v4's feet of clay: IFEO hijacking

Discussion in 'ESET Smart Security v4 Beta Forum' started by Bensec, Nov 20, 2008.

Thread Status:
Not open for further replies.
  1. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    feet of clay :ouch: found in v4

The toolkit (Wsyscheck) here uses IFEO hijacking to disable/block the target program.

    Operations:

1. Start Wsyscheck, right-click on ekrn.exe and choose the highlighted menu item on the popup menu as below.

    http://www.nod32club.com/attachments/month_0811/20081121_13f82e658ce5e35dc642XdifAH3Ciu9S.jpg


The Image File Execution Options entry is left in the registry after reboot.
    http://www.nod32club.com/attachments/month_0811/20081121_94d126937998f149d9e5HX3iyAyACdqN.jpg

2. Reboot your computer.

Source: http://www.nod32club.com/viewthread.php?tid=58077
(your Chinese official forum =)

*The OP suggested that v4 should have a driver implementing kernel-level protection that can take effect at the early boot stage to protect critical registry keys and files.

--
Oops, I missed the second shot.
     
    Last edited: Nov 20, 2008
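What Wsyscheck does in the procedure above is write a `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe`; Windows then launches the named "debugger" instead of ekrn.exe whenever the image is started, so pointing the value at a binary that is not a debugger effectively blocks the program. The following is an added example, not code from the original post, from Wsyscheck or from ESET: it audits an exported copy of the IFEO key for exactly this kind of entry. The `.reg` text embedded in it is a constructed sample (it is not a real export from the poster's machine), and the function names are my own.

```python
"""Audit a .reg export of the Image File Execution Options key for Debugger hijacks.

Produce the export on the target with:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
Real exports are UTF-16LE text; open them with encoding="utf-16".
"""
import re
import sys
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample export (not a real one). The ekrn.exe subkey mirrors the
# hijack from the post: a Debugger value pointing at a non-debugger binary.
# The notepad.exe subkey carries a harmless, non-Debugger IFEO flag.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"=<rhs>  or  @=<rhs>   (the value name may contain escaped quotes/backslashes)
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \  and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: value}} for a .reg file.

    String values are unescaped; dword:/hex: values are kept as their raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            rhs = m.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                keys[current][name] = _unescape(rhs[1:-1])
            else:
                keys[current][name] = rhs
    return keys


def find_ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (image name, debugger path) for every IFEO subkey with a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        for name, value in values.items():
            if name.lower() == "debugger":   # value names are case-insensitive
                hits.append((image, value))
    return hits


def audit(text: str) -> List[str]:
    """Human-readable findings for one export; empty list means no Debugger entries."""
    return [f"{image} is redirected to {debugger}"
            for image, debugger in find_ifeo_debuggers(parse_reg(text))]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    for finding in audit(text) or ["no IFEO Debugger entries found"]:
        print(finding)
```

Any hit deserves a look: a legitimately installed just-in-time debugger will point at a real debugger executable, while the hijack in the post points ekrn.exe at an unrelated system binary. On a live machine the same check is one command, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`; the script is for triaging exports taken from a machine you cannot, or do not want to, trust to run code on.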
  2. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
IFEO hijacking is usually used by viruses.
     
  3. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
Yep, but Wsyscheck/IceSword... are virus-removal toolkits for cleaning rootkits and other stubborn viruses and trojans.
They are risky at some point, but they are powerful.

Maybe ESS and other AVs can use IFEO hijacking against viruses and trojans too.
To some extent, the act of removing any single file is itself potentially risky,
so no trick is risky enough to be/deserve to be forever forbidden as "dark magic". :cool:
     
  4. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
Hi, x-soar.
It's nice to meet you here.

Your "dark magic" is really great imagery.
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    The issue is being investigated. Thank you for your report.

    Regards,

    Aryeh Goretsky
     
  6. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
Ah, glad to hear that.

I really hope v4 can take ESET products to an entirely new level of security.
Maybe ESS can offer extra protection for critical system registry keys like Pendingoperations and IFEO as optional protection, and wrap it up together with the other self-protection functions in a separate module, someday.

Personally, I like it to be light and focused.
I use a HIPS to protect critical registry keys and files, and I don't like KIS etc.
Some of their protection is redundant and inferior to a professional HIPS :)
     