Update: Thanks to everybody who participated, but the feature request is not consistent. The mentioned registry access warnings for installing a driver are used by D+ for both common techniques to install a driver. Although these warnings do not explicitly indicate that a driver is being installed (the subject of another enhancement request), the main D+ warnings that a driver is being loaded are present in both cases.
It is just that in the Safe/Clean PC modes of D+, the main warning when a driver is being loaded by services.exe is auto-learnt by D+ (under certain circumstances); this is one of the two common techniques to load a driver. However, if a driver is being loaded by the other of the two common techniques, the warning is almost always there.
See this post and the post by wj32 (which is linked to it).
----- original post starts here -----
Currently Defense+ gives "Registry modification" alerts when a driver is to be installed/loaded with a particular technique. See screenshots from this post.
These alerts do not explicitly tell the user that the HKLM\SYSTEM\ControlSet???\Services registry branch is used to install/load drivers.
My feature request would be the following: in the described cases Defense+ would provide alerts which explicitly indicate that driver(s) is/are to be installed/loaded. This can be implemented by at least adding one more sentence under "Security Considerations" of the D+ alerts.
Some of the original reports inside the original threads (I merely added a poll here):
Please read my comment on this in the PH thread:
There are two main ways a program can load a driver. One is by writing to the registry in HKLM\System\CurrentControlSet\Services and then calling NtLoadDriver. The other is by contacting the services controller (services.exe) and telling it to create a service to load the driver. In the first case, D+ correctly reports that a program is attempting to load a driver, and tells you the filename of the driver. The prompt is also in red (I think). In the second case however, D+ only prompts you about registry access (which most people will allow since it comes from services.exe) and then the driver is loaded. This is a HUGE problem with D+ and I hope the developers will fix it.
I will elaborate on this. In the Wilders Security thread, gmer was shown with the correct CIS alert. That's because it uses the first technique I discussed (NtLoadDriver). Process Explorer and Process Monitor also use this method. Most other software uses the second technique, and the alerts are broken. I find it puzzling why we are alerted to registry access by services.exe but we are not alerted to services.exe calling NtLoadDriver...
Attached is a small test program demonstrating the two methods. You will be able to see how CIS responds to the two methods with different alerts...
I. On driver installations, do NOT mix in the alert with registry modifications. Separate the two so that users do not confuse trivial registry alerts with driver installs.
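To make the request concrete, here is an added example of the kind of enrichment the thread asks for: given a registry write under the Services branch of any control set, decide whether it is actually a driver service being registered (Type = kernel/file-system driver, or an ImagePath pointing at a .sys file) and, if so, say so in the alert instead of showing a generic "registry modification". This is illustrative Python written for this page, not Comodo's or Defense+'s code; the `RegistryWrite` event shape, the sample events, the service name `exampledrv` and the process names are all constructed. It deliberately treats writes to subkeys such as `Services\Tcpip\Parameters` as ordinary configuration, since those are the trivial registry alerts the request wants kept separate.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented Windows service Type values for drivers (winnt.h SERVICE_* constants).
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2

# The Services branch under any control set (CurrentControlSet, ControlSet001, ...).
# Group 1 is the service name; group 2 is any subkey below it, e.g. "Parameters".
SERVICES_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(?:\\(.+))?$",
    re.IGNORECASE,
)


@dataclass
class RegistryWrite:
    """One registry modification as a HIPS sees it (constructed shape, not a D+ log format)."""
    process: str      # image that performed the write, e.g. "services.exe"
    key: str          # full key path
    value_name: str   # value being set
    data: object      # int for REG_DWORD, str for REG_SZ / REG_EXPAND_SZ


def classify_services_write(ev: RegistryWrite) -> Optional[Tuple[str, str]]:
    """Return (service_name, reason) when the write registers a driver service, else None.
    Only the service's own key counts: writes below it (Parameters, Enum, ...) are
    ordinary configuration, not driver installs."""
    m = SERVICES_KEY_RE.match(ev.key)
    if m is None or m.group(2) is not None:
        return None
    svc = m.group(1)
    name = ev.value_name.lower()
    if name == "type" and isinstance(ev.data, int):
        if ev.data == SERVICE_KERNEL_DRIVER:
            return svc, "Type = SERVICE_KERNEL_DRIVER"
        if ev.data == SERVICE_FILE_SYSTEM_DRIVER:
            return svc, "Type = SERVICE_FILE_SYSTEM_DRIVER"
    if name == "imagepath" and isinstance(ev.data, str) and ev.data.strip().lower().endswith(".sys"):
        return svc, f"ImagePath is a .sys file ({ev.data.strip()})"
    return None


def build_alert(ev: RegistryWrite) -> str:
    """Plain registry alert, or, for driver-service writes, an alert that states
    explicitly that a driver is being installed (the extra sentence the request asks for)."""
    hit = classify_services_write(ev)
    if hit is None:
        return f"Registry modification: {ev.process} is modifying {ev.key}\\{ev.value_name}"
    svc, reason = hit
    # services.exe writes service definitions on behalf of whichever program asked it
    # to create the service, so the alert should not present it as the real actor.
    who = ("services.exe, on behalf of the program that requested the service,"
           if ev.process.lower() == "services.exe" else ev.process)
    return (f"Driver installation: {who} is registering driver service '{svc}' under "
            f"{ev.key} ({reason}). Security Considerations: a driver runs in kernel mode "
            f"with full control of the system.")


def triage(events: List[RegistryWrite]) -> List[str]:
    """Return only the alerts that explicitly flag a driver install."""
    return [build_alert(e) for e in events if classify_services_write(e) is not None]


# Constructed sample events; service name, paths and processes are made up for illustration.
SAMPLE_EVENTS = [
    # second technique: services.exe writes the definition after a CreateService request
    RegistryWrite("services.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\exampledrv",
                  "ImagePath", r"\??\C:\Temp\exampledrv.sys"),
    # first technique: the program writes the key itself before calling NtLoadDriver
    RegistryWrite("setup.exe", r"HKLM\SYSTEM\ControlSet001\Services\exampledrv", "Type", 1),
    # same key, but Start=3 on its own says nothing about a driver
    RegistryWrite("setup.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\exampledrv", "Start", 3),
    # subkey of an existing driver: ordinary configuration, the "trivial" registry alert
    RegistryWrite("svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
                  "EnableICMPRedirect", 0),
    # unrelated branch
    RegistryWrite("app.exe", r"HKLM\SOFTWARE\ExampleVendor\App", "LastRun", "2024"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(build_alert(ev))
```

Running it prints two "Driver installation" alerts (the ImagePath write by services.exe and the Type=1 write by setup.exe) and three generic registry alerts. A real HIPS sees the caller of CreateService directly rather than inferring it, so the "on behalf of" wording is where the product could name the actual requesting program.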