Greetings,

Personally, if you are running with least privilege then simply make the registry read-only; ACLs can be applied to the registry too, you know. I've worked with a couple of companies where we have made everything but the necessary HKCU keys read-only. This stops rogue installs and even ActiveX controls, as well as general fiddling that some users try to do.
I'd recommend the following reading:

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx

Then there are the tools mentioned, but I prefer to plan first and stick with stuff that Microsoft has a responsibility to fix.

Alan Melia
Melmac Solutions Ltd.
http://www.melmac.co.uk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-Disclosure] Registry Watcher

Aditya,

ALD [Aditya Lalit Deshmukh] wrote:

>>> the common installation inserts and all programs have values that
>>> must be inserted. If a "watcher" would have a data base to follow and
>>> any odd or uncommon entries could be flagged. As far as I know all
>>> newly found viruses insert registry entries and these could be placed
>>> in a data base that would cause registry to deny and flag.
>
>> viruses generally attack registry first because most of the
>> applications including the OS use the registry for running properly, so
>> the registry is the favorite target. But a virus can do much harm without changing the registry also.
>
> hey, for this sort of thing I use a program called proport. It
> watches all the autostart registry entries and alerts you when any
> new program is added to it. This program sits in the system tray so it
> is not obtrusive. Download it from www.tudpage.com. You don't want regmon
> but proport for this sort of thing
>
> -aditya
>

I think it's supposed to be www.tdupage.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
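The read-only registry ACL that Alan describes, as an added PowerShell example (not code from the thread or from any of the tools mentioned in it). It locks a scratch key under HKCU for a group with a Deny ACE, shows the resulting ACE, and verifies that a write is refused. The key path `HKCU:\Software\ReadOnlyDemo`, the value name `Setting` and the choice of `BUILTIN\Users` as the restricted group are assumptions for the demonstration.

```powershell
# Added example (not from the thread): make a registry key read-only for a
# group with a Deny ACE, then verify it. Uses a scratch key under HKCU so it
# is safe to run; key path, value name and group are demo assumptions.

$KeyPath = 'HKCU:\Software\ReadOnlyDemo'   # hypothetical scratch key
$Group   = 'BUILTIN\Users'                 # principal to restrict

New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name 'Setting' -Value 'locked'

# Write-class rights to deny: changing values, adding subkeys, deleting the key.
$DenyRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'

# ContainerInherit so that subkeys created later inherit the same restriction.
$AceArgs = @(
    $Group,
    $DenyRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$Ace = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $AceArgs

$Acl = Get-Acl -Path $KeyPath
$Acl.AddAccessRule($Ace)
Set-Acl -Path $KeyPath -AclObject $Acl

# Show the ACE that now applies to the group.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize

# Attempt a write as the current user. Deny ACEs are evaluated before Allow
# ACEs, so any member of $Group is refused, including an admin who is also
# a member of Users.
try {
    Set-ItemProperty -Path $KeyPath -Name 'Setting' -Value 'tampered' -ErrorAction Stop
    Write-Host 'Write succeeded: the current account is not a member of the denied group'
} catch {
    Write-Host "Write blocked as intended: $($_.Exception.Message)"
}

# Cleanup. The key owner keeps implicit WRITE_DAC regardless of the DACL,
# so the Deny ACE can be removed and the scratch key deleted afterwards.
$Acl = Get-Acl -Path $KeyPath
$Acl.RemoveAccessRule($Ace) | Out-Null
Set-Acl -Path $KeyPath -AclObject $Acl
Remove-Item -Path $KeyPath -Recurse
```

A Deny ACE is used here because it is easy to verify on a scratch key; for a production lockdown of the kind Alan describes you would more commonly reduce the Users entry on the relevant HKLM and HKCU keys to ReadKey and leave the handful of HKCU keys that applications genuinely need writable. Either way, the ACL only constrains the account it is applied to: code already running as SYSTEM or as a local administrator is not stopped, which is why this belongs with least privilege rather than as a substitute for it.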

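The autostart watcher that Aditya describes in the quoted message, as an added PowerShell example (not the proport tool, and not code from the thread). It snapshots the common Run/RunOnce keys, saves a baseline as JSON on first run, and on later runs polls and warns about any entry that was added, modified or removed. The baseline path under `$env:LOCALAPPDATA`, the list of keys watched and the 30-second poll interval are assumptions for the demonstration.

```powershell
# Added example, not the proport tool from the thread: a minimal autostart
# watcher. It snapshots the common Run/RunOnce keys, stores a baseline as JSON
# and reports any value that appeared, changed or vanished since the baseline.
# The baseline path, key list and 30-second poll interval are demo assumptions.

$BaselinePath  = Join-Path $env:LOCALAPPDATA 'autostart-baseline.json'
$PollSeconds   = 30
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    # Hashtable of "<key>|<value name>" -> command line registered to run
    $snap = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key|$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Save-Baseline([hashtable]$Snapshot) {
    $Snapshot | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Load-Baseline {
    # ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable
    $obj = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $h = @{}
    foreach ($p in $obj.PSObject.Properties) { $h[$p.Name] = [string]$p.Value }
    return $h
}

function Compare-AutostartSnapshot([hashtable]$Baseline, [hashtable]$Current) {
    # One record per difference; an empty result means nothing changed
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'ADDED';    Entry = $k; Command = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $changes += [pscustomobject]@{ Change = 'MODIFIED'; Entry = $k; Command = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'REMOVED';  Entry = $k; Command = $Baseline[$k] }
        }
    }
    return $changes
}

# First run records the baseline; later runs poll and alert on differences.
if (-not (Test-Path -Path $BaselinePath)) {
    Save-Baseline (Get-AutostartSnapshot)
    Write-Host "Baseline written to $BaselinePath; run again to start watching."
    return
}

$baseline = Load-Baseline
Write-Host "Watching $($baseline.Count) autostart entries; Ctrl+C to stop."
while ($true) {
    $current = Get-AutostartSnapshot
    foreach ($c in Compare-AutostartSnapshot -Baseline $baseline -Current $current) {
        Write-Warning "$($c.Change) $($c.Entry) => $($c.Command)"
    }
    # Alert once per change: adopt the current state as the new in-memory baseline.
    $baseline = $current
    Start-Sleep -Seconds $PollSeconds
}
```

Two limits worth knowing before relying on something like this: polling misses an entry that is written and consumed between two polls (RunOnce values in particular), and the Run keys are only a fraction of the places Windows starts code from (services, scheduled tasks, Winlogon and shell-extension keys, among others), so the key list would need to grow for real coverage. It also only reports after the fact, which is the contrast Alan draws in his reply: a read-only ACL on the same keys stops the write instead of describing it.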