read winlogon.exe
- Thread starter tomoz
- Start date
tashi
Member of Team Spybot
Hello.
Spybot-S&D scans for the Winlogon Hijacker, not the legitimate Windows Logon (winlogon.exe) process.
http://www.safer-networking.org/en/updatehistory/2004-09-30.html
Did a scan show an infection?
tomoz said:
Spybot-S&D scans for the Winlogon Hijacker, not the legitimate Windows Logon (winlogon.exe) process.
http://www.safer-networking.org/en/updatehistory/2004-09-30.html
Did a scan show an infection?
I am using Process Guard to prevent from services being started on my pc without my knowledge or permission. The default setting for winlogon.exe is to prevent any program to read winlogon.exe. The reason being:
If winlogon.exe is protected from READ access then most methods used to disable Windows File Protection (WFP) will not work anymore. If WFP is disabled then system files can be replaced on your system, which could lead to the system being severly compromised.
It appears to me that Spybot attempts to read winlogon.exe each time I start it. When I deny the "read", the scan still works fine but I am unsure if some other "behind the scene" function of Sb may be negatively affected possibly causing later problems?
LonnyRJones
Security Expert-Emeritus
If you know what's cousing the alert, ie SpyBot why do you deny it ?
Guess i will have to intall Process Guard when time permits.
Guess i will have to intall Process Guard when time permits.
In this case working from a new clean pc, I am not particularly worried. However in general many programs ask for all kinds of permissions that they do not necessarily need. From a security point of view, given blanket permissions even to "good" programs increases the risk as some nasty intruder may manage to infiltrate "good" progs.
As an analogy, you may give the keys to your house to a friend but he does not really need the combination to your safe
md usa spybot fan
Spybot Advisor Team [Retired]
tomoz:
Can you show us the message/dialog that you are getting?
I can find no indication that SpybotSD.exe is attempting to read winlogon.exe when it loads.
Can you show us the message/dialog that you are getting?
I can find no indication that SpybotSD.exe is attempting to read winlogon.exe when it loads.
As I guessed, this is simply a case of SpybotSD.exe reading the Winlogin.exe file at startup, likely to determine whether it might have been replaced by malware in an attempt to compromise the system. In any case, a simple read of the file can't cause a problem and blocking it simply removes Spybot's ability to verify that the file is safe.
To echo Lonny's question, why would you deny Spybot? Your answer implies that any access by any program could allow malware to take root. However, what is really required is that the malware be given access itself, which in theory would display in ProcessGuard as a direct attempt by a malware executable to modify or delete a file.
A quick look at the ProcessGuard FAQ reinforces these same sentiments:
In general, the best course of action is to allow all trusted applications whatever access they require, since you really have no criteria upon which to base the blocking of a trusted app. If, on the other hand, an unknown and unrequested application starts to execute, say when you are browsing a new web site, it might be appropriate to block the attempt at least until you are made aware of its purpose.
To echo Lonny's question, why would you deny Spybot? Your answer implies that any access by any program could allow malware to take root. However, what is really required is that the malware be given access itself, which in theory would display in ProcessGuard as a direct attempt by a malware executable to modify or delete a file.
A quick look at the ProcessGuard FAQ reinforces these same sentiments:
In general, the best course of action is to allow all trusted applications whatever access they require, since you really have no criteria upon which to base the blocking of a trusted app. If, on the other hand, an unknown and unrequested application starts to execute, say when you are browsing a new web site, it might be appropriate to block the attempt at least until you are made aware of its purpose.
Bitman,
I freely admit that I am not enough techy to understand the inner workings of PG or the registry. I am quite happy to leave things on default in general though I try to follow the advice to learn more.
The point you misunderstood though is that winlogon.exe is by default protected from reading. Your quote re read access must refer to other programs, but if you look at http://www.diamondcs.com.au/pgdb/index.php?whatis=winlogon.exe you will see that it does not normally refer to this file.
I freely admit that I am not enough techy to understand the inner workings of PG or the registry. I am quite happy to leave things on default in general though I try to follow the advice to learn more.
The point you misunderstood though is that winlogon.exe is by default protected from reading. Your quote re read access must refer to other programs, but if you look at http://www.diamondcs.com.au/pgdb/index.php?whatis=winlogon.exe you will see that it does not normally refer to this file.
Let me make this simple; Don't block anything that an application you trust is attempting to do. If you do it is only likely to create a problem for you.
The key sections of the two ProcessGuard FAQ entries I posted are:
The key sections of the two ProcessGuard FAQ entries I posted are:
The most fundamental statement I can make is that using a security application you don't understand is as dangerous as not having one at all.