Please Weigh in on Registry Protection!

Hello Reader-

I would like to think that most of you have some sort of protection against changes made to your registry. I am talking about "resident", real time blocking of important system file changes. While I am not up on all the terminology, key players and product comparisons I can say that they are valuable not only for protection but to keep you informed of what your programs are doing behind the scene.

I am looking for a good one. I am not all that hard to please, but here are a couple of things I have not liked about the ones i've used.

The notification area is so small that as often as not the name of the object you are being warned is changing got truncated so far from the end that you don't even see the last couple levels of the ojects name.

The notification is a moving notice, demanding you to look now or take your chances because it will automatically hide itself.

Either do not remember your previous answer or don't even ask to remember a particular change.

Are worded in such a way as to make it unclear if you are being told X is proposing to replace Y, or it is an attemp to change the value X to the value Y.

Insist on notifying you of every single operation that goes on no matter how small.

Only give you X microseconds to decide before it decides for you.

Notify you of something, but you would need a phd in computer science to know what.

Soooooooo, any ideas?



- HandsOff

 

Hi HandsOff,

For me, I am very pleased with the combination of RegRun and RegDefend. One feature of RegRun that may suit you is that it has adjustable security settings. The highest security setting can drive you crazy with alerts, the medium setting is fairly quiet but secure. RegRun, like most registry monitors is a poller, meaning that it periodically scans for and spots changes after they are made and offers you the ability to undo. The risk to that method is that malware could, for example, make the changes, kill the registry monitor, and reboot your system. RegDefend proactively protects the registry by requiring permissions for processes to access the registry.

Nick

 

Thanks Nick!, as usual, some good information from you.

I appears I may have been a little to critcle of registry protectors, it's just possible that I may have even sounded a bit hard to please after all!

The thing is, I don't like being confronted by my ignorance all of the time, and so many of these programs erode my confidence by asking me to make yes and no decisions that appear to be of criticle importance...and I have no clue what the alert is about.

Anyway, I decided to try DCS RegistryProt. It is free. It is efficient. It is powerful. Just by reading their overview I got that it is NOT a polling monitor. It hooks into key spots in the registry? I don't understand the method but i do understand the superiority of the method (if it does what it says it does). See, I have become an expert on the subject.


Ooops, i click on post and not upload so i am adding this comment and will just say that to me all I get are glipses visual basic shell, NAME = ...what does that mean? something about script....only it seems to me there are entries of a similar format in ASViewer....so i am guessing something is being placed in autostart....It must be reporting itself?


- HandsOff

For some reason I really really like DCS Programs. ASViewer, and RegistryProt 2.0 are both alike in that they give more compete information than the others but who knows what they mean?

Please, if you could spare the time to look at this one you can see what I mean.

 

see what I mean. This is what I have seen in ASViewer (auto start viewer) also by DCS. I know something...but what?


- HandsOff

 

Hi HandsOff,

In case you missed it, hojtsy maintains a definitive registry monitor comparison here: Registry Monitor comparison. I used DCS Registry Prot for quite a while but eventually settled with RegRun because of its wider coverage.

Nick

 

I have the same entries in ASViewer. They associate files with script extensions (.js, vbs, or .wsf) to wscript.exe (Microsoft Windows Script Technologies). They are autostarts in the sense that if you double-click a script file, wscript.exe is then executed.

Nick

 

Hey Nick,

well as a matter of fact I did miss it! I suppose it is a good idea to list those file associations. I have read that sometimes malware can associate itself with other programs this way. My problem is that since I don't really know the syntax of the assignment and the names of the legitamite files I doubt I would actually spot anything there unless it called itself "fileassociationofdeathanddestruction" which they actually might considering some of the names they do use.

At first I thought coverage was important, i will take a look, but i might be shifting my emphasis. The polling vs. non-polling seems important, even from a resource conservation standpoint.

One time I tried processguard (DCS) trial but it seemed to complicated. However, just supposing one grabbed the free 1-process version and tied it to RegProt. That would seem like a strong protection. A strong, free protection. Do you think it would be worthwile to give PG another look?


-HandsOff

 

Hi HandsOff,

If I were forced to run only one security app, it would be PG. The execution protection available in the free version alone makes it worth using. Another option for you might be combining PG free with Ad-Aware's Ad-Watch, which monitors parts of the registry as well.

Nick

 

Hi Nick,

You know, I really did like adwatch part of Ad-Aware. It was my first experience with this type of protection and back in those days it made me favor Ad-Aware over spybots S&D.

That is an extremely strong endorsment for PG. Malware seems to be getting extremely hard to detect. Certain software companies seem as though they want to give you just enough protection to survive for another few days, but DCS actually seems to be substantially adding to the control of the user. You see it in Port Explorer, Taskman, PG, APC...

I'm a little frustrated now because it is starting to look like I have been infiltrated by a trojan since about january. I happened to notice a file called iis6.log, which i think is a server process log for 2003 server. it says some stuff like

[3/6/2005 19:54:45] Initial thread locale=409
[3/6/2005 19:54:45] returned from France fix with locale 409
[3/6/2005 19:54:45] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
[3/6/2005 19:54:45] OC_INIT_COMPONENT:[iis,(null)] Start.
[3/6/2005 19:54:45] OC_INIT_COMPONENT:1/3/2005 20:41:31 ________ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: C:\WINDOWS\System32\Setup\iis.dll

i posted about it in the trojan forum, but my point is I have had a lot of security programs running, and i keep a close eye on my running processes but it just doesnt seem enough. There are tons of processes that appear legitimate. Anyway, i'm not sure what would have stopped it...maybe PG.

Always good to get your input. I'm going to have this computer locked down yet!


-HandsOff