Dāvis's tech blog - Auditing object access to trace malware
Windows has built-in object access auditing that can be used to record changes on NTFS volumes. Auditing successful file creations in the folders most commonly affected by malware can facilitate removal of such software. I think good settings would be auditing of successful file creations in %SystemRoot%, %SystemRoot%\system32 including subfolders, and %ProgramFiles% including subfolders. Auditing is configured per folder under Properties - Advanced Security Settings - Auditing tab. Additionally, Audit object access must be enabled in the computer's Security Policy. With these settings, all new file creations in the above-mentioned folders are logged to the Security event log. The size and retention of the Security event log should also be adjusted to prevent it from filling up.

Posted on 2007.04.17. 07:20
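
The steps described above (audit entries on the folders, the audit policy, log sizing) together with a query of the resulting events, as an added PowerShell example that is not part of the original post. It assumes an elevated Windows PowerShell 5.1 or later session on a Windows version that has `auditpol` and `wevtutil`, with English audit names; the Everyone principal, the 256 MB log size and the helper name `Get-FileCreationAudit` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run from an elevated session.

# 1. Folders named in the post; Recurse = "including subfolders".
$targets = @(
    @{ Path = $env:SystemRoot;                         Recurse = $false },
    @{ Path = (Join-Path $env:SystemRoot 'System32'); Recurse = $true  },
    @{ Path = $env:ProgramFiles;                       Recurse = $true  }
)
# Assumption: audit every principal (Everyone, S-1-1-0); the post names none.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
foreach ($t in $targets) {
    # ContainerInherit only: the rule reaches subfolders but not existing files,
    # so it records creations rather than every write to a file.
    $inherit = if ($t.Recurse) { 'ContainerInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $everyone, 'CreateFiles', $inherit, 'None', 'Success'
    $acl = Get-Acl -Path $t.Path -Audit      # -Audit loads the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $t.Path -AclObject $acl
}

# 2. Enable the policy half ("Audit object access"), file system events only.
auditpol /set /subcategory:"File System" /success:enable

# 3. Log size and retention. 256 MB is a constructed value, not from the post;
#    /rt:false overwrites the oldest events when the log is full.
wevtutil sl Security /ms:268435456 /rt:false

# 4. List recorded creations: event 4663 with the WriteData/AddFile bit (0x2).
function Get-FileCreationAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_; $d = @{}
            foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) {
                $d[$n.Name] = $n.'#text'
            }
            if ([Convert]::ToInt32($d.AccessMask, 16) -band 0x2) {
                [pscustomobject]@{ Time = $ev.TimeCreated; User = $d.SubjectUserName
                                   Process = $d.ProcessName; File = $d.ObjectName }
            }
        }
}
Get-FileCreationAudit | Sort-Object Time | Format-Table -AutoSize
```

The Process column shows which executable created each file, which is the detail that helps when tracing what a piece of malware dropped.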
اندرويد at 2014.09.30. 21:28
Pretty! This has been a really wonderful post. Thanks for supplying these details.