[Dshield] Windoze Questions...

Doug White doug at clickdoug.com
Thu Feb 12 17:45:44 GMT 2004

See reply integrated:

Stop spam on your domain, Anti-spam solutions
For hosting solutions http://www.clickdoug.com
Aspire to Inspire before you Retire or Expire!

----- Original Message ----- 
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Thursday, February 12, 2004 8:26 AM
Subject: [Dshield] Windoze Questions...

: Greetings,
: As I have said several times before, I am not a windows expert and we use few
windows machines in our shop. Thus, I have a few questions about Windows
security from a Unix perspective.
: Questions:
:   1) Are there programs equivalent to COPS and TripWire that run on Windows?
:   2) Anyone running SNORT under Windows? Any comparison to how it runs under

There is a windows version of Snort and it works exactly like the Linux version.

:   3) Does the most common AV software (Symantec, NAI, etc.) catch keystroke
loggers and other spyware (not Adware!) that may be present and running or a
Windows system?

Symantec's Norton Anti-virus will detect "some" malware, but not all.  An
additional tool which goes deeper than Ad-Aware is "Spybot - Search and Destroy".
This will catch them.  Another good tool is "Trojan Hunter".

:   4) About the Windows encrypted file system... if someone gets Admin
privilege on a system using the encrypted file system, can they disclose or
compromise data that would normally be protected?

If an intruder gets admin privileges, it is the same as getting root privileges
on a Linux box.  There are several methods that are considered best practices to
reduce this risk.
Good passwords, etc.

:   5) When I search for products that detect adware installed on a Windows box,
I get dozens of hits... is any given product better than another, or do you
really need a combination of products to detect and stop all the various adware
downloads in use?

I don't know of any that will prevent the download and installation of spyware
other than education of the users, however, periodic running of Spybot - Search and
Destroy will reveal most of these and provide a means of removing them.

:   6) Finally, windows firewalls... Is Zone Alarm still considered the best for
Windows? What are the strengths and weaknesses of the firewall built into

I strongly recommend ZoneAlarm Pro (the paid-for version) as among its many
features it will block both incoming and outgoing, whereas the XP firewall (same
for Win2003) will only block incoming (generally speaking).  No one really can
tell what protection you have with the XP firewall, and little information is

ZA also has web content filtering, mail filtering (renames executables so they
will not auto-execute) and more.

If you run Snort and ZA on the same Windows box, ZoneAlarm will block much stuff
before it gets to Snort, and as a result Snort will not ever see all of the
stuff.  I used Snort on both platforms for a while, but have now disabled it,
because it seems to be just too processor intensive.

Your mileage may vary.....
: TIA for all answers!
: -- 
: Jon R. Kibler
: Chief Technical Officer
: A.S.E.T., Inc.
: Charleston, SC  USA
: (843) 849-8214
