[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200405091214.i49CEH402972@netsys.com>
From: alanme at melmac.co.uk (Alan Melia (Melmac))
Subject: Registry Watcher
Greetings,
Personally if you are running with least privilege then simply make the
registry read-only ACL's can be applied to the registry too you know. I've
worked with a couple of companies where we have made everything but the
necessary HKCU keys read-only. This stops rogue installs and even ActiveX
controls as well as general fiddling that some users try to do.
I'd recommend the following reading.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.msp
x
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx
Then there are the tools mentioned but I prefer to plan first and stick with
stuff that Microsoft has a responsibility to fix.
Alan Melia
Melmac Solutions Ltd.
http://www.melmac.co.uk
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-Disclosure] Registry Watcher
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
>>>the common installation inserts and all programs have values that
>>>must be inserted. If a "watcher" would have a data base to follow and
>>>any odd or uncommon entries could be flagged. As far as I know all
>>>newly found viruses insert registry entries and these could be placed
>>>in a data base that would cause registry to deny and flag.
>
>
>>viruses generally attack registry first because most of the
>>application including os use registry for running properly.. so
>>registry is the favorite target. but a virus can do much harm without
changing registry also.
>
>
>
>
> hey for this sort of thing i use a program called as proport, it
> watches all the autostart up registry entries and alerts u when any
> new program is added to it. this program sits in the system tray so it
> is not obstrusive download it from www.tudpage.com u dont want regmon
> but proport for this sort of thing
>
> -aditya
>
>
I think it's supposed to be
www.tdupage.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists