dellyfry

Lock down of certain registry entries

Much of the malware today is hijacking the exefile value in the registry. When the malware component in question is removed and the offending registry entry is not repaired, it can cause issues in trying to execute any *.exe file on the next reboot.

Case in point - SAS recently removed a malware file cftmon.exe that had hijacked the exefile extension, but did not repair the value after removal - so on the next reboot, the system was unable to open any program.

SuperAntiSpyware already locks down the homepage from tampering. Why not add the ability to lock certain parts of the registry down from tampering - such as the exefile value? Any changes to the entry would have to be cleared by the user or denied outright.

:)

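One way to turn the request above into a concrete check, as an added example rather than code from this thread or from SUPERAntiSpyware: a PowerShell script that audits the registry values deciding how a *.exe is launched against the stock Windows defaults, reports anything that differs (a hijacked command value, or a per-user override that shadows the machine-wide one), and, only when run with -Repair, puts the defaults back. The key paths and their default values are the standard Windows ones; the -Repair switch and the script structure are this example's own assumptions.

```powershell
<#
  Added example (not part of the forum thread or SUPERAntiSpyware).
  Audits the registry values that control how *.exe files are launched and
  optionally restores the Windows defaults. Writing the HKLM keys needs an
  elevated prompt; the HKCU keys can be inspected and cleaned by the user.
#>
[CmdletBinding()]
param(
    [switch]$Repair   # without this switch the script only reports
)

# Expected default values on a stock Windows install.
$Expected = @{
    'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
}

# Per-user keys take precedence over HKLM in the merged HKCR view, so a hijack
# planted here needs no admin rights. These keys are normally absent.
$UserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$findings = @()

foreach ($path in $Expected.Keys) {
    $actual = Get-DefaultValue -Path $path
    if ($actual -ne $Expected[$path]) {
        $findings += [pscustomobject]@{
            Key      = $path
            Expected = $Expected[$path]
            Actual   = $actual
        }
        if ($Repair) {
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $Expected[$path]
        }
    }
}

foreach ($path in $UserOverrides) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{
            Key      = $path
            Expected = '<absent>'
            Actual   = Get-DefaultValue -Path $path
        }
        if ($Repair) {
            # Removing the per-user override lets the HKLM default apply again.
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'exefile association matches the Windows defaults.'
} else {
    $findings | Format-Table -AutoSize
    if ($Repair) { Write-Output 'Defaults restored.' }
}
```

Run it without arguments after a cleanup to see whether the association was left broken (the symptom described in the first post is exactly a command value that no longer points at "%1"); run it with -Repair from an elevated prompt to restore the defaults. Scheduling the report-only mode, or comparing its output over time, is the lightweight form of the "lock down" the post asks for: it does not block writes, but it makes any change to these values visible to the user immediately rather than on the next reboot.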

The problem with that is that users don't know what is OK and what is not... we are adding some new repairs to handle some of these issues.


I can see your point. However, do you know of any legitimate programs that modify these values? I can't think of one... other than malware. Maybe it could be locked down without any user interaction?

Either way, I'm sure you have something up your sleeve... :)

Keep up the good work.
