[clamav-win32] Feature request: suppressing changes of win32 files

Cuchuk Sergey cuchuk.sergey at gmail.com
Thu May 22 16:16:32 CEST 2008


2008/5/22 Dave Warren <dave-usenet at djwcomputers.com>:

> In message <418911cd0805202321u5d2eabd3n63ff94a74af62bf6 at mail.gmail.com>
> "Cuchuk Sergey" <cuchuk.sergey at gmail.com>
> wrote:
>
> >viruses or worms often use binaries or executables - so when we're
> >protecting them from changing (or asking for confirmation of user for
> >program (for example installers can overwrite them)) we're protecting data
> >from viruses
>
> It's a great idea -- In fact, so great that every modern operating
> system has a robust set of file system permissions already included
> which can do exactly what you want.
>
> In the Windows environment, simply don't use an administrator account
> all the time and executables installed in correct locations cannot be
> modified.
> --
> Dave Warren,          dave at djwcomputers.com
> Office: (403) 775-1700   /   (888) 300-3480

Yes, that's right. I use this feature. But I'm a developer and design some
kind of software at home (including creating installation packets). There
were about 6 times during the last 2 years when I had to search for all *.exe
and *.dll in my work disk partition and delete them because of viruses. Now
I'm doing things in the following way: when I get a software packet, I zip it;
when I stop developing something, I change the permissions for myself
to provide read-only access.

Yes, of course it's a decision - but is it convenient?

So I propose that when something tries to modify *.exe or *.dll, the
software shield should create a window for the user with an alert: to allow or
not to allow this process to alter binaries. If yes, the shield should ask the
user whether to always allow this software to change it or not. If yes, the
antivirus should save the MD5 sum of the process, its name and location.

Also, as I'm a user, I don't make updates. When I want to update something I
run the process with administrator's privileges, not as a user.

For Linux I don't know, but I think there's an analogous situation.

Also I discovered that some processes try to load their libraries in
explorer by configuring my registry key (of course with user privileges).
So maybe it's good to disallow altering such registry keys (or to allow this
with a notification for the user).

Best regards, Siarhei Kuchuk
-----------------------------------------
ICQ: 376562952
Cuchuk.Sergey at gmail.com
toCuchukSergey at yandex.ru
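
The allow / always-allow flow proposed in the message above, sketched as an added example that is not part of the original post or of ClamAV. `WriteShield`, `decide` and `ask_user` are hypothetical names, the paths and process bytes are constructed, and SHA-256 stands in for the MD5 sum the message mentions.

```python
import hashlib
import ntpath

PROTECTED_EXTENSIONS = (".exe", ".dll")   # the file types named in the message


def fingerprint(image: bytes) -> str:
    # SHA-256 is used here in place of the MD5 sum the message mentions.
    return hashlib.sha256(image).hexdigest()


class WriteShield:
    def __init__(self):
        # Remembered "always allow" answers: (process location+name, hash).
        self.always_allow = set()

    def decide(self, proc_path, proc_image, target, ask_user):
        """Return 'allow' or 'deny' for one attempted write to `target`.

        ask_user(proc_path, target) is a hypothetical prompt callback that
        returns 'yes', 'always' or 'no'.
        """
        if not target.lower().endswith(PROTECTED_EXTENSIONS):
            return "allow"                # not a binary: outside the shield
        # Windows paths compare case-insensitively, so normalise before use.
        key = (ntpath.normcase(proc_path), fingerprint(proc_image))
        if key in self.always_allow:
            return "allow"                # same bytes at the same location
        answer = ask_user(proc_path, target)
        if answer == "always":
            self.always_allow.add(key)
        return "allow" if answer in ("yes", "always") else "deny"


def demo():
    prompts, answers = [], iter(["always", "no"])   # constructed user input

    def ask_user(proc_path, target):
        prompts.append((proc_path, target))
        return next(answers)

    shield = WriteShield()
    setup = r"C:\Tools\setup.exe"                   # constructed sample path
    good, changed = b"installer v1", b"installer v1 + appended code"
    results = [
        shield.decide(setup, good, r"D:\work\app.dll", ask_user),          # prompt
        shield.decide(setup.upper(), good, r"D:\work\app.exe", ask_user),  # remembered
        shield.decide(setup, changed, r"D:\work\app.dll", ask_user),       # new hash
        shield.decide(setup, changed, r"D:\work\notes.txt", ask_user),     # not a binary
    ]
    return results, len(prompts)
```

Because the remembered entry includes the hash, a process whose own file has been altered no longer matches its "always allow" record and the user is asked again.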
