Posted on October 5th, 2009 by nabiy
Category: Tools, cleaning, security, windows

Microsoft Security Essentials
Microsoft is offering a free antivirus program called Security Essentials. It includes protection against viruses, spyware and other malware. I’ve just begun testing it in order to see if I would recommend it. The installation was simple and hassle-free, and it seems like it runs smoother than AVG, especially when opening documents in Microsoft Word (AVG occasionally hangs when working with documents). Security Essentials also has a “very good detection score” of 98.4% according to this article on PC World.
You can download Security Essentials for free from Microsoft here.
Posted on April 7th, 2009 by nabiy
Category: cleaning, malware removal, security
There is a really great list of repair tools for the Conficker worm here on the Conficker Working Group's site, and they have a pretty cool infection test.
I personally think the Conficker worm is overhyped. The two main methods of infection have both been patched. Those two methods being a buffer overflow in the services process (which was patched way back with MS08-067) and the Autorun vulnerability (I mentioned that earlier in the blog). If your network admin is worth his salt then you have nothing to worry about because the risk is easy to mitigate. Home users are also probably safe if auto-update is enabled and autorun has been disabled.
It also bothers me a little when I see the alerts go off like this for a threat that is overhyped. Why are they raising red flags now and not six months ago?
Posted on December 4th, 2008 by nabiy
Category: Featured Articles, cleaning, malware removal, security, threatfire
I had never heard of Threatfire until this weekend, and to be honest I wish that I could forget the experience. Threatfire is a security monitoring system that hooks into your system and watches for malicious activity. It installs several filter drivers, including TfKbMon.sys, which is installed as a keyboard filter driver (a legitimate keylogger).
What had happened is this driver either malfunctioned or didn't uninstall properly, which rendered the keyboard useless. Actually, the keyboard was OK; it’s just that the filter driver was intercepting calls to the default PS/2 Windows driver (i8042prt.sys).
To correct the problem I ran the Threatfire removal utility, which uninstalled the driver but left quite a bit in the registry, including the entry that called it as the upper filter driver for the keyboard. Now just the fact that this program has a removal utility aside from the regular uninstall routine should be a crapware warning sign in itself… Norton also has a removal utility… coincidence?
Anyways, after a bit of searching (regscanner is a great tool for this) I found this key:
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}
which defines the UpperFilters for your keyboard. A normal configuration will only have kbdclass set for UpperFilters in this key. So I reset that and then imported a good registry entry for the i8042prt services and the kbdclass (download).
Of course, to make things very difficult, all this was done with the on-screen keyboard, one click at a time… and when you type over seventy words a minute that is just aggravating!
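
An added example, not part of the original post or any vendor tool: a PowerShell audit of the UpperFilters value described above. It flags any entry other than kbdclass and any entry whose service key or driver file is missing, which is the leftover state that disabled the keyboard here. The `CurrentControlSet` default and the `Resolve-DriverPath` helper are assumptions of this example; the post itself edited ControlSet001.

```powershell
# Added example: audit the keyboard class UpperFilters list for stale entries.
param(
    # Assumption: CurrentControlSet (the live alias); the post edited ControlSet001.
    [string]$ControlSet = 'CurrentControlSet'
)

$classKey = "HKLM:\SYSTEM\$ControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}"
$expected = @('kbdclass')   # per the post, the only upper filter in a normal configuration

# Hypothetical helper: turn a service ImagePath into a path Test-Path can check.
function Resolve-DriverPath([string]$ImagePath, [string]$Name) {
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # No ImagePath: Windows falls back to the default drivers directory.
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''    # strip the NT object prefix \??\
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\')      { return Join-Path $env:SystemRoot $p }
    return $p
}

# UpperFilters is REG_MULTI_SZ; @() keeps a single entry as an array.
$filters = @((Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction Stop).UpperFilters)

$report = foreach ($name in $filters) {
    $svcKey = "HKLM:\SYSTEM\$ControlSet\Services\$name"
    $hasKey = Test-Path -Path $svcKey
    $image  = $null
    if ($hasKey) {
        $image = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    }
    $file    = Resolve-DriverPath $image $name
    $hasFile = Test-Path -LiteralPath $file

    # A filter with no service key or no driver file is a leftover reference.
    if (-not ($hasKey -and $hasFile))     { $status = 'DANGLING' }
    elseif ($expected -notcontains $name) { $status = 'UNEXPECTED' }
    else                                  { $status = 'OK' }

    [pscustomobject]@{
        Filter     = $name
        Status     = $status
        ServiceKey = $hasKey
        DriverFile = $file
    }
}
$report | Format-Table -AutoSize
```

An UNEXPECTED row is not necessarily malicious, since security and input software legitimately install keyboard filters, but each one should map to a product you recognise.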