parkerea asked:
Do packet sniffers need to load at boot time?

Background:

The company I work for is considering purchasing a security product that attempts to prevent the workstation from running a packet sniffer. (It does a lot more than that, but I have questions about this function.) For Windows, it only detects whether a sniffer is running on the workstation at boot time. Supposedly it detects "unusual interactions" with the NIC / NDIS.

Question:

Is there anything inherent in Windows that would require a sniffer to load & interact with NDIS at boot time, or could a sniffer be loaded after boot time? My concern is that this product may be specifically targeting two sniffers that just happen to load at boot time; their literature specifically mentions WinDump and dsniff.

BTW, I realize this product does not prevent the "protected" workstation from being eavesdropped on by another "unprotected" machine sniffing on the network; it only prevents the "protected" machine from becoming an eavesdropper.


Thanks in advance,
parkerea
Rich Rumble replied:

Most would load after booting, as they would certainly rely on the OS for its functions. Ethereal and Tcpdump are more popular than dsniff. What they are detecting is if the NIC is in promiscuous mode:
http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&displaylang=en
http://ntsecurity.nu/toolbox/promiscdetect/
http://www.securityfriday.com/promiscuous_detection_01.pdf

It's simple to write a program or script that can detect the most popular "sniffing" programs... that's a no-brainer. There are techniques to detect NICs listening in promiscuous mode using ARP responses, as outlined in the PDF above, and it's also easy to detect a NIC on the local machine in promisc mode.
http://packetstormsecurity.nl/sniffers/antisniff/
-rich
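The ARP trick Rich points to (the securityfriday paper) is worth seeing as a concrete exchange. The idea: an ARP request is sent to a destination MAC that the NIC hardware would normally drop because it is neither the card's own address nor the exact broadcast address, but which the operating system's software filter is lax enough to treat as broadcast. A NIC in normal mode never hands such a frame to the kernel, so there is no reply; a NIC in promiscuous mode passes every frame up, the IP stack sees "who has my IP?" and answers, and the answer gives the sniffer away. The code below is an added example written for this page, not code from the thread or from the paper. It is a constructed offline simulation: the hosts, MAC and IP addresses are made up, the hardware filter is modelled as "own MAC or exact broadcast" (multicast hash filtering is ignored, i.e. the host has joined no multicast groups), and the software filter is modelled as "own MAC or any address with the group bit set"; real stacks differ per OS, which is exactly what the paper measures, so treat both filters as assumptions. No packets leave the machine.

```python
"""Fake-broadcast ARP probe for spotting a NIC in promiscuous mode.

Added example for this page, not from the thread or the paper.  Everything
here is a constructed simulation: hosts, addresses and filter behaviour are
assumptions chosen to illustrate the technique, not measurements of any OS.
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")   # 47 bits set: hardware drops it, lax software filters don't
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by a 28-byte ARP body (RFC 826, Ethernet/IPv4)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        return None
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:42]
    return {"dst": dst, "src": src, "op": opcode,
            "sender_mac": body[0:6], "sender_ip": body[6:10],
            "target_mac": body[10:16], "target_ip": body[16:20]}


class SimHost:
    """A host on the segment: a NIC with a hardware address filter in front of an IP stack."""

    def __init__(self, mac_addr, ip_addr, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac_addr, ip_addr, promiscuous

    def hardware_accepts(self, dst):
        # Assumption: the card passes only its own unicast address and the exact
        # broadcast address (no multicast groups joined).  Promiscuous mode
        # switches this filter off entirely, which is what the probe exploits.
        return self.promiscuous or dst == self.mac or dst == BROADCAST

    def software_accepts(self, dst):
        # Assumption: the OS stack only looks at the group bit of the first
        # octet, so FF:FF:FF:FF:FF:FE is accepted as if it were broadcast.
        return dst == self.mac or bool(dst[0] & 0x01)

    def receive(self, frame):
        """Feed one frame to the host; returns the frame it sends back, or None."""
        pkt = parse_arp(frame)
        if pkt is None or not self.hardware_accepts(pkt["dst"]) or not self.software_accepts(pkt["dst"]):
            return None
        if pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.ip:
            return build_arp(pkt["src"], self.mac, ARP_REPLY,
                             self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        return None


def probe(host, prober_mac, prober_ip, dst_mac):
    """Send one ARP request for host.ip to dst_mac; True if the host answered with an ARP reply."""
    request = build_arp(dst_mac, prober_mac, ARP_REQUEST, prober_mac, prober_ip, b"\x00" * 6, host.ip)
    reply = host.receive(request)
    return reply is not None and parse_arp(reply)["op"] == ARP_REPLY


def promiscuous_suspected(host, prober_mac, prober_ip):
    """The check: alive on a real broadcast AND answering the fake broadcast means the hardware filter is off."""
    alive = probe(host, prober_mac, prober_ip, BROADCAST)
    return alive and probe(host, prober_mac, prober_ip, FAKE_BROADCAST)


# Constructed lab segment: a prober, a quiet workstation and one that is sniffing.
PROBER_MAC, PROBER_IP = mac("00:11:22:33:44:55"), ip("192.168.1.1")
QUIET_HOST = SimHost(mac("00:aa:bb:cc:dd:01"), ip("192.168.1.10"))
SNIFFING_HOST = SimHost(mac("00:aa:bb:cc:dd:02"), ip("192.168.1.20"), promiscuous=True)

if __name__ == "__main__":
    for name, host in (("quiet", QUIET_HOST), ("sniffing", SNIFFING_HOST)):
        print(f"{name:9s} promiscuous suspected: {promiscuous_suspected(host, PROBER_MAC, PROBER_IP)}")
```

Two practical points follow from the model. First, the real-broadcast probe is needed as a control: a host that is down or firewalled answers neither probe and must not be reported as clean. Second, the probe only tells you the state of the card at the moment you send it; promiscuous mode is a packet-filter setting a protocol driver can switch on or off at any time while the system is running, so a detector that asks once at boot, as the product in the question does, has to be rerun on a schedule to mean anything.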
parkerea (asker):

Thank you richrumble -- tremendous info. Since I am wondering if it is valid to only check for the existence of a sniffer at boot time, perhaps the root question should be something like "Can a NIC be changed to promiscuous mode after boot time, or after logging onto Windows XP?"


Thanks again,
parkerea
ASKER CERTIFIED SOLUTION
Rich Rumble

parkerea:
Thank you. Although my assignment is to evaluate whether this security product will interfere with our department's home-grown apps, I feel I should also put some effort into evaluating its effectiveness -- the project manager is not that technical, and IMHO has a rather odd view of security (long ago I realized she had installed Timbuktu without disabling the default password, and when I pointed it out, rather than thanking me, she screamed to the dept manager that I was "hacking into their network").


- parkerea