AppDefend ruleset like Tony's in RegDefend?

Discussion in 'Ghost Security Suite (GSS)' started by sweater, Mar 21, 2006.

Thread Status:
Not open for further replies.
  1. sweater

    sweater Registered Member

    I am just wondering if there are rulesets available for AppDefend aside from its default rules, just like Tony's rulesets in RegDefend... :)
     
  2. gottadoit

    gottadoit Security Expert

    sweater,
    There isn't anything like that at the moment, mainly because responding to the prompts is fairly easy and it gives you a properly customised ruleset for your machine. The current audience for the beta most probably have at least a moderate amount of technical know-how.

    There are quite a few things to consider to make a generic ruleset useful. Checksums are one, and the file posted at the forum would have out-of-date checksums before too long. Another issue is the fact that not everybody installs software in the same location.

    I think the best thing to do on the AppDefend side of things is to wait and see what features it has when it comes out of beta (or in the first one or two minor releases). I would imagine that usability and ease of configuration are bound to be something that Jason considers to make the product useful to a broader range of people.

    On the other hand, there are some small tweaks that you could make in order to lessen logfile entries, and depending on the software you have installed you may want to have some small additions that you need to configure by hand.

    Here are some that I added in as a proof of concept:
    To stop prompts at logout:
    To stop local DNS client (svchost thread) logging DNS requests, log entries look like
    AppDefend rule to stop them being logged:
    One thing to be aware of when using this rule is that you create a "leak" where a thread created in the NetworkService svchost would completely escape your notice. In order to do this properly (and before this rule is useful), AppDefend would need to be able to specify that this Network Allow was *just* for DNS traffic going to your set of valid DNS servers. Even then there are still potential threats with DNS (see Black Ops of DNS (2004) and Black Ops of TCP/IP (2005) paper by Dan Kaminsky).
     
    Last edited: Mar 21, 2006
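
The "leak" described in the post above, as an added example that is not part of the original post or of AppDefend: a process-only allow rule is compared with one scoped to DNS traffic to known resolvers. The rule model, process label, resolver addresses and events are all constructed assumptions, not AppDefend's rule format.

```python
# Added illustration; the rule model is hypothetical, not AppDefend's format.
from dataclasses import dataclass
from ipaddress import ip_address

SVC = "svchost.exe (NetworkService)"   # assumed label for the DNS client host
DNS_PORT = 53
# Constructed sample: the resolvers this machine is configured to use.
VALID_DNS_SERVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}


@dataclass(frozen=True)
class NetEvent:
    process: str
    dest_ip: str
    dest_port: int
    proto: str  # "udp" or "tcp"


def broad_rule_silences(ev: NetEvent) -> bool:
    """Process-only allow: every connection from the process goes unlogged."""
    return ev.process == SVC


def scoped_rule_silences(ev: NetEvent) -> bool:
    """Unlogged allow only for DNS traffic to the configured resolvers."""
    return (ev.process == SVC
            and ev.proto in ("udp", "tcp")
            and ev.dest_port == DNS_PORT
            and ip_address(ev.dest_ip) in VALID_DNS_SERVERS)


def unlogged_gap(events):
    """Events the broad rule hides that a scoped rule would still surface."""
    return [ev for ev in events
            if broad_rule_silences(ev) and not scoped_rule_silences(ev)]


# Constructed sample events (documentation address ranges only).
SAMPLE_EVENTS = [
    NetEvent(SVC, "192.0.2.53", 53, "udp"),             # ordinary lookup
    NetEvent(SVC, "198.51.100.7", 53, "udp"),           # DNS to unlisted server
    NetEvent(SVC, "203.0.113.9", 443, "tcp"),           # not DNS at all
    NetEvent("notepad.exe", "203.0.113.9", 80, "tcp"),  # different process
]

if __name__ == "__main__":
    for ev in unlogged_gap(SAMPLE_EVENTS):
        print("hidden by the process-only rule:", ev)
```

The first sample event stays unlogged even under the scoped rule, which is the residual DNS exposure the post refers to.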
  3. sweater

    sweater Registered Member

    OK, I'll try it. Coz I was thinking that some of the common application software should have rules so that ordinary PC users don't need to be informed by lots of pop-ups. And advanced users or any users can still have the option to configure it one-by-one if he/she likes to. ;)
     
  4. rdsu

    rdsu Registered Member

    If an expert makes some rules for the Windows files, it will be great! :)

    Some like we have on ProcessGuard...
     