Identifying threats in RegistryProt

Discussion in 'other anti-malware software' started by tepi, Dec 8, 2003.

Thread Status:
Not open for further replies.
  1. tepi

    tepi Registered Member

    Joined:
    Nov 12, 2003
    Posts:
    81
    Hello All:

    At http://www.diamondcs.com.au/index.php?page=regprot
    we are shown some screen shots of RegistryProt in action. In the first of these it is shown detecting a nasty which seems to be called uabmruua.exe. Beneath the screen shot we are told: "The above picture is a screenshot of an actual SubSeven infection, as detected by RegistryProt." Forgive my ignorance, but the question that's puzzled me for a long time is - how do we know that uabmruua.exe is a nasty? How do we learn to distinguish between safe and dangerous registry modifications? o_O Is there a list anywhere that we could check modifications against? My apologies in advance if this question has already been treated in another thread, and thanks to everyone for your past help to this newbie.

    Regards
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    You may not always be able to without a good deal of research. However, the main use I see for these types of tools is to alert you to the unexpected change.

    What I mean is this... RegProt monitors a specific set of startup related run keys. These keys should not normally be changing on your system (at least not frequently) unless you do something to cause a change or the addition of a new startup key.

    When you install a new piece of software which has a resident module or something similar, then you'd expect to see an alert from RegProt either at install time or while configuring the product to auto-start at boot. RegProt is a good confirmation tool under these circumstances.

    But, if you aren't installing anything or modifying the startup options on your system or in any application, and suddenly you get an alert from RegProt that something has tried to add itself to your startup - that's the time to get on your guard and start doing research. In many cases, this could very well be malware related, so it's good to get suspicious and research it.

    There will be some legitimate applications attempting to add keys you really don't want in startup, as well. On my system, Microsoft Word tries to add an auto-upgrade key (wkdetect.exe) every time I start it. I kill it every time with RegProt, but I'm still looking for a way to keep Word from doing it in the first place.

    Not really. Though pacs-portal may be a good starting place. If you find the expanded name of the EXE being added, you can then use that to try to get more information on the item. You can in fact find the one I hate, wkdetect.exe, on that page.
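The approach LowWaterMark describes above (a fixed set of startup keys, an alert on any change, and "expected" versus "go research it" depending on whether you just installed something) can be reproduced as a baseline-and-diff script. The following is an added example written for this thread; it is not RegistryProt's code, and the set of Run/RunOnce keys it watches is an assumption, since the thread does not list exactly which keys RegistryProt covers. It reads `.reg` export text (what Regedit's "Export" or `reg export` produces) so it runs offline on any OS; the two snapshots at the bottom are constructed sample data and the file paths in them are invented. The `image` helper pulls out the bare EXE name (e.g. `wkdetect.exe`), which is the string you would look up on a startup-programs list such as the one linked above.

```python
"""Baseline-and-diff check over Windows startup (Run) keys, from .reg export text.

Added example for the thread; not RegistryProt's code.  Watched keys, parsing
rules and sample snapshots are assumptions / constructed data.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Autostart keys to watch (assumed set; the thread does not list RegistryProt's exact coverage).
WATCHED_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unescape(s: str) -> str:
    """Undo .reg quoting: \\\\ -> \\ and \\" -> " inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg export text into {key_path: {value_name: data}}.
    Only REG_SZ ("...") data is unescaped; other types are kept verbatim and
    hex continuation lines are ignored (we only care about command lines)."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if (m := _KEY_RE.fullmatch(line)):
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if (m := _VALUE_RE.fullmatch(line)):
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


@dataclass(frozen=True)
class Change:
    key: str
    name: str
    old: str | None  # None when the value was not in the baseline
    new: str | None  # None when the value was removed

    @property
    def kind(self) -> str:
        return "added" if self.old is None else "removed" if self.new is None else "modified"

    @property
    def image(self) -> str:
        """Bare executable name from the command line, e.g. 'wkdetect.exe'.
        Handles quoted paths and unquoted paths containing spaces."""
        cmd = self.new if self.new is not None else (self.old or "")
        m = re.match(r'\s*"([^"]*)"', cmd) or re.match(
            r"\s*(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else (cmd.split() or [""])[0]
        return ntpath.basename(path).lower()


def diff_startup_keys(baseline, current, watched=WATCHED_KEYS) -> list[Change]:
    """Every value under a watched key that was added, removed or changed."""
    changes: list[Change] = []
    for key in sorted(watched):
        old_vals, new_vals = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            o, n = old_vals.get(name), new_vals.get(name)
            if o != n:
                changes.append(Change(key, name, o, n))
    return changes


def triage(changes, expected_images=frozenset()) -> dict[str, str]:
    """'expected' if you just installed/enabled that program, else 'investigate'."""
    return {f"{c.kind}:{c.name}": ("expected" if c.image in expected_images else "investigate")
            for c in changes}


# Constructed sample snapshots (paths invented); wkdetect.exe and uabmruua.exe are the names from the thread.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\soundtray.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\WINDOWS\\Temp\\soundtray.exe /silent"
"uabmruua"="C:\\WINDOWS\\uabmruua.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"wkdetect"="C:\\Program Files\\Microsoft Works\\wkdetect.exe"
'''

if __name__ == "__main__":
    found = diff_startup_keys(parse_reg_export(BASELINE), parse_reg_export(CURRENT))
    verdicts = triage(found, {"wkdetect.exe"})  # Word was just started, so wkdetect is expected
    for c in found:
        print(f"{c.kind:8} {c.image:14} {verdicts[f'{c.kind}:{c.name}']:11} {c.key}\\{c.name}")
```

Run it once after a clean install to save the baseline export, then diff each later export against it; anything that comes back as `investigate` when you have not installed or reconfigured anything is exactly the case the post above says to treat with suspicion, and a value whose path moved (the `modified` row here) deserves the same attention as a brand-new one.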
     
  3. tepi

    tepi Registered Member

    Joined:
    Nov 12, 2003
    Posts:
    81
    Hello LWM:

    Thank you for your very full and informative post, and for the link. All is becoming clearer. I'll head for that link right now.

    Regards.
     