Posted 04 January 2012 - 06:18 PM
Hey guys, I was wondering if anyone knows how to block (or preferably use a program to ask) installs in the temp folders on your system. The reason I want to do this is because I manually remove viruses because most of the anti-virus scanners out there don't do as well as I do when it comes to detecting what is a virus and what isn't, as well as removing them. (This is by design and fully intentional on their part.) So, that being said, I'd like to take preventive measures on stopping rootkit installations and any other virus installations by targeting a popular directory that viruses will load from, including service installs. I'd rather not have to log into the registry as the System user and start scanning, or try to figure out what System user is running so I can delete those files as the System user. When the rootkit has ring 0, it makes it use the System user for many things and hides them from the user logged into the system. This is why a rootkit works, for those who wish to know.
So, that being said, I want to prevent them so I don't have to labor for hours killing off rootkits, and I have one now. It's bloody annoying and I'm working on it. Any suggestions? A rootkit can't gain ring 0 without a system restart because it has to be the first one with a hook, and when it's downloaded, usually whatever is supposed to have that hook will have ring 0 access. Thanks again for your help! =)
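The detection side of what the post asks for, as an added example that is not part of the original post: an audit-only PowerShell script that lists Windows services whose binary path points into a temp directory and executable files recently written to those directories. The set of temp directories is taken from the environment and the 7-day window is an assumption; neither comes from the post. It blocks nothing, it only reports.

```powershell
# Added example (not from the original post): audit-only check for services
# and executables living in temp directories. Reports only; blocks nothing.
# Temp paths come from the environment; the 7-day window is an assumption.

$tempDirs = @(
    $env:TEMP,
    $env:TMP,
    (Join-Path $env:windir 'Temp'),
    (Join-Path $env:SystemDrive 'Temp')
) | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique

function Test-UnderTemp {
    # Service PathName values are often quoted and carry arguments, so strip
    # a leading quote and compare the prefix case-insensitively.
    param([string]$Path)
    $clean = $Path.TrimStart('"')
    foreach ($dir in $tempDirs) {
        if ($clean.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 1. Services whose executable path points into a temp folder.
Write-Host "== Services launched from temp directories =="
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = $_.PathName
    if ($exe -and (Test-UnderTemp $exe)) {
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $exe
        }
    }
} | Format-Table -AutoSize

# 2. Executables, DLLs, drivers and screensavers written to temp folders recently.
$since = (Get-Date).AddDays(-7)
Write-Host "== Executable files in temp directories modified since $since =="
foreach ($dir in $tempDirs) {
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.sys, *.scr |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the per-user and system-wide temp directories are all readable. The preventive counterpart the poster is asking for is a path rule that denies execution under these directories via Software Restriction Policies or AppLocker in Group Policy; this script does not configure that, it only shows what such a rule would have affected.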