What

Audit your Operating System and Applications Security

Why

Make sure the latest security updates are installed

Eyeball your event logs to discover any suspicious activities

How

Use the following links and tools to assist you

Detailed Information

1. Make Sure All Update Patches Are Installed

Windows Security Center should be configured to automatically apply all new security updates as they are available. But you should verify this occurs by periodically examining the history log.

Operating System Security Configuration Updates

You should periodically visit the Microsoft Update site. It will run a scan and find all the updates you need to download. You may also check the history of updates applied to your system to verify that updates have been taking place automatically.

Here is a sample update history log you are provided when accessing the Windows Security Center:

[Screenshot: sample update history log from the Windows Security Center]

Microsoft Update is for customers using Windows XP, Windows 2000 or Windows Server 2003 and requires an Internet connection and Internet Explorer 6.0 or greater. Most users will be required to accept an ActiveX control and install the Microsoft Update software before reaching the Microsoft Update Welcome Page.

Internet Explorer 7 is the newest Web browser version now out. Windows XP Service Pack 2 (SP2) provides additional advanced security technologies, and the new Windows Vista, due out in early 2007, is the upgrade path from XP. Users of Windows 98/ME/NT/2000 should upgrade to XP or Vista and upgrade their Microsoft browser to Internet Explorer 7 to obtain better security for their Internet browsing. Everyone should then keep checking in with the Windows Update site or use the Windows Security Center option in XP SP2 to receive the latest updates.

 

Operating System and Program Audit Tool:

Microsoft Baseline Security Analyzer - Source

This is a highly recommended tool you download and install from Microsoft. MBSA is a free, best-practices vulnerability assessment scanner for Windows 2000, XP and Server 2003. Once installed, run it to scan your system. Each vulnerability found is listed with a description and a link to where the correcting patch can be obtained. It also finds security weaknesses beyond missing patches and suggests corrections. Version 2.0 is now the latest.

See screenshots of MBSA audit results.

System Survey Tool:

Belarc Advisor - Source is a free program that quickly performs a survey scan of your system and reports all software, licenses, keys and security patches installed. This is an easy way to verify that specific patches are installed. The sample screenshot below shows part of a Belarc report: you can see the list of Microsoft security patches I have already installed on my system. It is neat that Belarc also provides a hyperlink for details about each patch if needed. License keys are also shown for registered installed packages, which makes the report a good backup of key information.

[Screenshot: part of a Belarc Advisor report listing installed Microsoft security patches]

 

Software and Hardware Driver Audits

VersionTracker Pro (Source; $29.95 for 3 computers) is an installed program that gives you an automated, simple and cost-effective way to inventory and keep all your software and drivers current and secure. Check out their "Take a tour" demo!

Driver Updates at Source offers a $30 yearly subscription you can use for an unlimited number of computers. You simply go to their site, log in and scan your system; they show you all your hardware drivers, flag the ones that need updates and provide the download link. Convenient and efficient!

2. Eyeball Your Event Logs to Discover Unusual Activity

Your preventative shields (firewall, antivirus and antispyware) aren't perfect. You need to look for unusual or suspicious events and activities. One important responsibility is to activate and configure your logging features and then periodically look at them to discover changes, abnormal events and suspicious activities. 

A. Operating System - Event Log Files:

  • Know that you cannot trust the event logs on a compromised system. Once an attacker gets full access to a system, it is simple to modify the event logs on that system to cover his tracks. If you rely on the event logs to tell you what the attacker has done to your system, you may just be reading what they want you to read. BUT - you may see signs in the log files that alert you to suspicious activity and compromise soon enough to catch and thwart the activity before it causes damage or goes stealthy!
  • Verify that system settings have not changed. Is the user account you set up still a limited user account (LUA), or does it now mysteriously have Administrator rights?
  • Are the Windows Services you disabled still disabled? (The Telnet, Alerter and Messenger services should definitely be disabled for security reasons.) See how and which services to disable.
  • Check your system files for tampering using a free program like FILECHECKER. It will alert you to any attempts to alter program and system files.

Windows 2000 and XP Administrative Tools provide three system EVENT LOGS you should configure and examine to audit your security:

Event Viewer

In Windows XP, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The Event Log Service records application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about your hardware, software, and system components, and monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.

Event Log Types

A Windows XP-based computer records events in the following three logs:

  • Application log: contains events logged by programs. For example, a database program may record a file error in the application log. Which events are written to the application log is determined by the developers of the software program.
  • Security log: records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log. (Non-Administrators can view the Application and System logs.)
  • System log: contains events logged by Windows XP system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows XP predetermines the events that are logged by system components.

Event Viewer is found under Control Panel – Administrative Tools. As a shortcut to quickly view the event logs, go to START – RUN, enter eventvwr.msc and click OK.

You can SEARCH for specific keywords in the viewer logs by going to VIEW – FIND.

You can also FILTER events by VIEW – FILTER. Only events that match your filter criteria are displayed in the details pane.

From: How to view and manage event logs in Event Viewer in Windows XP: http://support.microsoft.com/kb/308427
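As an added example (not part of the original page and not a Microsoft tool), here is a small Python script that applies the checks above to an exported security log: it looks for bursts of failed logons (event 529 on Windows 2000/XP), new accounts (624), accounts added to the Administrators group (636), audit policy changes (612) and a cleared audit log (517). The tab-separated layout, the sample rows, the machine name HOMEPC and the account names are constructed for the example; a real Event Viewer text export has its own column order, so adjust parse_export() to match yours.

```python
"""Triage a Windows 2000/XP security event log export for the signs the
checklist above asks about. Export layout (constructed for this example):
    date<TAB>time<TAB>type<TAB>source<TAB>event ID<TAB>user<TAB>description
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Security event IDs used by Windows 2000/XP (the pre-Vista numbering).
AUDIT_LOG_CLEARED = 517
AUDIT_POLICY_CHANGED = 612
LOGON_FAILURE = 529
USER_ACCOUNT_CREATED = 624
LOCAL_GROUP_MEMBER_ADDED = 636

# Five bad passwords for one account within ten minutes deserves a look.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)


def failure_row(time, account):
    """Build a constructed event 529 row for the sample export."""
    return ("2006-11-20", time, "Failure Audit", "Security", "529", "SYSTEM",
            "Logon Failure: Reason: Unknown user name or bad password "
            f"User Name: {account} Domain: HOMEPC")


# Constructed sample rows: the machine, accounts and times are made up.
SAMPLE_ROWS = [
    ("2006-11-20", "08:01:12", "Success Audit", "Security", "528", "Alice",
     "Successful Logon: User Name: Alice Domain: HOMEPC Logon Type: 2"),
    failure_row("08:02:00", "Alice"),                      # one typo, harmless
    *[failure_row(t, "Administrator")                      # a burst of guesses
      for t in ("08:05:40", "08:05:44", "08:05:51", "08:05:58", "08:06:05")],
    ("2006-11-20", "08:07:02", "Success Audit", "Security", "624", "Alice",
     "User Account Created: New Account Name: svc_update Domain: HOMEPC"),
    ("2006-11-20", "08:07:05", "Success Audit", "Security", "636", "Alice",
     "Security Enabled Local Group Member Added: Member Name: HOMEPC\\svc_update "
     "Target Account Name: Administrators"),
    ("2006-11-20", "08:09:00", "Success Audit", "Security", "517", "Alice",
     "The audit log was cleared"),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_export(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, etype, source, event_id, user, description = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "type": etype, "source": source, "event_id": int(event_id),
            "user": user, "description": description,
        })
    return events


def target_account(description):
    """Pull the account named in a logon-failure description."""
    match = re.search(r"User Name:\s*(\S+)", description)
    return match.group(1) if match else "<unknown>"


def triage(events):
    """Return (finding, subject, time) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)   # account -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["when"]):
        eid, when = ev["event_id"], ev["when"]
        if eid == AUDIT_LOG_CLEARED:
            findings.append(("log_cleared", ev["user"], when))
        elif eid == AUDIT_POLICY_CHANGED:
            findings.append(("audit_policy_changed", ev["user"], when))
        elif eid == USER_ACCOUNT_CREATED:
            findings.append(("account_created", ev["description"], when))
        elif eid == LOCAL_GROUP_MEMBER_ADDED and "Administrators" in ev["description"]:
            findings.append(("added_to_administrators", ev["description"], when))
        elif eid == LOGON_FAILURE:
            account = target_account(ev["description"])
            window = recent_failures[account]
            window.append(when)
            while when - window[0] > FAILED_LOGON_WINDOW:   # slide the window forward
                window.pop(0)
            if len(window) == FAILED_LOGON_THRESHOLD:        # report once per burst
                findings.append(("repeated_logon_failures", account, when))
    return findings


if __name__ == "__main__":
    for kind, subject, when in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:26} {subject}")
```

Remember the first bullet above: on a machine that is already compromised, the absence of these findings proves nothing, and a 517 (log cleared) entry is itself the strongest signal the script can give you.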

 

Have you set up your system to record events in the log?

First, log in with Administrative rights. Then:

START - RUN - enter secpol.msc and OK

Under Local Policies\Audit Policy, check that each security setting is set to Success, Failure or both (depending on what you want to audit). Right-click and go to Properties for each of the 9 settings. See the Microsoft recommendations chart below.

[Screenshot: sample Event Logs screen]

[Screenshot: details of a sample Event Log entry]

Table 3.2 Audit Policy Setting Recommendations (EC = Enterprise Client, SSLF = Specialized Security – Limited Functionality)

Setting                          EC desktop    EC laptop     SSLF desktop       SSLF laptop
Audit account logon events       Success       Success       Success, Failure   Success, Failure
Audit account management         Success       Success       Success, Failure   Success, Failure
Audit directory service access   Not Defined   Not Defined   Not Defined        Not Defined
Audit logon events               Success       Success       Success, Failure   Success, Failure
Audit object access              No Auditing   No Auditing   Failure            Failure
Audit policy change              Success       Success       Success            Success
Audit privilege use              No Auditing   No Auditing   Failure            Failure
Audit process tracking           No Auditing   No Auditing   No Auditing        No Auditing
Audit system events              Success       Success       Success            Success

For further details about AUDIT POLICY SETTINGS, see:

Windows XP Security Guide:
http://www.microsoft.com/technet/security...

Windows 2000 Auditing and Intrusion Detection:
http://www.microsoft.com/technet/security...
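To turn Table 3.2 into a check you can repeat after every audit, here is an added Python example (not from this page or from the Security Guide) that compares a transcription of the nine Audit Policy entries from secpol.msc against the profile you have chosen. It lists settings that audit less than recommended (gaps) and settings that audit more (extras, the ones that make the log grow). The sample policy is constructed and stands for a hypothetical home PC.

```python
"""Check a transcribed Local Policies > Audit Policy against Table 3.2 of the
Windows XP Security Guide. Input: one "Setting: Value" line per policy entry,
as read off secpol.msc (constructed sample below).
"""
PROFILES = ("EC desktop", "EC laptop", "SSLF desktop", "SSLF laptop")

# Table 3.2, one value per profile in PROFILES order.
RECOMMENDED = {
    "Audit account logon events":     ("Success", "Success", "Success, Failure", "Success, Failure"),
    "Audit account management":       ("Success", "Success", "Success, Failure", "Success, Failure"),
    "Audit directory service access": ("Not Defined",) * 4,
    "Audit logon events":             ("Success", "Success", "Success, Failure", "Success, Failure"),
    "Audit object access":            ("No Auditing", "No Auditing", "Failure", "Failure"),
    "Audit policy change":            ("Success",) * 4,
    "Audit privilege use":            ("No Auditing", "No Auditing", "Failure", "Failure"),
    "Audit process tracking":         ("No Auditing",) * 4,
    "Audit system events":            ("Success",) * 4,
}

# Constructed transcription of secpol.msc on a hypothetical home PC.
SAMPLE_POLICY = """\
Audit account logon events: Success
Audit account management: Success
Audit directory service access: No Auditing
Audit logon events: Success
Audit object access: No Auditing
Audit policy change: No Auditing
Audit privilege use: No Auditing
Audit process tracking: Success, Failure
Audit system events: Success
"""


def outcomes(value):
    """Map a policy value to the set of audited outcomes."""
    value = value.strip()
    if value in ("", "No Auditing", "Not Defined"):
        return frozenset()
    return frozenset(part.strip() for part in value.split(","))


def parse_policy(text):
    """Parse 'Setting: Value' lines into a dict."""
    policy = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            policy[name.strip()] = value.strip()
    return policy


def check_policy(policy, profile):
    """Return (gaps, extras): settings auditing less / more than recommended.

    Each entry is (setting, actual value, recommended value). A recommendation
    of 'Not Defined' imposes no requirement and is never reported.
    """
    column = PROFILES.index(profile)
    gaps, extras = [], []
    for setting, per_profile in RECOMMENDED.items():
        recommended = per_profile[column]
        actual = policy.get(setting, "No Auditing")   # missing line = nothing audited
        wanted, have = outcomes(recommended), outcomes(actual)
        if wanted - have:
            gaps.append((setting, actual, recommended))
        elif have - wanted and recommended != "Not Defined":
            extras.append((setting, actual, recommended))
    return gaps, extras


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for profile in PROFILES:
        gaps, extras = check_policy(policy, profile)
        print(f"== {profile}: {len(gaps)} gap(s), {len(extras)} extra")
        for setting, actual, recommended in gaps:
            print(f"  under-audited  {setting}: {actual} (recommended: {recommended})")
        for setting, actual, recommended in extras:
            print(f"  over-audited   {setting}: {actual} (recommended: {recommended})")
```

On the constructed policy the EC desktop profile reports a single gap (policy change is not audited) and one extra (process tracking, which the guide leaves off precisely because it floods the log); against SSLF desktop the same policy is short on six settings.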

 

 

Note: These security log files can grow quite large if you enable the logs to track too many types of activities. On a hard drive with little free space, you could encounter a boot-up error and have to go into Safe Mode (F8) to remove or delete the log file to be able to boot up Windows. Before it comes to that, set a maximum log size and an overwrite policy in each log's Properties dialog in Event Viewer so the logs cannot fill the disk. Here are the file locations in a Windows XP system:

[Screenshot: Event Log files location]

 

B. Other Security Programs - Log Files:

  • Check the history log files of your firewall, antivirus and antispyware scanner programs to make sure the programs are working correctly, that proper access has been approved or rejected, and that they are effectively doing the job you purchased them for.
  • Are the scheduled updates and scheduled scans being performed as planned in your firewall, antivirus and antispyware protection programs?

 

Here are some sample screenshots for auditing two security program log files:

ZoneAlarm Internet Security Suite Sample:

Make sure EVENT LOGGING is turned on for ZoneAlarm or other firewall programs.

Go to the Alerts and Logs section and verify your scans are completing as scheduled.

View the log directly using this page in ZoneAlarm.

You can archive log files and, by right-clicking on a previously stored one, open it in Notepad to look over past events.

Webroot SpySweeper Sample:

On this page in Webroot SpySweeper you see the choice at the lower right to VIEW SESSION LOG.

Here is the session log sample, where you see scheduled antivirus and antispyware scan results.

 

 

3. Use Utilities to check for Suspicious Activities

A. Verify your Firewall Protection:
Windows XP's built-in Internet Connection Firewall (ICF) does not monitor outgoing connections from your computer. This means that trojans and other malicious programs or data miners are not detected when they try to upload data they have collected from your computer; a malware program can send any information from your computer without you being alerted. Consider using a third-party application-based firewall like ZoneAlarm from www.zonelabs.com. ZoneAlarm is truly an application-based firewall, which alerts you whenever a program accesses the Internet. You can configure a rule to allow an application Internet access permanently or on a case-by-case basis, and you can also configure whether an application is allowed to act as a server or only as a client.

If a trojan accesses the Internet (to steal your passwords or other valuable information), ZoneAlarm or any other application-based firewall alerts you that a new program <programname.exe> is accessing the Internet. Think well before allowing access to a program; otherwise, the very purpose of a firewall is defeated. If you see a suspicious name, search Google for it to find out which application the file belongs to, or seek assistance from experts in a Microsoft newsgroup or any reputable online technical support forum. Then decide whether to allow access or not.

B. Monitor which processes are accessing the Internet using your computer:

The NETSTAT program that ships in Windows lets you quickly see which programs have "established" or opened a connection to the Internet. Open a Command Prompt window (Start - RUN - and enter CMD) and type "NETSTAT -o". This shows the Process IDs which have established connections to a server. This is a quick way to identify a possible active Trojan.

TCPView - Source - is a free tool for viewing your system's TCP and UDP endpoints that is better than using NETSTAT.

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. TCPView works on Windows NT/2000/XP and Windows 98/Me. You can use TCPView on Windows 95 if you get the Windows 95 Winsock 2 Update from Microsoft.

[Screenshot: TCPView]

Info from: http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx  

Using TCPView
When you start TCPView it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. You can use a toolbar button or menu item to toggle the display of resolved names. On Windows XP systems, TCPView shows the name of the process that owns each endpoint. 

By default, TCPView updates every second, but you can use the Options|Refresh Rate menu item to change the rate. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green.

You can close established TCP/IP connections (those labeled with a state of ESTABLISHED) by selecting File|Close Connections, or by right-clicking on a connection and choosing Close Connections from the resulting context menu.

You can save TCPView's output window to a file using the Save menu item. 
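As an added example, not from this page or from Sysinternals, the following Python script does offline what you would do by eye in NETSTAT or TCPView: it parses the output of `netstat -ano` (the -a and -n switches add listening sockets and keep addresses numeric) and of `tasklist` to map each ESTABLISHED connection to an external address back to its process image, then reports the ones whose image is not on a short list of programs you expect to use the Internet. Both outputs, the process name msupd.exe, the addresses and the allow-list EXPECTED_INTERNET_PROGRAMS are constructed for the example.

```python
"""Map each established outbound connection to the process that owns it and
flag the ones not on your expected list, the way TCPView lets you do by eye.
Inputs are constructed 'netstat -ano' and 'tasklist' output in Windows XP format.
"""
import ipaddress
import re

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1432
  TCP    192.168.1.5:1087       198.51.100.23:80       ESTABLISHED     2288
  TCP    192.168.1.5:1104       203.0.113.77:6667      ESTABLISHED     3516
  TCP    192.168.1.5:1105       192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.5:1110       203.0.113.9:443        ESTABLISHED     5120
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_OUTPUT = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  880 Console                 0      4,412 K
svchost.exe                 1432 Console                 0      3,100 K
iexplore.exe                2288 Console                 0     31,208 K
msupd.exe                   3516 Console                 0      1,104 K
"""

# Addresses that are not "the Internet": loopback, RFC 1918 and unspecified.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/32")]

# Illustrative allow-list (an assumption): programs this PC is expected to use online.
EXPECTED_INTERNET_PROGRAMS = {"iexplore.exe", "firefox.exe", "wuauclt.exe", "svchost.exe"}


def parse_netstat(text):
    """Parse netstat -ano rows; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        host, port = remote.rsplit(":", 1)
        conns.append({"proto": proto, "local": local, "remote_host": host,
                      "remote_port": port, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    pids = {}
    for line in text.splitlines():
        match = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if match:
            pids[int(match.group(2))] = match.group(1)
    return pids


def is_external(host):
    """True when the peer is an address outside the local networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                 # '*' in UDP rows, or a resolved host name
        return host not in ("*", "")
    return not any(addr in net for net in LOCAL_NETS)


def suspicious_connections(conns, pids):
    """(pid, image, remote) for established external connections owned by unexpected images."""
    findings = []
    for c in conns:
        if c["state"] != "ESTABLISHED" or not is_external(c["remote_host"]):
            continue
        image = pids.get(c["pid"], "<unknown pid>")   # process exited or not listed
        if image.lower() not in EXPECTED_INTERNET_PROGRAMS:
            findings.append((c["pid"], image, f"{c['remote_host']}:{c['remote_port']}"))
    return findings


if __name__ == "__main__":
    for pid, image, remote in suspicious_connections(
            parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_OUTPUT)):
        print(f"review: PID {pid:<5} {image:<16} -> {remote}")
```

A PID that netstat shows but tasklist no longer lists is reported as unknown rather than dropped, because a short-lived process that phoned out is exactly what you would want to see. If your Windows edition lacks tasklist.exe, the PID-to-image mapping in TCPView or Process Explorer serves the same purpose.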

C. Test your firewall's effectiveness for outbound connections originating from your computer using an online leak test. The tests are offered by many third-party sites:

The above tests check the inbound protection only. As the Internet is a two-way data transmission, you will also have to test the outbound protection for extra security. Test the firewall's outbound protection using Steve Gibson's LeakTest utility.

Quoted from the LeakTest HowTo page:
"Perform a LeakTest: Look through your firewall's permissions for the filename of any program that is granted access through the firewall. Then simply rename LeakTest to that name (just as a Trojan, virus, and spyware would) and run it"

 

D. Test your system for dangerous Rootkits:

RootkitRevealer - Source is a free advanced rootkit detection utility.

RootkitRevealer runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).

Read about RootKits.

E. Examine your system PROCESSES that are RUNNING:
Ever wondered which program has a particular file or directory open? Now you can find out.

Process Explorer - Source - is a free utility that shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. 

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. 

Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 processors, and Windows Vista. 

PsFile - Source - is a command-line utility that shows a list of files on a system that are opened remotely.

PsFile is part of a growing kit of Sysinternals command-line tools (PsTools) that aid in the administration of local and remote Windows NT/2K systems. 

The "net file" command shows you a list of the files that other computers have opened on the system upon which you execute the command, however it truncates long path names and doesn't let you see that information for remote systems. Better is the PsFile command-line utility that shows a list of files on a system that are opened remotely. It also allows you to close opened files either by name or by a file identifier. 

Whois - Source - is a free tool that retrieves the registration record for the domain name or IP address that you specify.

Whois helps you identify web sites to see if the address is the correct and legitimate one.

Usage: whois domainname [whois.server]

Domainname can be either a DNS name (e.g. www.sysinternals.com) or IP address (e.g. 66.193.254.46). 

  

Resources

FILECHECKER

MS Technical Bulletins/patches history of releases: http://www.microsoft.com/technet/security/current.aspx

MS Security Tools Site: http://www.microsoft.com/technet/security/tools/default.mspx

Microsoft Update

Bigfix – a free program that “calls home” daily and then automatically alerts you to all new patches and updates needed by your specifically configured system.

Microsoft Baseline Security Analyzer

MBSA audit results

Belarc Advisor

VersionTracker

http://www.DriverAgent.com

Upgrade MS IE browser to Internet Explorer 6 SP1

Contact me at NofinerWeb.com