RE: Bug in Norton FireWall 2003

> From: nowak.a@pg.com [mailto:nowak.a@pg.com]
> Sent: Monday, August 11, 2003 5:15 PM
>
>
> > I suppose a simple defense for "personal firewall" vendors
> > against this sort of thing would be to use hard-to-guess window

Agreed. "simple" wasn't really the adjective I wanted; something more like "preliminary" or "first-cut" was what I meant. Another possibility would be to require that the window be visible when the event is received, and have been visible for some minimum time (even on the order of a few seconds), which would allow an alert user to see the trojan in action, anyway.

Some firewall products of this type allow a "reject without prompting" configuration, which is safer, albeit potentially frustrating. (I'm familiar with the Symantec products, and getting log information out of them is not a pleasant process. Their UIs in general are not well-designed.)

Is there a reliable mechanism in Windows for distinguishing between real and spoofed events? I've never looked into the subject, as I avoid GUI-mode programming like the plague (which is an apt description, in my book).

Of course, the popup window shouldn't be owned by a process running with elevated privileges anyway.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus