Theoretical attack methods to defeat TF (?)



solcroft
09-07-2007, 03:53 PM
In brief...

1. Assume a malware drops files hidden in the NTFS ADS, which it then executes. How would TF handle this? Would TF be capable of removing the hidden file and quarantine it, or would it simply quarantine the host file? Or, in the worst case scenario, TF would be unable to locate the hidden file?

2. Attached is a small test program I came across, which demonstrates a very interesting method of protecting its process from termination. It resisted everything I could throw at it, even GMER and IceSword (:eek: !!!) - the only way to be able to terminate it seems to be to prevent it from modifying the system core center in the first place. How well would TF be able to handle malware that used the same process protection methods?
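The first question asks how a product would locate a payload hidden in an NTFS alternate data stream. The following PowerShell script is an added example for this thread (not code from the original post, nor from ThreatFire or any other product) showing the defender's side of that question: walking a directory tree and listing every stream other than the default unnamed `$DATA` stream, so a hidden stream is at least visible and can be removed. It assumes Windows with PowerShell 3.0 or later (where `Get-Item -Stream` and `Remove-Item -Stream` exist); the start directory `C:\Users\Public` is a hypothetical default.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a directory and report any stream other than the default ':$DATA'.
# Assumes PowerShell 3.0+ on Windows (Get-Item -Stream / Remove-Item -Stream).
param(
    [string]$Root = 'C:\Users\Public',   # hypothetical start directory
    [switch]$Remove                       # delete flagged streams only when asked
)

$findings = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # ':$DATA' is the unnamed default stream every file has; anything else is an ADS.
        # Single quotes keep PowerShell from expanding $DATA as a variable.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

foreach ($s in $findings) {
    # 'Zone.Identifier' is the normal mark-of-the-web written by browsers and mail
    # clients, so it is reported as benign; any other named stream is flagged for review.
    $note = if ($s.Stream -eq 'Zone.Identifier') { 'benign (mark-of-the-web)' } else { 'review' }

    [pscustomobject]@{
        File   = $s.FileName
        Stream = $s.Stream
        Bytes  = $s.Length
        Note   = $note
    }

    # Removing the stream leaves the host file's main content untouched, which is
    # the behaviour the question above asks about (quarantine the stream, not the host).
    if ($Remove -and $s.Stream -ne 'Zone.Identifier') {
        Remove-Item -LiteralPath $s.FileName -Stream $s.Stream
    }
}
```

Run it as `.\Find-Ads.ps1 -Root D:\Share` to list streams, and add `-Remove` once the report has been reviewed. The `FileName`, `Stream` and `Length` properties come from the `AlternateStreamData` objects the FileSystem provider returns for `-Stream *`; the same streams can be confirmed from a plain command prompt with `dir /r`, which prints each stream's name and size beside its host file.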

19monty64
09-08-2007, 09:00 PM
Have you tested against any others besides the two that you mention? I would be interested in your findings!