Friday, May 7, 2010

Kudos to MSFT for Real Time Files Monitor - Windows XP Security

Acronyms & Abbreviations
SP2 - Service Pack 2
WTM - Windows Task Manager
WFP - Windows File Protection
CPU - Central Processing Unit
MSFT - Microsoft

Introduction
One of our test computer systems is running Windows XP SP2 and had recently become sluggish. When we looked at the process list in the WTM, the application/process wuauclt.exe was running "fast and furious", essentially monopolizing the CPU time. A quick web search indicated that this program is a standard Windows application that has occasionally been a source of concern to other users. Because of our issue - a sluggish test box - and because the task manager pointed to this application as the likely cause, we decided to delete the program anyway.

The "Discovery"
It was during the deletion process that we discovered something we hadn't noticed before, something that had been quietly working as a security measure all along - the Windows File Protection facility. Here is the sequence of events:

1. Searched for and found all occurrences of wuauclt*.* on the system. Our search returned:
   WINDOWS\system32\dllcache\wuauclt.exe
   WINDOWS\ServicePackFiles\i386\wuauclt.exe
   WINDOWS\system32\wuauclt.exe
   WINDOWS\system32\wuauclt1.exe
2. In the WTM, the wuauclt.exe process was ended.
3. The files returned in Step 1 above were deleted.
4. A message box titled Windows File Protection then popped up: "Files that are required for Windows to run properly have been replaced by unrecognized versions..." See image below.
Windows File Protection message box: warning about OS file tampering
When we clicked Cancel, the following message box appeared:

Windows File Protection message box: warning that the tampered OS file was not restored
The Take Away
While we chose to delete and not restore as prompted on this occasion, the takeaway for us is the comfort of knowing that Windows File Protection exists and works in near real time to monitor essential OS files. This is a good security measure, and for it kudos to MSFT. While we have not spent the time to fully understand all the functions of the protection facility, it is safe to infer, based on this encounter, that an attacker (malware) cannot easily overwrite or delete any file under the WFP facility without the action being logged or generating an alert; hence the malware would have to write to a different directory or use a different filename.
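The point above - that tampering with a protected file leaves a trail even when the user clicks Cancel - is worth turning into a check a defender can actually run. The following is an added example, not code from the original post or from Microsoft. It parses a few constructed System event log records (exported as comma-separated text) and flags Windows File Protection activity, reporting per file whether the last WFP event says the file was restored. The source name "Windows File Protection" and the event IDs 64001 (file replaced and restored from the cache) and 64004 (file replaced but not restored) are assumptions from memory, not values taken from the post; confirm them against a real XP System log before relying on them.

```python
"""
Added example (not from the original post): scan exported Windows XP System
event log records for Windows File Protection (WFP) events and summarize,
per protected file, whether WFP reports it as restored or not.

Assumptions (not from the post; verify against a real System log):
  - WFP records land in the System log with source "Windows File Protection".
  - Event ID 64001: a protected file was replaced and restored from the cache.
  - Event ID 64004: a protected file was replaced and could NOT be restored
    (for example, because the user cancelled the prompt).
Any other WFP event ID is treated as "needs review" (not restored).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WFP_SOURCE = "Windows File Protection"
WFP_RESTORED = 64001        # assumed ID: file restored from dllcache
WFP_NOT_RESTORED = 64004    # assumed ID: file not restored

# Constructed sample export, one record per line: "timestamp,source,event id,message".
# These lines are made up for this example; they are not real log output.
SAMPLE_LOG = """\
2010-05-07 10:12:01,Service Control Manager,7036,The Automatic Updates service entered the running state.
2010-05-07 10:15:44,Windows File Protection,64001,File replacement was attempted on the protected system file c:\\windows\\system32\\wuauclt.exe. This file was restored to the original version to maintain system stability.
2010-05-07 10:16:02,Windows File Protection,64004,The protected system file c:\\windows\\system32\\wuauclt.exe could not be restored to its original, valid version.
2010-05-07 10:20:13,Tcpip,4201,The system detected that a network adapter was connected to the network.
"""

# Drive-letter path following the phrase WFP uses in its messages (assumed wording).
PATH_RE = re.compile(r"protected system file ([a-z]:\\[^\s,]+)", re.IGNORECASE)


@dataclass
class WfpAlert:
    timestamp: str
    event_id: int
    path: Optional[str]   # lower-cased path of the protected file, if found
    restored: bool        # True only for the assumed "restored" event ID


def parse_record(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Split one exported record; the message is the last field and may itself contain commas."""
    parts = line.split(",", 3)
    if len(parts) != 4:
        return None
    timestamp, source, event_id, message = parts
    try:
        return timestamp, source, int(event_id), message
    except ValueError:
        return None


def extract_path(message: str) -> Optional[str]:
    """Pull the protected file path out of the message text, dropping a trailing sentence period."""
    match = PATH_RE.search(message)
    return match.group(1).rstrip(".").lower() if match else None


def find_wfp_alerts(log_text: str) -> List[WfpAlert]:
    """Return every WFP record in the export, in the order it appears."""
    alerts: List[WfpAlert] = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        timestamp, source, event_id, message = record
        if source != WFP_SOURCE:
            continue
        alerts.append(WfpAlert(timestamp, event_id,
                               extract_path(message),
                               restored=(event_id == WFP_RESTORED)))
    return alerts


def summarize(alerts: List[WfpAlert]) -> Dict[str, bool]:
    """Map each protected file to the restored flag of its latest WFP event (input assumed chronological)."""
    state: Dict[str, bool] = {}
    for alert in alerts:
        if alert.path:
            state[alert.path] = alert.restored
    return state


if __name__ == "__main__":
    found = find_wfp_alerts(SAMPLE_LOG)
    for alert in found:
        print(f"{alert.timestamp}  event {alert.event_id}  {alert.path}  restored={alert.restored}")
    for path, restored in summarize(found).items():
        print(f"{path}: {'restored' if restored else 'NOT restored - review this file'}")
```

The useful output is the summary: a file whose most recent WFP event is a "not restored" one is exactly the state the post reached after clicking Cancel, and it is the case a defender would want surfaced rather than buried among the restore events.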
