-aditya > > Sure...Perl scripts. As a security admin in an > FTE > > position, I had scripts that checked all systems > > within the domain for entries in the ubiquitous > 'Run' > > key, as well as for BHOs. Easy stuff, pretty > trivial, actually. > > but then you would have to keep on updating your > bhos and other sigs, and what about the spyware that > when removed from the run key refuse to let the > network connections operate? how do u take care of > them ?
You need to go back and read what I posted again. I never said anything about removing anything...all I did was check. By querying the BHO listings and the entries in the Run key (and others), I was able to narrow down the systems that needed to be visited personally. It's not difficult to figure out how things work on Windows systems. Once you find that out, it's pretty simple. I will defer to Marcus Ranum's title of "artificial ignorance" to describe how the Perl scripts work...by identifying those things that are known to be 'good' entries and filtering those out, you're left with the suspicious stuff. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
