Abtrusion Protector is integrity-based launch-protection software that inserts itself
between the Windows kernel and the user-mode application space. Whenever
Windows loads an executable file, a call is made into kernel mode.
Abtrusion Protector intercepts that call and verifies that the file is
allowed to execute before allowing the call to proceed into the Windows

Abtrusion Protector maintains a database of digital thumbprints of the
files that are allowed to execute on the computer. Files present on the
computer when Abtrusion Protector is first installed are automatically
added to the database. Whenever new software is installed on the computer,
Abtrusion Protector can be told to record the thumbprints of the new
files and add them to the database.

Abtrusion Protector includes a kernel-mode component that performs the
actual verification of file thumbprints, a service component that
maintains the database of thumbprints, and a user interface component.

Normally, Abtrusion Protector operates in the background and is
virtually invisible to the user. The only times a user has to interact with
Abtrusion Protector are when there is a potential security breach or when
new software is being installed. Abtrusion Protector can also be administered
from a central site, without any user intervention at individual workstations.

Files are identified by the strong cryptographic hash function SHA-1.
Hashes of executable files are computed using the same method that
Windows uses to sign files, except that Windows normally uses the slightly
weaker hash function MD5. Abtrusion Protector uses this to interoperate
with regular certificate-based code signatures. For example, Abtrusion Protector can be set
up to automatically allow code signed by specified trusted software vendors.

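As an added illustration (not Abtrusion Protector's own code), the Python below computes the Authenticode-style PE hash described above, SHA-1 by default, and shows on a constructed minimal PE32 image why this hashing rule interoperates with code signatures: appending a certificate leaves the Authenticode-style hash unchanged, while a plain hash of the whole file changes. It assumes a well-formed image whose attribute certificate table, when present, is the last thing in the file; the sample image, its section bytes and the certificate blob are all constructed here.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha1") -> str:
    """Hash a PE image like Authenticode: skip CheckSum, the Certificate Table
    directory entry (index 4) and the certificate blob itself."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe_off + 4, pe_off + 24
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    magic, size_of_headers = struct.unpack_from("<H58xI", pe, opt)
    checksum_off = opt + 64
    certdir_off = opt + (128 if magic == 0x10B else 144)            # PE32 vs PE32+
    cert_off, cert_len = struct.unpack_from("<II", pe, certdir_off)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                     # skipping these two fields is
    h.update(pe[checksum_off + 4:certdir_off])      # what keeps the hash stable
    h.update(pe[certdir_off + 8:size_of_headers])   # across signing
    secs = [struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
            for i in range(n_sections)]             # (SizeOfRawData, PointerToRawData)
    end = size_of_headers
    for raw_size, raw_ptr in sorted(secs, key=lambda s: s[1]):  # file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    tail_end = cert_off if cert_len else len(pe)    # overlay, minus the cert blob
    if tail_end > end:
        h.update(pe[end:tail_end])
    return h.hexdigest()

def build_sample_pe(cert: bytes = b"") -> bytes:
    """Constructed one-section PE32; a non-empty cert 'signs' it by appending
    the blob and filling in CheckSum and the certificate table entry."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                    # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<I", opt, 64, 0x1234ABCD)         # CheckSum (constructed)
        struct.pack_into("<II", opt, 128, 1024, len(cert))  # Certificate Table entry
    sec = struct.pack("<8sIIIIIIHHI", b".text", 256, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(512, b"\0")
    return bytes(headers) + b"\xC3" * 512 + cert            # section body is filler

def signing_preserves_hash() -> tuple:
    """(Authenticode hashes equal?, plain SHA-1 of whole file equal?)"""
    plain, signed = build_sample_pe(), build_sample_pe(b"CONSTRUCTED-CERT-BLOB")
    return (authenticode_hash(plain) == authenticode_hash(signed),
            hashlib.sha1(plain).digest() == hashlib.sha1(signed).digest())
```

Passing `algo="md5"` reproduces the hash that a signer using MD5, as the text says Windows normally does, would compute over the same image.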
By default, Abtrusion Protector is set up to allow code signed by
Microsoft. This allows Abtrusion Protector to automatically and safely
record files installed by Microsoft security patches, service packs and other updates.
It also allows Abtrusion Protector to integrate seamlessly with Windows

Abtrusion Protector protects its own files and registry settings so that
no other application is allowed to modify them. In addition, Windows
access control lists are used to determine which users are allowed to
modify settings or install new software on the computer.