Are you using Kent's and Tony's additions with 2.0?

Discussion in 'Ghost Security Suite (GSS)' started by richrf, Sep 12, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Has anyone analyzed the usefulness of adding Kent's and Tony's rules to the latest version of RD 2.0? Is it still worthwhile since there are so many new rules to 2.0? Thanks for the info.

    Rich
     
  2. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I did import them both back in just to be safe with 2.0.

    When in the configure window, if you click on the Global Registry Rules (to display everything) and then click on the Key column to sort by key, you'll see all the duplicate entries in the different groups. Most of them are already incorporated now with the 2.0 defaults.

    You can delete the newly imported duplicates and leave anything not covered by 2.0's defaults behind if you wish. Some not covered by default seem important.

    I haven't encountered a situation where these few extra rules got used yet, so I don't know how necessary they are.

    But personally I'm hoping I never do need them, but they are there if necessary. ;)
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I agree with rickontheweb. I did the same exact thing, Rich.

    No probs at all with doing so as well.
     
  4. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I only have one issue with importing the older sets. Did wildcard handling change in 2.0?

    I'm not sure if they mean "*" or if it now should be "\**" at the end of some of these imported reg entries.

    It appears to me on what's left of Tony's files after duplicate removal that reg entries ending with wildcards should be changed to "\**" instead of "*" at the end of the entry.

    But I get more confused on Kent's entries if he meant "*" or "\**" now.

    I hope these guys get some time to update their files for version 2.0, so whatever isn't being handled by default can be added back in without the confusion.

    Sometimes it just looks like the wildcarding in older imports seems wrong now.
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    You can simply replace any * in the KEY with ** and it will have the same meaning as in 1.3.

    The other thing that you should do is replace any instances of

    • controlseto_O
    • controlset*
    • currentcontrolset

    with

    • *controlset*

    That way the rules will work as intended.

    The other point to note is that, as long as you add the groups in *after* the default groups that Jason provides, having duplicates won't cause any issues. RegDefend stops when it finds a match, so if there is a duplicate it will never be seen, as it will be matched by Jason's supplied groups first, seeing as they are higher up in the groups list.

    I have done some fairly simple speed tests and not noticed any slowdowns unless I do something silly like logging every read and running ccleaner. The bottleneck then becomes I/O to disk as the GSS gets busy writing useless entries into the logfile and consuming memory in the alert tab listview. The reason I mention this is because, from my use of the GSS/RD, a few extra (duplicated) sensible rules haven't increased the cost in any way that I could notice.
     
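    An added example (my own Python model, not RegDefend code or any poster's .ghst file) of the two points in the post above: migrating 1.3-style keys with the two edits described, then first-match evaluation showing why imported duplicates placed after the default groups never fire. The sample rules are constructed, and the wildcard semantics (`**` spans backslashes, `*` stays inside one key segment) are an assumption of the model, not documented RegDefend behaviour.

```python
import re
# Constructed sample rules (group, key); not from any real .ghst file.
# The "Imported" keys use the 1.3-style single "*" wildcard.
IMPORTED_13 = [
    ("Imported", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Services\*"),
    ("Imported", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*"),
    ("Imported", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon*"),
]
# Constructed stand-ins for the default 2.0 groups, already in 2.0 syntax.
DEFAULT_20 = [
    ("Default", r"HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\**"),
    ("Default", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run**"),
]

def migrate_key(key):
    """Apply the two edits from the post: every 1.3 '*' becomes '**', then any
    controlset*/currentcontrolset path segment becomes '*controlset*'."""
    key = key.replace("*", "**")
    return re.sub(r"(?i)\\(currentcontrolset|controlset\**)(?=\\|$)",
                  r"\\*controlset*", key)

def translate(pattern):
    """ASSUMED wildcard semantics for this model only: '**' spans any text including
    backslashes, '*' stays within one segment; registry keys are case-insensitive."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + r"[^\\]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$", re.IGNORECASE)

def build_ruleset():
    """Defaults first, imported groups appended after them, as advised."""
    return DEFAULT_20 + [(g, migrate_key(k)) for g, k in IMPORTED_13]

def first_match(rules, key):
    """RegDefend-style evaluation: the first rule that matches wins."""
    for group, pattern in rules:
        if translate(pattern).match(key):
            return group, pattern
    return None

def duplicate_rules(rules):
    """Later rules whose key repeats an earlier one; they can never fire."""
    seen = set()
    return [(g, p) for g, p in rules if p.lower() in seen or seen.add(p.lower())]
```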
  6. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Thanks gottadoit. That helps immensely on cleaning up my rules and eliminating redundant entries.

    But it leaves me a little confused on wildcards in 2.0. How does wildcarding affect these 4 reg rules, just for example:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost*

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost**

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost\*

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost\**
     
  7. xxzlmnop

    xxzlmnop Guest

    I guess I should wait to buy this app as it appears to be in beta stage with these changes. I want it to work without having to make changes to additional gst files.
     
  8. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    The default rules in 2.0 are more than adequate protection for most users. I personally don't consider this version to be beta. If the application prompts for allow/deny decisions too often, many will shy away from it as being too complex, yet obviously it has to accommodate advanced, paranoid and/or obsessive security-minded people as well. So the default rule choices are always a balance between ease of use and advanced decisions.

    But on a security forum like here there are always those like us that want to take it further, which any good security application should accommodate. That's all we are discussing here. Many of Tony's and Kent's rules did get incorporated into 2.0 default rules. The others may be unnecessary. I personally would rather have them than not.

    I happen to like most of the changes that came with 2.0. It's much more flexible for the advanced user while still being "out of the box" usable for most people. But the choice is yours.
     
  9. Pollmaster

    Pollmaster Guest

    Indeed. Jason should really allow us to have more control over the log. Being able to turn it off, or to only record certain entries. Is there any other mode other than "alert"?
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pollmaster,
    I was wondering if you had noticed the "[] Log to disk" option for a rule, as that is what I would normally use in the situation that I put myself in.

    In my case I was doing some stress testing of RD to try and see where its limitations were. What I found was that 2.x is much better than 1.x at coping with rulesets containing rules that are triggered frequently.
     
  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Well, I've noticed that the option to log or not is available in the global registry rules, but only for blocked exceptions in the application rules. It's only available as a check box in the application rules if you make exceptions to block something; it disappears when setting allows. All the specific exceptions that we allow in the application rules get logged. Since I go back into my application allows and make them rather specific so I still get prompted for non-routine changes, I consider these rather specific application allows "routine and safe", and I would like the ability to uncheck that log box to eliminate them from cluttering up the log view. So the log/not log feature is nice, but incomplete when it comes to allowed exceptions.

    2.0 seems a very minimal hit on performance here. The only slowdown I notice at all is scanning with a registry cleaner app, and I expect that since it's doing nothing but scanning the registry at high speed. Unchecking all the ghst groups in 1.3 made it scan faster, but setting it to disabled in 2.0 doesn't seem to speed it back up anymore. I notice the stats window in 2.0 still gathers read/write numbers; maybe that's it. But it's the only app where I notice any difference with RegDefend installed, and it's not that bad. I don't "clean" my registry too often so it's not an issue.
     
  12. poll2

    poll2 Guest

    I don't think the ability to choose which rule to log is the point.

    In general, I would want all rules to be logged, but once I set up a rule exception allowing an app access, it seems pointless for it to be logged further. It just clutters up the log and makes it difficult for me to see the more important info.

    I think it's almost 100% pointless to log "Allowed" actions (this happens when it matches an application rule, right?). Why should they be logged? They aren't really exceptions. Seems unusual, since my personal firewall logs only exceptions to rules, not allowed transactions.

    In my logs, almost 90% are "allowed" actions and they make it difficult to see what is really important. Not to mention they cause the logs to become really big.

    What is most important for me, I think, are the blocked(user) and blocked lines.

    Some quick way of showing only those entries would be nice.

    I might be crazy, but I wish the log was more searchable.
     
  13. poll2

    poll2 Guest

    Exactly. I don't want allowed specific app exceptions to be logged. I already set a rule to allow it, no need to log it. Either make it an option, or turn it off by default.

    I got dozens of svchost "allowed" rules mucking up my ruleset.
     
  14. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I am a newbie.. I tried to import "puff's" ruleset, but I had no idea what I was doing.. after I imported the ruleset, I had an extra group in the global rules, I forgot the name of it, but it was marked with a red x.. I would think that the red x indicated that something was wrong.. :(
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Try clicking the red X and see if it magically turns into a green tick!

    Actually I still haven't upgraded to version 2, but that is what you do with version 1.3.
     
  16. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    It's not that something is wrong; it's an indicator that the rule set in question has not been enabled. In RD 2.0, highlight the rule set and then look to the right of the Group Name entry field; you will see Group Enabled and a check box. Click in the box and the X will disappear.

    I hope this helped, take care.
     
  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Can someone post the modified Kent and Tony ghst files with the wildcard changes. I am lost here in trying to change them and finding the duplicates. I might also be lost in inserting them since they have to go in a certain order after the standard set as I was told, but that is another story.

    dja2k
     
  18. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    So I am guessing no one wants to share the modified kent and tony files......

    dja2k
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I can only upload as .txt, so you'll have to save as .ghst.

    There should be 17 rules - so check I've put up the correct file.
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Again, there should be 20 rules if I've put up the correct file.
     
  21. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yuk! This all seems to have gone wrong.

    The files appear to have got scrambled during uploading. If anyone knows what I did wrong I'll try again.
     
  22. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Yep they sure are scrambled.... Anyone else care to help TopperID out or post their own files?

    dja2k
     