Regarding Documents and Settings\???\start menu\programs\startup

Discussion in 'Ghost Security Suite (GSS)' started by Guzz, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. Guzz

    Guzz Registered Member

    Joined:
    Dec 16, 2004
    Posts:
    13
    I know that RegDefend doesn't protect the folder Documents and Settings\o_O\start menu\programs\startup, but since it is the only startup location which is not protected by this program, I decided to ask in this forum because I think it would be helpful for RegDefend users. How can I set up my Windows so that it doesn't let malware add itself to the mentioned startup folder?

    Thanks
     
  2. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    You have to find another program to protect actual startup folders. The registry isn't capable of protecting these folders as you know.

    I use the Access Protection module that comes with my antivirus app, VirusScan 8.0i. Basically I wrote a rule that disallows anything write access to these folders, files from being executed within them, new files from being created inside them, etc. Instead I get a Windows prompt saying the folder is inaccessible and it offers to put the object or shortcut onto the desktop. That way I am notified of new startup folder items that may be legit. I keep these folders empty anyway. I usually write a registry entry for startup folder items if I decide I want to use it. Most often it's an unnecessary extra and gets deleted.

    There may be other folder access type programs out there that are available. Maybe others here know of some.
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Programs like Giant/MS-AS and WinPatrol will monitor this location for any changes that may occur.

    I'm not sure exactly how dangerous this is from a practical point of view, because with the critical areas of the Registry already protected by RD, I'd have thought there was little malware could do to prevent you from deleting it once you are alerted to a problem. So it should be sufficient to monitor the folder with your realtime AS program.

    I don't see things like Giant/MS-AS as unnecessary duplication if you run RD, because they will be covering other items in addition to the Registry. You can always disable the registry protection features to avoid double coverage.
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The win.ini and system.ini files can also contain entries to be run on startup (and the boot.ini file should also be monitored since it can be used to modify Windows' startup process) along with config.nt and autoexec.nt.

    As long as you use a limited account for day-to-day use, then changing the files' NTFS permissions to read-only should suffice to protect them from modification. Otherwise you may wish to consider a file protection utility like File Checker to cover these.
     
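As an added example that is not part of this thread, the following PowerShell script performs the check that rickontheweb's and Paranoid2000's posts imply: it lists what is in both Startup folders, which identities are allowed to add items to them, and any load=/run=/shell= lines in win.ini and system.ini, and it provides an optional function that adds the deny-write ACE. It assumes a current Windows with PowerShell 5.1 or later on NTFS; the function names and the BUILTIN\Users identity are my own choices, not anything from the thread.

```powershell
# Added example (not from the thread): audit the startup locations discussed
# above and optionally deny adding items to one of them.
# Assumes Windows PowerShell 5.1+ on NTFS.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # <profile>\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')  # All Users\Start Menu\Programs\Startup
)

# Rights that let a process drop a new shortcut or executable into the folder.
$rights  = [System.Security.AccessControl.FileSystemRights]
$addMask = [int]($rights::CreateFiles -bor $rights::AppendData -bor $rights::Write -bor
                 $rights::Modify -bor $rights::FullControl)

function Get-StartupAudit {
    foreach ($dir in $startupDirs) {
        "== $dir"
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            ForEach-Object { "  item: $($_.Name)  (modified $($_.LastWriteTime))" }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            # Generic rights on inherited CREATOR OWNER entries are not decoded here.
            if ($ace.AccessControlType -eq 'Allow' -and
                (([int]$ace.FileSystemRights) -band $addMask)) {
                "  can add items: $($ace.IdentityReference)"
            }
        }
    }
    # load= / run= in win.ini and shell= in system.ini also launch programs at logon.
    foreach ($ini in @("$env:windir\win.ini", "$env:windir\system.ini")) {
        if (Test-Path -LiteralPath $ini) {
            Select-String -LiteralPath $ini -Pattern '^\s*(load|run|shell)\s*=' |
                ForEach-Object { "$ini : $($_.Line.Trim())" }
        }
    }
}

function Deny-StartupAdd {
    # Adds a Deny ACE so $identity cannot create files or subfolders in $dir.
    # Caveat: anything running as the folder's owner can remove the ACE again, so
    # this only holds against malware when the folder is owned by Administrators
    # and day-to-day work is done from a limited account (Paranoid2000's point).
    # Undo with:  icacls "$dir" /remove:d "$identity"
    param([string]$dir, [string]$identity)
    $acl  = Get-Acl -LiteralPath $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'CreateFiles, AppendData', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $dir -AclObject $acl
}

Get-StartupAudit
# Example (run elevated): Deny-StartupAdd $startupDirs[1] 'BUILTIN\Users'
```

Note that a Deny ACE for BUILTIN\Users also applies to administrators while they are members of that group, so the all-users folder then has to be maintained by removing the ACE temporarily.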
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The win.ini and system.ini files are also monitored by Giant/MS-AS/CounterSpy (and probably WinPatrol as well).

    But aren't these locations also covered by the RegRun .ghst file in RD?
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Unless RegDefend has the ability to monitor files as well as registry entries, would this make any difference?
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't know, that's why I'm asking. Presumably that's why you're asking too.

    Perhaps someone with a bit more knowledge of these matters than us will kindly explain why the RegRun protection includes those keys when apparently startups from those folders do not affect the Reg key values?
     