Tony Klein's RD Standard .gsr file - Comments

Something I've just noticed:-

HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Explorer bars**

is protecting Create/Modify Key and Set/Delete Value; whilst

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Explorer bars**

is only protecting the Keys and not the Values.

Is this disparity intentional?


HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges\*

is similarly only protecting Keys; but both have a '*' in the Value column, which seems incongruous.

 

Nope, just an oversight... The keys should obviously be treated the same way.

Will correct it for the next update. Thanks for bringing it to my attention.

 

New file uploaded - some minor edits and additions

 

thanks tony

 

Thanks Tony, downloaded it and enabled the protection for the programs that I am running.

 

Hi Tony, I tried to get the file using the link
https://www.wilderssecurity.com/attachment.php?attachmentid=174705&d=1140202265
tony.zip
but it didn't work, (again). Is there something that I'm doing wrong?

Jim

 

Hi Jim,

You'll always find the latest file here:

https://www.wilderssecurity.com/showpost.php?p=676747&postcount=3

 

Yes! That's works, I guess somehow I had bookmarked the wrong link. I saved the Book mark and then used it and lo and behold, went right to the post.
Thanks so much Tony,
Jim

 

You're welcome, Jim - my pleasure.

 

Small update again, a few edits, lots of descriptions added

https://www.wilderssecurity.com/attachment.php?attachmentid=175690&d=1142189349

 

Thanks Tony, got it. Thanks for putting the date in the name of the zip file. It makes it easier to fugure out which file is the most recent.

 

You're very welcome. I had been getting a number of requests to do that.

 

New version uploaded again: added a SVCHost Network Connections apps group, plus a few edits

https://www.wilderssecurity.com/attachment.php?attachmentid=175729&d=1142271988

 

Pardon my ignorance but how should I install the new file ? If I delete the old one and replace it with the new, I shall lose all the rules I have added.Can I install over the old one ?

 

This new ruleset actually replaces the old one. It contains a relatively small number of additions and edits.

If you added your own rules to existing groups I'm afraid you'll again have to enter all of them to this new ruleset...

Rather than adding your rules to existing rules groups, it's much more practical to create a brand new group for them.
That way, when installing a updated ruleset, you can first export (back up) your personal rules group, replace the original ruleset by the more recent build, and finally again import your Personal Rules group back into the new set.

 

genus, like tony was saying, you can "backup" your app groups by exporting them, and then import them later, as needed..

to export an app group, highlight it by clicking on it, and then click "export group"..

 

Thank you Tony and Redwolfe - I (unhappily) understand where I did wrong...Oh well, the night is young and who needs to sleep ?

 

LOL, well, it'certainly is a familiar feeling, I can assure you...

 

Lower Filter ?

I was searching for what exactly was adoing the rule

HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\Upperfilter
Under driver / service category

but pretty much anywhere the upperfilter is in duo with lowerfilter
however lowerfilter isn't covered in the rules
is there any particular reason why ?

 

Re: Lower Filter ?

The UpperFilters value has been known to be "hacked" in order to help implement a keylogger by specifying a filter driver that intercepts I/O requests going to the keyboard driver.

here are a few examples:

http://www.symantec.com/avcenter/venc/data/spyware.actmon.html
http://www.symantec.com/avcenter/venc/data/spyware.invisiblekey.b.html

I happen to have neither a UpperFilters nor a LowerFilters value in that key myself, but all information I was able to find points to the UpperFilters value being key here

 

Re: Lower Filter ?

... all the same, we might consider using a wildcard as in "*filters". It can certainly not hurt.

 

Thank you for your quick answer.

I personnaly don't like having rule containing data in the form of
{4d36e96b-e325-11ce-bfc1-08002be10318}

From my understanding those are GUID and thus are more a form of unique number indentifying an object or something like that.

Some tools like Javacool ID Blaster are designed to change those random number no ? If so how can you be sure of it pointing to the rigth place ? How come something in the form of an unique number can be teh same acros all computer ?

Those garbage like number are really something that annoy me as i can't understand them.

 

Well, I'm afraid that's not something for us to decide... LOL
It's the way Windows works.

As you rightly remarked these GUIDS are unique identifiers identifying a particular object and as such they aren't able to change all by themselves.

For example, this HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318 ) registry key is present in all Windows XP systems. It represents the class of network adapter devices that the system supports, and the UpperFilters and LowerFilters values there are invariably the ones Windows checks for the presence of a filter driver.

 

It may be off topic but is there any reference list of such stadard GUID that come with winxp?

I'll go check MSDN, maybee there is something about those
However i'd prefer somthing more vulgarized

 

... incidentally, all ID-Blaster does is change the GUIDS for certain applications.

As for a reference list of ALL CLSIDs, I'm afraid there isn't one.

At CC we do maintain several Lists, among them for example a database of Toolbar and BHO CLSIDs, but that's obviously only a tiny part of waht's being used.

Googling a particular GUID will frequently help identify its nature, though.