Full Disclosure mailing list archives

Re: Tools for checking for presence of adware remotely
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 30 Jun 2004 18:31:41 -0700 (PDT)

-aditya

> > Sure...Perl scripts.  As a security admin in an FTE
> > position, I had scripts that checked all systems
> > within the domain for entries in the ubiquitous 'Run'
> > key, as well as for BHOs.  Easy stuff, pretty
> > trivial, actually.
>
> but then you would have to keep on updating your
> BHOs and other sigs, and what about the spyware that
> when removed from the run key refuses to let the
> network connections operate? how do you take care of
> them?

You need to go back and read what I posted again.  I
never said anything about removing anything...all I
did was check.  By querying the BHO listings and the
entries in the Run key (and others), I was able to
narrow down the systems that needed to be visited
personally.  

It's not difficult to figure out how things work on
Windows systems.  Once you find that out, it's pretty
simple.  I will defer to Marcus Ranum's title of
"artificial ignorance" to describe how the Perl
scripts work...by identifying those things that are
known to be 'good' entries and filtering those out,
you're left with the suspicious stuff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
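The "artificial ignorance" check described in the post above, as an added example that is not Harlan Carvey's Perl code and not part of the original thread: a baseline of known-good Run-key entries and BHO DLLs is listed, registry dumps from each host are parsed, and only what does not match the baseline is reported, so the output is the list of machines that need a visit. The host names, CLSIDs, DLL paths, the baseline itself and the `reg query`-style dumps are all constructed for the example; in practice the dumps would come from `reg query \\host\HKLM\... /s` or a remote-registry call, and the default value is written `(Default)` as newer `reg.exe` prints it (older releases print `<NO NAME>`, which the parser would also accept).

```python
"""Artificial-ignorance triage of Run-key and BHO entries collected from a
fleet of Windows hosts.  Added illustration, not the poster's Perl scripts.
All host names, CLSIDs, paths and the known-good baseline are constructed."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Baseline of what the (hypothetical) build image is supposed to contain.
# Entries are compared after norm(); anything that is not an exact match is
# reported.  That is the "artificial ignorance" rule: list the good, keep the rest.
KNOWN_GOOD_RUN = {
    ("ctfmon.exe", r"c:\windows\system32\ctfmon.exe"),
    ("vmwaretray", r"c:\program files\vmware\vmware tools\vmwaretray.exe"),
}
KNOWN_GOOD_BHO_DLLS = {r"c:\program files\vendor\helper\helper.dll"}


def norm(s: str) -> str:
    """Case-fold, drop surrounding quotes and collapse whitespace so cosmetic
    variations of a baseline entry do not slip through as 'new'."""
    return re.sub(r"\s+", " ", s.strip().strip('"')).lower()


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query <key> /s` style output: a key path on its own line,
    then indented `name  TYPE  data` lines (two or more spaces, or tabs)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # unindented: a new key path
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            parts = re.split(r"\s{2,}|\t+", line.strip())
            if len(parts) >= 2:               # name, type, [data]
                keys[current][parts[0]] = "  ".join(parts[2:])
    return keys


def triage(dump: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (category, name, target) entries that are NOT in the baseline."""
    suspicious: List[Tuple[str, str, str]] = []
    for name, cmd in dump.get(RUN_KEY, {}).items():
        if (norm(name), norm(cmd)) not in KNOWN_GOOD_RUN:
            suspicious.append(("Run", name, cmd))
    for key in dump:
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            # A BHO key only names the CLSID; the DLL lives under HKCR\CLSID.
            server = dump.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {})
            dll = server.get("(Default)", server.get("<NO NAME>", "<unresolved>"))
            if norm(dll) not in KNOWN_GOOD_BHO_DLLS:
                suspicious.append(("BHO", clsid, dll))
    return suspicious


def triage_fleet(dumps: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map host -> suspicious entries, keeping only hosts that need a visit."""
    hits = {host: triage(parse_reg_query(text)) for host, text in dumps.items()}
    return {host: entries for host, entries in hits.items() if entries}


# Constructed dumps: ws01 matches the baseline, ws02 has an extra Run entry
# and a second BHO whose DLL is not on the known-good list.
SAMPLE_DUMPS = {
    "ws01": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    VMwareTray    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000AAAA}

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\Helper\helper.dll
    ThreadingModel    REG_SZ    Apartment
""",
    "ws02": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    VMwareTray    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    updater    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\updater.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000AAAA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000BBBB}

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Vendor\Helper\helper.dll

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000BBBB}\InprocServer32
    (Default)    REG_SZ    C:\WINDOWS\system32\adhelper32.dll
""",
}

if __name__ == "__main__":
    for host, entries in triage_fleet(SAMPLE_DUMPS).items():
        for category, name, target in entries:
            print(f"{host}: {category} {name} -> {target}")
```

Nothing is removed or signature-matched: the script only says which hosts carry something the baseline does not explain, and the baseline is the only thing that needs maintaining when a new sanctioned application is rolled out.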