Is this the same easter that was involved in all the old rootkit debates of the past? If so, he knows what he is talking about. Maybe fileless malware that hides its registry entries like Poweliks? UAC won't work. How about Enhanced Protected Mode for IE?
AFAIK, unless a new EASTER surfaces someplace in here, he is the same "old rootkit debate and alert on everything until a rule is made" easter.
After all, so many "easter" posters to keep up with. Surely the one suffices...
It's a little dated, but as @boredog has touched on, this is an avenue that I'm currently digging a bit deeper into myself. If it's of any use to anyone else: http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/
Thank you (I'm the developer). Dedicated thread here: https://www.wilderssecurity.com/posts/2497147/
@Kyle_Katarn I noticed it is signed now. One small observation: I would prefer to auto-start it from HKLM\Run.
Zemana and SpyShelter are still alive and have been around since 2008. They were smart to add anti-logger functions, and to give an option to turn the HIPS part off. But the problem is that the home user HIPS market is a very small one, so no wonder a lot of HIPS died.
All my products and installers are now signed (using MassCert: http://www.kcsoftwares.com/?masscert ). Regarding use of HKLM: the suggestion has been added here: http://www.kcsoftwares.com/bugs/view.php?id=2880
These are few and far between to pin down sometimes, but there are a few (not talked about much) nice registry scanners here and there. Hidden Keys: Registry Finder supports searching so-called hidden registry keys. These are the keys with the null character in the name. Such keys cannot be created, deleted, modified or viewed by the standard Windows API, so they are not accessible by regedit and most other registry editors. http://registry-finder.com/
Not sure again if this program has been covered here, but the author does an eval of Poweliks using his tools. http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/ At the bottom of the page is the link to all his programs. http://www.kahusecurity.com/tools/
Thanks. I don't want to over-ask an already excellent free program, but would it be possible to run it in two modes? One mode would be "all", the other would be "UAC enabled". In UAC mode it would only guard HKCU autorun entries. Regards, Kees
I'm on the same page with that. Many of us miss GesWall, but hopefully over time something similar will surprise us when an even better new app like it is introduced.
@ArchiveX @bellgamin @Peter2150 @WildByDesign Why is a separate registry monitor useful? Have a look at what SANS has to say about it: http://www.sans.org/reading-room/whitepapers/malicious/utilizing-autoruns-catch-malware-33383

When you run a medium-integrity process like Word or Firefox, it has access to HKCU autorun entries. These applications run rich content (Python script, Visual Basic script, JavaScript, XML, XUL, etc.), so an anti-executable would not prevent that, because the anti-executable allows the program interpreting this scripted content to run (Word, Firefox, PDF reader, etc.).

Using Sandboxie protects you only when sandboxing applications. When you save data outside the sandbox (e.g. an image, music, movie or office document) and run that application (e.g. Word) unsandboxed, you are unprotected as well. So only when you run all your user applications in (persistent) sandboxes are you protected by Sandboxie.

Most antivirus products scan changes in autorun entries (AVG, ESET, F-Secure, KIS, WSA, etc.); because it is such a suspicious action, most HIPS and behavioral protection modules of AVs will block autorun changes from executables with unknown reputation. All decent 64-bit HIPS should have autorun protection.

Do I need separate HKCU autorun protection when I have a:
- Anti-Executable: 100% YES
- Application Virtualization (e.g. Sandboxie): 60% YES, 40% NO
  a) NO when you run all applications in persistent sandboxes (like Sully or Bo)
  b) YES in all other situations
- Anti-virus: 40% YES, 60% NO. Most antivirus products include a behavioral component that monitors autorun changes; ask the support forum of your AV.
- HIPS: 100% NO

When your (layered) protection lacks a USER (or HKCU) autorun protection, I would advise adding StartupSentinel (installer only 1.28 MB).
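As an added illustration of the "separate autorun monitor" idea above (example code written for this thread, not Startup Sentinel's or any poster's code), this script snapshots the HKCU and HKLM Run/RunOnce values, stores a baseline on first run, and on later runs reports anything added, modified or removed. The baseline path under $env:LOCALAPPDATA is an assumption; for a real deployment it would live somewhere a medium-integrity process cannot rewrite.

```powershell
# Added example: baseline-and-diff monitor for the common autorun keys.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds on its own; they are not registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunSnapshot {
    $snap = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            $snap["$key\$($p.Name)"] = [string]$p.Value   # "key\valuename" -> command line
        }
    }
    return $snap
}

function Compare-AutorunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Added';    Entry = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Value = $Current[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Removed';  Entry = $k; Value = $Baseline[$k] }
        }
    }
    return $findings
}

$BaselinePath = Join-Path $env:LOCALAPPDATA 'autorun-baseline.json'   # assumed location
$current = Get-AutorunSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
} else {
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    Compare-AutorunSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
}
```

Run it from an elevated scheduled task so the HKLM keys are readable and the baseline file is outside the reach of the medium-integrity applications the post describes.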
For info, I'll add in the next version of Startup Sentinel an (optional) email notification module, in order to be able to "track" attacks on remote computers (servers, ...).
One option, which I'm sure you know of, is to remove rights on the HKCU autorun registry keys and leave them only for Administrators. That way you get UAC protection against modifying those entries.