View Full Version : Emulating Ad-Watch


Defenestration
February 23rd, 2005, 01:18 PM
I currently use Ad-Watch, and wanted to know how to achieve the same/better protection with RegDefend. The Ad-Watch options "Lock start-up section", "Block possible browser hijack attempts", "Lock executable file associations" are the options that can be emulated in RegDefend.

1) "Lock start-up section" has already been taken care of with the "AUTO STARTS" group.

2) "Block possible browser hijack attempts" has been partly taken care of by the Browser Helper Objects Registry Item. The other items I can think of are home page, search page, default error page. Which keys/values do I need to protect for these items ?

What else do I need to protect ?

3) "Lock executable file associations" has not been taken care of. All these associations are stored under the HKEY_CLASSES_ROOT key. Should I just protect the whole HKCR key to protect all associations or would this cause problems ?

Why are these not protected by default ?


That aside, what other registry items would you recommend I protect ? eg. KAV key, LnS key, PG, TDS, Ad-Aware/Ad-Watch etc.

richrf
February 24th, 2005, 03:05 AM
Good questions. I hope someone is able to address them. Currently I also own Ad-watch so I would like to feel comfortable that I am receiving at least equal protection before trading it in for RegDefend.

Rich

gkweb
February 24th, 2005, 05:06 PM
{QUOTE->
1) "Lock start-up section" has already been taken care of with the "AUTO STARTS" group.
<-QUOTE}

We agree, job already done, let's see the following.

{QUOTE->
2) "Block possible browser hijack attempts" has been partly taken care of by the Browser Helper Objects Registry Item. The other items I can think of are home page, search page, default error page. Which keys/values do I need to protect for these items ?
<-QUOTE}

I am not a spyware expert nor an IE expert, but from a quick look at the registry it seems that the keys involved are:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_USERS\S-1-5-21-1935655697-515967899-839522115-500\Software\Microsoft\Internet Explorer
HKEY_CLASSES_ROOT\Applications\iexplore.exe

These are I think the global keys to control. If you want precisely to look at the search page or default page, it is in :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(same for the other one)

RegDefend by default only protects the value StartPage in the above key (\Main); for better security protect the "\Internet Explorer\" root.
EDIT: this is wrong, see my other post below.

{QUOTE->
What else do I need to protect ?

3) "Lock executable file associations" has not been taken care of. All these associations are stored under the HKEY_CLASSES_ROOT key. Should I just protect the whole HKCR key to protect all associations or would this cause problems ?
<-QUOTE}

By taking a look at HKEY_CLASSES_ROOT, it seems to only be about files and associations, so protecting the whole root seems logical; however there are not only file extensions (beginning with a dot such as ".ext") but file descriptions too, and maybe other things. I will try to do it and report problems if any.


I have attached the "Ad-Watch" group I created, containing Internet Explorer protection and file extension locking (runs fine on my comp).
Just remove the .txt extension and move it into your "RegDefend\groups" folder.
Then close and restart RegDefend; it should appear in the groups.
Check that every key is protected from modifying and set to "Ask user", just to see if all goes well :)

Regards,
gkweb.

Defenestration
February 24th, 2005, 05:24 PM
Thanks for suggestions and attached group.

{QUOTE-> HKEY_USERS\S-1-5-21-1935655697-515967899-839522115-500\Software\Microsoft\Internet Explorer <-QUOTE}
This key (or more precisely the part beginning with S-1-5...) is different on every machine, e.g. on my machine it's

HKEY_USERS\S-1-5-21-1960408961-1957994488-1155901827-1004\Software\Microsoft\Internet Explorer

If you use Firefox/Mozilla/Netscape, it's also worth protecting the following keys (ALL VALUES) from modification

HKLM\SOFTWARE\Mozilla
HKCU\Software\Netscape

gkweb
February 24th, 2005, 05:34 PM
{QUOTE-> Thanks for suggestions and attached group.

This key (or more precisely the part beginning with S-1-5...) is different on every machine. eg. on my machine it's

HKEY_USERS\S-1-5-21-1960408961-1957994488-1155901827-1004\Software\Microsoft\Internet Explorer

<-QUOTE}

Thanks for the information.

That's why it would be useful to be able in RegDefend to use wildcards such as:

HKEY_USERS\S-1-5-21-*\Software\Microsoft\Internet Explorer

Would be very useful.

hollywoodpc
February 24th, 2005, 05:43 PM
Gkweb .
I will await your findings on adding all the classes_root and see what happens .

gkweb
February 24th, 2005, 06:00 PM
I have just discovered that when you protect from modifying:

\RootKeys\

trying to create any subkey or value is indeed blocked; however modifying or creating any key or value inside an existing subkey such as:

\RootKeys\ExistingSubKeys\myNewValue

will not be blocked.

So either it is a bug, or it is by design.
If the latter, I would request that settings added for a RootKey be applied to any SubKeys.

The consequence is that you must actually protect the path:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

and not just:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

Sorry for the mistake, will update the group file in my above post.

gkweb
February 24th, 2005, 06:35 PM
Last tip before going to bed ;)

Above, if you block the whole key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

RegDefend will ask you about IE trying to modify the values "Main\Fullscreen" and "\Main\Window_Placement".
If you allow IE to modify anything inside this key, sure, external spyware still won't be able to modify the registry, but a malicious ActiveX from IE will.
So the point is: how to allow IE to only modify these two values while still protecting the whole key?

Since you cannot in RegDefend say "I protect this whole Key except these two values", you have to find something else.

The trick I found is to create a first group on top of the other, in which you add the values you want to exclude from the other groups (either you want them to be allowed or denied, whilst the main group does the opposite), as shown in the screenshot.
Then, when IE tries to modify these two values, you will just have to "allow always", and IE will be added to your first group only, and so will be able to modify these values without any further prompt, while the key "\Main" is still protected even from IE.

I hope I am clear... :)

Jason_R0
February 24th, 2005, 07:24 PM
{QUOTE-> HKEY_USERS\S-1-5-21-1935655697-515967899-839522115-500\Software\Microsoft\Internet Explorer <-QUOTE}

The S-1-5-21-xxxx number key is mapped in as HKEY_CURRENT_USER when that user logs in. So if there is only one user on your computer, protecting HKEY_CURRENT_USER will be enough. If there isn't, then you would need to manually add each S-1-5-21-xxxx key currently.

BTW nice spot on what you can do GKWEB. :)
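The two points above (the S-1-5-21-... hive is what its user sees as HKCU, and a parent key's protection does not reach into existing subkeys) mean the list of keys to protect has to be spelled out per user and per subkey. The following PowerShell is an added audit example, not code from the thread or from RegDefend: it expands that list for every loaded user hive and prints the current home/search/default page values as a baseline. The value names "Start Page", "Search Page" and "Default_Page_URL" are assumed to be the stock IE names.

```powershell
# Added example, not code from the thread or from RegDefend. Builds the explicit
# per-user Internet Explorer key list (key plus every existing subkey) and dumps
# the hijack-relevant values so they can be compared after a reboot or an alert.
$relative   = 'Software\Microsoft\Internet Explorer'
$valueNames = @('Start Page', 'Search Page', 'Default_Page_URL')   # assumed stock IE value names

function Get-UserIeKeys {
    # Loaded per-user hives only; the *_Classes hives hold that user's HKCR overlay
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $root = "HKEY_USERS\$($_.PSChildName)\$relative"
            if (Test-Path "Registry::$root") {
                $root                                   # the key itself ...
                Get-ChildItem -Path "Registry::$root" -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.Name }          # ... and every existing subkey, each needs its own entry
            }
        }
}

# SID of the account running this script: its HKEY_USERS hive is the same data as HKCU
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

"Keys to add to the protection group (one entry each):"
Get-UserIeKeys | Sort-Object -Unique | ForEach-Object {
    if ($_ -like "HKEY_USERS\$currentSid\*") { "$_   <- current user, same data as HKCU" } else { $_ }
}

"Current hijack-relevant values (baseline):"
Get-UserIeKeys | Where-Object { $_ -like "HKEY_USERS\*\$relative" } | ForEach-Object {
    $main = Get-ItemProperty -Path "Registry::$_\Main" -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        "{0}\Main  {1} = {2}" -f $_, $name, $main.$name
    }
}
```

Run it from an elevated prompt so all loaded hives are readable; hives of users not currently logged on are not loaded under HKEY_USERS and will not appear.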

siliconman01
February 25th, 2005, 04:21 AM
Thanks very much for this thread and info. Have installed on my system where I too use Ad-Watch.

Now if we could get RegDefend to block pop ups, I could just throw Ad-Watch away.... ;) IE's pop up blocker blocks too much on some of the sites I use.

I let Giant work as the memory monitor because it uses much less CPU utilization than Ad-Watch.

Jason_R0
February 25th, 2005, 04:59 AM
You may want to move away from IE as a browser if you want better popup blocking, FireFox and Opera include some nice ones that I have found work quite well. :)

That and Opera/Firefox are faster than IE too, not at loading up, but at displaying and viewing web pages. :)

Bowserman
February 25th, 2005, 05:25 AM
{QUOTE-> Last tip before to go to bed ;) <-QUOTE}


Nice one GK....thanks for the tip :).

Regards,
Jade.

Kaupp
February 25th, 2005, 06:04 AM
{QUOTE->

1) "Lock start-up section" has already been taken care of with the "AUTO STARTS" group.

<-QUOTE}
hi

I don't think it was mentioned yet on the board that two auto-start locations not covered by RegDefend are the common and user Startup directories.

Does anyone think these areas should be protected by regdefend?

regards
Kaupp

siliconman01
February 25th, 2005, 07:09 AM
These two startup areas should be protected IMHO; however, I haven't figured out yet how to do it through the registry so RegDefend can control the protection.

Incidentally, Ad-Watch (Build 1.05) does not protect these. I bugged LS about this and never received any responses for LS (forum or otherwise). Giant protects them. I think Spy Sweeper does too.

Bowserman
February 25th, 2005, 07:26 AM
{QUOTE-> hi

I don't think it was mentioned yet on the board that two auto-start locations not covered by regdefend,are the common and user startup directories.

Does anyone think these areas should be protected by regdefend?

regards
Kaupp <-QUOTE}


If I am following you correctly, you are talking about the

C:\Documents and Settings\All Users\Start Menu\Programs
and
C:\Documents and Settings\yourname\Start Menu\Programs directories etc?

If so, then they haven't been added as they are folders. But maybe Jason could add them....doubtful though, as this is a registry defence program :).


Regards,
Jade.

Defenestration
February 25th, 2005, 02:12 PM
{QUOTE-> I have just discovered that when you protect from modifying :

\RootKeys\

trying to create any subkey or value is indeed blocked, however modifying or creating any keys or value into an existing subkey such as :

\RootKeys\ExistingSubKeys\myNewValue

Will not be blocked.

So either it is a bug, or it is by design.
If the latter, I would request that settings added for a RootKey be applied to any SubKeys. <-QUOTE}
I've noticed another problem that arises from protecting the HKEY_CLASSES_ROOT key. Some of my tray icons, for apps launched at startup, don't appear. The processes are running, it's just that there's no tray icon. The only way to get the tray icon to appear is to remove the protection, shut down and restart the process.

I'm not really sure why since the tray icons do appear when launched manually. I'll do a bit more poking around to see what I can find.

gkweb
February 25th, 2005, 03:10 PM
I do not see the link, as it is working pretty well on my computer.
If you just protect the key from modifying, there is no problem, I don't even see a reason for a program starting to read the key.

Anyway, if you have troubles protecting it, try to give us more clues, for instance just tick one protection at a time (modify/read key/value) and reboot to find the culprit.

May be Jason will have more answers than me.

Regards,
gkweb.

Defenestration
February 26th, 2005, 06:00 AM
{QUOTE-> I've noticed another problem that arises from protecting the HKEY_CLASSES_ROOT key. Some of my tray icons, for apps launched at startup, don't appear. The processes are running, it's just that there's no tray icon. The only way to get the tray icon to appear is to remove the protection, shutdown and restarting the process.

I'm not really sure why since the tray icons do appear when launched manually. I'll do a bit more poking around to see what I can find. <-QUOTE}
I have tried protecting HKCR with the latest version 1.100 and all my tray icons appeared on reboot. I'll post again if I notice the problem again.

Defenestration
February 28th, 2005, 08:07 AM
I've just had a few tray icons not appear again. This time all the ones that didn't appear were started from the Startup folders instead of from the registry. I did have a RegDefend confirmation dialog appear, so this might have something to do with the tray icons not appearing.

The apps in question had actually started, and starting them again resulted in the tray icons appearing.

This must be to do with RegDefend because this never happened before I installed RD.

siliconman01
February 28th, 2005, 09:11 AM
I had this happen once just after I added the Ad-Watch group. On the next reboot, I received a RegDefend alert that C:\Windows\System32\CISVC.EXE was attempting to modify a Key in the Ad-Watch group on HKCR. I permitted it Always. Then another alert came that C:\Windows\EXPLORER.EXE was attempting to modify a Key in the Ad-Watch group on HKCR. I permitted it Always. As the reboot continued, some of the icons did not appear in the Systray.

I rebooted again....no alerts...no missing icons...no missing icons on reboots since these two alerts.

Defenestration
February 28th, 2005, 09:28 AM
It would appear that the RegDefend alert on startup is somehow preventing some tray icons from being displayed.

siliconman01
February 28th, 2005, 09:39 AM
If you "permit" the alert and also check mark the "Always Allow" box, this should stop the problem starting with the next reboot.

siliconman01
February 28th, 2005, 10:14 AM
Keep in mind that in Ad-Watch

"Lock Executable File Associations: Blocks (only) the most common associations (used by worms and viruses) so that they cannot stealthily change executable, shortcut, and registry file associations."

We have elected to set up HKCR for blocking all associations in HKCR. So some permits by trusted programs are necessary.
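Since the group above locks all of HKCR rather than only the associations Ad-Watch names, it helps to be able to check quickly that the commonly targeted chains are still the stock ones after permitting an alert. The following PowerShell audit is an added example, not code from the thread, from Ad-Watch or from RegDefend; the expected ProgIds and command lines are the Windows defaults as I know them (an assumption; confirm against a clean machine).

```powershell
# Added example, not code from the thread, Ad-Watch or RegDefend. Reads the
# executable, shortcut and registry-file association chains under HKCR and
# flags any handler that differs from the stock command line. HKCR is the
# merged view, so a per-user override in HKCU\Software\Classes shows up too.
$expected = @{                                             # assumed stock values
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.cmd' = @{ ProgId = 'cmdfile'; Command = '"%1" %*' }
    '.reg' = @{ ProgId = 'regfile'; Command = 'regedit.exe "%1"' }
    '.lnk' = @{ ProgId = 'lnkfile'; Command = $null }     # shortcuts have no open\command by default
}

function Get-AssociationState {
    param([string]$Extension)
    # (Default) of HKCR\.ext names the ProgId; (Default) of HKCR\<ProgId>\shell\open\command is the handler
    $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    $cmdPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = if ($progId -and (Test-Path $cmdPath)) { (Get-ItemProperty -Path $cmdPath).'(default)' } else { $null }
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command }
}

$report = foreach ($ext in ($expected.Keys | Sort-Object)) {
    $state = Get-AssociationState -Extension $ext
    $want  = $expected[$ext]
    $status = if ($state.ProgId -eq $want.ProgId -and $state.Command -eq $want.Command) { 'OK' } else { 'CHANGED' }
    [pscustomobject]@{
        Extension = $ext
        ProgId    = $state.ProgId
        Command   = $state.Command
        Expected  = $want.Command
        Status    = $status
    }
}
$report | Format-Table -AutoSize
```

A CHANGED row means the ProgId or the handler command is not the stock one; compare it with the same row from a known-clean machine before deciding whether it is a legitimate change by an installed program.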

Bowserman
February 28th, 2005, 11:27 AM
{QUOTE-> If you "permit" the alert and also check mark the "Always Allow" box, this should stop the problem starting with the next reboot. <-QUOTE}

Hmmm, not necessarily.

I have had this happen only the one time so far after a reboot and have not received an alert from RegDefend beforehand. The icon is there but once the mouse is moved over it, it disappears.....move the mouse off and then it re-appears. If I end the program in the taskmanager and then restart it, the problem no longer exists. So that leads me to believe it is not just due to an alert from RegDefend. Quite strange.

But given Jason and the beta team's track record of problem solving, it shouldn't take too long to figure out :).

Regards,
Jade.

Defenestration
March 1st, 2005, 07:01 AM
It just happened again with the missing tray icons. FYI, on bootup RegDefend alerted me that explorer.exe wanted to modify HKEY_CLASSES_ROOT. The TDS, Proxomitron and Wallpaper tray icons were all missing. All three of these apps were started from the startup folder, not the registry.

Defenestration
March 1st, 2005, 03:15 PM
Actually my last post was wrong in that explorer.exe was trying to modify HKEY_CURRENT_USER, and not HKEY_CLASSES_ROOT. The odd thing about it is that the alert said it was part of the AD_WATCH group, even though HKEY_CURRENT_USER is not part of that group ???

The attached image shows my AD-WATCH group: