RegDefend Wishlist / New Features / Suggestions

Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Feb 18, 2005.

  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I am thinking of implementing a "global option" to watch keys for NULLs. All other characters will show up as certain things and be visible in most editors.

    Also, only * and ? will be supported as wildcards.
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jason,
    Thanks for the reply to clear that up

    How will we represent arbitrary characters in the pattern?
    The most obvious not easily typable one being a NULL (which would be potentially covered by the option for a global rule)
    Other obvious ones that are potentially hard to type into a dialog box like carriage return or linefeed or ^H (backspace)

    I can most easily envisage a use for rules like this when targeting specific malware with specific definitions

    Thanks
     
  3. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Does that also mean it could watch for keys without nulls? In other words, could I block any attempt to add a key that contains the word "180solutions" anywhere in the registry? So instead of watching just a particular registry location for ANY change, it will also block a particular registry entry in ANY location? That would be great!
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    I'd like to see better handling of rundll32 as mentioned in this thread (for regdefend) and at least a few comments from the process guard thread on the same topic also apply

I'm not sure if services.exe also needs to be treated as a special case from a registry point of view, or even if it can be, as that might need an integrated ProcessGuard + RegDefend pair so that the process interacting with services.exe is identified.... Care to comment, Jason?

    jimmytop,
    That would indeed be one of the reasons to allow wildcards, but...
    You need to take into account the overheads that you will get when you have a number of patterns defined, and also the fact that if everyone does this then the pattern you are looking for will be changed by the company being targeted...

    Wildcards are more useful when you are targeting specific entries for one or more users and/or the location in the tree is not fixed to specific values.
    With a wildcard you get a simple pattern that is easy to maintain and hopefully have a comment against (as suggested previously) to make the ruleset easier to understand (and debug if issues arise)

    Jason hasn't stated what scope each wildcard character will be able to cover, so we don't know what it would mean if we specified
    HKEY_LOCAL_MACHINE\SOFTWARE\*\*69equations*
    Would this mean that any number of sub-key levels under SOFTWARE would be checked, or just one?

    It would of course be very useful to be able to specify both cases, when we have specific sub-keys that change then we just want * to match a sub-key, for generic catch-all patterns we want something that doesn't require tight specifications...

    We don't know which of the set below would match the expression above
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\69equations\fred\aa a REG_DWORD with value 1
    HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\69equations a REG_SZ with value "macrosoft"
    HKEY_LOCAL_MACHINE\SOFTWARE\mircosoft\borednow\69equations a REG_SZ with value "macrosoft"
    HKEY_LOCAL_MACHINE\SOFTWARE\fred\nerk\{NULL}69equations\hideme a REG_DWORD with value 48494445
    HKEY_LOCAL_MACHINE\SOFTWARE\sparky\init a REG_SZ with value "69equations"
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I need to add a way to specify "just this one specific subkey" as you mentioned. Probably another wildcard will handle that. At the moment it would apply to all subdirectories if the last character was a "*"
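Added example (not from the thread and not RegDefend's own code): a small Python matcher that applies the pattern from gottadoit's post above to the five sample keys under both readings of `*`, the single-level one the post asks about and the all-subkeys one Jason describes, and renders untypable characters the way the post spells them (`{NULL}`). The regex translation, the `{CR}`/`{LF}`/`{BS}` spellings and the extension to `?` are assumptions made here, not RegDefend's actual rule syntax.

```python
import re

# Constructed sample keys, copied from the list in the post above.  The key
# written "{NULL}69equations" in the post is spelled here with a real NUL
# character so the matcher sees the same bytes a kernel hook would.
SAMPLE_KEYS = [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\69equations\\fred\\aa",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\mircosoft\\69equations",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\mircosoft\\borednow\\69equations",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\fred\\nerk\\\x0069equations\\hideme",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\sparky\\init",
]
PATTERN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\*\\*69equations*"


def pattern_to_regex(pattern, star_spans_levels):
    """Translate a pattern that uses only * and ? into an anchored regex.

    star_spans_levels=False: * and ? stay inside one subkey level (they never
    match a backslash).  star_spans_levels=True: * may cross subkey levels.
    Key names are compared case-insensitively, as the registry does.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*" if star_spans_levels else "[^\\\\]*")
        elif ch == "?":
            parts.append("." if star_spans_levels else "[^\\\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern, key, star_spans_levels):
    return pattern_to_regex(pattern, star_spans_levels).match(key) is not None


def matching_keys(pattern, keys, star_spans_levels):
    """Return the keys the pattern would cover under the chosen semantics."""
    return [k for k in keys if matches(pattern, k, star_spans_levels)]


# Names for characters that cannot be typed into a dialog box.  The {NULL}
# spelling follows the post above; the other three are assumed here.
_UNTYPABLE = {"\x00": "{NULL}", "\r": "{CR}", "\n": "{LF}", "\x08": "{BS}"}


def display_name(key):
    """Render a key path so every untypable character is visible in an alert."""
    return "".join(
        _UNTYPABLE.get(c, c if c.isprintable() else "{0x%02X}" % ord(c))
        for c in key
    )


if __name__ == "__main__":
    for spans in (False, True):
        print("* spans subkey levels:", spans)
        for k in matching_keys(PATTERN, SAMPLE_KEYS, spans):
            print("   ", display_name(k))
```

Run as-is, the single-level reading matches only `mircosoft\69equations`; the all-subkeys reading also picks up `mircosoft\borednow\69equations` and the `{NULL}`-prefixed key under `fred\nerk`. Neither reading matches the first sample, because the pattern demands at least one subkey between SOFTWARE and the `69equations` name, nor the last, whose `69equations` lives in value data rather than the key path.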
     
  6. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Assigning different data to a value must surely be considered a registry modification. However, if a program refreshes a value every minute by repeatedly writing the same data to it, that doesn't really modify anything. Currently, RD will issue an alert on each inconsequential refresh.

    I've had no persistent problems, but even one alert can be vexing. Today, RD told me that services.exe was trying to change HKLM\...policies\disablecad. Since I didn't do it, I wanted to know the who/what/why of any spontaneous change in security policy. I still don't know why it happened, but after switching computers and researching the internet I discovered that the "modification" was just "refreshing" the policy already in place (require Ctrl-Alt-Delete before login).

    Since a consistent user complaint about registry monitors is the unwanted and/or confusing alerts, I think there should, at least, be an option to "ignore modifications that result in no change". With or without that option, I'd be in favor of changing the default behavior.

    Thanks
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    That is a good point. I might apply that to some registry values like DWORDs, etc. Doing it on strings would increase the resource cost but I still need to test it.
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jason,
    Please make it an optional global (on or off globally) with the ability to switch it on or off for particular keys/applications

    An unwanted alert might be annoying, but I want to be able to know if an app is dumb enough to set registry values once a minute with the same value. If you make the global default not show unchanged values, then you have it working well out of the box with the ability for customisation.

    As I mentioned earlier it would be good to have a trigger for non-monitored keys so that we could generate an alert if something is rapidly overwriting the contents of a key (as some trojans already do in order to keep their changes in place in spite of polling registry monitors...)

    The other thing that would be good would be to order the text in the alert box so it can be read "like a story", at the moment I could read the text aloud and it wouldn't make sense to a listener until after I got to the end.

    That would save us from having to look up and down at the alert box to see what the actual alert means, this part of the interface should really make things so plain they are really obvious and almost jump out of the screen

    NB: That is a common sense, "is it well written" test, that I was exposed to by an IT technical writer about 10 years ago; not that it really helped me all that much because I'm not exactly a prolific documentation producer...
     
    Last edited: Mar 23, 2005
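Added example (not from the thread and not RegDefend's own code) covering the two requests in earth1's post and gottadoit's reply above: suppress alerts for writes that leave the stored data unchanged, with a global default that individual values can override, and still raise an alert when one value is being rewritten rapidly, changed or not. The event format, the burst thresholds, the process names and the key paths are all constructed for this example.

```python
from collections import deque


class AlertPolicy:
    """Decide whether a registry write deserves an alert.

    ignore_unchanged    global default for writes whose data equals what is
                        already stored (the option proposed above)
    per_key_override    {"key\\value": bool} to switch that default on or off
                        for particular values (assumed interface)
    burst_count/window  alert when one value is rewritten burst_count times
                        within burst_window seconds, whether or not it changes
    """

    def __init__(self, ignore_unchanged=True, per_key_override=None,
                 burst_count=5, burst_window=10.0):
        self.ignore_unchanged = ignore_unchanged
        self.per_key_override = {k.lower(): v
                                 for k, v in (per_key_override or {}).items()}
        self.burst_count = burst_count
        self.burst_window = burst_window
        self._writes = {}  # lower-cased "key\value" -> deque of timestamps

    def decide(self, event):
        """event: dict with key, value, current, proposed, process, time."""
        target = (event["key"] + "\\" + event["value"]).lower()
        stamps = self._writes.setdefault(target, deque())
        stamps.append(event["time"])
        # Drop writes that have fallen out of the sliding window.
        while stamps and event["time"] - stamps[0] > self.burst_window:
            stamps.popleft()
        if len(stamps) >= self.burst_count:
            return "ALERT: rapid overwrite"
        # Data is compared as (type, payload) so a REG_SZ "1" never equals
        # a REG_DWORD 1.
        if event["current"] == event["proposed"]:
            if self.per_key_override.get(target, self.ignore_unchanged):
                return "SUPPRESS: no change"
            return "ALERT: unchanged write (per-key override)"
        return "ALERT: modification"


# Constructed event stream; key paths, processes and data are illustrative.
POLICY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HEARTBEAT_KEY = "HKCU\\Software\\SampleVendor\\Agent"


def sample_events():
    ev = []
    # services.exe refreshing an unchanged policy value once a minute.
    for t in (0, 60, 120):
        ev.append(dict(process="services.exe", key=POLICY_KEY, value="DisableCAD",
                       current=("REG_DWORD", 1), proposed=("REG_DWORD", 1), time=t))
    # A genuine change to the same value.
    ev.append(dict(process="explorer.exe", key=POLICY_KEY, value="DisableCAD",
                   current=("REG_DWORD", 1), proposed=("REG_DWORD", 0), time=130))
    # Something re-asserting a Run value once a second with identical data.
    for t in range(200, 206):
        ev.append(dict(process="sample.exe", key=RUN_KEY, value="Loader",
                       current=("REG_SZ", "C:\\sample\\loader.exe"),
                       proposed=("REG_SZ", "C:\\sample\\loader.exe"), time=t))
    # An unchanged write to a value the user chose to keep alerting on.
    ev.append(dict(process="agent.exe", key=HEARTBEAT_KEY, value="LastRun",
                   current=("REG_SZ", "ok"), proposed=("REG_SZ", "ok"), time=300))
    return ev


def run_sample():
    policy = AlertPolicy(ignore_unchanged=True,
                         per_key_override={HEARTBEAT_KEY + "\\LastRun": False})
    return [policy.decide(e) for e in sample_events()]


if __name__ == "__main__":
    for e, d in zip(sample_events(), run_sample()):
        print("t=%3d %-13s %-10s -> %s" % (e["time"], e["process"], e["value"], d))
```

The burst check runs before the no-change check on purpose: a value hammered with identical data is exactly the case the suppression option would otherwise hide, so the fifth write inside the window is reported even though its data is the same as the fourth.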
  9. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I guess that means you can't query the registry from inside a hook function's callback. Perhaps a separate process could relay the existing data to RD?

    IMHO, avoiding false positives and needless anxiety on the part of the user usually tends to trump resource issues. As a possible example of the cost, MJRW (on my system) reports using 168K of memory to save 1,691 registry values. I think it's reasonable to use 3%-5% more memory when enforcing an extensive set of rules. Preferable, at least, to making users decide whether RD is warning them of a real change or just interrupting them with a trick question that looks important. An additional benefit is that alerts will be able to show users both "before data" and "after data".

    BTW, today I've had three more RD alerts about services.exe "not changing" a value under HKLM...\system\policy. Nice to know MS is on the job! o_O
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Seeing as 1.2 isn't out yet, it would be really nice if the timestamp for the registry entry was shown (as is done in Sysinternals Rootkit Revealer)

    Pic available on the Rootkit Revealer page as you might expect
    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    It is potentially quite useful to know if the key involved was created recently or during the windows install... if getting the information is expensive then it could always be relegated to the display additional information option/button

    FWIW, the option I was asking about for frequently changed (or polled) registry values to be able to be alerted on has been touched on in the March 25th entry in a blog by Mark Russinovich (of Sysinternals fame), the blog is fairly new and ppl interested in regdefend may well be interested in the post

    Thanks
     
  11. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Jason, love the program! :D

    I read through the suggestions and I agree that you need a new/better icon.

    Contact Jairo Boudewyn (jairo[at]jairoboudewyn[dot]com)

    He is a talented iconist who designs beautiful freeware icons.

    Check out his work: http://weboso.deviantart.com/gallery/
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Next suggestion(s)

    #1 Provide a view that shows all of the groups "merged" together so we can see an overview of all the settings combined (with an extra column showing what group the setting is part of); and of course allow editing & group re-assignment in the overview/list mode

    #2 Display the comment for each Registry Key in the Alert


    • not everybody needs to be familiar with
    Code:
    Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run

    • the comment could make this intelligible and by putting it above the key name - the explanation would be the first thing read
    Code:
    Information: Auto Start programs that run for ALL Users during login
    Registry Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    #3 Create a "stealth" mode so that regdefend is not so easy to identify
    Stealthing for both the driver and user interface binary would be nice
    3 states should cater to different paranoia levels for most people


    • default to non-stealth
    • randomise driver name & chg file size
    • randomise driver name, UI name + change filesize and icons
    NB: If someone is using ProcessGuard (or similar) with RegDefend then the stealthing is probably more for peace of mind, but does make it a little harder to target...
     
  13. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Some good ideas there. I was planning on adding the information about a registry group/key in a future version since it would be helpful to people who aren't aware about the registry keys/values actual properties.
     
  14. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jason,
    To be perfectly honest I don't want to have to remember the esoterics of the Registry either.... I don't mind learning about it and have (or make a reference) to go with the alerts but I have enough other things to do and remember without having to clutter my memory with inconsequentials that I don't need very often

    It's nice to hear that you are going to add the information/comment field. I think it will expand the usability of the program a lot more than you might expect!!! It is just a small extension to your suggestion earlier in this thread in post 28 so you should take full credit for the idea.

    One thing I didn't suggest in the stealthing mode is to re-pack the executables and driver so simple signatures cannot be used to find the file on disk and maybe allow the files to go into the system32 dir so that they are anonymised... (not sure why this went missing for the earlier post, I typed it in at one point and must have deleted it when I reworded the post)

    Thanks

    NB: As briefly discussed in this thread on rundll32 and services.exe

    I'd really like to see rundll32.exe handled in a better way in a not too distant version, displaying the command line parameters is not *that* hard a thing to do after all... to do it properly and add them into the app side of things would take a bit more work but the first step should be quick and simple...

    services.exe also could do with better handling, but as you mentioned that is a much harder task to do properly; I'd like to see what compromise you eventually reach to provide information without getting it wrong too often...
    Personally I'd be happy with an extra button in the dialog that could provide an "educated best guess" as to what program caused services.exe to make the call and the driver name if you could get it
     
    Last edited: Apr 7, 2005
  15. rmetzger

    rmetzger Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    5
    Location:
    Worcester, MA, USA
    Hi,

    As a newbie to RD, I may be speaking out of ignorance, for which I am sorry.

    My suggestion is one based on experience with many end users who simply forget to do simple things, which in turn, crash installs and systems.

    Using programs like Ad-Watch and TeaTimer is great (though architecturally less effective than RD's techniques) but they have a flaw. When legitimate software, drivers, and patches are applied, updates to the registry are often needed. Failure to allow these changes can crash the OS, making the system a paperweight.

    When Windows Update takes place, RD, Ad-Watch, and TeaTimer should not be running, so as to allow the necessary changes to take place. The flaw is a User Interface issue, where the user must be reminded that the actions they are taking with reason need to complete without hindrance.

    My suggestion is:

    Offer other options, besides Allow/Block. Offer these:
    1) 'Suspend RegDefend for next 5 minutes' (put your own time in)
    2) 'Suspend RegDefend until next Reboot'
    3) 'Suspend RegDefend thru next Reboot + 5 minutes' (put your own time in)
    4) 'Suspend RegDefend thru next Reboot + 1 (more reboot)'
    5) 'Suspend RegDefend until manually enabled (reminded at reboot)'

    This would allow for legitimate software/hardware/hotfix changes to take place, but re-enable RD after an appropriate time. So, if the end user attempts to run Windows Update, during the installation phase a warning is issued that changes are attempted. A response can be, 'Yes, allow these changes, as they are intended, until . . .'

    Warnings can be issued regarding the 'Suspend' modes, as well as recommended/suggested/common uses of the 'Suspend' modes.

    examples:
    Method 1) Simple software installs
    Method 2) Complex software installs, hardware (driver) installs
    Method 3) Most Windows Updates, complex hardware (driver) installs
    Method 4) Windows Service Packs, followed by Windows Updates
    Method 5) Advanced Technician mode

    When the timeout has been exceeded, a warning message could be displayed reminding the user to Enable protection or continue suspended, until . . .

    This could be secured by a password to stop bots from having an ability to bypass RD. (Could even be like many 'registration systems' that produce several highly distorted characters, graphically, which the user needs to enter manually.) Anyway, it can be secured against simple bypass mechanisms.

    This improvement would allow me to recommend RegDefend to my customers, knowing that their forgetfulness is not likely to cause a dead system.

    The suspend message I suggested is open to debate, so please chime in with other methods. I only intend this to be a starter of ideas.


    By the way, I really like the idea of a 'report only' mode for RegDefend. This would allow investigative use of RegDefend to isolate malware changes. Couple this with VMware or VirtualPC, and you have a powerful means of researching what programs do and how to protect against them in the future.

    Anyway, just some ideas.

    Thanks
    Ron Metzger
     
    Last edited: Apr 8, 2005
  16. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    The suspend option isn't a bad one and the reminders wouldn't go astray

    Also a reference to the suggestion for highlighting rules that cannot be reached due to other rules with higher precedence, see thread

    And a reference to checking/verifying the RD group files to stop them being deleted or replaced (or added to) without some notification, see thread
     
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Allow more control on logging and acceptance of events :

    ie: another 2 option boxes ( 3 and 4 )
    1. When the following access occurs
    2. Perform this action
    3. Log this event
    4. Security

    Where "3" log this event allows

    [] Log to RD Logfile on Block
    [] Log to RD Logfile on access [ie: when there is an alert]
    [] Do not log event

    and

    [] visual alert in systray
    [] no visual alert in systray

    And "4" Security allows

    [] allow operator to decide on action
    [] require Human Interaction verification
    [] require admin password before allowing
    [] require H.I verification and admin password before allowing

    and also for when the GUI is not running

    [] block if action is "Ask" and UI is not running & Log the event
    [] allow ONCE if action is "Ask" and UI is not running & Log event & Alert when UI is next started (with HI verification)
    [] allow and ADD APO (permissions override) rule for this application to referenced keys [Learning mode of sorts] & Log the events and additions to the ruleset

    This would allow :


    • frequent events to be intentionally ignored without logging overhead
    • important events to make the tray icon red (or visibly different)
    • the logging of acceptance of important events
    • the really important keys to be locked away from change
    • and stop simple sendkeys attacks pressing the Allow button
    • an easy way to "learn" during shutdown/reboots to avoid hard to diagnose hanging/startup problems
    BTW:
    Version 1.2 has a much nicer feel to it or alternately I've just gotten used to it :)
    I'd still like to see the UI do more microsoft app like things (right click, copy and paste, the ability to rename and edit etc) but I'm willing to give it a try now
     
    Last edited: Apr 14, 2005
  18. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I would like to be able to right-click the icon in the system tray and enable/disable the protection.
     
  19. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    RegDefend only displays the first line of a REG_MULTI_SZ Value on the alert for Current and Proposed Value Data. This means only changes to the first line will be displayed in the alert, otherwise the Current and Proposed Value Data will be the same, which is not very useful.

    Please can you display more than the first line of a REG_MULTI_SZ on the alert. I would be happy if all lines were displayed on the same line in the alert, separated by a space (or some other separator character)
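Added example (not from the thread and not RegDefend's own code) for the REG_MULTI_SZ problem in the post above: it decodes the raw value data (UTF-16LE strings separated by NUL and terminated by a double NUL), shows why a first-line-only display makes "Current" and "Proposed" look identical, renders every line on one row with a separator as the post suggests, and lists exactly which lines differ. The sample value contents and the `" | "` separator are constructed for this example.

```python
def decode_multi_sz(raw):
    """Split raw REG_MULTI_SZ data (UTF-16LE, NUL between strings, double
    NUL at the end) into a list of strings."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]
    elif text.endswith("\x00"):  # tolerate data missing the final terminator
        text = text[:-1]
    return text.split("\x00") if text else []


def encode_multi_sz(lines):
    """Inverse of decode_multi_sz, used here to build the sample data."""
    return ("\x00".join(lines) + "\x00\x00").encode("utf-16-le")


def first_line_only(raw):
    """What the alert shows today: the data up to the first NUL."""
    lines = decode_multi_sz(raw)
    return lines[0] if lines else ""


def render_all(raw, sep=" | "):
    """What the post asks for: every line on one row with a separator."""
    return sep.join(decode_multi_sz(raw))


def changed_lines(current_raw, proposed_raw):
    """Return (line_number, old, new) for every line that differs; a missing
    line is reported as None so additions and removals are visible too."""
    cur, new = decode_multi_sz(current_raw), decode_multi_sz(proposed_raw)
    diffs = []
    for i in range(max(len(cur), len(new))):
        old_line = cur[i] if i < len(cur) else None
        new_line = new[i] if i < len(new) else None
        if old_line != new_line:
            diffs.append((i + 1, old_line, new_line))
    return diffs


# Constructed sample: a dependency-style list whose second entry is replaced
# and a third entry appended.  Only the first line is unchanged.
CURRENT = encode_multi_sz(["RpcSs", "Tcpip"])
PROPOSED = encode_multi_sz(["RpcSs", "Dnscache", "ExtraSvc"])

if __name__ == "__main__":
    print("first line only :", first_line_only(CURRENT), "->", first_line_only(PROPOSED))
    print("all lines       :", render_all(CURRENT), "->", render_all(PROPOSED))
    for n, old, new in changed_lines(CURRENT, PROPOSED):
        print("line %d: %r -> %r" % (n, old, new))
```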
     
  20. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Didn't see this suggestion (probably missed it)

    Can we have an 'Edit Rule' ability
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Likewise... :)

    I already posted this elsewhere, but I guess this is the appropriate place:

    Every time I launch IE, RD warns me that IE is trying to delete the (nonexisting) Googldcclient reg value in the HKCU Run key.

    Now I understand that if I allow it to always do that, that gives IE a "wild card" to in the future delete/modify ANY other reg value it chooses.

    I have a similar case every time I launch Copernic (another nonexistent run value to delete...) See screenshot.

    It would be really nice if in the future this could be fine-tuned so that one can allow a given application to edit/delete one or more specific reg values but nothing else.

    Also, support for 120 DPI settings would be nice. There seems to be an issue there: Look at the top screenshot: "Copernic Agent is trying to delete the following..." and then nothing.

    Not sure what else I'm missing there...

    And, like others, I'd welcome an option to temporarily disable RD.
     

    Attached Files:

    • New.gif (49.8 KB)
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Update: I'm happy to report that Gottadoit just explained to me the finer details of the "Application Permissions Override" principle in combination with the Groups sort order, and that does take care of that one! :D

    Excellent! :D
     
    Last edited: May 26, 2005
  23. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I had the Googledcclient one when launching IE and wasn't sure what to do, but allowed once, not all of the time. If this happens again, what is the best action to take, please? Sorry to post this in the wishlist :oops:
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Have a look here, where Gottadoit explains the groups sort order/APO principle...

    https://www.wilderssecurity.com/showthread.php?p=467275

    Create a new group called for example "AP Specific". This is then (following the alphabet) automatically placed on top, and rules created therein apparently therefore prevail over what's beneath...

    Here's a screenshot of my AP S group
     

    Attached Files:

    • APO.gif (33.6 KB)
    Last edited: May 26, 2005
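Added example (not from the thread and not RegDefend's own code) for the groups sort order / APO behaviour Tony describes above, and for gottadoit's earlier request to highlight rules that can never be reached because a higher-precedence rule always wins. It models groups applied in alphabetical order with first match winning, shows the "AP Specific" group allowing one application to touch one specific value while everything else under Run still asks, and finds a rule that a preceding rule pre-empts. Group names, application names, actions and the conservative subsumption test are assumptions of this example; the matching uses Python's fnmatch rather than RegDefend's real engine.

```python
import fnmatch
from collections import namedtuple

# A rule lives in a group; groups are applied in alphabetical order and the
# first matching rule decides (the behaviour described in the post above).
Rule = namedtuple("Rule", "group app key action")

GOOGLE_VALUE = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Googldcclient"
RUN_ANY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"


def sample_rules():
    """Constructed rule set; group names, apps and actions are illustrative."""
    return [
        Rule("Autostart", "*", RUN_ANY, "ask"),
        Rule("AP Specific", "iexplore.exe", GOOGLE_VALUE, "allow"),
        Rule("Zzz Leftover", "iexplore.exe", GOOGLE_VALUE, "block"),
    ]


def ordered(rules):
    # sorted() is stable, so rules keep their order inside a group.
    return sorted(rules, key=lambda r: r.group.lower())


def _glob(pattern, name):
    # fnmatch treats [ ] as a character class; registry names rarely use
    # them, but a production matcher would escape them.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def evaluate(rules, app, key):
    """First-match evaluation: the rule that decides this access, or None."""
    for rule in ordered(rules):
        if _glob(rule.app, app) and _glob(rule.key, key):
            return rule
    return None


def covers(general, specific):
    """True when everything `specific` matches, `general` matches as well.
    Conservative: exact when `specific` has no wildcards; otherwise only the
    catch-all "*" or an identical pattern counts, so nothing is reported
    unreachable unless it certainly is."""
    g, s = general.lower(), specific.lower()
    if not any(c in s for c in "*?"):
        return fnmatch.fnmatchcase(s, g)
    return g == "*" or g == s


def unreachable_rules(rules):
    """Rules that an earlier rule (in sort order) always pre-empts."""
    seq = ordered(rules)
    dead = []
    for i, later in enumerate(seq):
        if any(covers(e.app, later.app) and covers(e.key, later.key)
               for e in seq[:i]):
            dead.append(later)
    return dead


if __name__ == "__main__":
    rules = sample_rules()
    for app, key in (("iexplore.exe", GOOGLE_VALUE),
                     ("iexplore.exe", RUN_ANY[:-1] + "Other"),
                     ("notepad.exe", "HKLM\\SOFTWARE\\Other")):
        hit = evaluate(rules, app, key)
        print(app, key.rsplit("\\", 1)[-1], "->", hit.action if hit else "no rule")
    for r in unreachable_rules(rules):
        print("unreachable:", r)
```

With the sample set, "AP Specific" sorts ahead of "Autostart", so IE gets `allow` on the one Googldcclient value only; any other value under Run still falls through to the `ask` rule, and the "Zzz Leftover" block rule is reported as unreachable because the allow rule above it matches everything it could ever match.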
  25. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank you Tony - I made a mistake in my post - I blocked once not allowed in case it was something I needed.

    I will study your link and your screenshot as I am very keen to learn about the way RD works. Screenshots are very useful especially when I am in learning mode. ;)
     