Wilders Security Forums  

  #1  
Old December 28th, 2006, 09:37 AM
spindoctor spindoctor is offline
Regular Poster
 
Join Date: Feb 2006
Posts: 83
Default Who uses system integrity checkers and what areas do you monitor?

Anyone use one or more of the free system integrity checkers around like Watcher, Sentinel, Installspy, Spy-the-spy etc?

I'm wondering if you can advise on what areas/folders you protect with these programs? I'm looking for more than just the most basic areas that many of the programs monitor by default.

I would like to cover as many areas as possible that malware could alter, delete, hide or install into, but I just don't know enough about Windows and malware to figure it out on my own.

Thanks very much for any help.
  #2  
Old December 28th, 2006, 12:25 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,808
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
Originally Posted by spindoctor
Anyone use one or more of the free system integrity checkers around like Watcher, Sentinel, Installspy, Spy-the-spy etc?

I'm wondering if you can advise on what areas/folders you protect with these programs? I'm looking for more than just the most basic areas that many of the programs monitor by default.

I would like to cover as many areas as possible that malware could alter, delete, hide or install into, but I just don't know enough about Windows and malware to figure it out on my own.

Thanks very much for any help.

I was using watcher and it is okay, but it ended up I was watching watcher watch. Not running any more.
  #3  
Old December 28th, 2006, 02:09 PM
Rasheed187 Rasheed187 is offline
Very Frequent Poster
 
Join Date: Jul 2004
Location: The Netherlands
Posts: 1,883
Default Re: Who uses system integrity checkers and what areas do you monitor?

Well, I'm using All-Seeing Eye and File Change Alarm, mainly because they are very easy to operate; I've tried others but they were not that easy to figure out. But I'm more a HIPS kind of a guy anyways, I'm not really into "system integrity checkers".
  #4  
Old December 28th, 2006, 08:51 PM
spindoctor spindoctor is offline
Regular Poster
 
Join Date: Feb 2006
Posts: 83
Default Re: Who uses system integrity checkers and what areas do you monitor?

Thanks for the info guys.

But maybe I wasn't too clear in what exactly I was asking. I would like to know what areas/folders to add to my system integrity checkers.

For example, I believe the system32 folder and program files folder should be monitored and are often some of the default folders that are scanned by many of the system integrity checkers available.

But what other areas in Windows should be added? Are there any other important areas/folders that malware may hide in? Are there just too many areas to realistically add them all to your S.I. checker(s)?

I just want to know as many areas as possible that malware will commonly and not so commonly use to hide in, so I can add them to my S.I. checkers list of files to be scanned.

I'm certainly not relying on only S.I. checkers, but I do want to use them to supplement my anti-malware defenses.

Thanks again.
  #5  
Old December 29th, 2006, 01:11 AM
Devil's Advocate Devil's Advocate is offline
Frequent Poster
 
Join Date: Feb 2006
Posts: 549
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
Originally Posted by Rasheed187
Well, I'm using All-Seeing Eye and File Change Alarm, mainly because they are very easy to operate; I've tried others but they were not that easy to figure out. But I'm more a HIPS kind of a guy anyways, I'm not really into "system integrity checkers".

HIPS can be viewed as realtime "system integrity checkers".
  #6  
Old December 29th, 2006, 01:58 AM
EASTER.2010
 
Posts: n/a
Default Re: Who uses system integrity checkers and what areas do you monitor?

Tiny Watcher & Spy-the-spy are my newcomers. I've been hunting high and low for years just in hopes that some developer would at least create a "free" folder/file Directory Monitor. You'll find .TMP files run as executables and almost always set up camp first in the Local Settings/TEMP sections and I like to know the instant one has landed there. Also of importance, to me anyway, is when a .dll or .ocx or .exe lands in Windows or System 32 Folder; I even prefer to know when Windows is writing to files in those directories.

FileChangeAlarm is a good one for alerting with both a window prompt and audio alarm (wav file of choice) but it becomes cumbersome to me to run more than one instance of it to monitor that folder plus the TEMP one. Plus it is abandonware and no longer developed, leaving it somewhat limited with no support.

For the life of me I still don't understand after all these years why this type of program has been loyally neglected by developers as it has. If there is ever a need to know when something is slipping into these Folder Areas, I can't think of any more importance than perhaps the registry sections.
  #7  
Old January 6th, 2007, 07:21 AM
kubicle kubicle is offline
Infrequent Poster
 
Join Date: Jan 2007
Location: Tokyo
Posts: 9
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
Originally Posted by spindoctor
But what other areas in Windows should be added? Are there any other important areas/folders that malware may hide in? Are there just too many areas to realistically add them all to your S.I. checker(s)?

Hi,
It's been a long time since I read around here to see what people think of watcher (tiny watcher); I often feel like reacting and would do so if I had more spare time...

Spindoctor, this is a very good question. In theory, malware could hide in any directory; so the perfect (or perfectly paranoid) setting would be to scan all your disks...
But most of the time, hopefully, there is no fun for a "malware designer" (sounds like a job title, eh eh) to code a clever behavior for the malware to choose a directory where to install itself. In other words, the easy/lazy choice is always to pick a directory that exists on most machines, like windows or system32; the more crowded the better (to hide it better against human eyes).
Then there is always the possibility for the malware to create a brand new directory (just like polite installers use to do) but its parent directory has to be chosen according to the same rule as above (existing+crowded).

In short, a reasonable choice would be to scan most "common places" like C:\ and the windows system directories. TW does not even scan "c:\Program Files" and I am not sure it would add something to security (for... "behaving malwares"?).
The definition of "Common places" is changing with time; for example these days, what about adding "C:\Program Files\Mozilla Firefox" to the list of common places?
Actually, since scanning for new/changed files is not a 100% guarantee against malware (unless we scan the whole disk), the best is to rely on several types of controls, for example checking the startup points (like registry, browser objects, etc) or the running processes...

Cheers
k
  #8  
Old January 6th, 2007, 07:28 AM
kubicle kubicle is offline
Infrequent Poster
 
Join Date: Jan 2007
Location: Tokyo
Posts: 9
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
Originally Posted by Peter2150
I was using watcher and it is okay, but it ended up I was watching watcher watch. Not running any more.


Hi Peter,
I liked the pun but not sure why you felt this way. Maybe you had enough anti-malware on your system, hence Watcher became useless (and more of a burden since you felt secure enough with your other programs).
Is that so?
  #9  
Old January 6th, 2007, 08:49 AM
EASTER.2010
 
Posts: n/a
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
In short, a reasonable choice would be to scan most "common places" like C:\ and the windows system directories. TW does not even scan "c:\Program Files" and I am not sure it would add something to security (for... "behaving malwares"?).
The definition of "Common places" is changing with time; for example these days, what about adding "C:\Program Files\Mozilla Firefox" to the list of common places?
Actually, since scanning for new/changed files is not a 100% guarantee against malware (unless we scan the whole disk), the best is to rely on several types of controls, for example checking the startup points (like registry, browser objects, etc) or the running processes...

I will say this in all honesty and I'm sure most will agree: how long has it been, or just how many FOLDER watchers for files have really been taken seriously enough to compile & release such a program to cover those areas just mentioned (ie: Program Files).

I know, I know, HIPS monitors most all of those areas, BUT, why in the world hasn't just a little attention been given to a reliable & dependable FOLDERS watcher to ALERT the user the very millisecond some intrusion has landed in one of those Directories?

That's EASTER's biggest beef, I'd just like to see a trustworthy FOLDERS monitor that can pop up some alert, even if a sound or other file is landed and/or being launched in REAL-TIME, which gives us due notice that an entry has just been made, or some other change. FileChangeAlarm does just that but they abandoned it eons ago instead of really ramping up the code for just that type of detection.

I notice C:\Documents and Settings\"NAME"\Local Settings\TEMP is a hotbed for most any activity, especially when installing software.

Good Topic.
  #10  
Old January 6th, 2007, 03:57 PM
spindoctor spindoctor is offline
Regular Poster
 
Join Date: Feb 2006
Posts: 83
Default Re: Who uses system integrity checkers and what areas do you monitor?

Thanks for the info guys.
  #11  
Old January 7th, 2007, 04:39 PM
Ice_Czar Ice_Czar is offline
Frequent Poster
 
Join Date: May 2002
Location: Boulder Colorado
Posts: 696
Default Re: Who uses system integrity checkers and what areas do you monitor?

I checksum and object audit all security exe and dll as well as arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe

(if they haven't been removed\renamed)
__________________
ceterum censeo (in my opinion) Vista delenda est. (Vista must be destroyed)
It's time to switch

Last edited by Ice_Czar : January 7th, 2007 at 04:47 PM.
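
An added example, not part of any post in this thread and not code from the tools named in it: a baseline-and-compare integrity check of the kind kubicle and Ice_Czar describe, hashing every file under chosen folders and then reporting new, changed and removed files. The function names, the extension list and the temporary-directory sample are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# File types the posters want an alert for when they land in a watched folder (assumed list).
ALERT_EXTS = {".exe", ".dll", ".ocx", ".com", ".tmp"}

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(roots):
    """Map each file under the watched roots to its SHA-256 (None if unreadable)."""
    state = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    state[path] = sha256_file(path)
                except OSError:
                    state[path] = None  # locked file: still recorded, never skipped
    return state

def compare(baseline, current):
    """Return sorted (added, changed, removed) paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, changed, removed

def demo():
    with tempfile.TemporaryDirectory() as watched:  # constructed sample folder
        def put(name, data):
            with open(os.path.join(watched, name), "wb") as f:
                f.write(data)
        put("netstat.exe", b"original")
        put("notes.txt", b"x")
        baseline = snapshot([watched])
        put("netstat.exe", b"patched")  # same name, different content
        put("a1b2.TMP", b"MZ")          # new file with an alert-worthy extension
        put("readme.txt", b"y")
        os.remove(os.path.join(watched, "notes.txt"))
        groups = [[os.path.basename(p) for p in g] for g in compare(baseline, snapshot([watched]))]
        alerts = [n for n in groups[0] if os.path.splitext(n)[1].lower() in ALERT_EXTS]
        return {"added": groups[0], "changed": groups[1], "removed": groups[2], "alert": alerts}
```

The baseline is only trustworthy if it is taken on a known-clean system and stored where the monitored machine cannot rewrite it.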
  #12  
Old January 7th, 2007, 09:54 PM
Rilla927 Rilla927 is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 1,620
Default Re: Who uses system integrity checkers and what areas do you monitor?

Quote:
Originally Posted by Ice_Czar
I checksum and object audit all security exe and dll as well as arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe

(if they haven't been removed\renamed)

Wow, this looks complicated.
__________________
~Rilla927~
 

All times are GMT -4. The time now is 04:26 PM.

