Can't stop application from prompting

Discussion in 'Ghost Security Suite (GSS)' started by share98, Sep 7, 2005.

Thread Status:
Not open for further replies.
  1. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    31
    I have a program called cachcleaner. It runs whenever I close my browser. One of the things it does is to delete my index.dat file.
    The log file shows me the following.


    Event set value
    Action Allowed [user]
    group Special Registry Items
    key HKLM\System\Controlset001\Control\Session manager
    value pendingfilerenameoperations
    Extra data [REG_MULTI_SZ] \??\C:\Documents and Settings\Stephen Hare\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    What do I need to change to stop RegDefend from asking me if I want to delete index.dat? Thanks.
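
Added example, not part of the original post and not RegDefend code: the `pendingfilerenameoperations` value in the log above is the Windows queue of file deletes and renames carried out at the next boot, stored as REG_MULTI_SZ pairs of source and target path where an empty target means delete. The sketch below decodes such data so the queued operations can be reviewed; the function names and the second sample entry are constructed for illustration.

```python
from typing import List, NamedTuple

NT_PREFIX = "\\??\\"  # NT object-manager prefix seen in the logged data


class PendingOp(NamedTuple):
    action: str    # "delete" or "rename"
    source: str
    target: str    # empty for a delete
    replace: bool  # target was written with a leading "!" (replace existing)


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> List[PendingOp]:
    """Decode REG_MULTI_SZ bytes into (source, target) operations.

    Entries come in pairs; an empty target means "delete source at boot".
    """
    parts = raw.decode("utf-16-le").split("\x00")
    ops, i = [], 0
    while i < len(parts):
        src = parts[i]
        if not src:            # list terminator or padding, not a source
            i += 1
            continue
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp("rename" if dst else "delete",
                             strip_nt_prefix(src), strip_nt_prefix(dst), replace))
        i += 2
    return ops


def multi_sz(strings: List[str]) -> bytes:
    """Build constructed sample data: NUL-separated strings plus list terminator."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


INDEX_DAT = (r"\??\C:\Documents and Settings\Stephen Hare\Local Settings"
             r"\Temporary Internet Files\Content.IE5\index.dat")
SAMPLE = multi_sz([
    INDEX_DAT, "",                                       # delete, as in the log above
    r"\??\C:\Temp\new.dll", r"!\??\C:\Example\app.dll",  # constructed rename entry
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE):
        print(op.action, op.source, "->", op.target or "(removed at boot)")
```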
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi share98,

    When you allowed cachcleaner to mod the value, did you tick the "Always perform the action I take"? If so then it looks like you're having the same prob I'm having to stop alerts from RegWatcher (a registry poller).
     
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    I've got the same problem in regard to that key (HKLM\System\Controlset001\Control Session manager), I have a few applications that want to read and set value for that key and even if I ticked the "always perform the action I take" box, I still receive alerts from those applications o_O

    Is it possible that the "always perform the action I take" on the key "HKLM\System\Controlset001\Control Session manager" does not work?
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
  5. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Thanks Tonyjl for the links but I am not sure I understand what is being talked about in this thread (at least what has been done as a workaround)... For me the workaround that I have found is to find every key corresponding to HKLM\System\Controlset001\Control Session manager in each group and remove the tick on the read and set value box!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    CCleaner and CleanCache both have apparently gone nuts on me here. Even though I thought I had the problem fixed, it started re-occurring here big-time yesterday (with no changes done by me since I had it "fixed").

    There is definitely a problem here that needs to be addressed. Pete
     

  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pete,
    You have shown a log entry for a "Read Value" in HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager for pendingfilerenameoperations.
    That doesn't happen by default....

    If you have a look at the alert it will show you what group it came from, and then the next step is to have a look at the rule in that group to see why.

    If it was the ccleaner.exe group in your Application Rules, look at the rule that covers "Session manager"; you should check and make sure that it hasn't accidentally obtained a block for "Read Value"



    • click on the rule
    • then click on the "o Block" so that you see Blocking rules
    • if "Read Value" is ticked and "Ask User" is selected
    • then untick Read Value
    If it was the Special Registry Items group, then click on the rule that covers "Session manager" and check and make sure that the "Read Value" is not ticked

    Let me know if this helps, I run crap cleaner here without any issues and without alert issues like you are describing

    Regards


    NB: Character based cut and paste is a good supplement to a screenshot..


    The default rule from Special Registry Items is
    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager | *FileRenameOperations | SET VALUE, DELETE VALUE | Ask User, Log to Disk | RD_1005_Special_Registry_Items | 2

    I have manually added the following application rules for crap cleaner

    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager | pendingfilerenameoperations | SET VALUE | | ccleaner.exe | 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run | ccleaner | DELETE VALUE |  | ccleaner.exe | 2
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'll see if I can figure all of that out, but I can tell you right now that this is getting way too complex for something that should be simple.

    Why isn't there an "Ignore", "Exclusions" or "Always allow all calls from this app" function for programs that you trust? Pete
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Jason - Did you do something in that last update to solve the problem with CleanCache and CCleaner? I just ran both of them awhile ago and neither of them triggered off any alerts - and I haven't changed anything further, settings-wise, in RD since yesterday. Pete
     
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Pete, yes most likely the new update fixed your issues. The problem was due to the GUI not properly processing value names in application rules, in a format the driver could handle. The update fixed this, which would fix most people's issues with "not remembering" their actions.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks, Jason.

    Should I go ahead and put the allowances for HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager back to - um - whatever the defaults were now? (Right now I have checkmarks in all "events" for that key). Pete
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pete,
    Here is what I have
    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager | *FileRenameOperations | SET VALUE, DELETE VALUE | Ask User, Log to Disk | RD_1005_Special_Registry_Items | 2
    Regards

    NB: Using copy and paste to describe the rule presents it in a uniform way
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, gottadoit - I set it back to default. Pete
     