Much of the InfoSec community's attention goes towards networks and servers, perhaps because people feel they have no reasonable chance of affecting Windows security holes. This is an interesting approach, as one could say, taking it to the other extreme:
If all desktops, user systems, were totally secure, a corrupted server or net would not matter half so much.
As long as desktop security is very bad, there will be zombies attacking servers and the net, and securing networks and servers becomes impossible, or at least far, far more difficult and expensive.
There has been little attention to simple things that can be done to improve Desktop resistance to viruses and worms, other than expensive, unreliable, cranky integrated Anti-Virus applications.
An alternative: what follows is part of making the Windows desktop more secure and able to alert others when it has been affected by one of many viruses or worms.
Many viruses and worms alter portions of the Registry in a highly predictable way.
Any desktop can trivially export its registry keys with standard MS programs.
Any desktop can replace its registry keys with standard MS programs.
If certain keys have been altered in certain ways, the desktop should alert its user to get assistance. This can be done almost entirely with standard MS programs.
In short, many networks and users have had failures and suffered damage that could have been caught and much damage prevented almost entirely with standard MS programs. In a word, pointlessly.
Having a desktop check its registry for common registry alterations takes a second, maybe two on an older system. It is so quick it can be:
Run at bootstrap time.
Run at NT logon time.
Run at shutdown.
Getting Registry Values.
To get registry keys, either in DOS at bootstrap time or in Windows, enter:
This is clunky as I am restricting myself to MS utilities which are very limited. Your programmer could do better in ten minutes, or you should be able to get a package for $10/seat. (Regedit line is one line to \Run)
rem regrun.sav is the known-good export of the same key, made once on a clean system
RegEdit /E regrun.dat HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
fc regrun.dat regrun.sav > comp.dat
find /C "****" comp.dat
if errorlevel 1 goto OK
rem A change was found: replace the offending area with the saved copy
RegEdit /D HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
RegEdit /I regrun.sav
rem Warning or halt batch statements go here
:OK
rem rest of batch file.
The MS FC command (file compare) does not return an errorlevel code, but FIND does: a 1 for 'not found'. So we run FC to generate a change list and then FIND the asterisks, which FC prints only when there was a change.
If there was a change, FIND finds the asterisks and the ERRORLEVEL is zero, which is the problem state. So we check for ERRORLEVEL 1, which indicates no asterisks and therefore an equal compare.
It would be a lot easier if MS returned a code from FC. Did I say the words "Shabby design"? No I did not.
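The same check, done as an added example rather than with the author's batch file or RegCheck: parse a saved export of the Run key and a fresh one and report which values were added, removed or changed, instead of only spotting FC's asterisks. The two .reg texts below are constructed samples in the REGEDIT4 export format; the value names and paths in them are made up for the example.

```python
import re

# The key the page's batch file exports and restores.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline export (what regrun.sav would hold). In a .reg
# file a single backslash in string data is written as "\\".
BASELINE = f'''REGEDIT4

[{RUN_KEY}]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
'''

# Constructed current export: one value altered, one unknown value added.
CURRENT = f'''REGEDIT4

[{RUN_KEY}]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"SystemTray"="C:\\\\WINDOWS\\\\TEMP\\\\systray.exe"
"NewUnknownEntry"="C:\\\\WINDOWS\\\\SYSTEM\\\\unknown.exe"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data"

def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value_name: data} for the [key] section of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new [HKEY...] section header
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[m.group(1)] = m.group(2)
    return values

def diff_run_values(baseline, current):
    """Classify differences; all-empty lists are the 'equal compare' state."""
    old, new = parse_run_values(baseline), parse_run_values(current)
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }

def registry_altered(baseline, current):
    """True when any Run value was added, removed or changed (the alert case)."""
    return any(diff_run_values(baseline, current).values())
```

On a real desktop the two strings would be read from the export files the batch file produces, and a non-empty result is what should trigger the warning or restore step.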
Ergo: we can check for various viruses that alter the registry, a tiny bit less than half of them, right now, with MS utilities, on logon, at bootstrap, periodically or at shutdown.
So, why aren't you doing it? We are, but we use RegCheck, our utility that does just the above, faster.
RegEdit switches:
/L:system    Specifies the location of the SYSTEM.DAT file.
/R:user      Specifies the location of the USER.DAT file.
filename1    Specifies the file(s) to import into the registry.
/C filename2 Specifies the file to create the registry from.
/E filename3 Specifies the file to export the registry to.
regpath1     Specifies the starting registry key to export from. (Defaults to exporting the entire registry.)
/D regpath2  Specifies the registry key to delete.