Title of invention: Windows registry modification verification
Abstract: A method and system is provided by which unauthorized changes to the registry may be detected and that provides the capability to verify whether registry, or other system configuration data, changes that occur on a computer system are undesirable or related to possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier.
Publication number: US9183386(B2) Publication date: 2015.11.10
Application number: US201213628607 Filing date: 2012.09.27
Applicant: McAfee, Inc. Inventors: Faieta Alessandro;Beach Jameson;Bell Douglas
Classification: G06F21/00;G06F21/55;G06F21/57;G06F21/56 Main classification: G06F21/00
Agency: Patent Capital Group Agent: Patent Capital Group
Principal claim: 1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by a processor: prepare entry data of a registry entry for a computer system; create one or more identifiers based on the entry data, wherein the one or more identifiers indicate an attempted change to a registry of the computer system; package the one or more identifiers; send the packaged one or more identifiers to a client for verification, wherein the client comprises software configured to process the one or more identifiers in order to determine whether the registry entry is authorized and whether the registry entry is associated with data that is free from malware, wherein the one or more identifiers are merged with at least one other identifier of a different registry entry in order to package the one or more identifiers and the at least one other identifier as either desirable or undesirable registry entries.
Address: Santa Clara CA US