Microsoft Anti-spyware Beta 1, well, let's see... screenshots.
phawgg
post Jan 15 2005, 04:17 PM
Post #1


Learning Daily
******

Group: Members
Posts: 4,543
Joined: 9-July 04
From: Washington State, USA
Member No.: 1,322



Brief Comments at Langa.com got me thinking, maybe a preview would be good for our members.
Microsoft Anti-spyware Beta 1
Part I
"getting started"

Seems like it might be helpful to show screenshots of the newly released product.
Numbers link to pictures of the screens.
Sequentially.

1. Download and install this & it will appear as a 15.72MB program in Add/Remove programs.

2. Welcome screen introduces four key points which include:
A. Automatic Updates. B. Real-time Protection. C. SpyNet Community. D. Scan.

3. For testing purposes, I chose not to automatically update.

4. Real-time Protection is introduced as a Team of Security Agents working over 50 Security Checkpoints
while using your computer(s).

5. Here you are offered an opportunity to be involved in "the world's first anti-spyware network".
Automatically alert the community.

6. The final step in initial configuration.
All configurations can be changed later using either tools or the bold icons.

7. The Scan screen. Default setting is Quick Scan.
Two minutes estimated completion time.

8. The Scan screen. Optional Full system scan.
28 minutes estimated on my PC to completion.

At this point you are ready to scan & fix problems.
I thought I'd pause and check into the additional features more.
Starting with the files on the upper left.
Just curious.

9. Dropdown menu offers two choices. Check for updates is shown.

10. Choose to update, and this sorta thing will likely happen the first time.
It connects to www.giantcompany.com now.

Help menu on the toolbar might come in handy.
Overviews of what can be done are explained.
It turns out to be fairly comprehensive.
Informative in such a way that sheds light on the entire subject of Internet Security in fact.

11a. Select topics include:
  • How do you get spyware?
  • How does anti-spyware work?
  • Maintaining protection from spyware.
  • What to do when spyware is discovered.
  • Is all spyware hazardous?
11b. and continue with:
  • Understanding what is running on your computer.
  • Running Tracks Eraser for privacy.
  • Keeping spyware definitions current.
  • Microsoft Anti-spyware features: Security Agents-->Application Agents.
11c. A good list of vulnerabilities needing attention continues:
  • Microsoft Anti-spyware features: Security Agents-->Internet Agents
  • Microsoft Anti-spyware features: Security Agents-->System Agents
11d. Further explanations are available...
  • The use of Advanced Tools include a dozen specific problem resolvers.
  • System Explorers are used to target more specific malfunctions.
  • Terminology & Definitions involving spyware issues.
  • The basic Help Appendix.
11e. Ending with the EULA & Privacy Statements.

12. Click About Microsoft Anti-spyware Beta 1 and learn they do not offer technical support.
  • What they do offer is an outline of sensitive areas found within Windows.
  • Much like HijackThis!, only specific enumeration is offered in this highly granular program.
Microsoft Anti-spyware is available free to windows OS users

BTW, Brief Comments at Langa.com are available to anyone who wants to receive an email from a subscriber.
That'd be me.
phawgg"at"gmail.com.
PM me or let me know your address if you're interested in what was said.

You can subscribe yourself, also.
Visit his well-respected site for details.

This post has been edited by phawgg: Jan 15 2005, 10:06 PM


--------------------
patiently patrolling, plenty of persistent pests n' problems ...
phawgg
post Jan 15 2005, 07:27 PM
Post #2


Learning Daily
******

Group: Members
Posts: 4,543
Joined: 9-July 04
From: Washington State, USA
Member No.: 1,322



More screenshots of the newly released product.

Microsoft Anti-spyware Beta 1
Part II
"settings"

The file and help toolbar buttons have been clicked & briefly examined.
There is more to see & learn.

The toolbar also contains options and tools, and three big icons.
Open the program (after having used it a few times) and you'll see this screen.
1. Options dropdown menu is highlighted.
Settings = Options since it is your only choice.

2. Settings include:
  • Startup options. Good programs will allow you to control these yourself.
  • Real-time Protection
  • Script-Blocking options
On the left are additional big icons.
  • AutoUpdater.
  • Real-time Protection.
  • Alerts.
  • SpyNet Anti-spyware Community.
  • Spyware Scan.
  • General.
3. AutoUpdater. Two types are involved here:
  • New spyware definitions, or signatures.
  • Software updates.
Included also on this page:
  • Option stating "new spyware definitions can be applied without interrupting you." or
  • you will be alerted to manually update.
  • Choice regarding notification of software updates is available.
4. Real-time Protection. Several options exist:
  • Startup at reboot (or not)
  • Real-time protection enabled or disabled.
  • Script-blocking involving .vbs or .reg files set either on alert or prevent running.
5. Alerts. Three basic types of alerts.
  • Alerted to the prevention of an action. Enable or Disable.
  • Alerted to changes that occur when known non-malware acts. Enable or Disable.
  • Alerted to Ignored Threat not being prevented. Enable or Disable.
6. SpyNet Anti-spyware Community. More or less an error reporting feature.

7. Scan Settings. Two.
  • Display Results of scan. Enable or Disable.
  • A place to copy/paste threats to ignore in future scans.
  • False positives & tolerable positives, perhaps belong here.
8. General Settings. Three final settings:
  • Select mode: Knowledgeable User or Novice User
  • Include technical Information in selection details? Yes or No
  • Hide Microsoft Anti-spyware tray icon (if applicable)? Yes or No.
That about does it for the settings.
They are accessible from other clicks.
A wide variety of uses can be arranged to suit user preferences with this program.

This post has been edited by phawgg: Jan 15 2005, 10:07 PM


phawgg
post Jan 15 2005, 09:29 PM
Post #3


Microsoft Anti-spyware Beta 1
Part III
"tools"

1. The Tools dropdown menu has five options:
  • Summary
  • Spyware Scan
  • Real-time Protection
  • Advanced Tools
  • Suspected Spyware Report...
1. Summary shows six areas identified as requiring attention:
  • Date of Last Scan
  • Results of Last Scan
  • Scan Schedule.
  • Status of Real-time Coverage.
  • Date of Last Definitions Downloaded
  • Status of AutoUpdater.
Additional links to other screens of course are included.
I think all screens can be accessed from the toolbar.

2. Spyware Scan yields a flyout menu with four additional options:
  • 2a. Run a scan now (Quick)
  • 2b. Run a scan (Full)
  • 2c. Manage Spyware Quarantine.
  • 2d. Manage Spyware Scan Schedule.
  • 2e. View Spyware Scan History.
3. Real-time Protection will allow you to choose from five subjects:
  • Internet Agent
  • System Agent
  • Application Agent
  • View All Blocked Events
  • View Security Agent Events
This is where things get really interesting, IMO.
The 50+ areas of involvement, that malware can foul up in the operating system, are brought into the light.
Logically and with adequate definitions, for the most part.

This post has been edited by phawgg: Jan 15 2005, 11:35 PM


phawgg
post Jan 15 2005, 11:35 PM
Post #4


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

Basically the real-time protection, or resident protection is against spyware/malware.
Resident protection also is a feature of several other applications, or programs.
  • Anti-virus programs use resident protection against viruses.
  • They reside in your PC and monitor specific functions of it.
  • Blocks things.
  • Firewalls provide resident protection.
  • They block files or "traffic" coming in & going out while connected online.
  • Host file programs offer a form of resident protection.
  • They block individual website access.
  • ActiveX & some Java downloads are blocked by SpywareBlaster/SpywareGuard.
  • SpywareGuard does this running as a resident program.
  • Dynamic Link Library (.dll) changes are identified by Spybot S&D's Tea Timer.
  • It is a resident protection program, allowing a user to accept or deny the changes,
  • whether they be good, bad or unknown to the user.
A wide variety of Internet Security programs are no different.
Variations on the theme, so to speak,
and essentially effective to varying degrees of success.
The updating of signatures & definitions of the specific
problems they intend to combat largely influence the effectiveness.

Microsoft's purchase and re-introduction of this product reflects
an effort to illuminate the concepts involved of what seems to be a complex issue.

If for no other reason, the help menus and the documentation of
options available create a good opportunity to learn some hows & whys of security software.
Presently it is available at no charge.
I recommend downloading it.

Once again,
Real-time Protection will allow you to choose from five subjects:
  • Internet Agent.
  • System Agent.
  • Application Agent.
  • View All Blocked Events.
  • View Security Agent Events.
I think each should be examined exactly as they are presented in the sequential screens.
Each offers malware authors an opportunity to foul up our PC's.

1. Internet Agent. Nine checkpoints are listed & defined in the "detail" column. 1a
  • Dialup Connection.
  • Monitors for unauthorized dialup activity on your computer modem(s).

  • Helps to prevent dialer spyware from running.
  • Dialer spyware is software that dials a phone number over your computer's modem.
  • Most dialer programs connect to toll numbers without your knowledge
    or permission and incur phone charges on your phone bill.

  • WiFi Connection.
  • The WiFi Connection Agent monitors access from other users on your wireless network.

  • When a new user enters your WiFi network, the agent notifies you.

  • Internet Safe Sites.
  • The Internet Safe Sites agent monitors to prevent unauthorized Web sites
    from being added to your list of Internet safe sites.

  • Safe sites are Web sites that you trust not to damage your computer.
  • When you visit a safe site, IE uses a lower security setting and allows scripts,
    including potentially dangerous ones, to run on your computer.


  • Winsock Layered Service Providers.
  • Monitors additions and modifications to Windows Winsock layered service providers.

  • Layered service providers are sometimes manipulated by spyware applications known as Winsock redirectors.
  • Layered service providers are a way to connect a piece of software to the Winsock implementation on your computer.

  • Because the layered service providers are connected together, when Winsock is used,
    the data is transported through each layered service provider in the chain.
  • Spyware can use layered service providers to view all traffic transported over your Internet connection.
  • You should use extreme caution when deleting these objects,
    because if it is removed without properly fixing the gap in the chain, you can lose Internet access.

  • Windows Messenger Service.
  • Monitors the Windows Messenger service.

  • Messenger service protection helps prevent Windows Messenger service spam on your computer.
  • The Windows Messenger service, also known as net send,
    can be exploited to spread unsolicited commercial e-mail.

  • There is no update to prevent receiving such spam, although most firewall software prevents it.
  • Disabling the Windows Messenger Service will also prevent such spam.
  • The Windows Messenger Service,
    not to be confused with the Microsoft MSN Messenger chat client,
    is enabled by default on Windows 2000 and Windows XP operating systems.

  • Unauthorized users of your computer can use the Windows Messenger Service
    to cause a pop-up window to appear on your computer.
  • Every Windows XP and Windows 2000 computer has a service running
    in the background called the Messenger service.
  • This is a part of the operating system that is used by network administrators
    to send messages to users on a company network.
  • The Messenger service allows the net send function to communicate across networks.

  • Alerters are another function that can use the Messenger service to communicate across networks.
  • If you have ever received a message from the uninterruptible power supply—
    that it has passed a self-test,
    or went to battery for a moment due to a spike in the power supply—
    then you have received an alerter message.


  • Spam Zombie Protection.
  • Prevents spyware from sending spam from your computer.
  • It prevents your computer from becoming a source of spam.

  • Spammers take advantage of security exploits and spyware to
    install spam "zombies" on personal computers with the intention
    of sending out spam emails from that computer without your knowledge.
1b. Each of these targeted areas can be activated or made inactive depending on the user's preference.
  • Internet Proxy Server.
  • Monitors unauthorized changes or additions to your Internet Explorer proxy server.

  • A proxy server is a server between your Internet Explorer Web browser and a network server.
  • It intercepts all requests to the network server to check whether the proxy server can fulfill the requests.
  • If not, the proxy server forwards the request to the network server.
  • Proxy servers have two main purposes: improve performance and filter requests.

  • Name Server Protection.
  • There is a file on your computer that Internet Explorer uses when you reset options to the Windows default.
    The file c:\windows\inf\iereset.inf contains the default settings for your computer.

  • When you reset a setting, Windows reads the file and changes the setting to whatever is in the file.
  • If spyware changes the information in the file, your computer is re-infected each time you attempt to reset
    the settings.
  • A copy of the original file needs to be installed
    or the default settings must be manually reentered.
  • Computer manufacturers or system administrators can change
    the default Internet settings according to corporate requirements.


  • TCPIP Parameters.
  • Monitors spyware threats that can modify
    various TCP/IP parameters used by Windows to send and receive network data.

  • TCP/IP configuration parameters are registry parameters
    that are used to configure the protocol driver (Tcpip.sys),
    which implements the standard TCP/IP network protocols.

  • Some spyware threats such as CoolWebSearch can modify
    these parameters and take advantage of your computer.

  • There may be unusual circumstances in customer installations
    where changes to certain default values are appropriate.
  • To handle these cases, optional registry parameters can be created
    to modify the default behavior of some parts of the protocol drivers.
  • The Windows TCP/IP implementation is largely self-tuning.

  • Adjusting registry parameters without careful study may reduce your computer's performance.


This post has been edited by phawgg: Jan 16 2005, 06:03 PM


phawgg
post Jan 16 2005, 01:19 AM
Post #5


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

2. System Agent.

1 of 25 checkpoints is listed & defined in the "detail" column.
One of twenty-five seems to teach the concept fairly well.
(Not all of these are available at this time, it seems)
  • Windows Hosts File

  • Monitors changes to your system hosts file.
  • If a new entry is made, or an older entry is modified or deleted,
  • an alert prompts you to confirm the change.

  • The host file is used to perform domain-name-to-IP-address translation,
  • also known as host file redirection, for Web sites.

  • Assume the following entry is in the hosts file: 192.168.0.12 www.microsoft.com.
  • If you enter www.microsoft.com in the Internet Explorer address bar,
  • Windows uses the hosts file to resolve the entry to IP address 192.168.0.12
  • and the browser is directed to that address.

  • However, the Web site may not be the one you expected;
  • some spyware applications attempt to change your hosts file
  • to redirect your browser to a different Web site.

  • If spyware adds an entry like 192.168.0.12 www.woodgrovebank.com to the hosts file
  • (and 192.168.0.12 is not the correct IP address for Woodgrove Bank),
  • when you type www.woodgrovebank.com in the address bar
  • you would be redirected to 192.168.0.12 and not to www.woodgrovebank.com.

  • Some redirectors use this technique to redirect browsers from popular sites to their own sites.

  • It's possible to redirect all popular search engines to a Web site of your choice.

  • This kind of attack can be difficult to fix, and repair often requires special software
  • or detailed instructions from a technical support person.

  • Another attacker might change auto.search.msn.com to redirect the browser to his Web site.
  • Then, whenever you enter an incorrect URL, your browser is redirected to auto.search.msn.com.
  • The name is then resolved to a different IP address.

  • Resetting browser settings does not repair this issue because this sets your search page
  • back to auto.search.msn.com, and leaves the hosts file unaltered.


This post has been edited by phawgg: Jan 16 2005, 05:50 PM


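An added example, not part of phawgg's post or of Microsoft Anti-spyware: a small Python check that applies the hosts-file logic described above to a constructed sample file. It flags any hostname mapped to an address other than a local sink (127.0.0.1, 0.0.0.0, ::1), which is exactly the www.woodgrovebank.com / auto.search.msn.com pattern the post walks through. The sample file, the LOCAL_SINKS set and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed sample hosts file for this example (not captured from any real
# machine). It mixes the stock localhost line and a benign ad-block style entry
# with the two redirection patterns described in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# benign: a blocked host pointed at a non-routable sink
0.0.0.0         ads.example.net
# redirection of a bank name to an address the user did not choose
192.168.0.12    www.woodgrovebank.com
# redirection of the IE search/error-page host
192.168.0.12    auto.search.msn.com
192.168.0.12    www.google.com  www.yahoo.com
"""

# Addresses that merely blackhole a name rather than redirect it (assumption of
# this example; widen it if your environment uses another sink address).
LOCAL_SINKS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return [(lineno, ip, hostname), ...], expanding lines that list several names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # skip lines that do not start with an address
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def suspicious_entries(text):
    """Flag names mapped anywhere other than a local sink.

    Mapping a name to 127.0.0.1/0.0.0.0/::1 blocks it, which is common and usually
    deliberate. Mapping it to any other address sends traffic for that name to a
    host the user did not pick, which is the redirection the post describes, so
    every such entry is returned for review. 'localhost' itself is exempt.
    """
    flagged = []
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost" or ip in LOCAL_SINKS:
            continue
        flagged.append({"line": lineno, "ip": str(ip), "host": host})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

To run it against a real Windows machine, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text to `suspicious_entries`. Legitimate intranet entries will be listed too, so treat the output as a review list rather than a verdict; what matters is whether each name belongs to the address it is mapped to.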
phawgg
post Jan 16 2005, 04:15 AM
Post #6


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

2. System Agents.

Numbers 2-6 of 25 checkpoints
listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)
  • Windows Services
  • Prevents unauthorized programs from adding themselves to Windows Services.
  • A Windows service is a process or processes that add functionality by providing support to other programs.
  • These services can run in the background without any user interaction and load at boot initialization, prior to logon.

  • Context Menu Handler
  • Monitors unauthorized changes to Windows Context menus.
  • A context menu handler is a shell extension handler that adds commands to an existing context menu.
  • They are associated with a particular file class.
  • They're called on any time a context menu is displayed for a member of that class.
  • While you can add items to a file class context menu with the registry,
  • those items are the same for all members of the class.
  • By implementing and registering a handler, you can dynamically add items to an object's context menu,
  • customized for the particular object.

  • Shell Execute Hook
  • Monitors changes to the system Shell Execute Hooks.
  • A shell execute hook is a program that is loaded into the Windows shell, Explorer.exe.
  • Any shell execute hook program will receive all execute commands that are run on the computer.
  • This type of integrated program can either accept or reject a command to start a particular program.

  • Shell Open Commands
  • Monitors changes to the system shell open commands.
  • Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the registry.
  • Any command embedded here will open when any .exe file is executed.
  • If keys don't have the "\"%1\" %*" value as shown, and are changed to something like
  • "\"somefilename.exe %1\" %*" they will automatically run the specified file.

  • As part of their routine, many worms and Trojans make changes to the registry.
  • Some change one or more of the shell\open\command keys.
  • If these keys are changed, the worm or Trojan will run each time that you run certain files.
  • For example, if the \exefile\shell\open\command key is changed,
  • the threat will run each time that you run any exe file.
  • This may also stop you from running the Registry Editor to try to fix this.

  • Windows System.ini File
  • Monitors additions and modifications to the Windows
    system.ini file.
  • The C:\windows\system.ini file is an initialization file
  • used by the OS to initialize system settings.
  • Including the fonts, keyboard, language and various other settings.
  • The shell = statement in the system.ini is used to designate
  • which program will act as the shell for the operating system.
  • The Shell is the program that would load your desktop,
  • handle window management, and allow you to interact with the system.
  • Any program listed after the shell statement will be loaded when Windows starts, and act as the default shell.
  • It is also possible to list other programs that will run as Windows loads in the same Shell = line,
  • For example Shell=explorer.exe spyware.exe.
  • This line will make both programs start when Windows loads.


This post has been edited by phawgg: Jan 16 2005, 05:49 PM


phawgg
post Jan 16 2005, 02:50 PM
Post #7


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

3. System Agents.

Numbers 7-12 of 25 checkpoints
listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)
  • Windows Directory Trojans
  • Monitors spyware threats that can load a particular file when Windows starts.

  • A common technique that spyware, viruses, keyloggers, and others use to hide the damage
  • being done is to drop files that use the same name as a legitimate OS file.
  • Trojans using names such as spoolsv.exe or csrss.exe have been found.

  • Windows Extensions
  • Monitors unauthorized changes to the system's list of Windows extensions.

  • Windows Win.ini File
  • Monitors additions and modifications to the Windows Win.ini file.

  • The Windows initialization file is located at C:\windows\win.ini.
  • Win.ini is used to load various settings each time Windows starts.
  • The communications drivers, wallpaper, screen saver, languages, and fonts,
  • are loaded each time win.ini is initialized.
  • If this file becomes corrupt, Windows will either not load, or will have several errors as it loads.
  • Any programs listed after run= or load= in win.ini will load when Windows starts.
  • This run= statement was used with older versions of Windows and is included for backward compatibility.
  • Most programs today do not use this setting, and if you do not use older programs these entries should not exist.
  • The load= statement was used to load drivers for hardware but is no longer used.

  • Control.ini Policy
  • Monitors for changes to the controls in Control Panel.

  • It's possible to disable controls in Control Panel by adding an entry to the C:\windows\control.ini file.
  • In Control.ini, you can specify which control panels can be viewed.
  • If inetcpl.cpl=no, your settings may have been changed by software or by your system administrator.

  • Ini File Mapping
  • Monitors applications that install in an .ini file mapping location.

  • Win2000, WinXP, and other more recent Microsoft OS versions, don't generally use the system.ini and win.ini files.
  • For backward compatibility, they use a function called IniFileMapping.
  • IniFileMapping puts all the contents of an .ini file in the registry with keys for each line in the .ini file.
  • When you run a program that normally reads settings from an .ini file, Windows first checks the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping for an .ini mapping.
  • If found, Windows reads the settings from the registry instead of the .ini file

  • Shared TaskScheduler
  • Monitors unauthorized programs that can add themselves as start values when
    Windows loads.

  • The files listed in Shared TaskScheduler run automatically when you start Windows.
  • Windows executes instructions in the Windows Task Scheduler,
  • or any other scheduler that supplements or replaces the Task Scheduler.
  • The Task Scheduler is part of all Windows versions except the first version of Windows 95,
  • but is included in Windows 95 if the Microsoft Plus Pack was installed


This post has been edited by phawgg: Jan 16 2005, 05:46 PM


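An added example, not part of phawgg's posts or of Microsoft Anti-spyware: a Python reader for the two legacy startup files covered in the previous post (system.ini, Shell= line) and this one (win.ini, run= and load= lines). It parses constructed sample files and reports anything beyond a bare Explorer.exe on Shell= and every program named on run= or load=. The sample contents, program names such as spyware.exe and evil.exe, and the function names are this example's own assumptions.

```python
import re

# Constructed samples for this example (not from a real machine). system.ini
# carries the Shell=explorer.exe spyware.exe pattern from the earlier post; win.ini
# has a stale run= entry and an empty load= line, as described above.
SAMPLE_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe spyware.exe
drivers=mmsystem.dll
[386Enh]
woafont=dosapp.fon
"""

SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\evil.exe
NullPort=None
[fonts]
"""


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}}, sections and keys lower-cased.

    Written by hand rather than with configparser because old Windows .ini files
    allow duplicate or unusual keys that the strict parser rejects.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _programs(value):
    """Split a run=/load=/shell= value into program names.

    These 16-bit-era lines separate programs with spaces or commas and used 8.3
    names, so this example assumes no path on them contains a space.
    """
    return [p for p in re.split(r"[\s,]+", value) if p]


def audit_system_ini(text):
    """Report anything other than a bare Explorer.exe on the [boot] shell= line."""
    programs = _programs(parse_ini(text).get("boot", {}).get("shell", ""))
    findings = []
    if not programs:
        return findings          # no shell= line at all (normal on NT-family systems)
    if programs[0].lower() != "explorer.exe":
        findings.append(f"shell replaced: {programs[0]}")
    for extra in programs[1:]:
        findings.append(f"extra program on shell= line: {extra}")
    return findings


def audit_win_ini(text):
    """Report every program named on the [windows] run= and load= lines."""
    windows = parse_ini(text).get("windows", {})
    findings = []
    for key in ("run", "load"):
        for program in _programs(windows.get(key, "")):
            findings.append(f"{key}= loads {program}")
    return findings


if __name__ == "__main__":
    for line in audit_system_ini(SAMPLE_SYSTEM_INI) + audit_win_ini(SAMPLE_WIN_INI):
        print(line)
```

As the post notes, current programs should not need run= or load= at all, so any hit from `audit_win_ini` deserves a look. On Windows 2000/XP the same two lines may instead live under the IniFileMapping registry key described above, so a check of the files alone is not complete on those systems.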
phawgg
post Jan 16 2005, 03:59 PM
Post #8


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

4. System Agents.

Numbers 13-17 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)
  • Approved Shell Extensions
  • Monitors unauthorized changes to Windows shell extensions.

  • Shell extensions enable developers to add functionality to the existing Windows shell.

  • Examples of shell extensions are context menus
  • (menus that change based on what object has focus when you right-click),

  • property sheet handlers
  • (tabbed pages that appear when the Properties menu item is selected from an object’s context menu),

  • icon overlays
  • (the arrow on top of an icon that points to a shortcut or the hand that appears on shared folders),

  • or folder customizations.


  • Shell Service Object Delay Load
  • Monitors unauthorized programs that add themselves as start values when Windows loads.

  • Files listed in ShellServiceObjectDelayLoad are loaded automatically by Explorer.exe at startup.
  • Because Explorer.exe is the shell for your PC, it always starts loading the files under this key.
  • These files are loaded early in the startup process, before any human intervention occurs.

  • The ShellServiceObjectDelayLoad registry is
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad,
  • and it contains values in a way similar to the Run key.
  • The difference is that instead of pointing to the file itself, it points to the CLSID InProcServer,
  • which contains the information about the particular .dll file that is being used.

  • User Shell Folders
  • Monitors unauthorized changes to the system's User Shell Folder settings.

  • Shell folders indicate the default location for many types of settings and data.
  • These folders are usually common system folders such as My Documents, My Pictures, Program Files,
  • and other standard Windows folders.

  • The default user shell folders location is in %USERPROFILE% which is C:\Documents and Settings\user.
  • Some common shell folders include:
  • CD Burning
  • Desktop
  • Document Templates
  • Favorites
  • Installation Path Windows Installer default install folder location
  • My Documents
  • My Music
  • My Pictures
  • Programs
  • SendTo
  • Shared Documents
  • Shared Music
  • Shared Pictures
  • Start Menu
  • Startup
  • Common Admin Tools
  • Common AppData
  • Common Desktop
  • Common Favorites
  • Common Programs
  • Common Start Menu
  • Common Startup
  • Common Templates

  • Winlogon Shell
  • Monitors unauthorized changes to your Winlogon Shell setting.

  • The Winlogon Shell is automatically loaded when you log on to Windows.
  • The shell is the main user interface (UI) that you use to manage Windows.

  • In most cases, this is Windows Explorer (Explorer.exe).
  • However, the Windows shell can be changed to point to another program.
  • If this is the case, that program will start every time you log on.

  • Winlogon Userinit
  • Monitors unauthorized changes to your Winlogon Userinit setting.

  • The Winlogon Userinit setting specifies the programs that Winlogon runs when you log on.
  • By default, Winlogon runs Userinit.exe, which runs logon scripts,
  • reestablishes network connections,
  • and starts Explorer.exe, the Windows user interface.

  • You can change the value of this entry when you add or remove programs.

  • For example, to have a program run before the Windows Explorer user interface starts,
  • substitute the name of that program for Userinit.exe in the value of this entry,
  • then include instructions in that program to start Userinit.exe.
  • You might also substitute Explorer.exe for Userinit.exe if working offline and are not using logon
    scripts.

  • Note: The entry remains in the registry to support programs designed for Windows NT 4.0 or earlier.


This post has been edited by phawgg: Jan 16 2005, 07:02 PM


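An added example, not part of phawgg's posts or of Microsoft Anti-spyware: a Python checker for the registry autostart values these posts describe, run over a constructed .reg export rather than a live registry so it works offline. It covers the Shell Open Commands from the earlier post (any `\shell\open\command` whose default is not `"%1" %*`), the Winlogon Shell and Userinit values from this post, and the AppInit_DLLs value the next post covers. The sample export, the placeholder names somefilename.exe, evil.exe and hook.dll, and the function names are this example's own assumptions.

```python
import ntpath
import re

# Constructed .reg export for this example (not from a real machine). The values
# follow the patterns the posts describe: a hijacked exefile open command, a
# Userinit line carrying a second program, and a populated AppInit_DLLs value.
# Paths such as somefilename.exe, evil.exe and hook.dll are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\evil.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="hook.dll"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
EXPECTED_OPEN_COMMAND = '"%1" %*'

# A value line is either @=... (the key's default value) or "name"=...
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    r"""Undo .reg escaping: \\ becomes \ and \" becomes " (single left-to-right pass)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the string values of a .reg export into {key_path: {value_name: data}}.

    The default value is stored under the name "". dword:/hex: data is skipped,
    since every value checked here is REG_SZ.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _lookup(keys, path):
    """Case-insensitive key lookup (registry paths are not case-sensitive)."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def audit_autostart(reg_text):
    """Return (key, value_name, message) for each value that deviates from its default."""
    keys = parse_reg_export(reg_text)
    findings = []

    # Shell Open Commands: any *\shell\open\command whose default is not "%1" %*
    for path, values in keys.items():
        if path.lower().endswith(r"\shell\open\command") and "" in values:
            cmd = values[""]
            if cmd != EXPECTED_OPEN_COMMAND:
                findings.append((path, "(Default)", f"open command hijacked: {cmd}"))

    # Winlogon Shell: should name Explorer.exe and nothing else
    winlogon = _lookup(keys, WINLOGON)
    shell = winlogon.get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", f"logon shell replaced: {shell}"))

    # Winlogon Userinit: comma-separated list; the stock value is userinit.exe alone
    userinit = winlogon.get("Userinit")
    if userinit is not None:
        for entry in (e.strip() for e in userinit.split(",")):
            if entry and ntpath.basename(entry).lower() != "userinit.exe":
                findings.append((WINLOGON, "Userinit", f"extra logon program: {entry}"))

    # AppInit_DLLs: empty by default; space- or comma-delimited DLL names otherwise
    appinit = _lookup(keys, WINDOWS_NT).get("AppInit_DLLs", "")
    for dll in re.split(r"[\s,]+", appinit.strip()):
        if dll:
            findings.append((WINDOWS_NT, "AppInit_DLLs", f"DLL loaded into every user32 process: {dll}"))

    return findings


if __name__ == "__main__":
    for key, name, message in audit_autostart(SAMPLE_REG):
        print(f"{key} [{name}]: {message}")
```

On a live machine `reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` produces a file in this format; it is normally written as UTF-16, so open it with `encoding="utf-16"` before handing the text to `audit_autostart`. As the post itself notes, an administrator may legitimately substitute another program for Userinit.exe, so a Userinit hit is a review item, not proof of infection.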
phawgg
post Jan 16 2005, 05:40 PM
Post #9


Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

5. System Agents.

Numbers 18-22 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)
AppInit DLL
Monitors unauthorized changes or additions to the AppInit_DLL files registry value.

The AppInit_DLL files registry value contains a list of .dll files that are loaded when user32.dll is loaded. Because most Windows executables use user32.dll, any .dll file that is listed in the AppInit_DLL files registry key is also loaded. This makes it difficult to remove the .dll file because it is loaded with multiple processes, some of which cannot be stopped without causing operating system instability. User32.dll is also used by processes that are automatically started when you log on. This means the files loaded in the AppInit_DLL files value are loaded early in the Windows startup routine, allowing the spyware to hide itself or protect itself before you have access to the system.

The AppInit_DLL files are loaded with LoadLibrary during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that don't link with User32.dll do not load the AppInit_DLL files. Very few executables do not link with User32.dll. Because of their early loading, only API functions exported from Kernel32.dll are safe to use within the initialization of the AppInit DLL files.

The AppInit_DLL files value is type REG_SZ. This value should specify a NULL-terminated string of .dll files, which is delimited by spaces or commas. Because spaces are used as delimiters, no long file names should be used. The system does not recognize semicolons as delimiters for these .dlls.

Only the first 32 characters of the AppInit_DLL files value are picked up by the system. Because of this 32-character limit, all the AppInit_DLL files should be located within the system32 directory. This eliminates the need to include a path, thus allowing multiple .dll files to be specified.

Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLL files value.

Explorer Trojan
Monitors known explorer Trojans.

Windows loads the file explorer.exe, typically located in the Windows directory, at startup. However, if the file C:\explorer.exe exists, it is executed instead of the Windows explorer.exe. If C:\explorer.exe is corrupt, you can effectively be locked out of your computer.

If C:\explorer.exe is a Trojan, it is executed. Unlike other autostart methods, there is no need for any file or registry changes—the Trojan just has to be named C:\explorer.exe to be disruptive.

Windows Password Protection
Monitors unauthorized changes to your Windows auto-logon preferences.

In Windows XP Professional you can automate the logon process by storing your password and other pertinent information in the registry. Using this feature, other users can start your computer and use your account to log on automatically.

Enabling auto-logon can make it more convenient to use WinXP Pro, but this feature is a security risk. Setting up auto-logon means anyone who can physically access the computer can access all of the computer's content, including any networks it is connected to.

Another risk is that enabling auto-logon causes the password to be stored in the registry in plain text. The registry key that stores this value is remotely readable by the Authenticated Users group. As a result, this setting is appropriate only when the computer is physically secured and unauthorized users are prevented from remotely accessing the registry.

Windows Update Service
Monitors modifications to your Windows Update access settings.

Newer versions of the Windows OS include an Automatic Updates feature, which can automatically download the latest security and application updates from Microsoft while your computer is on and connected to the Internet. Windows Update access restriction prevents computers from connecting to the Windows Update Web site. This restriction would prevent the computer from receiving the latest Windows updates from Microsoft.

Windows Protocols
Monitors redirector (hijacker) threats from overriding standard protocol drivers.

One spyware technique is to take control of the Windows protocol filters and handlers used to send and receive information.

IE uses two mechanisms to register new URL protocol handlers. The first method is to register a URL protocol and its associated application: all attempts to navigate to a URL using that protocol launch the application, for example, registering applications to handle mailto or news URLs.

The second method uses the Asynchronous Pluggable Protocols API, which enables you to define new protocols by mapping the protocol scheme to a class.


This post has been edited by phawgg: Jan 16 2005, 07:03 PM


phawgg
post Jan 16 2005, 07:29 PM
Post #10

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

6. System Agents.

Numbers 23-25 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.
Windows Restrict Anonymous
Monitors modifications to your Windows Restrict Anonymous settings.

Windows has a feature where anonymous users can list domain user names and enumerate share names. Users who want enhanced security can restrict this functionality. Windows provides a mechanism for administrators to restrict the ability of anonymous logon users, also known as NULL session connections, to list account names and enumerate share names. Listing account names from domain controllers is required by the Windows NT ACL editor, for example, to obtain the list of users and groups from which a user selects who to grant access rights to. Listing account names is also used by Windows NT Explorer to select from lists of users and groups to grant access to a share.

Windows NT networks based on a single Windows NT domain can always authenticate connections to list domain account information. Windows NT networks that use multiple domains may require anonymous user logon to list account information.

A brief example shows how anonymous connections are used. Consider two Windows NT domains, an account domain and a resource domain. The resource domain has a one-way trust relationship with the account domain. That is, the resource domain "trusts" the account domain, but the account domain does not trust the resource domain. Users from the account domain can authenticate and access resources in the resource domain based on the one-way trust. Suppose an administrator in the resource domain wants to grant access to a file to a user from the account domain. They will want to obtain the list of users and groups from the account domain to select a user/group to grant access rights. Since the account domain does not trust the resource domain, the administrator's request to obtain the list of users and groups from the resource domain cannot be authenticated. The connection is made using a NULL session to obtain the list of account domain users.

Windows Logon Policies
Monitors unauthorized additions and modifications to Windows logon policies.

The Windows logon utility manages user logon and logoff actions. The utility prompts you for the password when you log on and enables you to log off or shut down.

Windows logon is designed around an interactive logon model that consists of three components: the Winlogon executable, a graphical user interface (GUI), an authentication dynamic-link library (DLL) referred to as the GINA, and any number of network providers.

WOW Boot Shell
Monitors spyware threats that can load a particular file when Windows starts.

WOW\Boot\Shell is a Windows registry entry that allows a particular program to be shelled (loaded) when Windows starts.

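The checkpoints described in this post and the previous one (Userinit, AppInit_DLLs, C:\explorer.exe, auto-logon, Windows Update access, RestrictAnonymous, the GINA and the WOW boot shell) all come down to a handful of registry values and one file path, which is what lets a tool like this watch them. The PowerShell script below is an added example of a read-only audit of those same locations; it is not part of the original post and not Microsoft AntiSpyware's code. The "expected" baselines, the severities, and the exact key path used for WOW\Boot\Shell are this example's assumptions; the other value names (Userinit, Shell, GinaDLL, AppInit_DLLs, AutoAdminLogon, DefaultPassword, NoWindowsUpdate, RestrictAnonymous) are standard Windows registry values.

```powershell
# Added example, not from the original post or from Microsoft AntiSpyware:
# a read-only audit of the registry locations behind the checkpoints above.
# Baselines (what counts as "expected") and severities are this example's assumptions.
# Run in an elevated PowerShell session; nothing is modified.

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Area, [string]$Severity, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Area = $Area; Severity = $Severity; Detail = $Detail })
}

function Get-RegValue {
    # Returns $null when the key or value is absent instead of throwing.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wowBoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot'   # assumed location of WOW\Boot\Shell

# Winlogon\Userinit and Winlogon\Shell should name the system copies only.
$userinit = Get-RegValue $winlogon 'Userinit'
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($userinit -and $userinit.TrimEnd(',', ' ') -ne $expectedUserinit) {
    Add-Finding 'Winlogon\Userinit' 'High' "Unexpected value: $userinit"
}
$shell = Get-RegValue $winlogon 'Shell'
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Add-Finding 'Winlogon\Shell' 'High' "Unexpected value: $shell"
}

# A non-default GINA replaces the logon UI (Windows XP era; value absent or msgina.dll is the default).
$gina = Get-RegValue $winlogon 'GinaDLL'
if ($gina -and $gina -ne 'msgina.dll') { Add-Finding 'Winlogon\GinaDLL' 'High' "Non-default GINA: $gina" }

# AppInit_DLLs: split on the space/comma delimiters the post describes and resolve each entry
# relative to system32 (no path is expected in the value). A listed DLL missing from disk is odd too.
$appInit = Get-RegValue $windows 'AppInit_DLLs'
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\system32" $dll }
        $sev  = if (Test-Path -LiteralPath $full) { 'Medium' } else { 'High' }
        Add-Finding 'AppInit_DLLs' $sev "Entry '$dll' (resolved to $full)"
    }
}

# Explorer Trojan: a file named explorer.exe in the root of the system drive.
$rogue = Join-Path $env:SystemDrive 'explorer.exe'
if (Test-Path -LiteralPath $rogue) { Add-Finding 'Explorer Trojan' 'High' "$rogue exists" }

# Auto-logon: enabled, and worse if DefaultPassword is stored alongside it in plain text.
if ("$(Get-RegValue $winlogon 'AutoAdminLogon')" -eq '1') {
    $detail = 'AutoAdminLogon=1'
    if (Get-RegValue $winlogon 'DefaultPassword') { $detail += ' and DefaultPassword is present in plain text' }
    Add-Finding 'Auto-logon' 'High' $detail
}

# Windows Update access restriction (policy value NoWindowsUpdate, per-machine or per-user).
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'NoWindowsUpdate'
    if ($v -eq 1) { Add-Finding 'Windows Update' 'Medium' "$hive NoWindowsUpdate=1 blocks access to Windows Update" }
}

# RestrictAnonymous: 0 or absent means this value is not restricting NULL-session enumeration.
$ra = Get-RegValue $lsa 'RestrictAnonymous'
if (-not $ra) { Add-Finding 'RestrictAnonymous' 'Low' 'RestrictAnonymous is 0 or not set' }

# WOW boot shell: the 16-bit subsystem's shell= line mirrored in the registry. Any value is
# reported for review because the default differs by Windows version (no default is assumed here).
$wowShell = Get-RegValue $wowBoot 'shell'
if ($wowShell) { Add-Finding 'WOW\Boot\Shell' 'Medium' "shell=$wowShell" }

if ($Findings.Count -eq 0) { Write-Output 'No deviations from the assumed baseline.' }
else { $Findings | Sort-Object Area | Format-Table -AutoSize }
```

Every check reads a value and compares it against a baseline rather than trying to clean anything up, which is the same split the tool itself makes between its agents (which detect a change) and the user (who decides what to do about it). Save the output from a known-good machine and diff it against later runs to get the "unauthorized change" alerting the agents describe without a resident monitor.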
phawgg