Regdefend & Wildcard changes for Kent\Tony Files

Can anyone post tony's and Kent's rules with the wildcard changes already done to them. I see that a lot of people and myself have trouble with the changes. I don't know why a lot you mind sharing the files because I know for sure I have asked for them before and no one has dare to post them.

dja2k

 

Hi dja2k.

Here are some of my rules,i have not included all my rules/groups as some are specific to my PC.

--WARNING--

I've been collecting rules for ages (since before RD came out,i had a customizable reg poller) from the net,forums,tv,radio etc.etc,so i already had most Tony's/Kent's and who ever else posted in,but i did add a couple that i didn't have (Thanks guys ). I'm afraid i can't always give info on why a certain value should be protected,as i don't always save the web page or whatever for later reference.

SO USE WITH CAUTION... AND YES,YOU WILL GET A LOT OF ALERTS AS STATED BELOW.

I use RegDefend the same way as AppDefend/ProcessGuard... allow everything on your PC to do want they want/need (PROVIDED YOU KNOW YOUR PC IS CLEAN). After that,you should only get alerts for unusual/infreqent stuff or malware.

I have renamed the file to rdstandard-1 (just delete the .txt part) so as not to over-write your original - just incase,i have also disabled the non-default rules so you can re-enable them one at a time for testing.

Hope this helps mate

Let us know how you get on.

Any feedback is wellcome!!

--------------ONCE AGAIN,USE WITH CAUTION---------------

 

Thanks will try them out....

UPDATE #1:
Replaced the original with your file after I backed up the original. Enabled all of the disabled options and so far working fine. Will post back if I get an error or conflict with your ruleset file.

UPDATE #2:

One thing though, I was having some trouble with my winsock file ws2_32.dll crashing and what I noticed with this list and having regrun registry tracer is that when regdefend is active with all your groups on, I get a prompt from regrun saying that some paremeters were deleted in winsock2 and to accept or not. Well after that I accepted, so they got deleted. Now if I disable regdefend, I get a popup again from regrun saying that the paremeters got added back and well I can do that process over and over and they get added and deleted again after enabling and disabling regdefend. Is that normal?

dja2k

 

Well nevermind the above posts since I am about to do a clean install of windows and using a different approach to security using your way of thinking. I am always up to a different idea to test.

So you say you use this ghost list in regdefend like others use the appdefend/processguard approach? Well if that is true, you don't run appdefend nor processguard right? What else do you run along side your regefend with your custom list if I may ask? I have been mixing and matching a lot of HIPS and other security programs for the past year and now I am ready to give up on that again and just use a minimum way of security and with what I have seen, a good antivirus, a good HIPS program, and regdefend with your list is about enough. Also I might have over done it on hardening my system with what everyone uses here, but don't know if any of those programs conflicts with your ghost list? And yes I understand to install everything first, then install regdefend with your custom list last to avoid popups and installation problems.

dja2k

 

Hi dja2k.

Sorry mate,i forgot to mention about Tay's 'Protect Winsock' / 'Protect MAC Address' rules,they are set to block,so just change them to ask user,and click allow always next time you get an alert for RegRun. You could just delete that group as i don't think it's nessesery,plus,i've never had an alert since adding those rules.

 

Thanks!

By the way, did you forget or you didn't want to coment on what software you run along side regdefend ?

dja2k

 

Hi dja2k.

I didn't really see the need to mention what software i use alongside GhostSecuritySuite,as,as mentioned in my first post,i just allow everything (especially security appz) full access to the registry,so i don't have any special rules for software,apart from the 'allow always' app rules,i'll leave that others who do block stuff,then they can give you reasons as to why.
Whenever i get an alert from something i know,i select 'always allow',it's only when something i dont know/recognize that i block,do a bit of googling to find out what it is,if it's lagit,the next time i get the alert i select 'always allow' (touch wood,had nothing yet/ever).

 

Hi Tonyjl, maybe you know this allready but regsvr32.exe, services.exe and some others could be set too permit once ... cause it will give you some extra protection just in case some process had full access to the registry, regsvr32.exe will still warn you when writing to it...not in all cases I guess, at least that's how I do it on some of my setups.

take care

Inf.

 

Yes i did know that Infinity,thanks for mentioning it as some other people may not of known. I haven't actually set RD to permit once cause i have PG & AD set to permit once,triple protection is good (for security and finger exercise ) but sometimes it slows things down or causes them to hang.

 

off course, I did it the other way around, I gave it full access in PG (exept rundll32.exe - if you wanted to know why I gave those processes full access in PG...well I find Appdefend a lot faster in respons time and never new it hang while doing it with pg I had hickups) so I limited their radius with appdefend ... cause it's overlap and does slow things down.
for myself I'm using the standard rules but I would like to see them more tight.

I asked a question myself regarding this issue, cause we can see RDstandard rules and ADsecure rules but I was hoping to see RDSecure and ADstandard in some update as well ... I know they are working hard to establish this all so let's hope those rules will be more tight!

take care

 

So if you are using Appdefend and ProcessGuard together, do you have something disabled in PG and\or what protection do you have in Appdefend as allow to let PG handle them or vise versa?

dja2k

 

execution protection disabled, registry protection disabled, all the rest is checked regarding global protection. about the exe's, well that's personal but I explained what I did with regsvr32.exe.

 

disabled global hooks in pg as well hence AD is faster and cause of the overlap.

/OT: ... I am looking forward to play with the new beta and I hope it won't take too long

 

Thanks for the info...

dja2k

 

Are Kent's and Tony's original ghost files now useless because of the wildcard difference (* vs. **)?

 

What I read is that you have to modify them to use them properly. Thats why I asked for someone's ghost file cause I didn't understand how to change them. There is however a thread here explaining how to modify them yourself.

dja2k

 

Thanks - I deleted them for now.

 

Hey tonyjl, quick question - Why does RegRun Gold registry tracer flag more objects than regdefend using the list you provided perviously? Are the regrun entries not in there?

dja2k

 

Hi hja2k.

Thanks for pointing that out. I imported puff-m-d's RegRun set and noticed i have the following missing:-

HKEY_CURRENT_USER\Control panel\Desktop / ScrnSave.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Code store database\Distribution units* / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Inifilemapping\System.ini* / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Inifilemapping\Win.ini* / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost* / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / Taskman
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / Userinit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / VMApplet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon/Notify / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shellexecutehooks* / *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload* /*
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Winsock2* / *

The rest are already in there,thanks again for pointing that out,don't why i didn't add them.

 

You welcome tonyjl, but now I am lost here. How do I go by to import those rules to your custom list? I get an error saying to pick a profile which is already on. Or if you have time, can you please add them to that previous posted list of yours. I don't understand this wildcard changes and well the order they go in.

dja2k

 

Hi hja2k.

I've just added them on as a seperate group as i like to mine and other people's rules seperate,it makes it easier to track changes etc. Download the file below to somewhere handy (i have it with my backup RD rules-sets),delete the .txt part as before,open GSS,click on RegDefend,high-light 'Global Registry Rules',then in the right pane,click 'Import Group',search this file and select it,it will be added at end (bottom) of the list. Rearange if you prefer,best to put it before (above) the test rules though.

 

Hi hja2k.

Since you pointed out the RegRun stuff,i did a bit of double-checking,and found a few of Tony Klein's rules missing aswell,i didn't bother adding any of those cause if i remember correctly,it was Tony who impressed Jason and became a beta tester or something like that,anyway,a lot those rules are part of the Default set now,so i 'assumed' they were all in there. Anyway add these the same as before mate,would of posted in above post,but can only upload one file at a time. I'll let you know if i find anything else.

 

Cool! Thanks... I have put the file together and added the RegRun stuff to the buttom of your list before the disabled entries were. I of course have them all active.

dja2k

 

Glad to help mate ,let us know if you find anything else.

 

I added the two updated groups back to my protection also. Thanks.