Do packet sniffers need to load at boot time?
Posted on 2005-04-14
The company I work for is considering purchasing a security product that attempts to prevent the workstation from running a packet sniffer. (It does a lot more than that, but I have questions about this function.) For Windows, it only detects whether a sniffer is running on the workstation at boot time. Supposedly it detects "unusual interactions" with the NIC / NDIS.
Is there anything inherent in Windows that would require a sniffer to load & interact with NDIS at boot time, or could a sniffer be loaded after boot time? My concern is that this product may be specifically targeting two sniffers that just happen to load at boot time; their literature specifically mentions WinDump and dsniff.
BTW, I realize this product does not prevent the "protected" workstation from being eavesdropped on by another "unprotected" machine sniffing on the network; it only prevents the "protected" machine from becoming an eavesdropper.
Thanks in advance,
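As an added example (not part of the original post or of the product being asked about), here is a defender-side check that can be run at any time after boot, for instance from a scheduled task, rather than only once at startup: it lists the NDIS components bound to each adapter plus the kernel drivers currently loaded, and flags names commonly associated with capture drivers. The indicator list is an assumption for illustration; the cmdlet requires Windows 8 / Server 2012 or later, while `driverquery` also exists on older versions.

```powershell
# Added example: enumerate NDIS bindings and loaded kernel drivers on demand and
# flag capture-related components. Run elevated for complete driver information.

# Assumed indicator substrings (case-insensitive regex); extend to suit your estate.
$capturePatterns = @('npf', 'npcap', 'winpcap', 'pcap')

# 1. Protocol and filter drivers bound to each adapter (-AllBindings includes filters).
$bindings = Get-NetAdapterBinding -AllBindings |
    Where-Object { $_.Enabled } |
    Select-Object Name, DisplayName, ComponentID

# 2. Kernel drivers currently loaded, with their start mode (Boot/System/Auto/Manual).
$drivers = driverquery /v /fo csv | ConvertFrom-Csv

$findings = @()

foreach ($b in $bindings) {
    foreach ($p in $capturePatterns) {
        if ($b.ComponentID -match $p -or $b.DisplayName -match $p) {
            $findings += "NDIS binding on '$($b.Name)': $($b.DisplayName) [$($b.ComponentID)]"
            break
        }
    }
}

foreach ($d in $drivers) {
    foreach ($p in $capturePatterns) {
        if ($d.'Module Name' -match $p -or $d.'Display Name' -match $p) {
            # A driver whose start mode is Manual/Auto was not necessarily present at boot,
            # which is exactly what a boot-time-only check would miss.
            $findings += "Loaded driver: $($d.'Module Name') state=$($d.State) start=$($d.'Start Mode')"
            break
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No capture-related NDIS bindings or drivers found at $(Get-Date -Format s)"
} else {
    Write-Output "Capture-related components found at $(Get-Date -Format s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The start mode column is the useful detail for the question above: a component with a non-boot start mode shows up only if the check runs after it was started, so a one-off inspection at boot says nothing about the rest of the session.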