In the context of simple whitelisting systems I agree, but in the case of something like CSA unless your fake Notepad has specific permissions to modify svchost (for example) it will get denied. By specific I mean VERY specific. That process started by a specific user from a specific path has the ability to do a specific modification to svchost and again only to a specific path and a specific modification.
So that code can run and do things, but taking over a box or modifying a box isn't going to happen.

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, May 11, 2010 11:29 AM
To: NT System Admin Issues
Subject: RE: Life just keeps getting better....

Once code is running as system, it's irrelevant what system you try to put in place to prevent it. Whitelisting is not going to help, because the rootkit can simply report that it's notepad.....
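The difference between the two positions in this exchange, as an added toy model in Python that is not from either post: a name-only whitelist trusts whatever image name a process reports, while a CSA-style rule keyed on user, full image path, operation and target path denies a dropped "notepad" even though it is allowed to run. All user names, paths and rule values below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    image_name: str   # name the process reports for itself (a rootkit can lie here)
    image_path: str   # full image path as resolved by the OS
    user: str         # account the process runs as
    operation: str    # "write", "read", ...
    target: str       # object the process wants to touch

@dataclass(frozen=True)
class Rule:
    user: str
    image_path: str
    operation: str
    target: str

def name_whitelist_allows(req: Request, allowed_names: frozenset) -> bool:
    """Simple whitelisting: trusts the reported image name and nothing else."""
    return req.image_name.lower() in allowed_names

def csa_style_allows(req: Request, rules: tuple) -> bool:
    """CSA-style check: user, full path, operation and target must all match
    one explicit rule; anything not listed is denied."""
    return any(
        r.user.lower() == req.user.lower()
        and r.image_path.lower() == req.image_path.lower()
        and r.operation == req.operation
        and r.target.lower() == req.target.lower()
        for r in rules
    )

# Constructed rule set: one very specific permission, as the reply describes.
RULES = (Rule(user="CORP\\patchsvc",
              image_path="C:\\Program Files\\PatchTool\\patch.exe",
              operation="write",
              target="C:\\Windows\\System32\\svchost.exe"),)
ALLOWED_NAMES = frozenset({"notepad.exe", "patch.exe"})
# Constructed requests: a legitimate patch job and a "notepad" dropped in a temp dir.
PATCH_JOB = Request("patch.exe", "C:\\Program Files\\PatchTool\\patch.exe",
                    "CORP\\patchsvc", "write", "C:\\Windows\\System32\\svchost.exe")
FAKE_NOTEPAD = Request("notepad.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\notepad.exe",
                       "CORP\\bob", "write", "C:\\Windows\\System32\\svchost.exe")

def verdicts() -> dict:
    """(name-whitelist result, CSA-style result) for each constructed request."""
    return {req.image_path: (name_whitelist_allows(req, ALLOWED_NAMES),
                             csa_style_allows(req, RULES))
            for req in (PATCH_JOB, FAKE_NOTEPAD)}
```

The model assumes the OS reports image path and user truthfully, which is exactly the assumption Ken's message challenges for code already running as SYSTEM.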
