Security Basics mailing list archives

RE: Dynamicism Of Windows Registry


From: "Vijender Yadav" <vijender () nodeinfotech com>
Date: Sat, 24 Jun 2006 14:45:51 +0530

The Windows registry can be as dynamic as traffic flowing across your IDS.
How does an IDS work? It has been trained for normal traffic and asked to
generate an alarm for abnormal traffic flow.

In the same way, software can be built that is trained for normal and legitimate
changes in the registry, so that abnormal changes in the registry can be detected
and an alarm raised.

Have I got you right, Jason?
 

-----Original Message-----
From: Colin Bean [mailto:ccbean () gmail com] 
Sent: Friday, June 23, 2006 3:44 AM
To: Jason T. Hallahan
Cc: security-basics () securityfocus com
Subject: Re: Dynamicism Of Windows Registry

You can monitor the registry in real time using RegMon from SysInternals:
http://www.sysinternals.com/Utilities/Regmon.html

Spybot Search and Destroy also has a helper application (TeaTimer) that
hooks registry changes and allows you to permit or deny them as they happen.
http://www.safer-networking.org/en/index.html

So it's possible to monitor the registry and prevent changes; although I'm
not sure if this answers your question.  Perhaps you could clarify what you
mean by "thwart an attack by that system"?

I've installed RegMon on a system infected with malware that would
automatically regenerate its startup keys, and I could see the malware
continuously polling the registry to see if its keys were still there.
Didn't help me to remove the malware, but was interesting to see :)

Regards,
-Colin

On 6/21/06, Jason T. Hallahan <jthallah () gmail com> wrote:
Hello and good day:

I have a question. Exactly how dynamic is the Windows Registry?
Specifically, if you were somehow able to monitor in real-time the 
changes made to the registry of a system on your network (HW/SW 
installation, Processes running, websites visited, etc.) would you be 
able to thwart an attack by that system (user), or would it be too 
little information, too late?

Thanks for your help.

Best regards,
Jason

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



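The two ideas in this thread, a baseline of legitimate registry changes with an alarm for anything outside it, and Colin's observation of malware repeatedly polling its own startup keys, can be tried out on captured monitor output. The Python below is an added example written for this archive page; it is not code from the thread, from RegMon, or from TeaTimer. It assumes a constructed tab-separated event format that only approximates RegMon's columns (sequence, time, process:pid, operation, path, result, detail), a constructed allowlist `BASELINE`, and hypothetical process names and paths; the sample log lines are constructed too.

```python
import re
from collections import Counter

# Constructed allowlist of known-good autorun values. A real deployment would
# build this from a clean reference image (assumption, not from the thread).
BASELINE = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth":
        "C:\\Windows\\System32\\SecurityHealthSystray.exe",
}

# Key prefixes that make a path "autorun-related" (startup keys).
AUTORUN_MARKERS = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
)

# Tab-separated columns approximating RegMon's display; the exact layout is a
# constructed assumption, so adapt the pattern to the monitor you export from.
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\t(?P<time>\S+)\t(?P<proc>[^\t:]+):(?P<pid>\d+)\t"
    r"(?P<op>\w+)\t(?P<path>[^\t]+)\t(?P<result>\w+)(?:\t(?P<detail>.*))?$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None for unparseable input."""
    m = EVENT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["detail"] = (ev["detail"] or "").strip().strip('"')
    return ev


def is_autorun_path(path):
    """True when the registry path sits under one of the startup keys."""
    return any(marker.lower() in path.lower() for marker in AUTORUN_MARKERS)


def detect(lines, baseline=BASELINE, poll_threshold=5):
    """Return alerts as (kind, process, path, detail) tuples.

    new_autorun / modified_autorun: a successful SetValue on a startup key that
    is absent from, or differs from, the baseline.
    autorun_polling: one process reading the same startup value at least
    poll_threshold times (the self-check behaviour Colin saw in RegMon).
    """
    alerts = []
    polls = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "SUCCESS" or not is_autorun_path(ev["path"]):
            continue
        proc = f'{ev["proc"]}:{ev["pid"]}'
        if ev["op"] == "SetValue":
            expected = baseline.get(ev["path"])
            if expected is None:
                alerts.append(("new_autorun", proc, ev["path"], ev["detail"]))
            elif expected.lower() != ev["detail"].lower():
                alerts.append(("modified_autorun", proc, ev["path"], ev["detail"]))
        elif ev["op"] in ("QueryValue", "OpenKey"):
            key = (proc, ev["path"])
            polls[key] += 1
            if polls[key] == poll_threshold:  # alert once, when the threshold is hit
                alerts.append(("autorun_polling", proc, ev["path"], f"{poll_threshold} reads"))
    return alerts


# Constructed sample capture: a legitimate read and rewrite of a baselined value,
# an unbaselined startup entry written by a hypothetical process, an unrelated
# key, and six back-to-back reads of that new entry by the same process.
UPDATER = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
SAMPLE_LOG = ["\t".join(f) for f in [
    ("1", "10:00:01", "explorer.exe:1234", "QueryValue",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "SUCCESS", '"C:\\Windows\\System32\\SecurityHealthSystray.exe"'),
    ("2", "10:00:02", "setup.exe:2000", "SetValue",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "SUCCESS", '"C:\\Windows\\System32\\SecurityHealthSystray.exe"'),
    ("3", "10:00:03", "unknownsvc.exe:3100", "SetValue", UPDATER,
     "SUCCESS", '"C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe"'),
    ("4", "10:00:04", "notepad.exe:4200", "OpenKey",
     "HKCU\\Software\\Microsoft\\Notepad", "SUCCESS", ""),
] + [
    (str(5 + i), f"10:00:{5 + i:02d}", "unknownsvc.exe:3100", "QueryValue",
     UPDATER, "SUCCESS", '"C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe"')
    for i in range(6)
]]

if __name__ == "__main__":
    for kind, proc, path, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {proc} {path} {detail}")
```

On the constructed capture this raises exactly two alerts: one for the unbaselined `Updater` value and one when the same process reads it for the fifth time. The baseline is keyed on the full value path, so a legitimate installer rewriting an entry with the same data stays silent, while the same entry pointed at a different executable becomes `modified_autorun`; the polling threshold is deliberately a plain count, which is the simplest form of the "trained on normal" idea in the message above.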