security, ACLs
Is it possible to build in the capacity to deny System access?
Sure would be handy for fighting malware.
What exactly are you thinking about?
Editing the ACLs?
Blocking usage of bad files by removing the according access types?
This could get difficult, since most of the bad processes are running under the user account, so just blocking System access wouldn't do. But maybe changing the access types to "see and delete" only?
I haven't written the code to manipulate ACLs yet, but it should not be too difficult... I'll need to think about it (and find a free minute to code ;) ).
I'm just starting to understand the basics.
So far no luck in denying just System, BUT I can goof up ACLs really easy :)
On NTFS systems I can defeat Vundo and L2M with this script:
@echo off
rem Put XCACLS.exe into System32 if it is not already there, so the calls below find it.
if not exist "%WinDir%\System32\XCACLS.exe" copy XCACLS.exe "%WinDir%\System32" >nul
rem /P replaces the whole ACL with the entry given, so only ADMINISTRATOR keeps any access
rem (System and the user account lose it); /Y skips the confirmation prompt.
XCACLS l2m1.DLL /P ADMINISTRATOR:F /Y
XCACLS l2m2.DLL /P ADMINISTRATOR:F /Y
XCACLS l2m3.DLL /P ADMINISTRATOR:F /Y
XCACLS guard.tmp /P ADMINISTRATOR:F /Y
Modify and run this batch, then delete the files:
@echo off
rem /E edits the existing ACL instead of replacing it, /G grants the listed rights,
rem /T walks a directory tree (harmless on a single file), /C continues past errors, /Y skips the prompt.
xcacls l2m1.DLL /T /E /G System:F Administrators:F /C /Y
xcacls l2m2.DLL /T /E /G System:F Administrators:F /C /Y
xcacls l2m3.DLL /T /E /G System:F Administrators:F /C /Y
XCACLS guard.tmp /T /E /G System:F Administrators:F /C /Y
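As an added example, not code from this thread or from FileAlyzer, here is a PowerShell equivalent of the xcacls lock/restore pair above: it saves the file's current DACL, strips inheritance and the existing entries, leaves Administrators with full control (so the file can still be deleted) and adds an explicit Deny on read and execute for Everyone, which covers System as well. The file path, the backup file name and the account names are assumptions.

```powershell
# Added example (not part of the thread or FileAlyzer). Quarantine-locks a suspect file
# by ACL and restores the original DACL afterwards. Requires WRITE_DAC on the file
# (normally: run from an elevated prompt).
function Lock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $backup = "$Path.acl.sddl"                 # assumption: backup lives next to the file
    $acl = Get-Acl -LiteralPath $Path

    # 1. Save the current security descriptor as SDDL so the change can be undone.
    $acl.Sddl | Set-Content -LiteralPath $backup -Encoding ASCII

    # 2. Stop inherited entries from applying; do not copy them into the file's own ACL.
    $acl.SetAccessRuleProtection($true, $false)

    # 3. Drop every explicit entry that is still there.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # 4. Administrators keep full control, so the file can still be renamed or deleted.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))

    # 5. Explicit Deny on ReadData and ExecuteFile for Everyone. Deny entries are checked
    #    before Allow entries, so no process (SYSTEM included) can read or map the file.
    #    Only these two rights are denied so that DELETE and Synchronize stay available.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ReadData, ExecuteFile', 'Deny')))

    Set-Acl -LiteralPath $Path -AclObject $acl
    return $backup
}

function Unlock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $backup = "$Path.acl.sddl"
    $sddl = (Get-Content -LiteralPath $backup -Raw).Trim()
    $acl = Get-Acl -LiteralPath $Path
    # Restore only the DACL section; owner and group are left untouched, so this does
    # not need SeRestorePrivilege.
    $acl.SetSecurityDescriptorSddlForm($sddl,
        [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (hypothetical path):
#   Lock-SuspectFile   -Path 'C:\Quarantine\l2m1.dll'
#   Unlock-SuspectFile -Path 'C:\Quarantine\l2m1.dll'
```

Run Lock-SuspectFile before deleting or submitting the file, and Unlock-SuspectFile if the file turns out to be legitimate; the saved `.acl.sddl` file is the only record of the original permissions.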
Goofing up isn't a problem for me either :D
Anyway... the code to manipulate ACLs was already there, I just forgot where I used it before :rolleyes:
So next release will have that function.
And the next version will have a page showing Authenticode certificates...
Looking forward to it.
Ok, I've just uploaded new versions of RunAlyzer, RegAlyzer and of course FileAlyzer, the latter one including a plaintext ACL preview as well as a simple ACL editor window.
I'm not seeing an editor, I must be blind.
Edit: I see it now
Hmmm sorry, you're right, it's quite hidden :rolleyes:
That was more or less a debug measure, but I grew so accustomed to it that I didn't think about it not being in plain sight :D
For everyone else looking for it: just click on the plaintext ACL text.
Patric, thanks for the new tool.
But it's sort of hard to see, I think.
I have to ask next :)
Eventually, can you make it so we can call FileAlyzer and modify ACLs from a batch?
Did you intentionally include the r/click "create detection rule" in this new version?
I hadn't noticed; that could have been in prior versions as well?