Block/ask for service installs in the temp folder?


No replies to this topic

#1 Na'ven (Members, 1 post, Lakewood, OH)

Posted 04 January 2012 - 06:18 PM

Hey guys, I was wondering if anyone knows how to block (or, preferably, use a program to ask about) installs in the temp folders on your system. The reason I want to do this is that I manually remove viruses, because most of the anti-virus scanners out there don't do as well as I do when it comes to detecting what is a virus and what isn't, as well as removing them. (This is by design and fully intentional on their part.) So, that being said, I'd like to take preventive measures to stop rootkit installations and any other virus installations by targeting a popular directory that viruses load from, including service installs. I'd rather not have to log into the registry as the System user and start scanning, or try to figure out which System user is running so I can delete those files as the System user. When the rootkit has ring 0, it makes it use the System user for many things and hides them from the user logged into the system. This is why a rootkit works, for those who wish to know.

So, that being said, I want to prevent them so I don't have to labor for hours killing off rootkits, and I have one now. It's bloody annoying and I'm working on it. Any suggestions? A rootkit can't gain ring 0 without a system restart because it has to be the first one with a hook, and when it's downloaded, usually whatever is supposed to have that hook will have ring 0 access. Thanks again for your help! =)
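Added example, not part of the original post or of any reply in the thread: on Windows the "block execution from the temp folders" half of the question can be done with a Software Restriction Policy (SRP) path rule of level Disallowed, and the "service installs" half can at least be audited by listing services whose binary lives under a temp path and by reading the Service Control Manager's "new service installed" events (Event ID 7045). The script writes the SRP rules straight to the policy registry keys that the Local Security Policy editor uses, so it assumes an elevated PowerShell on an edition that supports SRP (XP Professional through Windows 10 Pro/Enterprise); the rule GUIDs, descriptions and the list of temp folders are this example's choices, not anything from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Assumptions: elevated PowerShell,
# Windows edition with SRP; rule GUIDs are generated fresh on each run.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the registry: 0 = Disallowed, 0x40000 = Unrestricted.
$Disallowed   = 0
$Unrestricted = 0x40000

function Enable-SrpBaseline {
    # Default level Unrestricted, so only the explicit path rules below are blocked.
    # TransparentEnabled: 1 = check all designated file types except DLLs (2 = DLLs too).
    # PolicyScope: 0 = all users, including administrators.
    New-Item -Path $saferRoot -Force | Out-Null
    Set-ItemProperty -Path $saferRoot -Name DefaultLevel        -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $saferRoot -Name TransparentEnabled  -Value 1             -Type DWord
    Set-ItemProperty -Path $saferRoot -Name PolicyScope         -Value 0             -Type DWord
    Set-ItemProperty -Path $saferRoot -Name AuthenticodeEnabled -Value 0             -Type DWord
    # Designated file types the policy applies to (the usual GUI default list, trimmed).
    Set-ItemProperty -Path $saferRoot -Name ExecutableTypes -Type MultiString -Value @(
        'BAT','CMD','COM','CPL','EXE','HTA','INF','JS','LNK','MSI','MSP','OCX','PIF',
        'REG','SCR','VB','VBS','WSC','WSF','WSH')
}

function Add-SrpDisallowPath {
    # One path rule = one subkey under <level>\Paths\{GUID}; ItemData holds the
    # (environment-variable expandable) path, and a trailing \* covers subfolders.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Block execution from a temp folder (example rule)'
    )
    $ruleKey = Join-Path $saferRoot ('{0}\Paths\{{{1}}}' -f $Disallowed, [guid]::NewGuid())
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $ruleKey
}

function Get-ServicesInTempPaths {
    # Installed services whose image lives in a temp folder. SYSTEM's %TEMP% is
    # %windir%\Temp, so that one matters most for the service case in the post.
    $tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'), (Join-Path $env:SystemDrive 'Temp'))
    Get-CimInstance Win32_Service | Where-Object {
        $p = $_.PathName
        if (-not $p) { return $false }
        # Strip surrounding quotes / trailing arguments to get the executable path.
        $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { $p.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        foreach ($d in $tempDirs) { if ($exe -like "$d\*") { return $true } }
        return $false
    } | Select-Object Name, StartMode, State, PathName
}

function Get-RecentServiceInstalls {
    # Event 7045 is logged by the Service Control Manager whenever a service is
    # created; properties 0, 1 and 4 are service name, image path and account.
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                Account     = $_.Properties[4].Value
            }
        }
}

# --- apply the policy and run the two checks ---
Enable-SrpBaseline
foreach ($p in '%LocalAppData%\Temp\*', '%windir%\Temp\*', '%SystemDrive%\Temp\*') {
    Add-SrpDisallowPath -Path $p
}
# Rules take effect at the next logon; 'gpupdate /force' applies them immediately.
Get-ServicesInTempPaths
Get-RecentServiceInstalls -Last 20
```

Two caveats a practitioner would want before turning this on. SRP only blocks, it never prompts, and it is checked in user mode at process creation and library load, so it does nothing against a driver that is already loaded; it also breaks the many legitimate installers that extract themselves to %TEMP% and run from there, which is exactly why an "ask me" mode would be nicer. Windows 7 Enterprise/Ultimate and later have AppLocker, which adds an audit-only mode and, unlike SRP, has rule collections that are easier to scope, so it is the better tool where the edition allows it. Blocked executions show up in the Application event log (SRP logs them under its own event source), which is the closest thing to the "ask" the post wants.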
