ADinf Comments?
JimIT
June 3rd, 2003, 06:02 PM
I'd like comments about this software:
www.adinf.com
If anyone has experience with it/testimonials/usefulness, I'd appreciate feedback.
Thanks!
bellgamin
May 16th, 2005, 03:04 AM
-{ Quote: "I'd like comments about this software:
www.adinf.com
If anyone has experience with it/testimonials/usefulness, I'd appreciate feedback.
Thanks!" }-
I did a search to discover which Topic would be most appropriate for asking a question about File Integrity Checkers {FIC}. Lo & behold, I found this old post which was done by JimIT (blimee!) waaaay back in 2003 anno Domini. Amazingly, it never drew a reply.
AFAIK FanJ, Technodrome, & JVMorris (is he still around?) are the *resident experts* on FIC in general, & Adinf in particular. Although I am far from being an expert, I thought it might be best to resuscitate this thread rather than start a new one.
I DO have a couple of questions that have been badgering me for quite some time. I am hopeful that bumping this thread back to life will bring about answers, not only to my questions, but to JimIT's question, as well.
First off, here's a bit of GENERAL background about FIC...
-{ Quote: "It is very difficult to compromise a system without altering a system file, so FIC are an important capability in intrusion detection. An FIC can detect changes made for any reason (including legitimate ones) as well as changes made by ANY type of malware (not just viruses, trojans & worms -- Oh my!). That's why it's difficult to decide WHICH topic should be used to discuss FIC.
An FIC will compute a baseline checksum (call it value "b") for every guarded file and store this. At a later time (designated by you, the user) the FIC will re-calculate a checksum for every guarded file (call this value "r").
If value "r" for a guarded file is NOT equal to value "b" for that file, then you know that something caused a change. Of course, an FIC also detects new files & deleted files within the file categories it has been instructed to guard.
That is basically ALL that an FIC does. When a change is detected, it's up to you, the user, to determine whether the change is benign or ominous. This you must do by such actions as: (a) Scanning new & changed files with your AV, AT, etc., (b) Doing Googles of new files to find out if they are associated with bad stuff, (c) Remembering the actions that you have done since the FIC calculated baseline value "b" -- for example, if your AV got an update to its scan engine, you would expect that this would have caused changes to the associated checksums.
The checksum algorithms used by FIC are designed such that (a) even changing one binary bit in the file will cause the checksum to change, and (b) it is VERRRRY difficult for a bad guy to contaminate a file in such manner that the checksum does not reveal that a change has been made." }-Some Firewalls (Outpost, for example) maintain checksum-type integrity checks of some of the various applications you run.
For home users, the FIC programs I know of are AdInf (~$25 -- by the DrWeb folks), Sentinel ($10 by Runtime -- the programmer thereof visits Wilders from time to time), & Fingerprint (a freebie). Also, NIS Filecheck (http://www.wilderssecurity.com/forumdisplay.php?f=52) is a *golden oldie* with a long & glorious history here at Wilders. FanJ is a knowledgeable & vigorous proponent thereof.
Okay, here are THREE questions...
_/JimIT wants to know more about AdInf. Since he asked for that info nearly 2 years ago, he probably already has his answer. Even so, I hope someone else will add to the knowledge of all of us concerning AdInf -- the Russian perfecto.
_/I solicit comments & suggestions as to WHICH file extensions should be guarded by an FIC. Concerning which, here is my present list of extensions that my FIC is guarding: bat bin drv lib pgm xlw ocx dll ini dos pif scr sys com exe vxd. If you think I should add or delete something from this list PLEASE let me know.
_/I further solicit opinions as to whether you think Process Guard, Prevx, etc. make it unnecessary to run an FIC.
I do hope that this thread doesn't return to oblivion for yet another 2 years. If so, by then BG & M$ will no doubt have totally eliminated malware, & Wilders will have become a forum for discussing plant propagation.*puppy*
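Added example, not part of any post in this thread: a minimal sketch of the baseline "b" versus re-check "r" comparison described in the post above, reporting changed, new and deleted files for the guarded extensions listed there. SHA-256 and the function names (`snapshot`, `compare`, `demo`) are assumptions of this example, not how AdInf, Fingerprint or any other product named here works; the sample files are constructed.

```python
import hashlib
import os
import tempfile

# Extensions from the list posted in the thread; matching is case-insensitive.
GUARDED = {"bat", "bin", "drv", "lib", "pgm", "xlw", "ocx", "dll", "ini",
           "dos", "pif", "scr", "sys", "com", "exe", "vxd"}

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, extensions=GUARDED):
    """Map relative path -> digest for every guarded file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext in extensions:
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = file_digest(full)
    return result

def compare(baseline, recheck):
    """Return (changed, added, deleted) as sorted lists of relative paths."""
    changed = sorted(p for p in baseline
                     if p in recheck and baseline[p] != recheck[p])
    added = sorted(p for p in recheck if p not in baseline)
    deleted = sorted(p for p in baseline if p not in recheck)
    return changed, added, deleted

def demo():
    """Constructed sample tree: take baseline b, alter the tree, take r, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("app.exe", b"MZ\x00original")
        write("helper.dll", b"library")
        write("old.bat", b"echo hi")
        write("notes.txt", b"not guarded")
        b = snapshot(root)                      # baseline values "b"
        write("app.exe", b"MZ\x01original")     # a single bit differs
        write("notes.txt", b"edited")           # unguarded extension, ignored
        os.remove(os.path.join(root, "old.bat"))
        write("NEW.SCR", b"dropped later")
        r = snapshot(root)                      # re-calculated values "r"
        return compare(b, r)

if __name__ == "__main__":
    for label, paths in zip(("changed", "added", "deleted"), demo()):
        print(label, paths)
```

The comparison is only as trustworthy as the stored baseline, so a checker used for intrusion detection keeps that database where the monitored system cannot silently rewrite it, for example on read-only media.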
JBB
May 17th, 2005, 10:32 PM
Bellgamin,
I was wondering have you (or anyone else) tried a program I recently came across called XIntegrity 1.6 ? I have not tried yet.
bellgamin
May 18th, 2005, 02:39 AM
I haven't tried it, but Xintegrity 1.6 (http://www.xintegrity.com) is definitely an industrial-strength FIC, & looks like a good one. It ought to be, since the price is ~$47 USD. Claims...
-{ Quote: "Xintegrity makes it virtually impossible for anybody or anything to modify your files without being detected. When Xintegrity detects a modified file it will show exactly how and when the file was modified and display the contents of the modified file in comparison with an optionally backed up copy of the file. All your files [including operating system files] can be protected. Xintegrity can automatically create protected backup files [optionally encrypted with 256 bit AES] allowing you the option of restoring the file when modification is detected.
Auto restore and email notifications make Xintegrity ideal for monitoring large numbers of servers." }-Sounds VERY promising. Let's hope someone here has trialed it & is good enough to share their opinion thereof.
JBB
May 20th, 2005, 01:50 PM
I. -- Some basic questions about Fingerprint software:
1) Does it maintain a database? (I would assume that it would, but just thought I'd double-check by asking you this.)
2) Will it detect both the Addition and Deletion of "Files", since the last scan check?
3) Will it detect both the Addition and Deletion of "Folders/Subdirectories" added, since the last scan check?
4) Does it work on Win 98 PC's ?
5) Does it have its own scheduler for scheduling scans or does it use the Win98 task scheduler?
6) Do the scans run in the background without affecting performance on the PC too much?
7) Is there an option to scan upon boot-up of windows?
8) Does it have both a GUI and command-line interface?
II. -- Have you heard of and what do you think of 'Integrity Master", by Stiller Research?
III. -- In terms of ADinf32, why is it that I do not find it listed on any of the common download sites like Cnet's download.com, pcworld.com, zdnet, etc. ???
--- Do you know whether it can be bought in the U.S. and if anyone has purchased it and been satisfied with it and its support?
bellgamin
May 20th, 2005, 10:01 PM
-{ Quote: "I. -- Some basic questions about Fingerprint software:
1) Does it maintain a database? (I would assume that it would, but just thought I'd double-check by asking you this.)" }-Yes
-{ Quote: "2) Will it detect both the Addition and Deletion of "Files", since the last scan check?" }-Yes
-{ Quote: "3) Will it detect both the Addition and Deletion of "Folders/Subdirectories" added, since the last scan check?" }-No. However, if a folder appears or disappears, & IF such folder contained a guarded file extension, then you will get notified about the file (not the folder). On the other hand, AdInf DOES report any & all such details.
-{ Quote: "4) Does it work on Win 98 PC's ?" }-Yes
-{ Quote: "5) Does it have its own scheduler for scheduling scans or does it use the Win98 task scheduler?" }-Has own scheduler.
-{ Quote: "6) Do the scans run in the background without affecting performance on the PC too much?" }-Unless your computer is a real wimp, there should be very little degradation of its performance by Fingerprint's background scan.
-{ Quote: "7) Is there an option to scan upon boot-up of windows?" }-You can schedule any desired profile to be scanned under several optional times or occurrences -- including at start-up.
-{ Quote: "Does it have both a GUI and command-line interface?" }-GUI only
-{ Quote: "II. -- Have you heard of and what do you think of 'Integrity Master", by Stiller Research?" }-Heard of it. Never tried it.
-{ Quote: "III. -- In terms of ADinf32, why is it that I do not find it listed on any of the common download sites like Cnet's download.com, pcworld.com, zdnet, etc. ???
--- Do you know whether it can be bought in the U.S. and if anyone has purchased it and been satisfied with it and its support?" }-AdInf can be purchased from its website HERE (http://www.adinf.com/home.htm). They use ShareIt (part of the well-known element5 outfit) for credit card sales. There are several AdInf users here at Wilders. Try a PM to Technodrome and FanJ -- both of them are very knowledgeable.
AdInf is a product of DrWeb's outfit (Dialogue Science) and is VERY much *industrial strength*. It fully interfaces with DrWeb, and also with McAfee & a couple of other AVs. That is, AdInf can be set to *command* DrWeb as to when & what to scan. Thus, AdInf can be used so that on-demand scans by your AV are done only when/where needed (if you wish).
As to why AdInf doesn't list themselves with outfits like Cnet -- your guess is as good as mine. I *think* it's because they take little interest in learning about (or kow-towing to) *big name outfits* in USA. Neither does DrWeb. Neither do many other well-known, overseas malware outfits.
FanJ
May 21st, 2005, 01:34 AM
-{ Quote: "I did a search to discover which Topic would be most appropriate for asking a question about File Integrity Checkers {FIC}. Lo & behold, I found this old post which was done by JimIT (blimee!) waaaay back in 2003 anno Domini. Amazingly, it never drew a reply.
- - snip - -
I do hope that this thread doesn't return to oblivion for yet another 2 years. If so, by then BG & M$ will no doubt have totally eliminated malware, & Wilders will have become a forum for discussing plant propagation.*puppy*" }-
Hi Bellgamin,
A more general thread about ADinf32 will soon be up.
Cheers, Jan.
Paul Wilders
May 21st, 2005, 05:25 AM
...and thanks Jan for doing a very nice job!
All interested, please have a look at this (http://www.wilderssecurity.com/showthread.php?t=72131&page=1) extensive review.
regards,
paul
JBB
May 21st, 2005, 11:37 PM
Bellgamin,
Found out that XIntegrity 1.6 (which works also with Win 98 ) does not detect new and deleted files (only detects changes to existing files). You have to get XIntegrity Professional to get the additional feature of detecting new and deleted files. However, XIntegrity Professional will not work on Win 98. So this is an issue for me, since I use a Win 98 PC.
It's too bad, it looked like it was going to be a very good solution for a FIC on a Win 98 PC. I liked the fact that it would make backup of files that could optionally be used to restore the changed file back to its prior image before the change.
However, for me it's useless on a Win98 PC, since I need to also know about new files created and deleted files between scans. I just can't understand the reasoning behind this feature limitation in the XIntegrity 1.6 product!
Really frustrating!
bellgamin
May 22nd, 2005, 03:51 AM
-{ Quote: "I liked the fact that it would make backup of files that could optionally be used to restore the changed file back to its prior image before the change." }-Have you checked out FanJ's description of AdInf? It's grrrreat!
As to the fact that Xintegrity can backup files -- that feature sounded good to me, also, at first. Then I remembered what my Uncle George taught me when I was knee-high to a jack rabbit. To wit, he said: "When you go to a restaurant specializing in steaks, don't order fried chicken."
POINT IS: there are specialized FIC's & there are specialized back-up programs. Generally, a specialized back-up program should do a better job at backing up (faster, better compression, more options, etc.) than an Integrity Checker will do.
In my case (also on the recommendation of FanJ, as I recall) I have for a looong time used a superb backer-upper called ERS (http://www.backtec.com/ers9x.htm). It has saved my glutes many many times. Works great on Win98, too. Give it a trial. It's like the tar baby in B'rer Rabbit -- once you grab hold of it, you won't be able to let it go. 8)
FanJ
May 22nd, 2005, 09:54 AM
-{ Quote: "
_/JimIT wants to know more about AdInf. Since he asked for that info nearly 2 years ago, he probably already has his answer. Even so, I hope someone else will add to the knowledge of all of us concerning AdInf -- the Russian perfecto.
" }-
I really apologize that I left you all so long waiting !
But finally it is here:
http://www.wilderssecurity.com/showthread.php?t=72131
-{ Quote: "
_/I solicit comments & suggestions as to WHICH file extensions should be guarded by an FIC. Concerning which, here is my present list of extensions that my FIC is guarding: bat bin drv lib pgm xlw ocx dll ini dos pif scr sys com exe vxd. If you think I should add or delete something from this list PLEASE let me know.
" }-
Hi,
I find it a little bit difficult to answer because I myself use two (in fact three) file-integrity-checkers:
1. NISFileCheck
For its great info and strong HASH algorithm.
2. ADinf32 Pro
For its checking of all files !
3. CRC32 check in TDS-3
For quick checking of several files.
Some more about this:
As with all my scanners (AV/AT/etc) I want at least two that do the job more or less (of course no two AV's resident at the same time, but I can use both BOClean and TDS-3 resident if I choose so).
I like both the info from NISFileCheck and ADinf32.
But I like the info from NISFileCheck sometimes more because for example it gives in one view the checksums (old and new), size etc.
As for file-types:
I let NISFileCheck check for at least : exe dll ocx vxd sys bat com.
And I have added manually lots of more files.
Bellgamin posted several good suggestions (!!) for other file-types.
Probably I myself would have added several of them too, but I have chosen not to do so because ADinf32 already checks all files.
It's all a personal choice.
-{ Quote: "
_/I further solicit opinions as to whether you think Process Guard, Prevx, etc. make it unnecessary to run an FIC.
" }-
Even more difficult to answer for me.
I feel that I am not the right person to do so, simply because I cannot run for example ProcessGuard on my W98SE system.
A few things however I think I could say:
ProcessGuard is an extremely good security program.
There is a difference between ProcessGuard and most file-integrity-checkers:
ProcessGuard works pro-active and most file-integrity-checkers not.
That is a very important difference !!!
If I myself would have a system on which I could run ProcessGuard, I definitely would do so.
But even then I myself would use file-integrity-checkers, simply because I want to know what is happening on my system with respect to files.
Again, it's all a personal choice (just like adding a registry-integrity-checker in the mix ;)).
=====
Something different:
We talked about ADinf32.
An alternative could be Inspector which comes with KAV Personal Pro.
=====
-{ Quote: "Have you checked out FanJ's description of AdInf? It's grrrreat!
" }-
Thanks Bellgamin !!! :D
=====
-{ Quote: "...and thanks Jan for doing a very nice job!
All interested, please have a look at this (http://www.wilderssecurity.com/showthread.php?t=72131&page=1) extensive review.
regards,
paul" }-
Thanks Paul !!! :D
JBB
May 22nd, 2005, 10:11 PM
Bellgamin,
1) How does LAN64 (used with adinf32) compare with MD5 and SHA ? .. In terms of strength and speed of execution?
2) In terms of Fingerprint does it work on and designed to work on Win XP also?
3) What is the web site for the Fingerprint software?
bellgamin
May 23rd, 2005, 01:40 AM
-{ Quote: "Bellgamin,
1) How does LAN64 (used with adinf32) compare with MD5 and SHA ? .. In terms of strength and speed of execution?" }-MD5 is an algorithm that uses the binary bits of a given file (call it File A) in order to calculate a *value* such that it is a mathematical near-impossibility that ANY other file (such as File B) could yield an identical value -- unless File B were, itself, identical to File A in every respect, down to the bit-by-bit level.
-{ Quote: "The MD5 (Message Digest number 5) value for a file is a 128-bit cryptographic value similar to a checksum. Its additional length (conventional checksums are usually either 16 or 32 bits) means that the possibility of a different or corrupted file having the same MD5 value as the file of interest is drastically reduced.
Because every different file has an effectively unique MD5 value, these values can also be used to track different versions of a file. This value is a highly reliable fingerprint that can be used to verify the integrity of the file's contents. If as little as a single bit value in the file is modified, the MD5 checksum for the file changes.
Forgery of a file in a way that causes MD5 to generate the same result as that for the original file is considered to be extremely difficult. Van Oorschot and Wiener estimate that a collision search machine designed specifically for MD5 (costing $10 million in 1994) could calculate a collision for a given MD5 value in 24 days on average.
" }- Notice that forgery/collision is extremely difficult -- NOT impossible.
There are algorithms that are even HARDER to forge than MD5. SHA-1 is a bit harder than MD5. LAN64 is even harder than SHA-1. And there are algorithms that go well beyond both of these in terms of hardness. With each additional level of hardness, however, comes added cpu time to calculate. For the average home user who doesn't have things like secret Swiss bank accounts, criminal connections, or other disgustingly nasty things to hide, MD5 is more than adequate.
-{ Quote: "2) In terms of Fingerprint does it work on and designed to work on Win XP also?" }-Yes
-{ Quote: "3) What is the web site for the Fingerprint software?" }-Go HERE (http://www.2brightsparks.com/downloads.html) then scroll down to Fingerprint.
diginsight
May 25th, 2005, 12:57 AM
-{ Quote: "Found out that XIntegrity 1.6 (which works also with Win 98 ) does not detect new and deleted files (only detects changes to existing files). You have to get XIntegrity Professional to get the additional feature of detecting new and deleted files. However, XIntegrity Professional will not work on Win 98. So this is an issue for me, since I use a Win 98 PC." }-
I visited the Xintegrity site, but there's no comparison chart between the regular and pro version. I also don't understand their pricing. The Pro version is UK Pound 95 and the regular version UK Pound 24.95, although some download sites list it for $ 24.95. Support is only available via e-mail.
I could locate only one review which wasn't very promising:
"Didn't work for me..." - [snipped] [March 1, 2005] Product Rating: 1/5
For some reason, the software would hang execution part-way through adding files to its database. Not a good sign...
JBB
May 26th, 2005, 01:06 AM
Bellgamin,
I have just one last question, before trying the "FingerPrint" pgm:
1) In addition, to adding specific extensions to scan for,
..... Can you also add a full specific file (or filename) to scan for in a specific directory???
bellgamin
May 27th, 2005, 01:37 AM
-{ Quote: "Bellgamin,
I have just one last question, before trying the "FingerPrint" pgm:
1) In addition, to adding specific extensions to scan for,
..... Can you also add a full specific file (or filename) to scan for in a specific directory???" }-In a word, YES.
In the screenshot below, please note that:
1- You set up a given scan by directory -- at any directory level you desire.
2- You can check or uncheck the block as to whether to include subdirectories & files within the chosen directory.
3- You can specify file extensions to be included or excluded
4- Not shown, but also available for configuration is the ability to specify, one-by-one, the sub-folders & files to be included or excluded within the directory.
In other words, you have almost unlimited ability to configure scans, establish groups of scans, modify scans, delete scans etc etc etc.
By the way, there are several other screens in Fingerprint but I haven't shown them all since this is after all an AdInf thread. I'm gratified that the Mods have been generous in cutting us some slack in this area.
JBB
May 27th, 2005, 03:49 AM
Well I downloaded and tried FingerPrint, but I am having the below problem using FingerPrint v2.1.3, on a Win 98se PC.
Problem:
I can't create a Group Profile because when the Group Profile Screen is displayed on my Win 98 PC, it is missing the 3 buttons on the bottom of the screen for OK, Cancel and Schedule. Since, there is no menu bar on this screen, I can't even click a menu choice for OK.
-- Are you using Vers 2.1.3 of FingerPrint on a Win98 SE PC?. .... If yes, did you ever encounter this problem???
Also strange is the fact that ......
According to screen in help documentation there should be buttons on the bottom of the Main screen (i.e. Run, etc.), but when using Fingerprint on my Win98 pc, I have no such buttons on the bottom of the main screen. Instead I have to go to the menu bar and choose Action, 'Run" to run a profile.
Copyright ©2002 - 2012, Wilders Security Forums