Extra RegDefend Ghost File Entries

Discussion in 'Ghost Security Suite (GSS)' started by puff-m-d, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Can't hurt at all to add them. Unless yours is a company computer where restrictions have been set by an administrator, you would want ALL of those keys protected.

    For more information on these and the Registry in general, this site holds a lot of useful information: http://www.winguides.com/registry/

    I will... I like sharing these... ;)
     
  2. dog

    dog Guest

    Re: RegRun Entries

    You'll have to upload us a Ghst file, one day. ;)

    ~Please~
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    I was afraid you were going to say that... LOL

    As it is I have some of this stuff already added to different groups, so it may be best to upload the lot, minus my Application Specific ones...
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    ... well, maybe not after all...

    I'll create a new group, add all my "new" stuff to it, and upload it later on. People can then either choose whether to add the entire group, or just select what they like...
     
  5. dog

    dog Guest

    Re: RegRun Entries

    Sounds good. ;)

    Thanks Tony :)
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Allrighty, here you go:


    Attaching the *ghst* file for all browser related values, startups and restrictions I proposed before, less whatever entries are in the existing sets on RegDefend. Just download the file, remove the .txt from the end of the name, and save it in your *\RegDefend\groups folder.

    If someone would like to sticky this, be my guest.

    I'll be happy to add to it whenever I find something I feel worth adding.
     


    Last edited: Jun 11, 2005
  7. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    Thank you Tony - I was reading the posts above and wondered how to add all of those :rolleyes: I have downloaded Puff's and now these and hope to have RD defending more than my default settings. Thanks to both of you as when it comes to adding things I am nowhere near confident enough to add keys myself but I would like to increase my security :oops:
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    You're very welcome, Robyn. I suggest you hang around the more specialized security boards some more, track topics like this one, and you may well come up with a few additional items for RD to monitor yourself :) .
     
  9. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    Hi Tony - Wilders is top of my list for security forums ;) I love the posts up here and try to learn as much as possible but when it comes to confidence in action :oops: Since installing RD I am learning a lot more about my software and what they are up to when I use one of them to clean TIF's etc

    I really appreciate the expert advice here and the fact my security layers are not counted as OTT. Security is the main area I want to learn a lot more about and be more confident in the way it works for me. With the experts up here and all the discussion posts I am 'learning' but need to make sure what I tweak myself would be correct. Thankfully people like yourself and the Ghost team are here to help.
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    OK, I'm starting to warm to this... LOL

    Looking at the MSAS check points and elsewhere to see what else we can add. ;)
     
  11. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Re: RegRun Entries

    Thanks Tony Klein for your .ghst file.

    It would be nice if there was ONE (1) location where .ghst files could be stored (here or on ghostsecurity.com), so that it is easy to find the latest regrun.ghst or tonyklein.ghst.

    Those are very good examples of how to use RegDefend. If you start using RegDefend those are VERY helpful!
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    OK, adding the following to my uploaded file:

    hkey_classes_root\protocols\filter* | * | Value | Mod Key, Mod Value | Ask User
    hkey_classes_root\protocols\handler* | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\ole | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\control\lsa | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\security center | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\ranges* | * | Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\ranges* | * | Value | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings | MinLevel | None | Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings | Safety Warning Level | None | Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings | Trust Warning Level | None | Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings | Security_RunActiveXControls | None | Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\internet settings | Security_RunScripts | None | Mod Value | Ask User
    hkey_users\.default\software\microsoft\windows\currentversion\internet settings | MinLevel | None | Mod Value | Ask User
    hkey_users\.default\software\microsoft\windows\currentversion\internet settings | Safety Warning Level | None | Mod Value | Ask User
    hkey_users\.default\software\microsoft\windows\currentversion\internet settings | Security_RunActiveXControls | None | Mod Value | Ask User
    hkey_users\.default\software\microsoft\windows\currentversion\internet settings | Security_RunScripts | None | Mod Value | Ask User
    hkey_users\.default\software\microsoft\windows\currentversion\internet settings | Trust Warning Level | None | Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\services\tcpip\parameters | DataBasePath | None | Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces* | * | Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\internet explorer\toolbar | * | Value | Mod Value | Ask User
     
    Last edited: May 29, 2005
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    All right: new file including these latest additions uploaded.

     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    Took out the proxy-related items which caused dialog boxes to come up a little too frequently...

    New file uploaded.
     
    Last edited: May 29, 2005
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Re: RegRun Entries

    Tony,

    Thanks very much for this very nice ghst file. :) I did not imagine that by the time I posted that last night, and by the time I was able to get on the internet today, that I would see so many replies and a nice ghst file written by yourself. ;)

    I just set it up on my PC, rebooted, and all looks good here. Many thanks to you and puff for putting together this extra security for the RegDefend user community.

    I only installed this program myself yesterday, but I like it very much so far as it is easy to use and highly configurable. :cool:

    Regards,

    Jag
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    You're very welcome. I think we need to start thinking of combining our efforts in order to avoid having dozens of different ghst files floating round...

    I believe we'll be able to work something out there...

    I only installed it a couple of days ago myself, and I totally agree with you. It not only replaces many known real time "Registry monitors" such as MSAS Real Time Protection, SpyBot's Teatimer and others, but it does so much faster, more effectively, more reliably, and on top of that it's user configurable so that the number of keys/values you want RD to protect is endless...

    And to think that this is only the start....
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Re: RegRun Entries


    I totally agree with this concept. I think a more streamlined approach to ghst files and avoiding overlap (if possible) will result in better protection and also use the KISS methodology.

    For example, I am now using the default ghst file setups, puff's regrun file, your file, and one of my own to look out for zones and protocol defaults changes in IE.

    I am sure there is a better way to set this up, but I am still learning the product (as I have had it less than 24 hours.)

    But if I/we can get, say in my case, 6 ghst files down to 3 or so, I (and the rest of the user community I'm sure) will be happy campers.

    I wonder if it is worth watching registry entries for NOD32 and BOClean, or if the just about daily updates of these products will cause far too many alerts by RegDefend. (Sorry, just thinking out loud here.)

    Again Tony, thanks for your efforts. :D

    Best Regards,

    Jag
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: RegRun Entries

    Hi guys,

    It looks like there are lots of good things happening. It would be nice if it could be organized and documented in a way that people can make decisions whether or not they would like to utilize the extensions. Maybe someone can recommend a "structure" that would make sense for long term maintenance: e.g. a group represents a specific functional purpose.

    Thanks for all of your hard work and your willingness to share with the community.

    Rich
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    That would be nice, but documenting every single entry would take an awful lot of work....

    The restrictions and browser pages I included can be added without a prob, but so can the rest.

    I referred to my List of Startup Locations, and that contains a lot of info of some of these reg keys/values: http://forums.subratam.org/index.php?act=ST&f=29&t=1063&st=0#entry8790

    As for organizing them into groups, that would be a good idea, were it not for the fact you don't want everyone to individually start messing with existing groups...

    I'm hoping to work together with others here so that we'll end up with one additional ghst file that will be added to/modified on a regular basis. Seems to me the way to avoid duplication and general chaos...

    Incidentally, as for other reg values/keys I and others referred to, a Google search will often help to clarify what they do.

    Take for example the HKCU\SYSTEM\CurrentControlSet\Control\Lsa and HKLM\Software\Microsoft\OLE reg keys. These are hacked by many RBot and SDBot variants, as is for example shown in this TM write-up:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.KB&VSect=T
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: RegRun Entries

    Thanks much for the added info Tony. Helps a lot.

    Rich
     
  21. tlu

    tlu Guest

    Re: RegRun Entries

    Aside from Tony's recommendations have a look at http://outpostfirewall.com/forum/showthread.php?t=12663 . It may be wise to create this registry key, set its value to 1 and protect it with RD.
     
    Last edited by a moderator: May 30, 2005
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    I did a quick Google search and found that more software (WinIce, Intellisync 1.01 and others) appears to fail to install if this value is set to 1:

    http://www.securityfocus.com/archive/1/153953

    If protected, you'd have to allow it be modified, then manually change it back afterwards...
     
  23. tlu

    tlu Guest

    Re: RegRun Entries

    Tony, thanks for the additional hint. The crucial point seems to be that this registry entry usually does NOT exist, which is equivalent to its default value 1. Without creating it manually, any change (or, more exactly, creation with setting a value 0) by whatever software would most probably not be noticed at all.
     
    Last edited by a moderator: May 30, 2005
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    That's correct. Incidentally, you wouldn't even need to actually create the value in the Registry, if not there.

    Simply use RD to drill down to HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement, and manually type "EnforceWriteProtection" (without quotation marks) in the value box. Remove the check mark in the 'contains wildcard chars' box.

    Once an application tries to create that value you'll be notified.
     
    Last edited: May 29, 2005
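As an added illustration of the rule lines Tony listed in post 12 and of the "watch a value that does not exist yet" trick in post 24, here is a small matcher for that pipe-delimited layout (key | value name | kind | events | action). It is example code, not RegDefend's own file format or engine: the third column is assumed to be the 'contains wildcard chars' flag mentioned in post 24, the EnforceWriteProtection rule line is constructed from post 24's instructions, and the sample events are constructed.

```python
# Added example, not RegDefend's code: matcher for the "key | value | kind |
# events | action" rule lines quoted in post 12 of this thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    key: str           # registry key, lower-cased; a trailing '*' means prefix match
    value: str         # value name (lower-cased), or '*' for any value under the key
    events: frozenset  # e.g. {'mod key', 'mod value'}
    action: str        # e.g. 'Ask User'


def parse_rule(line: str) -> Rule:
    # The third column ('Value'/'None') appears to be the wildcard flag; it is
    # not needed for matching here, so it is parsed and ignored.
    key, value, _kind, events, action = (f.strip() for f in line.split("|"))
    return Rule(key.lower(), value.lower(),
                frozenset(e.strip().lower() for e in events.split(",")), action)


RULE_LINES = [
    # copied from post 12
    r"hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zonemap\ranges* | * | Value | Mod Key, Mod Value | Ask User",
    r"hkey_current_user\software\microsoft\windows\currentversion\internet settings | Security_RunActiveXControls | None | Mod Value | Ask User",
    r"hkey_local_machine\system\currentcontrolset\control\lsa | * | Value | Mod Key, Mod Value | Ask User",
    # constructed from post 24: the value may not exist yet, the rule still applies
    r"hkey_local_machine\system\currentcontrolset\control\session manager\memorymanagement | EnforceWriteProtection | None | Mod Value | Ask User",
]
RULES = [parse_rule(line) for line in RULE_LINES]


def key_matches(rule_key: str, key: str) -> bool:
    key = key.lower()
    if rule_key.endswith("*"):              # 'ranges*' covers ranges, ranges\range1, ...
        return key.startswith(rule_key[:-1])
    return key == rule_key


def decide(key: str, value: str, event: str, rules=RULES):
    """Return the action of the first rule covering this registry event, else None.
    There is no check that the value already exists, so a rule naming a specific
    value fires on its creation as well (the point made in post 24)."""
    for r in rules:
        if (key_matches(r.key, key) and (r.value == "*" or r.value == value.lower())
                and event.lower() in r.events):
            return r.action
    return None


if __name__ == "__main__":
    ie = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    print(decide(ie, "Security_RunActiveXControls", "Mod Value"))  # Ask User
    print(decide(ie, "ProxyServer", "Mod Value"))                  # None: proxy items were dropped in post 14
```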
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: RegRun Entries

    Tony, Thanx a lot for your list!! It's comprehensive and I managed to tighten it up a bit. Great :)
     