Microsoft Security Essentials

Doesn't have a boot scan
What can I use to do a boot scan?

Thanks

--
Posted at author's request, using moderated http://www.securityforumz.com
interface
Thread archive:
http://www.securityforumz.com/Microsoft-Securiiy-Essentials-ftopict11482.html

Re: Microsoft Security Essentials



Are you using WinXP or later OS and all partitions are NTFS ?



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Microsoft Security Essentials

Windows 7

Thanks

"David H. Lipman" wrote:

> > Doesn't have a boot scan
> > What can I use to do a boot scan?
> >
> > Thanks
>
> Are you using WinXP or later OS and all partitions are NTFS ?
>
> --
> Dave
> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
> http://www.pctipp.ch/downloads/dl/35905.asp

Re: Microsoft Security Essentials



You didn't answer if "all partitions are NTFS" but I'll presume - yes.

Since it uses NTFS there is no chance of a Boot Sector Infector like the "NYB" or "Form" virus, and boot scans are not needed.

I haven't heard that a boot scan can prevent or clean the TDL3 when it injects code into the MBR.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Microsoft Security Essentials


There should be something in Windows--this is a proposal not a statement that this exists--that will tell you if the MBR has changed, by comparison with a hash to a previous version.

Also, it is interesting that the TDL rootkit will not run in a Virtual Machine.  But I've read somewhere that running on Windows 7 the XP virtual machine (by VMware, the free version) can in theory infect your real machine (since a XP VM can cross-over into your real non-virtual machine).

Is it possible to run a Windows 7 virtual machine while running Windows 7 OS?  What advantage would that have?  Perhaps to prevent this rootkit.

RL

http://go.eset.com/us/resources/white-papers/TDL3-Analysis.pdf

Detecting virtual machine environment

The rootkit dropper checks whether the rootkit is being executed in the context of a virtual machine. It does so by reading the local descriptor table register (LDTR) that is used to calculate the linear address from the segment_selector:offset pair. Microsoft Windows operating systems don't use a Local Descriptor Table (LDT), so the LDTR contains zero, but many virtual machine programs use it, nonetheless. In this way, the rootkit can easily check whether it is running inside virtual machine. The following figure shows how TDL3 uses this technique to ensure that it isn't executed inside a virtual machine
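RL's proposal above (tell the user whether the MBR has changed by comparing a hash with a stored earlier version) as an added worked example; this is not code from the thread, from Microsoft Security Essentials, or from ESET. It validates the 0x55AA boot signature, hashes the 440-byte bootstrap-code region separately from the disk signature and the partition table (so a legitimate repartitioning is reported differently from a rewritten loader), and compares the result with a baseline saved at a known-good time. All sector bytes here are constructed; on Windows the real sector is the first 512 bytes of `\\.\PhysicalDrive0`, which the docstring shows but the block does not open.

```python
r"""Added example (not from the thread): detect MBR changes by hashing the
bootstrap code and comparing it with a stored baseline.  The sectors below
are constructed; on Windows the real sector is the first 512 bytes of the
raw disk, read as Administrator: open(r"\\.\PhysicalDrive0", "rb").read(512)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: bootstrap code, the region a bootkit overwrites
DISK_SIG_OFF = 440        # 4-byte Windows disk signature (then 2 reserved bytes)
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a syntactically valid MBR with one bootable NTFS (type 0x07) partition."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x11\x22\x33\x44"
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1048576)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Split the sector into the pieces worth tracking separately."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 is an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def is_valid_mbr(mbr: bytes) -> bool:
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def check_against_baseline(mbr: bytes, baseline: dict) -> list:
    """Findings relative to a baseline produced earlier by parse_mbr(); [] means unchanged."""
    current = parse_mbr(mbr)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code hash changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed sectors.  The first bytes are the usual cli / xor ax,ax / mov ss,ax / mov sp,7C00h prologue.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4")
BASELINE = parse_mbr(CLEAN_MBR)       # saved at a known-good time, e.g. right after install

_t = bytearray(CLEAN_MBR)
_t[:3] = b"\xe9\x00\x01"              # bootstrap replaced by a jump elsewhere; table untouched
TAMPERED_MBR = bytes(_t)

_r = bytearray(CLEAN_MBR)
_r[PART_TABLE_OFF + 16:PART_TABLE_OFF + 32] = struct.pack(
    ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 1050624, 204800)  # a second partition added
REPARTITIONED_MBR = bytes(_r)

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                         ("repartitioned", REPARTITIONED_MBR)]:
        print(name, check_against_baseline(sector, BASELINE) or "no change")
```

The caveat a practitioner would add, and the reason the thread's boot-scan question matters: a rootkit that filters disk reads below the file system can hand the original sector back to a checker running on the infected OS, so a comparison like this is only trustworthy when the sector is read from clean boot media rather than from the running system.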

Re: Microsoft Security Essentials

RayLopez99 wrote:

[...]


This is being done, but there are other considerations regarding the way
it is being done and the consequences of other uses of the technology.
See TPM.

[...]

Re: Microsoft Security Essentials


Wow, I did not know TPM was around for so many years (since at least
2006)--I'd never heard of it and I keep abreast of PC advances more
than most.  Interesting.

RL

The TPM was sardonically dubbed the "Fritz chip" by Professor Ross
Anderson, Security Engineering Professor at the University of
Cambridge Computer Laboratory, in reference to the former United
States Senator Ernest "Fritz" Hollings, who according to Anderson
"worked tirelessly in Congress to make TC a mandatory part of all
consumer electronics."[7]

TPM hardware

[Image: Trusted Platform Module on Asus motherboard P5Q PREMIUM]
Starting in 2006, many new laptop computers have been sold with a
Trusted Platform Module chip built-in. In the future, this concept
could be co-located on an existing motherboard chip in computers, or
any other device where a TPM's facilities could be employed, such as a
cell phone. On PC the LPC bus is used.

Trusted Platform Module microcontrollers are currently produced by:

Atmel
Broadcom
Infineon (Infineon TPM)
Intel (via Intel Manageability Engine as iTPM)
Sinosun
STMicroelectronics
Nuvoton (formerly Winbond)
ITE (ITE TPM)
TOSHIBA

Re: Microsoft Security Essentials

RayLopez99 wrote:

In order to have a stored measurement (hash) of the flash-able BIOS, you
would need a secure place to store it where an earlier ROM program could
compare it to a new measurement for that BIOS.

Unfortunately, the TPM also has other characteristics that have the
privacy crowd up in arms. To me, it's a baby/bathwater thing.

Re: Microsoft Security Essentials



http://nesipublic.spawar.navy.mil/nesix/View/P1360

"The DoD memo also mandates that all new computer assets procured to support the DoD enterprise include a Trusted Platform Module (TPM) version 1.2 or higher where such technology is available. TPM is a microcontroller that stores keys, passwords and digital certificates. It typically is affixed to the motherboard of computers. The nature of this hardware chip ensures that the information stored becomes more secure from external software attack and physical theft."

http://iase.disa.mil/policy-guidance/dod-dar-tpm-decree07-03-07.pdf



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Microsoft Security Essentials

David H. Lipman wrote:

Some nuts and bolts that address Ray's idea about using hashes as
integrity checks for BIOSes, loaders, OSen and applications.

http://www.rsa.com/rsalabs/technotes/tpm/sealedstorage.pdf

AFAIK, it isn't necessary to make use of the unique-to-the-machine root key in any outgoing data. I think that *this* and what can be done with it is what the privacy folks are concerned about.
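The sealed-storage mechanism FromTheRafters points to above, and the earlier question of where a stored BIOS measurement could safely live, as one added example (not code from the thread or from the RSA Labs note): a pure-Python simulation of a PCR extend chain and of sealing a secret to the resulting PCR value. The extend rule is the TPM's own (PCR = H(PCR || H(component))). The seal/unseal construction here, a key derived by HMAC from a stand-in storage root key and the PCR value, a SHA-256 counter keystream and an HMAC tag, is an assumed stand-in for the TPM's own encryption, chosen so the block runs with the standard library only. A SHA-256 PCR bank is assumed (a TPM 1.2 PCR is 20 bytes of SHA-1). The component images, the SRK bytes and the secret are all constructed.

```python
"""Added example (not from the thread): measured boot as a PCR extend chain,
plus sealing a secret to the resulting PCR value, in pure Python.
Component images, the storage root key and the secret are constructed."""
import hashlib
import hmac
import os

PCR_LEN = 32  # SHA-256 bank assumed; a TPM 1.2 PCR is 20 bytes (SHA-1)


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend rule: PCR_new = H(PCR_old || H(component)).
    There is no PCR write, only extend, so a later stage cannot set the register
    back to the value a clean earlier stage would have produced."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Boot ROM measures the BIOS, the BIOS the MBR, the MBR the loader, and so on.
    Each stage extends the PCR before it jumps to the next stage."""
    pcr = bytes(PCR_LEN)  # PCRs are zero at platform reset
    for image in components:
        pcr = pcr_extend(pcr, image)
    return pcr


# Stand-in storage root key (constructed).  In a real TPM it is generated on-chip and never exported.
SRK = hashlib.sha256(b"constructed storage root key for the example").digest()


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the TPM's own symmetric encryption."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind `secret` to a PCR value: the key derives only from that exact value."""
    key = hmac.new(SRK, expected_pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(secret, _keystream(key + nonce, len(secret))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Return the secret if the current PCR equals the sealed one, else None."""
    key = hmac.new(SRK, current_pcr, hashlib.sha256).digest()
    tag = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong key, therefore wrong PCR, therefore platform state changed
    stream = _keystream(key + blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


# Constructed boot components standing in for the real images.
GOOD_BIOS = b"BIOS image 1.02 (constructed)"
MBR_CODE = b"MBR bootstrap code (constructed)"
BOOTMGR = b"Windows boot manager (constructed)"
IMPLANTED_BIOS = GOOD_BIOS + b" + flashed implant"

GOOD_PCR = measure_boot_chain([GOOD_BIOS, MBR_CODE, BOOTMGR])
BAD_PCR = measure_boot_chain([IMPLANTED_BIOS, MBR_CODE, BOOTMGR])


def demo() -> dict:
    """Seal under the clean chain, then try to unseal under three platform states."""
    blob = seal(b"volume master key (constructed)", GOOD_PCR)
    return {
        "clean_boot": unseal(blob, GOOD_PCR),
        "implanted_bios": unseal(blob, BAD_PCR),
        "reordered_chain": unseal(blob, measure_boot_chain([MBR_CODE, GOOD_BIOS, BOOTMGR])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'unsealed ' + result.decode() if result else 'REFUSED'}")
```

The design point this makes against the "secure place to store the hash" framing: nothing in the chain compares the BIOS hash with an expected value, and no flashable component holds the reference. Each stage only extends; the comparison is implicit, because data sealed under the clean PCR unseals only when the same components, in the same order, reproduce that PCR. A modified BIOS, or the same components measured in a different order, yields a different value and the unseal is refused.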

Re: Microsoft Security Essentials

Thanks

"FromTheRafters" wrote:
> RayLopez99 wrote:
>
> [...]
>
> > There should be something in Windows--this is a proposal not a
> > statement that this exists--that will tell you if the MBR has
> > changed, by comparison with a hash to a previous version.
>
> This is being done, but there are other considerations regarding the way
> it is being done and the consequences of other uses of the technology.
> See TPM.
>
> [...]
