What's a good way to know about changes to the system & software? HIPS, BBs, etc.

Discussion in 'other anti-malware software' started by justenough, Nov 8, 2010.

Thread Status:
Not open for further replies.
  1. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    SysTracer does look like what I had in mind, it is a good price for the home user, and there is a version for 7x64. On first look, a snap-shot gives a ton of information, but I'm not seeing an easy way to compare what changed. I'll have to look into it further. Thanks for telling me about it.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i haven't loaded it yet but on their website i see a couple of screenies: one is called "Registry differences list" and the other "Exporting differences".

I'll try it out later on when I get some time...
     
  3. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I have the Plus version, and have a fondness for Scotty. You are right, with all its features it is the best answer for what I am looking for. Except for one thing. People seem to either love it or feel it isn't up to the task. I don't have the expertise to test it myself, and haven't found any professional tests.

    The person who compiled "Probably the Best Free Security List in the World", Antti Koponen uses WinPatrol Plus, and it is recommended at some high-powered tech sites. On the other hand, several knowledgeable people here who I trust have said WP isn't much defense, that it can't even protect itself. When I have talked to Bill about it, who obviously knows what he is talking about and is a great person in his own right, he has said that WinPatrol is designed to protect where the vast majority of attacks occur. So I just don't know what to think.
     
  4. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I added Online Armor free, because from my reading last night it seems that a vulnerability with Sandboxie is if malware tries to connect out. I am guessing that OA will cover that.
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
I never thought of WinPatrol as an anti-malware app.
    more like a system info tool.

    but that's me.
     
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    A system monitor/file-integrity-checker, such as Tiny Watcher (TW), will watch over your stuff, even 64-bit (with the exception of the 1 area mentioned by MrBrian).

    TW is best used in conjunction with a disk imager:

    +Image your HD at least weekly PLUS just before installing or uninstalling any major/large software app.

    +Run TW's deep scan on-demand every day at startup. If it reports changes that relate to whatever you installed or uninstalled or updated the previous day, THAT is to be expected. No worry. However, if a change is NOT understandable to you, here are sites where you can check for safe VS dangerous processes...

    http://www.greatis.com/appdata/
    http://www.processlibrary.com/
    http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx
    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
    **You can also post a query here at Wilders, of course.

    For checking questionable processes added to startup, goto
    http://sysinfo.org/startuplist.php

    After research, if you feel you might have some bad stuff, simply restore the latest clean image.
     
  7. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    You give a different perspective to WP. From his name, I should have guessed that Scotty is a friendly companion and not a pit-bull.
     
  8. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Bellgamin, after your several suggestions over the months that I try TinyWatcher, and now knowing it will work on 7x64, I have finally installed it to see if I can handle it. I will use the sites you provided for information on changes I don't understand. Might be over my head, but certainly worth a try. And I'll use Acronis to image as I go along. Thanks.

    later: Guess I still don't know enough to be able to run Tiny Watcher. Every time I scan, I get this:

    Process TrueImageMonitor.exe <C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe> :
    Another process is using the same name but a different executable file: <C:\Program Files (x86)\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe>

    Available actions for this item: 'Remove'
    ** 'Confirm' action is not available because this item is never normal **

    So I remove, and it pops up again next scan. Also I get two items showing that aren't listed in any of the sites you linked to, so I don't know what to do with them:

    File C:\Windows\setuperr.log

    and

    File C:\Windows\setupact.log
     
    Last edited: Nov 9, 2010
  9. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    For system changes you can run TinyWatcher which will watch files and registry changes and only scan on demand. There is also another free app called DiskPulse that watches file changes on the HD.
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    why would you want to remove the Acronis exe?
    can't you confirm the change as safe so it doesn't bother you again?
    anyway, it probably is normal for that item to change.
    it doesn't mean because it changes that it is automatically bad.

As for your 2 other items, I think they are part of Windows;
    do a Google search and you'll see...

    if you find out Tiny Watcher eventually gives you too many headaches, get rid of it.
    try to stick to it for a while though and see if it integrates into your setup.
     
    Last edited: Nov 10, 2010
  11. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I don't want to remove Acronis.exe, that's the point. TinyWatcher says it is never a normal situation and only gives me the option to remove it. I remove it, and it is back next scan.

    Yes, I looked on Google, and found that the files are Windows. Other than the problem with Acronis, TW seems like what I was looking for. But I am using WinPatrol for now until I figure out what to do about the Acronis file.

    Have you tried SysTracer yet?
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
just ignore the Acronis file.
    it changes every time you reboot and Tiny Watcher is doing its job in letting you know.
    too bad you can't tell TW to ignore it.

    i just installed SysTracer.
    it seems very thorough and informative.

    the only use for me would be when uninstalling software to make sure everything is gone.

    i guess it could be used like Tiny Watcher to check for suspicious change but i'm not that paranoid yet. ;)
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    100% correct!!! :thumb:

    I tried to download a copy of Systracer from Snapfiles but got a 404. Moontan -- if you have a better d/l location please let us know.

    From its description, it sounds like SysTracer reports ALL changes to files & registry unless re-configured by the user. To me this sounds like an overload of information. However, I haven't thus far been able to get a copy of that program for trial. Therefore, if you have given this program a trial, your comments would be very welcome -- also some screenshots, if it isn't too much trouble.

    Unlike SysTracer, Tiny Watcher's default settings cause it to monitor & report changes to *sensitive* areas ONLY -- where nasties often seek to intrude. Thus, it seems to me that SysTracer (ST) would have a lot more FPs than does Tiny Watcher (TW). However I await moontan's comments because -- as stated earlier -- I haven't yet been able to give ST a trial.

    In my view, now that we have good & cheap imaging software, "on-demand system-watching software" (such as TW & ST) is an essential component of *light but effective* security. Thus, although I am a TW fanboi, I am deeply interested in finding anything that might do the job better. Maybe ST is it.
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
bellgamin,
    here's the link to the company:
    http://www.blueproject.ro/systracer

    i think you might like it.
    it is very complete but you can use filters to cut down on the information overload.
and you can see the difference between 2 snapshots at the click of a button.

    they have a free version and the only major thing the free version is missing compared to the Pro version is driver checking.
    the Pro version has 2 prices, a business and home price but it's the same product.

let me know what you think about SysTracer, as I value your input. :)
     
    Last edited: Nov 10, 2010
  15. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I used the compare button with SysTracer after uninstalling a program, and it is giving me more information than I know what to do with. I will wait for other opinions on the usefulness of the software before plodding deeper into it.
     
  16. pintas

    pintas Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    179
    Maybe the All Seeing Eye works for you. Very light and it has a Learning feature.
    I haven't read all the posts, so maybe it was already posted. If that's the case, disregard it. :)

    find it here: http://www.fortego.com/en/ase.html

    Edit: RegShot is my favourite to record changes to the registry and files.
     
    Last edited: Nov 10, 2010
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
at the bottom right you have 2 buttons:
    - View differences list: shows ALL the differences
    - Compare: you can see the differences based on the Registry, Application, and File tabs.
    you can then click the "Only Differences" button in the upper left and click on the tree branches on the left to see the differences.

    all in all, i think this is a pretty cool app and i might just buy it.
     
  18. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    When viewing differences, do you have to click down through the folder trees to see what is different in each one?
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yes.
    i haven't had time to dig into it deep though.
    i gotta get ready for work but i'll try to spend an hour or so with it tomorrow morning.
     
  20. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Interesting looking programs, but I wouldn't be able to use them since it doesn't look like they are for 64bit.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    WP+ is a limited-scope HIPS that monitors in real-time. It is NOT a system integrity checker.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Per Regshot's website, HERE, it only monitors the Registry -- NOT other types of files. For a system integrity monitor to be effective, it must also monitor system files, key applications, etc. RegShot does not do this. As the "Reg" part of Regshot's name connotes, it only monitors the registry.

    Quoted from the Regshot website:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Per suggestions by other posters here are some comments relative to 2 other system integrity monitors:

    1- SysTracer -- SysTracer is a splendid app, especially if you are an IT who is responsible for a network, or you are a Security Analyst responsible for tracking down changes made by a given process -- whether malware or not. For those purposes/users, SysTracer will give abundantly detailed data on any & every change in any user-specified area (including registry & all other files) of a computer, server, network, etc.

    It is *possible* to filter SysTracer so as to reduce its scope of snapshots to only *sensitive* areas. However, doing so requires going through a complete listing of EVERY file on the computer, & laboriously narrowing it down to sensitive items.

    NOTE: Installing SysTracer does NOT require a reboot. Ergo, you can trial SysTracer using Shadow Defender, et alia.

    2- DiskPulse - DiskPulse monitors user-specified files/areas of the HD in real-time, and reports changes to the user instantly as they occur.

    DiskPulse Pro (NOT the free version) allows the user to filter detected file system changes by the file extension, file type and change type.

In order to simplify the disk monitoring process for numerous disks or directories using customized sets of parameters, DiskPulse provides the user with the ability to save a number of profiles and specify pre-defined directories to process and configuration options for each of them.

    IMO DiskPulse is much too powerful & convoluted for simple system integrity monitoring by homeusers. But it could do that job - somewhat in the same sense as you could use a sledgehammer to kill a housefly. :eek:

    NOTE: Installing DiskPulse (DP) does not require a reboot. Ergo, you can trial it using Shadow Defender, et alia.
     
    Last edited: Nov 11, 2010
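The workflow bellgamin describes (baseline, daily scan, separate expected changes from unexplained ones), the "same name, different executable" alert justenough got from Tiny Watcher, and the "ignore the files that churn every boot" and "restrict scope to sensitive areas" points raised about TW and SysTracer all come down to the same mechanism: snapshot a set of paths with a content hash, diff two snapshots, then filter. The following is an added illustration of that mechanism, not code from Tiny Watcher, SysTracer, DiskPulse or any other tool in the thread; it uses only the Python standard library, the file tree it scans is constructed inside a temporary directory, and the ignore and expected-change patterns are assumptions for the demo rather than any product's real watch list.

```python
"""Snapshot-and-diff file integrity check with an ignore list and a
same-name-different-path check.  Added example, not code from any tool
named in the thread.  The sample tree is constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict
from fnmatch import fnmatch

# Assumed ignore patterns: files that legitimately change on every boot.
# The two names come from the thread; treating them as ignorable is our rule.
DEFAULT_IGNORE = ("*/setupact.log", "*/setuperr.log")


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, ignore=DEFAULT_IGNORE):
    """Map each file under root (relative, '/'-separated) to (size, sha256),
    skipping anything that matches an ignore pattern."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch("/" + rel, pat) for pat in ignore):
                continue
            snap[rel] = (os.path.getsize(full), sha256_file(full))
    return snap


def diff(old, new):
    """Return (added, removed, modified).  Size alone is not enough: a
    same-size replacement is only caught by comparing the hash."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p][1] != new[p][1])
    return added, removed, modified


def same_name_different_path(snap, exts=(".exe", ".dll", ".sys")):
    """The situation Tiny Watcher flagged in the thread: one executable
    name present at more than one path.  Returns {basename: [paths]}."""
    by_name = defaultdict(list)
    for rel in snap:
        base = rel.rsplit("/", 1)[-1].lower()
        if base.endswith(exts):
            by_name[base].append(rel)
    return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


def unexplained(added, removed, modified, expected):
    """Drop changes matching patterns the user supplied for what was
    installed or updated yesterday; whatever remains needs research."""
    return [rel for rel in added + removed + modified
            if not any(fnmatch("/" + rel, pat) for pat in expected)]


def demo():
    """Constructed scenario: baseline, then a 'next day' with log churn,
    a hosts edit, a duplicate-named binary and an expected new install."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    try:
        write("Windows/setupact.log", b"boot 1")
        write("Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write("Program Files (x86)/Acronis/TrueImageHome/TrueImageMonitor.exe", b"MZ-a")
        baseline = snapshot(root)

        write("Windows/setupact.log", b"boot 2")  # ignored: expected churn
        write("Windows/System32/drivers/etc/hosts",
              b"127.0.0.1 localhost\n0.0.0.0 blocked.example\n")
        write("Program Files (x86)/Acronis/OnlineBackupStandalone/TrueImageMonitor.exe", b"MZ-b")
        write("Program Files/NewApp/app.dll", b"MZ-c")  # yesterday's install
        current = snapshot(root)
    finally:
        pass
    added, removed, modified = diff(baseline, current)
    todo = unexplained(added, removed, modified, expected=("/Program Files/NewApp/*",))
    collisions = same_name_different_path(current)
    shutil.rmtree(root, ignore_errors=True)
    return added, removed, modified, todo, collisions


if __name__ == "__main__":
    for label, value in zip(("added", "removed", "modified", "unexplained", "collisions"), demo()):
        print(label, value)
```

Two design points carry over to the real tools: the ignore list is applied at snapshot time, so a churning log never shows up as a "change" at all, whereas the expected-change list is applied at diff time, so it can be supplied per day without touching the baseline; and a name collision is reported as information rather than as something to "remove", which is exactly the distinction the Acronis alert in this thread blurred.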
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    For me, it was too difficult to find the changes in SysTracer, but then I'm not an IT. I have re-installed Tiny Watcher now that I know it is okay to ignore the Acronis alert. I'll run it with WinPatrol Plus for a while and compare the two, that might make it easier to learn what the changes mean.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yes,

    and i forgot to mention you can also get a "global" view by clicking the "View differences list" button instead of the "Compare" button on the Snapshots tab.
    that global view is classified in major sections so it's relatively easy to check by category.
    though there can be a lot to sift through if you don't filter out some of that info. ;)

    i think this is the perfect computer geek toy. :D
    you can peer inside the "guts" of the machine so to speak.
     
  24. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Thank you Bellgamin for the review on DiskPulse. Does it allow registry monitoring?

    If so you could use it to watch the main entry points for malware much like TW and have the option to expand further if you were susceptible.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes. However, DP isn't pre-configured with "Hojtsy's Sensitive Registry Items". (OTOH, TW is pre-configured with a registry-watch-list that merges lists by Hojtsy & Tony Klein.)

    Further, DP isn't easily user-configured for adding registry items. DP doesn't allow adding LISTS of registry items (TW does) but requires item-by-item entry. PITN

    Besides DP is a real-time app & I am totally disinterested in real-time monitorship of system integrity BECAUSE, with drive imaging, real-time integrity monitoring is a waste of cpu cycles IMO.

IMO, the best replacement for TW that I have seen thus far is SysTracer. If you want to supersede TW and are willing to spend $29.95, SysTracer is a good choice.

    As for me and my house, we will stick with TW (but I continue to watch for something better).
     