Tiny Watcher 2.0

Discussion in 'other anti-malware software' started by kubicle, Oct 1, 2020.

  1. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Thanks notably to a thoughtful and motivating conversation with Bellgamin, I started spending the hundred hours (and counting) to give Tiny Watcher a new life for Windows 64bit.

I will be looking forward to your input, especially about mandatory improvements and scanned item lists to use as baseline (for example this list).

    Main changes in TW 2.0 will be:
    - 64bit for Windows 7, 8.1 and 10
    - scanner for Task Scheduler 2.0
    - standardized way to configure the scan (e.g. recommended scanned item lists can be exchanged on this forum easily)
    - some readability enhancements (so seeing what changed is a bit easier)

    Finally, I am considering opening the (C++) source code on GitHub. I am not sure how much collaborative work can be expected from that, but it will have the usual pros & cons, the biggest "pro" being the added transparency (so anyone can verify what TW is doing on your system), and its counterpart biggest "con" being the easier job for hackers to exploit any vulnerability in this code.
    Constructive opinions on this choice are also super welcome!
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,333
    Location:
    U.S.A. (South)
    Wow and Double Wow!

    This program was part of many a system for years & series of Windows I think most always made sure was part of their setups.

Looking forward with anticipation to it finally being an integral part once again after all this time.

    Many Thanks! EASTER
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
Great idea :thumb: TW is still on my XP and it would be fine to use it on higher Windows :)
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    Tiny Watcher is a free security app of the type known as "File Integrity Monitor" (FIM). See HERE. FIM usage is fairly standard among major computer centers & networks managed by ITs &/or SysAdmins. However, the FIM apps that they use are too expensive and powerful for a home user. I know of just a couple of "home user" FIMs:

    1- MJ Registry Monitor: a real-time, patrolling FIM that monitors only the registry.
    2- ADInf: an on-demand FIM that monitors all files EXCEPT the registry.

    Pending completion & release of the on-going update of Tiny Watcher (TW), I will describe its functions as best as I am able to remember them from back in the days when I ran TW on WinXP. I will leave it to TW's developer (kubicle) to describe anything I have remembered incorrectly or omitted.
    • In those days, Tiny Watcher was neither a real-time FIM, nor an on-demand FIM. Instead, TW was mainly designed to do a once-daily check, usually at computer startup. Also, it was able to monitor all types of files -- sensitive registry entries AND sensitive system files, program files, data files, etc.
    • TW came with excellent, developer-set defaults but provided an easy way for users to add additional registry entries & other sensitive files that they wanted monitored.
    • Of course, it was very easy to have TW do an on-demand scan, over & above the daily scan, if the user was a bit paranoid. Conversely, the automatic daily scan at start-up could easily be suspended so that TW was used on-demand ONLY.
    • Windows registry is huge and the daily system-initiated changes thereto are very many and very frequent. Thus, attempting to closely monitor ALL the changes to ALL the registry entries would be grossly impractical for a home user. Fortunately, a relatively small percentage of registry entries & other files are among the most sensitive and vulnerable to malware. Those are the ones that TW is designed to monitor.
    • In the WinXP days there was a very active thread where users of TW were active in discussing what they felt should & should not be covered in TW's scans. As I recall, I ended up with about 80 items to be scanned, including TW's defaults & my own tweaks. It rarely took me more than a moment's glance at TW's daily scan results to be sure things were normal/okay.
    • I used to say that TW was like what you would get if you cross-bred a parrot with a 500 pounds lion. That "parrlion" will mostly just purr and wave at you every morning BUT -- :eek: when it DOES talk -- you bloody well better listen! :p
     
    Last edited: Oct 1, 2020
  5. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Hahaha (sorry I am still laughing about the "parrlion" :argh:)....

    Thank you all very much and glad to be of help!

    I recap which lists I found so far:

    - Bellgamin's list - July 28, 2007:
    https://www.wilderssecurity.com/threads/any-tiny-watcher-fans-around-here.180714/#post-1048030

    - Melf's registry & file lists for Win7 - Feb 23, 2013:
    https://www.wilderssecurity.com/threads/updating-tiny-watcher-for-win-7.342345/

    I am planning to incorporate/merge these lists (and whichever other lists you point me to) with the old TW default lists.
    I will post again here when the resulting lists are ready so you can review/correct me as you want :thumb:

    BTW, the new config files will allow comments in the text, so we can keep them clearer for future readers and easier to exchange/modify.
    Going back to "the kitchen" now... ;)
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,893
    Interesting! I never used Tiny Watcher.

    Hey Bill, dear old friend,

    Some remarks if you would allow me.

    I usually use the expression "File Integrity Checker", but that doesn't matter ;)

    You forgot to mention the very old NIS File Check and File Change Alarm.
They are no more available. Alas, I have not been able to get in contact with Albert for many, many years.
    I still have NIS File Check on my Win 7. I think that Easter has File Change Alarm; I don't have it.
    Ages ago we had here a sub-forum for them.

    About ADinf: great program, no doubt!! But how much time has Dmitry for it (if needed at all)?
    I do have it.

    Long, long ago there was a great and long article from Vesselin Bontchev.
    It was called "Possible Virus Attacks Against Integrity Programs and How to Prevent Them".
    It used to be here: http://www.people.frisk-software.com/~bontchev/papers/attacks.html
    But at the moment it looks to me that it isn't available there anymore.

    Cheers ;)
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,002
    Location:
    UK
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,893
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
    @kubicle
    There are 3 smart tools made by Andy Ful discussed on MT
    Hard_Configurator
    https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/
    ConfigureDefender
    https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/
and Simple Windows Hardening (simplified version of Hard_Configurator)
https://malwaretips.com/threads/simple-windows-hardening.102265/
I think some information/content in those threads can be useful when composing the list of protected objects in the new TW.
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    @ichito -- grrreat links for kubicle. Thanks to the nth!!!

    @FanJ --
    May God grant you many years to live,
    For sure He must be knowing
    The earth has angels all too few
    And Heaven is overflowing.

    :-*
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
    Is this love? :isay:
    ;)
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    @ichito -- Since you are still running TW, how about posting some screenshots?

    As to your question --- We are all neighbors on this tiny rock, the 3rd planet out from a G-type main sequence star that we call the Sun. Therefore, Matthew 22:39 most definitely applies.
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
    @bellgamin
It's especially for you :)
[attachment: 201007141754_1.jpg]
Due to the real-time job of SpyShelter and its registry protection I rely on the default list of registry entries in TW. But I've added my important locations in the files/folders list.
[attachment: 201007101313_3.jpg]
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    @ichito -- Thanks!!! Does SpyShelter have a specific list of registry entries that it watches? If so, is that list visible to the user? In your experience, how often has SS alerted you to something concerning your registry?
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
No, there is no list of protected registry entries like in TW or MJRW - it's hidden. But SS offers in the module Settings/Security a useful feature called "User defined protected registry keys". Here is some info:
https://www.spyshelter.com/blog/spyshelter-10-8-7/
All of that is realised by the "System Protection" module and it is monitored and logged, but some registry protection is realised automatically without user interaction, so there is no way to create a rule for such actions - it applies to actions of restricted apps:
    https://www.spyshelter.com/restricted-applications/
     
  16. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Just an update, time has been flying...

    Many thanks to all of you here for all these pointers... honestly too much data for me at this moment, but I will get back to it with more time later.
    My current plan is to try to deliver TinyWatcher as a generic tool to scan your systems, leaving to you guys and other security experts out there the hard job of figuring out what to scan and how much security this scans will actually add.
    Of course I will stay open to suggested improvements (especially the ones that can be coded within my available free time), but I am not a security expert and I will never be one, if only because of my lack of genuine interest for the endless series of tricks humans can come up with to mess up with a computer or pretty much anything on earth. :rolleyes:

    Good news:
    - SHA-256 is added and working great (I used Windows standard crypto library, which computes a SHA-256 maybe even faster than the old open-source code I used for SHA-1).
    - TinyWatcher is working fine on my Win8.1 machine, and I started testing it on my Win10 yesterday. I will need someone to help me test on Win7 in a couple weeks. At this moment I am fighting with the pesky details of getting the installer to work smoothly (many things have changed since WinXP, haha).

    Stay safe and healthy, wherever you are! :thumb:
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    YOU are the good news! Glad to hear that you (and TW) are happy & healthy.
    Good job. SHA-256 is 99.999% bullet-proof.
    You have a Win8.1 devotee among TW's followers. I know he will appreciate that bit of good news. As for Win10, I'm sure you will find plenty of testers here.
    I will be at least one of the Win7 testers. I am a Win7 die-hard

    Right back at you bon ami! :thumbd::thumbd:
     
  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
    Me too...is there some "2 beta version"?
     
  19. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
I will give you an installer (setup.exe file) as soon as I have one that runs without blatant issue. For example I still found issues today I need to fix about where files are installed, because my win8.1 machine had a different user config than my win10; so it was working here but not there...
    There are also issues I will leave for later, like Defender blocking the first run of TW (then it can be told to let it run).

    Do you have any preference for where I should upload the file(s) for you guys? I can share it from google drive and send you a link via PM unless you have a better idea?
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
OK... it will be a good enough idea, but we should wait for @bellgamin's opinion :thumb:
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    I do not have a better idea. I have never before downloaded from google drive, but I'm ready to give it a trial.

    One question: Do Google Drive's regulations place any tight limit on the size of downloads or the number of downloads? Or does Google require payment if downloads go too high? If NOT, why PM the link? Why not just post it in this thread? The more testers, the better, right?
     
  22. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Ah, this is a great question! I would like to offer as dedicated support as possible to the first brave ones who will try it.
    This will minimize the frustration and wasted time for everyone.
    I expect a couple issues (minor or not) on each system, and I cannot promise I will be able to investigate and fix each of them right away. If I keep people waiting, they give up and then I lose their valuable feedback to fix the issues for good. Etc.

    BTW no matter what kind of issue, at worst I expect Tiny Watcher to crash, or become unresponsive until you kill it - so no real danger for trying it (even though the usual disclaimer says I cannot be sued if your hard-drive burst into flames...:rolleyes:).

Example of an issue I just fixed today, to give you an idea: when starting TW at logon, it was scanning processes "too early" and then refusing to count processes because "winlogon" was not yet there to be seen... I would not like a dozen persons to be annoyed by this issue and waste time reporting it several times to me while I rush to figure out what is happening to everyone (including any other issue that will get reported).
     
  23. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    @bellgamin @ichito I have a question for you guys: how do you (or did you) start Tiny Watcher at logon time?
    And as explained below, what is your admin-related philosophy/belief when you think about what you want TW to do for you?

    Context: I used to set a shortcut with the install, so by default TW would start at logon. With Win7+ Windows there is clearer separation between "admin" and "non-admin" access, and I was planning to encourage running TW as admin. Then troubles started... At this moment I have not found a good enough (for me at least) solution.
- If I make TW start from a shortcut, unless you are logged in with an admin user, you cannot scan as admin.
    - Same when I tried to start TW using a scheduled task. There were more options/ways, but none of them worked for me.

    I am about to settle on a compromise like below:
    - If you log in as an admin user, you can scan as an admin as well (so you have full access to disk/registry/tasks)
    - If you log in as non-admin, you can scan only as non-admin (everything works but some process path cannot be seen, some files will be known but their content will not be scanned, and some tasks cannot be seen)

    I suppose these restrictions existed already more or less in the past but I was probably blind to them while I used WinXP always as admin :argh:...
    What do you guys think?
    Thanks as always!
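A minimal version of the baseline-and-compare check described in this thread (bellgamin's FIM description above and kubicle's admin vs non-admin scan scope), as an added Python example that is not Tiny Watcher's code; the watched file names and contents are constructed for the demo, and a file whose content cannot be read is reported as known but unscanned rather than silently skipped.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """SHA-256 hex digest of a file, or None if content cannot be read (e.g. non-admin scan)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

def snapshot(paths):
    """Baseline for a watch list: path -> {"exists": bool, "sha256": hex|None}.
    Keep the result where the scanned account cannot rewrite it, or tampering can be re-baselined."""
    snap = {}
    for p in map(str, paths):
        exists = os.path.exists(p)
        snap[p] = {"exists": exists, "sha256": sha256_file(p) if exists else None}
    return snap

def compare(baseline, current):
    """List (path, status) for every watched item whose state changed."""
    nothing = {"exists": False, "sha256": None}
    changes = []
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p, nothing), current.get(p, nothing)
        if not old["exists"] and new["exists"]:
            changes.append((p, "added"))
        elif old["exists"] and not new["exists"]:
            changes.append((p, "removed"))
        elif new["exists"] and new["sha256"] is None:
            changes.append((p, "unreadable"))  # known, but content not scanned
        elif old["sha256"] != new["sha256"]:
            changes.append((p, "modified"))
    return changes

def demo():
    """Run the check on constructed files in a temp directory; return statuses in path order."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "hosts").write_text("127.0.0.1 localhost\n")
        (d / "autorun.cfg").write_text("run=notepad\n")
        (d / "gone.dll").write_bytes(b"\x00" * 16)
        watched = [d / n for n in ("hosts", "autorun.cfg", "gone.dll", "new.exe")]
        baseline = snapshot(watched)
        # Simulate changes a later daily scan would find.
        (d / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        (d / "gone.dll").unlink()
        (d / "new.exe").write_bytes(b"MZ")
        return [status for _, status in compare(baseline, snapshot(watched))]
```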
     
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
It's not a good practice but I'm always using an "admin" account on my machines :isay: Both options mentioned as the "compromise" are good enough for me... full info for an account with full access - basic info for non-admin.
     
  25. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,334
    Location:
    Hawaii
    If I correctly understand kubicle's "compromise," it would work somewhat as follows:
    1) Only Admin can install TW.
    2) TW will have an option whereby a "special" section of TW's settings can be password protected, but ONLY by someone logged in as Admin.
3) If Admin chooses to password-protect TW's "special" settings then (obviously) changes to those settings can be made only by entering the correct password. Thus, the Admin can easily choose exactly who may have access to TW's settings.
    4) Any user can initiate a scan by TW.
    5) Any user can change any settings that are NOT password protected.

    If I am correct about the "compromise," I think it is a good concept IF the goal is to make TW a tool for all users. However, I feel that File Integrity Monitors (that's what TW is) are specialized and "granular" tools that would best be managed by someone having primary responsibility for a home network's overall stability and security. In other words, I believe that TW should be a tool for use solely by Admins (or ITs, SysAdmins, etc). Therefore I suggest that:
    1) Only Admin can install TW.
    2) Only Admin can configure or execute TW.

    OPTIONALLY:
    1) Give Admin the option to password-protect ALL aspects of TW (settings, scans, etc).
    2) Admin can then give the password to whoever he wishes (or NOT). Thus, Admin will be able to log in as a user (as some Admins prefer to do) and still be able to manage & execute TW.
     
    Last edited: Oct 27, 2020