RE: [Full-Disclosure] Registry Watcher
- To: "'Steve Menard'" <smenard@xxxxxxxxxxx>, "'Full Disclosure List'" <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Registry Watcher
- From: "Alan Melia (Melmac)" <alanme@xxxxxxxxxxxx>
- Date: Sun, 9 May 2004 13:14:11 +0100
Greetings,
Personally, if you are running with least privilege then simply make the
registry read-only; ACLs can be applied to the registry too, you know. I've
worked with a couple of companies where we have made everything but the
necessary HKCU keys read-only. This stops rogue installs and even ActiveX
controls, as well as general fiddling that some users try to do.
I'd recommend the following reading.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx
Then there are the tools mentioned, but I prefer to plan first and stick with
stuff that Microsoft has a responsibility to fix.
Alan Melia
Melmac Solutions Ltd.
http://www.melmac.co.uk
-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-Disclosure] Registry Watcher
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
>>>the common installation inserts and all programs have values that
>>>must be inserted. If a "watcher" would have a data base to follow and
>>>any odd or uncommon entries could be flagged. As far as I know all
>>>newly found viruses insert registry entries and these could be placed
>>>in a data base that would cause registry to deny and flag.
>
>
>>viruses generally attack registry first because most of the
>>application including os use registry for running properly.. so
>>registry is the favorite target. but a virus can do much harm without
>>changing registry also.
>
>
>
>
> hey for this sort of thing i use a program called proport, it
> watches all the autostart up registry entries and alerts you when any
> new program is added to it. this program sits in the system tray so it
> is not obtrusive. download it from www.tudpage.com you don't want regmon
> but proport for this sort of thing
>
> -aditya
>
>
I think it's supposed to be
www.tdupage.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
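As an added example (not part of the thread, and not Alan's or any poster's tool), the following PowerShell script audits the machine-wide autostart keys the thread is concerned with and reports any ACE that lets a low-privilege principal write to them, which is the condition Alan's read-only ACL approach is meant to remove. The key paths and principal names are assumptions for a typical Windows desktop; per-user HKCU Run keys are left out because, as Alan notes, the user's own keys legitimately stay writable.

```powershell
# Added example: report write access on HKLM autostart keys held by
# low-privilege principals. Assumes Windows PowerShell 5.1 or later and
# an elevated session so the HKLM key ACLs can be read.

# Machine-wide autostart keys (assumed typical set; extend as needed).
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Principals that should not hold write rights on these keys on a
# least-privilege desktop (assumed list; adjust to the environment).
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow changing a key or its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Test-AutostartKeyAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs grant access; Deny ACEs only remove it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $writable = ($ace.RegistryRights -band $WriteRights) -ne 0
        if ($writable -and ($LowPrivPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = $AutostartKeys | ForEach-Object { Test-AutostartKeyAcl -Path $_ }
if ($findings) {
    'Low-privilege principals with write access to autostart keys:'
    $findings | Format-Table -AutoSize
} else {
    'No low-privilege write access found on the checked autostart keys.'
}
```

Generic rights (GENERIC_WRITE) in an ACE are not expanded by this check, so a key that shows clean here should still be confirmed with the Permissions dialog in regedit before the result is trusted.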