Manuel Lopez-Michelone

asked on

Avoiding writing to the hard disk...

Hi guys,

Here is the problem: I noticed a nasty behaviour from some sites on the net. Many of them download (without user permission) some programs (most of them spyware, adware, even viruses, etc.) and immediately create subdirectories in Program Files, the windows/system group or other parts of the hard disk. Then they run their programs and install monitors that are not easy to get rid of. These sorts of programs even write to the registry (they want to be alive as soon as the user reboots or restarts the system).

I wonder if there is a way to find out (thru Delphi) when some program wants to write some info to the hard disk or the registry, and to avoid or cancel it before it occurs? Any ideas?

best regards
Manuel López (lopem)
ASKER CERTIFIED SOLUTION
Ivanov_G

I will be most interested in this post and may be able to offer suggestions when I research it more.

Hypoviax

ASKER

Thanks Hypoviax... I will start making some experiments with Ivanov_G's comment. Let's see if we get more answers...

Thanks in advance.
Manuel Lopez (lopem)
I'm working on a security application myself, and so if your question is possible it will be useful to me too. I will have a specific look into the registry aspect of the question.

Regards,

Hypoviax
and...

http://delphi.about.com/library/code/ncaa052003a.htm

is some source which may be helpful.
I guess you need to PREVENT a malevolent program from writing to the registry and HDD, not just observe, right? This might be just a little more difficult...
But if you can observe the locations you can take action. If it writes to the registry then just delete that key. If it writes to the hard disk, delete the file. If you can detect it, you have minimal problem preventing it.

Hypoviax
My thoughts on this matter are that you need to redo your security settings in IE or get rid of it altogether and get Firefox. This is like driving a tack with a sledgehammer.

No need to fix Bill Gates' screw-ups, just set them correctly.
But EddieShipman, such a feature is worthwhile as it would enable complete control over registry changes and disk writing, thus allowing for protection against unknown or undetected spyware, viri etc. Although currently Firefox is safer than IE, it will not be long before exploits will be found. Being able to control registry writing is, in my opinion anyway, a very good security feature. You could even automate it. Monitor the registry - if a program writes a known bad entry then the user could be alerted and the key removed. Similarly for disk writing. A new file is detected. It is scanned to determine whether or not it is a malicious exe. It then could be removed.

Regards,

Hypoviax
LSORRELLS

I have no idea but possible strategies:

A strategy could be to open and keep open the registry file with a Delphi program. This would prevent writes to the registry file but would allow other programs to read it. You would then have to trap for attempts to write to the file and bring up a window which would allow you to grant permission (in essence you would close the file for a limited amount of time and then reopen it after the change is made) for the change.

Copy the Registry yourself and poll for changes to it. Do a file comparison and pull out the changes. If they are OK then back up the new registry file, and if not, replace the new file with the old copy.

Of course Spybot v1.3 already does that very well and for free and without ads or anything else so you might want to just use that.
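The snapshot-and-compare approach LSORRELLS describes, applied to the HKLM Run autostart key the question mentions, as an added Delphi example (not code from this thread or from Spybot). It assumes RunKey as the watch target, that its values are strings, and that the program is stopped with Ctrl+C; it only reports new or changed entries, it does not remove them.

```delphi
program RunKeyWatch;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, Classes, Registry;
const
  RunKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; // assumed watch target
// Snapshot the Run key as Name=Data lines (values assumed to be strings)
procedure SnapshotRunKey(Snapshot: TStrings);
var Reg: TRegistry; Names: TStringList; I: Integer;
begin
  Snapshot.Clear;
  Reg := TRegistry.Create(KEY_READ); Names := TStringList.Create;
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if Reg.OpenKeyReadOnly(RunKey) then begin
      Reg.GetValueNames(Names);
      for I := 0 to Names.Count - 1 do
        Snapshot.Add(Names[I] + '=' + Reg.ReadString(Names[I]));
    end;
  finally
    Names.Free; Reg.Free;
  end;
end;
// Print entries that are in New but not in Old, i.e. added or modified values
procedure ReportNewEntries(Old, New: TStrings);
var I: Integer;
begin
  for I := 0 to New.Count - 1 do
    if Old.IndexOf(New[I]) < 0 then
      Writeln('New or changed autostart entry: ', New[I]);
end;
var Key: HKEY; Before, After: TStringList;
begin
  Before := TStringList.Create; After := TStringList.Create;
  try
    SnapshotRunKey(Before);
    if RegOpenKeyEx(HKEY_LOCAL_MACHINE, RunKey, 0, KEY_NOTIFY, Key) <> ERROR_SUCCESS then
      Halt(1);
    while True do begin
      // Block until a value under the key is set, changed or deleted
      RegNotifyChangeKeyValue(Key, False, REG_NOTIFY_CHANGE_LAST_SET, 0, False);
      SnapshotRunKey(After);
      ReportNewEntries(Before, After);
      Before.Assign(After);
    end;
  finally
    After.Free; Before.Free;
  end;
end.
```

The notification wakes the loop only after the write has already happened, so this detects and reports rather than blocks, which is the limitation Hypoviax raised above.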
What about capturing every single attempt to write on disk? And I know, I can use Spybot or Spy Sweeper. The point is how to do the same task in Delphi :)

best wishes
Manuel Lopez (lopem)