Computer Protection: WinPatrol Tutorial

Security Monitor for Windows

WinPatrol for Windows helps protect the computer from unauthorized changes. It monitors areas of Windows that some antivirus and firewall programs don't monitor. The following sections of this WinPatrol tutorial show how to use the program to protect against malware infiltrations, spyware and other changes.

Spyware and Adware Piggybacking

Several software packages are now bundled with unnecessary third-party software (see piggybacking article). Many end users do not know which components are actually required, which is why they end up with new programs that they don't need. WinPatrol can help by alerting on unnecessary programs.

An example program is Foxit Reader, a free PDF reader for Windows. The installer of Foxit Reader is bundled with a search toolbar that uses the Ask.com search engine. After installation the browser will have a Foxit Search bar:

Foxit Search bar

You'll also find the Foxit PDF Creator toolbar, published by Ask.com, in the Add or Remove Programs utility:

Unwanted Toolbar

If the computer is running WinPatrol, several alerts about the unnecessary changes to Windows will be displayed:

WinPatrol detects changes in start page
WinPatrol detects new add-on installation

Note that the alert for the IE Helper will keep coming back, but after WinPatrol has received your response a second time, it will block the item the next time it tries to add itself. Blocking the above modifications or additions in Windows causes the toolbar and search page to fail to install. You can then use Add or Remove Programs to uninstall the Ask.com toolbar.

Malware Infiltrations

Scotty the Watchdog, WinPatrol's notification icon, not only monitors changes in Windows but can also alert you to sneaky items that malware tries to add.

The example below is the alert shown when I executed a malware file that only a few antivirus programs detected:

Malware Adds Startup Item in Windows

WinPatrol alerts on a new addition to the PC's startup items. If the antivirus failed to detect it, WinPatrol helps protect the computer from such malicious entries in Windows. However, some malware is sneaky and keeps coming back. This type of infiltration can be removed using WinPatrol, because the program will automatically block an item that keeps coming back.

If any file keeps coming back, you can block it using WinPatrol with the following steps:

  • Open WinPatrol and click the Active Tasks tab.
  • Locate the file in question or any other suspicious process, e.g. niece.exe (from the above screenshot).
  • Highlight the suspicious processes in the Active Tasks tab and then click the Kill Task button.
  • Proceed by clicking the Startup Programs tab to remove the offending item.
  • If removing the startup item does not help (this can happen when the malware adds itself again because the malicious process is still running), right-click the startup item and then click Delete File on Reboot.
    Delete File on Reboot Using WinPatrol
  • Restart the computer and then run an online scan using Eset Online Scanner or Housecall. You can also scan the computer using an anti-malware scanner, e.g. Malwarebytes, Hitman Pro, Norton Power Eraser or SUPERAntiSpyware.
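To confirm after the reboot that the startup item has not returned, the startup entries can be compared against a saved baseline. The script below is an added example, not WinPatrol code and not part of the original tutorial; it assumes the two standard Windows Run keys as the startup locations to check, and the baseline file path is hypothetical.

```powershell
# Added example, not WinPatrol code. The Run keys are the standard per-machine
# and per-user startup locations; the baseline file path is hypothetical.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$BaselinePath = Join-Path $env:ProgramData 'startup-baseline.csv'

function Get-StartupSnapshot {
    foreach ($path in $RunKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Command = [string]$key.GetValue($name)
            }
        }
    }
}

$current = @(Get-StartupSnapshot)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run on a known-clean system: record the entries and stop.
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline saved: $($current.Count) startup entries."
    return
}

# Index the baseline by key and value name (hashtable keys are case-insensitive).
$known = @{}
foreach ($row in @(Import-Csv -LiteralPath $BaselinePath)) {
    $known["$($row.Key)|$($row.Name)"] = $row.Command
}

# Report entries that are new or whose command line changed since the baseline.
foreach ($entry in $current) {
    $id = "$($entry.Key)|$($entry.Name)"
    if (-not $known.ContainsKey($id)) {
        $entry | Add-Member -NotePropertyName Status -NotePropertyValue 'New' -PassThru
    } elseif ($known[$id] -ne $entry.Command) {
        $entry | Add-Member -NotePropertyName Status -NotePropertyValue 'Changed' -PassThru
    }
}
```

Run it once while the system is clean to create the baseline, then again after the cleanup and reboot; no output on the second run means no startup entry was added or altered.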

Changes to Windows Update Settings

WinPatrol also monitors any changes to the Windows Update settings. These settings can change if there's malware on the computer, if the user changes them, or if a legitimate program or service by Microsoft modifies them. Below is an example of a WinPatrol alert on such a change:

WinPatrol Monitors Automatic Update setting

WinPatrol Plus Feature: ActiveX Installation

The free edition of WinPatrol only displays the ActiveX controls installed in Windows; there is no option to manage existing ActiveX controls. Real-time monitoring for ActiveX is also not available in the free edition. WinPatrol PLUS, the licensed version of the program, allows the user to review and remove ActiveX controls.

An ActiveX control is a small program that can be legitimate or malicious. If WinPatrol PLUS detects the installation of an ActiveX control, you will see an alert:

ActiveX Installation

There have been security incidents in which cyber criminals installed malware as an ActiveX component or control.

WinPatrol Plus Feature: Registry Monitoring

Another WinPatrol feature worth learning is registry monitoring. Local computer policy, software policy and settings are stored in the Windows registry. WinPatrol PLUS customers can take advantage of this feature by adding a new registry key to monitor or lock. Below are some of the default registry keys that WinPatrol will monitor or lock:

Registry monitor feature in WinPatrol

To use registry monitoring, simply click the Add button and enter the registry key to protect or monitor. Example:

Example Registry Entry to Monitor

SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore – By adding this entry in WinPatrol PLUS, System Restore will be monitored by the WinPatrol program. Next, add a name, e.g. DisableSR, as your description. Enter 0 as the registry value and then select REG_DWORD as the value type from the drop-down menu.

Registry Monitor in WinPatrol

You can choose to lock the entry automatically, so that no alert is displayed, or leave it unlocked to receive an alert from WinPatrol. Another example is preventing changes to the Windows Security Center settings:

  1. Select HKEY_LOCAL_MACHINE as registry key
  2. Enter SOFTWARE\Microsoft\Security Center to protect
  3. Change Value Type to "REG_DWORD"
  4. Name: AntiVirusDisableNotify Value: 0

Repeat steps 1 to 3 and then use the values below for the Firewall setting in Windows Security Center:

  • Name: FirewallDisableNotify Value: 0
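The three registry values entered above can also be checked directly against the expected data of 0. The script below is an added example, not WinPatrol code and not part of the original tutorial; it assumes the SystemRestore key sits under HKEY_LOCAL_MACHINE (the tutorial names the hive only for Security Center), and the function name Test-RegistryBaseline is hypothetical.

```powershell
# Added example, not WinPatrol code. Key paths, value names and the expected
# data (0) are the ones this tutorial enters in WinPatrol PLUS.
# Assumption: the SystemRestore key is read from the HKLM hive.
$Baseline = @(
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
       Name = 'DisableSR';              Expected = 0 },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'; Expected = 0 },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify';  Expected = 0 }
)

function Test-RegistryBaseline {
    param([Parameter(Mandatory)] [hashtable[]] $Items)

    foreach ($item in $Items) {
        $actual = $null
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $item.Key)) {
            # The key itself does not exist on this system.
            $status = 'KeyMissing'
        } else {
            $prop = Get-ItemProperty -LiteralPath $item.Key -Name $item.Name `
                        -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                # Key exists but the named value has not been created.
                $status = 'ValueMissing'
            } else {
                $actual = $prop.($item.Name)
                if ($actual -ne $item.Expected) { $status = 'Changed' }
            }
        }
        [pscustomobject]@{
            Key      = $item.Key
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = @(Test-RegistryBaseline -Items $Baseline)
$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring agent flag the change.
if ($results | Where-Object { $_.Status -eq 'Changed' }) { exit 1 }
```

A status of Changed means the value exists with data other than 0, that is, System Restore or a Security Center notification has been switched off; KeyMissing and ValueMissing are reported separately because a value that was never created is not the same as one that was altered.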

WinPatrol PLUS Feature: PLUS Database

WinPatrol keeps information about various files and processes, allowing paid users to view or learn about an item that WinPatrol has detected. There is also a search and context menu function in WinPatrol, where users simply right-click a file or enter keywords to search the database. The database not only shows the description of the file but also indicates whether it is "safe" or "required".

References

  • Image credit: Screenshots taken by the author, courtesy of WinPatrol.
  • Product version: WinPatrol v20.0.2011.2