One might not be able to go as far as calling it an antivirus, but there is a hidden virus-blocking mechanism included with Windows. Using the registry, one can block certain file names. And just as it turns out, most viruses have a certain definite name that can be blocked using this method. Just go to the Symantec site and add all virus filenames from the threat pages to the registry. The keys are:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="virus1.exe"
"2"="virus2.exe"
"3"="virus3.exe"
And so on... Although I have yet to find a virus that does not have a definite filename. One of the disadvantages of this approach is that if a virus were to have the same filename as a system file, then you cannot block the filename. I have created a sample file that blocks some of the current viruses. To use it, copy this to Notepad, save it as filename.reg, and run it.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="toosexy.pif"
"2"="x.exe"
"3"="xx.exe"
"4"="winnett.exe"
"5"="scvhost.exe"
"6"="cpu.dll"
"7"="csrss.dat"
"8"="csrss.ini"
"9"="csrss.lnk"
"10"="Readme.txt.exe"
"11"="daemon.exe"
"12"="Infect.drv"
"13"="Infectate.reg"
"14"="Muerte.drv"
"15"="daemon2.exe"
Hidden Antivirus In Windows?
#2
Posted 15 March 2005 - 12:02 AM
But if you use this now, wouldn't it block those system files like scvhost.exe from running, which is needed for Windows to run?
#3
Posted 15 March 2005 - 12:11 AM
Does the firewall have to be installed/active for this to work? Sounds interesting..
#4
Posted 15 March 2005 - 06:21 PM
Seems that matrix0978 has fallen for a classic virus trick. The file that he is referring to is svchost.exe, not scvhost.exe. And no firewall is needed.
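Added example, not part of any post in this thread: a Python check that reads a DisallowRun .reg file like the one in the first post and flags entries that either equal a real system file name (the collision the first post mentions) or are near misses such as scvhost.exe versus svchost.exe. The SYSTEM_FILES list, the 0.85 similarity threshold and the function names are assumptions made for illustration; the sample input is constructed from a few entries of the posted file.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a few entries taken from the .reg file in the first post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="toosexy.pif"
"5"="scvhost.exe"
"7"="csrss.dat"
"11"="daemon.exe"
'''

# Assumption: a short, illustrative list of legitimate Windows binaries.
SYSTEM_FILES = ["svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"]

def parse_disallow_run(reg_text):
    """Return {value_name: file_name} from the ...\\Explorer\\DisallowRun key."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only values under the DisallowRun subkey are block-list entries.
            in_key = line.rstrip("]").lower().endswith(r"\explorer\disallowrun")
        elif in_key:
            m = re.fullmatch(r'"(\d+)"="(.*)"', line)
            if m:
                entries[m.group(1)] = m.group(2)
    return entries

def classify(name, threshold=0.85):
    """'collision' if name equals a system file, 'lookalike' if it is a near miss."""
    name = name.lower()
    if name in SYSTEM_FILES:
        return "collision", name
    best = max(SYSTEM_FILES, key=lambda s: SequenceMatcher(None, name, s).ratio())
    if SequenceMatcher(None, name, best).ratio() >= threshold:
        return "lookalike", best
    return "ok", None

def review(reg_text):
    """Map every blocked file name to its (verdict, matched system file)."""
    return {n: classify(n) for n in parse_disallow_run(reg_text).values()}

if __name__ == "__main__":
    for name, (verdict, match) in review(SAMPLE_REG).items():
        print(f"{name:15} {verdict:10} {match or ''}")
```

A "lookalike" verdict means the entry is safe to block but easy to misread as the real binary; a "collision" verdict means the entry would block the legitimate file itself.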
#5
Posted 17 March 2005 - 08:34 AM
Aegis, on Mar 15 2005, 05:21 PM, said:
Seems that matrix0978 has fallen for a classic virus trick. The file that he is referring to is svchost.exe, not scvhost.exe. And no firewall is needed.
Classic indeed - you read what you expect to read - I do it at least 50% of the time, probably a lot more; and I'm aware of the problem!!
#6
Posted 21 March 2005 - 08:00 AM
You can also do this with GPOs with a Windows 2003 domain. It falls under software restriction policies. You can also do this for older OS's using SMS.