Registry Guard - Protect registry keys and values

Discussion in 'other anti-malware software' started by novirusthanks, Nov 24, 2015.

  1. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    M$, is that you?
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @novirusthanks

    Is there a reason why DELETE_KEY is not engaging the driver's preprogrammed instructions to prevent deleting ANY key/folder in my Windows 8.0 64bit registry branches?
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! I will give it a try when there are some example rules for me to go by. I also need to do a little research to see what registry keys are most prevalently used by malware.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Could anyone conduct a brief flash analysis on the DELETE_KEY function and report your results, if any. Thanks.
     
    Last edited: Dec 14, 2015
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Ok, so the EVENTS LOG responds to the Rule but DOES NOT prevent deleting the identified KEY

    Datetime: 12/15/2015 7:59:29 PM
    Operation: Delete Key
    Process: [6872]C:\Windows\regedit.exe
    Parent: [2908]C:\Windows\explorer.exe
    Thread Id: 7092
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA
    Rule: [%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *DeleteKey*]
     
  6. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    413
    Did you try doing a "Refresh" from within regedit after deleting the KEY?
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sure did whether it needed it or not.

    Patience is the Key now. Andreas is working on multi-projects and he even said as much before that when there is time to fine tune this one it will be done.

    Honestly didn't even think this super cool Registry App would even factor into any development, but, well, here it is in early stages
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Has anyone tested this one besides me? Just curious of your own findings or results if you think it's a good addition to your current security set up or if any issues have been noted.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Bumping (sorry I never do this) for our resident NVT Genius Andreas.

    @novirusthanks I really would like some feedback on the failing-to-prevent-deleting issue with this app when you have a chance. This app is much too vital IMO to ignore. Not many (IF ANY AT ALL) even bother to offer a decent Registry Guard like this one.

    Regards, EASTER
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @EASTER

    I just tested it now and it works fine:

    When you delete the key with regedit.exe, the key disappears and Registry Guard logs the event it has blocked. Now press F5 on regedit to refresh and find the key (it is listed in alphabetical order); it should be there, since the deletion is blocked by Registry Guard (according to your rules).

    (attached screenshot: key.png)
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh Andreas. You are good, real good. You know what should work and best of all HOW.

    Thanks ever so much. And so after trying it again and REFRESH regedit, it was gone anyway or so I thought, but after refreshing I caught that it simply moved up the alphabetical name chain, (I no doubt missed this all along) so YES no deleting occurred just as expected per the RULES. :thumb:
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released a new version v1.3:
    http://www.novirusthanks.org/products/registry-guard/

    Example of exclusion rules:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\tunnel] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\WinSAT.exe] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [%VAL%: WinSATRestorePower]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\browser_broker.exe] [%KEY%: *\Software\Microsoft\Windows\CurrentVersion\Internet Settings*] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\Internet Explorer\iexplore.exe] [%KEY%: *\Software\Microsoft\Windows\CurrentVersion\Internet Settings*] [%VAL%: *]
    
    They can be written same as you write block-rules (better to exclude only specific events based on the operation, process, key, value).
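    The event log posted earlier in the thread and the exclusion rules above use the same four-field syntax, so the following added example shows one way the two interact. It is illustration code written for this page, not Registry Guard's own code, and it makes assumptions the product does not document: `*` in a field is a wildcard for any run of characters, matching is case-insensitive (as registry paths are), the log's "Delete Key" operation corresponds to the rule token `DELETE_KEY`, the `%VAL%` field is not checked for key-level operations (which is how the logged `*DeleteKey*` rule could fire on a key deletion), and an exclusion rule that matches an event overrides any block rule. The regedit event is taken from the log in this thread; the services.exe exclusion is from the list above; the second block rule and the two write events are constructed for the demo.

```python
"""Toy evaluator for Registry Guard style rules (illustration, not the product's code).

Assumptions not stated by the product:
  * '*' inside a field matches any run of characters; matching is case-insensitive.
  * the logged Operation ("Delete Key") maps to the rule token with spaces
    replaced by '_' and upper-cased ("DELETE_KEY").
  * for key-level operations (no value name in the event) %VAL% is not checked.
  * an exclusion rule that matches an event overrides any block rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")


@dataclass(frozen=True)
class Rule:
    opr: str
    exe: str
    key: str
    val: str
    text: str  # original rule line, kept for reporting


@dataclass(frozen=True)
class Event:
    operation: str
    process: str
    key: str
    value: str = ""  # empty for key-level operations such as Delete Key


def glob_to_regex(pattern: str):
    """Translate a '*'-only wildcard pattern into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def parse_rule(line: str) -> Rule:
    """Parse one '[%OPR%: ...] [%EXE%: ...] [%KEY%: ...] [%VAL%: ...]' line."""
    fields = {name.lower(): value.strip() for name, value in FIELD_RE.findall(line)}
    missing = {"opr", "exe", "key", "val"} - fields.keys()
    if missing:
        raise ValueError(f"rule lacks field(s) {sorted(missing)}: {line!r}")
    return Rule(text=line.strip(), **fields)


def parse_event(log_block: str) -> Event:
    """Parse the 'Field: value' block that the event log shows for one operation."""
    fields = {}
    for raw in log_block.strip().splitlines():
        name, _, value = raw.partition(":")
        fields[name.strip().lower()] = value.strip()
    # Process looks like "[6872]C:\Windows\regedit.exe"; drop the bracketed PID.
    process = re.sub(r"^\[\d+\]", "", fields["process"])
    return Event(operation=fields["operation"], process=process,
                 key=fields["key"], value=fields.get("value", ""))


def rule_matches(rule: Rule, ev: Event) -> bool:
    op_token = ev.operation.strip().upper().replace(" ", "_")
    if not glob_to_regex(rule.opr).match(op_token):
        return False
    if not glob_to_regex(rule.exe).match(ev.process):
        return False
    if not glob_to_regex(rule.key).match(ev.key):
        return False
    # Assumption: key-level operations carry no value name, so %VAL% is skipped.
    if ev.value and not glob_to_regex(rule.val).match(ev.value):
        return False
    return True


def decide(ev: Event, block_rules: List[Rule], exclusions: List[Rule]) -> Tuple[str, Optional[Rule]]:
    """Return ('ALLOW' | 'BLOCK', the rule that decided it, or None if nothing matched)."""
    for rule in exclusions:          # assumption: exclusions win over block rules
        if rule_matches(rule, ev):
            return "ALLOW", rule
    for rule in block_rules:
        if rule_matches(rule, ev):
            return "BLOCK", rule
    return "ALLOW", None


# Event and first block rule: taken from the log posted earlier in this thread.
REGEDIT_EVENT = parse_event(r"""
Datetime: 12/15/2015 7:59:29 PM
Operation: Delete Key
Process: [6872]C:\Windows\regedit.exe
Parent: [2908]C:\Windows\explorer.exe
Thread Id: 7092
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA
""")
BLOCK_RULES = [
    parse_rule(r"[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*] [%VAL%: *DeleteKey*]"),
    # Constructed block rule (not from the thread): any process rewriting a service ImagePath.
    parse_rule(r"[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]"),
]
# Exclusion rule: the services.exe line from the developer's example list.
EXCLUSIONS = [
    parse_rule(r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\tunnel] [%VAL%: ImagePath]"),
]
# Constructed write events: the excluded system process and an unlisted program.
SERVICES_EVENT = Event("Write Value", r"C:\Windows\System32\services.exe",
                       r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tunnel", "ImagePath")
UNKNOWN_EVENT = Event("Write Value", r"C:\Temp\unknown.exe",
                      r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tunnel", "ImagePath")

if __name__ == "__main__":
    for ev in (REGEDIT_EVENT, SERVICES_EVENT, UNKNOWN_EVENT):
        verdict, rule = decide(ev, BLOCK_RULES, EXCLUSIONS)
        print(f"{verdict:5} {ev.operation:11} {ev.process}  <- {rule.text if rule else 'no rule'}")
```

Running it prints BLOCK for the regedit key deletion (the first block rule), ALLOW for services.exe writing the tunnel ImagePath (the exclusion wins), and BLOCK for the same write from the unlisted program. The point of the narrow exclusion is visible in the last two lines: scoping the exclusion to one process, one key and one value name, as the developer recommends, keeps the block rule effective for everything else.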
     
  13. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
    That's Nonsense.... :argh:

    Running XP here and still getting M$ security patches every month.
    Use it almost every day doing online shopping and even banking with this "obsolete" and "insecure" system...
    No antivirus installed but using AppGuard, ERP and Sandboxie.
    Running the entire C drive from ramdisk so modifications to the filesystem and registry won't stick after a simple reboot.
    Oh... by the way... I always run as Admin. :p

    Last malware infection?
    Probably 7 or 8 years ago, before I started using ramdisk mode...
     
    Last edited: Feb 23, 2016
  14. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
    Just a simple question for Andreas: why doesn't Registry Guard run on XP?
    Is it calling functions that are not supported by XP's API?
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Is there any chance for an audio/popup alert that might be implemented in it, similar to NVT-ERP?

    Thank You for the new version.
     
  16. guest

    guest Guest

    Registry Guard v1.4 Released (21 May 2017)
    http://www.novirusthanks.org/products/registry-guard/
     
    Last edited by a moderator: May 21, 2017
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    @novirusthanks Andreas, would it be possible to add these settings from the service-only version to Registry Guard settings as well?

    DeleteLogsOlderThanNDays = 30
    PassiveMode = y
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Also - am I right it has to be manually started (or through Task Scheduler) ... there is no 'Start with Windows' option?

    It's just I am used to the service version, which runs automatically. May revert to that, though the GUI is nice to have.
     
  19. guest

    guest Guest

    It needs administrator rights and if you are logging in as a normal user it can't launch automatically.

    For example SOB doesn't support LUA (and needs administrator rights too)
    As long as you are logging in as an administrator, you can add a task for Registry Guard.
    But a normal user has to start it manually.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @mood. I do log in as an administrator, so I will add a task.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Even though I run with Admin rights, I also had to tick 'Run with highest privileges' else it would not start at log on, code 0x800702E4 ... 'requires elevation' ...
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Gone back to the service version. Actually find it easier to work with :).

    For example, with task scheduler start, can't start in disabled mode. Or maybe you can with a command parameter (didn't RTFM), but not via settings. Which could be a problem with stuff that installs on reboot.
     
  23. guest

    guest Guest

    I use the service version too.
    There is no GUI, but it is running and protecting all the time.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Does this program protect anything more than Appguard does? That is what I am using now.
     
  25. guest

    guest Guest

    It is kind of a secret, what registry keys AG is protecting.

    With Registry Guard you have control of what Registry Keys/Values you want to protect (or not protect).
    And you can add exclusions for applications, which should have access to specific registry keys even if the protection is enabled.
    It can prevent the writing, creating and deleting of Registry Keys.
    I think Registry Guard provides a good granular protection of the registry.

    If you want an always-on protection, you can use the service version of Registry Guard.
    It also provides a Passive Mode. In this mode it is only logging without blocking anything.
     