RD blocking Online Armor

Hi folks,

how could I go about making a rule for Online Armor? RD has blocked it on it's own. See screen shot.

Thanks for any help.

 

Ah Rilla - well you did ask about auto-blocking in another thread and now I think you've got your answer.

Auto-blocking is a nuisance because you only find out about it when you look at the log; then you must manually create an application rule.

To do that click configure, then click 'Application Rules' in the left hand pane. Now in 'Group Name' (at the top of RH pane) you type Online Armor (or whatever the prog involved is called). In 'Filename' you must give the full file path of OA (I don't know what that is, but you will find it in your RD log). Finally click the Add Group button to create the OA (or whatever) group.

Now you must click the Add Rule button, which brings up a box into which you insert the rule involved, namely HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

In the Value section I would leave a *.

Click to add the rule, then select it in the main pane and below you will see a section in which you click to allow 'Set Value' to be selected (if it later transpires that you need to allow it to delete values and delete and modify keys then allow that as well).

This all happened because OA was trying to do things at an early stage of boot-up and RD could not pop a box up at you. Whether it is desirable to have Reg protection from both RD and OA (if that is what you are doing) I will leave for someone more knowledgeable than me to answer.

 

Thanks Topper!

I know I asked before, but didn't quite get it, sorry

The part that confuses me is knowing what key to allow such as create key, modify key, read key, read value, etc.

Before when I asked I never made a rule for Adwatch because I uninstalled it. It's a little bit confusing but I will catch on.

In the Value section is there always supposed to be an * when you make a rule? If not, what else would be there?

Thanks for your help

 

from the online FAQ:

Advanced Wildcards

It is a well laid out FAQ Rilla and would be a good read IMHO.

Regards,
Bubba

 

Now, Bubba how would I know if the * was supposed to be there or not. That's why I asked.

I did go over the help file and it's Alien to me. Everyone doesn't perceive things the same way. That's why I posted.

 

In your specific example you could have inserted 'Common startup' as the Value on the Key. But since OA is a trusted app you might just as well allow it to set whatever values it likes. It may not want to set data to other values on this Key, but it will save you from being auto-blocked again if it does want to.

 

That's why I offered the FAQ which explains what the * is for

Appologies....I assumed the graph Jason made concerning the wildcard * would be straight forward enough

I'll give it a go using pretty much one of the same examples in the Help file.

Let's say you wanted to protect the String\Binary\DWORD values in the GhostSecuritySuite key but was not interested in protecting any keys found under the GhostSecuritySuite key....the versions key in the pic below. You would place an * wildcard after the name GhostSecuritySuite as part of the Key section of your rule. It will then protect any values pertaining to that key but will not protect any of it's sub keys....the versions key in this example.

"When used in registry keys it will only match to until a backslash (\) is
found."

What one will see if they are looking at a registry entry via regedit:

• HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite....We are interested in protecting this keys String\Binary\DWORD values only.
• HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite\versions....it will not protect the versions key because it is after the backslash (\)

 

I'm extremely sorry Rilla, but I think I may have caused some confusion with my previous post.

The trouble is I'm using my own Ruleset rather than the Tony one, in my case I am indeed protecting all values on that Key by use of a wildcard, and therefore it might be sensible for me to create an applicaton rule using a '*'

But I've suddenly realised that the Tony rules may be different. If you look at the appropriate rule in your Global Registry Rules and find that it is only protecting the 'Common startup' value, then you should put that in your application rule instead of '*'.

If you used the * in that case you would just log events that were not even protected against!

So have a look for the rule and if it is only protecting 'Common startup', that is what you should put in your app rule. Just have it set values too.

Appologies for my brain lapse, however what Bubba says about the wilcards is correct in any case.

 

No, Bubba you're fine. The help file I looked at had a black background and it was very hard to read and like I said even though reading it the majority of it I still didn't understand it. Sometimes I can read something ten times and not get it and the eleventh time a light bulb goes off. Don't ask me, it's weird.

Oh, okay! I wasn't aware that it only protects the key up to the backslash. I wish I had the level of knowledge you guys have with this program.

Thanks Bubba that did help me

 

No biggie! Topper, I was confused from the start with RD. The only thing I can do is laugh at it and learn.

Are you talking about the "current version run" key(s) under Auto Starts which is under Global Registry Rules? I hope I understood that correctly. Let me know if this is correct. If it is I can give you a screen shot.

Ya, remember I said I didn't get but one alert after I installed it but RD said 140. That was puzzling to me.

Your allowed, we all have them from time to time

 

You just need to search for

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

and, if you aren't sure what Group it is in, the simplest way is to click Configure then click the 'Key' heading of the list in the main pane. That will put everything into alphabetical order so you can scroll down to it.

As I say, I have a strong suspicion your ruleset will only be protecting the 'Common startup' value and so that is what you should put in your rule.

 

Topper here is a screen shot.

 

Ah yes, so by the use of wildcards a single rule is covering both these Keys:-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders

And both these values:- Common Startup, Startup

That is very odd, because 'Startup' only appears in the HKCU version of these keys, while 'Common Startup' appears in the HKLM version. So to be logical the rule you have highlighted should only refer to Common Startup and not *Startup.

Only Tony Klein could explain why this is, but it could be an error. If it is, then it is a very unimportant one since you are still protected either way.

If you had received a pop-up from RD and clicked to allow always, then the app rule created would be as follows:-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\*Shell folders *Startup

If you prefer you can use that in your App Rule, or you can use the Key/Value as they appear in RD's log. The choice is yours, either will work.

 

Topper what do you suggest? The other key may have been from me authorizing a program, no.

Rilla927

 

If by "other key" you are meaning of the Global Registry Rules shown in your pic....those will only show as new additions if the user manually added an entry or the Tony rules have been updated.

If you authorize a program(via an Allow\Block alert) to add the entry....it will show up in the Application Rules section either as a new program entry or as an addition to a program entry that is known to RD by that exact Group Name.

Rilla would mind doing me a favor and upload a copy of your Tony.gsr file as an attachment to a post Please.

As you may know you will have to change the .gsr extension to one of the extensions we except like .txt.

Thanks,
Bubba

 

Hi Bubba,

You want a copy of the .gsr file that is in Ghost Security folder from program files, correct?

 

Am I assuming correctly that you are still using Tony's rules ?

If so....it will be the Tony.gsr file that I was wanting to take a look at Please.

 

Agreed....they are top notch but it can be added to and\or modified. It's that possible modification\additions which I was wanting to peak at

 

Okay! Here ya go.

 

Peter I accidentally clicked on alert from RD and blocked OA. I have never used this program before. I needed help to make a permanent rule for OA.

 

Rita,

While I do not see any earth shattering problems with the 16 additional Application Rules you have made....I do see certain items of interest. According to how you really feel with some of these additions you have made will determine what could be suggested.

Some for instances regarding certain block rules created for certain programs. The below items will come into play when uninstalling the programs or when you attempt to disable\enable them in regards to running on startup.

For instance....if you ever uninstall QuickTime or Online Armor....their associated Run entry will forever remain in the Run key.

HKLM\Software\Microsoft\Windows\Currentversion\Run**

• quicktimefullinstaller.exe DELETE VALUE
• qtplugininstaller.exe DELETE VALUE
• qttask.exe SET VALUE
• quicktimeupdatehelper.exe SET VALUE
• oasrv.exe DELETE VALUE
• ctfmon.exe DELETE VALUE

If I had to make a suggestion @ this moment in time it would be to shutdown RegDefend and remove the present Tony.gsr file. I would then re-download the present Tony.gsr file if you don't have it already saved and then place it in the proper folder location. I would then suggest you start RD and re-enable the Tony rules. At that point in time ask in this thread as many questions as you feel is necessary until the comfort level of having RD enabled reaches a point that that light bulb goes off

HTH,
Bubba

 

When I installed Quicktime it always wants to run on start up that's why I blocked it. Should I just disable RD when I install/uninstall a program? I probably should have stopped it from starting up straight from the program itself instead of RD?

I gather, you mean none of these values belong under this key.

Yes, I kept the original copy of Tony's ruleset. Will the programs that are not in TK's ruleset be auto blocked or ask user? I thought it was ask user. Now, I thought I remember if I exit the ghost icon in system tray you don't get alerts from RD therefore they will be auto blocked, correct?

Since you suggested reinstalling RD, it would probably be a good idea for me to open all my programs that are not in TK's rules in order to make permanent rules for them so they don't get blocked in any way by auto block.

Bubba thanks a lot, I do appreciate your help in more ways than you know

 

There was nothing wrong with your choice. You are the one in control and whether you use the selection in QT or RD....is immaterial because either way the RUN registry entry does not get added.

I personally can't answer with Yes\No to something that needs to be your decision. I will say that is a very good way to not only learn about RD and how it reacts to registry additions but to some degree certain aspects of a programs install/uninstall routine. That in itself helps with your understanding and keeping in control of what's going on.

So there is no mis-understanding on my part with what you mean and so that you do have the latest Tony.gsr file....you will always find the latest file in this post until such time that that ruleset becomes the RDstandard.

You are correct....it is Ask User.

Correct

My pleasure