|
RegRun against Trojans and Viruses
Trojan programs. What are they?
"A program that neither replicates or copies itself, but does damage or compromises the security of the computer. Typically it relies on someone emailing it to you, it does not email itself, it may arrive in the form of a joke program or software of some sort."
(Symantec Security Response - Glossary)
As you can see a trojan program need to be started automatically to begin its work.
Prevent from starting this program and it will be not more dangerous than a dust on the road.
RegRun against Trojans
|
RegRun Watch Dog provides silent monitoring of the startup programs during your Windows working session.
If RegRun WatchDog has detected changes to your registry or startup files, you will see a window similar to this:
|
|
You may quickly decline changes and restore your working startup.
What the startup holes are monitored by WatchDog?
Windows 95/98/ME
Files:
- AUTOEXEC.BAT
- CONFIG.SYS
- WINSTART.BAT
Startup entries:
- load, run in the WIN.INI
- shell in the SYSTEM.INI
Registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Active Setup\Installed Components
Any registry keys added to the trace list using Registry Tracer feature
(for example: Internet Explorer home page.)
Note! RegRun automatically adds to monitoring list:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppInit
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Start Page
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
File Extensions (may be expanded by user): pif, bat, com, exe.
VXD and Device drivers.
Finally: STARTUP and COMMON STARTUP folders.
Windows NT4/2000/XP:
Files:
- %SYSTEMROOT%\SYSTEM32\config.nt
- %SYSTEMROOT%\SYSTEM32\autoexec.nt
Startup entries:
- load, run in the mapped to the registry WIN.INI
- shell in the the mapped to the registry SYSTEM.INI
Registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Active Setup\Installed Components
In addition to the registry keys above:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
(by Registry Tracer)
File Extensions(may be expanded by user):
pif, bat, com, exe.
Device drivers.
Services.
Another way to auto run trojan is substitution of the execution files and DLLs used in the startup.
Most of known e-mail trojans substitute WinSock DLL.
RegRun has two features to prevent substitution.
Anti Replacement
RegRun automatically detects files that will be replaced with the next restarting of Windows. Windows needs to use special technology to replace opened files a like system DLL or executable files.
- Windows 9X and Windows ME uses "wininit.ini" file located in Windows folder.
-
Windows NT/2000 uses registry value -
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations".
File Protection
RegRun File Protection copies the original files to the special "storage" folder.
RegRun File Protection supports full file comparison or signature checking.
If you check the box "Use Signature Checking" RegRun makes an MD5 signature of the source file and saves it. While comparing, it compares the original signature with a calculated signature.
File Protection allows to protect any files and to quickly restore them.
RegRun is the effective tool against trojans. The main advantage of the RegRun is its possibility to fight agains unknown trojans!
RegRun is the advanced trojan detector!
Viruses:
"A program or code that replicates, that is infects another program, boot sector, partition sector or document that supports macros by inserting itself or attaching itself to that medium. Most viruses just replicate, a lot also do damage."
(Symantec Security Response - Glossary)
RegRun doesn't replace antiviral software.
It has the Infection Detector feature.
RegRun uses special technology to search for viruses unknown to antiviral software.
This is not signature scanning, but rather "infection scanning".
During a session, RegRun opens and monitors a number of "bait" program and
macro files which are vulnerable to infection by any active virus.
If any of these files change, RegRun will advise you, and facilitate
your communication with your antivirus supplier by
providing you before and after samples.
RegRun uses advanced technology to detect UNKNOWN viruses!
 Purchase RegRun
Read more information...
Would you like to add your opinion?
|
RegRun Security Suite
