Home page logo
/

basics logo Security Basics mailing list archives

Re: What files to watch??
From: H Carvey <keydet89 () yahoo com>
Date: 21 May 2003 17:12:02 -0000

In-Reply-To: <Law15-F100zGNsokLQ800000f5e () hotmail com>

Chris,

Lacking funds and a GPL alternative, I went ahead a
wrote a 
scanner using perl and the Digest::Md5 module.

I'd like to applaud your initiative.  I've done the
same, and have written some pretty cool monitoring and
analysis tools, in Perl for the Win32 systems.

Anyone have a good idea on how to get it to produce 
more useable detections?  

Well, that really sort of depends on your
infrastructure, policies, etc., doesn't it?  

However, here are some things you might consider:

1.  Malware tends to target files in %WINDIR%, as well
as the system32 directory.  

2.  Something to add to the monitoring program might be
checking of the contents of the Run key, as well as others.

3.  You might consider explicitly looking at
application files, such as those located in the Program
Files directory.

HTH,

Harlan

---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault