Samurai, shown in Figure A-6, is a host-based intrusion prevention system. The Samurai HIPS initially displays a list of solutions to common security vulnerabilities and enables the user to apply any or all of the solutions listed. Some of the vulnerabilities will be specific to a particular program (such as AOL) or a particular operating system (such as XP Home Edition), so not all solutions will be applied to every machine. Nonetheless, Samurai will fix what it can to provide an optimal configuration based on the solutions selected when the Apply Configuration button is pressed.
Samurai is a completely reversible hardening tool. Every changed registry entry, every changed file permission, every disabled service, every injected process, and so on is recorded and can be reversed by deselecting the solution or uninstalling Samurai.
Of particular interest to rootkit developers is the “DISABLE ROOTKITS–Prevent the loading of rootkits” solution. This feature hooks all forms of rootkit loading and either denies the operation outright, if the loading technique is used only by rootkits, or asks the user whether the operation should be allowed. Because module loading normally occurs during the boot process, or when software is installed or started, most users will know to deny a module load that is attempted unexpectedly (e.g., while surfing the Internet).