Softpanorama: May the source be with you, but remember the KISS principle ;-)
Windows integrity checkers are very useful for finding Trojan programs and backdoors. The typical way of deploying them is to run the tool on startup and shutdown.
Theoretically they are also useful for maintenance, but in practice this goal is pretty difficult to achieve. Perl-written (or Python-written) integrity checkers are more flexible and thus have an edge over C-written tools like Tripwire. Perl-based checkers have been moved to a separate page: Perl-based Integrity checkers.
Part of Windows integrity checking is registry monitoring, and that should be done with a separate set of tools.
With the current proliferation of spyware you can greatly benefit from some kind of registry monitor, to be sure that no spyware is written to your registry. The simplest solution might be Microsoft's free Windows Defender. It works only for XP. But there are other solutions. RegMon by Mark Russinovich and Bryce Cogswell is another such free tool, very useful in analyzing the behavior of spyware and dubious programs like Adobe. The newer version is called Process Monitor:
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.
InstallWatch version 2.5 is provided as a free download and can be used as a monitoring tool during the installation of new software. Epsilon Squared, the distributor of InstallWatch, also offers InstallRite for free. The web site says that InstallRite lets you do "application cloning," in addition to all of the things that InstallWatch does, so you can clone a software installation without going through the installation process.
Mar 31, 2004 (securityfocus.com)
This article is written with the open source host integrity applications Osiris and Samhain in mind; however, the material presented is certainly not unique to these applications.
... ... ...
The basic idea behind host integrity monitoring applications is that they detect and report on change to the system. It gets most interesting when a change is unauthorized or unwanted. Much of the monitoring is focused on the file system. However, other environmental vectors can be monitored as well. For example, Samhain has the ability to search for rootkits and monitor login and logout activities. Osiris has the ability to monitor the state of loaded kernel extensions and the details of changes to the local user and group databases. Detected change is reported in the form of log files, syslog, the Windows Event Viewer, and possibly emailed to an administrator.
... ... ...
To better appreciate the role a host integrity system serves, imagine you find a new link to /etc/passwd that has been created in /tmp, a new kernel module that gets loaded without your knowledge, or a new user gets mysteriously created. How would you know if and when these types of changes occurred? There are commands that can be used to look for these happenings, but how would you know if and when to run them? What if these commands that you depend on for finding such changes were altered to hide specific information? Now, imagine you have hundreds of hosts that need to be monitored regularly to look for changes such as these.
Table One, below, compares features of some popular host integrity applications.

| Feature | Samhain | Osiris | INTEGRIT | AIDE |
|---|---|---|---|---|
| Monitors files | yes | yes | yes | yes |
| Monitors kernel | yes | yes | no | no |
| Platforms | Linux, FreeBSD, AIX 4.x, HP-UX 10.20, Unixware 7.1.0, Solaris 2.6, 2.8, and Alpha/True64 | Windows NT/2k/XP, Mac OS X, Linux, Solaris, FreeBSD, OpenBSD | Linux, FreeBSD, Solaris, HP-UX, Cygwin | Linux, FreeBSD, OpenBSD, AIX, Unixware 7.1.0, Solaris, True64, BSDi, Cygwin |
| Multiple administrators | no | yes | no | no |
| Supports modules | no | yes | no | no |
| License | GPL | BSD style | GPL | GPL |
| Centralized management | yes | yes | no | no |
| Signed databases | yes | no | no | no |
| Database integration | yes | no | no | no |

Table One: a comparison of popular host integrity applications.

More information on the above products can be found on their websites:
Samhain - http://la-samhna.de/samhain/
Osiris - http://osiris.shmoo.com
INTEGRIT - http://integrit.sourceforge.net/
AIDE - http://www.cs.tut.fi/~rammer/aide.html
Host Integrity Monitoring: Best Practices for Deployment, by Brian Wotring

Copyright 2003 by Tejas Software Consulting - All rights reserved.
... ... ...
This Open Testware Reviews feature article is made available as a public service of Tejas Software Consulting. Go to http://tejasconsulting.com/open-testware/ for more information about becoming a subscriber.
Reviewed: 2003-May-30
Version reviewed: 2.5c, 2000-Aug-25
Maintainer: Epsilon Squared, Inc.
URL: http://www.epsilonsquared.com/
Testingfaqs.org category: Test Implementation Tools
License: custom, binary-only
User interface: GUI, undocumented command line
InstallWatch is a Windows-based filesystem comparator tool, able to compare the contents of your filesystem and system registry between two points in time. It's probably most often used to tell the user what changes a software installation inflicts on a system, but testers can find several other uses for the tool. For example, you can find out exactly what your software's installation process does to your system, and compare this to the expected behavior of the installer. You can verify that the uninstall process removes everything it's supposed to, and no more. And for any kind of testing, you can check the "background" -- see if your software introduced unexpected changes on the disk during the course of testing.
I encountered a fairly long list of issues while using the tool, though it's still useful despite the flaws.
... ... ...
As far as I can tell from externally reported information, the last InstallWatch release was in August 2000. The latest copyright date is 1999 or 2000, depending on where in the product you look. There are numerous freeware catalogs that list the tool, and a few sites where users describe their experiences. There is a mailing list dedicated to InstallWatch, but it's largely inactive.
The target platforms for the tool are not mentioned in the internal documentation. An external source says it runs on Windows 95, 98, NT, and 2000. I ran it successfully on Windows 98, NT 4.0, and 2000, though the installation on Windows 98 didn't go very smoothly.
Further updates to the tool may be coming, but I don't have much confidence that there will be another release any time soon.
It's worth trying on later Windows releases to see if it's forward-compatible.
There is a mailing list for InstallWatch with fifty subscribers, but practically no activity in the last few years. The InstallRite mailing list does have a bit of traffic and more subscribers, including responses from the tool's author (see the Similar tools section).
The only documentation for InstallWatch is the on-line help, which is fairly thorough, though flawed in several ways. The screen shots and the text seem to apply to a previous version of the tool, though they're close enough to still be useful. One section of the help file implies that by default, no files are excluded from the snapshot, but a third-party paper and my experience indicates otherwise, and I noticed that it didn't look at the Recycle Bin. There is a command line interface for InstallWatch, but it is not documented at all in the on-line help (see the paper reference in the last paragraph of this section).
There is no public bug tracking system or configuration management for InstallWatch. Epsilon Squared is not marketing commercial support for InstallWatch, but it couldn't hurt to ask the tool's author, Gavin Stark, if he would take your money in exchange for support. He recently stated that he is accepting donations and that a ramp-up in interest would encourage him to accelerate tentative plans to release an updated version commercially.
There is a contextual help feature - you can click the Help icon and then click on an area of the application for help. However, in many cases I get a "The topic does not exist" error. I also encountered this error once within the on-line help. See the Limitations sections for details.
There is also a "Tour" page within the on-line help that's readily accessible from several places in the application. The tour gives a nice overview of how to use the tool.
I found several other InstallWatch reviews while googling around the Internet, some of them written when it was a commercial tool:
It's interesting to see the different uses that people have for this tool. The review from sacpcug.org talks about using InstallWatch to help uninstall software (he said it didn't work well for that purpose). And one writer described how to use InstallWatch as a security tool in "A poor-man Tripwire-like system on Windows 9x/NT", which also includes several insights from the tool's author that can't be found in the documentation.
- InstallWatch 1.2 Professional (winntmag.com)
- InstallWatch Pro 2.5c review (sacpcug.org)
- InstallWatch review (softpile.com)
- Jumbo Guides Install Watch Pro review (jumbo.com)
InstallWatch installs from a Windows executable that weighs in at about three and half megabytes. The "FTP Download" link on the Epsilon Squared web site is not functional, but the "HTTP Download" link works. No reboot is required after installation.
InstallWatch is distributed with a custom binary-only license, so there are no implementation details to report. The source code is not available.
I did have a bit of trouble installing the tool on Windows 98 SE. On the first attempt, the installer had a fatal error. This is perhaps a routine scenario for Windows 98 users. I did not get that error again after a reboot, but there was a problem setting up the uninstaller. I was not able to uninstall InstallWatch on my Windows 98 machine, which makes for wonderful irony.
I also had trouble with interactions between InstallWatch and Netscape 7.02 on Windows NT. I couldn't get Netscape to download the install file, though Opera handled it just fine. The "Updates" button also has a problem on any platform. With Netscape as my default browser, it brings up the most recently used Netscape window, even if it's not a Communicator window. I believe this is a long-standing Netscape bug. But that's okay, because the URL that the Updates feature uses is not valid anyway.
The "compact" installation option is so compact that even the main InstallWatch executable is not installed. Don't use that option.
At the end of the installation, there is an option to join Epsilon Squared's mailing list. This feature doesn't seem to do anything on my Windows 2000 system. On Windows 98 it starts up a message that you can send with your default mail program.
InstallWatch's performance is a factor of how large your registry is and how much data is on your hard drives, and also of the particular configuration options that you choose. Checking only the registry is fairly quick, and mostly dependent on your hard drive speed. Checking the files on the hard drive adds more time. If you want to enable more advanced file checking to see if a program changed the contents of a file without changing the modification time, that'll cost you more time, and it'll bind your performance more to CPU speed. I'm not sure what the file version info is on Windows, but I presume it's stored somewhere in the filesystem metadata. The most expensive check is the CRC, which reads all the data on the sections of the hard drive that you specify in order to check that the contents didn't change.
The table below shows times in minutes and seconds from four different runs of InstallWatch, each of which consisted of taking a snapshot, making no deliberate changes to the system, and then running the analysis looking for changes. I recorded these times on a slow laptop with about six and a half gigabytes of data in about 80,000 files to check, and 107,000 registry keys.
| Configuration options | Snapshot time (mm:ss) | Analysis time (mm:ss) |
|---|---|---|
| registry only | 1:22 | 1:04 |
| registry + file modification times | 3:57 | 1:27 |
| all of the above + file version info | 7:53 | 8:43 |
| all of the above + CRC info | 66:48 | 63:41 |
Because of the extra time required, you probably won't want to do the file version check or the CRC check on a regular basis unless you suspect that something is deliberately resetting file modification times to hide file content changes.
InstallWatch is often mentioned in the same breath as InCtrl5. In fact, because InCtrl5 seems to have more of a following, I was originally going to review it instead of InstallWatch. But PC Magazine recently started charging a small subscription fee to download the programs that are on their site, so that put InCtrl5 out of the freeware space. My impression after playing with InCtrl5 a bit is that it offers a feature set very similar to InstallWatch.
Epsilon Squared, the distributor of InstallWatch, also offers InstallRite for free. The web site says that InstallRite lets you do "application cloning," in addition to all of the things that InstallWatch does, so you can clone a software installation without going through the installation process. I probably would have reviewed InstallRite instead if I had taken a closer look ahead of time, especially since InstallRite has more users on its mailing list.
A similar free Windows tool I ran across during the review is Total Uninstall. The web page describes the same snapshot and compare process that InstallWatch and InCtrl5 use, plus it claims to be able to reverse the effects of an installation. It's available in several different languages.
A Windows & .NET Magazine article, "What's the Difference," describes Microsoft's sysdiff utility that can be useful for installation testing.
And finally, Linux users will be happy to hear that they have their own Installwatch tool, no relation to InstallWatch from Epsilon Squared. This tool has a clever design. It monitors all dynamically linked programs by hooking into the system libraries and recording system calls that modify the filesystem. It doesn't work if a statically linked program modifies the filesystem. The web site for this tool also refers to CheckInstall, which can use Installwatch to create an RPM archive to clone the results of a "make install." Therefore, CheckInstall also gives you the ability to uninstall when you use the RPM file, even if the program doesn't have an uninstall feature.
Here are the issues that I noted, a few of which are also mentioned elsewhere in this review.
Some tools start out as freeware and then go commercial. InstallWatch started as a commercial tool and is now available as freeware. I haven't gotten a solid picture of the history of the tool, but I'm very glad that the author, Gavin Stark, decided to release it as freeware when Epsilon Squared stopped marketing InstallWatch commercially. There are quite a few loose ends that seem to be the result of the transition to freeware status, all of them minor or fairly easy to work around. I didn't have any major frustrations with using the tool, and most users won't be looking for trouble on purpose like I was.
- The "Updates" button brings up a web browser and sends it to a defunct URL. This feature does not work.
- If I use the "compact" installation option, the tool will not start.
- The documentation says that by default no folders or files are excluded from the analysis, but the tool seems to exclude the Recycle Bin anyway. A statement by the tool's author repeated in the "A poor-man Tripwire-like system" paper lists several default exclusions, and they apparently can't be turned off.
- On Windows 98 SE, when I installed InstallWatch, I got an error: "unInstaller setup failed to initialize". When I try to uninstall, I get an error complaining about an uninst.isu file, and I can't uninstall the software. When I copied an uninst.isu file from a Windows 2000 installation and tried to uninstall, I got an error that says I need to use an administrator account, which doesn't make sense on Windows 98.
- The InstallWizard will not launch MSI installers. It reports falsely that they completed. It seems to work only with self-extracting executables. (I seem to remember InCtrl5 having the same problem.)
- I can print the summary pane that's visible when I click the top item in the tree for an installation, but I can't export it to html or text. The two export options are active but don't do anything.
- I can edit the summary pane after analyzing an installation (this feature is undocumented). If I click on the font family or font size widgets, the list of choices pops up in the wrong place, and all editing options disappear until I give focus back to the summary pane.
- I can't print or export all of the analysis data with one action. I have to save file, INI files, and the registry sections separately. The "Print Full Report" feature mentioned in the help text doesn't exist.
- If I have at least one analysis in the database, a "Search" item will appear in the tree. This appears to be a sophisticated feature for searching for something, but all I get from it is a "Duplicate search name" error when I try to use it. There is no documentation for this feature.
- When I launched a snapshot and analysis from the command line and then later start the InstallWatch GUI, the analysis data does not show any summary information at the top level.
- The option to join Epsilon Squared's mailing list during installation didn't seem to do anything on Windows 2000. It seems to work on Windows 98, though I'm not sure if anyone is listening on the other end.
- The comments on the screen when InstallWatch is doing its analysis refer to "Back up file information," which is confusing. Perhaps it's referring to the snapshot.
- When I try to export the analysis data for INI Files, there's no default filename like there is for other files and the registry. Also, I can't right-click on INI Files in the tree view to do the export like I can for "All files" and the registry.
- The usage of the "Wait a while... I'm not finished yet" button is confusing. Processing seems to be going on in the background somehow. Also, the list that the button pops up includes a misspelling - "Indefinate."
InstallWatch is basically a convenient Windows-based mechanism for comparing the contents of your disk between two points in time. Two special cases where the tool parses the contents of a file to give you more details about the changes are the registry, and the registry's older cousins, INI files. It's very interesting to see the changes that occur in the registry during the normal course of using your computer, though it can be frustrating trying to figure out which of the changes were initiated by the software you're testing and which ones were initiated directly by something else.
Typically, you would use InstallWatch to report exactly what the installation process for a software package does to your system. But there are many other possible uses for the tool, such as the security aspect mentioned earlier, or you could run it before and after a test run to see if the software you're testing makes unexpected changes to the system.
Unix users can implement the same filesystem comparison mechanism with a few dozen lines of script code. Or with something more clever like the Linux Installwatch program, the performance would be much faster, since changes are tracked at the source rather than exhaustively analyzing the hard disks.
InstallWatch doesn't go as far as being able to undo an installation, though it can save the added or both added and modified registry keys. It also doesn't make it easy to test the uninstallation process, because after it does its comparison, it erases the snapshot. It would be nice if it could save a new snapshot when it does an analysis, so you could take a snapshot, install something, do the analysis, then uninstall the software and do another analysis.
You can start a snapshot three different ways. You can click "Install" to start the InstallWizard, which will walk you through configuration, taking the snapshot, doing an install, and the analysis. It would be nice if it asked for all necessary information before taking the snapshot, so it could do all the time-consuming tasks without interaction. I did not use the InstallWizard very often, especially since it doesn't work with MSI files.
You can launch a comparison by configuring InstallWatch to detect when an installation is starting. I'm not sure how that works, but it dutifully detected my daughter installing the "Dora the Explorer Backpack Adventure" - it took the snapshot, launched the interactive installation process, and then did the analysis after the installation completed, frustrating my 4-year-old all the while, but giving me a nice real-world test.
And third, the mechanism I used most often - you can ask InstallWatch manually to take a snapshot at any time. Then do whatever you want on the system, and when you're done, kick off the "Analyze" phase to generate the comparison. This is the mechanism that opens up the tool to a number of different uses, and is the only way to check an uninstallation process.
I can't help but throw in a little folklore. While I was searching for background information about InstallWatch, I came across the Jargon File definition for "epsilon squared." It means "A quantity even smaller than epsilon, as small in comparison to epsilon as epsilon is to something normal; completely negligible." Hmmm. Gavin Stark tells me, "We chose this name since in the industry we are small fries compared to the big players such as Microsoft or Symantec, etc."
If you're a Windows user and want a fairly easy-to-use brute force filesystem comparison tool, InstallWatch is worth a look.
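The "few dozen lines of script code" the review mentions, worked out as an added example that is not code from Softpanorama, InstallWatch, Samhain, Osiris or the review's author. It takes a snapshot (type, size, mtime and a SHA-256 content hash per file), diffs two snapshots, and signs the stored baseline with an HMAC, the "signed databases" feature Table One credits to Samhain, so that someone who edits the baseline to match a swapped file is caught too. The `demo()` function builds a constructed directory tree in a temp folder and reproduces the case the performance section warns about: a file whose contents are replaced at the same length with its modification time put back. A metadata-only comparison reports nothing; the hash comparison reports the change. The demo key, file names and layout are assumptions of the example.

```python
"""Snapshot-and-compare integrity checker with an HMAC-signed baseline.

Added example; not code from Softpanorama, InstallWatch, Samhain or Osiris.
Assumptions: the monitored tree is a plain directory, the baseline is kept as
JSON, and the HMAC key is supplied by the caller (demo key is constructed).
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, bufsize=1 << 16):
    """Content hash: the slow, CRC-style check that has to read every byte."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, hash_contents=True):
    """Record type, size, mtime and (optionally) a content hash for every file under root."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                     # deterministic walk order, reproducible JSON
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():              # record the link itself; never follow it
                entries[rel] = {"type": "symlink", "target": os.readlink(p)}
                continue
            st = p.stat()
            rec = {"type": "file", "size": st.st_size, "mtime": int(st.st_mtime)}
            if hash_contents:
                rec["sha256"] = sha256_of(p)
            entries[rel] = rec
    return entries


def _canonical(entries):
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(entries, key):
    """Attach an HMAC so that edits to the stored baseline are themselves detectable."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_baseline(baseline, key):
    expected = hmac.new(key, _canonical(baseline["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def compare(old, new, check_hash=True):
    """Diff two snapshots; with check_hash=False only cheap metadata is compared."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rel in sorted(set(old) & set(new)):
        a, b = old[rel], new[rel]
        fields = [k for k in ("type", "size", "mtime", "target") if a.get(k) != b.get(k)]
        if check_hash and a.get("sha256") != b.get("sha256"):
            fields.append("sha256")
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: same-size content swap with mtime restored, plus a dropped file."""
    key = b"constructed-demo-key"           # a real deployment keeps the key off the monitored host
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    target = root / "bin" / "ls"
    target.write_bytes(b"original binary")  # 15 bytes
    (root / "config.ini").write_text("[app]\nlevel=1\n")
    baseline = sign_baseline(snapshot(root), key)

    st = target.stat()
    target.write_bytes(b"trojaned binary")  # also 15 bytes, so size is unchanged
    os.utime(target, (st.st_atime, st.st_mtime))   # put the old mtime back
    (root / "new.dll").write_bytes(b"dropped")
    current = snapshot(root)

    cheap = compare(baseline["entries"], current, check_hash=False)
    full = compare(baseline["entries"], current, check_hash=True)

    # Rewriting the stored baseline to match the swapped file breaks its HMAC.
    tampered = json.loads(json.dumps(baseline))
    tampered["entries"]["bin/ls"]["sha256"] = current["bin/ls"]["sha256"]
    shutil.rmtree(root)

    return {
        "cheap_changed": cheap["changed"],             # {} : metadata check misses the swap
        "full_changed": full["changed"],               # {"bin/ls": ["sha256"]}
        "added": full["added"],                        # ["new.dll"]
        "baseline_ok": verify_baseline(baseline, key),  # True
        "tampered_ok": verify_baseline(tampered, key),  # False
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the demo result. The design point is the one the review's timing table makes in numbers: size-and-mtime snapshots are cheap and good enough for routine installation tracking, while the content hash is what you pay for when the concern is something deliberately resetting timestamps; the HMAC addresses the separate question of whether the baseline you compare against can be trusted at all.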
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: August 13, 2009