funsec mailing list archives

Re: Administrator Accounts


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Thu, 23 Feb 2006 11:12:09 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

James Kehl wrote:
> [snip]
> For instance, check out the Win64 file system redirector - needed because
> somehow System32 is now the province of 64-bit DLLs. Funny, I would have
> thought those would really suit a System64 directory...
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/file_system_redirector.asp
>
> (Sounds like Win64's got a built-in rootkit! 32-bit virus scanners? Why
> on earth would they want to see the filesystem as it really is?)

Let's be careful not to start throwing around the term "rootkit" for
everything that hooks into the system -- the purpose of a rootkit is
stealth.  At best, this technology is rootkit-like.

First of all, why you'd run a 32-bit virus scanner on a 64-bit OS is
beyond me.  There's no support for the on-access component of that type
of scanner -- typically a kernel-mode driver -- so you'd be lacking a
key component of their protection.

Secondly, there's an exposed API to shut it off if for some reason you
want to be able to run a 32-bit on-demand virus scanner.  It's called
Wow64DisableWow64FsRedirection().

Thirdly, thunking will make a 32-bit AV rather slow on the x64, if it
works at all.  AV scanners tend to make some pretty deep assumptions
about how the system works, so they may not even run in the "fake"
32-bit environment of an x64.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFD/ezofp4vUrVETTgRA/ZTAKDPsUucD7nOl6Aw9k5+Jfp4E554cQCgwOES
Z8IQAvjP1j451vVDUXq4W9I=
=7joH
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
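The redirection behaviour discussed in the message above, and the Wow64DisableWow64FsRedirection() escape hatch, can be observed directly. The following PowerShell script is an added example (not part of the original post or of any Microsoft sample). It P/Invokes the real kernel32 exports IsWow64Process, Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, then reads the PE Machine field of `%windir%\System32\kernel32.dll` with and without redirection: a 32-bit process silently gets the SysWOW64 copy (0x014C, i386) until redirection is disabled, after which it reads the genuine 64-bit file (0x8664, AMD64). The function names Show-Wow64Redirection, Get-PEMachine and Test-IsWow64Process are this example's own.

```powershell
# Added example: show what a 32-bit process sees in System32 on 64-bit Windows,
# then temporarily disable WOW64 file system redirection and look again.
# Run from the 32-bit host so that redirection actually applies:
#   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -File .\Show-Wow64Redirection.ps1

# Compile the P/Invoke wrapper BEFORE touching redirection: Add-Type loads
# compiler DLLs, and disabling redirection can break DLL loads on this thread.
Add-Type -Namespace Wow64 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

function Test-IsWow64Process {
    # True only for a 32-bit process hosted by WOW64 on 64-bit Windows.
    $isWow64 = $false
    $h = [Diagnostics.Process]::GetCurrentProcess().Handle
    [void][Wow64.Native]::IsWow64Process($h, [ref]$isWow64)
    return $isWow64
}

function Get-PEMachine {
    param([Parameter(Mandatory)][string]$FilePath)
    # Reads IMAGE_FILE_HEADER.Machine: 0x014C = x86, 0x8664 = x64.
    # e_lfanew (offset 0x3C) points at "PE\0\0"; Machine is 4 bytes past it.
    $fs = [IO.File]::OpenRead($FilePath)
    try {
        $br = New-Object IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, [IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadInt32()
        [void]$fs.Seek($peOffset + 4, [IO.SeekOrigin]::Begin)
        return $br.ReadUInt16()
    } finally {
        $fs.Dispose()
    }
}

function Show-Wow64Redirection {
    $target = Join-Path $env:windir 'System32\kernel32.dll'

    if (-not (Test-IsWow64Process)) {
        Write-Warning 'Not a WOW64 process: redirection does not apply here. Start the 32-bit PowerShell host.'
        return
    }

    $seenRedirected = Get-PEMachine -FilePath $target
    '{0} with redirection:    Machine = 0x{1:X4}' -f $target, $seenRedirected

    $oldValue = [IntPtr]::Zero
    if (-not [Wow64.Native]::Wow64DisableWow64FsRedirection([ref]$oldValue)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "Wow64DisableWow64FsRedirection failed, Win32 error $err"
    }
    try {
        $seenReal = Get-PEMachine -FilePath $target
        '{0} without redirection: Machine = 0x{1:X4}' -f $target, $seenReal
    } finally {
        # Redirection state is per thread; always restore it, or later
        # DLL loads and file opens on this thread will go to the wrong place.
        [void][Wow64.Native]::Wow64RevertWow64FsRedirection($oldValue)
    }
}

Show-Wow64Redirection
```

From the 32-bit host the first line reports 0x014C and the second 0x8664 for the same path; from the 64-bit host the script only prints the warning, since redirection is a WOW64 feature. The disable/revert pair is scoped as tightly as possible because the setting is per thread and Microsoft's documentation warns that loading DLLs with redirection disabled is unreliable; a 32-bit on-demand scanner that wants the real System32 must do the same around its file access rather than switching redirection off for the life of the process.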

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
