   Mischel Internet Security Forum
   Author  Topic: Input wanted from network administrators...  (Read 1304 times)
Magnus
« on: Sep 21st, 2005, 4:20am »

The new version of TrojanHunter saves its settings in the registry under the key HKEY_CURRENT_USER\Software\TrojanHunter. I would like to know how most admins handle default registry settings.
 
Example:
 
The TrojanHunter detection rules are normally loaded from the folder where TrojanHunter is installed. This can be changed by altering HKEY_CURRENT_USER\Software\TrojanHunter\Paths\RulesDir to point to the folder to load detection rules from. If you as an administrator wanted to change this setting, which would you prefer?
 

  • (A) That the setting was changed by altering HKEY_CURRENT_USER\Software\TrojanHunter\Paths\RulesDir, e.g. via a login script
  • (B) That the setting could be changed by altering HKEY_LOCAL_MACHINE\Software\TrojanHunter\Paths\RulesDir
  • (C) Doesn't matter

 
Any and all input is appreciated!
MadAxe
« Reply #1 on: Sep 21st, 2005, 10:51am »

B
claire
« Reply #2 on: Sep 21st, 2005, 10:57am »

An answer from Phantom
 
http://www.mntolympus.org/phpbb2/viewtopic.php?p=1391#1391
Magnus
« Reply #3 on: Sep 22nd, 2005, 9:03am »

I'm leaning towards the following solution:
 
Check HKEY_CURRENT_USER\Software\TrojanHunter for the configuration value. If it does not exist, check HKEY_LOCAL_MACHINE\Software\TrojanHunter for it and use that value if it exists. Otherwise use the default value.  
 
MadAxe
« Reply #4 on: Sep 22nd, 2005, 9:28am »

With Current User, it has to be done each time a new user logs into the machine.
 
While managing definitions, I want everyone to have the same updated files.
 
Local Machine affects all users of the machine. It's also easier to check remotely if the user is not logged in. There's only one key to check instead of multiple keys.
 
Also, Current User has write permissions assigned to that user. A lot of malware programs exploit this to add their registry settings.
 
Local Machine will not let a normal user modify the registry. Once it's set on an administrative level, it stays unless changed by an administrator.
 
These are the reasons why I prefer B.
« Last Edit: Sep 22nd, 2005, 9:28am by MadAxe »
Magnus
« Reply #5 on: Sep 22nd, 2005, 9:34am »

I'm thinking there could be a setting called NoUserOverride in HKEY_LOCAL_MACHINE\Software\TrojanHunter. If present, TrojanHunter would ignore any settings present in the HKCU part of the registry. This setting could then be the default for the Enterprise version so that users could not modify any TrojanHunter options unless the administrator explicitly removed the setting.
 
In the standard version this setting would not be present and thus every user could have their own settings when they run TrojanHunter.
« Last Edit: Sep 22nd, 2005, 9:35am by Magnus »
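
The lookup order proposed in replies #3 and #5, sketched as an added example that is not part of the thread and not TrojanHunter's own code. It assumes the registry can be modelled as a dict keyed by (hive, path), that `C:\TrojanHunter` is the default rules folder, and that any value stored under `NoUserOverride` enables it; the sample values are constructed.

```python
# Added illustration, not TrojanHunter code. The registry is modelled as a
# dict keyed by (hive, path) so the logic runs anywhere; on Windows the
# reads would go through the standard winreg module instead.
BASE = r"Software\TrojanHunter"
DEFAULTS = {r"Paths\RulesDir": r"C:\TrojanHunter"}  # assumed install folder


def read(registry, hive, name):
    """Return the value at hive\\BASE\\name, or None when it is absent."""
    return registry.get((hive, BASE + "\\" + name))


def resolve(registry, name):
    """Return (value, source) using the HKCU -> HKLM -> default order."""
    # NoUserOverride is honoured only in HKLM, which a normal user cannot
    # write; a copy of the flag under HKCU is never consulted.
    locked = read(registry, "HKLM", "NoUserOverride") is not None
    if not locked:
        value = read(registry, "HKCU", name)
        if value is not None:
            return value, "HKCU"
    value = read(registry, "HKLM", name)
    if value is not None:
        return value, "HKLM"
    return DEFAULTS[name], "default"


def user_overrides(registry):
    """List (name, hkcu_value, baseline) for per-user values that differ
    from the machine-wide value or default: drift an admin should review."""
    prefix = BASE + "\\"
    drift = []
    for (hive, path), value in sorted(registry.items()):
        if hive != "HKCU" or not path.startswith(prefix):
            continue
        name = path[len(prefix):]
        baseline = read(registry, "HKLM", name)
        if baseline is None:
            baseline = DEFAULTS.get(name)
        if value != baseline:
            drift.append((name, value, baseline))
    return drift


# Constructed sample: the admin set HKLM, a per-user value shadows it.
SAMPLE = {
    ("HKLM", BASE + r"\Paths\RulesDir"): r"\\fileserver\th-rules",
    ("HKCU", BASE + r"\Paths\RulesDir"): r"C:\Temp\rules",
}
```

Without `NoUserOverride` the per-user value wins for `SAMPLE`; adding the flag under HKLM makes the machine-wide value authoritative, and `user_overrides` reports the shadowing entry either way.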
MadAxe
« Reply #6 on: Sep 22nd, 2005, 12:34pm »

Yeah. In the enterprise setting it's important to have a baseline configuration.
Khaine
« Reply #7 on: Sep 27th, 2005, 12:44am »

How about having the rules stored in
 
C:\Documents and Settings\All Users\Application Data
 
like Kaspersky and Spybot do? This also means that the TrojanHunter directory doesn't need its permissions changed.
Magnus
« Reply #8 on: Sep 27th, 2005, 4:52am »

on Sep 27th, 2005, 12:44am, Khaine wrote:
How about having the rules stored in
 
C:\Documents and Settings\All Users\Application Data
 
like Kaspersky and Spybot do? This also means that the TrojanHunter directory doesn't need its permissions changed.

 
Wouldn't that mean that any user could delete the TrojanHunter rule files?  
Khaine
« Reply #9 on: Sep 27th, 2005, 5:05am »

I don't believe so. By default the All Users directory is read-only to "users" and read/write to administrators and services. I'm not sure about power users.
 
It simply means that the updater must run as a service or as an administrator.
 
But the same applies to TrojanHunter currently. If you want to run/update it currently as a user, you must allow write privileges to the TrojanHunter directory, which means that a malicious program running with the same privileges could delete the rules. Or you must run the updater as an administrator.
« Last Edit: Sep 27th, 2005, 5:06am by Khaine »
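
A check for the question raised in replies #8 and #9 (who can modify or delete the rule files), as an added example that is not from the thread. It assumes the folder's ACL was dumped with the Windows `icacls` tool, which the thread does not name, and that only Administrators and SYSTEM should hold write access; both ACL listings are constructed samples, not measured defaults.

```python
import re

# Assumption: only these principals should be able to change rule files.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}
FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not rights
WRITE = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "GA", "GW"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")


def writable_by_untrusted(icacls_output, path):
    """Return sorted principals outside TRUSTED whose allow entry grants
    write or delete rights on the folder."""
    found = set()
    for line in icacls_output.splitlines():
        line = line.strip()
        # The first output line repeats the path before the first entry.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m["groups"]):
            tokens.update(t.strip() for t in group.split(","))
        if "DENY" in tokens:
            continue  # a deny entry removes access, it does not grant it
        if (tokens - FLAGS) & WRITE and m["who"] not in TRUSTED:
            found.add(m["who"])
    return sorted(found)


# Constructed sample 1: an install folder opened up for user-run updates.
LOOSE_DIR = r"C:\TrojanHunter"
LOOSE = r"""C:\TrojanHunter Everyone:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""

# Constructed sample 2: a shared data folder, with a Power Users entry
# included to exercise the case Khaine was unsure about.
SHARED_DIR = r"C:\Documents and Settings\All Users\Application Data"
SHARED = SHARED_DIR + r""" BUILTIN\Users:(OI)(CI)(RX)
    BUILTIN\Power Users:(OI)(CI)(M)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)"""
```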
MadAxe
« Reply #10 on: Sep 27th, 2005, 6:58am »

Our setup
 
Our clients have TH installed at
 
C:\TrojanHunter
 
The folder has full write permissions.
 
A server runs liveupdate every day.
 
Login scripts copy the latest ruleset from that server to the local folder every login.
devnull
« Reply #11 on: Sep 27th, 2005, 8:36am »

B
A reason: HKLM is much easier to modify (even by remote registry editing).
spockman
« Reply #12 on: Dec 4th, 2005, 4:43pm »

on Sep 22nd, 2005, 9:34am, Magnus wrote:
In the standard version this setting would not be present and thus every user could have their own settings when they run TrojanHunter.

Most of my clients don't want any user changing any settings on security software. HKLM is the preferred location, too, as stated by MadAxe. It takes fewer resources to scan a known reg key and folder than to search a registry and HD path for possible multiple entries.