CBOclean and regdefend settings ?

Hello!

I'm a user of Regdefend (full version) and CBOclean.

I use the "Tony.gsr" list.

My problem is that everytime Boclean detects a malware Regdefend asks for permissions of different regkeys.

Offcourse i want to allow Boclean ALL permissions.

The main problem is that Boclean uses the registery in so many different ways when deleting malware that even when you allow (and remember) the queqtions of Regdefend, when Boclean detects another kind of malware it ask (regdefend) for more questions. I have many many rules for Boclean in regdenfend, but it keeps asking for more

Isn't there a (simple) way to give Boclean ALL permissions in regdefend so that it can run undisturbed and do his job without alerts from regdefend ?

Thanks ?

 

Can you try to add global rules in per application setting

like
HKCU/**
HKLM/**

etc ...

 

That shouldn't be necessary for an 'allow' rule, because the only Keys being protected are those within the 'Tony' rules. It should be possible to create App rules for these via the alert boxes; so I can't think why this is not happening for BOClean.

waldovanlaeken could you give some examples of the Registry writes that BOClean is making? Use of a wildcard further along the tree should do the trick.

 

Hey,


The rules FX3 suggested seems to work. No more questions from Regdefend for Cboclean.


I tested it with : Beast trojan , Donald Dick , Rewind , Netbus, Thief 2.

I also run ShadowUser to keep me clean from permanent infections.

TopperID : I don't have anymore qustions from Boclean now (after adding the rules). But when i test another trojan infection an get any messages, i will report them.

.

 

I just tested CBoclean again with a trojan-test from http://www.misec.net/trojansimulator/

And OH my God ! the messages i get from Regdefend are countless when Boclean detects it I even had to kill Regdefend in the taskmanager to stop the messages !

I use the latest Tony ruleset with no modifications on my behalf.

What can i do to stop this, and let Boclean works without questions from regdefend ?

 

waldo, maybe you are not doing something right.. i would try deleting the ruleset that you have and replacing it with a fresh copy of tony's latest ruleset.. here is a link for it:

https://www.wilderssecurity.com/attachment.php?attachmentid=179101&d=1148909762

when i run the "trojansimulator" there is only one key that is created in the registry, which is a startup key (and so there is only one alert from "regdefend").. then, i start c-BOClean and it flags the "tsserv.exe" process, then i allow c-BOClean to remove the file and run its cleaning process.. (i closed c-BOC in order to allow the trojansimulator to run, then i started c-BOC after the trojansimulator had installed)

maybe things are different on others computers because i have some of c-BOC's cleaning-options disabled, but here is my regdefend-log from installing the "trojansimulator" (the first entry in the log) and then c-BOC's cleaning process, the next few entries in the log..

 

This is only a little part of the log i have from testing the simulator before i killed it in taskmanager to stop the never ending messages.

 

waldo, when you see a regdefend-alert, asking you if you want to allow an action, i think you should try clicking "always allow this action" instead of manually allowing each action, individually..

i am not saying that you should always click "always allow" for everything, but do it for things you trust, like when c-BOC is doing its cleaning process.. if you click "always allow", then you won't have to manually allow each of the individual actions..

 

waldo, i see what you mean, now.. when i enabled "automatic cleanup of winsock connectivity" and let BOC run its cleaning process, there were a lot of regkeys that were modified, one way or another.. still, it is managable (i think!)..

you can click "always allow" and then, if you want to go back and tweak the rules, you can do that.. that is what i am doing, now.. i let BOC do its cleaning process, clicking "always allow".. then i tweaked the rules and tried again, and i had more alerts where i had to click "always allow", and so now i will tweak the rules some more, and then try again..

alternatively, you could disable some of BOC's cleaning options, if you wanted to.. i disable some of the cleaning options because i don't want my "HOSTS" file or my activex-controls to be "removed", and i don't want my settings in IE to be modified..

i was going to upload my ruleset for BOClean 424 for you to use, if you wanted to, but i wasn't able to do that..

 

I'm glad somebody seems to have the same regdefend/Boclean problems as me.

You say that disabling some Boclean clean-up settings can be a solution, but this is NO option for me. I'm very happy with Boclean options, so i want to have them ALL enabled. They offer the protection that i want and need.

The meaning of this thread (and my orginal question) is that why it is so diffucult to allow (give) BOclean a simple rule, so that it can do wathever it wants to.

Why can't i just "exclude" Boclean in Regdefend with some simple major rule ?

 

If you create an App Rule for BOClean allowing it to read/create/modify Keys and read/set/delete values on the HKEY_LOCAL_MACHINE\System\*controlset*\Services** tree you should be able to avoid all of the alerts in the log you show.

If it doesn't then there may be a bug somewhere.

I'm using GSS 1.010 which could be different in this respect.

Edit - just a thought, has BOClean's file path changed for any reason?