Program to protect the registry from changes. Programs that prevent systemic changes. Protect your registry from spyware and viruses

The option to access the registry of a remote computer is a very convenient method that allows the administrator to effectively perform his user support tasks directly from his own workstation. However, in some cases this feature can be a source of problems, since remote access to the local computer's registry must be authorized.

When a user attempts to establish a connection to the registry of a remote computer running Windows NT/2000, the Server service running on that computer first checks for the existence of the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg (Fig. 9.3). Whether a remote user can gain access to the registry of a protected computer is determined by the following factors:

□ If the \Winreg key does not exist, the registry can be accessed remotely by any user.

□ If the \Winreg key exists in the registry, the access control list set for this key determines which users can access the registry from a remote computer.

This means that to secure remote access to the local Windows computer's registry, you must configure an access control list for the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg.

If the access control list (ACL) of the Winreg key grants a remote user read or write access (either explicitly or as a member of one of the groups), that user can connect to the Windows registry. Once such a connection is established, the user's actions in the registry are limited only by the access rights on its individual keys. Thus even a user who has only read access to the Winreg key can modify other registry keys if those keys' ACLs allow it.

You only need to create the \Winreg subkey on Windows NT 4.0 Workstation computers. On Windows NT 4.0 Server computers, as well as on Windows 2000 Professional, this key is created by default.

Protecting the SAM and Security hives

Windows/Windows Server security information is stored in the SAM (Security Accounts Manager) and Security registry hives. The SAM hive contains user passwords in the form of a table of hash codes, and the Security hive contains information about the security of the local computer, including user rights, password policies, and user membership in local groups.

Note

There is a whole set of utilities with which a SAM hive can be cracked. The best known of them are PWDUMP, NT Crack and L0phtCrack.

How to protect the SAM hive

Microsoft officially claims that the best way to protect Windows/Windows Server is to protect administrative passwords, but this is clearly not enough. Many users have access to the SAM and Security hives - for example, users from the Backup Operators group, whose responsibilities include registry backups.

By default, no user (not even an administrator) has the access rights needed to open or even view the Windows/Windows Server SAM database in Registry Editor. However, the SAM and Security hives are stored on disk in the same way as other files, and the only thing an attacker needs is a copy of these hives. Ordinary copying does not achieve this: when you try to copy the registry hives of a running Windows/Windows Server system, you receive an error message.

However, the Resource Kits include utilities (Regback in the Windows NT 4.0 Resource Kit and REG in the Windows Server Resource Kit) with which users belonging to the Administrators or Backup Operators groups can obtain copies of the registry of a running system.

If Windows/Windows Server is installed on an NTFS volume, a user who wants to copy the SAM and Security hives illegally can use the NTFSDOS utility (http://www.sysinternals.com/ntfs30.htm), which allows NTFS volumes to be mounted under DOS. This utility and its variants (there is also an NTFS for Windows 98 utility) provoke mixed reactions (precisely because of the potential security risk). After the first versions of NTFSDOS appeared, Microsoft officially declared that true security is physical security. Nevertheless, this utility is very useful and can be simply irreplaceable when performing disaster recovery procedures (especially if you need to do this work quickly). Personally, it has helped me out more than once.

To summarize: to properly protect the SAM and Security files from illegal copying, you should install protected computers in a secure room and also deprive users of the right to shut down and restart the computer.

To edit user rights in Windows, log on as a user with administrator rights, open Control Panel, double-click the Administrative Tools icon and select Local Security Policy. Expand the MMC console tree and select User Rights Assignment. The right-hand pane lists the user rights available for editing; there, edit the list of user groups that have the right to restart the computer.

Can we now say that the Windows registry is protected? No, because backup copies of the registry still exist. On Windows NT systems, immediately after successful installation of the operating system, and whenever the Rdisk utility is run with the /s switch, backup copies of the registry hives are created and stored in the %SystemRoot%\Repair directory. Windows Server registry backups are created whenever System State Data is backed up, and are stored in %SystemRoot%\Repair\RegBack. These files are not held open by the system, so if a user is logged on locally (or if the backup directory is shared), they can be copied without hindrance. On Windows NT systems, NTFS access rights do not protect the %SystemRoot%\Repair directory at all: all users have read access to it, and that is enough to copy the files. In Windows Server, the Users group by default has only View (List) rights to this directory, which does not allow files to be copied. However, as discussed in this chapter, if you upgraded from a previous version of Windows NT to Windows Server, access rights to registry and file system objects are inherited from the previous version of Windows NT.

To summarize, to prevent ordinary domain users from accessing the SAM and Security files you should:

- deprive end users of the right to log on locally to servers;

- use the NTFS file system;

- provide adequate physical protection for servers;

- on Windows NT 4.0 systems, and on Windows Server systems where the operating system was installed as an upgrade from a previous version of Windows NT, tighten the access rights on the %SystemRoot%\repair directory;

- provide secure storage conditions for backups and disaster recovery disks (Windows NT 4.0), as well as for copies of System State Data (Windows Server).
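As an added example that is not part of the original text, the following PowerShell script audits the two access control lists this chapter has discussed: the ACL of the winreg key that governs remote registry access, and the ACL of the %SystemRoot%\repair directory where the hive backups are kept. It reports any Allow entry on the winreg key for a principal outside an assumed baseline (Administrators, Backup Operators and LOCAL SERVICE; adjust it to your own policy), and any entry on the repair directory that lets a broad group read the files inside it, which is exactly what makes the hive copies copyable. The function names and the baseline list are my assumptions, not published defaults.

```powershell
# Added example, not from the original text. Run from an elevated PowerShell
# prompt (3.0 or later) on the computer being audited. Function names and the
# baseline principal list are assumptions for this check, not published defaults.

$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$RepairDir = Join-Path $env:SystemRoot 'repair'

# Principals we are willing to see with Allow entries on the winreg key.
$WinregBaseline = @(
    'BUILTIN\Administrators',
    'BUILTIN\Backup Operators',
    'NT AUTHORITY\LOCAL SERVICE'
)

function Test-WinregAcl {
    # Returns the Allow entries on the winreg key held by principals outside
    # the baseline. If the key is absent, remote registry access is not
    # restricted by an ACL at all, which the text treats as the worst case.
    if (-not (Test-Path -Path $WinregKey)) {
        Write-Warning 'winreg key is missing: remote registry access is unrestricted'
        return
    }
    $acl = Get-Acl -Path $WinregKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $WinregBaseline) { continue }
        [pscustomobject]@{
            Object    = 'winreg key'
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

function Test-RepairDirAcl {
    # Flags Allow entries for broad groups that reach the files inside the
    # repair directory (ObjectInherit set) with read-data rights. A plain
    # "List" permission applies the same bit to the folder only, so it is
    # not flagged: listing the folder does not let a user copy the hives.
    $broad         = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $objectInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $readData      = [System.Security.AccessControl.FileSystemRights]::ReadData
    $genericRead   = [int64]0x80000000   # GENERIC_READ, shown as a raw number by Get-Acl
    $genericAll    = [int64]0x10000000   # GENERIC_ALL

    $acl = Get-Acl -Path $RepairDir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broad) { continue }
        $reachesFiles = ([int]($ace.InheritanceFlags -band $objectInherit)) -ne 0
        $mask = [int64][int]$ace.FileSystemRights
        $canReadFiles = (($mask -band [int64]$readData) -ne 0) -or
                        (($mask -band $genericRead) -ne 0) -or
                        (($mask -band $genericAll) -ne 0)
        if ($reachesFiles -and $canReadFiles) {
            [pscustomobject]@{
                Object    = 'repair directory'
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Run both checks; no output means nothing outside the baseline was found.
Test-WinregAcl
Test-RepairDirAcl
```

The repair-directory check deliberately looks at inheritance flags rather than the rights bit alone, because in the Windows permission model "List" and "Read data" share the same bit; the difference between the two is whether the entry propagates to files. That is why the View (List) default the text describes for Windows Server is not reported, while an upgraded system that inherited full read access for Users is.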

It does not take much effort to crack stolen SAM and Security hives. With these files at his disposal, an attacker can, at his leisure, run as many dictionary attacks on them as are required to crack the passwords. If he has utilities such as PWDUMP, PWDUMP2, NT Locksmith (http://www.winternals.com), L0phtCrack (http://www.l0pht.com/l0phtcrack) and so on, the success of the attack depends mainly on the quality of the dictionary used: the more words, dates, numbers and phrases commonly used as passwords it contains, the higher the chances of success (Fig. 9.6).

Therefore, to protect your system, you should prevent users from using blank passwords and set a system password policy. In any case, the minimum length of passwords should not be less than 8 characters. In addition, it is recommended to use arbitrary combinations of letters and numbers as passwords, and also set a policy regarding the minimum acceptable password complexity.

Try to imagine yourself in the attacker's place and crack your own SAM hive (keep in mind that your task is much simpler than the attacker's: you do not need to carry out a remote attack to steal the SAM and Security hives). Explanatory work should be carried out with the users whose passwords are revealed straight away. In addition, it is recommended to establish rules for periodically changing passwords.
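As an added example, not part of the original text, the following PowerShell exports the local security policy with the built-in secedit tool and checks the password settings against the recommendations just given: no blank passwords, at least 8 characters, complexity enabled and periodic change. The parsing is separated from the export so the check can also be run over the constructed sample template included in the block; the function names and the sample are my own.

```powershell
# Added example, not from the original text. Function names and the sample
# template are constructed for this illustration.

function ConvertFrom-SecurityTemplate {
    # Parse the [System Access] password settings from secedit .inf lines
    # into a hashtable of integers. Settings that are absent are omitted.
    param([Parameter(Mandatory)][string[]]$Lines)
    $wanted = 'MinimumPasswordLength|PasswordComplexity|MaximumPasswordAge|' +
              'MinimumPasswordAge|PasswordHistorySize|ClearTextPassword'
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match "^\s*($wanted)\s*=\s*(-?\d+)") {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

function Get-LocalPasswordPolicy {
    # Export the effective local policy with secedit (built in) and parse it.
    $export = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $export /areas SECURITYPOLICY /quiet | Out-Null
        ConvertFrom-SecurityTemplate -Lines (Get-Content -Path $export)
    }
    finally {
        Remove-Item -Path $export -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicy {
    # Compare the settings with the text's recommendations; returns finding strings.
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    $minLen = if ($Policy.ContainsKey('MinimumPasswordLength')) { $Policy['MinimumPasswordLength'] } else { 0 }
    if ($minLen -eq 0) {
        $findings += 'Blank passwords are allowed (MinimumPasswordLength = 0)'
    } elseif ($minLen -lt 8) {
        $findings += "MinimumPasswordLength is $minLen; the text recommends at least 8"
    }
    if ($Policy['PasswordComplexity'] -ne 1) {
        $findings += 'PasswordComplexity is off: mixed letters and digits are not enforced'
    }
    # secedit writes -1 when passwords never expire.
    $maxAge = if ($Policy.ContainsKey('MaximumPasswordAge')) { $Policy['MaximumPasswordAge'] } else { -1 }
    if ($maxAge -le 0) {
        $findings += 'MaximumPasswordAge is unlimited: periodic password change is not enforced'
    }
    if ($Policy['ClearTextPassword'] -eq 1) {
        $findings += 'ClearTextPassword is on: passwords are stored with reversible encryption'
    }
    return $findings
}

# Constructed sample of a weak policy, in the format secedit exports.
$SampleTemplate = @(
    '[System Access]',
    'MinimumPasswordAge = 0',
    'MaximumPasswordAge = -1',
    'MinimumPasswordLength = 0',
    'PasswordComplexity = 0',
    'PasswordHistorySize = 0',
    'ClearTextPassword = 0'
)
Test-PasswordPolicy -Policy (ConvertFrom-SecurityTemplate -Lines $SampleTemplate)

# On the real machine (elevated prompt):
# Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy)
```

Running the sample produces three findings (blank passwords allowed, complexity off, no expiry); on a domain member the exported values reflect the effective policy, so a weak local setting overridden by Group Policy is not reported.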

Restricting anonymous access to your computer

A Windows Server computer can be configured to prevent anonymous login users from accessing all resources except those to which they have been explicitly granted access. This can be done either using the MMC Local Security Policy snap-in or by editing the registry.

Using the Local Security Policy MMC snap-in

From the Start menu, choose Programs | Administrative Tools | Local Security Policy.

Select Security Settings\Local Policies\Security Options.

In the right-hand pane, double-click the option Additional restrictions for anonymous connections and, in the window that opens, set the option No access without explicit anonymous permissions under Local policy setting (Fig. 9.7).

Editing the registry

Start the registry editor Regedt32.exe, find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, and create a RestrictAnonymous value with the REG_DWORD data type. Set this value to 0x2 (Hex).

If RestrictAnonymous has this value, the access token for unauthenticated users does not include the Everyone group, so access to resources that are granted to the Everyone group by default is denied.

Note

Microsoft officially recommends that you carefully weigh the security benefits of this setting against the problems that restricting anonymous user rights may cause. The reason is that some Windows Server services and applications depend on anonymous user capabilities. In particular, setting this value is not recommended in mixed network environments that include computers other than Windows Server. Setting RestrictAnonymous to 0x2 is recommended only on pure Windows Server networks, and only after thorough testing has confirmed that services and applications are not disrupted.

The standard High Secure security template includes this restriction, so applying it may cause the same unwanted problems.

System Scheduler as Another Potential Security Threat

The Task Scheduler, which is available on every Windows NT/2000 computer, can be used to run MMC tools or other programs on the user's computer under the SYSTEM account. This account exists on all Windows NT/2000 systems, but its presence is not advertised (you will see it neither in the User Manager and User Manager for Domains utilities that create Windows NT user accounts, nor in the MMC snap-ins that perform the same task on Windows Server). This allows an administrator to give an ordinary user a one-time opportunity to perform some administrative task on his client computer without granting him the rights to perform other administrative tasks.

For example, to allow the user to launch the Disk Management snap-in, you could issue the command at \\machine_name 1:00pm /interactive %SystemRoot%\system32\diskmgmt.msc, where \\machine_name is the name of the computer.

However, this capability poses a potential threat to system security because the system scheduler by default uses the rights of the SYSTEM account, and therefore any program launched in this way will have full system privileges, including access to the SAM database.

To protect against this danger, you can either block the Task Scheduler service (but this is not always possible, since this service may be needed to run other tasks), or configure it so that the service runs on behalf of the user account.
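As an added example that is not part of the original text, the following PowerShell covers both settings described in the two preceding passages: it reads (and can set) the RestrictAnonymous value under the LSA key, and it reports the account the Task Scheduler service runs under together with any enabled scheduled tasks whose principal is SYSTEM, which is how an administrator finds the jobs that carry the full privileges described above. The function names are mine; Get-ScheduledTask requires Windows 8/Server 2012 or later, so on older systems use schtasks /query /v instead.

```powershell
# Added example, not from the original text. Function names are mine;
# 'Schedule' is the service name behind Task Scheduler and 'Lsa' is the
# key the text edits. Run from an elevated prompt.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-AnonymousRestriction {
    # A missing RestrictAnonymous value behaves like 0 (no restriction).
    $props = Get-ItemProperty -Path $LsaKey
    $level = if ($null -ne $props.RestrictAnonymous) { [int]$props.RestrictAnonymous } else { 0 }
    $meaning = switch ($level) {
        0       { 'no restriction: the anonymous token includes Everyone' }
        1       { 'anonymous users cannot enumerate accounts and shares' }
        2       { 'Everyone removed from the anonymous token; no access without explicit anonymous permissions' }
        default { 'unrecognised value' }
    }
    [pscustomobject]@{ RestrictAnonymous = $level; Meaning = $meaning }
}

function Set-AnonymousRestriction {
    # Writes the REG_DWORD the text describes. Test services first: level 2
    # breaks anything that relies on anonymous access (see the note above).
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level)
    Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value $Level -Type DWord
}

function Get-TaskSchedulerServiceAccount {
    # The account the Schedule service logs on as. In the classic scheduler
    # the text describes, jobs created with "at" run under this account.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    [pscustomobject]@{ Service = $svc.DisplayName; RunsAs = $svc.StartName; State = $svc.State }
}

function Get-SystemScheduledTasks {
    # Enabled tasks whose principal is SYSTEM, with the command each one runs.
    Get-ScheduledTask |
        Where-Object {
            $_.State -ne 'Disabled' -and
            $_.Principal.UserId -match '(^|\\)SYSTEM$|^S-1-5-18$'
        } |
        ForEach-Object {
            $actions = foreach ($a in $_.Actions) { "$($a.Execute) $($a.Arguments)".Trim() }
            [pscustomobject]@{
                Task    = $_.TaskPath + $_.TaskName
                RunsAs  = $_.Principal.UserId
                Actions = $actions -join '; '
            }
        }
}

Get-AnonymousRestriction
Get-TaskSchedulerServiceAccount
Get-SystemScheduledTasks | Format-Table -AutoSize
```

Reviewing the task list is the practical half of the advice above: rather than disabling the whole service, you can see which tasks actually need SYSTEM and move the rest to a dedicated user account.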

Throughout its history, Windows has suffered greatly from malware. The infection rate is much higher on older operating systems, where users typically do not use UAC (especially on home PCs) and so allow malware such as viruses, spyware and Trojans to create their own registry entries, which then give them access to the heart of the PC.

Protect your registry from spyware and viruses

And home computers still suffer more than PCs in enterprises. Typically, in an enterprise, the user receives a pre-configured, already configured system that is largely “locked down” and the PC operator does not have the necessary rights to install additional software. Only IT and help desk members install or add software, and this is usually done centrally through Group Policy. By default, users are registered as members of the Standard Users group, which allows them to make changes only to their PC profile. In some situations, this profile is fixed or limits a person's interaction with the system registry.

Workgroup or homegroup members on networks popular among small businesses with dozens of PCs are often configured to share multiple resources, such as files, folders, and printers. This small shared network provides an ideal environment for sharing software, but in turn often leads to malware infection of all computers within it.

The risk of malware infection and registry corruption is much higher for home PC users, and they are less aware of their vulnerabilities. Users in this group install software much more frequently and from a variety of sources, usually from torrent sites or file sharing sites. Typically, a home user will use an administrator account as a normal account, ignoring security warnings and UAC prompts designed to prevent unauthorized installation of software, and malware quite often comes bundled with free or shareware software.

Protect with Windows Defender

Windows 8 and 8.1 come with their own anti-malware protection called Windows Defender, which is available as an additional download for Windows 7 called Security Essentials. This package constitutes the main internal protection of Windows against viruses, malware and spyware attacks, although system security also depends to a large extent on additional Windows components, such as SmartScreen. As long as this software is running and you have Windows Update enabled, your PC is protected and Windows Defender monitors your system in real time.

To make sure that your malware signatures are up to date and that Windows Defender is configured to run in the background and scan in real time, follow these steps:

  1. Type Defender on the Start screen and press Enter.
  2. Windows Defender opens.
  3. Check the real-time protection status (on/off).
  4. Check the status of the virus and spyware definitions.
  5. If necessary, click the "Update" button.
  6. Quit Windows Defender.

Because Microsoft uses data from millions of computers around the world to update malware signatures through Windows Update, your Windows PC is protected from the ever-present threat of malware.
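As a scripted equivalent of the steps above, added here and not part of the original article, the following PowerShell asks Windows Defender for the same status the window shows (engine on, real-time protection on, definition age) and runs a definitions update when something is out of date. The function name and the 7-day threshold are my choices; the cmdlets are those of the Defender module on Windows 8 and later.

```powershell
# Added example, not from the original text. Uses the Defender module
# cmdlets shipped with Windows 8 and later; the function name and the
# 7-day signature-age threshold are my choices.

function Test-DefenderProtection {
    param([int]$MaxSignatureAgeDays = 7)
    $status = Get-MpComputerStatus   # same data the Windows Defender window shows
    $findings = @()
    if (-not $status.AntivirusEnabled) {
        $findings += 'Antivirus engine is disabled'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ('Virus definitions are {0} days old (last updated {1})' -f
            $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
    }
    if ($status.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ('Spyware definitions are {0} days old (last updated {1})' -f
            $status.AntispywareSignatureAge, $status.AntispywareSignatureLastUpdated)
    }
    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-DefenderProtection
if ($result.Healthy) {
    'Windows Defender is running with current definitions'
} else {
    $result.Findings
    # Scripted equivalent of the "Update" button: fetch the latest definitions.
    Update-MpSignature
}
```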

Enterprise customers, to protect against malware, configure their PCs to update with enterprise-grade anti-spyware software, which gives more control options such as deployment and quarantine-based isolation.

The introduction of UAC has significantly reduced PC infection rates, although malware continues to evolve and find new and innovative ways to infect a computer.

UAC user protection

We have already mentioned User Account Control (UAC) in this article, and we want to emphasize once again the importance of keeping this feature at its default. UAC protects not only the registry but the entire Windows system.

Most malicious infections and registry damage are associated with tasks performed as an administrator, the most trusted status. Standard user accounts, on the other hand, are limited in their ability to make changes to the system, even preventing the launch of suspicious tools that could be used to make unwanted changes, such as installing an application, which is also bad.

Some sources describe User Account Control as a tool to protect the system from the user himself, but, unfortunately, it is often ignored by home computer owners. As mentioned, this is primarily due to a lack of understanding of what UAC actually does and how it fits into the overall PC security strategy that is absolutely necessary in today's computing world. To put it bluntly, User Account Control is your primary weapon against the ever-changing threat of malware.

Within an enterprise, ordinary users usually do not see UAC because they do not install software or make changes to the system. These tasks are performed by IT support specialists. IT professionals have the necessary administrative privileges, tools and knowledge to respond properly to UAC prompts.

As mentioned, most home PC users are computer administrators. For home enthusiasts, UAC is often annoying. Research has shown that over time, persistent UAC prompts backfire, causing users to ignore the warnings and instead consider User Account Control a mere barrier to making changes.

However, the main purpose of User Account Control is not to annoy users. Fortunately, in Windows 8 some changes have been made to the interaction between User Account Control and the user. This fine-tuning is certainly welcome, but it will mostly be noticed by new Windows users who have not been frustrated by UAC since its introduction in Windows Vista.

To change User Account Control settings, type UAC on the Start screen and press Enter.

Standard user accounts can be used to perform the following tasks:

  1. Recording to CD/DVD media
  2. Changing your desktop background
  3. Changing your time zone
  4. Changing your user account password
  5. Configuring accessibility settings
  6. Setting power options
  7. Connecting to Wi-Fi or a local network
  8. Installing drivers from Windows Update or those that come with Windows
  9. Installing updates from Windows Update
  10. Changing display settings
  11. Connecting and setting up Bluetooth devices with the PC
  12. Troubleshooting and network diagnostics
  13. Playback from CD/DVD media
  14. Recovering your own files from File History
  15. Connecting to another computer using Remote Desktop
  16. Viewing most settings, although you will need to be elevated if you try to change them.

Administrators have more power: they can read, write, execute and change all resources and access rights on the PC.

One of the most noticeable aspects of User Account Control is that even an administrator works with routine standard-user-level permissions. Only when he attempts to perform an administrative task does a UAC pop-up window appear, making it clear that the task requires administrative rights and asking him to complete the operation (or cancel it). This principle is known as Admin Approval Mode.

UAC elevation prompt types

Consent prompt (permission): shown only to administrators working in Admin Approval Mode when they attempt to perform an administrative task.
Credential prompt (temporary permission): shown to standard users when they attempt to perform administrative tasks.

Typical scenarios in which a standard user would need to be elevated to administrative privileges to perform a task include the following:

  • Adding or removing a user account
  • Browsing to another user's folder
  • Changing user account types
  • Changing Windows Firewall settings
  • Setting up automatic updates
  • Setting up parental controls
  • Installing device drivers
  • Installing ActiveX controls
  • Installing and uninstalling applications
  • Changing User Account Control settings
  • Moving or copying files in the Program Files or Windows directory
  • Restoring system backup files
  • Scheduling automated tasks

For users of Windows 8.1 and later versions, disabling User Account Control is not possible; it is in fact an integral part of the modern operating system's security model. But you can silence it by moving the slider to the very bottom (Never notify).
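As an added example that is not part of the original article, the following PowerShell reads the registry values behind the UAC slider described above and reports whether UAC has been silenced (the "Never notify" position) or Admin Approval Mode switched off altogether. The value names are the documented UAC policy values under Policies\System; the default values quoted in the comments, the interpretation of "silenced" and the function names are my assumptions.

```powershell
# Added example, not from the original text. Value names are the documented
# UAC policy values under Policies\System; the defaults quoted in comments
# and the "silenced" interpretation are my assumptions (Windows 7/8).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSettings {
    # The four values behind the UAC slider and Admin Approval Mode.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = Admin Approval Mode on (default)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 5 = default consent prompt; 0 = never notify
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 3 = credential prompt on secure desktop (default)
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompts on the secure desktop (default)
    }
}

function Test-UacSilenced {
    # Report settings that weaken the protection the text describes.
    param([Parameter(Mandatory)]$Settings)
    $findings = @()
    if ($Settings.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: Admin Approval Mode is off; administrators run fully elevated'
    }
    if ($Settings.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: slider at "Never notify"; administrators elevate without a consent prompt'
    }
    if ($Settings.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts appear on the normal desktop, where other programs can interact with them'
    }
    [pscustomobject]@{
        Silenced = ($Settings.ConsentPromptBehaviorAdmin -eq 0 -or $Settings.EnableLUA -ne 1)
        Findings = $findings
    }
}

# Constructed sample equivalent to dragging the slider to "Never notify".
$NeverNotify = [pscustomobject]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 0
    ConsentPromptBehaviorUser  = 3
    PromptOnSecureDesktop      = 0
}
Test-UacSilenced -Settings $NeverNotify
Test-UacSilenced -Settings (Get-UacSettings)   # the local machine
```

The sample illustrates the point the text makes about Windows 8.1: "Never notify" leaves EnableLUA at 1, so UAC is still technically on, but with no consent prompt an administrator's processes elevate silently, which is what the check reports as silenced.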

Protect Windows with Shadow Defender

100% Windows protection is possible with Shadow Defender. It will save you from any kind of virus or malware entering your computer. Recently, more and more often, users have been complaining that after travelling around the Internet they notice changes in the computer's operation for the worse. For example, the computer settings begin to change by themselves, some porn banner constantly pops up, various browser windows open at random, programs stop running, or the computer is completely blocked by Internet scammers who demand money from you via SMS.

By the way, I wrote about how to remove the ransomware banner here. Of course, there are times when we ourselves unknowingly disrupt the proper operation of the system by installing some third-party programs or drivers. The program will be extremely useful if inexperienced users work on your computer, after which everything needs to be put back in order, or if you simply need to test a program without clogging up the Windows registry with useless entries.

It is safe to enter a site or forum with viruses, test the work and make changes to the local development of the site, experiment with system files and make changes to how it works. All this is possible with the wonderful Shadow Defender program, which creates a virtual snapshot of the specified area of the hard drive, with which you will continue to work. After such a transformation you will not be afraid of virus attacks or the removal of any information from the protected area, because after restarting the computer everything returns to normal. Of course, there are other ways to protect your computer, but this one will exceed all your expectations.

The Shadow Defender program puts the Windows system into shadow mode with selective data saving, which helps prevent the loss of important information and protects the operating system from various types of viruses. To date, the program is compatible with all versions of the Windows operating system (XP/7/8). It should be said that this program is paid, but in trial mode Shadow Defender will last 30 days.

You can download the latest version of Shadow Defender from the official website.

To Russify Shadow Defender, download the Russian package (the res.ini file) for your version of the program from the official website. All that remains is to move the res.ini file, replacing the existing one, into the folder where Shadow Defender is installed. Now the program understands Russian. I have been using this program for a long time and I have no complaints about its work, so I recommend that you add it to your arsenal of useful programs. So, let's get to the point. Here are my detailed instructions for Shadow Defender.

How to use Shadow Defender

- Configuration. I think everything is clear here; I'll just say that you should be sure to check the "Notify about lack of free space" option, otherwise, if the reserved space is not enough, Shadow Defender will not work correctly, which means there is a risk of losing important information. By clicking the "More information" button you can increase or decrease the reserved area for each hard drive partition. It is very important that the program has enough free space.

- Save. A very useful option designed to save a file or folder while you are in protected mode. For example, you turned on protected mode on all partitions of your hard drive and went for a walk on the Internet. You walked and walked and suddenly found what you were looking for.

Download the file to your hard drive, but in order for the file to remain after exiting protected mode, you need to add it through the "Save" option: select the file and click the "Accept" button. Now the downloaded or modified file (if any file has been modified, it will be saved in its modified form) will remain on the hard drive after exiting protected mode.

- Exceptions. The program has a very well implemented function for saving changed content in folders and files that are on the exclusion list. By adding a folder or file to the exclusion list, all changes to that folder will be saved when Shadow Defender finishes. In other words, you enter into the program in advance those folders and files in which you will make changes.

- Settings. The most important option in this program. In the settings you can choose which partition will be in protected mode and what action should be taken to exit protection. It is also possible to protect your computer completely by marking all areas of the hard drive. The program offers several actions for exiting the mode:

- Disable Protected Mode and restart your PC now.

- Disable Protected Mode and turn off your PC now.

- Remain in protected mode after reboot.

- System status. An information option in which you can see which partitions are working in protected mode, their capacity, how much space is occupied on the partition and how much is free, how much space Shadow Defender has taken, and the list of exceptions.

As you can see, the program is irreplaceable for running an online business and can save you a decent amount of money. In general, it will be useful not only to Internet businessmen but also to any curious, or not so curious, user. In my opinion, this is simply an excellent program for protecting your computer on the Internet, for all kinds of tests and for safe browsing. This is reliable protection for your computer on the Internet.

This is where I will end this post. I hope the article was useful and easy to understand. See you on the blog pages. Bye!


Registry Cleaner

Every program you install on your computer makes changes to the registry, a database containing information about all the settings necessary for the operating system to function properly. Even when the application is long gone, traces of it are still stored, accumulating unnecessary megabytes and reducing efficiency. To prevent this from happening, download a registry cleaner, the easiest and fastest way to keep your computer running at peak performance.

What is the registry and why clean it?

The Microsoft Computer Dictionary defines the registry as a hierarchical, centralized database for storing information needed to configure the operating system, users, software products and devices.

To put it simply, this is the set of data needed for the normal operation of any version of Windows. It looks like a tree of standard folders, which hierarchically contain other directories with files. Every change in the system (installing a program, uninstalling it, changing settings) alters the registry. As a result, the tree grows and takes up a decent amount of space. Cleaning the registry helps prevent a number of problems and crashes in Windows.

3 signs that it's time for you to download a registry cleaner:

  • A program that just yesterday launched at half a click now slows down a lot during operation and loads slowly.
  • The operating system periodically crashes: it goes into a BSOD or produces system errors.
  • The settings of one or more programs have been reset to defaults without your knowledge.

Which program should I choose?

The choice on the Internet is extensive. There are only two disadvantages: free programs are distributed without any protection on software aggregators, and can therefore become a source of problems much more serious than mild system "brakes". At the same time, be careful: hastily made software can often harm the registry by deleting fine-tuning or system files, mistaking them for "junk".

The second point is that paid programs must be paid for and their versions updated regularly. But fortunately there is a third way, which almost half a billion people have taken: download and install a free registry cleaner, the 360 Total Security antivirus from Qihoo 360.

What else does 360 Total Security give you?

Understanding the needs of users, the antivirus and computer cleaning program from Qihoo 360 gives more than you expect:

  • Acceleration of the operating system. In addition to cleaning the registry, the antivirus scans hard drives and then offers to delete junk files and programs that have not been used for a long time.
  • Reduced load on system resources. To keep Windows from noticing the presence of the antivirus, it implements Cloud 360 technology, which uses virtual resources to process data.
  • Simultaneous operation of 5 engines at once. This is proactive: even viruses that have not yet entered the database will be instantly identified and neutralized. For maximum efficiency, you can connect the Avira and Bitdefender algorithms.
  • Complete security of online work: checking the Wi-Fi connection, protection from phishing sites and keyloggers, complete security of personal contacts and web cameras.

To download a program to clean the registry and at the same time reliably protect your computer data from viruses, download 360 Total Security from the main page of the site. In just a couple of minutes you can quickly check your file system for errors or foreign keys. Choose a program that has been appreciated by more than half a billion people around the world!

www.360totalsecurity.com

Registry Protection Program

Every day new viruses, spyware and modules that display advertisements appear. Working without an antivirus is akin to suicide: if earlier the question was "Will you get infected or not?", now it is "How quickly will you get infected?" The more actively a user spends time on the Internet, downloading files and visiting dubious sites, the higher the likelihood of infecting the computer. Files received from file-sharing networks are especially dangerous. It is these networks, along with spam, that are used to spread new viruses. And in this case antiviruses give up: there are no signatures in their databases yet, so they pass downloaded files as "clean". Only after running such a file can the user guess, from indirect signs (suddenly large outgoing traffic, strange messages on the screen, decreased computer performance, a running program not performing the functions for which it was supposedly created, and so on), that the computer is infected. Most users will not notice anything, and the running antivirus monitor will create a false sense of security. Only hours, and sometimes days, later, after the description of the new virus is added to the antivirus databases and the antivirus downloads and installs the update, may the new virus be detected. Only then does treatment of the computer begin. And during those days or hours the computer was spreading the new virus at the speed of its Internet connection, sending out spam and being used to attack servers; in other words, it was a zombie that had joined the army of similar zombies, adding another drop of chaos to the Network.

At this stage of development of computer technology, we are approaching the understanding that the current virus detection technologies, the use of anti-virus databases with signatures, are not effective. At the current speed of file distribution on the Internet (exchange networks, spam), antiviruses will always be in the role of catching up.

Quite recently, the author of this article manually cleaned the computer of a new virus that was not detected by the antivirus installed on the user’s computer. For obvious reasons, I will not name the antivirus manufacturer, a very well-known and successful company all over the world. After the virus library was discovered, it was scanned by all available antiviruses with the latest description databases. No one, with the exception of Dr.Web, found anything dangerous in the library. However, the virus successfully collected information about the addresses of sites visited by the user, his logins and passwords entered on these sites, and then sent the collected information to the author of the virus. Judging by the infection mechanism, the computer was infected when visiting a site and, very likely, the source of the virus was a banner shown on one of the pages (a study of the browsing history in the browser did not reveal any crime in the list).

Even more depressing is the infection of a computer with a virus that spams email addresses of the Microsoft.com domain, opens a listening port and tells its author the IP and port of a ready-to-use proxy server. Before opening the port, the virus literally demolished the firewall built into Windows XP SP2, deleting all information about its service in the registry. After the virus library was discovered, it was scanned by several of the most popular antiviruses. Only Dr.Web and Kaspersky Anti-Virus identified it as a virus. Two well-known and popular Western antiviruses still do not detect this file, despite the fact that, judging by information from search engines, the first reports about this virus appeared on the Internet 4 months ago.

There are a huge number of such examples. Today there is an understanding that antiviruses in their current form have no future. This is a dead end. The time gap between the appearance of new viruses and the addition of their signatures to antivirus databases will only increase, which will inevitably lead to new waves of virus epidemics. The careless attitude of Western antivirus companies to the search for new viruses and the addition of their descriptions to databases leads to a false sense of security for the user. As a result, the harm from such “relaxation” of the user can be even greater than from working without an antivirus at all, in which case the user thinks a hundred times before working under an account with administrator rights or opening an attachment from a letter from an unknown sender offering to run the attached file.

In addition to the viruses themselves, several other types of malicious software are actively spreading: spyware - which collects and sends information about the user, adware - which independently opens browser windows with advertisements, and so on. This software is not classified as a virus because it does not directly harm your computer or data. However, when infected, the user experiences discomfort and is forced to install, in addition to the antivirus, another type of software to combat spyware and adware. This type of software, just like an antivirus, has its own database of descriptions of malicious objects that it searches for and destroys in the system.

Exactly the same situation is observed in the fight against spam. If previously, in fact, the only means of combating were “blacklists” of servers or even entire subnets from which spam was sent, today an increasing number of administrators are convinced that the technology of “blacklists” is becoming obsolete. It is too slow, not flexible, and requires a lot of effort from the list administrator to maintain relevance. Very often, because of two or three spammers who have purchased dial-up access for mailings, entire subnets of providers are blacklisted, after which mail from users from these subnets begins to be marked as spam and filtered by recipients. As a result, we are seeing an increasing proliferation of intelligent systems for evaluating the content of emails. Systems that can “read” a letter, including service headers, perform a series of checks and make a conclusion: it is spam or not. It is safe to say that in a few years this anti-spam technology will completely replace the use of blacklists.

We are quietly losing the war: new and newer threats appear, and instead of improving existing technologies and creating new ones to combat them, the same method of describing threats and distributing description databases is simply replicated.

Fortunately, the first steps to correct the situation are being taken, and a new class of programs is emerging for comprehensive computer protection both from viruses and from various types of adware-spyware, which does not use description databases. Similar to antispam, this is a kind of intelligent algorithm that monitors the actions of running applications. If some actions seem dangerous to the algorithm, it blocks them. One can argue for a long time about too much independence of such programs, but there is no alternative. Let it be better to have a few false positives than tens of megabytes of traffic for updating anti-virus databases and 2-3 applications that are constantly in memory, reduce the performance of file operations and require significant system resources.

In this review, we will get acquainted with one of the representatives of a new class of proactive computer protection programs: Defense Wall HIPS. A non-standard approach to combating malware, ease of setup and inconspicuous operation distinguish this product from the mass of others. It does not download any description databases; instead, the user independently determines the applications through which an infected file can be received on the computer. By default, untrusted applications include popular email clients, browsers, and some system utilities (ftp.exe). Thus, a list of all “doors” through which an infected file can penetrate is created.

Any file that was received from the Network through an untrusted application will be marked as untrusted by Defense Wall HIPS. After launching such a file, all actions that the running application takes on the system will be logged, that is, the user will always have the opportunity to view, for example, a list of registry keys that were created by the running application and delete them with the click of one button.

Program website http://www.softsphere.com/rus/
The distribution size is 1.2 megabytes.
The price of Defense Wall HIPS is 500 rubles.

Installation of Defense Wall HIPS is performed by a wizard. During its operation, you must agree to the terms of the license agreement, select the folder to install the program, and select the operating mode between expert and normal. The computer must be restarted to complete the installation.

The differences between the expert operating mode and the normal operating mode are significant: in the normal operating mode, all files that are created by an untrusted application are automatically added to the list of untrusted ones. In expert mode, no files are automatically added to the list of untrusted files - this must be done manually by the user. It is recommended to work in normal mode.

After the reboot, the product registration window will be displayed.

If the program was purchased, then to register it you can enter the key received from the developer. In demo mode, the program will work for 30 days without limiting its functionality.

The program adds an icon to the tray, with which you can change operating modes and open the main window.

Cleaning Center

The Cleanup Center provides quick access to viewing traces of untrusted applications.

Using the Traces on the disk and in the registry button, you can view a list of all changes that were made by untrusted applications.

This screenshot lists the registry keys that FAR created and the text.txt file that was created from the command line. To the right of the list there are buttons with which you can manage changes. Unfortunately, it is not at all obvious from the names what action the program will perform after pressing the button. The purpose of the buttons becomes more or less clear after reading the tooltips that appear above the buttons if you hold the mouse pointer over them. It is impossible to call the help system for the elements of this window: there is neither a Help button on the form nor a button in the window title.

The first button, Put away, removes a line from the list. Changes made by the process (registry keys, files) are not deleted.

The Delete button allows you to undo a committed change: delete a registry key, folder or file created by the application.

The Rollback button allows you to undo several committed changes at once. To do this, you need to select an entry and press the button. All changes, from the first to the selected one, will be canceled (registry keys, files and folders will be deleted).

Remove everything allows you to clear the list.

When performing a rollback, Defense Wall HIPS asks you to confirm the action being performed.

This request has no Delete everything or Cancel rollback buttons. If an attempt is made to roll back, say, 50 changes, then the request will have to be answered 50 times.

List entries do not have a right-click context menu. Instead of double-clicking to open Registry Editor and view the created key or launch Explorer, you have to launch them manually and search for the file or key.

The changelog does not update automatically. If an untrusted application creates a key in the registry while the list is open, then the new entry in the list will be shown only after closing and opening the list.

To delete objects created by an untrusted application, you must close all untrusted applications. For example, if the browser, the exchange network client, and FAR are open (and all of them are included in the list of untrusted applications), then in order to delete the registry key created by FAR, you will have to close both the client and the browser.

The second button on the Cleanup Center tab allows you to view lists of trusted and untrusted processes running in the system.

There is no option in this window to move a process from the trusted list to the untrusted one. On the other hand, you can terminate any process running in the system.

It is unlikely that an untrained user will be happy with such a screen. Not to mention the fact that at the moment winlogon.exe terminates, the user may have some files open that he has been working on for a long time, but did not have time to save the changes.

The third button in the Cleanup Center is large and red. The result of pressing it matches its coloring: no matter how many untrusted processes (browser, email client) are running, all of them will be terminated without any warning and without saving data.

Add or remove untrusted

This list contains all untrusted applications that were detected on the computer during the installation of Defense Wall HIPS. The list of applications that are considered untrusted by the program by default is quite wide: it includes the most popular browsers, email clients, instant messaging clients, and so on. Any processes, folders or applications can be added to the list, with the exception of system ones. For example, explorer.exe cannot be added.

When the Put away button is pressed, a menu opens whose items allow the application to be removed from the list or temporarily excluded by making it trusted. The How trustworthy button allows you to run an instance of an application from the list as a trusted one. Using the Slide up button, entries in the list can be moved. It was not possible to understand why this should be done and why there is no Move Down button (there are no tooltips or mentions in the help).

List of events

Events caused by untrusted processes are recorded in the log. On this tab you can view them and, if necessary, using a filter, leave in the list events caused by the operation of a certain process. As in the previous case, events that occur while the list is open are not included in it. To see them, you need to close and open the window.

Closed files

No untrusted application will be able to access any of the files and folders in this list.

Integration

Defense Wall HIPS creates a group of shortcuts in the Explorer context menu. By right-clicking on any file or folder, you can quickly perform basic actions on it.

When untrusted applications are launched, a status is added to their title.

Testing

The first step was an attempt to bypass the ban on adding system processes to the list of untrusted applications. After the Windows folder was added to the untrusted applications list, all standard applications began to launch as untrusted.

As you might expect, Explorer, which cannot be added to the untrusted list via the Add application to untrusted menu item, lost the trust of Defense Wall HIPS. In the Start menu, the Run, Search, and Help and Support items stopped working. Notepad began creating untrusted files, and after rolling back the changes and agreeing to the requirement to close all untrusted applications first, the shell was restarted.

After the shell rebooted, Windows asked to insert a CD to restore the files. In order not to aggravate the situation, it was decided to refuse file recovery. The list of untrusted processes after restarting Explorer is shown in the figure below.

Naturally, pressing the big red Terminate all untrusted processes button led to a BSOD, since winlogon.exe was included in the untrusted list. During reboot, Windows reported that:

After clicking OK Windows went into a cyclic reboot with the same message on each turn. To restore, I had to boot into safe mode, find the Defense Wall HIPS settings in the registry (the program itself does not work in this mode because its service does not load) and delete the Windows folder from the list of untrusted ones. After this, the OS booted normally in normal mode.

It was decided to check what would happen if we added the folder where Defense Wall HIPS was installed to the untrusted list.

The treatment recipe is the same: remove the Defense Wall HIPS folder from the list of untrusted folders by editing the registry.

In essence, these are small comments on the program interface that can be eliminated by the author without any problems. At the next stage, the main function of the program was tested: monitoring the activity of processes and marking the files they create as untrusted.

A vbs script was written to carry out the test. It imitated the behavior of the virus and performed the following actions:

  • Deleted the registry section where the Defense Wall settings, the list of untrusted applications and the log of their actions are stored.
  • Downloaded a small executable file, dwkill.exe, from a site.
  • Terminated the defensewall.exe process (the control console).
  • Created a Windows Scheduler task that launched the dwkill.exe utility under the SYSTEM account after the user logged in.

This sequence of actions was determined after a long and comprehensive study of the working mechanisms of the Defense Wall. It is clear that this script is focused on working with Defense Wall and is unlikely to be used by viruses until the mass distribution of the product on the market. However, this script revealed several significant shortcomings in the work of Defense Wall:

  • The list of untrusted applications can be easily cleared. After the first reboot, all previously downloaded and emailed files will start running as trusted.
  • The list of actions of untrusted applications can also be deleted, making it impossible to roll back changes.
  • After running the script and the first reboot, it is possible to launch any application as trusted.
  • In addition, a very unpleasant problem was discovered: when moving an untrusted file from one folder to another, it was removed from the list of untrusted files and, accordingly, was launched from the new folder as trusted.

The Defense Wall help file contains many typos and errors.

Despite all the serious shortcomings, the program deserves attention. I would like to believe that the author will correct the errors and expand the functionality. Ideally, we would like to see a module that intercepts all network traffic, determines the application that generates it and, if that application is new, adds it to the trusted or untrusted list after asking the user. Based on the testing results, it is obvious that all program settings should be stored not in the registry but in Defense Wall’s own database. The service must protect its own startup by checking for the appropriate registry keys when it is stopped.
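The review's two registry-related findings (a virus that "demolished" the XP SP2 firewall by deleting its service data, and a protection product whose service does not defend its own startup keys) both come down to the same defender's check: does the service definition under HKLM\SYSTEM\CurrentControlSet\Services still exist, is it still enabled, and is the service actually running? The following is an added example, not code from the article or from Defense Wall HIPS; the service names are real Windows service names, but which ones to monitor is an assumption for this example.

```powershell
# Added example (not part of the original review). Verifies that security-related
# Windows services still have their registry definition, are not disabled, and
# are running. A program that deletes a service's registry data, as the article
# describes for the XP SP2 firewall, shows up here as a missing key.
$servicesToCheck = @(
    'MpsSvc',     # Windows Firewall (Vista and later)
    'WinDefend',  # Windows Defender
    'wuauserv'    # Windows Update
)

function Test-ServiceIntegrity {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{
        Name        = $Name
        RegistryKey = $false
        StartType   = $null
        ImagePath   = $null
        Status      = 'Missing'
        Healthy     = $false
    }

    # The service definition lives here; Start: 2 = Automatic, 3 = Manual, 4 = Disabled
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $key) {
        $result.RegistryKey = $true
        $props = Get-ItemProperty -Path $key
        $result.StartType = $props.Start
        $result.ImagePath = $props.ImagePath
    }

    # Runtime view from the Service Control Manager
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $result.Status = $svc.Status.ToString() }

    # Healthy only if the key exists, the service is not disabled, and it is running
    $result.Healthy = $result.RegistryKey -and
                      ($result.StartType -ne 4) -and
                      ($result.Status -eq 'Running')
    [pscustomobject]$result
}

$report = $servicesToCheck | ForEach-Object { Test-ServiceIntegrity -Name $_ }
$report | Format-Table -AutoSize

$broken = @($report | Where-Object { -not $_.Healthy })
if ($broken.Count -gt 0) {
    Write-Warning ("Service definitions missing, disabled or stopped: " +
                   (($broken | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it from an elevated prompt on a schedule (or from the protection product's own service, as the review suggests) so that a deleted or disabled definition is reported before the next reboot makes the loss of protection permanent.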


Then you will be offered the uninstall mode. “Moderate” and “Advanced” remove all traces of installed software from the system. You need to be careful with these modes. In the hands of an inexperienced user, Revo Uninstaller can cause irreparable damage. It is better to stop at the “Safe” option. Now all that remains is to start the uninstallation process with the “Next” button. The program will perform the removal and begin scanning the registry for residual keys. Having found them, it will give the user the opportunity to select keys to delete. After all the manipulations, there will be no trace of the installed program on the computer.

Revo Uninstaller has a Hunter Mode feature. By activating it, the main program window disappears. A “sight” sign appears on the desktop. To uninstall, you need to move the program shortcut to this icon or vice versa. After this, the removal process will begin.

Virtual machine

A virtual machine runs in a virtual environment. All actions performed in it do not affect the main operating system. It is worth considering a number of examples where a virtual machine is used:
  • Installing programs that only work on older OSes.
  • Training to work in a new operating system.
  • Program testing.

The last point is used when installing new software. By installing the program on a virtual machine, the user does not clog the main system. It can work in a virtual environment and not be afraid of various types of failures. The virtual operating system can always be reinstalled.

Microsoft Virtual PC and Oracle VirtualBox are the leaders in creating virtual machines. The first works only with the Windows family of operating systems, which is a minus for it. The second is capable of creating virtual machines with support for various operating systems: Windows, Linux, and so on. Using virtual machines is not always acceptable, however. It is impossible to work with 3D applications and multimedia programs on them.

Blocking system changes

With virtual machines, as was said, not everything is so smooth. Therefore, you can instead use software that returns the system to its original state: after a reboot, the operating system is back in the state it was in before any software was installed.

Toolwiz Time Freeze is another program that allows you to protect the user from himself. It’s worth noting right away that the program is free and will be useful for a novice user. This is an analogue of the well-known paid product Shadow Defender.

As a rule, inexperienced owners of personal computers do not know what software they need, and for this reason they experiment with installations. The principle of Toolwiz Time Freeze is that the program takes a snapshot of your hard drive. All subsequent actions will not be saved the next time you reboot. First you need to install the program, restart your computer and run “Start Time Freeze”.

Throughout its history, Windows has suffered greatly from malware. The infection rate is much higher on older operating systems, where users typically do not use UAC (especially on home PCs) and so allow malware such as viruses, spyware and Trojans to create their own registry entries, which then give them access to the heart of the PC.

And home computers still suffer more than PCs in enterprises. Typically, in an enterprise, the user receives a pre-configured system that is largely “locked down”, and the PC operator does not have the rights needed to install additional software. Only IT and help desk members install or add software, and this is usually done centrally through Group Policy. By default, users are members of the Standard Users group, which allows them to make changes only to their own PC profile. In some situations, this profile is fixed or limits a person's interaction with the system registry.

Workgroup or homegroup members on networks popular among small businesses with dozens of PCs are often configured to share multiple resources, such as files, folders, and printers. This small shared network provides an ideal environment for sharing software, but in turn often leads to malware infection of all computers within it.

The risk of malware infection and registry corruption is much higher for home PC users, and they are less aware of their vulnerabilities. Users in this group install software much more frequently and from a variety of sources, usually from torrent sites or file sharing sites. Typically, a home user will use an administrator account as a normal account, ignoring security warnings and UAC prompts designed to prevent unauthorized installation of software, and malware quite often comes bundled with free or shareware software.

Protect with Windows Defender

Windows 8 and 8.1 come with their own anti-malware protection called Windows Defender, which is available as an additional download for Windows 7 called Security Essentials. This package constitutes the main internal protection of Windows against viruses, malware and spyware attacks, although system security also depends to a large extent on additional Windows components, such as SmartScreen. As long as this software is running and you have Windows Update enabled, your computer is protected and monitors your system in real time.

To ensure that your malware signatures are up to date and that Windows Defender is configured to run in the background and scan in real time, follow these steps:

  1. Type Defender on the start screen and press Enter.
  2. Windows Defender will open.
  3. Check the protection status in real time (on/off).
  4. Check the status of virus and spyware definitions.
  5. If necessary, click the "Update" button.
  6. Quit Windows Defender.
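The same checks as the six manual steps above, done from PowerShell so they can be scripted and repeated. This is an added example, not code from the article; it assumes the Defender PowerShell module that ships with Windows 8.1 and later, and the three-day staleness threshold is an assumption chosen for the example.

```powershell
# Added example (not part of the original article). Uses the Defender module
# (Get-MpComputerStatus / Update-MpSignature) to check real-time protection
# and definition age, and updates definitions if they are stale.
$MaxSignatureAgeDays = 3   # assumed threshold for this example

function Get-DefenderHealth {
    $status = Get-MpComputerStatus

    # Mirrors what the Windows Defender window shows: protection status
    # (step 3) and definition status (step 4)
    [pscustomobject]@{
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        AntivirusEnabled     = $status.AntivirusEnabled
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        LastQuickScanEnded   = $status.QuickScanEndTime
    }
}

$health = Get-DefenderHealth
$health | Format-List

if (-not $health.RealTimeProtection) {
    Write-Warning 'Real-time protection is OFF; Defender is not monitoring the system.'
}

if ($health.SignatureAgeDays -gt $MaxSignatureAgeDays) {
    Write-Warning "Definitions are $($health.SignatureAgeDays) days old; updating..."
    Update-MpSignature           # equivalent of clicking Update (step 5)
    (Get-DefenderHealth).SignatureLastUpdated
}
```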

Because Microsoft uses data from millions of computers around the world to update malware signatures through Windows Update, your Windows PC is protected from the ever-present threat of malware.

Enterprise customers, to protect against malware, configure their PCs to update with enterprise-grade anti-spyware software, which gives more control options such as deployment and quarantine-based isolation.

The introduction of UAC has significantly reduced PC infection rates, although malware also continues to evolve and find new and innovative ways to infect a computer.

UAC user protection

We have already mentioned User Account Control (UAC) in this article, and we want to once again emphasize the importance of keeping this feature at its default setting. UAC protects not only the registry, but the entire Windows system.

Most malicious infections and registry damage are associated with tasks performed as an administrator, the most trusted status. Standard user accounts, on the other hand, are limited in their ability to make changes to the system, to the point of preventing the launch of suspicious tools that could be used to make unwanted changes; this also blocks legitimate tasks such as installing an application, which is its own inconvenience.

Some sources mention User Account Control as a tool to protect the system from the user himself, but, unfortunately, it is often ignored by home computer owners. As mentioned, this is primarily due to a lack of understanding of what UAC actually does and how it impacts the overall PC security strategy that is absolutely necessary in today's computing world. To put it bluntly, User Account Control is your primary weapon against the ever-changing threat of malware.

Within an enterprise, ordinary users usually do not see UAC because they do not install software or make changes to the system. These tasks are performed by IT support specialists. IT professionals have the necessary administrative privileges, tools, and knowledge to properly respond to UAC requests.

As mentioned, most home PC users are computer administrators. For home enthusiasts, UAC is often annoying. Research has shown that over time, persistent UAC prompts backfire, causing users to ignore the warnings and instead consider User Account Control to be a mere barrier to user changes.

However, the main purpose of User Account Control is not to annoy users. Fortunately, in Windows 8, some changes have been made to the interaction between User Account Control and the user. This fine-tuning is certainly welcome, but can mostly be recognized by new Windows users who haven't been disappointed by UAC since its introduction in Windows Vista.

To change User Account Control settings, enter UAC on the start screen and press Enter.

Standard user accounts can be used to perform the following tasks:

  • Recording to CD/DVD media
  • Changing your desktop background
  • Changing your time zone
  • Changing your user account password
  • Configuring access settings
  • Setting Power Options
  • Connect to Wi-Fi or local network
  • Installing drivers with Windows Update or those that come with Windows
  • Installing updates from Windows Update
  • Changing display settings
  • Connecting and setting up Bluetooth devices and PC
  • Troubleshooting and network diagnostics
  • Playback from CD/DVD media
  • Recovering your own files from file history
  • Connecting to another computer using Remote Desktop
  • View most settings, although you will need to be elevated if you try to change them.

Administrators have more power - they can read, write, execute, change all resources and access rights on the PC.

One of the most noticeable aspects of User Account Control is that even an administrator must work with routine standard user-level permissions. Only when he attempts to perform an administrative task will a UAC pop-up window appear, making it clear that the task requires administrative rights to complete the operation (or cancel it). This principle is known as administrator approval mode.

UAC elevation types

Permission type - Description

Consent (permission) - shown only to administrators running in admin approval mode when they attempt to perform an administrative task
Credential (temporary permission) - shown to standard users when they attempt to perform an administrative task

Typical scenarios in which a standard user would need to be elevated to administrative privileges to perform a task include the following:

  • Add or remove a user account
  • Go to another user's folder
  • Changing user account types
  • Changing Windows Firewall Settings
  • Setting up automatic updates
  • Setting up parental controls
  • Installing device drivers
  • Installing ActiveX Controls
  • Installing and uninstalling applications
  • Change User Account Control settings
  • Moving or copying files in the Program Files or Windows directory
  • Restoring system backup files
  • Schedule automated tasks.

For users of Windows 8.1 and later versions, disabling User Account Control is not possible; it is in fact an integral part of the modern operating system's security model. But you can silence it by moving the slider to the very bottom (Never notify).
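The slider described above is backed by a handful of registry values, so whether UAC has been silenced can be audited without opening the settings dialog. This is an added example, not code from the article: the value names and their meanings are the documented ones under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the "Silenced" verdict and the level labels are this example's own interpretation.

```powershell
# Added example (not part of the original article). Reads the registry values
# behind the UAC slider, labels the resulting level, and reports whether the
# current process is running with an elevated (administrator-approved) token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $uacKey

    # EnableLUA: 1 = UAC on, 0 = off (effective only after a reboot).
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = prompt for consent
    #   (Always notify), 5 = prompt only for non-Windows binaries (default).
    # PromptOnSecureDesktop: 1 = dim the screen while prompting.
    # ConsentPromptBehaviorUser: 0 = deny elevation, 1 = prompt for credentials,
    #   3 = prompt for credentials on the secure desktop.
    $enableLua  = [int]$p.EnableLUA
    $adminMode  = [int]$p.ConsentPromptBehaviorAdmin
    $userMode   = [int]$p.ConsentPromptBehaviorUser
    $secureDesk = [int]$p.PromptOnSecureDesktop

    # Map the value combinations back to the slider positions
    $level = switch ($true) {
        ($enableLua -eq 0)                        { 'Disabled (EnableLUA=0)'; break }
        ($adminMode -eq 0)                        { 'Never notify (slider at the bottom)'; break }
        ($adminMode -eq 2 -and $secureDesk -eq 1) { 'Always notify'; break }
        ($adminMode -eq 5 -and $secureDesk -eq 1) { 'Default: notify when apps try to make changes'; break }
        ($adminMode -eq 5 -and $secureDesk -eq 0) { 'Notify without dimming the desktop'; break }
        default                                   { "Custom (admin=$adminMode, secureDesktop=$secureDesk)" }
    }

    [pscustomobject]@{
        EnableLUA                    = $enableLua
        ConsentPromptBehaviorAdmin   = $adminMode
        ConsentPromptBehaviorUser    = $userMode
        PromptOnSecureDesktop        = $secureDesk
        Level                        = $level
        # Admin approval mode only protects if administrators are actually prompted
        Silenced                     = ($enableLua -eq 0) -or ($adminMode -eq 0)
        StandardUsersDeniedElevation = ($userMode -eq 0)
    }
}

function Test-IsElevated {
    # Demonstrates admin approval mode: a member of Administrators logs on with a
    # filtered token, so this returns False until the process is elevated via UAC.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$state = Get-UacState
$state | Format-List
"This PowerShell process is elevated: $(Test-IsElevated)"

if ($state.Silenced) {
    Write-Warning 'UAC prompts are off: anything an administrator runs can change the registry and the system without asking.'
}
```

On a machine where the slider has been dragged to Never notify, the report shows ConsentPromptBehaviorAdmin = 0 and Silenced = True even though EnableLUA is still 1, which is exactly the "silenced but not disabled" state the paragraph above describes.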