Backups
June 13, 2009 on 8:12 pm | In General | 1 Comment
An important, but quickly forgotten aspect of computer security is backing up important data.
In general there are two types of backups, full and incremental. A full backup is roughly the same size as the original data, before compression. An incremental backup saves only the changes since the last backup. By nature these will always be based on a full backup.
Storage is an important factor. How many backups do you need? Will there be circumstances when you need to go back more than one day? Maybe even a week? How often do you make a full backup and how many incremental backups will be made in between?
Another thing to consider is whether the backup device is bootable. In other words, do you need to copy the backup to the original place first or can you boot from the media device?
In case of disaster the data and the backup should be so far apart that the disaster can’t destroy them both. After all if the backup is destroyed in the same fire what good will it do you?
Although some solutions like the ioSafe Solo can withstand a lot.
New category: programming
February 4, 2009 on 1:34 pm | In General | 1 Comment
As you may have noticed I have started posting snippets of code.
Mostly it is meant as a reminder to myself, since I tend to forget how I solved problems and then spend too much time looking for it.
This should help me find my solutions back easier and faster. And if it’s useful to anyone else, my pleasure.
Problem in HijackThis
April 26, 2008 on 2:23 pm | In General | 6 Comments
Today (April 26, 2008) at 12:36 GMT I downloaded HJTinstall.exe from trendsecure.com.
I then installed HijackThis on my virtual machine running Windows 2000.
The header of the log looked like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:09, on 26-4-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal
Then I made a reg file with this content:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"
and merged it with the registry.
Consequently HijackThis showed this line:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
which is not justified because no startup was added.
For a file to get started from under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\subkey, the subkey needs to contain a value called DLLname which points to the DLL that gets loaded.
To clarify, a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.
This is not the case here, because this value was not created and did not exist.
I changed the reg file to:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"
and merged it with the registry.
Then HijackThis does the correct thing.
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\System32\ffaabb.dll (file missing)
(file missing) because I didn’t bother to plant one.
Last try I did on the VM, to find out where HJT gets the path to the DLL:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="%WINDIR%\\ffaabb.dll"
After merging, HJT reports:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
So it does seem to look at the value that is present rather than let us know that the value that is required for the autostart is not present.
Screenshot of regedit looking at this part of the registry:

Finally I downloaded the standalone executable HijackThis.exe from the same source and merged the last regfile on my XP computer.
The result is the same in essence:
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\
HijackThis did remove the subkey in question from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify under all the above circumstances.
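As an added example (not part of the original post or of HijackThis), the check below parses a REGEDIT4 export and reports, for each Winlogon\Notify subkey, the DLL that would actually be loaded, or None when the required DLLName value is absent. The two embedded .reg samples are constructed copies of the post's first two experiments; the parser only handles quoted string values, which is all this check needs.

```python
import re

# Registry key whose subkeys Winlogon inspects for notification packages.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed samples mirroring the post's first two reg files.
REG_NO_DLLNAME = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"messinabout"="F:\\WINDOWS\\System32\\ffaabb.dll"
"""
REG_WITH_DLLNAME = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
"DLLname"="F:\\WINDOWS\\System32\\ffaabb.dll"
"""

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: string_data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace("\\\\", "\\")  # undo .reg backslash escaping
    return keys

def winlogon_notify_autostarts(keys):
    """Map each Notify subkey to the DLL Winlogon would load, or None when the subkey
    has no DLLName value (registry value names are matched case-insensitively)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    result = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        dll = next((d for n, d in values.items() if n.lower() == "dllname"), None)
        result[subkey] = dll
    return result

if __name__ == "__main__":
    for sample in (REG_NO_DLLNAME, REG_WITH_DLLNAME):
        for subkey, dll in winlogon_notify_autostarts(parse_reg(sample)).items():
            print(subkey, "->", dll or "no DLLName value: Winlogon loads nothing")
```

Run against a real export of the Notify key, a subkey that maps to None is exactly the case the post describes: a stray value that HijackThis still lists as an O20 entry.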
I would like to add that I reported this problem over a month ago to Trend at which point I was promised they would look into it and fix it if they could reproduce it.
Since I haven’t heard from them since, even after two reminders, I have to assume that they don’t plan to do anything about it.
This is not a very serious problem, but it can be confusing and with the many users of this program it may lead to wrong decisions being made.
It starts … again
November 3, 2006 on 2:30 pm | In General | 2 Comments
This blog was started at GeeksToGo
to share my research into newly found malware.
I will start transferring my posts from there later on,
because the blog module at GeeksToGo will be discontinued.
Hoping you will still come and read,
Pieter Arntz aka Metallica