Registry Guard - Protect registry keys and values

We've released a new tool to protect registry keys\values:

Read more & download here:
http://www.novirusthanks.org/products/registry-guard/

 

another nice tool seems very similar to SoB ,

@novirusthanks will it be integrated in it (or maybe it is already)?

Do you plan to release portable versions?

 

Won't work with XP??

 

Hi, @novirusthanks . I have some questions on this tool.

1. I guess this version is a stable version rather a beta version. Is that true?

2. Could this tool only use path to match an EXE? Or does it also support hash code and digital sign?

3. Could the [%EXE%] field be used to match any executable files, including scripts? Or does it only match ".exe" files?

4. Does this tool have a passive logging mode?

 

@TomAZ

It only works on Vista+ OS.

@guest

No plan for now to integrate into SOB, we'll see.

Noticed you posted on MT, wanted to clarify one thing, Registry Guard actually does block in real-time specific processes from writing\reading\deleting to\from the Windows registry if the rules match the event, and when an action is blocked, it is then logged in the textarea. It is like a HIPS\real-time protection for custom registry keys and values so they can't be created\changed\deleted\read

Example, with this custom rule:

The program prevents regedit.exe from deleting any registry key that matches the wildcard *DeleteKey*

@Online_Sword

1. Yes, it is stable.

2. It matches only fully qualified process path using wildcards.

3. The alias [%EXE%] matches the process fully qualified file path of the process that requested the registry action.

4. Not for now.

 

ok i will add your clarification

 

Thank you for your reply @novirusthanks .

 

Looks interesting, but again no user friendly GUI, I hope this won't become a trend.

 

@guest Thanks

Released a new version:

http://www.novirusthanks.org/products/registry-guard/

You can now write exclusion rules easily:

 

+1

 

Does Registry Guard prompt the user to allow, or deny the action, or does it automatically block the action?

 

How RG is/can be differ from MJRW?

 

"MJ Registry Watcher is a simple registry, file and directory hooker/poller [...]" (from their site). Registry Guard uses real-time blocking.

 

OK, I agree but MJRW is not so simply
"You can also choose between always prompting your attention when one occurs, automatically
accepting all changes, or rejecting all changes, using the top left radiogroup. Automatic
Rejection will undo all value changes, subkey additions, and file and directory additions..."
From help file...so question would be still valid

 

What I meant is that the way they work is different.As far as I remember MJRW has a lot more facilities.

If you ask me, a real-time blocking tool is always better at protecting the system, because the modification is intercepted before the actual change happens. A tool that uses polling will read the changes after they happen and then it reverts them if the users decides that.

 

NVT"s Registry Goard excludes XP BUT XP doesn't need it -- we've got Tiny Watcher. It's on-demand -- the BEST way (a key link in the *detect & recover* concept of security).

Tiny Watcher is *good* at detecting spooky registry changes right out of the box BUT -- for XP users who want to turn TW from *good* into *formidable*) goto THIS Wilders thread.

 

For the people who are wondering about what reg-keys to protect, you can use AutoRuns as a guideline:

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.howtogeek.com/school/sysinternals-pro/lesson6/all/

 

Released a new version:



[09-12-2015] v1.2.0.0

+ Improved main interface
+ Rules and exclusions are updated in real-time
+ Minor fixes and optimizations

More info & download:
http://www.novirusthanks.org/products/registry-guard/

@Cutting_Edgetech

The program auto-blocks registry events that match your custom rules.

 

Oh this is really going to get good.

Thanks many times over once again Andreas

Now where is that paypal link again.

http://s17.postimg.org/hyhfao4jz/image.jpg
http://s21.postimg.org/ekydoriaf/image.jpg

 

Cool! So potentially we could use this to prevent portable apps from writing to the registry?

Would something like this work for a rule to prevent any process from d:\apps from writing to HKCU/Software?

Code:

[%OPR%: CREATE_KEY] [%EXE%: d:\apps\*] [%KEY%: *\SOFTWARE*]

 

@pasmal

Correct, with that rule the program blocks every process located on d:\apps\* to create new keys to *\SOFTWARE\* (HKLM and HKCU).

 

Windows XP cannot be secured and should no longer be used.

 

Cool! Is it possible to make a separate build for portable use?

 

I have a problem, I think. Probably just a missing character or something in the rule line.

I uncommented the "included" line for DELETE_KEY but I can still delete this simple KEY below each and every time.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA]

So far I have tried these below and no change. What am I doing wrong? The others work perfectly!

[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *DeleteKey*]

[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*]

[%OPR%: DELETE_KEY] [%EXE%: c:\windows\*] [%KEY%: *\Software*]

[%OPR%: DELETE_KEY] [%EXE%: C:\*] [%KEY%: *\SOFTWARE*] <-- I know this is likely 0ff (experimenting)