Application Rule Set Incorrectly

Discussion in 'Ghost Security Suite (GSS)' started by meargh, Dec 3, 2005.

Thread Status:
Not open for further replies.
  1. meargh

    meargh Guest

    I'm using RegDefend 2.050 on Windows XP. I ran Nero BackItUp 1.2.0.60, and received an alert from RegDefend that BackItUp was trying to create the value nbj under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. I instructed RegDefend to block that action, and remember the response.

    A rule was created, as shown below. The problem--or at least I think it's a problem--is that the rule wasn't created correctly, or at least doesn't display correctly. Look at the Permissions line, and it says that SET VALUE is blocked. But under Allow these events (which really should be marked simply Events), Allow is selected, and the Set Value check box is not selected.

    The only manual change I made to this rule was to enter nbj on the Value line. I didn't uncheck the Set Value check box, nor did I select the Allow radio button.

    http://img338.imageshack.us/img338/9056/cap0023my.th.png
    (Click thumbnail for a full-size image.)
     
  2. meargh

    meargh Guest

    If I do click the Block radio button, I can see that Set Value is already selected. And sometimes, it stays that way--other times, after viewing other rules, or whatever--it reverts back to Allow being selected instead (as pictured).

    It seems to me this is a real problem, but is only a problem in how the rule is displayed. The setting is actually being stored and applied correctly.
     
  3. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005 | Posts: 1,038 | Location: Australia

    Hi meargh,

    It isn't actually a problem, just a confusion on how that part of the interface works. When you click the BLOCK radio button, it shows you what items you are going to be blocking, when you click the ALLOW radio button it shows what will be allowed. Just because it is "ticked to show allow" by default, doesn't mean it is going to allow. When you click those radio buttons you are switching from showing what is being allowed, to what is being blocked. Those radio buttons don't affect the operation of a rule, they just allow you to select between showing what is allowed and blocked.
     
    Last edited: Dec 3, 2005
  4. meargh

    meargh Guest

    OK, I think I get it. So what I assumed was correct.

    May I suggest that if a rule is set to block, that the Block radio button always be selected, by default? (And vice-versa, of course.)

    The behavior I'm seeing now is unpredictable. When the rule shown above was first created, it was a Block rule, but the Allow radio button was selected. When I'd click the Block radio button, it would sometimes remain that way after navigating other parts of the interface and going back to view the rule, other times not.

    For example: Just now, after a reboot, the Block radio button was selected for the rule in question. Then, after clicking a different application rule and going back, Allow became selected.
     
  5. meargh

    meargh Guest

    What I'm trying to say is that any given time I view a rule, I can't predict whether the Allow or the Block radio button will be selected. Sometimes it's one, sometimes it's the other--without me even doing anything. That behavior wouldn't seem to be intended.
     
  6. Jason_R0

    Jason_R0 Developer

    The viewing of the "Block or Allow" settings for each rule is dependent upon what you were viewing last. If you were viewing the BLOCK settings for one rule, then switched to another rule, it will also show the BLOCK settings.

    By default it is set to show ALLOW settings, so the first time you load up the editor it will be set to ALLOW. You can have both ALLOW and BLOCK settings for each rule, you just can't obviously have something like SET VALUE ticked for both BLOCK and ALLOW.
     
  7. meargh

    meargh Guest

    You'd think I would have noticed that, but I didn't. Thanks.
     