Any Tiny Watcher fans around here?

Discussion in 'other anti-malware software' started by Blue Ring, Jul 22, 2007.

Thread Status:
Not open for further replies.
  1. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100
    I was wondering what other people who use the program have added to its default protection settings - e.g. other areas in Windows that you feel should be covered but aren't. Or do you just run it as is without changing/adding anything. Thanks.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I am a long-standing user of TinyWatcher (get it HERE or over YONDER).

    I run TW "as is" but am always open to trying out tweaks recommended by others.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'm a fan too! :) I have it on 3 PCs. One is ran as is. The other two only run their scans on an as needed (IOW, totally manual) basis. In all 3 cases, I have made no changes to the default scan choices...
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I also checked it out but I´m afraid that it´s not really useful for me, I can´t really seem to figure out how I might use this tool to spot a possible malware infection, I just don´t have the knowledge. It´s not exactly the same, but I prefer a tool called All-Seeing Eye.

    http://www.fortego.com/en/ase.html
     
    Last edited: Jul 23, 2007
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Tiny Watcher (TW) is not at all like All Seeing Eye (ASE). ASE is a real-time poller, more or less in the HIPS family, somewhat akin to WinPatrol. TW is an on-demand file integrity checker, NOT a HIPS.

    There is not much *knowledge* that is needed in order to get an excellent added security layer by using TW. All that TW does is as follows...

    (1) On TW's first run, it makes a hash signature (SHA-1) of certain VERY key files on your computer. NOTE: TW has a default list of *key files* (the files most often subjected to attack by malware), but you can add to or delete from that list if so desired.

    (2) After that initial run, when you have TW do a subsequent scan, it will scan those very same key files, make new hash signatures, & compare those new signatures with the ones it made in its initial scan.

    (3) For any given key file, if there is any difference between the initial signature & the new signature, TW will report that fact to you, the user. Also, when a process executable is seen running for the first time, TW will generate a "new process" alert. TW also signals when two executable files run with the same process name (example: a worm calling itself "explorer.exe" running from c:\).

    (4) It is then UP TO YOU to decide whether to accept the change, or to have TW *try* to revert that file back to its initial state.

    a) Upon being notified that a file has changed (or been added), your decision as to whether to accept that change (or addition) would be based on such things as whether the file relates to something you just installed, updated, uninstalled, etc.

    b) If the change can't be explained by those factors, then you must make the decision based on your own computer know-how &/or research. Places to do research include but are not limited to...

    http://www.processlibrary.com/
    http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx
    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
    http://www.greatis.com/appdata/
    ---- &, of course, Wilders forums is another good place to get help!

    Generally speaking, integrity checkers such as Tiny Watcher are very VERY difficult (but not impossible) for malware to circumvent. Why? Because even the tiniest tinest change of a file will cause that file's hash signature to change.

    TW only runs when YOU tell it to run. TW can be configured to automatically run-once at certain specified events (such as start-up, reboot, shut-down, etc), or it can be run on-demand. BOTTOM LINE - TW is NOT a real-time monitor.

    TW doesn't "take the place" of any other security software, but it is a bloody doggone good added layer of protection, & it uses bloody doggone tiny little bit of system resources (that's why it's called "tiny") -- so WHY ever not use it, I wonder? ;)
     
  6. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    This is exactly what I needed! Have been trying out various HIPS with no success (conflicts, memory probs, etc.) Very similar to HijackThis in that it just shows you what's there...and leaves the decision to the user. Thank you all for bringing this app to my attention. My security set-up is complete and I won't need to try out anything else. rofl
     
  7. interstate ron

    interstate ron Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    65
    Location:
    over the hill from West "By God"
    Thanks Bellgamin for the info. I just put this on and it's nice to see something this informative with no bloat.
     
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    It scans on boot-up and on-demand, no real-time monitor. It only shows changes made to your system and lets the user decide what action, if any, needs to be taken. Hence my comparison to "HijackThis."
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    As does Sentinal.So your saying no differance then?
    Maybe someone that has tried both could answer.
     
  11. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    "The RegWatch portion of Sentinel will warn your anti-virus program of programs that are trying to start up using the Registry." That is the real-time monitor that TinyWatcher does not have.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I take issue with your use of the word integrity to describe what TW checks. More accurately, does it not merely check changes to a file, with no regard whatsoever for integrity? If, for example, TW performs its initial scan on a compromised system, subsequent scans showing no changes would not be checking integrity, but simply reconfirming the original compromised state.

    Again, the above is true only if the initial scan is done on a clean machine. Otherwise, malware has circumvented TW from the get-go.

    bellgamin, I agree with you that TW is "a bloody doggone good added layer of protection", but I would describe the product as an on-demand file change checker.
     
  13. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
  14. Coff

    Coff Registered Member

    Joined:
    Oct 29, 2005
    Posts:
    53
    Location:
    UK
    However you class Tiny Watcher, it does what it does and is highly effective and fast. Other fast free checkers are Syslog, FileTrac, and FileMap. Other free ones to consider are PCBaseline and FileCRC.

    Syslog (stand alone program) http://www.softpedia.com/get/System/System-Miscellaneous/Syslog.shtml
    FileTrac (stand alone program, you choose which folders to check) http://soucek.clearwire.net/filetrac.html
    FileMap http://www.softpedia.com/get/System/System-Miscellaneous/FileMap-by-BB.shtml
    pcBaseline (free, but registration required) http://www.softpedia.com/get/System/System-Info/pcBaseline.shtml
    FileCRC (command line, you chooose which folders to check) http://www.enigmaticsoftware.com/filecrc/index.html
     
  15. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    9
    Location:
    Tokyo
    Always happy to pass by and see TW is still useful.

    Bellgamin, thanks for your accurate description of TW. Only point I need to correct is about below:
    TW cannot revert a file - I would love it but this would change the program in a resource hog, by keeping a copy of each scanned file for making a later revert possible (note that this is what Windows is already doing when it keeps a copy of many system files to restore them automatically if they get deleted).

    Also, I agree with Page42's comment: if the first scan occurs on a corrupted machine, this will be the reference for future scans. This is said in TW's documentation. Checking files' "integrity" by using a database would require frequent updates of this DB, thing that a freeware can rarely offer.
    I thought a bit about a collaborative way to update this file base - some websites offer such a service but I am not sure if file checkers exist with this feature. For example if 2000 TW around the World got the same checksum for a given XP file, then this file can probably be considered as OK...
    You can see that this would get quickly complex:
    - needs update of a collective DB from each running TW (this uses local resources)
    - this bring privacy concerns from people who don't like their disk scan to be stored somewhere (I am one of those)
    - needs a generous host for the DB (again, this is a freeware)
    - what if many TW machines have the same version of an infected file?
    - etc.

    Always amazed by the quality of the posts I read on this forum.
    Cheers guys
    Olivier
     
  16. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    9
    Location:
    Tokyo
    Just thought again about one of the biggest defect of TW: using it together with Windows auto update turned on is a nightmare. TW keeps on signaling the zillions files updated by Windows. After a while I got sick of it and stopped reading the list of updated files; I was just confirming everything...
    I wonder if people will think I am crazy but I turned off the auto update after another problem with my system (my CD burner had stopped working). I reinstalled XP SP2 since then, turned off the auto updates, and my life is simpler since.
    Anybody in the same case?
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I build an up-to-date XP CD and then I only do manual updates of critical stuff.
    TW is great :)
     
  18. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100

    I always thought the difference was Sentinel just uses your AV to scan the changes, where Tiny Watcher detects the changes and allows you to delete the files you don't want. So TW is more of an expert tool where Sentinel is better suited for beginners imo.

    Though I don't see how Sentinel can really help that much if you already have a resident AV, because that should already notice any changes.

    I prefer TW myself, after having tried both programs.
     
  19. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    kubicle: Thanks for the great program!!! :)

    As for the list of files after a Windows Update... I guess everyone is different. I like seeing the list! It helps show me where MS has placed all the new "stuff".

    A collaborative database would be nice but as you point out, it would not be something easy to pull off. Add to that one person's treasure is another's junk. A file considered safe on another's PC might still be unwelcome on mine.

    Bottom line is that making TW much better would be very tough to do...
     
  20. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    9
    Location:
    Tokyo
    thank you all!! :D
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @Kubicle - Thank you for your superb Tiny Watcher. I do hope that you will visit here often.

    aloha from Hawaii... bellgamin
     
  22. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    9
    Location:
    Tokyo
    :D will do!
    domo arigatou from Tokyo
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Meanwhile, back at the topic...

    I just added the following "custom" registry items to TinyWatcher. I THINK they're pretty good, but I hope Kees or hojtsy or some of the other registry gurus around here will comment on them.

    I listed the registry items as a quote because I wanted to make them a bit easier to read. By the way, the asterisk at the ends of registry keys, & other formatting aspects, are those required by TinyWatcher's syntax.

     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    A few weeks late bellgamin as only getting around to Tiny Watcher configging again, but after noticing wanted to pass along my thanks for posting the extra "custom" registry items above. Nifty little scanner i set up on ALL my (and others) snapshots or installs and helps keep an eye on occasional changes.

    kubicle :thumb: Good & useful effort, Thanks.
     
  25. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I found this most handy after re4matting to monitor all changes made right from the start.Thanx indeed!!!
     
Loading...
Similar Threads
  1. taleblou
    Replies:
    0
    Views:
    212
Thread Status:
Not open for further replies.