RE: [Full-Disclosure] Registry Watcher
> Pro (the pay-for version) has a TSR called AdWatch, that will alert to

TSR used to in DOS and they were good challenge to program and when the TSRs worked it was time to celebrate. in windows we only have processes which can be invisible minimized or normal state!

> entry is changed or created or deleted, AdWatch will alert you and give you the option to Accept or Deny.

this will be very bothersome because *all* the app write to the registry. is there an options like do not ask about this program again ?

-aditya

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Registry Watcher
Sysinternals also has an application called 'autoruns' - this will list everything that may be started upon system boot - it's clear from this there are some other methods that viruses will no doubt find useful in the future.

regmon from sysinternals.com, not only it watches and alerts on the screen it also logs everything in very small detail
Re: [Full-Disclosure] Registry Watcher
On Sat, 8 May 2004 18:00:57 -0500 RandallM [EMAIL PROTECTED] wrote:

> Any programs out there that watches changes to registry and can give an alert?

Registry Prot and Autostart Viewer from DiamondCS Freeware
http://www.diamondcs.com.au/index.php?page=products

RegRun 3 Security Suite
http://www.greatis.com/regrun3.htm

System Safety Monitor
http://maxcomputing.narod.ru/indexe.html?lang=en (slow link)

-robert
Re: [Full-Disclosure] Registry Watcher
Aditya, ALD [Aditya Lalit Deshmukh] wrote:

> > > the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.
>
> > viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.
>
> hey for this sort of thing i use a program called as proport, it watches all the autostart up registry entries and alerts u when any new program is added to it. this program sits in the system tray so it is not obtrusive
>
> download it from www.tudpage.com
>
> u don't want regmon but proport for this sort of thing
>
> -aditya

I think it's supposed to be www.tdupage.com
RE: [Full-Disclosure] Registry Watcher
Greetings,

Personally if you are running with least privilege then simply make the registry read-only. ACLs can be applied to the registry too, you know. I've worked with a couple of companies where we have made everything but the necessary HKCU keys read-only. This stops rogue installs and even ActiveX controls as well as general fiddling that some users try to do.

I'd recommend the following reading.

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx

Then there are the tools mentioned but I prefer to plan first and stick with stuff that Microsoft has a responsibility to fix.

Alan Melia
Melmac Solutions Ltd.
http://www.melmac.co.uk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-Disclosure] Registry Watcher

Aditya, ALD [Aditya Lalit Deshmukh] wrote:

> > > the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.
>
> > viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.
>
> hey for this sort of thing i use a program called as proport, it watches all the autostart up registry entries and alerts u when any new program is added to it. this program sits in the system tray so it is not obtrusive
>
> download it from www.tudpage.com
>
> u don't want regmon but proport for this sort of thing
>
> -aditya

I think it's supposed to be www.tdupage.com
Re: [Full-Disclosure] Registry Watcher
RandallM [EMAIL PROTECTED] writes:

> Hi, Any programs out there that watches changes to registry and can give an alert?

RegMon from sysinternals.com. There are a whole load of useful Windows tools at that site.

cheers,
Jamie

--
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
[Full-Disclosure] Registry Watcher
Hi,

Any programs out there that watches changes to registry and can give an alert?

My intention for this is only because of my limited knowledge of the windows registry. As I understand, no processes, applications, programs run without entries in to the registry. This it seems includes virus and Trojan installations. There are the common entries that belong in the registry that the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.

Wouldn't this in a sense be a firewall and virus protection method or am I really off base in my understanding. I know that such use is used by AdWatch and other types of tools but I have never seen anything mentioned for protection against backdoors, Trojans and viruses. If such a program does not exist I'd appreciate any input on building one.

thank you
Randall M
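A minimal version of the "watcher with a database" idea from the original question, as an added example that is not code from any poster or tool named in the thread: it records the values under the Run and RunOnce keys as a known-good baseline and reports entries added, modified or removed since. The baseline path and function names are assumptions, and it covers only these four keys, not the other startup methods the thread mentions.

```powershell
# Added example: baseline-and-compare check of autostart values ($BaselinePath is an assumed location).
$BaselinePath = Join-Path $env:ProgramData 'autorun-baseline.json'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunSnapshot {
    # Flat, case-insensitive map: "<key path>|<value name>" -> command line
    $snap = @{}
    foreach ($path in $RunKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # key absent on this machine
        foreach ($name in $key.GetValueNames()) {
            $snap["$path|$name"] = [string]$key.GetValue($name)
        }
    }
    $snap
}

function Compare-AutorunSnapshot([hashtable]$Baseline, [hashtable]$Current) {
    foreach ($id in $Current.Keys) {
        if (-not $Baseline.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $id; Was = $null; Now = $Current[$id] }
        } elseif ($Baseline[$id] -cne $Current[$id]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $id; Was = $Baseline[$id]; Now = $Current[$id] }
        }
    }
    foreach ($id in $Baseline.Keys) {
        if (-not $Current.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Removed'; Entry = $id; Was = $Baseline[$id]; Now = $null }
        }
    }
}

$current = Get-AutorunSnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the known-good state instead of alerting.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    "Baseline with $($current.Count) autostart entries written to $BaselinePath"
} else {
    $baseline = @{}
    $saved = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $changes = @(Compare-AutorunSnapshot $baseline $current)
    if ($changes.Count -gt 0) { $changes | Format-List } else { 'No autostart changes since baseline.' }
}
```

Run it once on a known-clean system to create the baseline, then on a schedule; writing the HKLM baseline location requires an elevated session.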
Re: [Full-Disclosure] Registry Watcher
[EMAIL PROTECTED] wrote on 05/09/2004 04:30:57 AM:

> Hi, Any programs out there that watches changes to registry and can give an alert? My intention for this is only because of my limited knowledge of the windows registry. As I understand, no processes, applications, programs run without entries in to the registry.

this is not true. You need not touch registry to run any program. Programs generally keep their config info in the registry.

> This it seems includes virus and Trojan installations. There are the common entries that belong in the registry that the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.

viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.

> Wouldn't this in a sense be a firewall and virus protection method or am I really off base in my understanding. I know that such use is used by AdWatch and other types of tools but I have never seen anything mentioned for protection against backdoors, Trojans and viruses. If such a program does not exist I'd appreciate any input on building one.
>
> thank you
> Randall M

cheers,
Manu Garg
http://manugarg.freezope.org
Re: [Full-Disclosure] Registry Watcher
Hi

RandallM wrote:

> Any programs out there that watches changes to registry and can give an alert?

My registry is protected by the Geek SuperHero. You can find it via google.

Yours,
Marcel
Re: [Full-Disclosure] Registry Watcher
http://www.sysinternals.com/ntw2k/source/regmon.shtml
Re: [Full-Disclosure] Registry Watcher
RandallM wrote:

> Hi, Any programs out there that watches changes to registry and can give an alert?

Spybot Search & Destroy beta (RC5?) has some of this functionality -- Spybot-SD Resident. So far I have gotten alerts about programs attempting to add startup commands into the registry. I don't know what else it watches for but you might want to check it out.

> My intention for this is only because of my limited knowledge of the windows registry. As I understand, no processes, applications, programs run without entries in to the registry. This it seems includes virus and Trojan installations. There are the common entries that belong in the registry that the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.
>
> Wouldn't this in a sense be a firewall and virus protection method or am I really off base in my understanding. I know that such use is used by AdWatch and other types of tools but I have never seen anything mentioned for protection against backdoors, Trojans and viruses. If such a program does not exist I'd appreciate any input on building one.
>
> thank you
> Randall M
RE: [Full-Disclosure] Registry Watcher
Call me crazy, but what about the built-in auditing function?

http://www.cert.org/security-improvement/implementations/i028.04.html
http://www.winnetmag.com/Article/ArticleID/14742/14742.html

Still, as Manu points out, you don't *need* to touch the registry for any reason. It's really just designed as an organized set of INI files. Good place to put configuration information, but never needed just to run an executable.

Now, if you want to be proactive and monitor the registry and prevent things from modifying key areas, Greyware Automation makes a good tool called "GRR!" (Greyware Registry Rearguard). It watches all the key startup entries that most viruses try to put themselves in so that they can't restart when your system does:

http://www.greyware.com/software/grr/

They have a free trial version so you can look it over.

-Kit

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, May 08, 2004 7:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Registry Watcher

[EMAIL PROTECTED] wrote on 05/09/2004 04:30:57 AM:

> Hi, Any programs out there that "watches" changes to registry and can give an alert? My intention for this is only because of my limited knowledge of the windows registry. As I understand, no processes, applications, programs run without entries in to the registry.

this is not true. You need not touch registry to run any program. Programs generally keep their config info in the registry.

> This it seems includes virus and Trojan installations. There are the common entries that belong in the registry that the common installation inserts and all programs have values that must be inserted. If a "watcher" would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.

viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.

> Wouldn't this in a sense be a firewall and virus protection method or am I really off base in my understanding. I know that such use is used by AdWatch and other types of tools but I have never seen anything mentioned for protection against backdoors, Trojans and viruses. If such a program does not exist I'd appreciate any input on building one.
>
> thank you
> Randall M

cheers,
Manu Garg
http://manugarg.freezope.org
RE: [Full-Disclosure] Registry Watcher
> > the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.

> viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.

hey for this sort of thing i use a program called as proport, it watches all the autostart up registry entries and alerts u when any new program is added to it. this program sits in the system tray so it is not obtrusive

download it from www.tudpage.com

u don't want regmon but proport for this sort of thing

-aditya