DHCP entries

Discussion in 'Ghost Security Suite (GSS)' started by Rmus, Nov 27, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello,

    I'm using a trial version of RegDefend, and each time I log on-off the internet,
    services.exe and svchost delete/write domain/dhcp entries to the Registry:

    http://www.rsjones.net/img/regdef-log.gif

    I'm looking at the Help file about creating a group -
    can I put all of those Registry entries into a group so that there will be no more alerts?

    Thanks,

    -rich
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Rmus,
    The best way to stop the alerts would be to create a group for each executable (under Application Rules) and add the keys you have identified (with a minimal set of Allow permissions to match the logged entries you have seen) to each application group

    If you wanted to tie it down a tiny bit more, then when you specify the svchost.exe process add its command line to the group so that only that svchost instance has permissions to make the change without prompting

    For example, I already have an entry for services.exe so in my case I would simply add some extra rules to the existing application group to cover the registry keys being alerted on. I also happen to have an application group for svchost.exe with the command line parameters "-k netsvcs" so I would add the rules for the other keys into that one (assuming that your alert is related to that svchost instance of course)

    Hope that helps
     
  3. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    I may be totally wrong about this, but I believe what Rmus is seeing and talking about is when Windows (svchost.exe) is renewing the IP address lease on the NIC. Like gottadoit, I too have an Application Rule that allows this without any intervention on my part. What I see as the problem though is there is currently no way, that I have found, to turn off logging for Application Rules.

    The screenshots below, of the Global Registry Rule Group Networking Protection rule for what Rmus showed in his screenshot and my Application Rule for svchost.exe, clearly show that we can turn on/off logging for the Global Registry Rules. However currently we do not have that option for Application Rules. This is something I have added to the Suggestions/Wishlist thread, and may have suggested in an email to Jason concerning the current beta of GSS. Also with the current beta, RD has lost some functionality that was present in the current release version. One thing that comes to mind is the ability to display the cmd line for an application, which for svchost would be very useful to see how it was called.
     

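gottadoit suggests pinning the svchost.exe rule to the instance's command line, and Disciple notes the beta no longer shows that command line. The following is an added example (not from the thread or from Ghost Security Suite) that recovers that information from Windows itself: it maps each svchost.exe instance to its command line and hosted services, flags the one running the DHCP Client service ("Dhcp"), and lists the Dhcp* values the Windows DHCP client writes under the Tcpip interface keys. It assumes the CIM cmdlets of a current Windows host; the "-k" service group name and the registry values are well-known Windows defaults, not taken from the thread.

```powershell
# Added example: identify which svchost.exe instance hosts the DHCP Client
# service, so an application rule can be tied to that command line only.
# Assumption: modern Windows with Get-CimInstance (WMI classes are the same
# as on older systems, where Get-WmiObject would be used instead).

function Get-SvchostInstances {
    $procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    foreach ($p in $procs) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    Select-Object -ExpandProperty Name)
        [PSCustomObject]@{
            PID         = $p.ProcessId
            # The "-k <group>" argument is what a rule can be scoped to; the group
            # that carries Dhcp varies by Windows version, so read it from here
            # rather than assuming "-k netsvcs".
            CommandLine = $p.CommandLine
            Services    = ($hosted -join ', ')
            HostsDhcp   = ($hosted -contains 'Dhcp')   # service name of "DHCP Client"
        }
    }
}

function Get-DhcpRegistryValues {
    # Values the Windows DHCP client rewrites on lease renew/release; these are
    # the keys a minimal Allow rule for that svchost instance would cover.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem $base | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Interface     = $_.PSChildName      # adapter GUID
            KeyPath       = $_.Name
            DhcpIPAddress = $v.DhcpIPAddress
            DhcpServer    = $v.DhcpServer
            DhcpDomain    = $v.DhcpDomain
        }
    } | Where-Object { $_.DhcpIPAddress }       # only interfaces actually using DHCP
}

# Show the DHCP-hosting svchost instance (with its command line) and the keys it touches.
Get-SvchostInstances | Where-Object HostsDhcp | Format-List
Get-DhcpRegistryValues | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since Win32_Process.CommandLine is empty for processes the caller cannot inspect.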
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Disciple and gottadoit -

    I'll study what you've suggested.

    Meanwhile, I just disable RegDef at the log on - off moment; saves 5 "allow" clicks each time.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     