Untested Ghost files .gst

Discussion in 'Ghost Security Suite (GSS)' started by Pilli, Jun 17, 2005.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tony - Love the descriptions :) Added this screenshot to help demonstrate how useful they are

    Pilli :)
     


  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Thanks, and you're very welcome, Pilli. :)

    A fair number of descriptions still need to be added though, and they will, once I (as well as Gottadoit) find the time... o_O
     
    Last edited by a moderator: Mar 12, 2006
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Small update again, few edits, lots of descriptions added
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    New version uploaded again: added a SVCHost Network Connections apps group, plus a few edits
     
  5. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Ok, a recent Windows update is now causing some blocked registry settings by winlogon.exe during the logging out phase of exiting an account with admin privileges (and maybe other accounts too, I can't tell).
    The registry key is

    "HKLM\Software\Microsoft\Windows nt\Currentversion\Winlogon\Notify\WgaLogon"

    and there are three values:

    logon
    impersonate
    dllname

    Regdefend is doing "blocked set value by Winlogon.exe" for each one of these while logging out. So what happens is after I click logout, a regdefend alert pops on the screen but the machine logs out before I can acknowledge it. Then when I go back in and check the log I see 3 blocked set values for those three keys in the log.

    I think these should be added to the Tony's rules? Or not, let me know! Thanks
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    Tony, it is good to see that you are "around".. :)

    I haven't seen anything being blocked in my regdefend logs (I always check for that).. I have the latest "wgatray.exe" update..

    Is there anything different in the new "GSR" file?
     
    Last edited: May 26, 2006
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hi there. :)

    Sorry about the absence. Other things have been taking up too much of my time, and I haven't been able to do much work on the gsr files.

    Nope, not many differences in this one. A few updated app groups, an added Firefox group, a couple of minor edits.

    I do have a number of additional rules lined up, but remember that our first priority is to see that the present group is stable the way it is.
     
  9. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Check for windows update, they are just sending this new thing in the last couple of days. If you go to windows update, it will ask you to install an update prior to letting you check for other updates. That's when you will get the new win gen validation problems with winlogon.exe trying to set those key values.
     
  10. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    Jimmy, I disabled regdefend while installing the "wgatray.exe" update.. maybe that made the difference..

    Or, maybe you tweaked the "global rules", and that made the difference..

    After reading your post, I tested, logging out of my Win XP account, and then logging back in.. I didn't see anything blocked in the logs, but I did get a regdefend error-message (after logging back in to my Win XP account), "mismatch between GUI and driver; try rebooting"..

    If you didn't tweak the "global rules", you could try checking any "winlogon" app-rules.. maybe you have something set to "block", there..

    (I don't have any winlogon app-rules)
     
    Last edited: May 26, 2006
  11. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    No, I was just using the unmodified Tony's rules (0313 version). And now that I switched to unmodified 0526 version those blocked winlogon.exe alerts are no longer there. I made no custom changes to either rule set.

    And the regdefend alerts were on winlogon.exe, not wgatray.exe. Before I installed the windows update site update, those three alerts don't show. After, they are there.

    Anyway, I just re-did it on my VPC and same thing. It's the windows update that you have to install (if you want to use the windows update site) during the past couple of days that causes it. Not sure why you didn't have same problem....
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    New file up, this time including the following additions:


    HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main | Enable Browser Extensions | SET VALUE, DELETE VALUE | Ask User, Log to Disk | Web Browser Protection | 46

    Value data of 'no' for this value disables third-party browser extensions for Internet Explorer >

    http://www.sophos.com/virusinfo/analyses/trojcimuzv.html

    ============================================================================================
    In order to prevent a few common ways of unauthorized tampering with services as described here:


    http://www.sophos.com/virusinfo/analyses/w32tilebotdr.html
    http://www.sophos.com/virusinfo/analyses/w32sdbotara.html
    http://www.symantec.com/avcenter/venc/data/backdoor.darkmoon.c.html


    HKEY_LOCAL_MACHINE\System\*controlset*\Services\*\Parameters | ServiceDll | SET VALUE | Ask User, Log to Disk | Drivers / Services | 22

    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Lanmanserver | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 19
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Lanmanworkstation | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 20
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Messenger | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 13
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Remoteregistry | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 14
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Sharedaccess | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 17
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Srservice | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 23
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tlntsvr | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 15
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Wscsvc | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 18
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Wuauserv | Start | SET VALUE | Ask User, Log to Disk | Drivers / Services | 16

    ============================================================================================

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\*shell folders | *Startup | MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Auto Starts | 22
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\*shell folders | *Startup | MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Auto Starts | 23

    http://sophos.com/virusinfo/analyses/trojwock32a.html
    http://www.sophos.com/virusinfo/analyses/trojoptix03c.html
    http://www.sophos.com/virusinfo/analyses/trojspywadc.html

    =========================================================================================

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Wow\Boot | * | MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Drivers / Services | 21

    http://sophos.org/virusinfo/analyses/w32kipisu.html

    =========================================================================================
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\* | * | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Web Browser Protection | 47 (thank you, redwolfe_98 ;) )


    And allow SpywareBlaster to modify those:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\* | * | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | | Spywareblaster | 2


    Most of my Application Rules groups are also included. Enable those for applications you happen to have as well; feel free to remove the others. Just make sure you leave the Global Registry Groups alone, as well as ALL Application Rules groups pertaining to Windows system files (these are the ones in the gsr file that are enabled by default)!

    Enjoy! :)
     
    Last edited: May 29, 2006
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  14. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    I don't think that a new "GSR" file should be added to a "tested file"-list when it has not been tested..
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    That is a strange comment.
    Tony's .gsr file has been extensively tested by users of this forum and others who have also contributed to it, and over time the rules have been tuned to give most users very low alerts, i.e. power without intrusiveness; this has also added to its robustness.

    Pilli
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Also, the additions are really pretty minor and extremely unlikely to cause any unexpected conflicts.

    In addition, I've been running this particular configuration for months now, with as only recent change the addition of "Activex compatibility".

    It is absolutely as safe as the previous version.
     