Re: Windows 2000 WFP
- From: "Rick Kingslan [MSFT]" <rickk.microsoft.com@xxxxxxxxx>
- Date: Thu, 25 Aug 2005 21:46:24 -0700
Jim,
What you see happening is interesting. I haven't been able to duplicate the behavior, but I won't say it's not possible for another system .exe (which, strangely - calc.exe is a system .exe, as is notepad.exe) to 'masquerade' as another .exe.
However, because part of the Windows File Protection mechanism is to use a cryptographic signature to validate files, I can see that a renamed notepad.exe to calc.exe could be interpreted as a valid system file by WFP - because - in all honesty it *IS* a valid system file.
What I can say is that unless an attacker can cryptographically spoof a file to appear like a protected file (through the validation engine) the likelihood of being able to use a trojan file to replace a file in the WFP cache (or, dllcache) is really remote.
Rick
-----Original Message-----
From: Jim Nugent
Posted At: Wednesday, August 17, 2005 8:55 AM
Posted To: microsoft.public.win2000.setup_upgrade
Conversation: Windows 2000 WFP
Subject: Re: Windows 2000 WFP
Thanks, Dave.
It sounds like WFP simply consults the dllcache and servicepackfiles
directories. Thinking that to be rather non-robust, I decided on an
experiment -- dropping a replacement file into dllcache. But first I just
wanted to verify that things were working properly: I made a copy of
notepad.exe on my desktop, and renamed it to calc.exe. Then copied and
pasted the "bogus" calc.exe into c:\winnt\system32.
1. It stayed there, and clicking on it brought up notepad.
2. It copied the bogus calc.exe into dllcache!
I noted that if I DELETE the file from system32, it will pull it from
dllcache, but not if I replace it. Assuming malware or a misguided install
tries to replace a system file, I find this behavior analogous to the
following:
1. WFP does not restore modified system file = watchdog is sound asleep.
2. WFP(?) copies modified file into dllcache = watchdog comes running to
thief with your wallet in its mouth.
What am I missing? Do you have to run SFC to get WFP to act?
--
Jim
"Be right back... Godot"
"Dave Patrick" <DSPatrick@xxxxxxxxxxxxxxxx> wrote in message
news:OmMJjmtoFHA.2976@xxxxxxxxxxxxxxxxxxxxxxx
> When updates are installed the \servicepackfiles and \dllcache folders are
> updated with the new versions. SFC pulls from these.
>
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_protection.mspx
>
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Jim Nugent" wrote:
> | In all my W2k research, I have never come across what it is (catalog?
> | database?) that WFP consults to determine if a system file is the "correct
> | one." Obviously, msi files have to update this information since they are
> | allowed to replace these files.
> |
> | But how can I repair it if something goes wrong? For example, if I were to
> | do an sfc /scannow right now, I believe it would "break" some hot fixes by
> | undoing some file replacements. I'd like to tell it what I believe to be the
> | correct files. How do I do that?
> | --
> | Jim
> | "Be right back... Godot"
> |
> |
>
>
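An added check, not part of the thread, for the case Rick and Jim describe above: a signature-valid system binary (notepad.exe) copied into system32 under another name (calc.exe). It assumes a PowerShell host with Get-AuthenticodeSignature and Get-FileHash available (not a Windows 2000 box); the C:\WINNT paths are the thread's and can be replaced with $env:SystemRoot.

```powershell
# Added example (not the thread's own code). Checks one system32 executable
# three ways: signature validity, PE identity, and agreement with dllcache.
param(
    [string]$FileName = 'calc.exe',
    [string]$System32 = 'C:\WINNT\system32',             # assumed path from the thread
    [string]$DllCache = 'C:\WINNT\system32\dllcache'     # assumed path from the thread
)

function Test-SystemFileIdentity {
    param([string]$FileName, [string]$System32, [string]$DllCache)

    $live   = Join-Path $System32 $FileName
    $cache  = Join-Path $DllCache $FileName
    $result = [ordered]@{ File = $live; Findings = @() }

    if (-not (Test-Path $live)) {
        $result.Findings += 'missing from system32'
        return [pscustomobject]$result
    }

    # 1. Signature check. A renamed notepad.exe still reports Valid here,
    #    which is Rick's point: a valid signature is not the same as identity.
    $sig = Get-AuthenticodeSignature -FilePath $live
    $result.Signature = $sig.Status
    if ($sig.Status -ne 'Valid') { $result.Findings += "signature status $($sig.Status)" }

    # 2. Identity check. The PE version resource carries the name the binary
    #    was built with; notepad.exe saved as calc.exe reports NOTEPAD.EXE.
    #    -ne is case-insensitive in PowerShell, so CALC.EXE matches calc.exe.
    $orig = (Get-Item $live).VersionInfo.OriginalFilename
    $result.OriginalFilename = $orig
    if ($orig -and ($orig.Trim() -ne $FileName)) {
        $result.Findings += "OriginalFilename '$orig' does not match '$FileName'"
    }

    # 3. Cache consistency. In Jim's experiment the bogus file was copied into
    #    dllcache too, so this check alone would pass; hence check 2 above.
    if (Test-Path $cache) {
        $liveHash  = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
        $cacheHash = (Get-FileHash -Algorithm SHA256 -Path $cache).Hash
        $result.MatchesDllCache = ($liveHash -eq $cacheHash)
        if (-not $result.MatchesDllCache) { $result.Findings += 'differs from dllcache copy' }
    }

    [pscustomobject]$result
}

Test-SystemFileIdentity -FileName $FileName -System32 $System32 -DllCache $DllCache | Format-List
```

An empty Findings list means the file is signed, carries its own name in its version resource, and matches the cached copy; any entry is worth comparing against the servicepackfiles copy before trusting sfc to restore it.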