Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


February 2000

Grr! 1.20.b.19990915R



System intrusions, both from the Internet and locally, are on the rise. Intruders exploit vulnerable system areas by entering a setting to start or load malicious code automatically, either at boot-up or during user logon. For example, an intruder might place a load=c:\killsys.exe statement in the system.ini file (after copying the code to the local system) or use the RunOnce key in the HKEY_LOCAL_MACHINE Registry hive to configure a similar setting.

To confront such threats, Greyware Automation Products created Greyware Registry Rearguard (Grr!) 1.20.b.19990915R. The product monitors activity in the startup folder, startup files, and areas of the Registry where an attacker can configure malicious code to run. Grr! then alerts the user or systems administrator if the program detects unauthorized activity.

I installed the product with little effort. The configuration settings include a splash screen during startup, an SMTP email account for alerts, and specifications that let users accept unauthorized system changes. An icon in the Windows NT Control Panel lets you change these settings if necessary. Another icon enables and configures the system as a Grr! server, so you can create uniform settings for all clients. You can customize the Grr! server setup to monitor nonstandard files and folders (e.g., *.hlp files if you suspect an attacker might add malicious code to Help files) with the default client setup. Grr! also includes configuration settings for sending alerts to a dial-up recipient (if your only SMTP server is your ISP's server) and a setting to log all alerts to a text file on the local system. An optional setting lets you configure the software to play a growl sound when the Grr! warning dialog box, which Screen 1 shows, pops up.

After installation, I tested the functionality of Grr!'s alerts. Because I'm not familiar with building malicious code, I simply mimicked the results that such code creates. I used two methods for testing. First, I made changes to monitored Registry keys and modified a monitored configuration file. After I made each change, an alert dialog box appeared that displayed the affected hive or configuration file and the setting before and after the changes. When the box appeared, I had the option of accepting or rejecting the changes because I'd configured Grr! to let users accept changes. Second, I used the Copy command and the Microsoft Windows NT Server 4.0 Resource Kit's reg.exe tool to push Registry and configuration file changes remotely from a script file. The content of the fictitious malicious files didn't matter because Grr! detects only system changes. Grr! responded to these changes with its alert dialog box, which displayed the system changes and waited for me to accept or refuse the new settings. Grr! also sent an SMTP email message when these alerts appeared, delivering a useful outline of system settings before and after the change.
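The baseline-and-compare model behind these alerts (record the monitored startup settings, then report each one that differs along with its value before and after) can be sketched as follows. This is an added example, not Grr!'s code or the reviewer's test script; the snapshot contents, the `killsys` value name, and both function names are constructed for illustration, and nothing is read from a live system.

```python
# Added example: baseline-and-compare monitoring of autostart settings.
# All snapshot data is constructed; the function names are hypothetical.

RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def parse_startup_file(text):
    """Return {name: value} for every key=value line in INI-style text."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            key = key.strip().lower()
            settings[f"{section}.{key}" if section else key] = value.strip()
    return settings


def diff_snapshots(before, after):
    """Compare two {location: {name: value}} snapshots.

    Returns sorted (location, name, old, new) tuples; None marks an absent value.
    """
    changes = []
    for location in sorted(set(before) | set(after)):
        old, new = before.get(location, {}), after.get(location, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((location, name, old.get(name), new.get(name)))
    return changes


# Constructed baseline and later snapshot, using the article's example setting.
BASELINE = {
    "system.ini": parse_startup_file("[boot]\nshell=explorer.exe\n"),
    RUNONCE: {},
}
CURRENT = {
    "system.ini": parse_startup_file(
        "load=c:\\killsys.exe\n[boot]\nshell=explorer.exe\n"),
    RUNONCE: {"killsys": r"c:\killsys.exe"},
}

if __name__ == "__main__":
    for location, name, old, new in diff_snapshots(BASELINE, CURRENT):
        print(f"ALERT {location} [{name}] before={old!r} after={new!r}")
```

Because the comparison looks only at setting values, it behaves like the product in the test above: the content of the referenced file is irrelevant, and an authorized change raises the same alert as an unauthorized one until the baseline is updated.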

I wondered what an end user might see when an alert triggered. I was concerned that in an enterprise installation, if an authorized upgrade changed a monitored area, the upgrade might trigger a growling alert box affecting hundreds of users. I emailed Greyware's technical support with my question and promptly received a response with a useful solution. Fortunately, you can disable all end-user interactions and email alerts. You can also have a third-party application monitor the local log files. I prefer the latter setup in a large user environment, provided that systems administrators promptly address alerts.

I liked Grr!'s concept, design, and functionality, especially when you configure alerts to go to a central control point. I prefer that the email alert be configurable for Microsoft Exchange Server (because I had to install an SMTP email server specifically for this review). But as I've seen in other new management products, SMTP email appears to be the generic, Web-oriented email system of choice. Grr!'s per-machine price is reasonable, and I recommend the product for clients that require tight, thorough monitoring of system configuration.

Grr! 1.20.b.19990915R
Contact: Greyware Automation Products * 972-867-2794
Web: http://www.greyware.com
Price: $24.95 per machine
DECISION SUMMARY:
Pros: Effective and easy to configure
Cons: No remote alerting other than SMTP email messages

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.