I’ve an issue with the ChangeDrvPath test in CLT v.126.96.36.199
First, is there a link to something more technical than the HTML help:

"1. RootkitInstallation: ChangeDrvPath
What does it do? Tries to change the path of an already existing driver by using service control manager.
What is the risk? A malicious device driver loaded can be as dangerous as it can be due to the fact that it acts as a part of the operating system with the maximum privileges."

'Tries to change the path of an already existing driver by using service control manager': does that mean that CLT.exe asks some system program (services.exe?) to write to HKLM\SYSTEM\ControlSet???\Services\*\ImagePath (or somewhere else in the registry?)
The issue is that I disabled 'service control manager' monitoring ('\RPC Control\ntsvcs') because too many programs need it, but I nevertheless expected an alert for a registry write to an 'ImagePath' value.
I didn't get such an alert and failed the test
(although Services is not allowed to write to 'ImagePath' or install a driver without a prompt, nor is any other program).
So, the question is: does the ChangeDrvPath test really try to change the path of an existing driver in the registry, or does it just check whether it can connect to the Service Control Manager? (Which might not be enough to install/replace a driver.)
PS: My config
- Custom HIPS Policy - Paranoid Mode - no AV
- Trusting Digitally Signed Application disabled
- Detect shellcode injections
- Image Execution Aggressive : all files
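The distinction the post turns on (a path change requested through the Service Control Manager versus a direct write to the ImagePath value) can be reproduced on a throwaway service. The following is an added example, not code from the original post, from CLT or from Comodo; it assumes an elevated PowerShell on Windows, and the service name CltPathDemo and the two driver file names are made up. The dummy service points at files that do not exist, so it can never be started.

```powershell
# Added example: two ways a process can change a driver's ImagePath.
# Assumes elevated PowerShell. Service name and driver paths are hypothetical;
# the .sys files deliberately do not exist, so the service can never start.

$svc     = 'CltPathDemo'                                     # hypothetical service
$origBin = 'C:\Windows\System32\drivers\nonexistent_a.sys'   # hypothetical path
$newBin  = 'C:\Windows\System32\drivers\nonexistent_b.sys'   # hypothetical path
$regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# Read back whatever the Services key currently holds for this entry.
function Get-ImagePath {
    (Get-ItemProperty -Path $regKey -Name ImagePath).ImagePath
}

# 1. Create a kernel-driver service entry. This call goes to the SCM over
#    \RPC Control\ntsvcs; the registry key is written by services.exe, not by us.
sc.exe create $svc type= kernel start= demand binPath= $origBin | Out-Null
"after create               : $(Get-ImagePath)"

# 2. Change the path the way the help text describes for ChangeDrvPath: via the
#    Service Control Manager (ChangeServiceConfig underneath). Again, the only
#    thing this process touches is the SCM endpoint; the ImagePath write in the
#    registry is performed by services.exe on our behalf.
sc.exe config $svc binPath= $newBin | Out-Null
"after sc config            : $(Get-ImagePath)"

# 3. Change the path by writing the registry value directly from this process.
#    This is the access a HIPS rule on "registry write to ImagePath" sees as
#    coming from the calling program.
Set-ItemProperty -Path $regKey -Name ImagePath -Value $origBin
"after direct registry write: $(Get-ImagePath)"

# 4. Remove the dummy service entry.
sc.exe delete $svc | Out-Null
```

Run it with SCM monitoring on and off and watch which steps raise an alert: step 2 only ever shows up as an access to '\RPC Control\ntsvcs' by the calling process, while step 3 shows up as that process's own registry write. A test that uses the SCM route therefore does not trigger a registry rule scoped to the test program, which is why disabling SCM monitoring can make such a test pass silently.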