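Originally posted by jpzy on 2008-8-25 12:06
A question. For example, if I now run regedit, or explorer.exe puts a file into system32, UAC pops up and asks every time!
Suppose I use this tool and choose to have it remember my answer. Does that mean operations like these will no longer prompt in the future?
If it is not me who runs rege ...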
Thanks for bringing this up. The current implementation is indeed designed with this in mind; here is how.
In order for the tool to consider one particular action as the SAME action, we look at many attributes. The attributes which identify an action include: the parent process (launching process) and all the modules loaded; the target process (module); the associated window's name and class, etc. So, for example, launching regedit from the run cmd will be a different action than launching it by double-clicking on regedit.exe in the system32 directory (try it out).
We try to use many different attributes to assess a particular action, so that an action triggered automatically by an executable will look a lot different than an action triggered by a user. So if a virus uses "regedit" to write the registry, the tool should consider this as a different action.
1. The parent executable is probably different (in this case it will be the virus name).
2. If explorer.exe is used, the launcher must be loaded in explorer.exe as a module; the action will be considered different if the loaded modules are not the same.
3. We also check the integrity of the executables, so if explorer.exe is somehow infected, the binary difference will also trigger the action to be different.
4. The associated window is also a factor in identifying an action ("launching from task bar", "launching from cmd"...).
With that said, you are very right, it is important for the tool to identify a unique action correctly. The current implementation is designed to do that. But there might be flaws in the algorithm, or cases we did not think of. That's why we want more people to use it and tell us the issues you find :), so we can fine-tune the algorithms.
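
A sketch of the action matching described in the reply above, added here as an illustration; it is not the tool's own code. The hashing scheme, the names `action_id` and `decide`, and all sample paths, window names and file contents are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Image:
    path: str
    content: bytes  # constructed stand-in for the bytes of the file on disk

def action_id(parent, parent_modules, target, win_class, win_title):
    """Fold the attributes named in the post into one identity for an action."""
    h = hashlib.sha256()
    def feed(field: bytes):
        h.update(len(field).to_bytes(4, "big") + field)  # length prefix keeps fields unambiguous
    def feed_image(img):
        feed(img.path.lower().encode())                  # Windows paths are case-insensitive
        feed(hashlib.sha256(img.content).digest())       # integrity: any binary change alters the id
    feed_image(parent)
    feed(str(len(parent_modules)).encode())
    for mod in sorted(parent_modules, key=lambda m: m.path.lower()):  # load order is ignored
        feed_image(mod)
    feed_image(target)
    feed(win_class.encode())
    feed(win_title.encode())
    return h.hexdigest()

# Constructed sample data; file contents are placeholders, not real binaries.
EXPLORER = Image(r"C:\Windows\explorer.exe", b"explorer-v1")
SHELL32 = Image(r"C:\Windows\System32\shell32.dll", b"shell32-v1")
REGEDIT = Image(r"C:\Windows\System32\regedit.exe", b"regedit-v1")
TASKBAR = ("Shell_TrayWnd", "Run")
BASELINE = (EXPLORER, [SHELL32], REGEDIT, *TASKBAR)

def decide(remembered, action):
    """Return the stored answer, or None when the user has to be asked again."""
    return remembered.get(action_id(*action))

def demo():
    remembered = {action_id(*BASELINE): "allow"}  # user chose "remember my answer" once
    other_parent = Image(r"C:\Users\Public\unknown.exe", b"unknown")  # hypothetical launcher
    extra_module = Image(r"C:\Users\Public\hook.dll", b"unknown")     # hypothetical module
    patched = Image(EXPLORER.path, b"explorer-v1-modified")
    return {
        "same action": decide(remembered, BASELINE),
        "different parent": decide(remembered, (other_parent, [], REGEDIT, *TASKBAR)),
        "extra module": decide(remembered, (EXPLORER, [SHELL32, extra_module], REGEDIT, *TASKBAR)),
        "modified parent binary": decide(remembered, (patched, [SHELL32], REGEDIT, *TASKBAR)),
        "different window": decide(remembered, (EXPLORER, [SHELL32], REGEDIT, "ConsoleWindowClass", "cmd.exe")),
    }

if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case}: {answer or 'prompt again'}")
```

Only the first case returns the remembered answer; each of the other four differs in one attribute and falls back to prompting.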