I have detected software with the tail end MSI, but the software that is not MSI I 
didn't detect. You can talk about that. How to detect software?

On Wednesday, 4 June 2014 at 08:19:57 UTC+7, Trieu Ngo Duy wrote:
>
> I was watching the installation of unauthorized software on the agent. I was 
> warned. I now want to block the software from running; how? My idea is to add 
> one command to the registry. For example: I discovered the installation on 
> the agent, and I can ban Fifox from running using the following command: 
> REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /v 1 /t REG_SZ /d fifox.exe 
> My question is how we can, from the OSSEC server, block software running on 
> the agent. If you can, give me an example. Thanks all.
>
>
> 2014-06-03 19:04 GMT+07:00 dan (ddp) <ddp...@gmail.com>:
>
>> On Mon, Jun 2, 2014 at 10:22 PM, Trieu Ngo Duy <trieu...@gmail.com> wrote:
>> > Thanks everyone for the reply. My purpose is to prevent one party agent
>> > software Windows 7. Much I've learned in the past week but no way to solve
>> > it. Can you help me write a script for this?
>> >
>> >
>>
>> Basic instructions:
>> Write a normal batch script for Windows, distribute it to your agents
>> in the ossec/active-response/bin directory (hopefully, it could be way
>> different on Windows I guess), and set it up on the server as an
>> active response.
>>
>> If you need more than that, please ask specific questions.
>>
>> > 2014-06-03 8:23 GMT+07:00 Michael Starks <ossec...@michaelstarks.com>:
>> >
>> >> On 06/01/2014 09:37 PM, Trieu Ngo Duy wrote:
>> >>>
>> >>> Help me with active response. How do I execute this command: REG ADD
>> >>> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
>> >>> on the Windows agent?
>> >>> Thank you very much!
>> >>
>> >>
>> >> I have used the following to check the registry run key so maybe you could
>> >> use something similar for an active response:
>> >>
>> >> %WINDIR%\system32\reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s | %WINDIR%\system32\findstr.exe /BV "! REG.EXE" | %WINDIR%\system32\findstr /BV "^$"
>> >>
>> >>
>> >> --
>> >>
>> >> --- You received this message because you are subscribed to the Google
>> >> Groups "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an
>> >> email to ossec-list+...@googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> >
>>
>>
>
>
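
The active-response script outlined in the quoted "Basic instructions", as an added example that is not code from any poster in the thread. The script name, the command name and the rule id are placeholders, and it assumes active response is enabled on the Windows agent.

```bat
@echo off
rem disallow-run.cmd (hypothetical name): added example, not from the thread.
rem Place in the agent's active-response\bin directory. Server ossec.conf
rem wiring, with placeholder command name and rule id:
rem   <command>
rem     <name>disallow-run</name>
rem     <executable>disallow-run.cmd</executable>
rem     <expect></expect>
rem     <timeout_allowed>no</timeout_allowed>
rem   </command>
rem   <active-response>
rem     <command>disallow-run</command>
rem     <location>local</location>
rem     <rules_id>RULE_ID_PLACEHOLDER</rules_id>
rem   </active-response>
setlocal

rem OSSEC passes the action as the first argument; act only on "add".
if /i not "%~1"=="add" exit /b 0

set "REG=%WINDIR%\system32\reg.exe"
set "FINDSTR=%WINDIR%\system32\findstr.exe"
rem Executable name taken from the thread's REG ADD command.
set "BLOCKED=fifox.exe"
set "POL=Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

rem Active responses run under the agent service account, so HKCU is that
rem account's hive, not the desktop user's. Walk the user hives loaded
rem under HKEY_USERS (S-1-5-21-*), skipping the *_Classes hives.
for /f "tokens=*" %%K in ('%REG% query HKU ^| %FINDSTR% /c:"S-1-5-21-" ^| %FINDSTR% /v /c:"_Classes"') do (
    rem Explorer reads the list only when the DisallowRun DWORD is 1.
    %REG% add "%%K\%POL%" /v DisallowRun /t REG_DWORD /d 1 /f >nul
    rem Value name 1 follows the thread; /f overwrites an existing entry 1.
    %REG% add "%%K\%POL%\DisallowRun" /v 1 /t REG_SZ /d "%BLOCKED%" /f >nul
)
exit /b 0
```

The policy is enforced by Windows Explorer, so it applies to programs launched through the shell. Users whose hive is not loaded when the response fires are not covered.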
