 Post subject: Winpooch
PostPosted: Mon May 22, 2006 8:04 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
I've seen someone on AO talking about this program, so I decided to look into it, especially because it's free.

Winpooch can be found here: http://sourceforge.net/projects/winpooch/


Quote:
Winpooch is a watchdog for Windows (2000, XP and above). It detects modifications in your system, so as to detect a trojan or a spyware installation. Set your own security level for anti-spyware, anti-trojan, firewall, antivirus (need ClamWin installed)


Seems interesting enough ...and it's still being developed ...

Quote:
Winpooch is a watchdog for Windows that helps you increase the security of your computer.
Winpooch can prevent suspicious programs from doing dangerous actions such as writing to system directories or sensible registry keys.
It acts as a powerful anti spyware and anti trojans, and if you have ClamWin installed, you can tell Winpooch to scan every program before it runs.
This new release provides a cache for the antivirus; this prevents scanning the same file several times and thus increases the computer's speed.
It also contains many bug fixes.


Now this cache thing looks very interesting ... But it probably only works with ClamWin. Wouldn't this improve the performance of your computer too (think about McAfee and its on-access scan scanning your drive up and down) ... Or will it not make much of a difference ...

After I install VMWare tonight, I'll be installing this on a test machine and let you guys know what it's like, unless someone beats me to it (with all my promises lately :sad: ) I need to catch up ;)

.C.

 
 Post subject:
PostPosted: Mon May 22, 2006 8:11 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
Well bugger for waiting 'till this evening, I'm bored at work anyway.

I'm installing it on a Windows XP SP1, here's the readme:

Quote:
Winpooch - Readme
*****************

Author Benoit Blanchon
Date 02/02/2006
Version 0.5.10
Web site http://www.winpooch.com/


About Winpooch
--------------
Winpooch is a watchdog for Windows. It watches running
programs and prevents them from doing dangerous operations.
This very simple program helps you to detect Trojans and
spyware. It can also detect viruses: if ClamWin is installed on your
computer, you can tell Winpooch to scan each executable file before
allowing it to run.
Winpooch runs under 32-bit versions of Windows 2000,
Windows XP and Windows 2003. Support for 64-bit versions will come later.


About version 0.5.10
--------------------
It's been a very long time since the release of 0.5.9.
Many reasons for that: new job, new home, new computer... I was several
months without having a second to type a line of code. Anyway, the new
branch 0.6 is still under development.


What does Winpooch watch?
-------------------------
By default, Winpooch will not spy on services, but this can be
activated by modifying the value "Use debug privilege" in the configuration
window.
With default rules, Winpooch will ask the user before allowing
a program to write sensible files or registry keys. Default rules are
very rich; you may choose to reduce them or to change the default action.
Don't hesitate to create your own filters; this new Winpooch is
highly customizable.


Which API functions are hooked?
-------------------------------
This section is intended for users with some knowledge of the Win32 API.
If you don't know about it, you can skip it.
- Functions in ntdll.dll:
  + NtSetValueKey, and so:
    . RegSetValueExA
    . RegSetValueA
    . RegSetValueExW
    . RegSetValueW
  + NtCreateFile and NtOpenFile, and so:
    . CreateFileA
    . CreateFileW
    . CopyFileA
    . CopyFileW
    . CopyFileExA
    . CopyFileExW
  + NtSetInformationFile, and so:
    . MoveFileA
    . MoveFileW
    . MoveFileExA
    . MoveFileExW
    . MoveFileWithProgressA
    . MoveFileWithProgressW
  + NtDeleteFile, and so:
    . DeleteFileA
    . DeleteFileW
- Functions in kernel32.dll:
  + CreateProcessA
  + CreateProcessW
- Functions in ws2_32.dll:
  + connect
  + listen

Next evolutions
---------------
What you may expect in future versions:
- Wizard to help you configure filters
- Kernel-mode API hooking (planned for versions 0.6.x)
Please note that version 0.6.0 is keeping us very busy,
so it's difficult to add new features to the 0.5 branch. Thanks
for your comprehension.


I'll update later with more details.

.C.

 
 Post subject:
PostPosted: Mon May 22, 2006 8:32 am
  

THE Prancing Pirate

Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
It sounds interesting! I'd also like to give it a go (I've got a couple of compressed + encrypted malware samples on an external HDD), but I can't download the software... Back in school :(

Let us know how it goes :D Especially with the caching - I haven't looked at how it works (does it recognise the same file just by size, or a hash, or something like that?), but you could try to trick it ;) :D

_________________
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]
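On the caching question raised in this thread (the readme says the new release caches antivirus results so the same file is not scanned twice; the question above is whether that cache recognises a file by size or by hash), here is an added example of how a scan-result cache keyed on the file's content digest behaves. This is illustrative code written for this thread, not Winpooch's or ClamWin's implementation, and the thread does not say which key Winpooch actually uses. The digest is FNV-1a (64-bit) as a stand-in for a cryptographic hash such as SHA-256, the "scanner" is a constructed stand-in that flags the byte sequence `MARK`, and the two sample buffers are constructed inputs of identical size.

```c
/* Added example (not Winpooch's or ClamWin's code): a scan-result cache keyed
 * by content digest. An unchanged file is scanned once; a modified file of the
 * same size and path gets a different digest and is scanned again, which is
 * why keying on size alone would be unsafe. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SLOTS 64

typedef enum { VERDICT_CLEAN = 0, VERDICT_INFECTED = 1 } verdict_t;

typedef struct {
    uint64_t  digest;   /* content digest of the scanned bytes */
    int       used;     /* slot occupied? */
    verdict_t verdict;  /* result of the last real scan of this content */
} cache_entry_t;

static cache_entry_t g_cache[CACHE_SLOTS];
static int g_scanner_calls;   /* how often the expensive engine really ran */

/* FNV-1a 64-bit: a toy stand-in for a real cryptographic hash (e.g. SHA-256). */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constructed stand-in for the AV engine: "infected" if the bytes contain "MARK". */
static verdict_t expensive_scan(const unsigned char *p, size_t n) {
    static const unsigned char mark[4] = { 'M', 'A', 'R', 'K' };
    g_scanner_calls++;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(p + i, mark, 4) == 0)
            return VERDICT_INFECTED;
    return VERDICT_CLEAN;
}

/* Drop all cached verdicts. A real cache must do this whenever the signature
 * database is updated, because an old "clean" verdict may no longer hold. */
void cache_reset(void) {
    memset(g_cache, 0, sizeof g_cache);
    g_scanner_calls = 0;
}

int scanner_calls(void) { return g_scanner_calls; }

/* Return the verdict for this content, running the engine only on a cache miss. */
verdict_t scan_with_cache(const unsigned char *data, size_t len) {
    uint64_t d = fnv1a64(data, len);
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].used && g_cache[i].digest == d)
            return g_cache[i].verdict;          /* hit: identical content */
    verdict_t v = expensive_scan(data, len);    /* miss: scan for real */
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (!g_cache[i].used) { g_cache[i] = (cache_entry_t){ d, 1, v }; return v; }
    g_cache[0] = (cache_entry_t){ d, 1, v };    /* full: crude overwrite of slot 0 */
    return v;
}

int main(void) {
    /* Constructed sample "files": same length (13 bytes incl. NUL), different bytes */
    const unsigned char clean[]    = "hello world!";
    const unsigned char modified[] = "hello MARK!!";

    cache_reset();
    printf("first scan:  %d (engine calls=%d)\n", scan_with_cache(clean, sizeof clean), scanner_calls());
    printf("second scan: %d (engine calls=%d)\n", scan_with_cache(clean, sizeof clean), scanner_calls());
    printf("modified:    %d (engine calls=%d)\n", scan_with_cache(modified, sizeof modified), scanner_calls());
    return 0;
}
```

The design point: a cache keyed on path plus size would hand a stale "clean" verdict to any file whose contents changed without its size changing, whereas a content-digest key forces a rescan the moment the bytes differ. The other invalidation trigger a real implementation needs is a signature update, which `cache_reset()` stands in for here.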
 
 Post subject:
PostPosted: Mon May 22, 2006 8:41 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
Quote:
Let us know how it goes :D Especially with the caching - I haven't looked at how it works (does it recognise the same file just by size, or a hash, or something like that?), but you could try to trick it


Well, as I suspected, this only works if you have ClamWin installed (maybe also with Kaspersky, as there is a reference to it in the program) ...So I won't be able to test this right now ...I'll test it on a test machine at home.

The installation went smoothly, not much config is necessary; it comes installed without filters (logic), but it does set a default filter (wildcard)... It can be completely tuned to one's liking.

Quote:
Winpooch uses a completely different approach: as a watchdog, it watches
programs and detects when a suspicious action is done. Winpooch uses filters
so as to prevent dangerous actions: with default filters, most of the
sensible points used by spywares are protected (mainly start-up techniques).


So some fine tuning might be nice ;)

There is another nice action, called the "feign" action:

Quote:
When Winpooch feigns an action, it simply tells the application that
the requested action has succeeded but in reality, no action is
performed.

In programming terms, this means that Winpooch returns a value
indicating no error but doesn't execute the real function.
This is opposed to the "reject" feature: in this mode Winpooch
returns a value indicating an error, which means that the calling
program knows that the function failed.


That's it for now ... Have some actual work to do for about 15 minutes :mrgreen:

.C.

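The "allow / reject / feign" distinction quoted above is the whole behaviour-blocking model in a nutshell, so here is an added example that models it in plain C. This is illustrative code written for this thread, not Winpooch's source: there is no real API hooking here, the "real" NtSetValueKey is a stand-in that just records what it was asked to write, the rule table and its registry prefixes are constructed, and the NTSTATUS values are the standard ones from Windows' ntstatus.h. It compiles and runs on any platform.

```c
/* Added example (not Winpooch code): a toy model of a hooked API call with the
 * three filter actions the thread describes. The hook runs first; the "real"
 * function is a stand-in that records the write so the effect can be checked. */
#include <stdio.h>
#include <string.h>

/* NTSTATUS-style return codes (values as in Windows' ntstatus.h) */
typedef long NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

typedef enum { ACT_ALLOW, ACT_REJECT, ACT_FEIGN } action_t;

typedef struct {
    const char *key_prefix;   /* registry path prefix the rule matches */
    action_t    action;       /* what the hook does when it matches */
} filter_rule_t;

/* Constructed rule set in the spirit of "protect start-up points"; these are
 * example prefixes, not Winpooch's actual default filter file. */
static const filter_rule_t RULES[] = {
    { "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", ACT_FEIGN  },
    { "HKLM\\System\\CurrentControlSet\\Services",               ACT_REJECT },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* What the stand-in "real" function last wrote, and how often it ran */
static char g_last_key[256];
static char g_last_value[256];
static int  g_real_calls;

/* Stand-in for the unhooked NtSetValueKey: records the write and succeeds */
static NTSTATUS real_set_value_key(const char *key, const char *value) {
    snprintf(g_last_key, sizeof g_last_key, "%s", key);
    snprintf(g_last_value, sizeof g_last_value, "%s", value);
    g_real_calls++;
    return STATUS_SUCCESS;
}

/* First matching rule wins; no match means pass-through (allow). */
static action_t decide(const char *key) {
    for (size_t i = 0; i < NRULES; i++)
        if (strncmp(key, RULES[i].key_prefix, strlen(RULES[i].key_prefix)) == 0)
            return RULES[i].action;
    return ACT_ALLOW;
}

void reset_hook_state(void) {
    g_last_key[0] = g_last_value[0] = '\0';
    g_real_calls = 0;
}
int real_call_count(void) { return g_real_calls; }
const char *last_written_key(void) { return g_last_key; }

/* The hook: what a detoured NtSetValueKey does before, or instead of, the original */
NTSTATUS hooked_set_value_key(const char *key, const char *value) {
    switch (decide(key)) {
    case ACT_ALLOW:
        return real_set_value_key(key, value);   /* forward to the real call */
    case ACT_REJECT:
        return STATUS_ACCESS_DENIED;             /* caller sees the failure */
    case ACT_FEIGN:
        return STATUS_SUCCESS;                   /* caller sees success; nothing happens */
    }
    return STATUS_ACCESS_DENIED;
}

int main(void) {
    reset_hook_state();
    NTSTATUS s1 = hooked_set_value_key("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SomeApp", "C:\\x.exe");
    NTSTATUS s2 = hooked_set_value_key("HKLM\\System\\CurrentControlSet\\Services\\SomeSvc", "2");
    NTSTATUS s3 = hooked_set_value_key("HKCU\\Software\\MyApp\\Setting", "1");
    printf("feign:  status=0x%08lx real calls=%d\n", (unsigned long)s1, real_call_count());
    printf("reject: status=0x%08lx real calls=%d\n", (unsigned long)s2, real_call_count());
    printf("allow:  status=0x%08lx real calls=%d (key=%s)\n", (unsigned long)s3, real_call_count(), last_written_key());
    return 0;
}
```

The practical difference for a defender: with "reject" the blocked program learns that its write failed and may retry another way or complain, so you see its reaction; with "feign" it believes the start-up entry was written and carries on, which is why the original poster likens it to telling the OS the task succeeded when it did not.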
 
 Post subject:
PostPosted: Mon May 22, 2006 11:10 am
  

DaBOSS

Joined: Sun Dec 25, 2005 1:20 am
Posts: 7120
Location: 3rd Rock from the Sun
link to clamwin :?:

and a brief description too please

got my interest piqued
anything that helps to make my system safer is fine by me

of course, that does mean safer from outside interference
NOT safer from me bolloxing it up AGAIN :D

_________________
Beware of Geeks bearing GIF's :mrgreen:

 
 Post subject:
PostPosted: Mon May 22, 2006 11:34 am
  

THE Prancing Pirate

Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
DaFoxx wrote:
link to clamwin :?:

ClamWin ;)
Quote:
and a brief description too please

ClamWin is a Free Antivirus for Microsoft Windows 98/Me/2000/XP and 2003.
ClamWin Free Antivirus comes with an easy installer and open source code. You may download and use it absolutely free of charge. It features:
High detection rates for viruses and spyware;
Scanning Scheduler;
Automatic downloads of regularly updated Virus Database.
Standalone virus scanner and right-click menu integration to Microsoft Windows Explorer;
Addin to Microsoft Outlook to remove virus-infected attachments automatically.
The latest version of ClamWin Free Antivirus is 0.88.2.3
Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

^ Based on the FOSS ClamAV for Linux btw ;)
Quote:
NOT safer from me bolloxing it up AGAIN :D

As if we don't know that yet! :mrgreen:

Foxy, are you A+ certified? I seem to remember reading that you are... but I can't remember where :P

_________________
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]

 
 Post subject:
PostPosted: Mon May 22, 2006 11:36 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
As per request:

Here are links to the free anti-virus software named ClamWin:

http://www.clamwin.com/

It's a spin-off from the well known (to some ;)) free anti-virus ClamAV for *nix flavoured machines.

Website ClamAV: http://www.clamav.net

ClamWin:

Quote:
MS Windows front-end to Clam Antivirus (http://www.clamav.net). Includes scheduler, virus database updates, standalone scanner, context menu integration to MS Windows Explorer and Addin to MS Outlook. Also features easy setup program.


Quote:
ClamWin is a Free Antivirus for Microsoft Windows 98/Me/2000/XP and 2003.
ClamWin Free Antivirus comes with an easy installer and open source code. You may download and use it absolutely free of charge. It features:

* High detection rates for viruses and spyware;
* Scanning Scheduler;
* Automatic downloads of regularly updated Virus Database.
* Standalone virus scanner and right-click menu integration to Microsoft Windows Explorer;
* Addin to Microsoft Outlook to remove virus-infected attachments automatically.

The latest version of ClamWin Free Antivirus is 0.88.2.3
Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.


Now I'm not sure not having an on-access scanner is something bad... It might even be good in that sense it doesn't take up resources... On the other hand ...Is it less secure ??

Anyway ...Reading some reviews, it gets good points ...especially being free and all :) ...

.C.

 
 Post subject:
PostPosted: Tue May 23, 2006 7:05 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
Ok, I know I promised an update last night :oops: ...But I have an excuse, you'll see the excuse in another thread. :mrgreen:

Anyway ... I did get some tests done. I've installed Winpooch on a test machine and configured it with the standard filter... Then I closed it and opened IE.

I didn't get the chance to test ClamWin yet; this will be done today.

Anyway ... I went through some sites known to have some nasty buggers when you access them. I used IE with standard settings so I was sure to get compromised ;)

So after visiting astalavista and the links on that site (you all know this site, don't tell me otherwise ;) )... I knew I had to have some nasty things, as I tested it before :)

Ok ..So I fired up Pooch, ... Went to work normally with the test machine ..let pooch do its thing ... pretty soon I got pop-ups left and right ... Pooch asking me "Do you want to allow this program to do this" along with a path to the program ... I could see it wasn't something legit from Windows, so I blocked it. You can also "feign" the action; that's like saying to your OS that the program has successfully done the task, but in fact it has not: pooch has given the "ok" but has blocked it anyway... So pooch does what it says: detects trojans and spyware.

So the first test looks promising ... I'll keep you guys updated after I install ClamWin along with pooch, so I can see performance .. Now I need to find some viruses to test ... Anyone know where I can find some :mrgreen:

.C.

 
 Post subject:
PostPosted: Tue May 23, 2006 7:43 am
  

THE Prancing Pirate

Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
cemetric wrote:
Now I need to find some viruses to test ... Anyone know where I can find some :mrgreen:

http://offensivecomputing.net/ ;)

_________________
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]

 
 Post subject:
PostPosted: Tue May 23, 2006 7:46 am
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
Sweet, thanks JK ;)

.C.

 
 Post subject:
PostPosted: Wed May 24, 2006 11:22 pm
  

Corporate Spy

Joined: Tue Dec 27, 2005 12:33 pm
Posts: 3643
Location: Paradise Corrupt
After some testing ... I've decided that I won't install the program in production ...meaning ...It's a good program, it does exactly what it's supposed to do, if you install it on a machine that isn't changing configuration much (installing new software and all ;) ) ... It's a good program to install on 'inert' machines that need that little extra protection for their users (parents' pc, kids, etc...)

So I recommend it for such things ... It's a sweet app. It slows down the Windows startup a little (especially when you don't have a lot of memory) because it's trying to 'hook' all processes it thinks are safe ... It's quite configurable too, just need to put in the time to tinker with it some more for that ... But that might be after I reinstall ClamWin, hell I'll just take another snapshot and start fresh ;)

.C.
