bsvTag
Newbie

I got 280 out of 340. Which mode is enabled, auto or interactive? But there are still six holes, even though I always clicked Deny:

1. RootkitInstallation: ChangeDrvPath
What does it do? Tries to change the path of an already existing driver by using the service control manager.
What is the risk? A maliciously loaded device driver can be as dangerous as it gets, because it acts as a part of the operating system with the maximum privileges.

2. Injection: SetWinEventHook
What does it do? Tries to inject the malicious DLL using a Windows accessibility API, SetWinEventHook.
What is the risk? A DLL/code injected into another process acts as a part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

3. Injection: SetWindowsHookEx
What does it do? Tries to inject the malicious DLL using a common Windows API, SetWindowsHookEx.
What is the risk? A DLL/code injected into another process acts as a part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

4. Injection: SetThreadContext
What does it do? Tries to inject the malicious DLL by using a slightly different method from ProcessInject.
What is the risk? A DLL/code injected into another process acts as a part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

5. Injection: DupHandles
What does it do? Tries to access the memory of another process by stealing the handles from a trusted process which already has them.
What is the risk? A DLL/code injected into another process acts as a part of the process it is loaded into and has the same privileges. Malware commonly exploits this method to present itself as a trusted process.

6. Hijacking: StartupPrograms
What does it do? Tries to modify the "StartupPrograms" key in the registry in order to have itself launched when Windows starts.
What is the risk? The malware is going to have itself automatically started every time Windows starts. The fact that this key is not a common startup key that an average diagnostics utility would look for increases the chance of malware survival.

Running Vista SP1. UAC is enabled. Before launching, the application asked for admin rights. I allowed it.

Notes:
1. I myself work under a limited user account.
2. Kaspersky is set to interactive mode.
3. For applications with weak restrictions, "ask for action" is set everywhere. When a suspicious application is launched, you can click Deny and the application will not start.

In my opinion it is all logical here, and Kaspersky is not to blame for the holes, since I myself gave the leak test admin rights and allowed it to run. Correct me if something is wrong.
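The ChangeDrvPath and StartupPrograms tests in the post both end in a registry change (a driver's ImagePath in the SCM database, and an autostart key). Whether the product actually blocked them can be settled by snapshotting those locations before the leak test and diffing afterwards. The script below is an added example for that check; it is not code from the forum post, from Kaspersky or from the leak test. The exact key the test calls "StartupPrograms" is not named in the post, so the list of autostart keys here is an assumption: the common Run/RunOnce keys, the Winlogon Userinit and Shell values, and AppInit_DLLs. It reads the registry only and changes nothing; run it from an elevated prompt so the HKLM services hive is fully readable.

```powershell
# Added example, not part of the original post: snapshot/diff the autostart
# keys and kernel-driver image paths that ChangeDrvPath and StartupPrograms
# target. Read-only. Key list below is an assumption, not the leak test's list.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Userinit, Shell
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs
)

function Get-AutostartEntries {
    # One object per autostart value, so the output can be diffed with Compare-Object.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not a value
            if ($key -like '*\Winlogon' -and @('Userinit','Shell') -notcontains $p.Name) { continue }
            if ($key -like '*\Windows'  -and $p.Name -ne 'AppInit_DLLs') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
}

function Get-DriverImagePaths {
    # Kernel drivers (Type 1) and file-system drivers (Type 2) as the SCM sees
    # them: this is the data ChangeDrvPath rewrites through the service control
    # manager. The ImagePath is resolved to a real file and its signature checked.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if ($svc.Type -eq 1 -or $svc.Type -eq 2) {
            $image = [string]$svc.ImagePath
            # Normalize the forms the loader accepts: "\??\C:\...", "\SystemRoot\...",
            # or a path relative to the Windows directory.
            $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'Missing' }
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $image
                Resolved  = $path
                Signature = $sig
                Start     = $svc.Start
            }
        }
    }
}

# Usage: take a baseline, run the leak test, then diff. Any line that appears
# only on the "after" side is a change the product let through.
#   Get-AutostartEntries | Export-Clixml .\autostart-before.xml
#   Get-DriverImagePaths | Export-Clixml .\drivers-before.xml
#   ... run the leak test ...
#   Compare-Object (Import-Clixml .\autostart-before.xml) (Get-AutostartEntries) -Property Key,Name,Value
#   Compare-Object (Import-Clixml .\drivers-before.xml)   (Get-DriverImagePaths) -Property Service,ImagePath
```

Two caveats when reading the output. Drivers that are signed only through a catalog file can report NotSigned from Get-AuthenticodeSignature on older PowerShell versions, so treat the before/after diff, not the signature status alone, as the signal. And because the test was run with admin rights, a clean diff only tells you the product blocked the write; it says nothing about the injection tests (SetWindowsHookEx, SetWinEventHook, SetThreadContext, DupHandles), which leave no registry trace and need a process-level check instead.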