application rules

Discussion in 'Ghost Security Suite (GSS)' started by tonyjl, Sep 7, 2005.

Thread Status:
Not open for further replies.
  1. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
Hey people, like the new version of RD/GSS, GREAT WORK GUYS.
    Anyway there seems to be a bug regarding application rules. I have RegWatcher, which polls the registry (as well as files/folders), and I get alerts about it wanting to read certain keys/values. I kept ticking the "always perform this action" which creates a rule in the app rules section (obviously). But I still get the alerts; it's like the app rules should come before the reg rules (if you know what I mean). I've stopped RegWatcher scanning those keys/values now, but I was wondering if this could be a prob with other apps as well or not?

    Anyone else had any probs like that?

    Thanks

Tonyjl
     
  2. passing thru

    passing thru Guest

    Hi tonyjl. Not a RegWatcher user, but took it for a spin. I set all of RD's default global rules to "Ask User" on read attempts and then started RegWatcher. After all the RD prompts for permission (and there were quite a few), the new RegWatcher application rules did work and I saw no more alerts. It might help to post the keys/values in question.
     
  3. tonyjl
Hi passing thru, glad yours is working ok. I have created a custom group of rules to protect my personal info (name, home address, e-mail, tel no. etc.).
    Some of the rules in question are:
    KEY - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion VALUE - RegisteredOwner EVENTS - Read Value, Set Value, Delete Value ACTION - Ask User

KEY - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion VALUE - ProductId EVENTS - Read Value, Set Value, Delete Value ACTION - Ask User

KEY - HKEY_CURRENT_USER\Software\Axialis\Customer info* VALUE - * EVENTS - Read Key, Read Value, Set Key, Set Value, Delete Key, Delete Value ACTION - Ask User

Hope that helps, could be that I've just missed something.

    Thanks

    Tonyjl
     
  4. passing thru

    Hi tonyjl. I was still not able to duplicate the problem you are having. My setup looked like this:

    Global RD rules for my test group:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion | ProductId | READ KEY, CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | test | 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion | RegisteredOwner | READ KEY, CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | test | 2

    Keys added to RegWatcher's "Highest Key" set:

    hkey_local_machine\software\microsoft\windows\currentversion
    hkey_local_machine\software\microsoft\windows nt\currentversion

    RD application rules for RegWatcher:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion | RegisteredOwner | READ KEY | | regwatcher.exe | 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion | ProductId | READ KEY | | regwatcher.exe | 2

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run** | * | SET VALUE, DELETE VALUE | | regwatcher.exe | 3

RD prompted me as soon as RegWatcher started polling. After giving permanent permission, I was not prompted again. I rebooted a few times to make sure.
     
  5. tonyjl

    Hi PassingThru,

I don't know if it's a typo or not, but I noticed you haven't set RD to monitor "Read Value", which I have. I've tried changing the RD rules and added "Read Key" but it doesn't make any difference.
     
  6. passing thru

    Thanks for spotting that. My mistake. After setting "Read Value", I indeed duplicated your problem. I may have also found a workaround. If I change the two application rule values to lower case letters, the alerts stop:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion | productid | READ KEY, READ VALUE | | regwatcher.exe | 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion | registeredowner | READ KEY, READ VALUE | | regwatcher.exe | 2

    See if it works for you.
     
  7. tonyjl

Yep, it works!! That's really odd.
    Thanks a lot passing thru
     
  8. passing thru

    It's not a perfect solution. I see a "Read Value" event (in the RD logs) for the "productid" value, but not for the "registeredowner" value:

    10:52:55 | Read Value | Allowed | HKLM\Software\Microsoft\Windows\Currentversion | productid | regwatcher.exe

    I guess this is something for Jason to look at.
     
  9. tonyjl
Same here, definitely something for Jason to work on, but RD is still quite young and can only get better and better.
    Maybe Jason could add a feature to the app rules to turn off logging, as you don't really want/need to know an always-allowed app has read/modified something, especially something like reg pollers that add hundreds of logs each day.
     
    Last edited: Sep 9, 2005
  10. passing thru

    Just a quick update: when I used regedit to manually poll the values, both events showed up in the logs.

    13:37:14 | Read Value | Allowed | HKLM\Software\Microsoft\Windows\Currentversion | productid | regedit.exe

    13:37:16 | Read Value | Allowed | HKLM\Software\Microsoft\Windows nt\Currentversion | registeredowner | regedit.exe
     
  11. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
Thanks passing thru for finding that lowercase issue. It was something recently tweaked and it was overlooked. An update will be out soon to address it.
     
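To make the rule precedence and the case-handling problem discussed in this thread concrete, here is an added Python model (not RegDefend's own code) in which application rules for the calling process are consulted before global rules. The bug is modelled on an assumption: application rules receive the value name already lower-cased (as it appears in the RD logs) but compare it case-sensitively, so "ProductId" never matches "productid". Rule and log layouts follow the thread; the rule set, the "*" marker for a global rule, treating an empty ACTION column as a silent allow, and the HKLM expansion are all constructed for this example.

```python
import fnmatch

# Rules in the thread's "KEY | VALUE | EVENTS | ACTION | APP | index" layout; an empty
# ACTION means "allow silently". APP "*" marks a global rule. Sample data is constructed.
RULES_TEXT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion | ProductId | READ KEY, READ VALUE | Ask User | * | 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion | RegisteredOwner | READ KEY, READ VALUE | Ask User | * | 2
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion | ProductId | READ KEY, READ VALUE | | regwatcher.exe | 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run** | * | SET VALUE, DELETE VALUE | | regwatcher.exe | 2
"""
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def norm_key(key):
    """Expand the log's hive abbreviation and lower-case: registry paths are case-insensitive."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        key, value, events, action, app, _idx = [c.strip() for c in line.split("|")]
        rules.append({"key": key, "value": value, "app": app.lower(),
                      "events": {e.strip().lower() for e in events.split(",")},
                      "action": action or "Allowed"})
    return rules

def parse_event(log_line):
    """Parse an RD log line: time | event | result | key | value | app."""
    _t, event, _result, key, value, app = [c.strip() for c in log_line.split("|")]
    return {"event": event.lower(), "key": key, "value": value, "app": app.lower()}

def rule_matches(rule, ev, buggy):
    if ev["event"] not in rule["events"] or not fnmatch.fnmatchcase(
            norm_key(ev["key"]), norm_key(rule["key"])):
        return False
    # Assumed model of the bug: application rules get the value name already
    # lower-cased (as it appears in the logs) but compare it case-sensitively, so
    # "ProductId" never equals "productid" and the rule silently fails to fire.
    if buggy and rule["app"] != "*":
        return fnmatch.fnmatchcase(ev["value"], rule["value"])
    return fnmatch.fnmatchcase(ev["value"].lower(), rule["value"].lower())

def decide(rules, ev, buggy=False):
    """Application rules for the calling process are consulted before global rules."""
    for scope in ("app", "global"):
        for r in rules:
            in_scope = r["app"] == ev["app"] if scope == "app" else r["app"] == "*"
            if in_scope and rule_matches(r, ev, buggy):
                return r["action"]
    return "Allowed"  # no rule covers this event
```

With `buggy=True` the RegWatcher read of `productid` falls through to the global rule and prompts, exactly the symptom in the thread; lower-casing the value in the application rule (the workaround posted above) makes it match even under the buggy compare.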