Extra RegDefend Ghost File Entries

Discussion in 'Ghost Security Suite (GSS)' started by puff-m-d, Mar 1, 2005.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    You're welcome. :)

    It may be comprehensive, but I'm pretty certain it will never be complete...
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: RegRun Entries

    It never will :) that's what I like so much about Windows xp lol ;)

    Thanx again and keep it coming if I may say :)
     
  3. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    Is the current .txt posted by Tony the one to download and add to RD's groups as I have got myself a little bit lost with additions/subtractions o_O I have Puff's in my group and then was going to add Tony's but read the post about proxy prompts being removed. I will download again but need to make sure first as I know Tony is working hard on this for people like me who do not know what to add manually :oops:
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    The Group has been working perfectly fine here after I removed the proxy related values, and I recommend adding it. :)
    It contains a lot of keys and values you want RD to protect!

    The one now uploaded is indeed the final one.
     
  5. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Re: RegRun Entries

    Thank you Tony - will download and add now :) I really do appreciate these extra protection keys from the experts ;)

    Edit: all done now added :cool: thank you very much.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    You're welcome, Robyn.

    As I said elsewhere, I hope to be working with the beta team, and possibly others in order to avoid duplication and chaos in general.

    To my mind, ideally we'd end up with one or several pretty comprehensive and thoroughly tested ghst files which can subsequently be added to on a regular basis...
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    OK, I uploaded a slightly tweaked ghst file. Nothing terribly wrong with the old one, just a couple of minor changes re wildcards.
    I do recommend those who've installed it to replace it with this one.
     
    Last edited: May 30, 2005
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Re: RegRun Entries

    I uploaded a new ghst file, adding the following two reg keys, as they're vital:

    hkey_classes_root\comfile\shell\open\command | * | Value | Mod Value | Block
    hkey_classes_root\exefile\shell\open\command | * | Value | Mod Value | Block

    The forums abound with people complaining that they can't launch an application because suddenly "exefiles have stopped working"

    This is due to the fact that literally hundreds of trojans and worms hack that value in order to point to themselves, so it needs protecting.

    Comfile should be protected as well.

    I opted to block instead of prompt, as nothing should be allowed to tamper with these two reg keys.

    Direct download link:

    <Removed invalid link... - puff-m-d>
     
    Last edited by a moderator: Jun 20, 2005
  9. dog

    dog Guest

    Sorry Tony, ;) I never did thank you :oops: I meant to, but forgot. ~Thanks~ Great Stuff :)

    Steve

    And thanks to Kent too ... for the RegRun set. ;) :)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Not to worry, Steve - it's a pleasure! :)
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Tony,

    I just downloaded and installed your supplementary entries. Thanks for being so generous with your work and time. I will let you know how it goes.

    Thanks again,

    Regards,
    Rich
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    You're welcome, Rich. And don't worry: every single item was put there for a reason and should normally not keep you busy answering RD prompts...

    At the same time, should anyone have a problem with any one of these entries, please holler!

    After all, no two systems are identical, and someone's mileage may vary.
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Tony.

    Rich
     
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Just downloaded and added puff-m-d's and Tony Klein's Ghost Files. Thanks guys for the great work.
     
  15. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Tony - I am not too sure but I downloaded and installed your updated list yesterday (have only found the extra items now) but when I launched TDS a little while ago - the initial scan went through my processes but then stopped responding on the memory scan.

    Would there be an entry in the list which would have done this as when I disabled the key set added (Tony) - rebooted and TDS ran without any problems. I have re-enabled the list provided but thought it best to ask if there is a conflict or if the memory scan takes a lot longer with the protection. It is the first launch which when ran then allows me to update the database but today it only worked (stopped responding with RD fully active) when I disabled RD extra's o_O

    I have the default ones plus Puff's RegRun plus Tony direct download from yesterday if this helps.
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi Robyn,

    I do not know if this will help you or not but I use TDS-3 also along with both Tony's ghost file and mine. I do not have any problems with TDS-3 finishing its scan. Perhaps you can try it again with everything enabled in RegDefend and doing the TDS-3 scan. If it hangs again, see if anything shows in the RegDefend log.
     
  17. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hi and thanks

    I enabled Tony's again and re-booted - initialised TDS and this time no problems it ran through the initial start up scan as per usual o_O last time when I checked Task Manager RD was at the top of the list which was when my scan could not finish. Thankfully this time all is working with both sets of extra protection running. Maybe a glitch somewhere but I am relieved I can still use RD with the extras now.
    I will have to find the extras Tony has added and add them to my list now.

    Thanks again everything is working for me & a big thank you to both of you for the pre-made protection keys.
     
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi Robyn,

    You are most welcome ;) ...

    I am glad to hear all is working now. You are right in the fact that it was probably just a one time glitch.

    I am not sure what you mean by this exactly as Tony's ghost file is the most recent and all the entries he discussed are included in it. As long as you have the most recent ghost file, you will have all the entries.

    And again you are most welcome ;) !!!
     
  19. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank you puff :)

    I didn't have the two .exe protection keys added last night when I was offline. I noticed them on my e-mail notification so knew they were in addition to the set I had downloaded yesterday. I downloaded again and now see the block keys added.

    I know I am depending on the experts for the list but I am learning a lot from the way RD protects and works with my applications. I am so pleased I decided to install this software and have the forum for a huge guide ;) Just need to keep watch for all the new keys to add now, appreciate all the hard work it takes to find & protect them :)
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    OK, I've added the following to my Ghst file, and removed two wild cards that weren't called for elsewhere:

    hkey_classes_root\batfile\shell\open\command | * | Value | Mod Value | Block
    hkey_classes_root\piffile\shell\open\command | * | Value | Mod Value | Block
    hkey_local_machine\system\currentcontrolset\control\session manager\environment | pathext | None | Mod Value | Ask User

    My uploaded ghst file has now been replaced by the new one, so everyone please go ahead and grab it:

    <Removed invalid link... puff-m-d>
     
    Last edited by a moderator: Jun 20, 2005
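
Added example, not part of any post in this thread and not RegDefend's own code: a small audit of the four `shell\open\command` keys that the rules above set to Block (exefile, comfile, batfile, piffile). It reads a `.reg` export and reports any handler whose default value is not the stock Windows string `"%1" %*`; the sample export and the `C:\example\loader.exe` path are constructed for illustration.

```python
import re

# Handlers named in the thread's Block rules. On a stock Windows install the
# default (@) value of each <handler>\shell\open\command key is: "%1" %*
HANDLERS = ("exefile", "comfile", "batfile", "piffile")
EXPECTED = '"%1" %*'

# Constructed .reg export: exefile has been redirected, the rest are intact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\example\\loader.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg_defaults(text):
    """Map lower-cased key path -> default (@) string value from a .reg export."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslash and double quote with a backslash
            defaults[key] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults

def audit_open_commands(reg_text):
    """Return [(handler, found_value)] for handlers that are missing or altered."""
    defaults = parse_reg_defaults(reg_text)
    findings = []
    for handler in HANDLERS:
        key = "\\".join(("hkey_classes_root", handler, "shell", "open", "command"))
        value = defaults.get(key)  # None means the key was not in the export
        if value != EXPECTED:
            findings.append((handler, value))
    return findings

if __name__ == "__main__":
    for handler, value in audit_open_commands(SAMPLE_REG):
        print(f"{handler}: unexpected open command: {value!r}")
```

A handler reported with `None` was absent from the export, which is worth checking by hand rather than treating as clean.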
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Tony,

    Thanks for all your efforts with this, I just downloaded your latest file. :)

    Regards,

    Jag
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    You're very welcome. :)
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Just curious.

    Upon launching MS Paint, RD alerted me that svhost.exe was trying to delete something at HKLM\software\microsoft\windows\currentversion\run

    Something about stillimagemonitor.

    Any clue as to what that is and why I would be prompted by just opening up MS Paint?

    Thanks to all,

    Jag
     
  24. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Jaquar, I get the 'StillImage Monitor' one and worried about it myself. It is related to a scanner/camera start up entry. I was curious and found that when I used my scanner (which I had previously disabled from running at startup - long before I installed RD) I got the alert about SIM.
    I have not set an always do this rule etc but have allowed and have blocked to see if I notice any difference and I don't o_O

    My scanner still works and I was able to download my photos from the SD card (via a card reader) STM alert on booting next day. Mine seems to be related to mainly my scanner but has not had any effect on its operation o_O

    Note: this happened when running at the default settings so is not related to any of the additions I have now installed.
     
  25. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have just booted my main PC and had an alert about the security console firewall settings o_O I do not use SP2 firewall and it is disabled - I run Outpost Pro

    I blocked this key but did not set always etc until I asked advice, please

    svchost.exe [1688] was blocked from setting this value to 0x00000001 (1) | 10:25:38 - 01 Jun 2005 | HKEY_LOCAL_MACHINE\software\microsoft\security center | firewalldisablenotify | d:\windows\system32\svchost.exe | TONY

    The current data read 0x00000000 (0) looking at my log I see the antivirus key similar to this was blocked without my interaction. I am just thinking it may be due to the fact I manually start Outpost after boot (covered by my router) which is why I was prompted?

    o_O thanks in advance.
     