MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Cassy

    Cassy Registered Member

    Joined:
    Jan 8, 2010
    Posts:
    6
    Thanks!

    Whatever I end up doing on my other 2 machines, at least I'll think carefully about un-exempting it on my Asus!

    Thanks again.
    C.
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    %system%acovcnt.exe was put in the exemptions list because I have an Asus laptop and it must have been irritating me with alerts! If you don't have an Asus, then you can safely remove it from the exempt keys and filespecs list. You can also remove %bootdrv%mjutq.bat since this was for a utility program that no longer uses the root directory for temporary storage.

    P.S. Thanks Han for "holding the fort" while I dawdled, thinking this thread had become "dead".
     
  3. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    The lack of questions may be due to the reliability of the program. I still run it all the time in Accept mode as a monitor, but I haven't had any issues for a long time. Stay subscribed to this topic, Mark. :D
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You must be running mjrw in accept mode. Change to prompt mode and mjrw will undo registry changes before prompting you something changed. In the case of files being added to the system, the prompt allows you to quarantine the files. When a registry change is accepted, it is re-applied to the key.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Mature: It's a great program. Very "tweakable". If you decide to move to Prompt mode, keep in mind that if some items that are safe bother you too often, you can exempt them.

    Also, something to keep in mind on Prompt mode is Windows/Microsoft Update. I would advise going into Accept mode at least temporarily when doing this. It will prevent you from accidentally messing up the updates (lots of things change and Reg Watcher may alert on many of the changes.)

GE: You're welcome! :)
     
  6. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The problem with undoing file system changes has been discussed before. It would require too great a resource usage in order to protect any changes that may befall, for example, the windows system directory. One would have to store copies of all ~2,000 files (many larger than a megabyte) when mjrw started up. This would twonk your system at every startup. Even doing CRCs would put heavy strain on the system at startup. I have calculated on my "lean and mean" system, mjrw is protecting over 364 MBytes of files in the windows\system32 directory alone! How long does it take to copy 2,000 files occupying that much space on your system!?! As it stands, mjrw does pick up any changes to the file system in the directories you specify in the keys and filespecs list, and can quarantine additions, but it cannot undo changes at byte level to system files, and it cannot put back deleted files or directories. The HIPS you mention must hook into the file system at a lower level than mjrw, in order to pre-empt every single file read/write access in the system. I should imagine that such a solution would slow down the PC to some extent, something which mjrw manages to avoid doing!
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Mature: Registry Watcher is GE's baby. I'm just a big fan of his app.

    I will say that I like Registry Watcher as is. Don't really want it to be something different than it is. It provides much better protection than might initially meet the eye...
     
  8. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Me too!
     
  9. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    To establish pre-emptive file monitoring, where changes are reported before being effected, I would have to write a "Ring 0" device driver (sys file) that redirects kernel32.dll calls for file operations to my routines, which would then hand on to the original routines in the kernel. This is definitely beyond the remit of MJRW. As it stands, MJRW can sit with other anti-malware software and usually co-operates fairly well, because it doesn't do anything too deep to the system when it runs. This would no longer be the case if I were to implement your ideas, and MJRW would have to be manually exempted from the likes of KAV, NAV or whatever else may be running. Do you know of a product (free or chargeable) which allows you to protect a directory or set of files, and prompts you before changes are made to them, as to whether to allow those changes or not?
     
  10. Mark 2010

    Mark 2010 Registered Member

    Joined:
    Jan 27, 2010
    Posts:
    3
    MJ Registry Watcher new automatic functionality

    hi...
After using this great program, I would like to ask if it would be possible to add an automatic network shared dir option?

Recently I have found several virus/malware that keep "popping" from the network shares ...

I have put in some of them MJ Watcher but it becomes a bit awkward to edit and add all the network share directories that are available in different machines...

My idea (if possible): add "automagically" the shared directories to be monitored by MJ Watcher...

    Thanks for a light and great software to protect the system ...
     
  11. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Re: MJ Registry Watcher new automatic functionality

    I am not sure what you mean by "Network Share". Can you show me what you mean by "I have put in some of them MJ Watcher"? Did you put "them" in exemptions or the keys lists? TIA,
     
  12. Mark 2010

    Mark 2010 Registered Member

    Joined:
    Jan 27, 2010
    Posts:
    3
    Short answer : yes.
I have added "manually" the local directories that I "know" and need to have a share...
    I have found recently that some malware/virus simply write themselves in any available network share and stays dormant until someone starts it.

Although they were not active it is becoming a bit annoying to have several network shares with several exes (depending on variants of the malware) that could be simply stopped by a small warning ... :)

I do not know where in the registry I can find the full list of available network shares, but if MJ Registry simply monitored the request of such an action in a network share that would be great.
    It seems that the malware exploit some \PIPE\srvsvc bug or something.... :(

    Nowadays I have MJ Registry watching the *.exes in those network shares ...
    So far so good... :)

    Thanks in advance ...
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    You can get a complete list of network shares by issuing a "net view" command at a DOS prompt. I am not sure what you want me to do with this list. I could not protect all files on all directories and subdirectories discovered on these shares, and some I won't have rights to access, so what do you want me to do with this list?
     
  14. Mark 2010

    Mark 2010 Registered Member

    Joined:
    Jan 27, 2010
    Posts:
    3
    Sorry for the delay in answering ...
The idea could be some kind of warning (pop up info or logging) reporting any new entry in the "network shares", for instance giving the name of the file being created, timestamp, remote machine, remote user ...
The idea of a log file of the new files being created would be great ...

In practice, to avoid lots of file overhead (checking all shared files would be a daunting CPU task), only the new files (after starting the MJR program) would be monitored.

To avoid even more CPU use, a default filter like "*.exe" could also be used, to keep the CPU low.


Another idea would be the ability to "stop" and/or ignore the writing of the new file in the "network share" ...

    So the idea would be warning the user that somewhere (?) inside his own shares a new EXE file has appeared ...
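Mark's proposal above (watch only files that appear after startup, filter on "*.exe", log the name and timestamp, optionally remove the file) and GE's earlier point about the cost of hashing every protected file at startup can both be seen in a small snapshot-and-compare monitor. The block below is an added example in Python, not MJRW's code: it baselines the files matching a filespec under a watched root, re-scans, reports additions, modifications and deletions, and moves additions to a quarantine folder. The sample share it builds in a temporary directory, and the file names in it, are constructed for the demo.

```python
# Snapshot-and-compare file monitor with a filespec filter and quarantine.
# Added illustration, not MJRW's code: baseline the files matching a filespec
# under a watched root, re-scan, report what appeared/changed/vanished, and move
# additions to a quarantine folder.  demo() builds a constructed sample tree.
import fnmatch
import hashlib
import os
import shutil
import tempfile
import time


def scan(root, filespec="*", hash_content=False):
    """Map each matching file (path relative to root, '/'-separated) to
    (size, mtime) or (size, mtime, sha256).  Hashing catches byte-level edits
    that keep size and timestamp, at the cost of reading every file, which is
    the startup cost GE describes for a large system directory or share."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatch(name.lower(), filespec.lower()):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                entry = [st.st_size, int(st.st_mtime)]
                if hash_content:
                    h = hashlib.sha256()
                    with open(full, "rb") as f:
                        for chunk in iter(lambda: f.read(1 << 16), b""):
                            h.update(chunk)
                    entry.append(h.hexdigest())
            except OSError:
                continue  # vanished mid-scan, or no access rights (common on shares)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = tuple(entry)
    return snap


def diff(old, new):
    """Classify paths into added / removed / modified between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def report_lines(changes, snap):
    """Log lines in the shape Mark asks for: what happened, where, and when."""
    lines = []
    for kind in ("added", "modified", "removed"):
        for rel in changes[kind]:
            when = "-"
            if rel in snap:  # removed files have no current mtime to show
                when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(snap[rel][1]))
            lines.append(f"{kind.upper():8} {rel} mtime={when}")
    return lines


def quarantine(root, relpaths, qdir):
    """Move newly appeared files out of the watched tree; returns what moved."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for rel in relpaths:
        src = os.path.join(root, *rel.split("/"))
        dst = os.path.join(qdir, rel.replace("/", "_"))
        shutil.move(src, dst)
        moved.append(rel)
    return moved


def demo():
    """Constructed scenario: baseline a fake share, then drop, edit, delete."""
    root = tempfile.mkdtemp(prefix="share_")
    qdir = tempfile.mkdtemp(prefix="quarantine_")
    try:
        os.makedirs(os.path.join(root, "tools"))
        sample = {"old.exe": b"MZ-old", "tools/helper.exe": b"MZ-helper",
                  "readme.txt": b"not watched"}
        for rel, data in sample.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        baseline = scan(root, "*.exe", hash_content=True)
        # a new executable appears, an existing one is altered (same size, so
        # only the hash notices), and another is removed
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ-new")
        with open(os.path.join(root, "tools", "helper.exe"), "wb") as f:
            f.write(b"MZ-hacked")
        os.remove(os.path.join(root, "old.exe"))
        current = scan(root, "*.exe", hash_content=True)
        changes = diff(baseline, current)
        moved = quarantine(root, changes["added"], qdir)
        return changes, report_lines(changes, current), moved
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(qdir, ignore_errors=True)


if __name__ == "__main__":
    result, lines, moved = demo()
    print("\n".join(lines))
    print("quarantined:", moved)
```

Running the block once with `hash_content=False` and once with `True` on a real directory shows the trade-off in the thread: the size-and-mtime snapshot is cheap enough to take at every startup, while the hashed one is what it takes to catch a byte-level edit that preserves size and timestamp. Over a slow network share the `os.stat` and read calls are exactly where the waiting GE mentions accumulates.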
     
  15. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Nah! That's not going to work. If you have massive network shares (and plenty of places do) then hunting all of them for creation anywhere of any type of file (let alone .exe's) even after MJRW has loaded, is going to cripple the light resource usage we are all used to. Network shares also take some time to wake up if they're not in the local PC's cache which means more waiting around for OS rights checking. I don't think I'll be implementing any of your ideas. Thanks anyway. Regards,
     
  16. Sorry to resurrect this thread, but I have a question re the registry watcher...

    I don't know much about the internal aspects of Windows, but as far as I know, a Windows driver must create an entry in a certain registry area in order to load properly. Could MJ Registry Watcher be set to intercept this, and therefore block the loading of drivers without the user's permission, or would that be ineffective? Can applications load drivers in current Windows versions while completely bypassing the registry?
     
  17. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Sorry if I am repeating the question. Does this program run on Windows 7 32 bit?
     
  18. Okay... So I installed MJRegWatcher and ran some tests using ARK tools that I know load drivers.

    - GMER: driver blocked!
    - Rootkit Revealer: driver blocked!
    - Radix: driver blocked! (Radix scanned merrily along anyway, turning up a screen full of nothing - no results at all, good or bad. Presumably because it wasn't actually working. Which I guess proves that Radix is buggy.)

    And just for kicks...

- Samurai (the obsolete hardening tool): registry changes were intercepted, but Samurai was unfortunately able to install its hook. Not sure how to prevent this, looks like that maybe can't be done via the registry? Damn Windows' crazy complexity.

    Finally: the three finger salute. I attempted to kill RegWatcher in the Task Manager... And unfortunately, it died without putting up a fight.

    The upshot? This thing won't intercept other hooks (I don't think anyway), so it's strictly a complement to other security apps - but it *can* prevent driver loading. Maybe a good complement to an AV that's weak against rootkits and trojans? HOWEVER, it has no self protection at all, which means that anything running on the same privilege level can and probably will kill it.

    Not sure what I ought to suggest regarding this. Self protection would be nice, but might be bloaty, or just unmanageable in userspace. At any rate, MJRegWatcher is pretty nice for what it is, despite the fact that it probably wouldn't hold up for a second against a real rootkit.
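The check behind the question in post 16 and the tests above (a driver has to be registered under the Services key before it can be loaded, so a new driver entry appearing there is something a registry watcher can see) can be illustrated as a diff between two registry snapshots. The block below is an added example in Python, not MJRW's code. It parses two simplified `.reg`-style exports and reports newly added services whose Type value marks a kernel or file-system driver; real snapshots would come from `reg export` of `HKLM\SYSTEM\CurrentControlSet\Services`, while the two texts embedded here (including the `demodrv` and `demosvc` entries) are constructed for the demo and show string values as plain quoted strings rather than the hex(2) byte lists a real export uses.

```python
# Detect newly registered driver services by comparing two registry snapshots.
# Added illustration, not MJRW's code.  The snapshots are constructed,
# simplified .reg-style exports of the Services key.

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# "Type" values that mark a driver rather than a user-mode service
DRIVER_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}
# "Start" values: when the service control manager loads the entry
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="System32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"""

# constructed "after" snapshot: one new driver and one new user-mode service
AFTER_REG = BEFORE_REG + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\demodrv]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\Windows\\System32\\drivers\\demodrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\demosvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Demo\\demosvc.exe"
"""


def parse_reg(text):
    """Parse a .reg-style export into {key path: {value name: value}}.
    Handles dword: and plain quoted string values; anything else is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        value = value.strip()
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = value  # e.g. hex(2): data, left unparsed
    return keys


def new_driver_services(before, after):
    """Service keys present in `after` but not `before` whose Type is a driver."""
    findings = []
    for key in sorted(set(after) - set(before)):
        if not key.startswith(SERVICES_KEY + "\\"):
            continue
        vals = after[key]
        if vals.get("Type") not in DRIVER_TYPES:
            continue
        findings.append({
            "service": key[len(SERVICES_KEY) + 1:],
            "type": DRIVER_TYPES[vals["Type"]],
            "start": START_NAMES.get(vals.get("Start"), "unknown"),
            "image": vals.get("ImagePath", ""),
        })
    return findings


if __name__ == "__main__":
    for f in new_driver_services(parse_reg(BEFORE_REG), parse_reg(AFTER_REG)):
        print(f"NEW DRIVER {f['service']}: {f['type']}, start={f['start']}, "
              f"image={f['image']}")
```

The diff only surfaces the `demodrv` entry, not the user-mode `demosvc`, because the Type value is what distinguishes a driver registration from an ordinary service. Acting on such a finding before the driver actually loads is the part this snapshot approach does not give you by itself; as GE says in the thread, MJRW reverts the key in prompt mode rather than hooking the load, and the Samurai test above shows what a registry-only view does not cover.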
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
@Gullible Jones, agree with you man:) that is why i stopped using all these programs and i am starting to use behaviour blockers:D and defensewall:thumb:
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    @sg09 - Yes, it should run fine under Windows 7. It would have to run with Admin privilege and, to run at startup under a non-admin user, instructions are the same as for Vista (use the task scheduler to launch MJRW with administrator rights and set it to run at log on).

    @Gullible Jones and jmonge - I have looked into protecting MJRW from being shut down, and there is no easy way of doing it under Windows. MJRW cannot intercept programs that try to install hooks. Hooks are notoriously unstable in Windows, usually because they are not properly programmed by the hook writer. There are other tools that spot whether your system is being mucked around at this level (eg. SanityCheck at https://www.wilderssecurity.com/showthread.php?t=228297). MJRW is designed to be simple and light on the system. I will be considering methods for prevention of shutting it down, but I don't feel pressure on this since most trojans have never heard of MJRW, so they won't look for it in the task list to close it!
     
  21. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thank you Graphic Equaliser ..:)
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks Graphic Equaliser :)
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    i will give it another try now this time with trojans only:) good program:thumb:
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    A new version (1.2.7.1) of MJRW is available at http://www.jacobsm.com/mjsoft.htm#rgwtchr - it has the following changes :-

    Changes 1.2.6.9 to 1.2.7.1
    1) Devised a watchdog process which ensures MJRW is difficult to terminate with a process manager (like Windows Task Manager). The process is called arwwdwin.exe and resides in the same installation directory as MJRW. It is invisible when it is launched by MJRW. MJRW and arwwdwin.exe ensure that each other are running at all times, and only a PC restart/shutdown/logoff or a manual exit of MJRW can stop both processes.
    2) Commented out Internet Cookies key from all key sets.

    Enjoy!
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
thanks a lot GE;)
     