How good is it? I have not done the statistics, but it looks like it would get changes from any of the top worms including Magistr, SubSeven, Klez, Nimda, maybe 80 to 90% of the common infections by worms.
The main thing is that it is fast enough to be run at boot, about 6 seconds, and it is cost efficient. As it looks for traces by principle, not by pattern matching, it does not need the almost daily updates of A-V scans.
As I said, the program is intended for Tech Support to have a user run and then send in the files, so it drops results on the desktop, which makes it easy for an end user to find them.
I, Jay, did such a wrapper that spawns ScanLog and collects its results in order to compare them against a previous run.
This allows us to decide whether an incursion is likely. If not, the wrapper goes away.
If there is a change in the various things Windows uses to start, the user is alerted (or the Logon to NT may be aborted).
+----------------------+
|                      |
|  Call Tech Support   |
|                      |
|  Something is wrong. |
|                      |
+----------------------+
In short, it makes StartLog into an efficient, effective, small IDS tool.
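The snapshot-and-compare wrapper described above, written out as an added example. This is not Jay's wrapper and not the StartLog/ScanLog code: instead of spawning the scanner it enumerates the common Windows autostart locations itself (Run/RunOnce keys, the per-user and common Startup folders, services set to start automatically), compares that against the baseline saved on the previous run, and drops a change report on the desktop when anything differs. The baseline path under ProgramData, the list of registry keys, the report file name and the "exit 1 to hold the logon" convention are assumptions for the example.

```powershell
# Added example, not the original StartLog/ScanLog or wrapper code.
# Assumed baseline location: %ProgramData%\StartLog\baseline.json
$BaselinePath = Join-Path $env:ProgramData 'StartLog\baseline.json'

# Registry keys Windows consults at logon (assumed list; extend as needed,
# e.g. Winlogon\Userinit or Winlogon\Shell, recorded the same way).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    # Returns a flat hashtable: "location!name" -> value, so two runs can be diffed key by key.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $snap["$key!$($p.Name)"] = [string]$p.Value
        }
    }
    # Startup folders: record each file's size and last-write time, so a replaced file shows up too.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $snap["$dir\$($_.Name)"] = "$($_.Length):$($_.LastWriteTimeUtc.Ticks)"
        }
    }
    # Services that start automatically; the image path is what a worm would change or add.
    Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
        $snap["svc!$($_.Name)"] = [string]$_.PathName
    }
    return $snap
}

function Compare-Snapshot($old, $new) {
    # Reports additions, modifications and removals; any of the three is worth a look.
    $changes = @()
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k))  { $changes += "ADDED   $k = $($new[$k])" }
        elseif ($old[$k] -ne $new[$k])  { $changes += "CHANGED $k : '$($old[$k])' -> '$($new[$k])'" }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k))  { $changes += "REMOVED $k = $($old[$k])" }
    }
    return $changes
}

$current = Get-AutostartSnapshot

if (Test-Path $BaselinePath) {
    # Load the previous run's snapshot back into a hashtable.
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }

    $diff = Compare-Snapshot $baseline $current
    if ($diff.Count -gt 0) {
        # Something changed since the last boot: drop the report where the user will find it
        # and keep the old baseline so Tech Support can still see what it looked like before.
        $report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'StartLog-changes.txt'
        $diff | Set-Content -Path $report
        Write-Warning "Autostart entries changed ($($diff.Count)). Call Tech Support. Details: $report"
        exit 1   # assumed convention: a logon script can treat non-zero as "hold the logon"
    }
}

# No change (or first run): refresh the baseline and go away quietly.
New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
exit 0
```

Run it once to seed the baseline, then from a startup or logon script on every boot; the first run of a fresh machine produces no report, and the diff is only as trustworthy as the baseline, so seed it on a machine you believe is clean. Registry reads are fast, which is what keeps this in the "a few seconds at boot" range the post describes; the service enumeration via CIM is the slowest part and can be dropped if boot time matters more than service coverage.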