[Dshield] Windoze Questions...

john beck jbeck80 at hotmail.com
Fri Feb 20 17:28:36 GMT 2004

This may help

GFI has a freeware product called "System Integrity Monitor"

GFI LANguard S.I.M. scans your system for important system files, computes 
an MD 5 checksum for every important system and files this in a database. At 
scheduled intervals, GFI LANguard S.I.M. scans the list of monitored files, 
computes another MD 5 checksum and tests the current value against the 
stored value to determine if the file has been modified. If it detects a 
change, it notifies the system administrator via email, and logs the 
occurrence in the security event log.

Secure file integrity checking using MD5
MD 5, or Message Digest Algorithm, is a standard for creating fingerprints 
of files. It is a one-way hash algorithm that takes any length of data and 
produces a 128 bit "fingerprint" or "message digest".

Highly efficient process
GFI LANguard S.I.M.'s file integrity checking runs in the background as a 

Create multiple scan jobs
GFI LANguard S.I.M. allows you to create multiple scan jobs, so that you can 
monitor different types of files at different intervals.

Email alerts
GFI LANguard S.I.M. can send alerts to different people/email addresses for 
different scan jobs.

Web vandal detection
GFI LANguard S.I.M. scans web site pages for changes, and can therefore 
detect and notify you of web page vandalism immediately.

As it is freeware, GFI LANguard S.I.M. is available for all.

Logs file changes to Windows event log
File/system changes are logged to the Windows security event log, allowing 
you to easily view a list of file changes over time.

Because GFI LANguard S.I.M. logs file changes to the Windows security event 
log you have an undeletable log of changes to your system files.

Integration with GFI LANguard S.E.L.M.
GFI LANguard Security Event Log Monitor (S.E.L.M.) can detect events created 
by GFI LANguard S.I.M. and can archive these events to a database. This 
allows you to consolidate system changes on multiple servers and 
workstations to one database for centralised auditing.

>From: "Jon R. Kibler" <Jon.Kibler at aset.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: Re: [Dshield] Windoze Questions...
>Date: Fri, 20 Feb 2004 11:10:18 -0500
>Corinne Cook wrote:
> >
> > Hi Jon-
> >
> > While not an expert myself, I can answer a few of your questions:
> >
> > 1)Tripwire actually does have products that run on Windows platforms(or 
> > least Win200x, possibly NT4 as well).
>Before writing my original post, I had checked out the Tripwire web site 
>and could not
>find any products for the Windows workstation. They did have some SERVER 
>products, but
>nothing for an end-user workstation. I talked to our Tripwire sales rep 
>yesterday and
>he confirmed that they do not have regular market products for the 
>non-server Microsoft
>environment. To what products were you referring?
>Our potential customer that spawned all of these questions has already 
>experienced a
>problem that I believe that we will all see within the next few months: The 
>propagation of worms before the AV software vendors are able to publish new 
>files. This potential customer was looking for alternative (non-AV) 
>solutions to alert
>them that an end-user's system has been compromised.
>It has been our experience that the length of time between when an AV 
>vendor first
>publishes the signatures for a new worm, and the time that we first observe 
>the worm,
>has been dropping by about half for each major new worm. For Beagle.B, we 
>saw the first
>occurrence of the worm in less than an hour after we received the first AV 
>update for it. (We run 4 different AV scanners. For one of the AV products, 
>it was almost
>a day AFTER we first observed Beagle.B before they had new signatures 
>available.) Since
>we update our most critical AV signatures ever half-hour (more often would 
>be impractical),
>we can easily see the day coming where we will see the widespread 
>distribution of a worm
>before ANY AV signatures are available to detect it.
>Thus, the interest in products that would detect the modification of a 
>desktop system
>independent of any AV product. We have developed email filtering tactics 
>that protect
>our clients should AV fail to detect worms processed by our email systems, 
>but that
>does not protect an organization from some employee's system becoming 
>infected when
>they check their personal email on Hotmail or similar services, or bring an 
>laptop into the organization.
>Why are worms spreading so fast? Although I know of no one with any 
>evidence that would
>hold weight in a criminal court, the preponderance of evidence is that 
>spammers are
>responsible for the majority of the new worms. These new worms are 
>spreading so fast because
>spammers are using their tens to hundreds of thousands of already 
>compromised systems to
>rapidly blast the worm to as many recipients as possible. This results in 
>an ever increasing
>number of compromised systems. Soon (and VERY soon I fear!), spammers will 
>control enough
>systems to make the distribution of a new worm essentially instantaneous! 
>(Are you prepared?)
>Jon R. Kibler
>Chief Technical Officer
>A.S.E.T., Inc.
>Charleston, SC  USA
>(843) 849-8214
>Filtered by: TRUSTEM.COM's Email Filtering Service
>No Spam. No Viruses. Just Good Clean Email.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

Watch high-quality video with fast playback at MSN Video. Free! 

More information about the list mailing list