How does RegDefend compare to the same functionality in Tiny Firewall 2005 ?

Jason,
I was wondering if you could comment if the low level protection capabilities are the same, they seem to be similar (on the surface) ...
Similarly if you feel like making a comment about PG and the equivalent Tiny functionality I would be very interested

I'm interested for a few reasons, not the least being that you have hinted on several occasions that you have plugged several undocumented holes in Ring0 that things can slip through....
Its entirely possible that you might have reviewed Tiny 6.0 at some point and might be in a position to comment

Thanks

 

Surely someone has used both and possibly has an idea on their comparative merits

Anyone ?

 

For what is worth, I've found a comment by Paranoid2000 indicating that Tiny does block registry access prior to a change being made

See the thread Tiny Firewall Pro 6.5

Jason I would still be interested in your evaluation, does RegDefend do things any differently or in a better way....

Obviously the Tiny method puts all of your eggs in one basket by combining f/w, process protection and registry protection together so that is one difference...

At least I have an answer of sorts now... even if I am just talking to myself in a thread :-o

 

When I find the time I will give Tine Firewall a run and see how it works exactly. If it does block the change first that means it is using hooking. Now you just need to work out if it is kernel mode hooking or user mode hooking. If it is usermode hooking it can still be circumvented.

As to which is better, that is a different kettle of fish. Is there any noticable system performance drop when Tiny is installed on your system?

 

Jason,
Thanks for the reply, I don't actually have Tiny which is why I was asking the question in the hope that others on Wilders who do might respond.

I like having the idea of having different products in use on different machines and Tiny seems to have some merit for one environment so that I have a proper sandbox to try running unknown programs in. However the price of it and the many comments that it takes a while (and can be a pain) to setup properly has made me think carefully.

 

Seems we have heard the same things about it then.
I'll see if any of my beta testers have any thoughts on the matter.

 

*coughs loudly* Note that I said "Assuming that..." - I'm not an expert on Tiny's capabilities, but it has had the ability to track and reverse registry changes since its Tiny Trojan Trap days. This could be done by polling but it would seem more likely that Tiny intercepts registry modification, given that you can restrict programs to only accessing certain keys.

 

I'm using the latest Tiny Pro 6.5.62 with just the default configuration, out of curiosity I just tried the Reg test of Jasons' I disabled RegDefend 1.500 then executed the test.

1st thing is that Tiny asked how to handle it so I gave it run with default security, when I executed the test again Tiny popped up a couple info balloons saying that it stopped RegTest because of 'spawning' etc

I'm very new to these security products so that's all the info I can give you about how Tiny Pro 6.5.62 handles the Reg test of Jasons', also this version of Tiny doesn't hog the resources as the earlier version Tiny Pro6.0.140.

ps I use XP home SP2, AMD 1g cpu with 512ram, TDS, PG, RegDfnd, WG, etc Nod32 on access, with Kav as on demand & Tiny all behind a router....am I paranoid or what?

If this post is of no use to anyone just delete

peterc

 

Peterc,
Thanks for sharing that information

I guess that RegTest has served more purpose than just to expose a bug in RegDefend, its good for competitive analysis as well, although I don't expect that other competitors are supposed to "pass" the tests...

 

Yeah, I had the same experience with TF 2005. What I did was I went into the Tiny settings and changed a few places from "Block" to "Ask User". I don't remember but I think these were in the detailed Registry rules in the TP Admin Center.

So then the next time, instead of blocking those memory writes, etc and not being able to run Regtest, I was able to allow everything up until the Regtest GUI actually starts. Then I ran Test 1 and TP passed - in other words, it stopped and queried me on the Run keys stuff. I denied them and the test said "modification failed".

On Test 2, I also denied any TP alerts. The result was the machine seemed to freeze at the shut down stage. So I manually reset and the machine started up without the tell-tale Regtest screen, so I think it passed Test 2 as well.

I am very impressed with Tiny Firewall 2005 so far. It's a real bear to configure but has many many features.

 

Peterc,
When registry access is blocked which program pops up first with the warning (ie: RegDefend or Tiny) when they are both configured to monitor the same key ?

It is good to hear that Tiny plays nicely with both PG and RegDefend I might give it a trial

Thanks

NB: I'm quite comfortable with the fact that there is functional overlap here, I don't like having all of my eggs in one basket (like many others on this forum)

 

gottadoit

I just tried the regtest with Tiny 6.5 running default settings with PG enabled and regdefend enabled all default settings.

1: when I 1st execute regtest Tiny pops up asks what to do with it I select run with default security this time only

2:Next PG pops up asks what to do if I deny that is it end of test.

3: If I allow Tiny pops up again with different info saying that regtest is spawning from Parent to Child, I deny and that is end of regtest.

I won't take it any further as I have to work at this pc, I know regdefend works I've used it by itself & I am satisfied with it.
I like the idea of a layered security but Tiny is slightly heavy on resources compared to LnS which is also very good but I haven't experimented with that combination yet.

Last week I ran regtest without Tiny 6.5 or regdefend installed, with just PG, WG and my pc shutdown then rebooted itself, PGs' alerts were over 700+ when it started again.

I was only using CHX-I packet filter in combination with my modem/router

Hope that was of any use

peterc

 

I am trying the Tiny personal edition at the moment and find that it does indeed give one very granular control but at the cost of complexity.
When using RegTest agianst it Tiny (default settings) pops up with an alert (various alerts) asking whether to trust RT If you add it to your trusted programs then Test 1 can make the necessary modifications. When running test 2 after accepting the alerts and trusting RT then Tiny fails and you get the "you could be compromised" screen. Therfore it would be necessary to add all the relevant keys into Tiny for the attack to be stopped at the registry level. Albeit this is only true if you give an application full trusted status.
From the application point of view Tiny and PG both stop and query RT from the outset.
I'll leave it for the Tiny experts to describe exactly what registry rule(s) one need to set in Tiny to prevent attacks once an application is trusted, though this may also involve tweaking other parts of Tiny as well.

Pilli

 

As I said in my post above, all you have to do is change the default rule from "blocked" to "ask user" for the two or three items that Tiny alerts on just prior to the first Regtest window. The items that you see BEFORE the tests which should be allowed for a valid test anyway are blocked by Tiny by default and hence you can't get to Test 1.

Go into the Default Security rules and find the rule related to the things that Tiny is blocking by default (you can tell which ones they are by looking at the Blocked alert window that Tiny puts up when you run Regtest with Tiny at Default).

Find the rule, and there's a line with "*" (wildcard for all other programs) and it by default has those first alert items as "blocked". This is why when you run Regtest with default security, that Tiny won't let you get to the first Regtest window. It's blocking some things by default. Change the rule to "Ask User" instead of blocked for those three or four columns in that rule.

Now, when you run Regtest with Default Security, you will first get two or three alerts asking you to allow or deny. Simply allow them - Jason stated in the following post that the alerts you see prior to the first Regtest window should be allowed because they are just insuring a clean starting point for the tests. It's not until the actual tests that you should deny:
https://www.wilderssecurity.com/showpost.php?p=396024&postcount=12

Finally, you will get to the first Regtest window. Now you can execute Test 1 and Test 2 and Tiny will alert you and ask you to allow or deny. You deny, and it will pass both tests. No modifications and no start-up item.

Running Regtest as a trusted application is a totally bogus test. That would be like running Regtest with Regdefend in Learning Mode (if there was such a thing). Or like running a spyware program with Process Guard in learning mode. Regtest is supposed to simulate a known malicious or unknown software. You wouldn't give a malicious software or an unknown software Trusted status - that is just asking for trouble. Trusted means trusted, why would you expect Tiny to stop anything that a trusted app wants to do? If you want that, then you can do it but you have to change the Trusted app rules to Block or Ask User. But that defeats the whole purpose of the Trusted App philosophy.

Tiny is very impressive if you know how to use it.