Becoming Familiar with Your PC
To understand, detect, and prevent malicious mobile code, you must know what runs in the background on a Windows PC. You must understand what is normal for a PC, and the PCs under your control. You need to get a baseline understanding about what programs and services should be running in memory, what TCP/IP port numbers are used, and what programs and services should be automatically starting. If you take the time to understand these concepts and become familiar with what should be running on a PC before its attacked, you can detect the culprit sooner. In security circles, this process is known as intrusion detection. There are lots of security programs you can buy that automate these tasks (and we’ll talk about them in Chapter 14), but learning to do manual intrusion detection will benefit you even more.
Startup Programs
When
Windows starts, even if you do not start a single application, dozens
of programs, processes, and services are started each time your PC
boots up. The operating system boot code loader is the first program
to load something into memory. Next, as your operating system loads,
it loads software drivers and services to manage the hardware and
other software on your machine. In NT, the dots on the blue bootup
screen each represent a different (device) driver or process
starting. After the operating system has booted, it checks several
startup areas, such as the AUTOEXEC.BAT
,
CONFIG.SYS
, WIN.INI
,
SYSTEM.INI
, DOSSTART.BAT
,
WINSTART.BAT ...
Get Malicious Mobile Code now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.