Monitor installation process

Discussion in 'other anti-trojan software' started by Reve_Etrange, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    I download quite a few freewares/sharewares, and I would be more comfortable if there were some kind of program to monitor what is really going on when I double-click on setup.exe -- like, all the files created, the regkeys added, and so on. I do have ProcessGuard paid, so I get a chance to see if another exe is called or if the setup exe tries to install some driver/service, but I do not have the full picture. I've heard of progs like uninstall pros that take a snapshot of virtually everything before installing something, but this is a really ugly solution to me (let alone that it takes ages to do such snapshots). I believe a HD/FS interception strategy would be much more reliable.
    Does such a monitoring tool exist, for winXP ?
    If I recall correctly, netware had such a thing for network installation setup -- so it's definitely doable.

    -RE
     
  2. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Tiny has this option to monitor the files created and registry entries and delete them.

    There was another freeware program which took a snap shot of registry and files on the system before the installation and after the installation. It was a bit of the pain in the a** waiting for the snap shot to finish. Will let you know if I recall the name of the program.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  4. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    TY for the replies. Actually snapshot-based solutions, freeware or not, are not what I am looking for. I've seen threads on sandbox strategies (eg. sandboxie, shadowuser...), and this is more like what I want -- though I don't need a real sandbox, only the "write routines" interception/hooks and a status report when the installation process is done. I don't necessarily want to block, I just want to know.

    -RE
     
  5. AsianTiger

    AsianTiger Guest

    Take a look at installwatch @ http://www.epsilonsquared.com/

    Be sure to leave me positive feedback if this is what you want... oh right that's ebay. lol

    AsianTiger
     
  6. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    I already knew this one, and it crashes before completing the 1st scan (and it already takes a looooong time to do that). Scanning the whole box doesn't seem practical on a 200GB DD. The trashit, TU and others all work on the same paradigm. The only (sensible) alternative would be real sandboxes, ala sandboxie, greenborder and co. A bit too heavyweight for my purposes (let alone that sandboxie has pbs with sandboxing installers that install low-level hooks/drivers....). Some people have also tried to repackage some installers into MSI installers with wininstall, so as to get full logs. Dunno if it's practical either.

    -RE
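
The before/after snapshot approach discussed in the posts above, limited to a list of chosen directories rather than the whole disk, as an added example that is not part of any post or of any tool named in this thread. It covers files only (no registry), and the `snapshot`, `diff` and `demo` names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(roots):
    """Map every file path under the given roots to (size, sha256 hex)."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digest, size = hashlib.sha256(), 0
                    with open(path, "rb") as fh:
                        for chunk in iter(lambda: fh.read(1 << 20), b""):
                            digest.update(chunk)
                            size += len(chunk)
                    state[path] = (size, digest.hexdigest())
                except OSError:
                    # Locked or vanished file: keep it visible as "unreadable".
                    state[path] = None
    return state


def diff(before, after):
    """Compare two snapshots and list created, modified and deleted paths."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after
                           if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }


def demo():
    """Constructed stand-in for an installer run inside a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.dll", b"v1"), ("b.ini", b"x=1"), ("c.tmp", b"t")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot([root])
        with open(os.path.join(root, "new.exe"), "wb") as fh:   # file dropped
            fh.write(b"MZ")
        with open(os.path.join(root, "b.ini"), "wb") as fh:     # file changed
            fh.write(b"x=2")
        os.remove(os.path.join(root, "c.tmp"))                  # file removed
        report = diff(before, snapshot([root]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

Anything the installer writes outside the listed roots is not seen, which is the trade-off against the write-interception approach asked for in the thread.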
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  8. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
  9. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    TY, but it seems to be a browser-security tool with some processguard-like feature, and I already got what I need on that side. It doesn't work with Opera either, which is my default browser. TY anyway.

    -RE
     
  10. clipshow

    clipshow Guest

    Norton Goback can do that. It has a feature called Safe Try Mode that will allow you to test any new software in complete safety, and if you then don't want it you can completely remove it.
     
  11. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    TY for pointing Goback out. Actually it is the "Norton" part that makes me cringe ;-) I simply do not trust their products, for different reasons. I checked out some recent user reviews and it confirmed my suspicions. Though the safe try mode sounds nice, I don't imperatively need to be able to revert an installation automatically; just knowing what happens during the installation would be good enough, for a start.

    -RE
     
  12. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    InCtrl5 ? (IIRC it was a PCMag utility; I used to use it and it did what you're asking for. Haven't used it since I upgraded to XP though.)

    Edit : found it again here : http://www.pcmag.com/article2/0,1895,1655158,00.asp
    It's NOT for XP, only 98, 2000, ME acc. to PCMag.
     
  13. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    Right, I'm on XP, hopefully.
    Actually only two programs got my attention so far: sandboxie and shadowuser. The latter is expectedly better, but more, er, "intrusive". Like, if it goes haywire, it's gonna screw your box big time. I'm also concerned about being able to make drive images with Acronis stuff and co. OTOH, sandboxie is simple and light, but one has to fish into its special mock-up folder to see what has been done. Well, I'm still looking for alternatives....

    -RE
     
  14. ``1100``

    ``1100`` Guest

    InControl will work with XP
     
  15. J at A

    J at A Guest

    As for file-changes, you might have a look at ADinf32.
    See following thread with some info:
    https://www.wilderssecurity.com/showthread.php?t=72131

    As for reg-entry changes: maybe RegDefend and/or RegRun for the most important parts of the Reg.

    Cheers, Jan.
     
  16. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    I've been trialing RegDefend for about a week and I will possibly buy it.
    As for ADinf32, while it could probably do the job like the other tripwire-like softs mentioned, scanning the whole machine more frequently than once a month is too big a hassle for me (and my HD).

    -RE
     
  17. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    I have a couple of virus/trojans which I use to test security programs and when testing with Online Armor, using the "Track" option, I was not only able to see the .tmp files and the Registry entries made but an .exe file in system32 dropped during the installation. At the time I was in a 'sandbox' (Raxco First Defense) and also had Process Guard monitoring the install and the subsequent activities. When I'd had enough of this test, I used OA to stop the overall functioning of the trojan and then to also remove the .tmp files and registry entries. The .exe files were listed but not deleted by OA, however I just used explorer to get the one out of system32. I kept the 'original' for testing other security apps.
    So, OA may be what you want. It tracks anything you ask it to, good, bad or unknown.... and helps remove them.

    Jim
     
  18. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    Their site is not explicit enough on how this feature works. It really seems to me like I already got 95% of OA features covered.
    Lately I've been playing with BufferZone, and it's pretty nice, even if it's still beta. The product is still under development (though the bulk of the work is done) so there's room for adding what I would like to have.
    BTW First Defense seems like a very nice toy, but I cannot install it as non-english versions of windows are not supported :-(

    -RE
     