iamtheky

Trend Micro file and service protection questions

3 posts in this topic

A couple of protections I would like to see implemented in an AutoIt script:

1) Create a service (or services) that cannot be killed. A pair that watch each other is fine; I think TM may even have 3 or 4 that all do that.

2) There are folders with Everyone-Full Control ACLs. I'm admin, I can takeown, I can set myself as Full Control and delete the Everyone group. I cannot, however, rename, modify, nor delete any of these files or folders, how the crap? It even taunts me and says I have to ask my currently logged on account for permissions, and then denies me. If you can mimic that, that would be neat.






@iamtheky,

Four hours since your OP, still no response. That can either be because the dev/admin/mod teams are still fast asleep, or they are in total bewilderment as to what-the-hell-are-you-thinking.

You have been here long enough – and moreover, you are a sysadmin! – to know that what you are asking is straight-out malicious. That is obvious for your first comment, not so obvious but still true for the second one. And yes, even an enterprise the size of Microsoft can demonstrate behaviour that can be considered malicious by users and admins; see GWX and the Windows 10 upgrade promotion methods, for example.

Now let yourself contradict yourself:

4 hours ago, iamtheky said:

... I'm admin ... I cannot however rename, modify, nor delete any of these files or folders, how the crap? ... If you can mimic that, that would be neat.

You describe an annoying situation that someone imposed on you, then you want to reproduce it to impose it on your users as well?

As for the unstoppable service - how can that NOT be considered malicious?

Technically, a watchdog service/process can be easily circumvented (with adequate permissions) - by terminating the entire process tree, for example. The most "unstoppable" behaviour you can achieve is to write the service to run as a kernel driver. If you feel adventurous, by all means go ahead - no one will stop you.

But ethically, I doubt anyone here is able to assist you in clear conscience with any of your ideas.

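The gap both posts circle around, a DACL that reads Everyone: Full Control while an elevated administrator is still denied, can be made visible from an admin PowerShell prompt. This is an added diagnostic, not code from the thread or from Trend Micro; the folder path is a placeholder, and it assumes the enforcement happens below the ACL layer (typically a file-system minifilter, which `fltmc` lists).

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell prompt.
# $Path is a placeholder; point it at the folder whose ACL looks permissive but
# which still refuses rename/modify/delete.
param([string]$Path = 'C:\Program Files\PLACEHOLDER-AV')

# 1. What the DACL grants: this is the layer takeown/icacls can rewrite.
Write-Host "DACL entries for Everyone on $Path"
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -like '*Everyone*' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 2. What the system actually allows: create and remove a uniquely named empty
#    file. If the DACL were the whole story this always succeeds for an admin.
$probe = Join-Path -Path $Path -ChildPath ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
try {
    New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
    Remove-Item -Path $probe -ErrorAction Stop
    Write-Host 'Effective access matches the DACL: create and delete succeeded.'
} catch {
    # Access denied here, with a permissive DACL, means enforcement sits below
    # the security-descriptor check: a kernel component, not a permission.
    Write-Host "Denied despite the DACL: $($_.Exception.Message)"
}

# 3. Kernel components in the file-system path that can veto the operation
#    regardless of ACLs: loaded minifilters, listed highest altitude first.
Write-Host 'Loaded file-system minifilters:'
fltmc filters
```

If step 2 is denied while step 1 shows Full Control, the ACL editor is the wrong tool; the vendor's own console or uninstaller is the supported way to change that behaviour.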

#3 · Posted (edited)

You misunderstand. AV is not malicious, nor is building watchdog services or cacls. I have many, many ways to do this, but was wondering if anyone knows this particular mechanism.

This is academic; I only point out that I am admin in that I could undo this with napalm if desired. If a mod deems that an answer to this could be used maliciously they will lock it, but thank you for your concern and you may want to read this:

Edited by iamtheky

