UPHClean's "Rootkit" Driver

Discussion in 'Ghost Security Suite (GSS)' started by nameless1, Dec 24, 2005.

Thread Status:
Not open for further replies.
  1. nameless1

    nameless1 Guest

    I use both AppDefend and RegDefend. When I installed the Microsoft User Profile Cleanup Service (version 1.6d), AppDefend did not notify me that a "rootkit driver" was being installed.

    However, when I ran RootKit Hook Analyzer, it showed a "rootkit driver" associated with the UPHClean service (named uphclean.sys).

    I am not worried about UPHClean actually being a rootkit. I am wondering why AppDefend did not seem to have caught this driver, or what else may have happened.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi nameless1,

    AppDefend protects against "undocumented" driver installation methods, while RegDefend protects against traditional registry-based driver installation. Microsoft's UPHClean setup very likely uses the latter method. More here: Rootkit protection in AppDefend....

    Nick
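The "traditional registry-based driver installation" Nick refers to is a kernel-driver service entry under HKLM\SYSTEM\CurrentControlSet\Services (Type = 1, SERVICE_KERNEL_DRIVER, with an ImagePath pointing at the .sys file). The following PowerShell audit script is an added example, not code from the thread, from Ghost Security, or from Microsoft: it enumerates every driver registered that way, resolves the ImagePath, checks the file's Authenticode signature, and flags any service name you pass in (uphclean, from the thread, is the default). The `-Highlight` parameter and the `Flagged` column are this script's own conventions.

```powershell
# Added example (not from the thread): list kernel-mode drivers registered the
# "traditional" way, i.e. as a service entry under
# HKLM\SYSTEM\CurrentControlSet\Services with Type = 1 (SERVICE_KERNEL_DRIVER).
# 'uphclean' is the service name mentioned in the thread; -Highlight is this
# script's own parameter, not anything from AppDefend/RegDefend.
param([string[]]$Highlight = @('uphclean'))

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.Type -ne 1) { return }   # keep only kernel drivers

    # Driver ImagePaths come in three common shapes; normalise all of them to a
    # full Win32 path so Test-Path and the signature check work:
    #   \??\C:\path\foo.sys            -> C:\path\foo.sys
    #   \SystemRoot\system32\foo.sys   -> C:\Windows\system32\foo.sys
    #   system32\DRIVERS\foo.sys       -> C:\Windows\system32\DRIVERS\foo.sys
    $image = [string]$props.ImagePath
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\?SystemRoot\\', "$env:SystemRoot\"
    if ($image -and -not [System.IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }

    $sig = if ($image -and (Test-Path -LiteralPath $image)) {
        (Get-AuthenticodeSignature -FilePath $image).Status
    } else { 'FileMissing' }

    $start = if ($null -ne $props.Start -and $startNames.ContainsKey([int]$props.Start)) {
        $startNames[[int]$props.Start]
    } else { 'Unknown' }

    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $start
        ImagePath = $image
        Signature = $sig
        # Flag drivers you asked about by name, plus anything unsigned or missing on disk.
        Flagged   = ($Highlight -contains $_.PSChildName) -or ($sig -ne 'Valid')
    }
} | Sort-Object @{ Expression = 'Flagged'; Descending = $true }, Service |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt (reading some service keys and driver files needs administrator rights). A driver that was installed through this registry path is exactly the case RegDefend, not AppDefend, is meant to prompt on, so seeing uphclean.sys listed here with a valid Microsoft signature is the expected, benign outcome for the setup described in the thread; the entries worth a second look are the ones flagged for a missing file or a signature status other than Valid.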
     
  3. nameless1

    nameless1 Guest

    Ah, yes, thank you very much, Nick. The sad thing is I actually read that before, and forgot it. It sucks to have a sieve for a brain.
     