Full Disclosure mailing list archives
RE: Registry Watcher
From: "Alan Melia \(Melmac\)" <alanme () melmac co uk>
Date: Sun, 9 May 2004 13:14:11 +0100
Greetings,

Personally, if you are running with least privilege then simply make the registry read-only; ACLs can be applied to the registry too, you know. I've worked with a couple of companies where we have made everything but the necessary HKCU keys read-only. This stops rogue installs and even ActiveX controls, as well as general fiddling that some users try to do.

I'd recommend the following reading:

http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.mspx
http://www.microsoft.com/security/guidance/topics/DesktopSecurity.mspx

Then there are the tools mentioned, but I prefer to plan first and stick with stuff that Microsoft has a responsibility to fix.

Alan Melia
Melmac Solutions Ltd.
http://www.melmac.co.uk

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Steve Menard
Sent: 09 May 2004 12:48
To: Full Disclosure List
Subject: Re: [Full-disclosure] Registry Watcher

Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> > the common installation inserts and all programs have values that must be inserted. If a "watcher" would have a database to follow, any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries, and these could be placed in a database that would cause the registry to deny and flag.
>
> Viruses generally attack the registry first because most applications, including the OS, use the registry to run properly, so the registry is the favourite target. But a virus can do much harm without changing the registry also.
>
> Hey, for this sort of thing I use a program called proport. It watches all the autostart registry entries and alerts you when any new program is added to them. This program sits in the system tray so it is not obtrusive. Download it from www.tudpage.com. You don't want regmon but proport for this sort of thing.
>
> -aditya

I think it's supposed to be www.tdupage.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
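The two approaches discussed in this message, a watcher that alerts on new autostart entries and an ACL that makes the relevant keys read-only, can both be done with built-in Windows facilities. The following is an added example written for this archive page, not code from the thread's posters or from the proport tool. It assumes PowerShell 5.1 or later on Windows, an elevated session for the ACL function, and an illustrative set of Run/RunOnce keys and baseline path; all names in it are the example's own.

```powershell
# Added example: snapshot/diff of autostart registry values, plus a Deny ACE
# that makes a key read-only for a given account. Key list and paths are
# illustrative assumptions, not values from the original thread.

$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    # Returns a hashtable of "<key>\<valueName>" -> value data for every
    # value under the autostart keys that exist on this machine.
    param([string[]]$Keys = $AutostartKeys)
    $snap = @{}
    foreach ($k in $Keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $snap["$k\$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    # Emits one object per added, modified or removed autostart value, so the
    # result can be piped to Format-Table, Write-EventLog, or an alerting script.
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current
    )
    foreach ($e in $Current.GetEnumerator()) {
        if (-not $Baseline.ContainsKey($e.Key)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $e.Key; Value = $e.Value }
        } elseif ($Baseline[$e.Key] -ne $e.Value) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $e.Key; Value = $e.Value }
        }
    }
    foreach ($e in $Baseline.GetEnumerator()) {
        if (-not $Current.ContainsKey($e.Key)) {
            [pscustomobject]@{ Change = 'Removed';  Entry = $e.Key; Value = $e.Value }
        }
    }
}

function Set-RegistryKeyReadOnly {
    # Adds a Deny ACE for the write-type rights (SetValue, CreateSubKey, Delete)
    # so $Account can still read the key but cannot add or change entries.
    # Deny ACEs are evaluated before Allow ACEs, so this wins over an existing
    # Allow for the same account. Requires an elevated session.
    param(
        [Parameter(Mandatory)][string]$Key,      # e.g. 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        [Parameter(Mandatory)][string]$Account   # e.g. 'BUILTIN\Users'
    )
    $acl    = Get-Acl -Path $Key
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Usage (baseline path is an assumption for this example):
#   $baselinePath = 'C:\ProgramData\autostart-baseline.xml'
#   Get-AutostartSnapshot | Export-Clixml -Path $baselinePath          # once, on a known-good build
#   Compare-AutostartSnapshot -Baseline (Import-Clixml -Path $baselinePath) -Current (Get-AutostartSnapshot)
#   Set-RegistryKeyReadOnly -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Account 'BUILTIN\Users'
```

Two caveats for the ACL part. First, a Deny ACE only holds against accounts that cannot rewrite the DACL: the owner of a key implicitly has WRITE_DAC, so locking a key under HKCU against the user who owns it also requires taking ownership with an administrative account (or Group Policy), which is the scenario Alan describes. Second, the Run/RunOnce keys are only a subset of autostart locations (services, Winlogon, shell extensions and scheduled tasks are others), so the watcher should be given whatever key list the deployment's baseline actually covers.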
Current thread:
- Registry Watcher RandallM (May 08)
- Re: Registry Watcher Marcel Krause (May 08)
- Re: Registry Watcher m . garg (May 08)
- RE: Registry Watcher "Kit" <full<dash>disclosure(at)smallfoxx (May 08)
- RE: Registry Watcher Aditya, ALD [Aditya Lalit Deshmukh] (May 08)
- Re: Registry Watcher Steve Menard (May 09)
- RE: Registry Watcher Alan Melia (Melmac) (May 09)
- Re: Registry Watcher David (May 08)
- Re: Registry Watcher Chris Porter (May 08)
- RE: Registry Watcher Aditya, ALD [Aditya Lalit Deshmukh] (May 08)
- Re: Registry Watcher Scott Manley (May 10)
- Re: Registry Watcher Troy Solo (May 11)
- RE: Registry Watcher Aditya, ALD [Aditya Lalit Deshmukh] (May 12)
- Re: Registry Watcher Scott Manley (May 10)
- Policy measurement and compliance tools n30 (May 09)
- Windows IPS personal use n30 (May 09)
