RE: Bug in Norton FireWall 2003

[Michael Wojcik <Michael.Wojcik () microfocus com>]

> From: nowak.a () pg com [mailto:nowak.a () pg com] 
> Sent: Monday, August 11, 2003 5:15 PM
>
>
> > I suppose a simple defense for "personal firewall" vendors 
> > against this sort of thing would be to use hard-to-guess window
> > titles for their popups...
>
> This simple defense may not be enough, as there are ways to 
> find out the names of all "child" windows belonging to specific
> process.

Agreed.  "simple" wasn't really the adjective I wanted; something more like
"preliminary" or "first-cut" was what I meant.  Another possibility would be
to require that the window be visible when the event is received, and have
been visible for some minimum time (even on the order of a few seconds),
which would allow an alert user to see the trojan in action, anyway.

Some firewall products of this type allow a "reject without prompting"
configuration, which is safer, albeit potentially frustrating.  (I'm
familiar with the Symantec products, and getting log information out of them
is not a pleasant process.  Their UIs in general are not well-designed.)

Is there a reliable mechanism in Windows for distinguishing between real and
spoofed events?  I've never looked into the subject, as I avoid GUI-mode
programming like the plague (which is an apt description, in my book).

Of course, the popup window shouldn't be owned by a process running with
elevated privileges anyway.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus