Sham,

> A quick question.
> If you were to monitor the windows system files
> (access etc.) and exe's.
> From a security point of view which ones would you
> monitor and why.
> I've been to the usual places and can't seem to get an
> answer.

When you say "monitor", are you referring to enabling auditing on objects, or process tracking via the Event Log?

A great reference for files to monitor access to is a listing of the files in dllcache. Yes, these are monitored by WFP, but the only time anything happens is when you attempt to modify/delete a protected file. This is also true for wrapper Trojans, but not ADSs.

From a security perspective, though, I'd be interested in monitoring much more, to include ports that are opened. MS has a tool called PortReporter that may be of use to you.

HTH,

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
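
One way to act on the dllcache suggestion in the reply above, as an added example that is not part of the original post: the script builds a watch list from the dllcache listing and, only when asked, adds audit (SACL) entries for write and delete attempts on the live copies. The parameter names and the choice of `system32` as the live directory are assumptions; it must run elevated, and "Audit object access" must be enabled for the entries to produce Security log events.

```powershell
# Added example (not from the original post). Parameter names are hypothetical.
param(
    [string]$CacheDir = (Join-Path $env:SystemRoot 'system32\dllcache'), # WFP cache named in the post
    [string]$LiveDir  = (Join-Path $env:SystemRoot 'system32'),          # assumption: where live copies sit
    [switch]$Apply                                                       # without -Apply, report only
)

if (-not (Test-Path -LiteralPath $CacheDir -PathType Container)) {
    Write-Error "dllcache not found at $CacheDir"
    return
}

# Audit successful and failed attempts to modify, delete or re-permission a file.
# The well-known SID S-1-1-0 (Everyone) avoids problems with localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $flags)

$cached  = @(Get-ChildItem -LiteralPath $CacheDir -Force | Where-Object { -not $_.PSIsContainer })
$skipped = 0

foreach ($file in $cached) {
    $live = Join-Path $LiveDir $file.Name
    # Protected files also live outside system32 (drivers, for example); count and skip those.
    if (-not (Test-Path -LiteralPath $live -PathType Leaf)) { $skipped++; continue }

    $status = 'listed'
    if ($Apply) {
        try {
            $acl = Get-Acl -LiteralPath $live -Audit   # -Audit loads the SACL, which needs elevation
            $acl.AddAuditRule($rule)
            Set-Acl -LiteralPath $live -AclObject $acl -ErrorAction Stop
            $status = 'audited'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Path = $live; Status = $status }
}

Write-Host "$($cached.Count) cached files, $skipped without a live copy in $LiveDir"
```

As the reply notes, this kind of file auditing does not cover alternate data streams or opened ports, which need separate monitoring.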
This archive was generated by hypermail 2.1.3 : Fri Sep 08 2006 - 09:54:59 PDT