decaf v2 quick review v09.30.12.txt

After reading the emails on COFEE and DECAF because of some odd newsletter I am subscribed to and then seeing the following post: http://windowsir.blogspot.com/2009/12/lions-and-tigers-and-decafoh-my.html

I figured it would only be prudent to give it a shot..

First impression.. Is this whole thing a 2009 end of year joke? While I understand it has value, here are some simple steps to side-step decaf or just understand is weakness..

It runs in the systray, right-click, maximize and close it. That was easy.

Or if you don't want to touch anything on the system, just rename your tools.. I didn't take the time to join the forum and search is disabled for guests, but the signatures.dat file isn't utilizing MD5 or SHA-1 hashes. It's just plain and simple process name matching..

Tested tools that you can try yourself..

autoruns.exe, pslist.exe, pskill.exe, windd.exe, PasswareKitEnterprise.exe

Note the case-sensitivity in the PasswareKitEnterprise.exe.. I renamed NOTEPAD.EXE to passwarekitenterprise.exe and noticed that the workstation didn't lock, renamed it with with the proper case to match the commercial app and voila, decaf responds!

I am not assuming the person that decides to run decaf to "protect" their workstation should be a Windows Administrator, but atleast take the time to google "Software Restriction Policies" and see what you can do with hash rules, path rules and for the most-restrictive systems, certificate rules..

In the meantime, decaf should focus on making the signatures.dat and open standard with plain-text readable filenames, hash values (MD5 and SHA1) with version numbers instead of lack-luster case-sensitive process executable name matching to call a lock workstation API method.

Comments

Popular posts from this blog

xenserver update v08.24.08.txt

using vlc to create a web-based vod library v07.18.11.txt

an outlook for security improvements in 2019 v18.12.24.txt