Alert Counter in GSS

Discussion in 'Ghost Security Suite (GSS)' started by SYS 64738, May 14, 2006.

Thread Status:
Not open for further replies.
  1. SYS 64738

    I am somewhat confused about the statistics on the main GUI of GSS ("Home"), particularly about the alerts counter. If I got this right, for AppDefend an event is counted as an alert when an application is trying to perform something which is not defined in the ruleset. For example, when execution for this application is set to Ask User/Allow, this will result in a popup window and this event will be counted as an alert, right? When execution is set to Allow, there will be no popup and the event is not an alert to AppDefend.

    On the other hand, if there is an application rule in RegDefend which permits an application to delete a key or set a value, this (allowed) event is counted as an alert. Because this particular event is set to Allowed, there is of course no alert popup window. Is this different behavior of RegDefend and AppDefend in counting alerts intended as normal in GSS? (Maybe as additional information for the user that a change to certain registry keys has occurred?)
  2. f3x

    Each time AppDefend / GSS has to check whether something is allowed or not, it counts as an alert. If you set network access to Always Allow, network access will still count as an alert.

    There is one exception with RD. Before, there were two counts: one for read access, the other for write. The read count was increasing far too fast, and this could cause strange behavior on systems that are always on. So for RD an alert is every attempt to write to the registry. (Most rules in RD anyway try to stop writing to the registry, not reading.)
    (Deleting = writing, in some sort.)

    For AD an alert is one monitored behavior:
    process creation / termination / modification / network, etc.

    Hope this helps.
    Anyway it's a guess; only Jason would know for sure, but I still think it's a good guess.
  3. f3x

    I am completely wrong on this one.
    I was talking about the Event/Write part of the GSS GUI.
    I just saw that there is also an alert count for GSS.

    Then one alert = 1 item in the log history?

    RD and AD are developed as two different products glued together, as they share the same driver. They also serve different purposes.

    RD's role is to "freeze" registry entries that should not be modified.
    Thus if an event is allowed, it's useful to know how and when.

    AD's role is to let you run programs while knowing that undesirable behavior will be filtered out.

    The major difference between the two is that the registry is persistent.
    If a change is allowed in the registry, it'll stay that way unless something changes it back. This is why RD logs _all_ writes to the registry.

    If AD lets something slip, then you reboot and it's gone. Combined with the fact that the behavior monitored by AD happens more frequently, I believe this explains why not everything is logged and thus counted as an alert.