Pulling out rogue software driver protection with Autoruns

Source: Internet
Author: User
1. Why can rogue software never be deleted?

Netizens often post that a file cannot be deleted, that a piece of rogue software cannot be cleaned out, or that the relevant files were deleted but immediately reappeared. Today's rogue software protects itself in every way it can: process protection, cross-infection, autostart, self-recovery, file hiding, process injection and driver protection. Of all these, the ultimate and most effective protection is at the driver level. Typically the software drops one or more .sys files into the drivers directory (I have also seen rundll32 used to run a .dll as a driver), but in every case it has to create an entry under HKLM\SYSTEM\CurrentControlSet\Services\ to get the driver loaded; CNNIC, for example, creates HKLM\SYSTEM\CurrentControlSet\Services\cdnprot. The entry is given a very early start order and is registered so that it loads even in Safe Mode (Windows decides what to load in Safe Mode from the service names and load groups listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, so the rogue driver lists itself there or joins a group that is already listed). This low-level driver filters all file and registry operations: when it sees an operation aimed at the rogue software's own files or registry keys it returns success to the caller without actually carrying it out, and if a file does get deleted it restores it from a backup copy or re-downloads it over the network. With protection at this level an ordinary user has no way to delete the files and generally has to boot to DOS to remove them. This is the cause of the haunting so many netizens describe: the file is deleted, or seems to be, and after a reboot it is back. What we want to do next is find the drivers that provide this protection in the background.

2. Why is driver protection hard to find?

Windows driver files normally live in System32\Drivers as .sys files and are started through HKLM\SYSTEM\CurrentControlSet\Services\. Drivers are therefore part of the services system, but while services are visible in the Windows Services MMC console, drivers are not shown there.
Windows itself ships around 200 files in the drivers directory, so a .sys file slipped in among them is hard to spot. Well-known names such as 3721's cnsminkp.sys and CNNIC's cdnprot.sys are easy enough to recognise, but many programs now use names that are not fixed or are randomly generated, which makes identification very difficult. Methods I have used:

1. Save a listing of the directory and compare the saved listing with a fresh one from time to time; a file that appears in one and not the other must be a problem.
2. Check the file's creation date. (Rogue software authors have thought of this too, so the date can only be used as a reference.)
3. Check the company information in the file's properties. Early on, more and more rogue drivers claimed to be from Microsoft, and some even misspelled the English words.
4. Use a folder monitoring tool.

All four have flaws and can only serve as references; none is very good. Some software now also hides its files through the file system, so the driver files cannot even be seen in Explorer.

3. How to find the suspicious driver?

Is there no better way? There is, and it is today's protagonist: Autoruns.

Name: Autoruns
URL: http://www.sysinternals.com/Utilities/Autoruns.html
Size: 326K, v8.53
Platform: Windows 95/98/2000/XP/2003
Nature: free software

Autoruns is a well-known small utility from Sysinternals whose main function is to list everything the system starts automatically. With it you can easily and very comprehensively see every location from which the system might start something. The tabs relevant to rogue software are Services, LSA Providers, Winsock Providers and Drivers; the following focuses on the Drivers tab. After starting Autoruns, open the Options menu and tick both "Verify Code Signatures" and "Hide Signed Microsoft Entries".
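The check that Autoruns performs on its Drivers tab can also be done by hand, which is useful when you want the list in a script or need to compare several machines. The following PowerShell is added here as a worked example; it is not part of the original article and not Autoruns code. It walks HKLM\SYSTEM\CurrentControlSet\Services as described in section 1, keeps only kernel-mode and file-system drivers, resolves each ImagePath to the .sys on disk, verifies the Authenticode signature, drops drivers whose signature is valid and whose signer is Microsoft (the equivalent of "Hide Signed Microsoft Entries"), and additionally flags drivers that are registered to load in Safe Mode. It assumes an elevated PowerShell 5.1 or later on a current Windows; the signer match on "O=Microsoft Corporation" is an assumption that simplifies the certificate-chain check Autoruns does.

```powershell
# Added example, not from the original article: list non-Microsoft or unsigned
# kernel drivers the way Autoruns' Drivers tab does with "Verify Code Signatures"
# and "Hide Signed Microsoft Entries" ticked. Run from an elevated PowerShell.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# Service names and group names listed here are what Windows loads in Safe Mode.
$safeBootEntries = foreach ($k in 'Minimal', 'Network') {
    (Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k" -ErrorAction SilentlyContinue).PSChildName
}

function Resolve-DriverPath([string]$ImagePath, [string]$Name) {
    # Driver ImagePath values come in several forms: '\SystemRoot\System32\drivers\x.sys',
    # 'System32\drivers\x.sys', '\??\C:\...\x.sys', or empty, in which case the kernel
    # defaults to System32\drivers\<ServiceName>.sys.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$results = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services.
    if ($null -eq $props -or $props.Type -notin 1, 2) { continue }

    $name   = $svc.PSChildName
    $path   = Resolve-DriverPath $props.ImagePath $name
    $signer = ''

    if (Test-Path -LiteralPath $path) {
        # Equivalent of "Verify Code Signatures".
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    } else {
        # Registered but not visible on disk: either stale, or hidden by a file filter.
        $status = 'FileMissing'
    }

    # Equivalent of "Hide Signed Microsoft Entries" (assumed heuristic on the subject).
    if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }

    # Loads in Safe Mode if its service name or its load group is in the SafeBoot lists.
    $safeMode = ($safeBootEntries -contains $name) -or
                ($props.Group -and ($safeBootEntries -contains $props.Group))

    $start = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }

    [pscustomobject]@{
        Service   = $name
        Start     = $start
        Group     = $props.Group
        SafeMode  = $safeMode
        ImagePath = $path
        Signature = $status
        Signer    = $signer
    }
}

$results | Sort-Object Start, Service | Format-Table -AutoSize
```

Two caveats when reading the output. First, on the old XP/2003 systems listed above, Get-AuthenticodeSignature does not consult the system catalogs in which genuine Windows drivers are signed, so OS drivers will show as NotSigned and the Microsoft filter will not remove them; Autoruns does its own catalog lookup, which is why it is the better tool there. Second, a driver that filters registry reads can hide its own Services key from this script exactly as it hides it from regedit, which is the article's reason for finishing the cleanup from an offline boot; a key that appears when the disk is read offline but not from the running system is itself strong evidence.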
"Verify Code Signatures" checks the digital signature of every .sys file listed under Drivers. Windows driver signing is designed to guarantee that a driver has been tested by Microsoft and meets its hardware compatibility requirements. "Hide Signed Microsoft Entries" hides those legitimate drivers; without it you would be looking at more than 200 entries and your head would spin. Autoruns goes through every entry registered as a driver and verifies the digital signature of each .sys file; everything with a forged signature or no signature at all is listed, so it is easy to tell which driver is the problem. If a problem driver is found, use IceSword (see "The first sharp weapon for removing rogue software: IceSword") to delete the related registry key and reboot, so that the driver protection no longer takes effect; the remaining files can then be deleted with a file deletion tool to finish the cleanup.

Summary:

1. Rogue software that cannot be removed, or that comes back, is usually protected by a driver or a service.
2. Use Autoruns to find the suspicious driver.
3. Use IceSword to delete the driver's registry key, or use a file shredder to delete the .sys file directly; after a reboot the driver no longer loads.
4. Clean up the remaining files to finish the job.

The above method has proved effective in many tests, though further hiding techniques that evade Autoruns' inspection cannot be ruled out in the future. The principle stays the same; the tool simply reduces the workload.

Responsible editor: Zhao Zhaoyi#51cto.com, TEL: (010) 68476636-8001
Original title: Pulling out rogue software driver protection with Autoruns