What is Samurai driver name?

Discussion in 'other anti-malware software' started by poirot, Mar 2, 2007.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
Can anyone please tell me the name of the (hidden) driver which the 'hardening' software Samurai allegedly puts in 'driver non Plug and Play'?

I need it to be sure I uninstalled everything: I wanted to try Samurai on one PC, but the install couldn't complete and I had made the mistake of not using Total Uninstall, thinking Samurai was very light, which isn't entirely so.
I searched the Registry quite accurately and I also couldn't find anything related in the 'hardware' section of 'My Computer', but I'd rather be sure, if possible, given Samurai's 'hooking' nature.

To those who already run Samurai I'd like to ask if they found any trouble installing it, as I think my other security software (namely in this instance Jetico, Antivir, BOClean and Cyberhawk), although put to sleep before the attempted install, still heavily conflicted with it at reboot, to the point I could completely reboot only at the second attempt.

It's unlikely I'll try again to use Samurai, but I'd like it to be completely uninstalled.
     
  2. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Hi Poirot

    Interesting app Samurai
    I have never tried to uninstall it completely

Search here @wilders shows threads going back to 2005.

    I have just noted this:
    http://gladiator-antivirus.com/forum/index.php?showtopic=49247

    Interesting, VERY VERY interesting, the links go to a (for me) new version: 2.7

    I had thought that all the dl links were gone apart from Download.com which is still hosting V2.5; but with active links to new dl !!

There is some useful info for you wrt uninstall.

If you really want to follow the install/uninstall, then disable/uninstall Samurai.
You should be able to re-enable/reinstall with TU or Zsoft, or if you really want to watch: InCtrl5.

The web page info suggests that the only remnant is the "config" file after disabling/uninstalling, fwiw.

    I am going to start a new thread about V2.7.
    Regards

    ~snip~
     
    Last edited by a moderator: Mar 2, 2007
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi poirot,

    Samurai 2.7 installs KernelHooks.sys and is listed as "KernelHooks" in Device Manager. Its path is whatever folder you installed Samurai to.

    Nick

    PS: KernelHooks.sys + SSM = BSOD
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
I thought Samurai was dead. Maybe I'll re-add it to my setup :thumb:
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Poirot:
    In Autoruns: Drivers: (currently uninstalled so not found)
    "Jump To" in regedit
     

    Attached Files:
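
The check Longboard is describing (Autoruns' Drivers tab, then "Jump To" in regedit) reads the same data as the Services registry key. The script below is an added example, not code from the thread or from Samurai: it enumerates kernel-mode driver entries from that key, reports whether each image is still on disk and whether the kernel has it loaded, and highlights orphaned entries plus any name matching a watch word. The default watch word 'KernelHooks' is the driver name nick s gives above; the path-resolution rules are my own reading of the common ImagePath forms. It is read-only and targets a current PowerShell (Get-CimInstance), not the XP-era shell.

```powershell
# Added example, not from the thread: enumerate kernel-mode driver entries the
# way Autoruns' Drivers tab does (from the Services registry key), then flag
# any whose image file is missing from disk or whose name matches a watch word.
# Read-only; run from an elevated PowerShell prompt so every key is readable.

param(
    # Name fragment to highlight. 'KernelHooks' is the driver named in the thread.
    [string]$Watch = 'KernelHooks'
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service 'Type' values: 1 = kernel driver, 2 = file system driver.
$driverTypes = 1, 2
# Service 'Start' values.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Resolve-DriverImagePath {
    # Turn the ImagePath forms found in the registry into a normal file path
    # (assumed rules covering the usual cases, not an exhaustive list).
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.*)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^\\\?\?\\(.*)$')       { return $Matches[1] }   # \??\C:\... NT path
    if ($p -match '^[A-Za-z]:\\')         { return $p }            # already absolute
    return Join-Path $env:SystemRoot $p                            # e.g. system32\drivers\x.sys
}

function Get-KernelDriverEntries {
    # Drivers the kernel reports as currently loaded, keyed by service name.
    $running = @{}
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { $running[$_.Name] = $true }

    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.Type -notin $driverTypes) { return }
        $resolved   = Resolve-DriverImagePath $props.ImagePath
        $startLabel = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = if ($props.Type -eq 1) { 'Kernel' } else { 'FileSystem' }
            Start     = $startLabel
            Loaded    = [bool]$running[$_.PSChildName]
            OnDisk    = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
            ImagePath = $props.ImagePath
        }
    }
}

function Find-SuspectDriverEntries {
    # Leftovers from a removed product show up here: a service entry whose
    # image no longer exists, or a name you are specifically looking for.
    param([string]$Pattern)
    Get-KernelDriverEntries | Where-Object {
        -not $_.OnDisk -or ($Pattern -and $_.Name -like "*$Pattern*")
    }
}

$all = @(Get-KernelDriverEntries)
"{0} driver entries registered, {1} loaded" -f $all.Count, (@($all | Where-Object Loaded)).Count

$suspects = @(Find-SuspectDriverEntries -Pattern $Watch)
if ($suspects.Count -eq 0) {
    "No entry matching '$Watch' and no orphaned driver entries found."
} else {
    $suspects | Format-Table Name, Type, Start, Loaded, OnDisk, ImagePath -AutoSize -Wrap
}
```

An entry that is present, not on disk and not loaded is the classic remnant of an incomplete uninstall: harmless in itself, but it is what a "hidden driver" search like poirot's is really after. An entry that is loaded but whose file cannot be found is the case worth a closer look with a rootkit scanner, since the path resolution above is deliberately simple.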

  6. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
Thanks a lot, Longboard and nick s, for your help.
I was late in replying due to time zones, e.g. I was flirting with Morpheus until some time ago.

Longboard, the link at Gladiators is very detailed and useful and I fear I didn't follow quite the exact rules for uninstall, simply because I didn't know them.

I've proceeded as I usually do with stubborn programs, anyhow, that is: an 'official' uninstall (in Samurai from within the control panel GUI),
reboot,
a 'Total Uninstall' job then another reboot,
followed by finding all files remaining related to the program, via 'Search All files' and via the Find feature of RegSeeker, a general Clean then Reboot.
After that I run RegSupreme in 'Aggressive' fashion; it still finds something, then another Reboot.
In the end I make a manual, personal survey of the whole Registry and after all I did previously it is rare to find anything, apart from a few paid softwares which might require an intervention at Permit level for erasing their last barriers.

But it seems Samurai did not leave anything behind, also because it didn't install properly in my opinion. I know it does not install in the orthodox sense with an Add/Remove entry; still, the evident conflict which prevented reboot must have somehow hindered its deploying, as the system tray icon (in red with Japanese characters) didn't respond and vanished afterwards.
Definitely Samurai conflicts with my security setup, which already included WWDC and Seconfig.

After all the data you provided I am tempted to try again, though!
Will it be 'installed' from Safe Mode?
It could perhaps be the only way for me, as I don't intend to uninstall/reinstall my other programs which are in the way.
    Best regards and thanks again
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @poirot

    An expert friend has suggested that Samurai is an extensive SSDT hooker
    This may lead to some conflicts with other utilities as per nick s's post.

    You may have to test a bit
    Maybe your install issue was related to same?

I am not smart enough to know much about this, but be cautious?
     
  8. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
Thank you Longboard, I am aware of the 'hooking' propensities of Samurai,
that's why I think it's very unlikely I try again to install this software.
I reckon it would be another, unnecessary, hook in the kernel area
(not entirely unnecessary, really, as it has its useful facets, but I wouldn't part with any other program I run in order to make way for Samurai) just in a situation when one has to choose a single program for every needed action and no more (e.g. only one antivirus, one antitrojan/antispyware, one HIPS etc.) because nearly all of them are hooking the kernel and battling for supremacy.
As a matter of fact I run now much fewer things than in the past and I strive constantly to streamline even more.

I re-checked, as suggested by nick s, in Device Manager and there's nothing untoward: Samurai quietly vanished; but to be even more sure I reinstalled Rootkit Analyzer, which confirmed the only hooks I've got in that PC belong to Jetico and Novatix (Cyberhawk, at the moment under trial).
As we're talking about a 'normal' program and not malware I didn't search with RKU or other rootkit programs.
I'm positive BOClean would have alerted me to the fact, if there arose a need to. It had already happened with serviwin.exe from the ServiWin program, which finds hidden drivers, an obvious FP and not a Trojan horse, but just to pinpoint that BOClean alerts about suspicious moves as well.

So, I am glad no remnants of Samurai remain and for the time being I don't plan to try again.
    Best regards,
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi,
I tested Samurai against some malware. Firstly I'd say it ain't for me: for one it stifled the test machine* and secondly it didn't like the test VM. Both were set up with just Samurai and WinXP SP2 + hotfixes and WinDbg; the VM resulted in a BSOD (KernelHooks.sys).
For simplicity and time I'll lay it out as follows and won't be going into great detail (this was NOT an extensive test):

    Hacker Defender - Pass (see screen shot.)
    Anti-keylogger tester v1.000 - failed all tests.
Martin's undetectable keylogger - fail.
    DCS termination - passed 1,6 and 10 / failed the rest.
    Rustock a,b - failed both.
    Unreal (Team RkU) - fail.

This was just something small, as I was asked by someone if I'd test it, and I never tested the other Samurai attributes. I'll be testing more thoroughly at the weekend with some more from the zoo and different attack sites. :)

*Afterwards I brought some other tools to the machines; the ARKs especially wouldn't load.
     

    Attached Files:

  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Meriadoc
    That's great work.
Thank you.
    Very interesting to see what this elegant pure HIPS/Hardener can do.

    Possibly not the be all?

    Interesting the probs in VM and with other anti-r-k's.
    If the full set-up is enabled in Samurai it may block other SSDT tools ??
    Will wait with bated breath for more results.

    Regards,
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I put Samurai 2.5 and 2.7 'through the mill.'
Samurai is a hardening tool with a host intrusion prevention component. If a driver tries to install, a popup like the one for Hxdef or Vanquish below will warn the user.
    I was able to workaround the previous problems for this test.
The 2.5 protection tries to clear the system call table, which can cause a BSOD; this is corrected in 2.7 (also thanks to the author).
For as much as it would let me see, Samurai hooks 3 SSDT entries.

    Tests :
    Internet Explorer Browser security
    DHTML Edit Control Script Injection PASS
    HTML Help Control Local Zone Security Restriction Bypass PASS
    JavaScript Method Assignment Cross-Domain Scripting PASS
    Modal Dialog Argument Caching Cross-Domain Scripting PASS
    CHM File Processing Arbitrary Code Execution PASS
    Cross Domain Scripting PASS
    Search Frame Fake Caller PASS
    Object Data Remote Execution PASS
    Multimedia Page Cross-Site Scripting PASS
    Dialog Style Same Origin Policy Bypass PASS
    Zone Bypass PASS
    IFRAME dialogArguments Cross-Zone Access PASS
    Document Reference Zone Bypass PASS
    Iframe Document Property Cross Domain Scripting PASS
    URL Same Origin Policy Violation PASS
    Arbitrary File Execution PASS
    Navigate Function Cross Frame Access PASS
    Temporary Internet Files Folder Disclosure PASS
    MIME Header Attachment Execution PASS
    DYNSRC File Information Disclosure PASS
    Content-Disposition Handling File Execution PASS
    OBJECT Tag Same Origin Policy Violation PASS
    Dialog Same Origin Policy Bypass PASS
    Cookie Content Disclosure PASS
    ActiveX PASS

All the services and prevention Samurai claims are confirmed:
UPnP, BITS, Message, Net DDE, RDS, PCT, Index, My Computer Zone, Denial of Service (SynAttackProtect and EnablePMTUDiscovery), anonymous sessions etc. (see 32 Steps link below) - basically setting registry values and stopping services.

    Rootkit
    FU BLOCKED
    NT Rootkit BLOCKED
    AFX BLOCKED
    HE4 BLOCKED
Vanquish PARTIAL BLOCK (Samurai didn't block DLL injection)

DFK Threat Sim FAIL, although Samurai blocked the kernel driver and was not disabled
    OSR Crash on Demand PASS

    32 Steps to PC Security
     

    Attached Files:

    Last edited: Mar 14, 2007
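
Meriadoc sums up Samurai's hardening side as "setting registry values and stopping services". The script below is an added example, not code from the thread, from Samurai or from the 32 Steps page: it audits a machine for that kind of hardening in a read-only way, so you can see what a hardener changed or confirm the settings without installing one. The mapping from the labels in the post to Windows service names and registry values (upnphost, SSDPSRV, BITS, Messenger, NetDDE, cisvc; the Tcpip SynAttackProtect and EnablePMTUDiscovery values; Lsa RestrictAnonymous; the SCHANNEL PCT 1.0 key; the DataFactory HandlerRequired value for RDS) and the "expected" values are my assumptions drawn from the usual XP/2003-era guidance, not from the post; the My Computer Zone item is not covered.

```powershell
# Added example, not from the thread or from Samurai: read-only audit of the
# hardening settings Meriadoc lists (service start types and registry values).
# Service names, key paths and expected values below are assumed mappings of the
# thread's labels to XP/2003-era identifiers; verify them for your own environment.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services a hardener of this kind stops. A Start value of 4 means Disabled.
$servicesToDisable = @(
    @{ Label = 'UPnP (Device Host)';    Name = 'upnphost' },
    @{ Label = 'UPnP (SSDP Discovery)'; Name = 'SSDPSRV' },
    @{ Label = 'BITS';                  Name = 'BITS' },
    @{ Label = 'Messenger';             Name = 'Messenger' },
    @{ Label = 'Net DDE';               Name = 'NetDDE' },
    @{ Label = 'Net DDE DSDM';          Name = 'NetDDEdsdm' },
    @{ Label = 'Indexing Service';      Name = 'cisvc' }
)

# Registry values such a hardener sets. Expected values are the assumed hardened
# state, not values taken from the post.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$registryChecks = @(
    @{ Label = 'DoS: SynAttackProtect';    Path = $tcpip; Name = 'SynAttackProtect';    Expected = 1 },
    @{ Label = 'DoS: EnablePMTUDiscovery'; Path = $tcpip; Name = 'EnablePMTUDiscovery'; Expected = 0 },
    @{ Label = 'Anonymous sessions';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Label = 'PCT 1.0 server disabled';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server';
       Name = 'Enabled'; Expected = 0 },
    @{ Label = 'RDS handler required';     Path = 'HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo';
       Name = 'HandlerRequired'; Expected = 1 }
)

function Test-ServiceDisabled {
    # Reads the Start value straight from the registry so it works on any PS version.
    param([string]$Name)
    $key = Join-Path $servicesKey $Name
    if (-not (Test-Path -Path $key)) { return 'N/A (service not installed)' }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { 'PASS (disabled)' } else { "FAIL (Start=$start)" }
}

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    if (-not (Test-Path -Path $Path)) { return 'FAIL (key missing)' }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'FAIL (value missing)' }
    $actual = $item.$Name
    if ($actual -eq $Expected) { "PASS ($actual)" } else { "FAIL (actual=$actual, expected=$Expected)" }
}

function Invoke-HardeningAudit {
    [array]$results = foreach ($s in $servicesToDisable) {
        [pscustomobject]@{ Check = $s.Label; Target = $s.Name; Result = Test-ServiceDisabled -Name $s.Name }
    }
    $results += foreach ($r in $registryChecks) {
        [pscustomobject]@{
            Check  = $r.Label
            Target = "$($r.Path)\$($r.Name)"
            Result = Test-RegistryValue -Path $r.Path -Name $r.Name -Expected $r.Expected
        }
    }
    $results
}

Invoke-HardeningAudit | Format-Table Check, Result, Target -AutoSize -Wrap
```

Running it before and after installing a hardener gives a diff of exactly the "registry values and stopped services" the post refers to, which is a cheaper way to see what such a tool does than watching it with a kernel debugger. It does not tell you anything about SSDT hooks; those need a rootkit-style scanner, as discussed earlier in the thread.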
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Meriadoc
    Very nice
- Did you notice any conflicts with other tools?
- Did you try again with Rustock or Unreal on non-VM?

Thank you for doing this: very generous of you to spend the time.
    Useful free tool eh.
    Any feedback from developer?

    Regards.
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Longboard,
Only tools that load a driver, but I did eventually note hooks.
There are other ways to hide - many ways to skin a cat (excuse the expression) - and I confirmed some things and am looking at others, but I think I showed what Samurai couldn't do... nor claimed to.
I do this all the time, but I have been pretty busy this weekend as Vista Ultimate came through the mailbox.
Yeah, it's a non-intrusive hardener and little HIPS, and when it's working it does its job, plus it's free.
A little, confirming what I found out about changes between versions and that there may be a problem with VMs. Send an email to him for information on Samurai; he will kindly reply. :)
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The power of hardening and interception of execution :eek: :eek:
     