[Dshield] Windoze Questions...

David Vincent david.vincent at mightyoaks.com
Thu Feb 12 17:31:11 GMT 2004


hi jon.

you asked:

>   1) Are there programs equivalent to COPS and TripWire that 
> run on Windows?

http://www.gfi.com/lansim/

>   2) Anyone running SNORT under Windows? Any comparison to 
> how it runs under *nix?

i've done it, but can't compare the two.  you could join their mailing list
and ask.  no doubt that is a topic discussed to death.  maybe read the faq
first.  :)

http://www.snort.org/lists.html

http://www.snort.org/docs/FAQ.txt

http://www.snort.org/docs/

>   3) Does the most common AV software (Symantec, NAI, etc.) 
> catch keystroke loggers and other spyware (not Adware!) that 
> may be present and running or a Windows system?

not in my experience.  for those i use ad-aware, spybot search and destroy,
and spyware blaster.  yesterday i tried out bazooka adware and apyware
scanner, and it seems to catch some things the others missed.

Bazooka:
http://www.kephyr.com/spywarescanner/

Spybot:
http://www.safer-networking.org/

Spywareblaster:
http://www.javacoolsoftware.com/spywareblaster.html

Ad-Aware:
http://www.lavasoftusa.com/

>   4) About the Windows encrypted file system... if someone 
> gets Admin privilege on a system using the encrypted file 
> system, can they disclose or compromise data that would 
> normally be protected?

admins are usually designated as "recovery agents" which means they can
decrypt any files in the system.  they cannot automatically see the data in
the files, there are steps to jump through.  but it is possible.

http://ist.uwaterloo.ca/security/position/efs/agents.shtml

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/winxppro/proddocs/sag_SEprocsAddRecAgent.asp

>   5) When I search for products that detect adware installed 
> on a Windows box, I get dozens of hits... is any given 
> product better than another, or do you really need a 
> combination of products to detect and stop all the various 
> adware downloads in use?

see above.  do you really trust only one virus scanner to detect ALL viruses
ALL the time?  i've been hit with various java scripts in web pages my
paid-for norton did not find, and i had to go to the FREE Trendmicro
Housecall Online Virus scanner to get my system clean again.

http://housecall.trendmicro.com/


>   6) Finally, windows firewalls... Is Zone Alarm still 
> considered the best for Windows? What are the strengths and 
> weaknesses of the firewall built into Win/XP?

depends on the user.  for real dummies i feel the xp firewall is the best
simply because it will keep the badies oud without comfusing them with a
bunch of prompts.  for more experienced, sygate is my fav very closely
followed by kerio and then by zonealarm.

http://soho.sygate.com/default.htm

http://www.kerio.com/kpf_home.html

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.js
p

the main weakness of the xp firewall is no application-layer filtering.  ie,
it will not alert you to programs trying to access the network.  it only
blocks incoming by default.  so if the user gets a virus installed on the
machine, it will be able to "phone home".

-d





More information about the list mailing list