Importing an InCtrl5 log - Revision history

CCRDude: Made InCtrl5 a link

2008-05-27T19:04:53Z

Made InCtrl5 a link

← Older revision		Revision as of 19:04, 27 May 2008
Line 1:		Line 1:
	[[Image:Opensbieditlite-inctrl5-example-3721.png\|thumb\|300px\|Import dialog]]		[[Image:Opensbieditlite-inctrl5-example-3721.png\|thumb\|300px\|Import dialog]]
	InCtrl5 is a popular tool that monitors changes to the registry and file system and logs them to for example HTML files. [[OpenSBI Edit Lite]] is able to import such logs to give you a quick start into writing new SBI files.		[[InCtrl5]] is a popular tool that monitors changes to the registry and file system and logs them to for example HTML files. [[OpenSBI Edit Lite]] is able to import such logs to give you a quick start into writing new SBI files.

	==Quick Steps==		==Quick Steps==

CCRDude: /* Warning */ added limitations of InCtrl5

2008-05-27T17:33:54Z

Warning: added limitations of InCtrl5

← Older revision		Revision as of 17:33, 27 May 2008
Line 25:		Line 25:
	==Warning==		==Warning==
	Not all changes that happen while a malware is installed are associated with that malware. Windows itself does update MRU (Most Recently Used) lists in the registry, for example. Malware might also install legit third party libraries for it's purposes. The InCtrl5 import allows rapid detection prototyping, but you still need to pay a lot of attention to avoid [[False positive\|false positives]].		Not all changes that happen while a malware is installed are associated with that malware. Windows itself does update MRU (Most Recently Used) lists in the registry, for example. Malware might also install legit third party libraries for it's purposes. The InCtrl5 import allows rapid detection prototyping, but you still need to pay a lot of attention to avoid [[False positive\|false positives]].

			InCtrl5 is also not a complete monitoring tool; it will probably not list a lot of rootkit activity, WMI changes are difficult to recognize if at all, and the same goes for various other API calls that update binary files, where you will notice only that the file has changed, not what exactly was changed.

	[[Category:Tutorials]]		[[Category:Tutorials]]

CCRDude: First draft

2008-05-27T17:30:13Z

First draft

New page

[[Image:Opensbieditlite-inctrl5-example-3721.png|thumb|300px|Import dialog]]
InCtrl5 is a popular tool that monitors changes to the registry and file system and logs them to for example HTML files. [[OpenSBI Edit Lite]] is able to import such logs to give you a quick start into writing new SBI files.

==Quick Steps==
* Run [[OpenSBI Edit Lite]].
* Start a new file (menu ''File: New'').
* Open the import dialog (menu ''File: Import: Import InCtrl5 logs'').
* Select one or more HTML log files as created by InCtrl5.
* Make your choice of changes to detect by selecting the checkboxes next to them.
* Finish by pressing the ''OK'' button.
* Add useful descriptions for files (see [[Description templates|description templates]]).
* Update the [[Advanced file parameters|advanced file parameters]] where required (see the tutorial [[Choosing advanced file parameters]]).

==Details==
The import dialog will give you three tabs:
# The tab ''Items'' shows the contents in a structured view:
#* The root level of the structure will be root registry keys and drives that changes appeared on.
#* Levels in the structure that were not changed and are displayed for better viewing are displayed with grey icons and no checkboxes.
#* Where registry items and files are detected to be associated with one another, they share the same background color. As an example, this will combine a BHO, the associated CLSID, typelib, interface and file.
#* The toolbar at the bottom will show buttons that will filter the list to display only those items that belong to the selected group.
#* You can type in any term into the filter field to display only those items that include the filter term. Remove any text in the field to undo the filter.
# The one named ''Filtered'' will show you any items you've suppressed on the main view. If you right click any item here, you'll be able to make it visible in the ''Items'' list again. Reasons for permanently suppressing items would for example be registry changes to various MRU lists that are not related to malware.
# The last tab, ''Preview'', shows you how the OpenSBI code for the selected entries would look like. This is the same code that will be added to the file you've opened in the editor.

==Warning==
Not all changes that happen while a malware is installed are associated with that malware. Windows itself does update MRU (Most Recently Used) lists in the registry, for example. Malware might also install legit third party libraries for it's purposes. The InCtrl5 import allows rapid detection prototyping, but you still need to pay a lot of attention to avoid [[False positive|false positives]].

[[Category:Tutorials]]