I downloaded some retro Windows screensavers last December from a website called Screensaver Planet. I know very little about computer science and cyber security, so I had no idea .scr files were executables. Last month, Bitdefender picked up on one of these and I posted about it on these forums, but the conclusion was that it was a false positive. Malwarebytes didn't flag any of these files. I've since gone and run the rest of them on VirusTotal and some of them were flagged as malware. They're in my System32 folder, in case that makes a difference. I just don't know how probable it is that these are threats given that only one of the nearly 70 vendors flagged these .scr files as malware. I have pasted the VirusTotal results below.
To comply with requirements for good security practices, WCM is implementing a screensaver with a security feature that requires you to enter your password to resume use of the computer once the screensaver activates. Below are some frequently asked questions that deal with this topic.
A screensaver is a computer program that can be set to turn on after a period of user inactivity (when you leave your computer). It was first used to prevent damage to older monitors but is now used as a way to prevent viewing of desktop contents while the user is away.
The screensaver will activate after three hours (180 minutes) of inactivity. For some computers under stricter guidelines, such as those processing credit cards, a stricter policy will activate the screensaver after 15 minutes of inactivity.
In order to regain use of your computer after the screensaver activates, you will need to enter the password used to log into the computer. Simply move the mouse or tap a key to bring up the prompt for your password.
In limited scenarios, certain computers may be considered for exemption from the screensaver policy with department approval. Please contact your department administrator to discuss any exemption from this policy.
Only certain computers, such as shared exam room workstations, kiosks, and shared research computers dedicated to running instruments can be exempted from the screensaver policy. Individual workstations will not be able to be exempted from this policy as it would not comply with security requirements.
If you are working on a computer that has existing screensaver security policies (e.g., workstations processing credit cards in a front desk area), you will not be able to change the screensaver setting, because the computer must comply with existing regulatory requirements.
Please contact Support at 212-746-4878 for assistance with your password. If you have forgotten your password and the screensaver has activated, you may need to reset the machine in order to log into it.
I need to create a GPO for a screensaver lockout policy in our domain (set at 5 min or so) while excluding specific PCs from inheriting this policy if they are shared PCs. Those PCs are a part of an AD security group that I want to use in my process to exclude from that policy.
Loopback is the way to go on this one. Apply the screensaver policy to an OU that has computers in it and either deny permissions to your group or use item level targeting to block the computers that you don't want it applied to. Turn on the loopback trigger in Computer Configuration > Administrative Templates > System > Group Policy and it should work.
I set a screensaver policy on the Desktops OU here, and then created another OU within Desktops for Security Computers and Meeting Rooms, and set another policy on those OUs specifically blocking screensavers. The last policy that applies is the one that sticks, so make sure that the screensaver block is last on the list for those OUs.
So assuming you're happy to use loopback, you'd simply have a GPO that enables loopback processing applied to all of the computers you want to affect, but to stop your special group of computers from getting the screensaver you'd just deny that group permission to apply the GPO where you're enabling loopback processing (which you can do from the advanced section of the GPO security). So now all of your computers will get loopback enabled, meaning they'll get the user based screensaver setting (as long as you've got a GPO applying to the computer accounts that enables the screensaver anyway) apart from the computers that are a member of this AD group.
I guess you would also need to remove the GPO that currently applies this screensaver to all user accounts, otherwise when one of those users logs on to one of these special PCs they'll still be getting the screensaver GPO. When they log on to a normal PC though the loopback processing will mean the screensaver GPO gets applied from the computer object so they'll get the screensaver as expected even though there's no GPO applying the screensaver to the user account.
Well, I ended up making a video explaining loopback processing in a fair amount of detail, and describing how you can achieve what you wanted (excluding certain computers from getting a screensaver GPO) towards the end. Just rendering and uploading it now, I'll post a link here when it is done.
A default screensaver must be configured for all users, as the screensaver will act as a session time-out lock for the system and must be one that conceals the contents of the screen from unauthorized users. The screensaver must not display any sensitive information or reveal the contents of the locked session screen. Publicly viewable images can include static or dynamic images such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen.
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
suspicious_files = filter k.ProcessGuid, k.ProcessFilePath, k.UserName, k.RegistryKeypath, k.RegistryKeyValueData
    FROM screensaver_key_modification k
    INNER JOIN new_files f
    ON k.RegistryKeyValueData = f.FileName
Note: Although there are no standard events for file modification, Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted accesses of screensaver files (typically ending in a file extension of .scr).
Monitor the Registry for screensaver configuration changes that may not correlate with typical user behavior. Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Default screensaver files are stored in C:\Windows\System32. Use these files as a reference when defining a list of non-suspicious screensaver files.
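The join and the baseline check described above, as an added Python example (not code from the original page or from MITRE): it matches registry writes to the SCRNSAVE.EXE value against newly created .scr files, using the field names from the pseudocode. The event records, the `reg` helper and the one-entry baseline are constructed for illustration.

```python
import ntpath

# Assumption: the baseline is built from a clean reference image; only
# scrnsave.scr is named on the page, so it is the only entry here.
BASELINE = {r"c:\windows\system32\scrnsave.scr"}
# Matches both the per-user value and the Policies copy of SCRNSAVE.EXE.
SCREENSAVER_VALUE = r"\control panel\desktop\scrnsave.exe"

def norm(path):
    """Normalise a Windows path for comparison (quotes, case, '..')."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def suspicious_screensavers(registry_events, file_events, baseline=BASELINE):
    """Join SCRNSAVE.EXE registry writes with newly created .scr files."""
    new_scr = {norm(f["FileName"]) for f in file_events
               if norm(f["FileName"]).endswith(".scr")}
    hits = []
    for k in registry_events:
        if not k["RegistryKeypath"].lower().endswith(SCREENSAVER_VALUE):
            continue  # some other Desktop value, e.g. the timeout
        target = norm(k["RegistryKeyValueData"])
        reasons = []
        if target in new_scr:
            reasons.append("new .scr file")
        if target not in baseline:
            reasons.append("not in baseline")
        if reasons:
            hits.append({"UserName": k["UserName"], "Target": target,
                         "ProcessFilePath": k["ProcessFilePath"],
                         "Reasons": reasons})
    return hits

# Constructed sample events (not real telemetry).
KEY = r"HKU\S-1-5-21-EXAMPLE\Control Panel\Desktop"
def reg(user, name, data):
    return {"UserName": user, "ProcessFilePath": r"C:\Windows\System32\reg.exe",
            "RegistryKeypath": KEY + "\\" + name, "RegistryKeyValueData": data}

SAMPLE_REGISTRY = [
    reg("alice", "SCRNSAVE.EXE", r"C:\Users\alice\AppData\Local\Temp\photos.scr"),
    reg("bob", "SCRNSAVE.EXE", r"C:\WINDOWS\system32\scrnsave.scr"),
    reg("carol", "SCRNSAVE.EXE", r'"C:\ProgramData\old.scr"'),
    reg("dave", "ScreenSaveTimeOut", "300"),
]
SAMPLE_FILES = [{"FileName": r"C:\Users\alice\AppData\Local\Temp\photos.scr"},
                {"FileName": r"C:\Users\alice\Downloads\notes.txt"}]

if __name__ == "__main__":
    for hit in suspicious_screensavers(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(hit)
```

The second reason covers a screensaver path that was set to a file created before logging began, which the join alone would miss.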
A screensaver (or screen saver) is a computer program that blanks the display screen or fills it with moving images or patterns when the computer has been idle for a designated time. The original purpose of screensavers was to prevent phosphor burn-in on CRT or plasma computer monitors (hence the name). Though most modern monitors are not susceptible to this issue (with the notable exception of OLED technology, which has individual pixels vulnerable to burnout), screensaver programs are still used for other purposes. Screensavers are often set up to offer a basic layer of security by requiring a password to re-access the device.[1] Some screensaver programs also use otherwise-idle computer resources to do useful work, such as processing for volunteer computing projects.[2]
While modern screens are not susceptible to the issues discussed above, screensavers are still used. Primarily these are for decorative/entertainment purposes, or for password protection. They usually feature moving images or patterns and sometimes sound effects.
As screensavers are generally expected to activate when users are away from their machines, many screensavers can be configured to ask users for a password before permitting the user to resume work. This is a basic security measure against another person accessing the machine while the user is absent.
Some screensavers activate a useful background task, such as a virus scan or a volunteer computing application (such as the SETI@home project).[4] This allows applications to use resources only when the computer would be otherwise idle. The Ken Burns panning and zooming effect is sometimes used to bring the image to life.
The first screensaver was allegedly written for the original IBM PC by John Socha, best known for creating the Norton Commander; he also coined the term screen saver. The screensaver, named scrnsave, was published in the December 1983 issue of the Softalk magazine. It simply blanked the screen after three minutes of inactivity (an interval which could be changed by recompiling the program).
By 1983 a Zenith Data Systems executive included "screen-saver" among the new Z-29 computer terminal's features, telling InfoWorld that it "blanks out the display after 15 minutes of nonactivity, preventing burned-in character displays".[7] The first screensaver that allowed users to change the activating time was released on Apple's Lisa, in 1983.
The Atari 400 and 800's screens would also go through random screensaver-like color changes if they were left inactive for about 8 minutes. Normal users had no control over this, though programs did. These computers, released in 1979, are technically earlier "screen savers". Prior to these computers, games for the 1977 Atari VCS/2600 gaming console such as Combat and Breakout, included color cycling in order to prevent burn-in of game images into 1970s-era televisions. In addition, the first model of the TI-30 calculator from 1976 featured a screensaver, which consisted of a decimal point running across the display after 30 seconds of inactivity. This was chiefly used to save battery power, as the TI-30 LED display was more power intensive than later LCD models. These are examples of screensavers in ROM or the firmware of a computer.