Open Source and information security mailing list archives
Message-ID: <200405091214.i49CEH402972@netsys.com>
From: alanme at melmac.co.uk (Alan Melia (Melmac))
Subject: Registry Watcher

Greetings,

Personally, if you are running with least privilege, then simply make the
registry read-only; ACLs can be applied to the registry too, you know. I've
worked with a couple of companies where we have made everything but the
necessary HKCU keys read-only. This stops rogue installs and even ActiveX
controls, as well as general fiddling that some users try to do.

I'd recommend the following reading.
http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx

Then there are the tools mentioned, but I prefer to plan first and stick with
stuff that Microsoft has a responsibility to fix.

Alan Melia

Melmac Solutions Ltd.

http://www.melmac.co.uk
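The read-only registry approach described in the message above, as an added example. This is the editor's illustration of the technique, not code from the original post or from Melmac Solutions. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, that the caller is allowed to change the DACL of the target keys, and that the default key list (the per-user autostart keys the rest of the thread is about) and the default principal (the interactive user) are illustrative placeholders; the function names are the editor's own.

```powershell
# Added example (editor's own code, not from the original post): lock registry
# keys read-only for a principal with a deny-write ACE, then verify the result.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows, the caller may
# change the target keys' DACLs, key paths and principal are placeholders.
param(
    # Keys to lock. Defaults are the per-user autostart keys; add HKLM keys
    # (and run elevated) to cover machine-wide locations.
    [string[]] $KeyPaths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    ),
    # Principal that loses write access; the interactive user by default.
    [string] $Principal = "$env:USERDOMAIN\$env:USERNAME",
    # Strip the deny ACE again instead of adding it.
    [switch] $Remove
)

# Only write-type rights are denied so reads and enumeration keep working.
# RegistryRights.WriteKey is deliberately not used: it bundles QueryValues and
# EnumerateSubKeys, so a deny on it would make the key unreadable as well.
$WriteRights = [System.Security.AccessControl.RegistryRights] `
    'SetValue, CreateSubKey, Delete, CreateLink, ChangePermissions, TakeOwnership'

function Set-RegistryKeyReadOnly {
    param([string] $Path, [string] $Identity, [switch] $Undo)

    $acl  = Get-Acl -Path $Path
    # ContainerInherit makes the deny flow down to subkeys created later.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        $WriteRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    if ($Undo) {
        # RemoveAccessRule matches on identity, type and rights, so the same
        # rule object identifies the ACE added earlier.
        [void] $acl.RemoveAccessRule($rule)
    } else {
        # AddAccessRule keeps the DACL canonical: deny ACEs are placed first.
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryKeyWritable {
    param([string] $Path)
    # Probe with a throw-away value name so an existing value is never touched.
    $probe = '__acl_probe_' + [guid]::NewGuid().ToString('N')
    try {
        New-ItemProperty -Path $Path -Name $probe -Value 1 -PropertyType DWord `
            -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Path -Name $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        # Access denied surfaces as SecurityException or
        # UnauthorizedAccessException; either way the key could not be written.
        return $false
    }
}

foreach ($key in $KeyPaths) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "$key does not exist, skipping"
        continue
    }
    Set-RegistryKeyReadOnly -Path $key -Identity $Principal -Undo:$Remove
    $writable = Test-RegistryKeyWritable -Path $key
    '{0,-60} writable by {1}: {2}' -f $key, $Principal, $writable
}
```

One caveat a practitioner should keep in mind: the interactive user owns the keys under their own HKCU hive, and Windows grants an object's owner READ_CONTROL and WRITE_DAC before the DACL is even consulted. A deny ACE in HKCU therefore stops code that simply writes (which is what rogue installers and ActiveX controls running as the user do), but not code that first rewrites the ACL. For a hard guarantee, also change the key's owner to Administrators, or deploy the ACLs as a machine-wide security policy rather than from the user's own session; the same script with HKLM paths and a `-Principal 'BUILTIN\Users'` argument, run elevated, covers the machine-wide autostart locations.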

 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-Disclosure] Registry Watcher

Aditya, ALD [Aditya Lalit Deshmukh] wrote:
>>>The common installation inserts, and all programs have values that 
>>>must be inserted. If a "watcher" had a database to follow, any odd 
>>>or uncommon entries could be flagged. As far as I know all newly 
>>>found viruses insert registry entries, and these could be placed in 
>>>a database that would cause the registry to deny and flag.
> 
>>Viruses generally attack the registry first because most 
>>applications, including the OS, use the registry to run properly, so 
>>the registry is the favourite target. But a virus can do much harm 
>>without changing the registry also.
> 
> Hey, for this sort of thing I use a program called proport. It 
> watches all the autostart registry entries and alerts you when any 
> new program is added to it. This program sits in the system tray so it 
> is not obtrusive. Download it from www.tudpage.com. You don't want regmon 
> but proport for this sort of thing.
> 
> -aditya
> 

I think it's supposed to be

www.tdupage.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

