Full Disclosure mailing list archives
RE: Registry Watcher
From: "Kit" <full-disclosure () smallfoxx com>
Date: Sat, 8 May 2004 21:08:08 -0500
Call me crazy, but what about the built-in auditing function?

http://www.cert.org/security-improvement/implementations/i028.04.html
http://www.winnetmag.com/Article/ArticleID/14742/14742.html

Still, as Manu points out, you don't *need* to touch the registry for any reason. It's really just designed as an organized set of INI files. Good place to put configuration information, but never needed just to run an executable.

Now, if you want to be proactive and monitor the registry and prevent things from modifying key areas, Greyware Automation makes a good tool called "GRR!" (Greyware Registry Rearguard). It watches all the key startup entries that most viruses try to put themselves in so that they can't restart when your system does:

http://www.greyware.com/software/grr/

They have a free trial version so you can look it over.

-Kit

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of m.garg () tcs com
Sent: Saturday, May 08, 2004 7:08 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Registry Watcher

full-disclosure-admin () lists netsys com wrote on 05/09/2004 04:30:57 AM:

> Hi,
>
> Any programs out there that "watches" changes to registry and can give an
> alert?
>
> My intention for this is only because of my limited knowledge of the Windows
> registry. As I understand, no processes, applications, programs run without
> entries into the registry.

This is not true. You need not touch the registry to run any program. Programs generally keep their config info in the registry.

> This it seems includes virus and Trojan installations. There are the common
> entries that belong in the registry that the common installation inserts,
> and all programs have values that must be inserted. If a "watcher" would
> have a database to follow, any odd or uncommon entries could be flagged.
> As far as I know all newly found viruses insert registry entries, and these
> could be placed in a database that would cause the registry to deny and flag.

Viruses generally attack the registry first because most of the applications, including the OS, use the registry for running properly, so the registry is the favorite target. But a virus can do much harm without changing the registry also.

> Wouldn't this in a sense be a firewall and virus protection method, or am I
> really off base in my understanding? I know that such use is used by AdWatch
> and other types of tools, but I have never seen anything mentioned for
> protection against backdoors, Trojans and viruses. If such a program does not
> exist I'd appreciate any input on building one.
>
> thank you
>
> Randall M

cheers,
Manu Garg
http://manugarg.freezope.org
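A minimal defender-side sketch of the "watcher" Randall asks about and that GRR-style tools implement, added here as an example (it is not code from the thread or from Greyware): it parses two `reg export` snapshots of an autostart key and flags entries that were added, changed or removed since the baseline. The two exports are constructed samples; the HKLM `Run` key path is real, and the parser handles only the REG_SZ lines `reg export` writes.

```python
import re

# Constructed sample: two "reg export" dumps of the HKLM Run key, taken at
# baseline time and later. In .reg syntax backslashes and quotes are escaped.
BASELINE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
'''
CURRENT_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\updater.exe /quiet"
"svchost"="C:\\Users\\Public\\svchost.exe"
'''

KEY_RE = re.compile(r"\[(.+)\]")                      # [HKEY_...\path] header
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')  # "name"="data"

def unescape(s):  # undo the .reg escaping of backslash and double quote
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text):
    """Return {(key path, value name): data} for the REG_SZ values in a .reg export."""
    snapshot, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1)
        elif key is not None and (m := VALUE_RE.fullmatch(line)):
            snapshot[(key, unescape(m.group(1)))] = unescape(m.group(2))
    return snapshot

def diff_snapshots(baseline, current):
    """Flag autostart entries that appeared, changed or disappeared since the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }

def report(baseline_text=BASELINE_REG, current_text=CURRENT_REG):
    # Print one line per flagged entry and return the diff for further handling.
    delta = diff_snapshots(parse_reg_export(baseline_text), parse_reg_export(current_text))
    for kind, entries in delta.items():
        for key, name in entries:
            print(kind.upper(), key + "\\" + name)
    return delta
```

On a live system the same diff runs over the output of `reg export` for each autostart key you baseline; the change itself is only a signal, so a flagged entry still needs the path it points at to be inspected.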