Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for all of the suggestions guys. I will give SSM a try and see what happens.

    I agree that Registry Watcher has a very nice approach, but I decided on Prevx (sorry about the previous typo) because it appeared to have additional functions besides registry monitoring and they seemed to be very useful. Correct me if I am wrong.

    If you guys had a choice between Process Guard 3.0 and SSM for additional registry and program protection, would it be a toss-up or do you have specific reasons to choose one or the other? On my system, PG 2.5 was slightly more stable than SSM (current full-release version) but neither was as stable as the other programs in my system tray at this time, which is why I decided to uninstall both until the next full releases. What have you guys been experiencing? I sort of like it now that my system has pretty good protection and isn't crashing from the protection software.

    Just for the fun of it, I am trialing NOD32 as a backup AV scan for KAV, though I doubt it will be necessary. I may be getting bored now that everything is so stable. :)

    Cya,
    Rich
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There is a lot of overlap between the two but also significant differences. Process Guard is more "set it and forget it", requiring little involvement after the initial configuration - but you need to remember to check its logs if any problems arise with installing (or running) new software. Its settings are somewhat simplified in this vein (you can allow a program to install any driver or no drivers at all - you cannot limit it to a specific driver, which has raised an issue about svchost.exe, which does do driver installation for third parties).

    SSM prompts you for everything - you essentially (constantly at first, sporadically thereafter) create its rules by answering popups. It offers a finer degree of control (you can specify that application X is allowed to run program Z but that application Y is blocked from doing so) including being able to limit driver installation to specific drivers only. However this makes it more difficult to use on a shared computer (it does offer a restricted user mode where prompts cannot be answered - but you need to spend time defining what is then to be allowed). The plugins (registry, service, IE settings) are useful in that they give more information on program activities which can help you decide whether a program is benign or not - but other software can also cover their function if you use PG.

    Process Guard's main role is that of process protection - SSM's is program control. SSM can provide a good degree of process protection by intercepting terminate, debug or DLL injection attempts - but it cannot cover all the bases like PG can. PG on the other hand cannot offer SSM's level of control over program actions.

    For simplicity and unattended use I would suggest Process Guard. For control and program activity monitoring I would advise SSM. For paranoids and control freaks :D I would recommend both. :)
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Paranoid,

    Thanks for the detailed explanation. I think I will try both out and see which one works better. If I buy both, it will not be because I am Paranoid, it will be because I am bored with tooooo much stability on my system. :)


    Thanks again,
    Rich
     
  4. nillr2

    nillr2 Guest

    Wrong. The true paranoids run SSM+Processguard+PrevX
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    nillr2, You forgot Abtrusion Protector :D

    Pilli
     
  6. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Sorry if this was asked before; does Prevx and Tea Timer do basically the same thing? If you had a choice of one of these, which one would it be?

    I have Spywareblaster, Spywareguard, Ad-Aware, SpyBot, BOClean, Win Patrol, NAV2005, ZA free and I will probably get PG 3.0 when it comes out. Am I pretty well covered? I'm running XP with SP2. :cool:
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Ad-watch, Teatimer, Regrun, Winpatrol, RegProt, RegWatcher - all are pollers, meaning they repeatedly read and check the registry every x seconds. They do not block the change of the registry in the first place, they only undo the detected change if you choose so. The questionable marketing/GUI of these applications tends to oversimplify the explanation of the working method, making the false statement that the application "blocks changes".
    BUT Process Guard protects a few selected registry keys in a completely different way: it blocks any changes from happening in the first place by being in between the user applications and the registry. That is what we call "real time". BTW it is the primary reason for PG being present in the Registry Monitor list. DiamondCS already developed the framework for this kind of registry protection for PG - yes, they said so. I hope it is only a question of time until they release a full featured registry protection application.
    As for Prevx - I don't know. For all I know it could as well block the changes in the first place, or it could be a poller. Anyone with specific technical information is welcome. It is easy to check: Sysinternals Registry Monitor shows repeating registry reads for every poller.

    -hojtsy-
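hojtsy's check (a poller shows up in Sysinternals Registry Monitor as the same process re-reading the same key at a fixed interval) can be automated over a captured trace. The script below is an added example, not code from the thread, from Sysinternals or from any tool named here. It groups read-side operations by (process, key), collapses each open/enumerate/close burst into one access, and flags processes whose accesses recur at a near-constant interval. The trace format (seconds, process, operation, path, tab-separated) and the sample lines are constructed simplifications of a Regmon export; adjust parse_trace() to the columns of your actual export.

```python
"""Find polling registry monitors in a registry-activity trace (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Read-side operations that a poller issues on every pass. SetValue and
# DeleteValue are deliberately excluded: we want to see who *watches* a key.
ACCESS_OPS = {"OpenKey", "QueryValue", "EnumerateValue", "CloseKey"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample trace: poller.exe re-reads the Run key every ~5 s,
# explorer.exe reads it once at logon, installer.exe reads then writes it once.
SAMPLE_TRACE = "\n".join([
    f"0.00\tpoller.exe\tOpenKey\t{RUN_KEY}",
    f"0.01\tpoller.exe\tEnumerateValue\t{RUN_KEY}",
    f"0.01\tpoller.exe\tCloseKey\t{RUN_KEY}",
    f"2.30\texplorer.exe\tQueryValue\t{RUN_KEY}",
    f"5.02\tpoller.exe\tOpenKey\t{RUN_KEY}",
    f"5.03\tpoller.exe\tEnumerateValue\t{RUN_KEY}",
    f"5.03\tpoller.exe\tCloseKey\t{RUN_KEY}",
    f"10.00\tpoller.exe\tOpenKey\t{RUN_KEY}",
    f"10.01\tpoller.exe\tEnumerateValue\t{RUN_KEY}",
    f"10.01\tpoller.exe\tCloseKey\t{RUN_KEY}",
    f"12.40\tinstaller.exe\tOpenKey\t{RUN_KEY}",
    f"12.41\tinstaller.exe\tQueryValue\t{RUN_KEY}",
    f"12.42\tinstaller.exe\tSetValue\t{RUN_KEY}\\MyApp",
    f"12.43\tinstaller.exe\tCloseKey\t{RUN_KEY}",
    f"14.98\tpoller.exe\tOpenKey\t{RUN_KEY}",
    f"14.99\tpoller.exe\tEnumerateValue\t{RUN_KEY}",
    f"14.99\tpoller.exe\tCloseKey\t{RUN_KEY}",
    f"20.01\tpoller.exe\tOpenKey\t{RUN_KEY}",
    f"20.02\tpoller.exe\tEnumerateValue\t{RUN_KEY}",
    f"20.02\tpoller.exe\tCloseKey\t{RUN_KEY}",
])


def parse_trace(text):
    """Parse tab-separated lines into (time, process, operation, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, proc, op, path = line.split("\t", 3)
        records.append((float(time_s), proc, op, path))
    return records


def collapse_bursts(times, burst=0.5):
    """Treat accesses closer together than `burst` seconds as one poll pass."""
    accesses = []
    for t in sorted(times):
        if not accesses or t - accesses[-1] > burst:
            accesses.append(t)
    return accesses


def find_pollers(records, min_accesses=3, max_jitter=0.2):
    """Return {(process, key): mean_interval} for targets read on a steady cadence.

    A target counts as polled when it is accessed at least `min_accesses` times
    and the gaps between accesses vary by no more than `max_jitter` of their mean.
    """
    by_target = defaultdict(list)
    for t, proc, op, path in records:
        if op in ACCESS_OPS:
            by_target[(proc, path)].append(t)
    pollers = {}
    for target, times in by_target.items():
        accesses = collapse_bursts(times)
        if len(accesses) < min_accesses:
            continue
        gaps = [later - earlier for earlier, later in zip(accesses, accesses[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            pollers[target] = round(mean(gaps), 2)
    return pollers


if __name__ == "__main__":
    for (proc, key), interval in find_pollers(parse_trace(SAMPLE_TRACE)).items():
        print(f"{proc} polls {key} every ~{interval:.1f} s")
```

Run against the sample, only poller.exe is reported (at roughly 5 seconds); the one-off reads by explorer.exe and installer.exe are left alone. A real-time hook such as the one hojtsy attributes to Process Guard would not appear in this list at all, since it never has to read the key to learn that it changed.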
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If DiamondCS makes a Registry Guard (whatever they decide to call it), I will buy it.

    (not RegProt, I mean a configurable Registry Guard that would include all these keys by default and allow others)
     
    Last edited: Oct 25, 2004
  9. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    How about Regrun with the blacklist in block all mode? That would count as being able to block certain registry changes, without needing to prompt the user first.

    So far I've seen it work well to auto-protect these registry keys:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
     
  10. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The incorrectly called "block" here is actually only an "auto-undo" or "unconditional undo". Pollers detect the registry change only after it was successfully made and completed by the malware, and then they attempt to undo it. Let me explain the weakness of this concept. A malware could be implemented in a way that it
    1) modifies the registry, inserting itself into some autostart location, and removing defensive apps from autostart
    2) immediately reboots/crashes the machine
    3) next boot happens with malware happily running without your defensive apps

    What can pollers do here? They either
    1) don't even notice the change during the short time period left until reboot, or
    2) pop up the user dialog, but the already running shutdown closes it altogether, so the user has only 0,01 second to observe the dialog before it closes. :D

    Maybe I was clear why I think pollers are weak. On the other hand, if the user needs to press "allow" for the change to enter into the registry in the first place, rebooting would not help the malware in anything.

    -hojtsy-
     
  11. Billr2

    Billr2 Guest

    Actually I did consider that, but it conflicts too much with the others, especially Prevx.

    You could have a case that the other 3 - SSM, processguard, and Prevx cover different areas.
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Bill,

    I've been experimenting with SSM and Prevx on my machine just to see what is being covered by each program. SSM covers the initial execution while Prevx covers the file management. I guess each kind of "backs up" the other against a clever virus. Process Guard would protect the program once it is running. At some point it is overkill - I guess. I'll just continue to run the setup and see if I get a better feel of the balance between the "nuisance factor" and the "security factor" as time goes on.

    Rich
     
  13. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I agree rich. There has been and I am sure there will be the fact of losing convenience to gain security. Sure there's a way for your system to be safe...don't use any removable media or connect to any network and if you want to be extra secure don't turn it on. But seriously one thing's for sure is that as many people are on the net not one of them can say they are untouchable. There will always be a zero day threat that may get them.

    This is a great thread.

    Thanks,

    Chris
     
  14. bill2r

    bill2r Guest

    My thoughts exactly. Abtrusion Protector overlaps with PrevX a little.

    With SSM, PrevX, Process Guard, plus the usual PFW, router, antitrojan, AV, maybe realtime antispy scan, you only covered the basics.

    Probably to be safe, you also need 2 backup scanners for each of the above categories of scanners in case anything slips by one of your scanners, a fingerprinting tool to ensure that nothing is altered without your permission (for cases where you install stuff and turn off Prevx). Then there is the privacy stuff, for cleaning, anonymity browsing, spam filtering. Lots of other stuff I'm missing probably.

    Hardening your OS, specific special tweaks to your system..... etc
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    WHAT IF a polling registry monitor were set up as follows...

    1) Scans very frequently -- say once in every 5 seconds
    2) Upon detecting any change to a monitored registry item, the monitor IMMEDIATELY deletes that change, then holds a copy of it in memory
    3) Monitor asks user if change is acceptable
    4) If user says "Yes" then monitor reinstates the change.

    Granted, malware could still slip in between scan intervals, but it would have to be bloody fast, right?
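bellgamin's four-step design above, and hojtsy's reboot objection in post 10, can both be tried out in a simulation. The code below is an added example, not code from RegWatcher, SSM, Regrun or any other tool in this thread. A dict stands in for the monitored autostart key (the key path and the baseline "OneDrive" value are constructed sample data), a sorted event list stands in for wall-clock time, and the decide callback stands in for the user answering the prompt. The monitor snapshots the key, polls every `interval` seconds, and on any difference immediately restores the original, asks, and reinstates the change only on "Yes". The three scenarios at the end show the change being caught, the change being approved, and the write-then-reboot race that lands inside one polling interval and is never seen.

```python
"""Simulated polling registry monitor with undo-then-ask (added example)."""

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # constructed sample key


class PollingMonitor:
    """Snapshot-and-compare monitor, the design the thread calls a 'poller'."""

    def __init__(self, registry, keys, interval, decide):
        self.registry = registry      # dict: key path -> {value name: data}
        self.keys = keys
        self.interval = interval      # seconds between polls
        self.decide = decide          # callback(key, name, old, new) -> bool
        # Step 1 prerequisite: remember what each monitored key looked like.
        self.baseline = {k: dict(registry.get(k, {})) for k in keys}
        self.alerts = []              # (time, key, name, old, new, allowed)

    def poll(self, now):
        """One pass: diff each key against its baseline, undo, ask, maybe redo."""
        for key in self.keys:
            current = self.registry.setdefault(key, {})
            before = self.baseline[key]
            for name in sorted(set(before) | set(current)):
                old, new = before.get(name), current.get(name)
                if old == new:
                    continue
                # Step 2: put the original back first; the attempted change
                # survives only in the local variable `new`.
                if old is None:
                    del current[name]
                else:
                    current[name] = old
                # Steps 3 and 4: ask, and reinstate only on approval. An
                # approved change becomes the new baseline so it is not
                # re-prompted on the next pass.
                allowed = self.decide(key, name, old, new)
                if allowed:
                    if new is None:
                        current.pop(name, None)
                        before.pop(name, None)
                    else:
                        current[name] = new
                        before[name] = new
                self.alerts.append((now, key, name, old, new, allowed))


def simulate(events, interval, decide, end_time=20.0):
    """Replay events against a monitor polling at t = 0, interval, 2*interval...

    events: (time, "set", key, name, data) or (time, "reboot").
    Returns (registry, monitor). A reboot ends the run: whatever the key holds
    at that instant is what would autostart next boot.
    """
    registry = {RUN_KEY: {"OneDrive": r"C:\Users\me\OneDrive.exe"}}  # constructed
    monitor = PollingMonitor(registry, [RUN_KEY], interval, decide)
    polls = [(k * interval, "poll") for k in range(int(end_time // interval) + 1)]
    # sorted() is stable, so a poll scheduled at the same instant as a write
    # runs before it, which is the worst case for the monitor.
    for event in sorted(polls + list(events), key=lambda e: e[0]):
        time, kind = event[0], event[1]
        if kind == "poll":
            monitor.poll(time)
        elif kind == "set":
            _, _, key, name, data = event
            registry.setdefault(key, {})[name] = data
        elif kind == "reboot":
            break
    return registry, monitor


def deny_all(key, name, old, new):
    return False


def allow_all(key, name, old, new):
    return True


EVIL = (3.0, "set", RUN_KEY, "updater", r"C:\Temp\evil.exe")  # constructed


def scenario_caught():
    """Write at t=3, poll at t=5 undoes it, user says No."""
    reg, mon = simulate([EVIL], 5.0, deny_all)
    return "updater" in reg[RUN_KEY], len(mon.alerts)


def scenario_approved():
    """Same write, user says Yes: reinstated once, never asked again."""
    reg, mon = simulate([EVIL], 5.0, allow_all)
    return "updater" in reg[RUN_KEY], len(mon.alerts)


def scenario_reboot_race():
    """Write at t=3, reboot at t=3.5: the t=5 poll never happens."""
    reg, mon = simulate([EVIL, (3.5, "reboot")], 5.0, deny_all)
    return "updater" in reg[RUN_KEY], len(mon.alerts)


if __name__ == "__main__":
    for name in ("scenario_caught", "scenario_approved", "scenario_reboot_race"):
        present, alerts = globals()[name]()
        print(f"{name}: entry persists={present}, alerts raised={alerts}")
```

Shortening the interval narrows the window but never closes it: in the last scenario any write followed by a reboot inside `interval` seconds survives with zero alerts, which is hojtsy's point, while the first two scenarios show bellgamin's undo-then-ask design working as intended when the machine stays up long enough for the next pass.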
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    that would have been perfect bellgamin, where is the link :D
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    Ya, it ben one dodgosted fine dream, yah? :cool:

    IF it's a *good idea* I can only hope that one of the registry monitors will adopt it. I already submitted it as a suggestion to the author of Registry Watcher. Maybe some day.......
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    System Safety Monitor does this currently - it polls every 7 seconds (you can alter this) and can either alert only or "block and alert" (i.e. undo the change but restore it if you permit it later on). This is set on a key-by-key basis (so only the most critical keys have changes blocked).

    The downside, as Hojtsy has indicated, is that sophisticated malware can keep a process running in memory (though SSM would give you the option to block this from starting) which can monitor and restore its registry entries - and if it only has to guard a single key that gives it a performance edge over registry monitors that have to cover dozens... :(
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I am a licenced user of Regrun Gold and Process Guard. I tried SSM quite a lot now and I hated the BSOD I was getting. Now with those progs I mentioned I feel quite secure, but like you and bellgamin said, it is after the changes that Regrun alerts. It would be better to block it, and whether I admit it would be a setting. And some exclusion options would make Regrun a topnotch thingie.

    thanx for your input paranoid2000, maybe after all I will try it again (ssm) only for reg prot... I am thinking bout it.


    cheers
     
  20. I have just put up a new improved version of RegWatcher on my website ( http://www.jacobsm.com/index.htm#sft )

    It still polls (every 5 seconds by default) but it automatically restores the original when a change is detected, and asks whether you want to allow the change to happen, instead of offering to restore the original, as per your suggestion. This seems to work really well.

    I have also allowed the refresh interval to be adjustable between 2 and 600 seconds. I have introduced a message window, so you can copy and paste the history of alerts and missing keys. I also corrected a couple of minor bugs and irritations.

    I have tested everything thoroughly. Try it, and let me know what you think.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    Wow!!! It works like a dream. VERY light on resources, and super easy to configure. I would pay $$ for this superb program, but (amazingly) it is still free.

    Another great feature is that Registry Watcher now comes pre-configured to monitor hojtsy's full list of recommended registry items. As before, it can be added to or deleted from very very easily. Excellent!

    Thank you very much to ***Graphic Equaliser*** & welcome to Wilders.:D
     
    Last edited: Oct 30, 2004
  22. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, Graphic. :) I've been using the old version for a while and it worked great too. Thanks for your efforts. :D
     
  23. May I just say what a great thread this is, and that the ideas in it are what have made the watcher what it is. Thanks everyone for your input, and keep it coming (but not too fast!).
     
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Graphic - One note I would like to add. There does seem to be some type of conflict between your RegWatcher and DCS's TDS-3 (Anti-Trojan). Every time I start TDS-3, Regwatcher closes. It's not really that big a problem for me since I use TDS-3 sparingly. Just thought I would let you know. I should also probably let the DCS folks know too.

    Thanks again. :)
     
  25. Question 1 for Daisey :-
    In the new version of RegWatcher, I intercept any request to close the program with a confirmation question. Does this question appear? Or does it just disappear from the system tray when TDS-3 is started?

    Question 2 for everyone :-
    On my PC at home, I have entries in the following keys which I am not sure of. Has anyone else got these entries? I am running Windows XP Pro SP1 with latest updates (not SP2 itself, but some SP2 updates have been applied from windowsupdate.com).

    1 Values for hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks :-
    {AEB6717E-7E19-11d0-97EE-00C04FD91972})

    4 Values for hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload :-
    PostBootReminder) {7849596a-48ea-486e-8937-a2a3009f31a9}
    CDBurn) {fbeb8a05-beee-4442-804e-409d6c4515e9}
    WebCheck) {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    SysTray) {35CEC8A3-2BE6-11D2-8773-92E220524153}

    2 Values for hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler :-
    {438755C2-A8BA-11D1-B96B-00A0C90312E1}) Browseui preloader
    {8C7461EF-2B13-11d2-BE35-3078302C2030}) Component Categories cache daemon

    Regards
    Graphic
     