Shortly after I first released this paper, I was contacted by Gavin Stark, author of InstallWatch Pro and President of Epsilon Squared. I actually sent him an e-mail that didn't get through, apparently because of ISP problems. But my paper generated quite enough traffic to his site to get his attention, and that's how he found out about this paper. We have exchanged a few e-mails, mainly for answering questions raised in the first version and thinking of ideas for a future release of InstallWatch. Some questions that proved to be irrelevant to InstallWatch Pro were simply dropped; others have been annotated in the text. Here is some more info that we exchanged on this project that might be of interest to the reader.
From: Gavin Stark
----------
Floydman, As the author of InstallWatch, I read with interest your discussion of InstallWatch Pro. You were very accurate and reasonable in your review and I am intrigued with the idea of using InstallWatch as a security application. We did not, as you accurately ascertained, originally design the application for such but I am always looking for ways to improve the software. I'd like to respond to several things in your document and perhaps solicit some input from you on ways to improve the software.

(snip)

The CRC algorithm is CRC-32, compatible with the version used by WinZip, etc. Perhaps not as strong as MD5 or something, but sufficient for the current use, which is to find files that are content-different but have the same date/time, etc. (Some sneaky install programs do this to you.)

I would like to get feedback from you, and the community, on how to make InstallWatch more useful in the scenario you are documenting. For example, we have the following command line options available in InstallWatch:

-snapshot (perform a snapshot)
"-analyze=Name of Install" (perform an analyze - quotes are required if you want a space in the install name)
-configure (configure)
-wizard (go through an install in wizard mode)

- I have added a "-quiet" option to the command line switches which will prevent InstallWatch from displaying any UI during the various batch processes the other command line switches offer.

(snip)

As an intrusion detection system I would recommend removing the file "skipit.dll" from the installation directory and we will not skip any files by default. SkipIt.DLL is a plugin where we can update the list of skipped files dynamically. If you don't want us to skip any of the default files, just zap skipit.dll.

Here is a list of the default files we skip:
Anything in the \RECYCLED directory (The directory named RECYCLED in the ROOT directory)
Anything in the EPSILON SQUARED directory (This is any directory named EPSILON SQUARED - not very secure for an intrusion detection system as the hacker could put his tools there...)
Anything in the "TEMPORARY INTERNET FILES" directory
Any files named: FFASTUN, WIN386.SWP, PAGEFILE.SYS, *.IWT, *.IWC, *.IWS, *.IW_, *.IWK, *.LDB, *.TMP, SYSTEM.DAT, USER.DAT, SYSTEM.DA0, USER.DA0, NTUSER.DAT, NTUSER.DAT.LOG, DEFAULT, DEFAULT.LOG, SAM, SAM.LOG, SECURITY, SECURITY.LOG, SOFTWARE, SOFTWARE.LOG, SYSTEM, SYSTEM.DAT

(snip)

The "All Files" / "All Registry" listing will now (when 2.5d is released) show as the first column the action that happened to the item (added, deleted, modified). (Note: this will improve output clarity in text or html files.)
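To make the snapshot/analyze cycle concrete, and to show the two points from the exchange above (a CRC-32 catching a content change that preserves date/time and size, and a skip list being a blind spot for an integrity checker), here is an added example in Python. It is not InstallWatch's or Epsilon Squared's code; the directory tree, file names and skip patterns it builds are constructed for the demonstration.

```python
"""Snapshot/analyze file-integrity check in the style described above.
Added example; not InstallWatch or Epsilon Squared code. The tree, file
names and skip patterns below are constructed for the demonstration."""
import fnmatch
import os
import shutil
import tempfile
import zlib
from typing import Dict, List, Tuple

Entry = Tuple[int, int, int]   # (size, mtime_ns, crc32)
Snapshot = Dict[str, Entry]    # relative path -> Entry

# Constructed stand-in for a skipit.dll style skip list (matched on file name only).
CONSTRUCTED_SKIP = ("*.tmp", "pagefile.sys")


def crc32_of(path: str) -> int:
    """CRC-32 of a file; zlib.crc32 uses the same polynomial as ZIP tools."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc


def is_skipped(name: str, skip) -> bool:
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in skip)


def take_snapshot(root: str, skip=()) -> Snapshot:
    """Record size, mtime and CRC-32 of every file under root not on the skip list."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_skipped(name, skip):
                continue          # blind spot: skipped files are never recorded
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (st.st_size, st.st_mtime_ns, crc32_of(full))
    return snap


def analyze(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str]]:
    """Diff two snapshots into (action, path, evidence) rows, action first as in
    the 2.5d listing. Evidence 'crc32 only' marks a content change that kept
    the file's size and timestamp, which a date/time-only check would miss."""
    rows = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            rows.append(("added", path, "new file"))
        elif path not in after:
            rows.append(("deleted", path, "missing"))
        elif before[path] != after[path]:
            fields = ("size", "mtime", "crc32")
            changed = [f for f, b, a in zip(fields, before[path], after[path]) if b != a]
            evidence = "crc32 only" if changed == ["crc32"] else ", ".join(changed)
            rows.append(("modified", path, evidence))
    return rows


def demo(skip=CONSTRUCTED_SKIP):
    """Build a constructed tree, simulate an install on it and return
    (analysis rows, files the skip list hid from both snapshots)."""
    root = tempfile.mkdtemp(prefix="iw-demo-")

    def write(rel: str, data: bytes) -> str:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        return full

    try:
        hosts = write("etc/hosts", b"127.0.0.1 localhost\n")
        write("program/readme.txt", b"hello\n")
        write("program/old.dll", b"old library\n")
        write("install.tmp", b"scratch\n")
        before = take_snapshot(root, skip)

        # The "sneaky install": same-length content written to hosts, then the
        # original timestamp restored so date/time and size look untouched.
        st = os.stat(hosts)
        write("etc/hosts", b"127.0.0.1 l0calhost\n")
        os.utime(hosts, ns=(st.st_atime_ns, st.st_mtime_ns))
        write("program/new.dll", b"new library\n")
        os.remove(os.path.join(root, "program", "old.dll"))
        write("install.tmp", b"tampered\n")   # matches the skip list: never seen
        after = take_snapshot(root, skip)

        rows = analyze(before, after)
        hidden = sorted(p for p in take_snapshot(root) if p not in after)
        return rows, hidden
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    rows, hidden = demo()
    for action, path, evidence in rows:
        print(f"{action:<9} {path:<20} {evidence}")
    print("not checked because of the skip list:", hidden)
```

Running the script lists the modified hosts file as "crc32 only" (its size and timestamp are identical between snapshots, so only the checksum reveals the change), the added and deleted DLLs with the action in the first column, and then install.tmp as a file neither snapshot ever looked at. Passing `demo(skip=())` is the equivalent of zapping skipit.dll: the hidden list becomes empty and the tampered file shows up as modified.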
Although the -quiet switch could help improve the stealth of InstallWatch or be useful to regular users, it is still not ideal for an IDS file integrity checker. Even if no visual output is shown, an intruder could still notice a decrease in performance as InstallWatch works. To solve this, I suggested an -ids switch that could do the following:
- implement the correct configuration for IDS purposes (i.e. does not launch on startup, does not detect "setup procedures")
- that means that InstallWatch Pro can only be launched manually
- a time-out could then close InstallWatch if left open and unattended for 5 minutes (removing it from memory until it is manually started again)
This may come in a future release, but nothing is confirmed yet.
Comments and questions about InstallWatch and InstallRite should be directed to Epsilon Squared Inc. (www.epsilonsquared.com), unless it also relates to its use as a Tripwire-like system, in which case I'd like to know about it too (floydian_99@yahoo.com).