Access blocked re services.exe for trusted application? Advice appreciated

Discussion in 'Ghost Security Suite (GSS)' started by zoril, Mar 21, 2006.

Thread Status:
Not open for further replies.
  1. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi there:)

    I have found that a few products are unable to function as they should, as services.exe is blocking modification or deletion etc. in the following key:

    Filename: c:\windows\system32\services.exe

    Cmd line: C:\WINDOWS\system32\services.exe

    Key: HKLM\System\Controlset003\Services\Fsbl-beta

    I should emphasise that Fsbl-beta is a trusted program F-SecureBlackLight beta.

    I want this program to be able to access the above key.

    In the configuration menu services.exe is listed. I was wondering which options should be enabled: Read/Create/Modify Key, or Read Value/Set Value, or Delete Value. There would not appear to be an option to ask first...

    I have experienced a similar message with another trusted program that monitors installs and uninstalls, but it can't work properly if it is unable to modify keys etc. in that same control set section. I enabled all rights for the program itself (under configuration for the specific program)...

    Replies appreciated,

    Howard
     
  2. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    zoril, RegDefend does not cause any problems for me with running BlackLight. When I run BlackLight, an RD alert pops up and I click "allow", another one pops up and I click "allow", then I can run a scan with the program. When I close BlackLight, another RD alert pops up and I click "allow". (There is an option to click "always allow" instead of just allowing the regkeys to run once.)

    You could try replacing the ruleset that you are currently using with a fresh copy of Tony's ruleset.

    Here is the link for downloading Tony's ruleset:

    https://www.wilderssecurity.com/attachment.php?attachmentid=175729&d=1142271988

    Also, you could try temporarily disabling RD's protection to see if BlackLight will then run for you; maybe RegDefend is not what is keeping it from running. If you are using ProcessGuard, and that is what is keeping BlackLight from running, you can either give BlackLight the necessary allowances in PG or temporarily disable PG's protection.

    Incidentally, PG does cause a problem for me with running Sysinternals' RootkitRevealer, because RootkitRevealer uses randomly generated names. I have to disable PG's protection temporarily in order to be able to do a scan with RootkitRevealer.

    Another issue might be if you are trying to run BlackLight in a "limited" account, one that does not have "administrator" privileges.
     
    Last edited: Mar 22, 2006
  3. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hiya Redwolfe:)

    Yes, normally I get asked to accept or block, so I don't need to amend the rules. I did download Tony's ruleset earlier. It is excellent.

    BlackLight runs OK, but as seen in the earlier post it was unable to remove one entry, which was listed under alerts as being blocked by RegDefend...

    Howard
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I ran BlackLight to test. It has services.exe create the key, set a value, and when done delete the key.
    20:43:48 22 Mar 2006 | RegDefend | Allowed create key by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | |
    20:43:49 22 Mar 2006 | RegDefend | Allowed set value by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | imagepath |
    20:44:32 22 Mar 2006 | RegDefend | Allowed delete key by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | |

    The following rule ought to do the trick:

    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Fsbl-beta | * | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | | Services | 2
     
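    An added example (editor's code, not code from the thread and not RegDefend's own): a small Python model of the rule line above, checked against the three log lines Tony posted plus one constructed line using the Controlset003 path from the first post. It reads the rule's six fields as key pattern, value pattern, action list, an unused field, application name and a numeric flag, which is my reading of the line rather than product documentation, and it assumes the application field matches a process by its file-name stem ("Services" for services.exe). The `*controlset*` wildcard is the part worth seeing: Windows keeps one copy of the Services tree per control set (ControlSet001, ControlSet002, ...) plus the CurrentControlSet link, and the log here shows Controlset001 while the first post's alert named Controlset003, so a rule pinned to one number would silently stop matching. The check compares action names literally; whether RegDefend's MODIFY KEY also covers deleting a key is not something this toy model knows, so an action it reports as not covered is a prompt to check the rule in the product, not a verdict.

```python
"""Toy model of a RegDefend-style registry rule checked against alert-log lines.

Added example for this thread, not RegDefend code. The meaning of the rule
fields (key pattern, value pattern, action list, unused, application, flag)
is assumed from the post, not taken from product documentation.
"""
import fnmatch
import re
from pathlib import PureWindowsPath

# Constructed sample input: the three log lines quoted in the post, plus one
# constructed line using Controlset003, the key path from the first post.
SAMPLE_LOG = [
    r"20:43:48 22 Mar 2006 | RegDefend | Allowed create key by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | |",
    r"20:43:49 22 Mar 2006 | RegDefend | Allowed set value by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | imagepath |",
    r"20:44:32 22 Mar 2006 | RegDefend | Allowed delete key by services.exe | HKLM\System\Controlset001\Services\Fsbl-beta | |",
    r"20:45:00 22 Mar 2006 | RegDefend | Blocked set value by services.exe | HKLM\System\Controlset003\Services\Fsbl-beta | imagepath |",
]

# The rule line from the post, verbatim.
RULE_LINE = r"HKEY_LOCAL_MACHINE\System\*controlset*\Services\Fsbl-beta | * | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | | Services | 2"

HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def normalise_key(path: str) -> str:
    """Expand the hive abbreviation and lower-case the path; registry keys are case-insensitive."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}{sep}{rest}".lower()


def parse_rule(line: str) -> dict:
    """Split a 'key | value | actions | unused | app | flag' rule line (assumed field order)."""
    key, value, actions, _unused, app, flag = [f.strip() for f in line.split("|")]
    return {
        "key": normalise_key(key),
        "value": value.lower(),
        "actions": {a.strip().lower() for a in actions.split(",")},
        "app": app.lower(),
        "flag": flag,
    }


# 'Allowed create key by services.exe' -> verdict, action, process
ACTION_RE = re.compile(r"^(?P<verdict>\w+) (?P<action>[\w ]+?) by (?P<process>\S+)$")


def parse_event(line: str) -> dict:
    """Split a 'time | product | verdict action by process | key | value |' log line."""
    _time, _product, what, key, value, *_ = [f.strip() for f in line.split("|")]
    m = ACTION_RE.match(what)
    if not m:
        raise ValueError(f"unrecognised action field: {what!r}")
    return {
        "verdict": m["verdict"].lower(),
        "action": m["action"].lower(),
        "process": m["process"].lower(),
        "key": normalise_key(key),
        "value": value.lower(),
    }


def key_matches(rule: dict, key_path: str) -> bool:
    """Wildcard match of a registry path against the rule's key pattern."""
    return fnmatch.fnmatchcase(normalise_key(key_path), rule["key"])


def rule_covers(rule: dict, event: dict) -> bool:
    """True when key, value, action and application all match the event."""
    # Assumption: the rule's application field names the process by file stem.
    stem = PureWindowsPath(event["process"]).stem
    return (
        fnmatch.fnmatchcase(event["key"], rule["key"])
        and fnmatch.fnmatchcase(event["value"], rule["value"])
        and event["action"] in rule["actions"]
        and stem == rule["app"]
    )


def check_log(lines, rule_line: str = RULE_LINE):
    """Return (control set, action, covered?) for each log line under the rule."""
    rule = parse_rule(rule_line)
    out = []
    for ev in map(parse_event, lines):
        control_set = ev["key"].split("\\")[2]
        out.append((control_set, ev["action"], rule_covers(rule, ev)))
    return out


if __name__ == "__main__":
    for control_set, action, covered in check_log(SAMPLE_LOG):
        print(f"{control_set:<16} {action:<12} {'covered' if covered else 'NOT covered'}")
```

    It runs on its own with the embedded lines; swap in your own RegDefend alert lines and rule to see which logged actions the rule's action list actually names.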
  5. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Much obliged Tony:thumb:
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    np, my pleasure. :)
     