zlacker

[return to "Notepad++ supply chain attack breakdown"]
1. yodon+0o[view] [source] 2026-02-04 00:52:37
>>natebc+(OP)
Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?
◧◩
2. kijin+vC[view] [source] 2026-02-04 02:35:29
>>yodon+0o
The only way to clean up an infected Windows system is to wipe your disk and reinstall the OS.

There are so many nooks and crannies where malware can hide, and Windows doesn't enforce any boundaries that can't be crossed with a trivial UAC dialog.

◧◩◪
3. ziml77+pK[view] [source] 2026-02-04 03:45:55
>>kijin+vC
I'd say it's more true on Linux that malware can hide anywhere if you allow a sudo prompt (which people have been unfortunately been trained is normal when installing software).

Windows enforces driver signing and has a deeper access control system that means a root account doesn't even truly exist. The SYSTEM pseudo-account looks like it should be that, but you can actually set up ACLs that make files untouchable by it. In fact if you check the files in System32, they are only writable by TrustedInstaller. A user's administrative token and SYSTEM have no access those files.

But when it comes down to it, I wouldn't trust any system that has had malware on it. At the very least I'd do a complete reinstall. It might even be worth re-flashing the firmware of all components of the system too, but the chances of those also being infected are lower as long as signed firmware is required.

◧◩◪◨
4. kijin+111[view] [source] 2026-02-04 06:32:34
>>ziml77+pK
Malware can't modify files in System32, but it can drop extra files in there no problem. The only way to find and clean them up is a clean install.

In Linux, one could write a script that reinstalls all packages, cleans up anything that doesn't belong to an installed package, and asks you about files it's not sure about. It's easy to modify a Linux system, but just as easy to restore it to a known state.

◧◩◪◨⬒
5. tonyme+u11[view] [source] 2026-02-04 06:37:31
>>kijin+111
False . Even escalated sustem32 is blocked by protected folders. The write silently fails and logs to MS Defender
◧◩◪◨⬒⬓
6. kijin+vj1[view] [source] 2026-02-04 09:06:15
>>tonyme+u11
Well, try again. I just managed to copy a random .exe to C:\Windows\System32 using an administrator account. I got a typical UAC dialog that most people would blindly click "Continue" on, and the copy succeeded. :)
◧◩◪◨⬒⬓⬔
7. tonyme+003[view] [source] 2026-02-04 18:44:21
>>kijin+vj1
And you likely have protected folders and certainly s mode disabled
◧◩◪◨⬒⬓⬔⧯
8. kijin+7v4[view] [source] 2026-02-05 04:22:05
>>tonyme+003
It's a testing box, sure, but a lot of people have the same setting, usually because of some legacy app that requires it.

It does contradict your insistence that Windows would never allow such things. An exploit doesn't need to do its thing silently in order to be effective. If a security apparatus can be bypassed by tricking a user to flip a switch, it WILL be bypassed. Heck, just trying to install or update Notepad++ throws up a UAC dialog. Who would suspect anything?

◧◩◪◨⬒⬓⬔⧯▣
9. tonyme+Va6[view] [source] 2026-02-05 17:27:40
>>kijin+7v4
I'm not going to say that any OS is perfect. and it's great that you actually test Windows. most critiques I see are 1990s assessments of ACLs and memory protection.

Generally protected folders (CFA) will protect system32 , but trusted apps can make it through. e.g. explorer.exe and powershell.exe if it's run in the terminal. Untrusted apps are expected to be blocked.

My general point is that modern windows landscape has an incredible number of protections that linux systems don't. and linux has become a bigger target over the past 10+ years as well.

It's not so much to say that Windows is better, but to encourage Linux users to be more careful with their systems, and Windows users to enable those features if they turned them off in the past.

[go to top]