Regarding Documents and Settings\???\start menu\programs\startup

I know that RegDefend doesnt protect the folder Documents and Settings\\start menu\programs\startup , but since it is the only startup which is not protected by this program, I decided to ask in this forum cos I think it would be helpful for RegDefend users. How can I set my Windows in order to dont let a malware add itself in the mentioned startup folder ?

Thanks

 

You have to find another program to protect actual startup folders. The registry isn't capable of protecting these folders as you know.

I use the Access Protection module that comes with my anti virus app, VirusScan 8.0i. Basically I wrote a rule that disallows anything write access to these folders, files from being executed within them, new files from being created inside them, etc. Instead I get a windows prompt saying the folder is inaccessable and it offers to put the object or shortcut onto the desktop. That way I am notified of new start up folder items that may be legit. I keep these folders empty anyway. I usually write a registry entry for start up folder items if I decide I want to use it. Most often it's an unnecessary extra and gets deleted.

There may be other folder access type programs out there that are available. Maybe others here know of some.

 

Programs like Giant/MS-AS and WinPatrol will monitor this location for any changes that may occur.

I'm not sure exactly how dangerous this is from a practical point of view, because with the critical areas of the Registry already protected by RD, I'd have thought there was little malware could do to prevent you from deleting it once you are alerted to a problem. So it should be sufficient to monitor the folder with your realtime AS program.

I don't see things like Giant/MS-AS as unnecessary duplication if you run RD, because they will be covering other items in addition to the Registry. You can always disable the registry protection features to avoid double coverage.

 

The win.ini and system.ini files can also contain entries to be run on startup (and the boot.ini file should also be monitored since it can be used to modify Windows' startup process) along with config.nt and autoexec.nt.

As long as you use a limited account for day-to-day use, then changing the files' NTFS permissions to read-only should suffice to protect them from modification. Otherwise you may wish to consider a file protection utility like File Checker to cover these.

 

The win.ini and system.ini files are also monitored by Giant/MS-AS/CounterSpy (and probably WinPatrol as well)..

But aren't these locations also covered by the RegRun .ghst file in RD?

 

Unless RegDefend has the ability to monitor files as well as registry entries, would this make any difference?

 

I don't know, that's why I'm asking. Presumably that's why you're asking too.

Perhaps someone with a bit more knowledge of these matters than us will kindly explain why the RegRun protection includes those keys when apparently startups from those folders do not affect the Reg key values?