Build 564 with the new "share probe" has been released. The new IV function detects whether a PC has a problematic share and reports it to the user and to IV Administrator.

The following shares are considered "problematic": On NT4.0, W2K and XP, a read-write share of either the entire system drive or the Windows installation directory. The NT administrative default shares (C$, D$, ADMIN$ etc.) are ignored. On Windows 9x and ME, *any share* of either the system drive or the Windows directory is considered unsafe.
The IV share probe does NOT check whether an unsafe share is protected by a password or not. Shares of the type described are "unsafe" just the same, with or without a password. FYI, recent malware carries password "dictionaries" that let it test thousands of trivial passwords and crack them. "Mumu" and "Litmus" are a couple of such examples.
Operation: The share probe is implemented in Interceptor, and is active in all its statuses, from 'none' to 'both', just like SAM (startup apps monitor). The share test runs about every three minutes and issues an alert to the user, in the form of a "caution" message box, and reports the same to the IV real-time report, as well as to IV Administrator, where installed.

If the user doesn't want to be alerted anymore, they may tick the "don't show" box. This sets a registry flag that prevents further alerting, yet the event will still be recorded in the real-time report and reported to IVAdmin. The "don't warn on share" flag is unconditionally cleared when the bad share is removed, and the probe will issue a new alert when a new unsafe share is created. No alert will be issued when such a new share is created and the "don't warn" flag hasn't been cleared.
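
The classification rule and the "don't warn" behaviour described above, modelled as an added example (not IV's own code). The share record layout, the function names and the default `C:\WINNT` directory are assumptions made for illustration, and the sample shares are constructed.

```python
import ntpath
import re

# Administrative defaults the page names (C$, D$, ADMIN$); its "etc." is not expanded.
ADMIN_DEFAULT = re.compile(r"^(?:[A-Z]|ADMIN)\$$", re.IGNORECASE)
NT_FAMILY = {"NT4", "W2K", "XP"}
WIN9X_FAMILY = {"9x", "ME"}

def _norm(path):
    # Compare case-insensitively and without trailing separators: "C:\" == "c:"
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def is_unsafe(share, os_family, system_drive="C:\\", windir="C:\\WINNT"):
    """Apply the rule to one share record (dict layout is hypothetical)."""
    if _norm(share["path"]) not in {_norm(system_drive), _norm(windir)}:
        return False
    if os_family in WIN9X_FAMILY:
        return True                      # any share of these paths, read-only too
    if os_family in NT_FAMILY:
        if ADMIN_DEFAULT.match(share["name"]):
            return False                 # NT administrative default share
        return share["writable"]         # password protection is not considered
    raise ValueError(f"unknown OS family: {os_family}")

def probe_cycle(shares, os_family, dont_warn):
    """One probe pass: returns (unsafe share names, show message box, new flag)."""
    unsafe = [s["name"] for s in shares if is_unsafe(s, os_family)]
    if not unsafe:
        return [], False, False          # flag is cleared once the bad share is gone
    # The event is always reported; only the message box honours the flag.
    return unsafe, not dont_warn, dont_warn

# Constructed sample data, not output from a real machine.
SAMPLE = [
    {"name": "C$",     "path": "C:\\",        "writable": True},
    {"name": "ROOT",   "path": "c:\\",        "writable": True},
    {"name": "WIN_RO", "path": "C:\\WINNT\\", "writable": False},
    {"name": "DOCS",   "path": "C:\\Docs",    "writable": True},
]

if __name__ == "__main__":
    for flag in (False, True):
        print("XP, dont_warn =", flag, "->", probe_cycle(SAMPLE, "XP", flag))
    print("ME ->", probe_cycle(SAMPLE, "ME", False))
```
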
In the enterprise: Build 564 contains a new IVAdmin build (#98), to process the new message about unsafe shares. After upgrading an existing installation to build 564, open IVAdmin, select the 'Options' tag, and make sure that the last message on the list (directories are shared!) is checked. This won't be necessary with new installations, only when upgrading an existing one.

System administrators are advised to periodically inspect the IVAdmin report for share perpetrators.
Known problem: Build 562 that was released a few days before 562 had an unexpected bug. It would lock IVI on NT/XP and W2K if an unsafe share existed. Such an unsafe share gives "full control" to "everyone" on either the system drive or directory.

To recover from that condition and fix it, just (cold) restart the PC, hold the shift key pressed when Windows starts, after logging in, to prevent Interceptor from loading. Open My Computer, remove the bad share, and resume IVI. The bug was fixed in build 564.
Online shares listing utility: This utility lists the shares found on a PC and specifies whether they are risky or safe.
http://www.virusdefence.com.au/dl/client/client_files/gateway/listshr.exe