[Dshield] Windoze Questions...

Johannes B. Ullrich jullrich at sans.org
Thu Feb 12 17:17:59 GMT 2004

>   1) Are there programs equivalent to COPS and TripWire that run on Windows?

There is a commercial version of Tripwire which runs under Windows.

>   2) Anyone running Snort under Windows? Any comparison to how it runs under *nix?

I have seen it work, but it can be tricky (depends on network hardware
and such).

>   3) Does the most common AV software (Symantec, NAI, etc.) catch
> keystroke loggers and other spyware (not adware!)
> that may be present and running on a Windows system?

Usually yes.

>   4) About the Windows encrypted file system...
> if someone gets Admin privilege on a system using the encrypted
> file system, can they disclose or compromise data that would
> normally be protected?

I think they can, but it may be different depending on how the system is
set up. They should be able to change the user's password, log in as that
user, and access the files.

>   5) When I search for products that detect adware installed on
> a Windows box, I get dozens of hits... is any given product better
> than another, or do you really need a combination of products to
> detect and stop all the various adware downloads in use?

I hear 'Ad-Aware' from Lavasoft is pretty good. There was a nice review
a while ago about how some adware-blockers are spyware themselves...

>   6) Finally, Windows firewalls... Is ZoneAlarm still considered
> the best for Windows? What are the strengths and weaknesses of the
> firewall built into Win/XP?

The basic WinXP firewall will only block inbound connections, and it is
not "application aware". ZoneAlarm can limit outbound connections to
trusted applications. While there has been a lot written about how to
bypass these checks, it is still one of the unique advantages of
software firewalls.

> TIA for all answers!

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
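The firewall answer above contrasts an inbound-only filter with an "application aware" one that only lets trusted programs open outbound connections. The following is an added example, not code from the original post or from ZoneAlarm; it reproduces that application-aware outbound policy with the built-in Windows firewall. It assumes a current Windows (8 / Server 2012 or later) with the NetSecurity PowerShell module, since the XP firewall discussed in the post had no outbound or per-program rules, and it runs from an elevated session. The program paths and rule names are placeholders.

```powershell
# Added example (not from the DShield post). Assumes Windows 8 / Server 2012 or
# later with the NetSecurity module, run from an elevated PowerShell session.
# Demonstrates the posture the post describes: inbound blocked by default,
# outbound blocked by default, and only named applications allowed out.

# 1. Inspect the current defaults. A stock install normally reports
#    DefaultInboundAction = Block and DefaultOutboundAction = Allow, i.e. the
#    "inbound only" behaviour the post attributes to the XP firewall.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Per-application allow rules. Only these binaries may initiate outbound
#    connections once the default is flipped in step 4. Paths are placeholders;
#    point them at the real executables on the host.
$trustedApps = @{
    'Allow outbound - Browser' = 'C:\Program Files\ExampleBrowser\browser.exe'  # placeholder
    'Allow outbound - Mail'    = 'C:\Program Files\ExampleMail\mail.exe'        # placeholder
}
foreach ($name in $trustedApps.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $trustedApps[$name] -Profile Any -Enabled True
}

# 3. Core services the OS itself needs. These are scoped to a Windows service
#    rather than a bare svchost.exe path, so an unrelated process cannot ride
#    the same allow rule. Add further service rules (e.g. Windows Update) the
#    same way as the host requires.
New-NetFirewallRule -DisplayName 'Allow outbound - DNS client' -Direction Outbound `
    -Action Allow -Service Dnscache -Protocol UDP -RemotePort 53 -Profile Any
New-NetFirewallRule -DisplayName 'Allow outbound - DHCP client' -Direction Outbound `
    -Action Allow -Service Dhcp -Protocol UDP -RemotePort 67 -Profile Any

# 4. Only now flip every profile to block outbound traffic by default.
#    Doing this before the allow rules exist would cut off the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 5. Log dropped packets so unexpected outbound attempts (the thing an
#    application-aware filter is there to surface) end up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 6. Verify: list every enabled outbound allow rule together with the program
#    it is bound to, which is the whole trusted-application list in one view.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
    }
```

The order matters: the allow rules are created before the default outbound action is changed, otherwise the session applying the policy loses its own connectivity. Step 6 is the review step a defender repeats after any software install, since each new outbound allow rule widens the set of programs that can reach out.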