
This is related to How does one Blacklist a patch based on Knowledge Based/KB number? and How to add a Deny ACE for TrustedInstaller?.

The Get Windows X malware has returned (again) on two Windows 7 machines and a Windows 8 machine. I have previously removed it 5 times or so (per machine). After the last removal, I pre-created the folder it installs itself into and then placed a DENY ACE for both SYSTEM and TrustedInstaller. According to Microsoft's documentation, this should have stopped it from installing and executing.

How did the malware install itself given it was denied access?


This is absolutely amazing... The machine was off for about 6 weeks, so I had to perform two update/reboot cycles. The malware installed itself twice in one day even though it is denied access to the folder!

The second update/reboot cycle was for KB3102429. Notice it claims to resolve issues in Windows - it does not state it's marketing nagware or malware.

jww
  • 12,722

2 Answers

3

The SYSTEM account has SeRestorePrivilege, which grants it the right to write to the data or ACL of any securable object. (Kind of like how elevated administrators can blow through ACLs using the Security tab of the object's Properties.) These powers can also be used by the SYSTEM in Group Policy refreshes.

As an aside, the update responsible for your pain is actually KB3035583. You can try to identify which update is responsible for a certain file by searching Google for site:support.microsoft.com followed by the file name, since update KB articles always have tables of updated files.

Ben N
  • 42,308
0

I've had a lot of success (until today) in hiding the recommended update KB3035583. For some reason I allowed Windows Update to install some specified "recommended updates" at the weekend and it appears to have unhidden itself and installed it anyway! Sneaky "@%&#'s By the way, it wasn't in the list of recommended updates either!

EDIT It seems to be an "Important Update" now and not recommended!!!! Lord Ubuntu save me!!!!
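The following PowerShell script is an added example, not code from either answer: it shows why the Deny ACE from the question cannot hold (the SYSTEM token carries SeRestorePrivilege), lists the Deny entries actually present on the folder, and hides the update Ben N names by KB number through the Windows Update Agent COM API, which is the "hide update" method the second answer relies on. The folder path in $gwxPath is an assumption; adjust it to the folder you pre-created, and run the script from an elevated prompt.

```powershell
# Added example (not from the question or either answer).
$gwxPath  = 'C:\Windows\System32\GWX'   # ASSUMED location of the pre-created folder
$kbToHide = '3035583'                   # KB number given in Ben N's answer

# 1. Show the restore/backup privileges in the current token. Run once elevated and
#    once as SYSTEM (e.g. via a scheduled task running as SYSTEM): SYSTEM holds
#    SeRestorePrivilege, and a holder of that privilege bypasses the Deny ACE entirely.
whoami /priv | Select-String 'SeRestorePrivilege', 'SeBackupPrivilege', 'SeTakeOwnershipPrivilege'

# 2. List the Deny ACEs on the folder so you can confirm which principals they target
#    (SYSTEM and TrustedInstaller in the question) and that nothing rewrote the ACL.
if (Test-Path -LiteralPath $gwxPath) {
    (Get-Acl -LiteralPath $gwxPath).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
else {
    Write-Output "Folder $gwxPath does not exist; nothing to inspect."
}

# 3. Hide the update by KB number using the built-in Windows Update Agent COM objects
#    (the same state the Windows Update UI sets when you right-click "Hide update").
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
foreach ($update in $result.Updates) {
    foreach ($kb in $update.KBArticleIDs) {
        if ($kb -eq $kbToHide) {
            $update.IsHidden = $true
            Write-Output "Hid update: $($update.Title)"
        }
    }
}
```

A re-released revision of an update is offered as a fresh, unhidden item, so step 3 needs to be repeated after each update check; it does not make the folder's Deny ACE effective against SYSTEM.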