Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The full Windows Registry can take up dozens of megabytes on some systems and there are some entries that are continuously updated. Keeping track of all Registry changes would therefore kill performance on virtually any system.
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Paranoid2000,
    I will add the HKLM\SYSTEM\CurrentControlSet\Services key now. Files and folders were intentionally not included, because I focus on registry monitoring features, and not startup monitoring. In another thread perhaps?

    Dazed,
    SSM could possibly monitor all the registry keys listed here. It seems that this list was never collected, only parts of it, so the SSM author might not have had the info at the time of release. Note that process protection features of SSM are outdated. They are no match for DCS Advanced Process Termination, so you should still use DCS Process Guard for this purpose.

    -hojtsy-
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hojtsy. Thanks. :D

    Just to confirm - You're saying that SSM's registry monitoring capabilities are worthwhile, considering its ability to allow the user to add additional critical registry keys. But its Process Protection capabilities are outdated (as evidenced by the fact it is no match against DCS APT disabling capabilities), and that a user should disable this feature of SSM and rely on DCS PG for this protection?

    P2K - Understood - Thanks! I'm assuming the most critical ones are listed in the #1 post by Hojtsy.
     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hojtsy, in your post you said that only SSM and Regrun could be configured to add registry keys. If I'm not mistaken Grr is also configurable.
     
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    While I'm at it, I have a question. Why do different programs monitor different keys? By the way Hojtsy, you did a great service putting this together. Which keys would be the most important to monitor? o_O
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    WillieP - I was wondering the same thing. I'm going to start out by adding everything in post #1. I'll bet the list in post #1 will grow as others visit...
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Disabling this would mean losing SSM's application monitoring capability altogether (at least I cannot see how you can configure SSM to ignore termination attempts otherwise) - if you have other software that monitors which applications get executed (and gives you the same level of control that SSM does) then this application monitoring would be unnecessary duplication but otherwise it should be a valuable feature.

    Also SSM maintains a checksum of monitored applications and will warn if any change - this acts to "inoculate" these files against virus infection so you should only consider disabling this if you have it covered elsewhere (some anti-virus/anti-trojan software does this, a firewall will do also but only for applications requesting Internet access).
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Admins,
    I suggest this thread to be sticky. Many could benefit from the info collected here.

    WilliamP,
    Grr is not truly customizable. You cannot freely add any registry keys, only monitored extension associations, and files. All of these keys are important to monitor. If you monitor 20 out of 30 autostart methods, you can be quite sure that the next trojan variant will use those non-monitored keys.

    If you need that precise control over execution where you specify which app could start which one, then you need SSM application monitoring, as nothing else provides this. But if you would just like to control which apps could be executed: that is provided by Process Guard. I personally don't need that granularity of control here, so I disable the app protection of SSM, and enable the registry protection plugin. I use Process Guard for application protection.

    AFAIK, the same checksums are provided by Process Guard.

    I requested the authors of DCS Registry Prot, Teatimer, Grr, and Ad-Watch to state the list of monitored keys. None of them did. This seems to be a secret. Are we dancing into illegality?

    -hojtsy-
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hojtsy, Regarding autostart entries, DCS's Free Autostart viewer is a useful tool but as far as I know there is no complete list of autostart methods available.

    Autostart viewer covers over 50 methods and these are listed here:

    http://www.diamondcs.com.au/index.php?page=autostarts

    Agreed this would make a good sticky :)


    HTH Pilli
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    off topic post removed
     
  11. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    I'm sure that if you sent the author of SSM an email and point him to this thread he will add the registry keys to SSM, he sometimes frequents here so maybe he will see this.

    Anyway this is a very informative thread, and I think that it should be stickied.
     
  12. Justhelping

    Justhelping Guest

    I fully agree ,on both counts.
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I was under the impression that nothing could change the registry without executing. Consequently, if Process Guard keeps the baddies from executing, why the need to monitor the registry? :rolleyes:
     
  14. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    WilliamP,
    -consider the example of CoolWebSearch. Initially it is not a separate executable on your computer, just some web component downloaded and executed by iexplorer. Process Guard will not stop it from executing, and it can freely overwrite any registry area.
    -Alternatively VBScript or Java application executions are only visible to Process Guard as execution of the VB engine, and Java virtual machine. It can not distinguish between different java applications, so either it blocks the engine completely, or allows all without any checksum or whatever. Of course VBScript or Java can freely write into your registry.
    -If any of your trusted applications are successfully attacked with buffer overflow attack (either internal or external attacker), the trusted app could be commanded to make any registry modifications.
    And the list goes on and on...
    Process Guard can not stop all malware from execution! It can only decrease the unwanted effects of already running malware.
    Similarly, registry protection is only decreasing the unwanted effect of already running malware.
    Anyway we are going off-topic. If you would like to continue this discussion about Process Guard please start a new thread.

    -hojtsy-
     
  15. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hojtsy, thank you for your reply. I didn't mean to get off course. I had been told in another post that something has to execute to change the registry. The registry is not "a file".

    The registry is an in-memory database which has backing store (for persistent keys) in one or more files on disk.

    Why the nit-picking? Because the only agent that opens the registry hive files is the registry-management code in the exec. Programs that modify the registry do not open files, they open registry keys by issuing system calls to the registry manager. The files are already open (they're part of the exec's address space) and do not need to be re-opened for each user.

    Therefore, nothing you do to the hive files will restrict the ability of user programs to access registry keys in those files.

    Registry keys have their own security descriptors, enforced by the security reference monitor just as it enforces file security (the registry, the file system, and everything else that maintains securable objects just store the security descriptor 'somehow' and then call the security monitor to actually interpret it, thus the whole system has consistent security behaviour).

    The usual 'do not run as an administrator' advice should protect the entire HKLM subtree.

    Back to the question:

    Something has to execute to modify the registry, since something has to execute in order to cause any actions at all. The registry does not spontaneously change.

    So you may or may not be ok by restricting process execution. Me, I think that's intolerable in the same way I think that software firewalls are intolerable - they require familiarity with each and every program's internal behaviour. The registry is where programs are supposed to store certain data. Programs might very well modify the registry several times a second.

    There are probably registry-monitoring tools that offer that level of micromanagement for registry ops.

    I go for the "don't take software from strangers" approach myself.
     
    Last edited: Jun 7, 2004
  16. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Come on, someone please respond to my post. I didn't write it. I only copied and pasted. I would like to have been smart enough to write it. :D
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well, since you asked...
    There are several techniques (known as "escalation of privilege vulnerabilities") that malware can use to gain administrator access. Running as a restricted user (power users can amend many of the HKLM entries) will add an extra obstacle but is not a universal fix - and can be pretty inconvenient in some cases.
    Well that pretty much rules out doing anything useful on your system, does it not? After all, when you purchase software from a vendor, how sure can you be that one of their systems has not been compromised allowing an outsider to add "a little extra" to their product? (few vendors will have the security knowledge shown by many on this board).

    Assuming that you do choose to run software, you then need to be able to judge whether it is "safe" or not. Signature-based scanners (anti-virus and anti-trojan) can detect much (but not all) malware so "behaviour monitors" (firewalls, registry monitors, process protection) need to be the next line of defence in securing your system.

    In the case of registry monitors, those listed here will warn you of changes in key parts of the Registry which you then need to decide to allow or deny. While this does require technical expertise (just as using a firewall requires experience in judging what network access programs need), most entries are straightforward and attempted abuse (a Java applet named "xyaedlt.jar" that tries to add itself to the startup list for example) easy to spot.
     
  18. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you Paranoid 2000 for the reply. In the first post by hojtsy is the list of the keys that are watched by different programs. Which ones are the keys that need to be watched? Thank you for the help.
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    You already asked this and I already answered.
    -hojtsy-
     
  20. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Hojtsy, I humbly apologize for my mistake. I hadn't taken your post literally when you said to watch them all.
     
  21. WYBaugh

    WYBaugh Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    122
    Location:
    Florida
    Hi,

    I wanted to throw another program into the mix...

    WinPatrol (http://www.winpatrol.com) handles the following keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Microsoft\Windows\CurrentVersion\Run
    HKCU\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKCU\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

    Thanks,

    Bill
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  23. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Thanks WYBaugh,
    Those keys don't exist for me on Win2k. Are they present on Win9x or what??
    The others will be added soon.

    Thanks nick s,
    The new Sysinternals Autoruns 4.2 is very recommended. They just added several new keys, some of which were already listed here. Others will be added soon. Surprisingly they also removed some keys as compared to 4.03. I would be more satisfied to see an explanation for the removal of those.

    -hojtsy-
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Based on the information given in Windows 2000 Registry: System and Startup Settings and a root through Usenet, it may be worth including the following:
    • HKLM\SYSTEM\ControlSet001-003 - one of these sets is copied into the CurrentControlSet on startup (which one will depend on the type of startup chosen). This could produce a big list of changes though if a different startup type is chosen!
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - the AppInit, Shell and UserInit fields of this key are already included on your list. In addition, "System" can contain applications that are started with system privileges and "VMApplet" determines what is run when you right-click on the My Computer icon and select Properties.
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager - the Utility Manager can be configured to start accessibility programs on Windows startup so a trojan could be slipped in here by altering the Application Path and setting the Start with... field.
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - processes to be run by svchost on startup could be added here.
    There are doubtless dozens more possibilities, some needing more user intervention (e.g. modifying the Control Panel so that one of the options there runs a trojan instead). MS sure know how to make securing a system awkward... :(
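    The posts above (WYBaugh's WinPatrol list, Paranoid2000's Winlogon additions, hojtsy's point in post 14 that script hosts write the registry while process control only sees the host, and the "xyaedlt.jar" illustration in post 17) describe what a registry monitor actually has to do: watch a fixed list of autostart keys, diff them against a known-good baseline, and let a human judge the change. The following is an added example written for this page; it is not code from the thread or from any of the tools compared in it. It assumes two exports made with `reg export <key> <file>` (one taken when the system was known clean, one now), parses the subset of the .reg format such exports use, and reports added/removed/changed values under a monitored-key list taken from the thread. The launcher heuristic (wscript, cscript, mshta, rundll32, regsvr32, java, script and jar extensions) and both sample exports are constructed for the example.

```python
"""Baseline diff of autostart registry keys from two .reg exports.

Added example for this page, not the thread's or any product's code.
Assumes exports in Regedit 5.00 format; all sample data is constructed.
"""
import re
from typing import Dict, List, Tuple

RegSnapshot = Dict[str, Dict[str, str]]          # key path -> {value name: data}
Change = Tuple[str, str, str, str, str]           # (kind, key, name, old, new)

# Subset of the keys listed in the thread (WinPatrol list + Winlogon).
MONITORED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Hosts that run a non-executable payload "inside" a trusted process
# (hojtsy's VBScript/Java case). Heuristic chosen for this example.
SUSPICIOUS = re.compile(
    r"(?i)\b(wscript|cscript|mshta|rundll32|regsvr32|javaw?)(\.exe)?\b"
    r"|\.(vbs|vbe|js|jse|hta|jar|wsf)\b"
)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse [key] headers, "name"=data and @=data lines. Quoted strings are
    unescaped; dword:/hex: data is kept as raw text, with continuation lines
    (trailing backslash) joined so multi-line hex values compare correctly."""
    snap: RegSnapshot = {}
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
            continue
        if line.endswith("\\"):                    # value continues on next line
            pending = line[:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        snap[key][name] = data
    return snap


def diff_monitored(baseline: RegSnapshot, current: RegSnapshot,
                   keys=MONITORED_KEYS) -> List[Change]:
    """Added/removed/changed values under the monitored keys only. Key and
    value names compare case-insensitively, as the registry itself does."""
    def lookup(snap: RegSnapshot, want: str) -> Dict[str, str]:
        for k, v in snap.items():
            if k.lower() == want.lower():
                return {n.lower(): (n, d) for n, d in v.items()}
        return {}

    changes: List[Change] = []
    for k in keys:
        old, new = lookup(baseline, k), lookup(current, k)
        for lname in sorted(set(old) | set(new)):
            if lname not in old:
                changes.append(("added", k, new[lname][0], "", new[lname][1]))
            elif lname not in new:
                changes.append(("removed", k, old[lname][0], old[lname][1], ""))
            elif old[lname][1] != new[lname][1]:
                changes.append(("changed", k, new[lname][0], old[lname][1], new[lname][1]))
    return changes


def flag_suspicious(changes: List[Change]) -> List[Change]:
    """Changes whose new data launches a script host, script or jar."""
    return [c for c in changes if c[0] != "removed" and SUSPICIOUS.search(c[4])]


def audit(baseline_text: str, current_text: str) -> Tuple[List[Change], List[Change]]:
    """Convenience wrapper: (all monitored changes, the suspicious subset)."""
    changes = diff_monitored(parse_reg_export(baseline_text), parse_reg_export(current_text))
    return changes, flag_suspicious(changes)


# Constructed sample exports (not real systems).
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\avtray.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\ExampleApp]
"LastRun"=dword:00000001
'''

CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\avtray.exe\" /background"
"Java Update"="javaw.exe -jar \"C:\\WINDOWS\\Temp\\xyaedlt.jar\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe,wscript.exe //B C:\\WINDOWS\\svc.vbs"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Sysaudio"=hex(7):73,00,76,00,63,00,2e,00,65,00,78,00,65,00,\
  00,00,00,00

[HKEY_CURRENT_USER\Software\ExampleApp]
"LastRun"=dword:00000010
'''

if __name__ == "__main__":
    all_changes, bad = audit(BASELINE, CURRENT)
    for kind, key, name, old, new in all_changes:
        mark = "!!" if (kind, key, name, old, new) in bad else "  "
        print(f"{mark} {kind:8} {key}\\{name}: {old!r} -> {new!r}")
```

The unmonitored ExampleApp\LastRun change is silently ignored, which is the trade-off Paranoid2000 describes: watching everything is unaffordable, so the value of the tool is the completeness of its key list. A real monitor would also need the newer locations the thread collects (Services, Svchost, Utility Manager), and a list kept in a file rather than in code.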
     
  25. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hi,
    I added several more keys to the table, from the posts here and from Sysinternals Autoruns 4.2.

    Interesting app here: Registry Protector. Customizable keys and system driver level checking. This means the dialog is displayed *before* the change is entered into the registry, as compared to most other software discussed here. Support forum seems totally empty. o_O Maybe the first released version of the app. If anyone evaluates it, post your experiences.

    -hojtsy-
     