Earlier today I came across a new tool that might be useful to InfoSec professionals. Though it is not a "security" tool, it can be used by support people to better understand the modifications that may have occurred to a particular system. Once installed, the tool scans the computer for specific types of changes, including....
However, in my testing on my laptop, I have found that some software packages appear to make changes in more places than I even knew were occurring. For example, Symantec Antivirus Corporate Edition changes the path to certain driver files with virus definition updates. These will be reported as:
Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"

Adobe Acrobat apparently also makes regular modifications to the startup folder for its Speed Launcher program.
Even with these items that may need to be ignored depending on the support issue at hand, the tool may be very useful for determining what end users may have done to their computer. This eliminates the user's need to accurately articulate the changes to you, if they actually admit to changing something. For more information on the tool, please see KB Article 924732 at support.microsoft.com.
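One way to suppress that kind of expected noise when reviewing a report, as an added example that is not part of the original post or of the Microsoft tool. It assumes the report contains lines in the `Changed from "..." to "..."` form quoted above and treats a path component shaped like YYYYMMDD.NNN as a dated definition-set directory; the function names and the second sample line are constructed for illustration.

```python
import re

# Matches the report line format quoted in the post: Changed from "<old>" to "<new>"
CHANGE_RE = re.compile(r'Changed from "(?P<old>[^"]*)" to "(?P<new>[^"]*)"')

# A path component that looks like a dated definition set, e.g. 20070326.020
# (assumption: eight digits, a dot, three digits, between two backslashes).
DATED_DIR_RE = re.compile(r'(?<=\\)\d{8}\.\d{3}(?=\\)')


def normalise(path):
    """Replace dated definition-set directories with a fixed token and fold case."""
    return DATED_DIR_RE.sub("<DEFSET>", path).lower()


def classify(line):
    """Return (verdict, old, new) for a change line, or None for any other line."""
    m = CHANGE_RE.search(line)
    if m is None:
        return None
    old, new = m.group("old"), m.group("new")
    # Same file, same directory tree, only the dated component moved:
    # the pattern the post describes for virus definition updates.
    if old != new and normalise(old) == normalise(new):
        return ("expected-rotation", old, new)
    return ("review", old, new)


def triage(lines):
    """Keep only the change lines that still need a person to look at them."""
    results = (classify(line) for line in lines)
    return [r for r in results if r is not None and r[0] == "review"]


# Constructed sample report: the first line is the one quoted in the post,
# the other two are invented for illustration.
SAMPLE = [
    r'Changed from "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070326.020\navex15.sys" to "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070327.019\navex15.sys"',
    r'Changed from "\??\C:\WINDOWS\system32\drivers\example.sys" to "\??\C:\TEMP\example.sys"',
    "Scan completed",
]

if __name__ == "__main__":
    for verdict, old, new in triage(SAMPLE):
        print(f"{verdict}: {old} -> {new}")
```

A change that moves a file to a different directory or a different file name is never suppressed, because only the dated component is normalised before the comparison.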
Mar 28th 2007