WAID

Copyright 2000-2005, Stuart Udall

overview
important bits
installation
configuration and startup
controls and methods
issues and limitations
planned improvements
revision history
latest version

version 1.12: May 9, 2005


 
  overview

WAID takes a snapshot of the locations in your Windows system which are used to launch programs automatically on startup. It also monitors certain startup files. If the contents of these locations or files change, WAID suspends Windows' boot and prompts you for an action.

This may be useful if a virus, trojan horse or other such device has primed itself to start next time you reboot. You may not be able to avert infection - but you will at least be alerted to a reconfiguration.

WAID allows you to review the changes to the snapshot, review the new snapshot, shell to DOS, abort the boot, or ignore the changes and allow Windows to continue to boot.

In this way, WAID is an Anomaly and Intrusion Detector for Windows.

WAID also has a "silent mode", which detects possible intrusions as usual, however it does not display anything onscreen. This mode is intended for use in corporate environments, where it may not be desirable to confront the user with an IDS alert.

WAID includes an installation/configuration/uninstallation utility.


 
  important bits

  • requires Windows 95/98/98SE only - does not work with Windows ME/NT/2000/XP
  • requires STAMP.COM (included - author unknown)
  • This program is LICENSED SOFTWARE and may not be copied or distributed without prior written permission of the author.
  • Please see the license agreement included with the software for the complete terms and conditions of use of the software.


 
  installation

  1. run the self-extracting EXE

If you extract the file manually, run WAIDC.EXE to install WAID.

To uninstall WAID, run WAIDC.EXE and press the Uninstall button (by pressing Alt-U).

Note: WAID uses a small program called STAMP for logging. This file is copied to your \WINDOWS\COMMAND directory during installation.


 
  configuration and startup

To configure or reconfigure WAID, at any time, run the program WAIDC.EXE located in the WAID directory.

Settings are as follows:

  • log directory: the directory in which WAID places its logfile (and its snapshot files too, unless a separate snapshot directory is set)
  • WAID logfile: the name of the file in which to log WAID activity
  • snapshot file: the name of the file in which to place startup snapshots
  • multi-user: set this to YES if you have enabled user profiles
  • snapshot directory: the directory in which to place the snapshot files, if different from the log directory
  • notify on alert: set this to YES if you want to see on-screen alerts of possible intrusions (NO selects silent mode)
  • bannerfile: the name of a text file to display before exiting (leave blank to disable)

Press Enter to save the settings and complete the installation of WAID.

Note: don't place an extension after the snapshot filename. WAID adds an extension automatically.


 
  controls and methods

The first time WAID runs it detects that no snapshot exists yet, issues the message below, takes the initial snapshot, and continues the boot:

snapshot initialised

In operation, WAID is completely transparent to both Windows and the user unless the startup snapshot changes. WAID detects changes by comparing its 'known good' snapshot (the one taken at setup, or last adopted) with one it generates on the fly at each boot. If the two differ in any way, WAID interrupts the boot with the message:

snapshot is different:

and offers an opportunity to view the logfile, show the new snapshot, shell to DOS, abort the boot, or ignore the change and allow Windows to continue to boot.

If you ignore the changes, WAID will adopt the new snapshot as its 'known good' snapshot.

Note: if alert notification is disabled, no message will be displayed, and Windows will continue to start. This means you are not given a chance to abort the boot. This mode might still prove useful in corporate environments, where presenting a user with an alert might prove as disruptive as a viral infection - they would be calling their "IT person" every time. With alert notification disabled, a log of the possible intrusion is still made; the "IT person" can inspect these regularly (perhaps with an automated scanning mechanism) for trouble.
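The snapshot/compare/decide cycle described above, written out as an added example. This is not WAID's own code (WAID is a DOS-era program that runs before Windows starts); it models the same logic over constructed in-memory data so it runs anywhere. The registry paths, the WIN.INI text, the "Updater" entry used as the tampering case, and the outcome names are all assumptions made for the illustration, as is the decision to keep the old snapshot in silent mode, which the documentation does not specify.

```python
import hashlib
import json

# Constructed stand-in for the autostart locations WAID watches: two registry
# Run keys (value name -> command) and one startup file (its text). Paths and
# values are illustrative assumptions, not captured from a real machine.
BASELINE_SYSTEM = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
        "SystemTray": "SysTray.Exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {},
    r"C:\WINDOWS\WIN.INI": "[windows]\nload=\nrun=\n",
}


def take_snapshot(system):
    """Hash every monitored location's contents, keyed by location.

    Storing a digest rather than the raw contents keeps the snapshot small
    and makes the boot-time comparison a plain dictionary equality.
    """
    snapshot = {}
    for location in sorted(system):
        canonical = json.dumps(system[location], sort_keys=True).encode("utf-8")
        snapshot[location] = hashlib.sha256(canonical).hexdigest()
    return snapshot


def diff_snapshots(known_good, current):
    """Describe how the current snapshot departs from the known-good one."""
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "changed": sorted(loc for loc in set(known_good) & set(current)
                          if known_good[loc] != current[loc]),
    }


def boot_check(system, known_good, notify, log, choice="ignore"):
    """One boot-time run; returns (outcome, known_good_after).

    `log` is a list standing in for the WAID logfile. `choice` models the
    operator's answer at the alert prompt ("ignore" or "abort") and is only
    consulted when notify is True and the snapshot differs.
    """
    current = take_snapshot(system)
    if known_good is None:
        log.append("snapshot initialised")
        return "initialised", current
    delta = diff_snapshots(known_good, current)
    if not any(delta.values()):
        return "unchanged", known_good
    log.append("snapshot is different: " + json.dumps(delta, sort_keys=True))
    if not notify:
        # Silent mode: nothing on screen, the boot continues, only the log
        # records the event. Keeping the old snapshot (an assumption) means
        # the next boot logs the same difference again until someone acts.
        return "logged-silently", known_good
    if choice == "abort":
        return "boot-aborted", known_good
    # "ignore": continue booting and adopt the new snapshot as known good.
    return "ignored", current


def demo():
    """Initial boot, a clean reboot, then a boot after a new Run entry appears."""
    log = []
    _, known_good = boot_check(BASELINE_SYSTEM, None, True, log)
    outcome_clean, known_good = boot_check(BASELINE_SYSTEM, known_good, True, log)

    # Constructed change: an extra autostart command written into the Run key.
    tampered = json.loads(json.dumps(BASELINE_SYSTEM))
    tampered[r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]["Updater"] = \
        r"C:\WINDOWS\TEMP\updater.exe"
    outcome_tampered, known_good = boot_check(tampered, known_good, True, log, choice="abort")
    return outcome_clean, outcome_tampered, log


if __name__ == "__main__":
    clean, tampered, log = demo()
    print(clean, tampered)
    print("\n".join(log))
```

The digest per location is what makes an "ignore" safe to store as the new baseline: the snapshot file never contains the commands themselves, only their hashes, so a later tamper with the snapshot file cannot be used to smuggle an entry back in unnoticed without also reproducing the hash.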

WAID runs before any Windows programs, but after AUTOEXEC.BAT.

The diskspace consumed is minimal (around 50k total).


 
  issues and limitations

  • Windows 9x only (not compatible with Windows 3.x, ME, NT, 2000 or XP)


 
  planned improvements

  • monitoring of other files/directories


 
  revision history

  Date                Version  Change
  November 28, 2000   0.1      initial development
  November 30, 2000   0.2      documentation, EXE installer
  December 2, 2000    0.3      added monitoring of startup files
  January 4, 2001     0.4      bugfix (now works with VFAT32); also, can now place snapshot in a different directory from the WAID logfile, can now review the new snapshot
  April 28, 2001      0.5      bugfix
  December 10, 2001   0.6      improved security, added Uninstall to config utility
  May 20, 2002        0.7      added more registry keys; added abort boot
  August 27, 2002     0.8      improved security, speed, interface
  July 1, 2003        0.9      added silent mode
  December 15, 2003   0.10     added banner support, and support for SIGNON (a log dumper)
  January 5, 2004     0.11     bugfix (no longer gives 'key not found' and/or 'path not found' under Windows 95)
  November 11, 2004   0.12     bugfix
  May 9, 2005         1.12     commercial release