startup folder / registry protector


Jason Wade

So many viruses configure windows to start themselves
when the OS loads, that I think it's time for
someone to create a start up entry protector.

This would be a program that would disallow
any new entries in the startup folder, win.ini
(run= and load= keys), and startup registry keys.

When a program tries to modify any of these
items, the startup protection utility should
present a dialog box to the user. The user
would have to put a password into the dialog box
to allow the program to install.

The password should not be stored on disk, but
a hash should be stored instead. Otherwise, a
virus would simply read the password and
use it to install itself without the user's
permission.

What do you people think?
(followups to alt.comp.anti-virus)

--
+----------------> Jason Wade <----------------+
| (e-mail address removed) |
| "I ask for Swen, but ya give me Bagle. Cute. |
| So I guess that Swen has finally gone to |
| that big virus network in the sky. Good." |
+----------------------------------------------+
 
Jason Wade said:
So many viruses configure windows to start themselves
when the OS loads, that I think it's time for
someone to create a start up entry protector.

There is one already existing, that does exactly what you describe,
standing here in the background and verifying in real time what has
been added in various startup / registry / boot time files where
trojans, viruses, worms, spyware, adware, etc. always add themselves.
And this program is totally free, and very small. Let me smoke a
cigarette first and I will find its name.

I always wondered why anti-viruses do not do that, actually. It's so
evident. I know one very expensive generic anti-virus that has this
interesting protection routine, but the rest of the product is not
worth it.
 
Guillermito said:
And this program is totally free, and very small. Let me smoke a
cigarette first and I will find its name.

Found it. It's called StartUp Monitor (I think it forgot to check for
win.ini, maybe that has been corrected):

http://www.mlin.net/StartupMonitor.shtml (free)

The same guy did a similar version to check what programs are going to
be executed at startup, but not resident, actually an add-on for the
control panel:

http://www.mlin.net/StartupCPL.shtml (free)

Another free Startup Manager here:

http://home.ptd.net/~don5408/toolbox/startupcpl/
 
Jason said:
So many viruses configure windows to start themselves
when the OS loads, that I think it's time for
someone to create a start up entry protector.

This would be a program that would disallow
any new entries in the startup folder, win.ini
(run= and load= keys), and startup registry keys.

When a program tries to modify any of these
items, the startup protection utility should
present a dialog box to the user. The user
would have to put a password into the dialog box
to allow the program to install.

The password should not be stored on disk, but
a hash should be stored instead. Otherwise, a
virus would simply read the password and
use it to install itself without the user's
permission.

What do you people think?
(followups to alt.comp.anti-virus)

if you store the hash on the hard disk it will still be susceptible to
virus attack... in fact the software you propose could simply be
terminated by a virus/worm before attempting to write to the registry...
 
There is one already existing, that does exactly what you describe,
standing here in the background and verifying in real time what has
been added in various startup / registry / boot time files where
trojans, viruses, worms, spyware, adware, etc. always add themselves.
And this program is totally free, and very small. Let me smoke a
cigarette first and I will find its name.

I always wondered why anti-viruses do not do that, actually. It's so
evident. I know one very expensive generic anti-virus that has this
interesting protection routine, but the rest of the product is not
worth it.

In a slightly different vein, I wonder if you've ever used InCtrl5?
This was a PC mag freeware program released in the year 2000. It's
still available on the net. Just Google InCtrl5 (INCTRL5)

The program allows you to take a snapshot of the registry, drives, ini
files and text files before installing some software. After the
install, it displays everything done to all these items.

In these days of parasites in commercial software which are sometimes
almost impossible to remove ... and the software itself perhaps
refusing to uninstall (or completely uninstall) ... I think this old
tool might be quite helpful. Of course, the best and easiest way is to
have a good backup/restore method in place.

InCtrl5 should be useful also for analyzing Trojans on a goat PC.


Art
http://www.epix.net/~artnpeg
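The snapshot-and-compare idea behind InCtrl5, applied to the autostart locations listed in the first post (Startup folder, win.ini run=/load=, Run registry keys), as an added example in Python; it is not code from InCtrl5, StartUp Monitor, or any poster, and the before/after states are constructed so it runs offline on any OS.

```python
from typing import Dict, Set, Tuple

def parse_win_ini_autostart(text: str) -> Set[str]:
    """Programs named by run= and load= in win.ini's [windows] section.
    Values are comma- or space-separated; keys are case-insensitive."""
    programs: Set[str] = set()
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("run", "load"):
                for item in value.replace(",", " ").split():
                    programs.add(f"win.ini:{key}={item}")
    return programs

def snapshot(startup_folder: Set[str], win_ini_text: str,
             run_keys: Dict[str, Dict[str, str]]) -> Set[str]:
    """Flatten the three autostart locations into one set of entries."""
    entries = {f"startup-folder:{name}" for name in startup_folder}
    entries |= parse_win_ini_autostart(win_ini_text)
    for key_path, values in run_keys.items():
        for name, command in values.items():
            entries.add(f"{key_path}\\{name}={command}")
    return entries

def diff_snapshots(before: Set[str], after: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed): what an install put in and what it took out."""
    return after - before, before - after

# Constructed before/after states, not captured from a real machine.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = snapshot({"desktop.ini"}, "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n",
                  {RUN_KEY: {"ctfmon": "ctfmon.exe"}})
AFTER = snapshot({"desktop.ini", "update.lnk"}, "[windows]\nload=C:\\TOOLS\\HOOK.EXE\nrun=\n",
                 {RUN_KEY: {"ctfmon": "ctfmon.exe", "Updater": r"C:\Temp\updater.exe"}})

if __name__ == "__main__":
    added, removed = diff_snapshots(BEFORE, AFTER)
    for entry in sorted(added):
        print("NEW autostart entry:", entry)
    for entry in sorted(removed):
        print("REMOVED autostart entry:", entry)
```

On a real machine the three snapshot inputs would be filled from a directory listing of the Startup folder, the contents of win.ini, and the values under the Run keys, taken once before and once after an install.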
 
In a slightly different vein, I wonder if you've ever used InCtrl5?

No, I didn't know it. From what I can see, it's more like a static
tool. You take snapshots of your system at time t1, and then at time
t2, and you will know what changed between t1 and t2. Probably useful
for analyzing trojans a posteriori, as you said.
 
Guillermito said:
No, I didn't know it. From what I can see, it's more like a static
tool. You take snapshots of your system at time t1, and then at time
t2, and you will know what changed between t1 and t2. Probably useful
for analyzing trojans a posteriori, as you said.

Yes, it's a static tool. Very useful even when installing a
known "good" s/w, say a shrinkwrapped game. One can see all the
ancillary crap that gets loaded on the box (in some cases it may
help to find a way out of the DLL hell).

J
 
Yes, it's a static tool. Very useful even when installing a
known "good" s/w, say a shrinkwrapped game. One can see all the
ancillary crap that gets loaded on the box (in some cases it may
help to find a way out of the DLL hell).

Also, it is good for determining if the uninstall program actually removes
most items that it installs.
 
FromTheRafters said:
Also, it is good for determining if the uninstall program actually removes
most items that it installs.

Yes, indeed! Thanks for pointing that out -- I forgot about that.
Perhaps even more important than hunting down the extra crap
stuff.

J
 
In Message-ID:<[email protected]> posted on


Did you pony up the twenty bucks for the plus version, any differences?

Haven't got the plus yet but am considering it only to support the
author. With Plus you can get additional info on 'IE helpers' etc,
that WP identifies. Detection wise, there's no difference.

I rate Spyblaster, WinPatrol and Hostsmgr as my top 3 free protectors.

BoB
 
if you store the hash on the hard disk it will still be susceptible to
virus attack... in fact the software you propose could simply be
terminated by a virus/worm before attempting to write to the registry...

You're right. Doh!

--
+----------------> Jason Wade <----------------+
| (e-mail address removed) |
| "I ask for Swen, but ya give me Bagle. Cute. |
| So I guess that Swen has finally gone to |
| that big virus network in the sky. Good." |
+----------------------------------------------+
 
Found it. It's called StartUp Monitor (I think it forgot to check for
win.ini, maybe that has been corrected):

http://www.mlin.net/StartupMonitor.shtml (free)

The same guy did a similar version to check what programs are going to
be executed at startup, but not resident, actually an add-on for the
control panel:

http://www.mlin.net/StartupCPL.shtml (free)

Another free Startup Manager here:

http://home.ptd.net/~don5408/toolbox/startupcpl/

Thanks for the links. I'll try these out.
 
In Message-ID:<[email protected]> posted on
Haven't got the plus yet but am considering it only to support the
author. With Plus you can get additional info on 'IE helpers' etc,
that WP identifies. Detection wise, there's no difference.

I rate Spyblaster, WinPatrol and Hostsmgr as my top 3 free protectors.

BoB

I found a keygen and tried the plus, like you say, mainly just more info
on things that can't affect me. I ended up dumping the thing, but see
where it might help some noob using IE to catch a few blunders.
 
In Message-ID:<[email protected]> posted on

I found a keygen and tried the plus, like you say, mainly just more info
on things that can't affect me. I ended up dumping the thing, but see
where it might help some noob using IE to catch a few blunders.

Yes, it has tremendous potential since the vast majority of internet
users are noobies and >95% of them use IE. After I pried my wife off
WebTV, I taught her proper safehex practices. She prefers IE and OE
and operates quite nicely with appropriate changes to default settings
and critical updates applied. She has Kerio FW, EZTrust AV and the above
three programs, all of which 'I' update daily. She has no idea what they
are or what they do.

I'm strictly Firefox/Agent myself.

BoB
 