually read that before, and forgot it. It sucks to have a sieve for a brain.