> From: nowak.aat_private [mailto:nowak.aat_private]
> Sent: Monday, August 11, 2003 5:15 PM
>
> >
> > I suppose a simple defense for "personal firewall" vendors
> > against this sort of thing would be to use hard-to-guess window
> > titles for their popups...
>
> This simple defense may not be enough, as there are ways to
> find out the names of all "child" windows belonging to specific
> process.

Agreed. "simple" wasn't really the adjective I wanted; something more like "preliminary" or "first-cut" was what I meant.

Another possibility would be to require that the window be visible when the event is received, and have been visible for some minimum time (even on the order of a few seconds), which would allow an alert user to see the trojan in action, anyway.

Some firewall products of this type allow a "reject without prompting" configuration, which is safer, albeit potentially frustrating. (I'm familiar with the Symantec products, and getting log information out of them is not a pleasant process. Their UIs in general are not well-designed.)

Is there a reliable mechanism in Windows for distinguishing between real and spoofed events? I've never looked into the subject, as I avoid GUI-mode programming like the plague (which is an apt description, in my book).

Of course, the popup window shouldn't be owned by a process running with elevated privileges anyway.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
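
The visibility rule suggested in the message above, sketched as an added example (not code from the original post or from any firewall product): an "allow" event is honoured only if the prompt is on screen and has been continuously visible for a minimum time, while "deny" and the "reject without prompting" mode always fail closed. The type and function names and the 3-second threshold are assumptions; `now_ms` stands in for a 32-bit millisecond counter such as the value returned by `GetTickCount()`.

```c
#include <stdbool.h>
#include <stdint.h>

#define MIN_VISIBLE_MS 3000u  /* assumed dwell time, "a few seconds" */

typedef enum { VERDICT_ALLOW, VERDICT_DENY, VERDICT_IGNORED } verdict;
typedef enum { MODE_PROMPT, MODE_REJECT_SILENTLY } policy_mode;

/* Hypothetical model of the prompt window's state. */
typedef struct {
    bool     visible;      /* prompt currently on screen */
    uint32_t shown_at_ms;  /* tick count when it last became visible */
    unsigned ignored;      /* early or hidden "allow" events, worth logging */
} prompt_state;

/* Call whenever the prompt is shown or hidden. */
void prompt_set_visible(prompt_state *p, bool visible, uint32_t now_ms)
{
    if (visible && !p->visible)
        p->shown_at_ms = now_ms;  /* every new show restarts the timer */
    p->visible = visible;
}

/* Decide what to do with an allow/deny event delivered to the prompt. */
verdict prompt_handle_event(prompt_state *p, policy_mode mode,
                            bool allow_requested, uint32_t now_ms)
{
    if (mode == MODE_REJECT_SILENTLY || !allow_requested)
        return VERDICT_DENY;      /* denying fails closed, so no gate */
    /* Unsigned subtraction stays correct across 32-bit tick wraparound. */
    if (p->visible && (uint32_t)(now_ms - p->shown_at_ms) >= MIN_VISIBLE_MS)
        return VERDICT_ALLOW;
    p->ignored++;                 /* prompt stays up; event is dropped */
    return VERDICT_IGNORED;
}
```

A non-zero `ignored` count means an "allow" arrived faster than a user could plausibly have read the prompt, which is worth surfacing in the product's log.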
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 22:29:17 PDT