Michael Kassner explains why WinPatrol’s Cloud Edition makes the 11-year-old security utility even better.


Computers are changing at such a breakneck pace that keeping up can be difficult, and this is something that people who wish us ill count on. One particularly vexing problem is knowing if and when malevolent changes have been made to our computers.

WinPatrol to the rescue

MVP Bill Pytlovany created his security utility WinPatrol 11 years ago. It’s time to take another look at the app, because the Cloud Edition makes it even better. This is a quote from Mr. Pytlovany on the WinPatrol website:

“WinPatrol takes a snapshot of your critical system resources and alerts you in real-time to any changes that may occur without your knowledge. You’ll be notified of critical system changes and have access to over 30,000 easy to understand program descriptions.”

First, it might be a good idea to review what WinPatrol was capable of before moving to the cloud. As you can see in Figure A, WinPatrol as a client-side app is able to determine all sorts of system information and present it in an understandable manner.
Figure A

I enlisted the help of Mr. Pytlovany to offer insight about WinPatrol, its features, and some of the information the tabs provide.

TechRepublic: Why is the Startup Programs tab important and different from the one in Windows Task Manager?
Mr. Pytlovany: WinPatrol’s top feature is how it monitors and allows you to review the programs that automatically launch when you start Windows. Any type of program determined to infect your system will most likely appear on the Startup Programs list (Figure B). This list is essential to detecting nasty software that may insert itself into your PC’s auto-start locations.

The first time you run WinPatrol it will review a list of these special Startup Programs. The startup commands for these programs can be found in the Windows Registry, the WIN.INI file, your Windows Startup Folder, within some system files, and other internal system areas.

Whenever a new program is added to the Startup Programs list, WinPatrol will warn you of the change. You’ll see the name of the new program, and then you can decide if this program is okay.

Figure B

TechRepublic: What are IE Helpers, and why is it necessary to keep track of them?
Mr. Pytlovany: IE Helpers (Figure C) or Browser Helper Objects (BHOs) are programs associated with the Internet Explorer web browser. Every time you open Internet Explorer, all BHOs installed on your PC will be loaded and run along with the browser. Even if you don’t use Internet Explorer, BHOs may be loaded each time you open a new folder in Windows Explorer.

BHOs are useful, unless they are installed by malicious programs you accidentally download. BHOs installed by spyware or adware may log your online habits and send reports back to their creator. Other BHOs can bypass pop-up stopping programs, or redirect your Internet Explorer home page to sites you would never want to visit.

To make matters worse, BHOs typically cannot be removed using the Add/Remove Programs applet.

Figure C

TechRepublic: Scheduled tasks seem harmless enough, so why monitor them?
Mr. Pytlovany: A standard feature in Microsoft Windows is the ability to schedule programs to run automatically at pre-defined dates and times.
While you may not find anything listed in the Scheduled Tasks list (Figure D), WinPatrol will keep an eye on the Task Scheduler to make sure no new programs are scheduled to run without your knowledge.

If at some point, a new task is scheduled, WinPatrol will alert you of the change. If you scheduled the task, let WinPatrol know it’s okay to keep the scheduled task. If you didn’t create the task, you can simply remove it.

Figure D

TechRepublic: I understand bad guys like to hide their malcode; is that the reason for WinPatrol’s Hidden Files tab?
Mr. Pytlovany: The Hidden Files list (Figure E) will display files marked as “hidden” by the operating system. In most cases, these files are legitimate. If, however, your system has been infiltrated, this list will show you the names of files that are associated with the malware.

One good way to keep track is to pay attention to the First Detected column — that way, you will know of any recent additions. Another thing to keep in mind is, if WinPatrol alerts you to anything unusual, it would be a good idea to check for any new hidden files.

Figure E

TechRepublic: I like the fact that WinPatrol will alert me if anything tries to override my file-type association, or if a program (possibly malware) is trying to associate with a particular file extension.
Mr. Pytlovany: While most file types on your system should be legitimate, some malicious programs have been known to add their own file types to the system or modify existing file types. WinPatrol will monitor registered-file types (Figure F) and alert you if a change has occurred. There are two useful reasons to monitor file types.

  • A malicious program may modify standard types, causing you to run a dangerous program when you perform normally safe operations. Many virus programs, for example, have been known to change the action taken when a user clicks on an .EXE file.
  • A new legitimate program may reassign file association of file types without your permission. The result: instead of your preferred media program opening, another media program opens. WinPatrol will alert you and allow you to change back to your original program association.

Figure F

TechRepublic: The Options tab (Figure G) offers the ability to detect changes in Internet Explorer, Hosts file, and important systems files. Could you describe why that’s important?
Mr. Pytlovany: We feel monitoring key system settings is essential. For example, WinPatrol will:

  • Detect changes to Internet Explorer Home and Search pages. If you receive an alert regarding changes to your Home page or Search pages, you’ll want to review the Active Tasks that are running on your system for a potentially malicious program that might be the culprit.
  • Warn if changes are made to the Hosts and system files. Malicious programs have been known to use bogus entries in the HOSTS file to misdirect web surfers to potentially dangerous websites. When you type in www.google.com to your browser, you end up going to an unexpected website instead of where you wanted to go.

WinPatrol can monitor your HOSTS file and warn you when changes are made. You can also check your HOSTS file by clicking the View HOSTS File button.

Figure G
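The snapshot-and-compare approach described in the interview, applied to the HOSTS file, as an added example (not WinPatrol's code). The function names, the review rule and both HOSTS samples are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS contents (not taken from a real system).
BASELINE = """# baseline snapshot
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net   # blocklist entry
"""
CURRENT = """# later snapshot
127.0.0.1   localhost
::1         localhost
0.0.0.0     tracker.example.org
203.0.113.7 WWW.Google.com    # entry that was not in the baseline
not-an-ip   broken.example
"""

def parse_hosts(text):
    """Return the set of (hostname, ip) pairs in HOSTS-file text."""
    pairs = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        pairs.update((name.lower(), ip) for name in fields[1:])
    return pairs

def diff_hosts(baseline, current):
    """Compare two snapshots and list what was added and removed."""
    return {"added": sorted(current - baseline),
            "removed": sorted(baseline - current)}

def needs_review(added):
    """New entries that send a name somewhere other than loopback or 0.0.0.0."""
    flagged = []
    for host, ip in added:
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((host, ip))
    return flagged

if __name__ == "__main__":
    changes = diff_hosts(parse_hosts(BASELINE), parse_hosts(CURRENT))
    for kind, entries in changes.items():
        for host, ip in entries:
            print(f"{kind}: {host} -> {ip}")
    for host, ip in needs_review(changes["added"]):
        print(f"REVIEW: {host} now resolves to {ip}")
```

Entries that point a name at loopback or 0.0.0.0 are typical of blocklists, so only new mappings to other addresses are flagged for review.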

UAC notifications

I was not aware that WinPatrol can warn about changes to Automatic Update or User Account Control (UAC) settings. I appreciate that, having written an article about how Windows 7 UAC is not secure. The fact that it is user adjustable makes it vulnerable, especially since attacks leveraging UAC are in the wild. In Figure H, WinPatrol is notifying the user that their UAC has been changed.
Figure H

The Info button

As I alluded to earlier, there’s no way I can keep track of what is and what isn’t supposed to be on my computer. For example, what is jp2ssv.dll, and is it supposed to be on my computer? I don’t know, so I highlight jp2ssv.dll and hit the Info button, and WinPatrol responds with the screen in Figure I.
Figure I

If you would like more information, WinPatrol Plus provides it (Figure J).
Figure J

You could search the Internet and figure out what jp2ssv.dll is, but WinPatrol seems like a simpler solution. Besides, I did not know that jp2ssv.dll existed until I referenced WinPatrol.

Additional tips

I asked Mr. Pytlovany if there was anything else with which WinPatrol is helpful, and this is what he said:

  • One of the features I added for my own sanity was the ability to automatically remove (Disable on the Startup Programs tab) legitimate programs like QuickTime. It is annoying that they keep making themselves autorun programs because they think they’re special.
  • I also receive a lot of feedback from people who make use of the Delayed Start tab. That function allows your system to be available as quickly as possible. Once your system is running, non-essential programs listed to be delayed will load.
  • The Option tab provides some useful reports in a variety of formats. One of the most important safety features is the View History button. The History list will allow you to restore a startup you may have removed, but later realize it was something important to keep.

Collective intelligence

I’ve written about Panda’s Cloud Antivirus and how it assimilates real-time data from the Cloud Antivirus installed base; in turn, the installed base will get pertinent malware information in real-time. The new and improved WinPatrol Cloud Edition also leverages collective intelligence, albeit differently.

WinPatrol Cloud Edition has two components: it records information requests and it provides user feedback. Here are more details:

  • WinPatrol Cloud Edition automatically records requests for information about files and whether WinPatrol subscribers decided to allow the files to run. An example would be my interest in jp2ssv.dll. What did other members think about it?
  • Users can provide feedback on files they were researching. The poll data will be available to WinPatrol Free and WinPatrol PLUS users. You can see in Figure K that almost 400 users were asking about jp2ssv.dll.

Figure K


Final thoughts

WinPatrol has been a part of my security solution for several years, and I have a certain comfort level with the application. Now that I can see what other subscribers are saying about a certain file or process, it only increases my trust in WinPatrol.

Thank you to Mr. Pytlovany for sharing his thoughts about WinPatrol and for providing a valuable service.