#1

In Ewido 4, Build 172, it writes to the startup registry every 5 seconds...as has already been discussed in another thread. Please, Ewido Developers, change this practice. It is driving other security programs NUTS that monitor and/or log entries into the RUN registry keys. RegDefend for example is getting 17280 logging entries per day from this tactic. Other security programs keep checking to see if the 5 second rewrite is new or possibly malicious.

#2

Yes, I agree.
Maybe we could have the option whether to allow these writes or not?

#3

I'd like to see it corrected as well...

#4

I think any software monitoring the registry ought to be able to ignore certain user-specified activity (i.e. have a white list), as well as activity that doesn't result in any real changes... And of course, logging ought to be optional, not mandatory. I don't use RegDefend, but can't you create a rule in it to allow ewido to write/delete its Run value, and not log it?
The funny thing is that if you disable ewido's option to run at start up, it tries deleting its Run value every 5 seconds... In any event, I would be somewhat annoyed if they added a registry SSDT hook to ewido, just to satisfy this gripe (which is really due to deficiencies in other software).
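
Post #4's idea of a monitor that disregards registry activity which changes nothing, sketched as an added example (not code from any poster, ewido or RegDefend): it replays a constructed day of Run-key events and separates real changes from no-op rewrites and no-op deletes. The event tuple layout, `ExampleValue`, `other.exe` and the data strings are assumptions made up for the sample.

```python
# Added example: collapse no-op Run-key writes/deletes in a monitor's event stream.
# Events are (second, process, op, value_name, data); all sample values are constructed.
from collections import Counter


def replay(events, initial=None):
    """Replay events against a model of the Run key.

    Returns (changes, noops): the events that actually altered the key, and a
    Counter of suppressed no-op events keyed by (process, op, value_name).
    """
    state = dict(initial or {})
    changes, noops = [], Counter()
    for sec, proc, op, name, data in events:
        before = state.get(name)
        if op == "set":
            after = data
        elif op == "delete":
            after = None
        else:
            raise ValueError(f"unknown op: {op!r}")
        if after == before:
            # Rewrite of identical data, or delete of an absent value: nothing changed.
            noops[(proc, op, name)] += 1
            continue
        if after is None:
            del state[name]
        else:
            state[name] = after
        changes.append((sec, proc, op, name, before, after))
    return changes, noops


def constructed_day():
    """Constructed sample: one rewrite every 5 s for 24 h, plus one foreign write."""
    good = r"C:\Example\app.exe /startup"  # placeholder data, not ewido's real value
    events = [(s, "ewido.exe", "set", "ExampleValue", good)
              for s in range(0, 86400, 5)]
    # A different process changes the value once, mid-day (constructed).
    events.append((43202, "other.exe", "set", "ExampleValue", r"C:\Temp\x.exe"))
    return sorted(events)


if __name__ == "__main__":
    changes, noops = replay(constructed_day())
    for c in changes:
        print("CHANGE", c)
    print("suppressed:", dict(noops))
```

On the constructed day this leaves 3 change records (the initial write, the foreign write, and the rewrite that restores the value) against 17278 suppressed rewrites.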

#5

It's new for me. Will the registry write/delete happen even if you are using it on-demand, not running all the time?
__________________
MalwareDefender / CFP, GesWall, KeyScrambler Transition to Ubuntu with NO SECURITY SOFTWARE however VirtualBox is a great fun. I am waiting for a pop up HIPS for Ubuntu!

#6

Quote:
I'm using RegDefend but I think I cannot disable the log for a specific software (here EWIDO). What I can do is disable the logging for any software that sets a value to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run**

@aigle Yes, but only when you open Ewido for scanning. The registry writes will stop when you exit the program from the system tray.

#7

There are numerous security programs that provide protection and logging of the Startup registries....AdAware, SSM, SpySweeper, CounterSpy and on and on. This ewido technique of continuously rewriting the startup key is unique to ewido. It is not a deficiency in the other security programs that they do not have an option to allow ignoring specific programs that want to write in the Startup registry area or the Startup folder in Programs list. Personally I have never encountered a program of any type that does this continuous rewriting.
It's a totally inadequate method of providing "self protection" because all that has to be done by a malicious program is to kill ewido in memory and then remove its startup registry key.

#8

Quote:

#9

It stops registry writes as soon as you exit ewido even if guard.exe is active. It's ewido.exe that writes into the registry.

#10

Thanks.

#11

This seems to be a bug; it shouldn't rewrite it every time. It should only check if it is set, and if the setting in the startup entries is not identical with the settings chosen by the user, it should be written.
I'm sorry. We'll correct it asap. BR
__________________
AVG Development Team AVG Technologies

#12

Any progress on fixing and issuing pgm update for this annoying bug?

#13

Me too, I uninstalled until it's fixed. BTW, it isn't 5 second rewrites for me, it's nonstop registry parsing and writing.
Use regmon at sysinternals.com and you can see how much it's churning away.

#14

OK, here goes, I'll try one more time.
I wonder what the outcome will be. I had these spikes shortly after ewido 4 was public. But they are gone.....and didn't come back. In my sig you can see what's running realtime on this box. In the attachment you see ewido running and doing a scheduled scan (registry and memory). In the next attachment you see ewido running and doing an update. Darn: again I can't upload a .gif
Gerard

#15

And screenshot 2 (the first not being nice)

#16

As a result of the registry rewrite issue, I have terminated realtime scanning and no longer have Ewido start with Windows. I am using TH for realtime. As soon as this registry issue is corrected, I will reverse those roles.

#17

Any luck in correcting these issues and releasing an ewido update in the foreseeable future?

#18

Can you explain and tell me where to look where ewido does this rewriting, so I can check my computer too?
Thanks
robin

#19

It shows up by using Ghost Security's RegDefend which guards the Startup RUN registry key. The logger of RegDefend logs an entry every 5 seconds.
You can also view the file access activity of ewido by installing and running FileMon from SysInternals. http://www.sysinternals.com/Utilities/Filemon.html

#20

Does it use up memory or does it use up space?
And when is ewido going to fix this?
robin

#21

Quote:
Quote:
That was my question too

#22

It will be fixed within the next release of the binaries. It is already fixed in the code actually but we need some more fixes and we have to figure out another problem first.
Regards, Vinzenz
__________________
AVG Development Team AVG Technologies

#23

Does that mean you will send out an update for this fix in all versions of 4.0? Because I have the pro version of 4.00.172 plus.
Or will you put it in a new version that we will have to download and install over it? And how soon do you think this will be?
robin

#24

Quote:
You will probably get the update through automatic update. You don't need to re-install it using the new setup file.

#25

Quote:
Quote:
Regards, Vinzenz
__________________
AVG Development Team AVG Technologies