Why not just protect/lock HKEY_CLASSES_ROOT\exefile and .exe ??

SO many webpage based attacks simply use this method to redirect any application launch to itself, i.e. all those fake security packages that are really a virus, aka "Vista Security 2011".

I mean seriously, this would be trivial to do, and stop a HECK of a lot of CRUD. Why would 99.9999% of the people ever need to redirect .exe away from cmd? Only those who wish to replace their own file manager/etc.

It's always the same attack method. Download a file to /Users/<user name>/AppData/Local, and then redirect HKEY_CLASSES_ROOT\exefile and .exe to that file.

[ directories different on XP/Win7, but same thing. ]

I know how to fix it, but I'm tired of having to tell other people the same instructions over and over, because companies refuse to do a simple/trivial thing to protect against it.

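A defender-side check for the redirection described in the post above, added here as an example that is not part of the original thread: a PowerShell script that reads the (Default) values of the .exe and exefile keys and reports anything that differs from the Windows default. HKEY_CLASSES_ROOT is a merged view of HKLM:\Software\Classes and HKCU:\Software\Classes, so both hives are checked; the expected values and the output messages are assumptions of this example.

```powershell
# Added example (not from the original thread): audit the .exe file-association
# keys that malware redirects, and report anything that differs from the defaults.
# Assumed Windows defaults:
#   exefile\shell\open\command  (Default) = "%1" %*
#   .exe                        (Default) = exefile
# HKCR merges HKLM:\Software\Classes and HKCU:\Software\Classes, and the
# per-user hive wins, so both are inspected (a per-user override is possible
# without administrative rights).

$expectedCommand = '"%1" %*'
$expectedProgId  = 'exefile'

function Get-DefaultValue {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')   # empty name reads the (Default) value
}

function Test-ExeAssociation {
    param([string]$ClassesRoot)   # e.g. HKLM:\Software\Classes
    $findings = @()

    # .exe must map to the exefile ProgId
    $progId = Get-DefaultValue "$ClassesRoot\.exe"
    if ($progId -and $progId -ne $expectedProgId) {
        $findings += "$ClassesRoot\.exe points to '$progId' (expected '$expectedProgId')"
        # also show where a substituted ProgId would send every launch
        $altCmd = Get-DefaultValue "$ClassesRoot\$progId\shell\open\command"
        if ($altCmd) { $findings += "$ClassesRoot\$progId\shell\open\command is '$altCmd'" }
    }

    # exefile's open command must launch the file itself, not a third program
    $cmd = Get-DefaultValue "$ClassesRoot\exefile\shell\open\command"
    if ($cmd -and $cmd -ne $expectedCommand) {
        $findings += "$ClassesRoot\exefile\shell\open\command is '$cmd' (expected '$expectedCommand')"
    }
    return $findings
}

$results = @()
$results += Test-ExeAssociation 'HKLM:\Software\Classes'
$results += Test-ExeAssociation 'HKCU:\Software\Classes'

if ($results.Count -eq 0) {
    Write-Output 'OK: .exe association keys match the Windows defaults.'
} else {
    Write-Output 'WARNING: .exe association has been modified:'
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell window; a finding in the HKCU branch is the case where no UAC prompt would have appeared when the change was made.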

Greetings :)

There actually is software out there that can do this (among other things), it's called HIPS. It basically monitors the activities of all files and processes and prevents them from making any changes to the system (including the registry) without user consent.

Similarly, User Account Control in Windows Vista and Windows 7 would actually prevent any software from altering that registry key because it would require administrative privileges to do so, so the user would have to click Continue or Allow to a UAC prompt before any executable could run with sufficient privileges to alter that key.

Generally, if the malware has made it to the execution stage to the point where it already has administrative or higher privileges (which would be required to alter that registry key), then the malware already owns your system until you remove the infection; this includes likely being capable of disabling any protection software you already have in place to prevent changing that registry key (your antivirus, firewall, antispyware etc.). Preventing the infection from executing in the first place is the best method, so using software that is likely to detect and block the infection would be the best defense, in addition to keeping your OS patched along with any third party software you might have installed that is prone to vulnerabilities (such as Flash, Java, Reader etc.).
