zlacker

[return to "Notepad++ supply chain attack breakdown"]
1. yodon+0o 2026-02-04 00:52:37
>>natebc+(OP)
Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?
2. kijin+vC 2026-02-04 02:35:29
>>yodon+0o
The only way to clean up an infected Windows system is to wipe your disk and reinstall the OS.

There are so many nooks and crannies where malware can hide, and Windows doesn't enforce any boundaries that can't be crossed with a trivial UAC dialog.

3. ziml77+pK 2026-02-04 03:45:55
>>kijin+vC
I'd say it's more true on Linux that malware can hide anywhere if you allow a sudo prompt (which people have unfortunately been trained to think is normal when installing software).

Windows enforces driver signing and has a deeper access control system that means a root account doesn't even truly exist. The SYSTEM pseudo-account looks like it should be that, but you can actually set up ACLs that make files untouchable by it. In fact, if you check the files in System32, they are only writable by TrustedInstaller. A user's administrative token and SYSTEM have no access to those files.

But when it comes down to it, I wouldn't trust any system that has had malware on it. At the very least I'd do a complete reinstall. It might even be worth re-flashing the firmware of all components of the system too, but the chances of those also being infected are lower as long as signed firmware is required.

4. kijin+111 2026-02-04 06:32:34
>>ziml77+pK
Malware can't modify files in System32, but it can drop extra files in there no problem. The only way to find and clean them up is a clean install.

In Linux, one could write a script that reinstalls all packages, cleans up anything that doesn't belong to an installed package, and asks you about files it's not sure about. It's easy to modify a Linux system, but just as easy to restore it to a known state.

5. tonyme+u11 2026-02-04 06:37:31
>>kijin+111
False. Even escalated, System32 is blocked by protected folders. The write silently fails and logs to MS Defender.
6. kijin+vj1 2026-02-04 09:06:15
>>tonyme+u11
Well, try again. I just managed to copy a random .exe to C:\Windows\System32 using an administrator account. I got a typical UAC dialog that most people would blindly click "Continue" on, and the copy succeeded. :)
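The point the thread circles around (shipped System32 binaries are TrustedInstaller-owned and signed, but an admin token can still drop an extra file next to them) suggests a triage pass rather than a cleanup tool. The script below is an added example, not code from any poster or from the Notepad++ project: it lists executable-type files under System32 whose Authenticode or catalog signature is not Valid, or whose owner is not TrustedInstaller, together with owner, signer and creation time. The default directory, the owner string and the extension list are assumptions chosen for illustration, and the output is for a human to read, not for anything to act on automatically.

```powershell
# Added example (not from the thread): triage System32 for files that do not
# look like shipped OS binaries. Run from an elevated PowerShell prompt on Windows.
# Assumptions: the default path, the expected owner string and the extension
# list below are illustrative choices, not anything the thread states.

param(
    [string]$Path = "$env:SystemRoot\System32",   # assumed default target
    [switch]$Recurse
)

# Owner that Windows servicing assigns to shipped system files.
$trustedOwner = 'NT SERVICE\TrustedInstaller'

# Executable content is what a dropped payload usually is; many data files in
# System32 are legitimately unsigned, so restricting to these types cuts noise.
$exts = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl', '.com'

$findings = Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        # Get-AuthenticodeSignature also consults the catalog store, so
        # catalog-signed OS files report Status = Valid.
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
        [pscustomobject]@{
            Path      = $_.FullName
            Owner     = $owner
            SigStatus = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Created   = $_.CreationTimeUtc
            Modified  = $_.LastWriteTimeUtc
        }
    } |
    # Flag anything that is not validly signed, or that an admin/user token
    # (rather than the servicing stack) created.
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Owner -ne $trustedOwner }

# Newest files first: a payload dropped during the compromise window sorts to the top.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
```

Read the list rather than trusting it: a legitimately Microsoft-signed file that happens to be owned by Administrators will appear because of the owner check, and a malicious file signed with a stolen or leaked certificate will not appear because of the signature check, so creation time and signer subject are there to be judged by hand. This is consistent with the thread's position that the only real remediation is a wipe and reinstall; the script only helps decide how worried to be in the meantime.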