Why does sb want to read winlogon.exe and does it matter if this request is denied?
Hello.
Originally Posted by tomoz
Spybot-S&D scans for the Winlogon Hijacker, not the legitimate Windows Logon (winlogon.exe) process.
http://www.safer-networking.org/en/u...004-09-30.html
Did a scan show an infection?
2004-09-30
Hijacker
+ CleverIEHooker.Jeired + Winlogon ++ Winhlp
Microsoft MVP Reconnect 2018-
Windows Insider MVP 2016-2018
Microsoft Consumer Security MVP 2006-2016
Tashi, this happens when I open SB not during the scan.
The scan does not show up any malware at all.:D
Good.
Originally Posted by tomoz
Could you explain in more detail please?
Originally Posted by tomoz
Thanks.
Microsoft MVP Reconnect 2018-
Windows Insider MVP 2016-2018
Microsoft Consumer Security MVP 2006-2016
Originally Posted by Tashi
Could you explain in more detail please?
I am using Process Guard to prevent services from being started on my PC without my knowledge or permission. The default setting for winlogon.exe is to prevent any program from reading winlogon.exe. The reason being:
If winlogon.exe is protected from READ access then most methods used to disable Windows File Protection (WFP) will not work anymore. If WFP is disabled then system files can be replaced on your system, which could lead to the system being severely compromised.
It appears to me that Spybot attempts to read winlogon.exe each time I start it. When I deny the "read", the scan still works fine but I am unsure if some other "behind the scene" function of Sb may be negatively affected possibly causing later problems?
If you know what's causing the alert, i.e. SpyBot, why do you deny it?
Guess I will have to install Process Guard when time permits.
Originally Posted by Lonny
If you know what's causing the alert, i.e. SpyBot, why do you deny it?
In this case, working from a new clean PC, I am not particularly worried. However, in general many programs ask for all kinds of permissions that they do not necessarily need. From a security point of view, giving blanket permissions even to "good" programs increases the risk, as some nasty intruder may manage to infiltrate "good" programs.
As an analogy, you may give the keys to your house to a friend but he does not really need the combination to your safe:D
tomoz:
Can you show us the message/dialog that you are getting?
I can find no indication that SpybotSD.exe is attempting to read winlogon.exe when it loads.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Please see attached
Hope you can read it.
As I guessed, this is simply a case of SpybotSD.exe reading the winlogon.exe file at startup, likely to determine whether it might have been replaced by malware in an attempt to compromise the system. In any case, a simple read of the file can't cause a problem, and blocking it simply removes Spybot's ability to verify that the file is safe.
To echo Lonny's question, why would you deny Spybot? Your answer implies that any access by any program could allow malware to take root. However, what is really required is that the malware be given access itself, which in theory would display in ProcessGuard as a direct attempt by a malware executable to modify or delete a file.
A quick look at the ProcessGuard FAQ reinforces these same sentiments:
Why isn't Read access blocked by default?
Reading-based attacks are extremely rare so protection isn't often needed, but ProcessGuard provides the ability to protect against reading simply for completeness of its feature set. Only advanced users who understand what they're doing should block Read access.
In general, the best course of action is to allow all trusted applications whatever access they require, since you really have no criteria upon which to base the blocking of a trusted app. If, on the other hand, an unknown and unrequested application starts to execute, say when you are browsing a new web site, it might be appropriate to block the attempt at least until you are made aware of its purpose.
ProcessGuard is giving me alerts, is my system infected?
Not all alerts ProcessGuard shows are related to infections or malicious software. Some valid programs need certain privileges that ProcessGuard can restrict. It is up to you, the user, to know whether you trust a certain application. If you are unsure about the application then it would be best to leave ProcessGuard as it is, protecting you from whatever the application is doing. Otherwise, if you know and trust the application, then give it the privileges it desires.
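The kind of read-only integrity check the last post describes (open winlogon.exe for reading, never for writing, and decide whether it has been swapped), as an added example that is not from this thread, from Spybot-S&D or from ProcessGuard. It hashes the live file with read/share-read access only, asks for its Authenticode status, and compares the hash with the copy WFP keeps in %SystemRoot%\System32\dllcache; the dllcache path and the Microsoft-signed expectation are assumptions that hold for XP-era WFP and may not on later Windows.

```powershell
# Added example (not from the thread, Spybot or ProcessGuard): verify winlogon.exe
# using READ access only, the way an integrity scanner would. Assumptions: the file
# lives at %SystemRoot%\System32\winlogon.exe and WFP keeps a protected copy in
# %SystemRoot%\System32\dllcache (XP-era WFP; the cache may be absent elsewhere).

function Get-Sha256Hex {
    param([string]$Path)
    # FileAccess::Read plus FileShare::ReadWrite: we never request write access and
    # never take a lock that would interfere with the running system.
    $fs = [System.IO.File]::Open($Path,
                                 [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read,
                                 [System.IO.FileShare]::ReadWrite)
    try {
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash($fs)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally {
        $fs.Dispose()
    }
}

function Test-WinlogonIntegrity {
    $target = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $cache  = Join-Path $env:SystemRoot 'System32\dllcache\winlogon.exe'  # assumed WFP cache

    $sig = Get-AuthenticodeSignature -FilePath $target

    $result = @{
        Path            = $target
        Sha256          = Get-Sha256Hex $target
        SignatureStatus = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject
        MatchesWfpCache = 'n/a'                  # stays n/a when no dllcache copy exists
    }

    if (Test-Path $cache) {
        $result.MatchesWfpCache = ($result.Sha256 -eq (Get-Sha256Hex $cache))
    }

    # What a read-only check can establish: either the binary carries a valid
    # signature, or it is byte-identical to the protected copy. Anything else
    # (bad signature, hash mismatch against dllcache) is worth investigating.
    $signedOk = ($result.SignatureStatus -eq 'Valid')
    $cacheOk  = ($result.MatchesWfpCache -eq $true)
    $result.Verdict = if ($signedOk -or $cacheOk) { 'OK' } else { 'INVESTIGATE' }

    New-Object PSObject -Property $result
}

Test-WinlogonIntegrity | Format-List Path, Sha256, SignatureStatus, Signer, MatchesWfpCache, Verdict
```

Two caveats for reading the output. On XP most system binaries are catalog-signed rather than carrying an embedded signature, so older PowerShell reports NotSigned for winlogon.exe even when it is genuine; on that platform the dllcache comparison is the decisive test, and a read-blocking rule in ProcessGuard would deny exactly this kind of check. Nothing in the script needs write access, which is the point the thread arrives at: the operation that would actually replace a protected file shows up as a write or delete, not a read.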