Any Tiny Watcher fans around here?

Discussion in 'other anti-malware software' started by Blue Ring, Jul 22, 2007.

Thread Status:
Not open for further replies.
  1. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100
    I was wondering what other people who use the program have added to its default protection settings - e.g. other areas in Windows that you feel should be covered but aren't. Or do you just run it as is without changing/adding anything. Thanks.
     
  2. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I am a long-standing user of TinyWatcher (get it HERE or over YONDER).

    I run TW "as is" but am always open to trying out tweaks recommended by others.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I'm a fan too! :) I have it on 3 PCs. One is run as is. The other two only run their scans on an as needed (IOW, totally manual) basis. In all 3 cases, I have made no changes to the default scan choices...
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also checked it out but I'm afraid that it's not really useful for me, I can't really seem to figure out how I might use this tool to spot a possible malware infection, I just don't have the knowledge. It's not exactly the same, but I prefer a tool called All-Seeing Eye.

    http://www.fortego.com/en/ase.html
     
    Last edited: Jul 23, 2007
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Tiny Watcher (TW) is not at all like All Seeing Eye (ASE). ASE is a real-time poller, more or less in the HIPS family, somewhat akin to WinPatrol. TW is an on-demand file integrity checker, NOT a HIPS.

    There is not much *knowledge* that is needed in order to get an excellent added security layer by using TW. All that TW does is as follows...

    (1) On TW's first run, it makes a hash signature (SHA-1) of certain VERY key files on your computer. NOTE: TW has a default list of *key files* (the files most often subjected to attack by malware), but you can add to or delete from that list if so desired.

    (2) After that initial run, when you have TW do a subsequent scan, it will scan those very same key files, make new hash signatures, & compare those new signatures with the ones it made in its initial scan.

    (3) For any given key file, if there is any difference between the initial signature & the new signature, TW will report that fact to you, the user. Also, when a process executable is seen running for the first time, TW will generate a "new process" alert. TW also signals when two executable files run with the same process name (example: a worm calling itself "explorer.exe" running from c:\).

    (4) It is then UP TO YOU to decide whether to accept the change, or to have TW *try* to revert that file back to its initial state.

    a) Upon being notified that a file has changed (or been added), your decision as to whether to accept that change (or addition) would be based on such things as whether the file relates to something you just installed, updated, uninstalled, etc.

    b) If the change can't be explained by those factors, then you must make the decision based on your own computer know-how &/or research. Places to do research include but are not limited to...

    http://www.processlibrary.com/
    http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx
    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
    http://www.greatis.com/appdata/
    ---- &, of course, Wilders forums is another good place to get help!

    Generally speaking, integrity checkers such as Tiny Watcher are very VERY difficult (but not impossible) for malware to circumvent. Why? Because even the tiniest tiniest change of a file will cause that file's hash signature to change.

    TW only runs when YOU tell it to run. TW can be configured to automatically run-once at certain specified events (such as start-up, reboot, shut-down, etc), or it can be run on-demand. BOTTOM LINE - TW is NOT a real-time monitor.

    TW doesn't "take the place" of any other security software, but it is a bloody doggone good added layer of protection, & it uses bloody doggone tiny little bit of system resources (that's why it's called "tiny") -- so WHY ever not use it, I wonder? ;)
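
The baseline-and-compare procedure from steps (1) to (3) of the post above, plus its same-process-name check, as an added example that is not part of the original post and is not Tiny Watcher's own code. The file names, watch list and process paths are constructed for the demonstration.

```python
import hashlib, os, tempfile
from collections import defaultdict

def sha1_of(path, chunk=65536):
    """SHA-1 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(watch_list):
    """Step 1: record a signature for every watched file that exists."""
    return {p: sha1_of(p) for p in watch_list if os.path.isfile(p)}

def compare(baseline, current):
    """Steps 2-3: re-hash and report anything that differs from the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def same_name_different_path(process_paths):
    """Flag a process name that is running from more than one executable path."""
    by_name = defaultdict(set)
    for p in process_paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        by_name[name].add(p.lower())
    return {n: sorted(ps) for n, ps in by_name.items() if len(ps) > 1}

def demo():
    """Constructed run: one file edited by a single byte, one deleted, one added."""
    with tempfile.TemporaryDirectory() as d:
        names = ("hosts", "winlogon.bin", "boot.ini", "autoexec.bat")
        watch = [os.path.join(d, n) for n in names]
        for p in watch[:3]:                      # autoexec.bat does not exist yet
            with open(p, "wb") as f:
                f.write(b"original " + os.path.basename(p).encode())
        baseline = snapshot(watch)               # first run
        with open(watch[0], "ab") as f:
            f.write(b".")                        # one-byte change to hosts
        os.remove(watch[2])                      # boot.ini disappears
        with open(watch[3], "wb") as f:
            f.write(b"x")                        # watched file appears later
        report = compare(baseline, snapshot(watch))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

The baseline here is only a record of the state at the first run, which is the point raised later in the thread about a first scan made on an already compromised machine.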
     
  6. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    This is exactly what I needed! Have been trying out various HIPS with no success (conflicts, memory probs, etc.) Very similar to HijackThis in that it just shows you what's there...and leaves the decision to the user. Thank you all for bringing this app to my attention. My security set-up is complete and I won't need to try out anything else. rofl
     
  7. interstate ron

    interstate ron Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    65
    Location:
    over the hill from West "By God"
    Thanks Bellgamin for the info. I just put this on and it's nice to see something this informative with no bloat.
     
  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    It scans on boot-up and on-demand, no real-time monitor. It only shows changes made to your system and lets the user decide what action, if any, needs to be taken. Hence my comparison to "HijackThis."
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    As does Sentinel. So you're saying no difference then?
    Maybe someone that has tried both could answer.
     
  11. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    "The RegWatch portion of Sentinel will warn your anti-virus program of programs that are trying to start up using the Registry." That is the real-time monitor that TinyWatcher does not have.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I take issue with your use of the word integrity to describe what TW checks. More accurately, does it not merely check changes to a file, with no regard whatsoever for integrity? If, for example, TW performs its initial scan on a compromised system, subsequent scans showing no changes would not be checking integrity, but simply reconfirming the original compromised state.

    Again, the above is true only if the initial scan is done on a clean machine. Otherwise, malware has circumvented TW from the get-go.

    bellgamin, I agree with you that TW is "a bloody doggone good added layer of protection", but I would describe the product as an on-demand file change checker.
     
  13. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
  14. Coff

    Coff Registered Member

    Joined:
    Oct 29, 2005
    Posts:
    53
    Location:
    UK
    However you class Tiny Watcher, it does what it does and is highly effective and fast. Other fast free checkers are Syslog, FileTrac, and FileMap. Other free ones to consider are PCBaseline and FileCRC.

    Syslog (stand alone program) http://www.softpedia.com/get/System/System-Miscellaneous/Syslog.shtml
    FileTrac (stand alone program, you choose which folders to check) http://soucek.clearwire.net/filetrac.html
    FileMap http://www.softpedia.com/get/System/System-Miscellaneous/FileMap-by-BB.shtml
    pcBaseline (free, but registration required) http://www.softpedia.com/get/System/System-Info/pcBaseline.shtml
    FileCRC (command line, you choose which folders to check) http://www.enigmaticsoftware.com/filecrc/index.html
     
  15. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Always happy to pass by and see TW is still useful.

    Bellgamin, thanks for your accurate description of TW. Only point I need to correct is about below:
    TW cannot revert a file - I would love it but this would change the program into a resource hog, by keeping a copy of each scanned file for making a later revert possible (note that this is what Windows is already doing when it keeps a copy of many system files to restore them automatically if they get deleted).

    Also, I agree with Page42's comment: if the first scan occurs on a corrupted machine, this will be the reference for future scans. This is said in TW's documentation. Checking files' "integrity" by using a database would require frequent updates of this DB, something that freeware can rarely offer.
    I thought a bit about a collaborative way to update this file base - some websites offer such a service but I am not sure if file checkers exist with this feature. For example if 2000 TW around the World got the same checksum for a given XP file, then this file can probably be considered as OK...
    You can see that this would get quickly complex:
    - needs update of a collective DB from each running TW (this uses local resources)
    - this brings privacy concerns from people who don't like their disk scan to be stored somewhere (I am one of those)
    - needs a generous host for the DB (again, this is a freeware)
    - what if many TW machines have the same version of an infected file?
    - etc.

    Always amazed by the quality of the posts I read on this forum.
    Cheers guys
    Olivier
     
  16. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Just thought again about one of the biggest defects of TW: using it together with Windows auto update turned on is a nightmare. TW keeps on signaling the zillions of files updated by Windows. After a while I got sick of it and stopped reading the list of updated files; I was just confirming everything...
    I wonder if people will think I am crazy but I turned off the auto update after another problem with my system (my CD burner had stopped working). I reinstalled XP SP2 since then, turned off the auto updates, and my life is simpler since.
    Anybody in the same case?
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I build an up-to-date XP CD and then I only do manual updates of critical stuff.
    TW is great :)
     
  18. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100

    I always thought the difference was Sentinel just uses your AV to scan the changes, where Tiny Watcher detects the changes and allows you to delete the files you don't want. So TW is more of an expert tool where Sentinel is better suited for beginners imo.

    Though I don't see how Sentinel can really help that much if you already have a resident AV, because that should already notice any changes.

    I prefer TW myself, after having tried both programs.
     
  19. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    kubicle: Thanks for the great program!!! :)

    As for the list of files after a Windows Update... I guess everyone is different. I like seeing the list! It helps show me where MS has placed all the new "stuff".

    A collaborative database would be nice but as you point out, it would not be something easy to pull off. Add to that one person's treasure is another's junk. A file considered safe on another's PC might still be unwelcome on mine.

    Bottom line is that making TW much better would be very tough to do...
     
  20. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    thank you all!! :D
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Kubicle - Thank you for your superb Tiny Watcher. I do hope that you will visit here often.

    aloha from Hawaii... bellgamin
     
  22. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    :D will do!
    domo arigatou from Tokyo
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Meanwhile, back at the topic...

    I just added the following "custom" registry items to TinyWatcher. I THINK they're pretty good, but I hope Kees or hojtsy or some of the other registry gurus around here will comment on them.

    I listed the registry items as a quote because I wanted to make them a bit easier to read. By the way, the asterisk at the ends of registry keys, & other formatting aspects, are those required by TinyWatcher's syntax.

     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    A few weeks late bellgamin as only getting around to Tiny Watcher configging again, but after noticing wanted to pass along my thanks for posting the extra "custom" registry items above. Nifty little scanner I set up on ALL my (and others) snapshots or installs and helps keep an eye on occasional changes.

    kubicle :thumb: Good & useful effort, Thanks.
     
  25. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I found this most handy after reformatting to monitor all changes made right from the start. Thanx indeed!!!
     