How dangerous is direct disk access?

I notice all safe applications are allowed direct disk access but very few should actually need it. (Quite a few applications get detected by defence+ but I believe that is a false positive).

Can direct disk access be used to write to the registry getting past defence+ registry protection? If so it could be very dangerous.

I admit the code to write directly to the registry would have to be very complicated but with so many open source projects (e.g. wine) I would have thought it would be easy to find examples.

Should it be allowed by default?

I am no computer expert, but I think that direct disk access means that some kind of program is trying to access space on the physical disk… So it can read stuff or replace files on the disk for example or create files on the disk… It is comparable with direct memory access. Direct disk access does not have to be dangerous; some programs like disk cleaners, disk defragmenters, word processing programs, video/photo editing programs need to access the disk directly to read/replace/create stuff on the disk to work properly… If you use some kind of program and CIS does not recognize the program, CIS will produce an alert. I don’t think you should be afraid of your registry being modified somehow. CIS will alert you with a different alert if that happens.

I am a programmer but have never used direct disk access. Word processors and video/photo editing programs would not require it. They would all write to the disk using the windows API. So do most defragmenters. Disk cleaners and anti-malware programs are about the only ones that should require direct disk access.

If it is potentially dangerous and so few programs need it, it would be more secure if it was not automatically allowed for all safe programs.

CD ripping programs and CD/DVD authoring software need direct access, but not to the HDD I guess, to find the CD/DVD drive.

(EAC.exe is Exact Audio Copy.)


Yes, it is true. Basically, when a program needs access to the disk, most programs use the Windows API or other programs. But accessing the disk directly is mostly used by disk defragmenters, disk cleaners and anti-malware programs… But it is hard to judge when a person doesn’t know much about software and hardware… Maybe CIS should include more practical information for novice users…

I have always wondered about this. Maybe it is not good programming practice for some of the programs? I can see the need for disk defragmenters and cleaners but I have my doubts for other applications. What would be the shortcomings of the Windows API, etc.?

Windows API is great for nearly ALL programs. I am a professional programmer and would never even think of trying anything else. It is fast, flexible and does everything for you.

Just to indulge my curiosity as a non-programmer. (:NRD)

In what situation would you use direct disk access over using the API?

What do you think about the thesis I dropped that, other than for disk defragmenters, disk maintenance and anti-malware programs, using direct disk access is a sloppy way of programming?

The reason I am asking is that direct disk access probably needs elevated rights within the OS. Then this may be a type of programming that makes it harder to run these programs as a Limited user (which is a more secure mode of course) and part of a (decreasing?) problem of programs needlessly using admin rights.

I’m no programmer… But I know for a fact that the Windows API includes functions for defragmenting even. JkDefrag for example claims to use nothing but the Windows API. Actually I don’t think I’d trust a defragger that uses direct disc access instead. It may mess things up inadvertently. Same goes for disc cleaners: if they bypass the OS they may touch something they shouldn’t or in a way they shouldn’t. When should a program use direct disc access instead of the Windows API? When it’s for DOS instead of Windows I guess. :wink: Just my opinion, as I said I’m no expert.

I think, I may be wrong, that when writing to a NTFS disc via the Windows API, the disc can’t be damaged even if the power comes out suddenly. Otherwise damage may occur, as happened in the past with FAT.

I usually block direct disk access for all apps except defraggers and recoverers.

The only circumstances I can think of for needing direct disk access would be detection of rootkits (where the API would lie to you) and probably ChkDsk and disk formatting like utilities. There is an API for defragging.

So it is needless for most programs. Does direct disk access need admin rights in Windows or is it something that is allowed under limited user account as well?

It must need admin rights or any non-admin program could wreck your computer.
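To make the "direct disk access" being discussed concrete, here is an added example (not code from this thread, from Comodo, or from any program named above). A normal program asks for a path such as C:\file.txt and the file system enforces NTFS permissions; a program with direct disk access instead opens the raw device name \\.\PhysicalDrive0 with CreateFile() and reads sectors with no file system in between, which is why an anti-rootkit tool can compare what the API says with what is really on the platter. On Vista and later the device ACL only lets an administrator (elevated under UAC) open that handle; from a standard user account CreateFile() fails with ERROR_ACCESS_DENIED, which answers the question about admin rights. The function names (`parse_mbr`, `read_sector0`, `sample_mbr`) are mine, and the sector parsed on non-Windows builds is a constructed MBR embedded in the code, not data read from any disk.

```c
/*
 * Added example, not from the forum thread or from Comodo: a raw read of
 * sector 0 (the MBR) from \\.\PhysicalDrive0, followed by a parse of the
 * partition table.  The parser is portable and is exercised with a
 * constructed sector so the file also builds on non-Windows systems.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define SECTOR_SIZE 512

struct mbr_partition {
    uint8_t  bootable;    /* 1 if the entry carries the 0x80 active flag */
    uint8_t  type;        /* partition type byte, e.g. 0x07 for NTFS */
    uint32_t lba_start;   /* first sector of the partition */
    uint32_t sectors;     /* length in sectors */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the four 16-byte partition entries at offset 446.  Returns the number
 * of used entries copied to out[], or -1 if the 0x55AA boot signature at
 * bytes 510-511 is missing (the sector is not a valid MBR). */
int parse_mbr(const uint8_t *sector, struct mbr_partition out[4])
{
    int n = 0;
    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + 446 + 16 * i;
        if (e[4] == 0x00)          /* type 0 marks an empty slot */
            continue;
        out[n].bootable  = (e[0] == 0x80);
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

/* Constructed sample sector (not read from any disk): one active NTFS
 * partition starting at LBA 2048 with 1,024,000 sectors, plus the signature. */
void sample_mbr(uint8_t sector[SECTOR_SIZE])
{
    uint8_t *e = sector + 446;
    memset(sector, 0, SECTOR_SIZE);
    e[0] = 0x80;                                            /* active flag  */
    e[4] = 0x07;                                            /* NTFS         */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;   /* LBA 2048     */
    e[12] = 0x00; e[13] = 0xA0; e[14] = 0x0F; e[15] = 0x00; /* 1024000 secs */
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

#ifdef _WIN32
/* The raw read itself.  Reads on a device handle must be whole sectors, so the
 * buffer is exactly SECTOR_SIZE.  Returns 0 on success; otherwise -1 with
 * GetLastError() in *err (ERROR_ACCESS_DENIED, 5, when not elevated). */
int read_sector0(const char *device, uint8_t sector[SECTOR_SIZE], DWORD *err)
{
    DWORD got = 0;
    BOOL ok;
    HANDLE h = CreateFileA(device, GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) { *err = GetLastError(); return -1; }
    ok = ReadFile(h, sector, SECTOR_SIZE, &got, NULL);
    *err = ok ? 0 : GetLastError();
    CloseHandle(h);
    return (ok && got == SECTOR_SIZE) ? 0 : -1;
}
#endif

int main(void)
{
    uint8_t sector[SECTOR_SIZE];
    struct mbr_partition parts[4];
    int n;
#ifdef _WIN32
    DWORD err;
    if (read_sector0("\\\\.\\PhysicalDrive0", sector, &err) != 0) {
        printf("raw open/read failed, GetLastError=%lu%s\n", (unsigned long)err,
               err == ERROR_ACCESS_DENIED ? " (run as administrator)" : "");
        return 1;
    }
#else
    sample_mbr(sector);               /* no Win32 raw device here */
#endif
    n = parse_mbr(sector, parts);
    if (n < 0) { puts("no 0x55AA signature: sector 0 is not an MBR"); return 1; }
    for (int i = 0; i < n; i++)
        printf("partition %d: type 0x%02X%s start LBA %u, %u sectors\n",
               i, parts[i].type, parts[i].bootable ? " (active)" : "",
               (unsigned)parts[i].lba_start, (unsigned)parts[i].sectors);
    return 0;
}
```

Run it once from a standard account and once elevated to see the ERROR_ACCESS_DENIED difference. The example only reads; since Vista, writes to sectors that belong to a mounted volume are additionally refused unless the volume is locked or dismounted, so a raw write into the area holding registry hives is harder than the opening post assumes, though the read side (bypassing file ACLs and any API hook) is exactly what makes a raw handle worth restricting.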

I think it depends on which folder you are trying to write, even if direct access is used?

A program may open a physical disk or volume to flush it. This is not dangerous at all. The weird thing is that with TortoiseSVN installed I got a direct disk access warning every time an Open File Dialog appeared. After a reinstall of Vista I noticed that CIS no longer monitored direct disk access by default. Could it be because users kept on getting meaningless prompts about disk access?

I get lots of messages about direct disk access. Blocking them does not stop the programs working. Even a test program using the Windows API to write to disk triggers direct disk access but is not blocked if you say block. This is a bug in Defence+ I reported some time ago.

A trusted application should use whatever resources it wants/needs, otherwise it can be dangerous for the work you do with them… e.g. if you want to flash the BIOS from Windows you want to do that properly or else…

I agree, but most programs do not need direct disk access. My solution is to create a group of dangerous applications (all those that handle files from the internet) and block direct disk access for this group. I get lots of attempts logged (due to the bug I have mentioned) but everything works.

In 3.9 RC1 with the Internet Security profile CIS does monitor disk access. I don’t know for 3.8 as I always use the Proactive Security profile.

Limiting direct disk access to applications that handle files from the web makes sense. Coming to think of it, it would also make sense to not allow them to install a driver (rootkit).

It would make sense if an unknown (malware) process inherited permissions from the trusted app with internet access which started the unknown (malware) process, but that is not possible in CIS…