funsec mailing list archives
Re: Administrator Accounts
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Thu, 23 Feb 2006 11:12:09 -0600
James Kehl wrote:

[snip]

> For instance, check out the Win64 file system redirector - needed because somehow System32 is now the province of 64-bit DLLs. Funny, I would have thought those would really suit a System64 directory...
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/file_system_redirector.asp
>
> (Sounds like Win64's got a built-in rootkit! 32-bit virus scanners? Why on earth would they want to see the filesystem as it really is?)

Let's be careful not to start throwing around the term "rootkit" for everything that hooks into the system -- the purpose of a rootkit is stealth. At best, this technology is rootkit-like.

First of all, why you'd run a 32-bit virus scanner on a 64-bit OS is beyond me. There's no support for the on-access component of that type of scanner -- typically a kernel-mode driver -- so you'd be lacking a key component of their protection.

Secondly, there's an exposed API to shut it off if for some reason you want to be able to run a 32-bit on-demand virus scanner. It's called Wow64DisableWow64FsRedirection().

Thirdly, thunking will make a 32-bit AV rather slow on the x64, if it works at all. AV scanners tend to make some pretty deep assumptions about how the system works, so they may not even run in the "fake" 32-bit environment of an x64.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
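An added illustration of the point above, not code from the thread: a 32-bit process on 64-bit Windows opens the same `System32` path with WOW64 redirection on and then off, using the Wow64DisableWow64FsRedirection() API the message names, to show that the two opens reach different files. It assumes 64-bit Windows, a 32-bit PowerShell host (the `SysWOW64` one), and `kernel32.dll` as an arbitrary probe file present in both directories.

```powershell
# Added example (not from the thread). Run from a 32-bit host, e.g.
#   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
# kernel32.dll is just a convenient probe: System32 and SysWOW64 each hold one.

Add-Type -Namespace Wow64 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool isWow64);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

function Get-System32Probe {
    param([string]$File = 'kernel32.dll')
    $path = Join-Path $env:windir "System32\$File"
    # Plain .NET file I/O runs on this thread, so it is subject to the
    # thread's redirection state (cmdlets are avoided here on purpose).
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [PSCustomObject]@{
        Path   = $path
        Length = $bytes.Length
        Sha256 = [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    }
}

$isWow64 = $false
$hProc = [System.Diagnostics.Process]::GetCurrentProcess().Handle
[void][Wow64.Native]::IsWow64Process($hProc, [ref]$isWow64)
if (-not $isWow64) {
    throw 'Not a WOW64 process: run this from a 32-bit PowerShell on 64-bit Windows.'
}

$redirected = Get-System32Probe          # actually served from SysWOW64
$old = [IntPtr]::Zero
if (-not [Wow64.Native]::Wow64DisableWow64FsRedirection([ref]$old)) {
    throw 'Wow64DisableWow64FsRedirection failed'
}
try {
    $real = Get-System32Probe            # now the 64-bit System32
} finally {
    # Redirection is per thread; always restore it, or later 32-bit DLL
    # loads and path lookups on this thread resolve to the wrong files.
    [void][Wow64.Native]::Wow64RevertWow64FsRedirection($old)
}

"Redirected: $($redirected.Length) bytes  $($redirected.Sha256)"
"Real:       $($real.Length) bytes  $($real.Sha256)"
if ($redirected.Sha256 -ne $real.Sha256) { 'Same path, different file: the redirector was in effect.' }
```

The disable/revert pair only changes what the calling thread sees; a scanner that forgets the revert, or opens files from another thread, is back to seeing SysWOW64 under the System32 name.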