dellyfry

Offline/remote registry scanning

Hi,

One feature I would like to see SUPERAntiSpyware Pro have is the ability to scan a registry hive file(s) on another drive slaved to a host system or run from some kind of Windows PE/BartCD disc.

I find this to be an excellent way of ridding a system of spyware, especially the nasty variants that try really hard to hide themselves.

If you ever include the functionality of direct startup, BHO, service, process, and ActiveX editing/manipulation... this would be very nice indeed, especially if it could be used remotely on another installation's registry files.

Thanks for a great program,

Robby

Thank you very much for your excellent suggestions. We do have technology to read the hives directly, but modifying the hives can be a "tricky" process so that may not be as practical as the file scanning aspects - the files are what represent the "real" threat - meaning, once the files are gone, 99.99% of the harmful portion of the infection will be removed.

Thanks for the reply.

I can see how direct editing of the registry while you are live within the Windows environment in question would be tricky, but is this the same for offline editing when that environment is not even live? I dunno, I'm not a programmer nor do I have the technical know-how.

I did notice that Spybot S&D, when you start the program using the /allhives switch, will import an attached drive's registry entries into a special "PE"-like entry (during the entire time the program is open) that permits me to scan it not only with Spybot, but also (limited) Ad-Aware and TrendMicro. I don't recall if SUPERAntiSpyware scans those areas or not. If it does not, could you add a special ability to ensure it scans areas of the registry that begin with "PE.." and then, when all detections and corrections have been performed, the user can close out of Spybot S&D, which will then write the hive files back to their host?

As for deletion of the spyware files, I agree completely. I think I had more in mind the (rarer) times when malware that is removed will often cause issues with the O.S. until the associated registry values are also corrected.

Thanks and take care,

Robby

The Hives can be "mounted" - we could do that; that is essentially what Spybot is doing - or importing the entire hive into a key under the Spybot key and scanning it there.

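The hive mounting the developer describes, as an added example that is not SUPERAntiSpyware's or Spybot's own code: it loads an offline SOFTWARE hive from a slaved drive under a temporary HKLM key, lists the Run/RunOnce and BHO entries Robby asked about, and unloads the hive again without writing anything back. It assumes an elevated prompt, the slaved drive being E:, and the temporary key name OfflineSOFTWARE.

```powershell
# Added example, not SUPERAntiSpyware or Spybot code. Read-only look at an
# offline SOFTWARE hive: mount it under a temporary HKLM key, list autostart
# entries and Browser Helper Objects, then unload it. Run from an elevated
# prompt; HivePath and MountName below are assumptions, adjust to your setup.
param(
    [string]$HivePath  = 'E:\Windows\System32\config\SOFTWARE',  # slaved drive (assumed)
    [string]$MountName = 'OfflineSOFTWARE'                       # temporary key (assumed)
)

$mountKey = "HKLM\$MountName"          # reg.exe syntax
$base     = "HKLM:\$MountName"         # PowerShell provider syntax

# reg.exe load maps the hive file onto a key without booting that Windows.
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (exit $LASTEXITCODE)" }

try {
    # Inside the mount the usual HKLM\SOFTWARE prefix is the mount point itself,
    # so Run/RunOnce live directly under Microsoft\Windows\CurrentVersion.
    foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run',
                     'Microsoft\Windows\CurrentVersion\RunOnce') {
        $path = "$base\$sub"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Location = $sub; Name = $name; Command = $key.GetValue($name) }
        }
    }

    # BHOs are registered by CLSID; resolve each to its InprocServer32 DLL so
    # the file, which is what actually carries the infection, can be inspected.
    $bhoPath = "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (Test-Path $bhoPath) {
        foreach ($clsidKey in Get-ChildItem -Path $bhoPath) {
            $clsid   = $clsidKey.PSChildName
            $srvPath = "$base\Classes\CLSID\$clsid\InprocServer32"
            $dll     = if (Test-Path $srvPath) { (Get-Item -Path $srvPath).GetValue('') } else { '<not registered>' }
            [pscustomobject]@{ Location = 'BHO'; Name = $clsid; Command = $dll }
        }
    }
}
finally {
    # Always unload, or the hive file stays locked on the slaved drive.
    # Drop PowerShell's own handles to the key first, otherwise unload fails.
    [GC]::Collect()
    & reg.exe unload $mountKey | Out-Null
}
```

Writing to the mounted hive is deliberately left out, in line with the developer's point that modifying hives offline is the tricky part; the output is for review only.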
I hope that it is a feature you might consider in the future. Especially if you make a plugin that would work with a BartCD, which, by the way... are you considering doing a BartCD plugin? :D

Oh, one last thing I forgot to mention. During the scan SUPERAntiSpyware performs, it would be nice to see the malware processes separated by a special delimiter that would permit what I believe to be an easier review of found components. Maybe adding some kind of RAM icon, or other symbol, that would inform the user that "component ABC" is currently in memory, as opposed to grouping it into the entire list.

Robby

Not sure about the BartCD thing (yet) :) When the items are detected, they are separated into memory, files and registry - it will display that in the tree view at the end.

Example: [screenshot: IMGSASScanning2Full.gif]

Hmm, I think I had more in mind during the initial scanning phase, before the selection screen you referenced above. Minor squib(le) on my part but really nothing important.

Last thing.. :oops: ... if you ever do a process viewer, using your excellent direct kernel engine, I hope you can create a viewer that will show hidden processes, highlight Microsoft processes, and highlight malware processes (especially those named like Windows processes). Linking it to your database "fileresearchcenter" would be interesting as well.

Okay, thank you for all your time. :)

Robby

We actually have such a tool that we use in-house - we may release it for public consumption (in the future).
