Several tips to enhance the system's defense against Trojans and viruses

Source: Internet
Author: User

I. Problem statement

Most Trojans and some viruses start automatically through the auto-start items or file-type entries in the registry, or through system services. Is there a way to prevent Trojans and viruses from modifying these registry keys and adding services?

II. Solution

Windows 2000/XP/2003 let you set permissions on registry keys, but this feature is rarely used. Set the permissions for the following registry keys:

1. Set the registry auto-start keys (Run, RunOnce, RunServices) to Everyone read-only, to prevent Trojans and viruses from being started through the auto-start items.

2. Set the file-association keys for .txt, .com, .exe, .inf, .ini, .bat and similar file types to Everyone read-only, to prevent Trojans and viruses from being started through a file association.

3. Set the registry key HKLM\System\CurrentControlSet\Services to Everyone read-only, to prevent Trojans and viruses from being started as "services".

You can set the permissions on a registry key in the following ways:

1. In a domain environment, through the Group Policy of Active Directory.

2. Through the Local Computer Group Policy (use SeCEdit from the command line).

3. As this article does, with the SetACL program in a batch file.

4. Manually, with regedt32 (Windows 2000: "Permissions" under the "Security" menu) or Regedit (Windows XP/2003: "Permissions" under the "Edit" menu).

The batch file code is provided later.

If you only have Users group permissions, the keys above are read-only for you by default and you do not need to worry about this.
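The permission changes described above can be audited, backed up and applied from PowerShell as well. The following is an added example, not code from the original article, and it is not the SetACL batch file the article provides. It assumes Windows PowerShell 5.1 running from an elevated prompt; the key list, the backup file name and the function names are illustrative choices. Get-KeyWriters lists every principal that can create values or subkeys under a key, Backup-KeyAcl and Restore-KeyAcl save and reapply the security descriptors as SDDL (so the permissions can be put back before a software installation), Set-KeyReadOnlyForEveryone adds the explicit Allow ReadKey entry for Everyone that the article's SetACL step grants, and Test-KeyWritable verifies the result by attempting a harmless write.

```powershell
# Added example (not the article's code): audit, back up, harden and verify
# registry auto-start key permissions. Assumes elevated Windows PowerShell 5.1;
# the key list and backup path below are illustrative.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Rights that allow planting a startup entry: writing values or creating subkeys.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey

function Get-KeyWriters {
    # Lists every principal holding an Allow ACE with write rights on the key.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Backup-KeyAcl {
    # Saves each key's DACL as an SDDL string so it can be restored later.
    param([string[]]$Paths, [string]$BackupFile)
    $map = @{}
    foreach ($p in $Paths) { $map[$p] = (Get-Acl -Path $p).Sddl }
    $map | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
}

function Restore-KeyAcl {
    # Reapplies the saved DACLs (access section only, so the owner is untouched).
    # Run this before installing software, then harden the keys again afterwards.
    param([string]$BackupFile)
    $map = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($prop in $map.PSObject.Properties) {
        $acl = Get-Acl -Path $prop.Name
        $acl.SetSecurityDescriptorSddlForm($prop.Value,
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $prop.Name -AclObject $acl
    }
}

function Set-KeyReadOnlyForEveryone {
    # Equivalent of the article's "setacl <key> /registry /grant everyone /read":
    # an explicit Allow ReadKey ACE for Everyone that propagates to subkeys.
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-KeyWritable {
    # Tries to create and immediately delete a throwaway value; returns $true if
    # the current token can write to the key, $false if access is denied.
    param([string]$Path)
    $name = 'AclProbe_' + [guid]::NewGuid().ToString('N')
    try {
        New-ItemProperty -Path $Path -Name $name -Value 0 -PropertyType DWord -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        return $true
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        return $false
    }
}

# Usage: audit first, back up, harden, then verify.
$AutostartKeys | ForEach-Object { Get-KeyWriters -Path $_ } | Format-Table -AutoSize
Backup-KeyAcl -Paths $AutostartKeys -BackupFile "$env:TEMP\autostart-acl-backup.json"
$AutostartKeys | ForEach-Object { Set-KeyReadOnlyForEveryone -Path $_ }
$AutostartKeys | ForEach-Object { "{0}: writable = {1}" -f $_, (Test-KeyWritable -Path $_) }
```

The audit output is worth reading before hardening: an Allow ReadKey entry for Everyone does not remove the Full Control entries that Administrators and SYSTEM already hold, so Test-KeyWritable still reports the keys as writable when it runs elevated. The protection the article describes only bites for processes that do not run with an administrator token, which is the caveat behind the article's own note that users with plain Users group permissions need none of this.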

III. Applicable audience

1) People who are not familiar with computers and do not often install or uninstall software.

2) Friends who like to download and install software from the Internet.

3) Users who operate their own computer with administrator privileges.

IV. Known limitations

1) Installing anti-virus software or patches may need to write to those registry keys. You must first restore the permissions, install the software, and reapply the settings after the installation is complete. Inconvenient.

2) Cannot defend against 3721. Perhaps the privileges of 3721 are too high (I have heard that 3721 is started through a driver and runs at ring 0).

3) Windows 2000/XP/2003 only.

4) Only simple viruses and Trojans are handled.

V. Batch processing source code

@goto start
===============================================================================
Name:      Anti-Trojan Horse
Function:
  1. Set the registry auto-start keys (Run, RunOnce, RunServices) to read-only
  2. Set the file association keys for .txt, .com, .exe, .inf, .ini and .bat
     to read-only
  3. Prohibit modification of "service" information
Principle: set the registry permissions to read-only
Version revisions:
===============================================================================
:start
@setlocal
@REM Set the active code page to Chinese
@chcp 936 >NUL 2>NUL
@echo.
@echo ************************************************************
@echo #
@echo #   Welcome to the anti-Trojan Horse program
@echo #
@echo #
@echo ************************************************************

:chkos
@REM Detect the Windows version from the output of "ver" and choose the
@REM matching policy refresh command (Windows 2000: secedit, XP/2003: gpupdate)
@echo.
@ver | find /i "2000" >NUL 2>NUL
@if "%errorlevel%"=="0" goto win2000
@ver | find /i "Microsoft Windows [Version 5" >NUL 2>NUL
@if "%errorlevel%"=="0" goto win2003
@ver | find /i "XP" >NUL 2>NUL
@if "%errorlevel%"=="0" goto winxp
@echo.
@echo # Your operating system is not Windows 2000/XP/2003; this program cannot be used.
@goto quit

@REM Commands that differ between systems go under the labels below
:win2000
@set updatepolicy=secedit /refreshpolicy machine_policy
@goto selection

:winxp
@set updatepolicy=gpupdate /force
@goto selection

:win2003
@set updatepolicy=gpupdate /force
@goto selection

:selection
@REM User choice
@echo.
@echo Enter the number of one of the following options
@echo.
@echo 1: Install anti-Trojan Horse protection
@echo 2: Remove anti-Trojan Horse protection (restore default settings)
@echo 3: View technical information
@echo 4: Exit
@echo.
@set /p userselection=Enter your selection (1, 2, 3, 4): 
@if "%userselection%"=="1" goto install
@if "%userselection%"=="2" goto uninstall
@if "%userselection%"=="3" goto information
@if "%userselection%"=="4" goto quit
@REM Any other input: clear the screen and ask again
@cls
@goto selection

:information
@cls
@echo ===============================================================================
@echo #
@echo #   Welcome to the anti-Trojan Horse program
@echo #
@echo #   Function:
@echo #
@echo #   1. Set the registry auto-start keys (Run, RunOnce, RunServices) to read-only,
@echo #      preventing Trojans and viruses from being started by auto-start items
@echo #   2. Set the .txt, .com, .exe, .inf, .ini and .bat file association keys to read-only,
@echo #      preventing Trojans and viruses from being started through a file association
@echo #   3. Set the registry key HKLM\System\CurrentControlSet\Services to read-only,
@echo #      preventing Trojans and viruses from being started as "services"
@echo #
@echo #   Note:
@echo #   Some installation programs also write to the registry keys above. Run this
@echo #   program before installing and select 2 to restore the default settings;
@echo #   after the installation is complete, run the program again and select 1
@echo #   to apply the anti-Trojan Horse protection
@echo ===============================================================================
@echo.
@echo Press any key to return to the menu
@pause >NUL 2>NUL
@cls
@goto selection

:install
@set op=/grant everyone /read /p:no_dont_copy
@goto doit

:uninstall
@set op=/revoke everyone /read /p:yes
@goto doit

:doit
@echo.
@echo Executing the operation...
@REM HKLM
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /registry %op% >NUL 2>NUL
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /registry %op% >NUL 2>NUL
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /registry %op% >NUL 2>NUL
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx /registry %op% >NUL 2>NUL
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %op% >NUL 2>NUL
@setacl MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %op% >NUL 2>NUL
@REM HKCU
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %op% >NUL 2>NUL
@setacl CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %op% >NUL 2>NUL
@REM Users
@setacl user\Software\Microsoft\Windows\CurrentVersion\Run /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunOnce /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunServices /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunEx /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %op% >NUL 2>NUL
@setacl user\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %op% >NUL 2>NUL
@REM Services
@setacl MACHINE\System\CurrentControlSet\Services /registry %op% >NUL 2>NUL
@REM CLASSES_ROOT (file associations)
@setacl CLASSES_ROOT\exefile\shell\open\command /registry %op% >NUL 2>NUL
@setacl CLASSES_ROOT\inifile\shell\open\command /registry %op% >NUL 2>NUL
@setacl CLASSES_ROOT\txtfile\shell\open\command /registry %op% >NUL 2>NUL
@setacl CLASSES_ROOT\comfile\shell\open\command /registry %op% >NUL 2>NUL
@setacl CLASSES_ROOT\batfile\shell\open\command /registry %op% >NUL 2>NUL
@setacl CLASSES_ROOT\inffile\shell\open\command /registry %op% >NUL 2>NUL
@echo Updating account policy and audit policy...
@REM Refresh the local security policy
@%updatepolicy% >NUL 2>NUL
@echo Account policy and audit policy updated

:complete
@echo Operation complete
@echo.
@echo.
@echo Press any key to exit.
@pause >NUL 2>NUL

:quit
@REM Clean up: remove the SetACL binary and this batch file
@del %SystemRoot%\system32\setacl.exe >NUL 2>NUL
@del %SystemRoot%\system32\antitrojanhorse.bat >NUL 2>NUL
@endlocal
