Jump to content

Trend Micro file and service protection questions

iamtheky
 Share

Recommended Posts

iamtheky Universalist

iamtheky

Posted
Posted

A couple of protections i would like to see implemented in an AutoIt script:

1) Create a service(s) that cannot be killed.  A pair that watch each other is fine, i think tm may even have 3 or 4 that all do that. 

2) There are folders with Everyone-Full Control acls.  I'm admin,  I can takeown, i can set myself as Full control and delete the everyone group.  I cannot however rename, modify, nor delete any of these files or folders, how the crap?  It even taunts me and says I have to ask my currently logged on account for permissions, and then deny me.  If you can mimic that, that would be neat. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
orbs Universalist

orbs

Posted
Posted

@iamtheky,

four hours since your OP, still no response.  that can either be because the dev/admin/mod teams are still fast asleep, or they are in total bewilderment as to what-the-hell-are-you-thinking.

You have been here long enough – and moreover, you are a sys.admin! – to know that what you are asking is straight-out malicious. that is obvious for your first comment, not so obvious but still true for the second one. and yes, even an enterprise the size of Microsoft can demonstrate behaviour that can be considered malicious by users and admins, see GWX and Windows 10 upgrade promotion methods, for example.

Now let yourself contradict yourself:

4 hours ago, iamtheky said:

...  I'm admin ...  I cannot however rename, modify, nor delete any of these files or folders, how the crap?  ...  If you can mimic that, that would be neat.

you describe an annoying situation that someone imposed on you, then you want to reproduce it to impose it on your users as well?

as for the unstoppable service - how can that NOT be considered malicious?

technically, a watchdog service/process can be easily circumvented (with adequate permissions) - by terminating the entire process tree, for example. the most "unstoppable" behaviour you can achieve is to write the service to run as a kernel driver. if you feel adventurous, by all means go ahead - no one will stop you.

but ethically, i doubt anyone here is able to assist you in clear conscience with any of your ideas.

Signature - my forum contributions:

Spoiler

UDF:

LFN - support for long file names (over 260 characters)

InputImpose - impose valid characters in an input control

TimeConvert - convert UTC to/from local time and/or reformat the string representation

AMF - accept multiple files from Windows Explorer context menu

DateDuration -  literal description of the difference between given dates

Apps:

Touch - set the "modified" timestamp of a file to current time

Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes

SPDiff - Single-Pane Text Diff

 

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
  • Author
Posted (edited)

you misunderstand.  AV is not malicious, nor is building watchdog services or cacls.  I have many, many ways to do this, but was wondering if anyone knows this particular mechanism.

This is academic, I only point out that I am admin, in that I could undo this with Napalm if desired.  If a mod deems that an answer to this could be used maliciously they will lock it, but thank you for your concern and you may want to read this:

 

 

Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...