Re: Tools for checking for presence of adware remotely

[Harlan Carvey <keydet89 () yahoo com>]

-aditya

> > Sure...Perl scripts.  As a security admin in an
> FTE
> > position, I had scripts that checked all systems
> > within the domain for entries in the ubiquitous
> 'Run'
> > key, as well as for BHOs.  Easy stuff, pretty
> trivial, actually.
>
> but then you would have to keep on updating your
> bhos and other sigs, and what about the spyware that
> when removed from the run key refuse to let the
> network connections operate? how do u take care of
> them ?

You need to go back and read what I posted again.  I
never said anything about removing anything...all I
did was check.  By querying the BHO listings and the
entries in the Run key (and others), I was able to
narrow down the systems that needed to be visited
personally.  

It's not difficult to figure out how things work on
Windows systems.  Once you find that out, it's pretty
simple.  I will defer to Marcus Ranum's title of
"artificial ignorance" to describe how the Perl
scripts work...by identifying those things that are
known to be 'good' entries and filtering those out,
you're left with the suspicious stuff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html