07-24-2005, 10:22 PM
nemo_outis
Guest

Re: What can one do against Keylogger Attacks?

"pclogger" <pclogger_888@hotmail.com> wrote in
news:1122184213.095971.216300@o13g2000cwo.googlegroups.com:

> nemo_outis wrote:
>>
>> All of those are sensible precautions and will work reasonably well
>> against garden-variety spies.
>>
>> However, they are grotesquely deficient against skilled adversaries.
>> For instance, if one has uninterrupted access to the machine for a
>> short while, it is child's play to install (i.e., substitute) a
>> modified driver

> Good one! To counteract this, besides good sensible precautions, one
> should also have a good pc audit trail logger; an install and forget
> utility that captures normal and unsolicited installation changes
> including
> 1) important directory changes (this would capture dll changes as
> well)
> 2) changes to nt services
> 3) changes to activex registrations
> 4) changes to auto startups
> 5) changes to standard installations
> 6) changes to schedulers
> 7) changes to shared drives and so on ...
>
> Probably, depending on the "security needs", one may need to install
> some form of intrusion detector. I think we are going o/t but still
> keen in this discussion - BTW - What is the best intrusion detector in
> the market and how many are using?

An intrusion detector is a good idea, but far from a panacea. While not a
classical ID, I use ProcessGuard (in combination with RegDefend). However,
ANY protection run under the OS is potentially inadequate if one does not
have continuous control and custody.

For instance, in principle, the OS could have been compromised to not show
the keylogger, to misreport its SHA256 or MD5 hash, etc. IOW the keylogger
may be, in essence, part of a rootkit suite.

The only solid defence against this is a scan from OUTSIDE the regular OS
- such as a hash-checker run from a Knoppix CD.

Yes, it's incredibly tedious but anything less is a kludge.

Regards,
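The thread's two practical suggestions, an audit trail of file changes and a hash-checker run from a live CD against the non-running system, reduce to the same mechanism: record hashes while the machine is known-clean, then compare a fresh snapshot against that record. The script below is an added example, not code from either poster; the mount point /mnt/target and the baseline location /media/usb are assumptions, and file names containing whitespace are not handled.

```shell
# Offline file-integrity check: hash a target disk that is mounted but NOT
# running (e.g. from a Knoppix CD), so a rootkit on that disk cannot lie about
# what is on it.  Example code added here, not from the original post.
# /mnt/target and /media/usb are assumed paths; whitespace in names unsupported.

# baseline_dir DIR OUT: write "sha256  ./relative/path" for every regular
# file under DIR into OUT, sorted by path.  Store OUT on trusted media.
baseline_dir() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_baseline DIR BASELINE: rehash DIR and compare against BASELINE.
# Prints one MODIFIED/ADDED/REMOVED line per difference; returns 0 only
# when the tree is unchanged.
verify_baseline() {
    base=$2; cur=$(mktemp) || return 2
    baseline_dir "$1" "$cur"
    # old[path]=hash from the baseline file; then walk the current snapshot.
    awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }
        !($2 in old)     { print "ADDED    " $2; next }
        old[$2] != $1    { print "MODIFIED " $2 }
                         { delete old[$2] }
        END { for (p in old) print "REMOVED  " p }' "$base" "$cur" \
        | LC_ALL=C sort > "$cur.report"
    cat "$cur.report"
    n=$(wc -l < "$cur.report" | tr -d ' ')
    rm -f "$cur" "$cur.report"
    [ "$n" -eq 0 ]
}

# demo: run both functions on a constructed sample tree (not a real system)
# in which one binary is replaced, one file is dropped in and one is deleted.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/sys/bin"
    printf 'original login binary\n' > "$t/sys/bin/login"
    printf 'untouched\n'             > "$t/sys/bin/ls"
    printf 'to be deleted\n'         > "$t/sys/bin/stale"
    baseline_dir "$t/sys" "$t/baseline.sha256"              # taken while clean
    printf 'replaced login binary\n' > "$t/sys/bin/login"   # simulated substitution
    printf 'new file\n'              > "$t/sys/bin/extra"   # simulated drop
    rm "$t/sys/bin/stale"
    verify_baseline "$t/sys" "$t/baseline.sha256"; rc=$?
    rm -rf "$t"
    return "$rc"
}

case "${1:-}" in demo) demo ;; esac   # "sh integrity.sh demo" runs the sample
```

In real use, run `baseline_dir /mnt/target /media/usb/baseline.sha256` once while the disk is known-clean, then `verify_baseline` with the same arguments from the live CD on each later check; a substituted driver shows up as a MODIFIED line even when the installed OS would hide it.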
