CBOclean and RegDefend settings?

Discussion in 'Ghost Security Suite (GSS)' started by waldovanlaeken, Jul 11, 2007.

Thread Status:
Not open for further replies.
  1. waldovanlaeken

    waldovanlaeken Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    35
    Location:
    Belgium
    Hello!

    I'm a user of Regdefend (full version) and CBOclean.

    I use the "Tony.gsr" list.

    My problem is that every time BOClean detects malware, RegDefend asks for permissions on different regkeys.

    Of course I want to allow BOClean ALL permissions.

    The main problem is that BOClean uses the registry in so many different ways when deleting malware that even when you allow (and remember) the questions of RegDefend, when BOClean detects another kind of malware it (RegDefend) asks more questions. I have many many rules for BOClean in RegDefend, but it keeps asking for more :(

    Isn't there a (simple) way to give BOClean ALL permissions in RegDefend so that it can run undisturbed and do its job without alerts from RegDefend?

    Thanks!
     
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Can you try adding global rules in the per-application settings,

    like
    HKCU/**
    HKLM/**

    etc ...
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That shouldn't be necessary for an 'allow' rule, because the only Keys being protected are those within the 'Tony' rules. It should be possible to create App rules for these via the alert boxes; so I can't think why this is not happening for BOClean.

    waldovanlaeken could you give some examples of the Registry writes that BOClean is making? Use of a wildcard further along the tree should do the trick.
     
  4. waldovanlaeken

    waldovanlaeken Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    35
    Location:
    Belgium
    Hey,


    The rules f3x suggested seem to work. No more questions from RegDefend for CBOClean.


    I tested it with: Beast trojan, Donald Dick, Rewind, Netbus, Thief 2.

    I also run ShadowUser to keep me clean from permanent infections.

    TopperID: I don't have any more questions from BOClean now (after adding the rules). But when I test another trojan infection and get any messages, I will report them.
     
  5. waldovanlaeken

    waldovanlaeken Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    35
    Location:
    Belgium
    I just tested CBoclean again with a trojan-test from http://www.misec.net/trojansimulator/

    And oh my God! The messages I get from RegDefend are countless when BOClean detects it :( I even had to kill RegDefend in the Task Manager to stop the messages!

    I use the latest Tony ruleset with no modifications on my behalf.

    What can I do to stop this and let BOClean work without questions from RegDefend?
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    waldo, maybe you are not doing something right.. i would try deleting the ruleset that you have and replacing it with a fresh copy of tony's latest ruleset.. here is a link for it:

    https://www.wilderssecurity.com/attachment.php?attachmentid=179101&d=1148909762

    when i run the "trojansimulator" there is only one key that is created in the registry, which is a startup key (and so there is only one alert from "regdefend").. then, i start c-BOClean and it flags the "tsserv.exe" process, then i allow c-BOClean to remove the file and run its cleaning process.. (i closed c-BOC in order to allow the trojansimulator to run, then i started c-BOC after the trojansimulator had installed)

    maybe things are different on other computers because i have some of c-BOC's cleaning-options disabled, but here is my regdefend-log from installing the "trojansimulator" (the first entry in the log) and then c-BOC's cleaning process, the next few entries in the log..
     

    Attached Files:

    Last edited: Jul 18, 2007
  7. waldovanlaeken

    waldovanlaeken Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    35
    Location:
    Belgium
    This is only a little part of the log I have from testing the simulator before I killed it in the Task Manager to stop the never-ending messages.
     

    Attached Files:

  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    waldo, when you see a regdefend-alert, asking you if you want to allow an action, i think you should try clicking "always allow this action" instead of manually allowing each action, individually..

    i am not saying that you should always click "always allow" for everything, but do it for things you trust, like when c-BOC is doing its cleaning process.. if you click "always allow", then you won't have to manually allow each of the individual actions..
     
    Last edited: Jul 18, 2007
  9. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    waldo, i see what you mean, now.. when i enabled "automatic cleanup of winsock connectivity" and let BOC run its cleaning process, there were a lot of regkeys that were modified, one way or another.. still, it is manageable (i think!)..

    you can click "always allow" and then, if you want to go back and tweak the rules, you can do that.. that is what i am doing, now.. i let BOC do its cleaning process, clicking "always allow".. then i tweaked the rules and tried again, and i had more alerts where i had to click "always allow", and so now i will tweak the rules some more, and then try again..

    alternatively, you could disable some of BOC's cleaning options, if you wanted to.. i disable some of the cleaning options because i don't want my "HOSTS" file or my activex-controls to be "removed", and i don't want my settings in IE to be modified..

    i was going to upload my ruleset for BOClean 424 for you to use, if you wanted to, but i wasn't able to do that..
     
  10. waldovanlaeken

    waldovanlaeken Registered Member

    Joined:
    Jul 11, 2007
    Posts:
    35
    Location:
    Belgium
    I'm glad somebody seems to have the same regdefend/Boclean problems as me.

    You say that disabling some BOClean clean-up settings can be a solution, but this is NO option for me. I'm very happy with the BOClean options, so I want to have them ALL enabled. They offer the protection that I want and need.

    The point of this thread (and my original question) is: why is it so difficult to give BOClean a simple rule, so that it can do whatever it wants?

    Why can't I just "exclude" BOClean in RegDefend with some simple major rule?
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you create an App Rule for BOClean allowing it to read/create/modify Keys and read/set/delete values on the HKEY_LOCAL_MACHINE\System\*controlset*\Services** tree you should be able to avoid all of the alerts in the log you show.

    If it doesn't then there may be a bug somewhere.

    I'm using GSS 1.010 which could be different in this respect.

    Edit - just a thought, has BOClean's file path changed for any reason?
     
    Last edited: Jul 19, 2007
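To make the difference between the two rule styles in this thread concrete (f3x's subtree-wide HKCU/** and HKLM/** rules in post 2 versus TopperID's scoped Services rule in post 11), here is an added example that is not from the thread or from the GSS/RegDefend product: a small Python matcher that applies wildcard registry rules to sample key paths. The '*' versus '**' semantics, the HKCU/HKLM aliases and the sample key paths are assumptions made for the example, not RegDefend's documented behaviour.

```python
import re

# Rule semantics are an assumption for this example, not RegDefend's documented
# syntax: '*' matches any text within a single key name, '**' matches any text
# including separators (a whole subtree). '/' and '\' are both accepted.
ROOT_ALIASES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}


def normalize(path: str) -> str:
    """Lower-case, unify separators and expand HKCU/HKLM so matching is uniform."""
    p = path.strip().replace("/", "\\").lower().rstrip("\\")
    root, sep, rest = p.partition("\\")
    return ROOT_ALIASES.get(root, root) + sep + rest


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a wildcard rule into an anchored, case-normalised regex."""
    escaped = re.escape(normalize(rule))
    escaped = escaped.replace(r"\*\*", "\x00")   # protect '**' before handling '*'
    escaped = escaped.replace(r"\*", r"[^\\]*")  # '*' stays inside one key name
    escaped = escaped.replace("\x00", ".*")      # '**' crosses key boundaries
    return re.compile(escaped)


def matches(rule: str, path: str) -> bool:
    return rule_to_regex(rule).fullmatch(normalize(path)) is not None


def coverage(rules: list, writes: list) -> dict:
    """Map each registry write to whether any rule in the set allows it."""
    return {w: any(matches(r, w) for r in rules) for w in writes}


# The scoped rule from post 11 versus the subtree-wide rules from post 2.
NARROW_RULE = r"HKEY_LOCAL_MACHINE\System\*controlset*\Services**"
BROAD_RULES = ["HKCU/**", "HKLM/**"]

# Constructed sample of keys a cleanup tool might write; not taken from any log.
SAMPLE_WRITES = [
    r"HKLM\System\CurrentControlSet\Services\Winsock2\Parameters",
    r"HKLM\System\ControlSet001\Services\Tcpip\Linkage",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for label, rules in (("narrow", [NARROW_RULE]), ("broad", BROAD_RULES)):
        print(label, coverage(rules, SAMPLE_WRITES))
```

The narrow rule covers the Services writes under every control set but still leaves the Run keys protected, whereas the broad rules silence every alert for the application at the cost of protecting nothing from it.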