What I would like to see from the OS is something like a trimmed-down
version of UAC *just for the malware load points*!!!
A permission / integrity monitor that prompts and/or logs whenever a RUN key
is altered, whenever a scheduled task is created, whenever a link is added
to the STARTUP group, etc ...

And it would be great if all the antimalware vendors' software could read
these load points, parse out the potentially infectious files (exe, dll,
etc.) and quick-scan just those.

On Wed, Jul 13, 2011 at 1:12 PM, Micheal Espinola Jr <
[email protected]> wrote:

> Maybe I'm nuts.  Maybe I'm sick of dealing with malware.  But I have some
> very simple questions about things I almost ALWAYS see on infected systems.
> Perhaps someone here can clarify something for me that I have yet to see
> Microsoft or any antivirus vendor directly address.  I'm gonna start this
> with one point, and then see how the conversation goes:
>
> I almost always see malware injection points in the allusers\appdata
> folder.  In these instances I *always* see a reference in one of the "run"
> registry keys.
>
> As far as I know, this top-level appdata folder should NOT contain files at
> all.  I repeat: NO FILES AT F'ING ALL.
>
> Can someone confirm this?  Can someone with contacts at Microsoft or other
> AV providers confirm why this is completely overlooked when scanning?  This
> is where 0-day malware very commonly lives.  This is very easy to check!
>
> Thank you for your time and any vendor reach-outs you can provide.
>
> I'm currently working on a set of scripts to check what I consider very
> foolish things like this.  If anyone wants to team-up, please do.
>
> --
> Espi
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>


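The checks both messages describe, as an added example that is not code from either poster: enumerate the Run/RunOnce keys, the Startup folders and the scheduled tasks, resolve each entry to the program it launches, flag targets that sit under an AppData folder or carry no valid Authenticode signature, list stray files at the top of the all-users AppData folder (the original poster's rule of thumb), and log whenever the machine-wide Run key changes (the simplest form of the monitor the reply asks for). The function names, the log file under %TEMP%, and the PowerShell 3.0 / Vista-or-later baseline are all assumptions of this example.

```powershell
# Added example, not code from the original thread. Assumes PowerShell 3.0+ on
# Vista or later; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds that are not registry values
$PSNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# "allusers\appdata" from the original post: %ProgramData% on Vista and later,
# "%ALLUSERSPROFILE%\Application Data" on XP/2003.
$AllUsersAppData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }

# Pull the program path out of a Run-key style command line, e.g.
#   "C:\ProgramData\x.exe" /silent   C:\Program Files\Foo\foo.exe -tray   rundll32.exe x.dll,Go
function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }                 # quoted path
    $parts = $cmd -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {                             # unquoted path containing spaces
        $candidate = $parts[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    $app = Get-Command $parts[0] -CommandType Application -ErrorAction SilentlyContinue |
           Select-Object -First 1                                         # bare name: resolve via PATH
    if ($app) { return $app.Path } else { return $parts[0] }
}

# One object per load-point entry: where it was found, its name, and the command it runs
function Get-LoadPoint {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PSNoise -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in (Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue)) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') {                                # resolve a shortcut to its target
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
            }
            [pscustomobject]@{ Source = $folder; Name = $f.Name; Command = $target }
        }
    }
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask) {
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
                }
            }
        }
    }
}

# Annotate each entry with the resolved executable, its signature status, and
# whether it lives under the all-users or the current user's AppData folders
function Test-LoadPoint {
    foreach ($entry in Get-LoadPoint) {
        $exe    = Get-ExecutableFromCommandLine $entry.Command
        $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        $inAppData = $exe -like "$AllUsersAppData\*" -or $exe -like "$env:APPDATA\*" -or $exe -like "$env:LOCALAPPDATA\*"
        $entry | Add-Member -NotePropertyMembers @{ Executable = $exe; Signature = "$sig"; InAppData = [bool]$inAppData } -PassThru
    }
}

# The original poster's rule: the top level of the all-users AppData folder holds no files
function Get-TopLevelAppDataFile {
    Get-ChildItem -LiteralPath $AllUsersAppData -File -Force -ErrorAction SilentlyContinue
}

# Log whenever the machine-wide Run key changes. WMI registry events only cover
# HKEY_LOCAL_MACHINE and HKEY_USERS (use HKEY_USERS\<SID>\... for a user's HKCU);
# the event says only that the key changed, so the handler re-reads its values.
function Start-RunKeyWatch {
    $query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
    Register-WmiEvent -Query $query -SourceIdentifier 'RunKeyWatch' -Action {
        $log = Join-Path $env:TEMP 'runkey-watch.log'                     # log location is an assumption
        $now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $values = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
                  Select-Object -Property * -ExcludeProperty PS*
        Add-Content -Path $log -Value "$now HKLM Run key changed:$($values | Out-String)"
    }
}

# Report entries launched from AppData or lacking a valid signature, list stray files,
# then start the watcher (Unregister-Event -SourceIdentifier RunKeyWatch stops it)
Test-LoadPoint | Where-Object { $_.InAppData -or $_.Signature -ne 'Valid' } |
    Format-Table Source, Name, Executable, Signature, InAppData -AutoSize
Get-TopLevelAppDataFile | Select-Object FullName, Length, LastWriteTime
Start-RunKeyWatch
```

Run it from an elevated prompt so the HKLM keys, all tasks and the all-users folder are readable; the Startup and HKCU entries are those of the user running it, so per-user checks on a multi-user box need to be run under each profile or by walking HKEY_USERS. The report only resolves the first program on each command line, so a rundll32 entry shows rundll32.exe as the (validly signed) executable and the DLL it loads still has to be inspected by hand.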