Emulating Ad-Watch

Discussion in 'Ghost Security Suite (GSS)' started by Defenestration, Feb 23, 2005.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I currently use Ad-Watch, and wanted to know how to achieve the same/better protection with RegDefend. The Ad-Watch options "Lock start-up section", "Block possible browser hijack attempts", "Lock executable file associations" are the options that can be emulated in RegDefend.

    1) "Lock start-up section" has already been taken care of with the "AUTO STARTS" group.

    2) "Block possible browser hijack attempts" has been partly taken care of by the Browser Helper Objects Registry Item. The other items I can think of are home page, search page, default error page. Which keys/values do I need to protect for these items?

    What else do I need to protect ?

    3) "Lock executable file associations" has not been taken care of. All these associations are stored under the HKEY_CLASSES_ROOT key. Should I just protect the whole HKCR key to protect all associations, or would this cause problems?

    Why are these not protected by default ?


    That aside, what other registry items would you recommend I protect? e.g. KAV key, LnS key, PG, TDS, Ad-Aware/Ad-Watch etc.
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Good questions. I hope someone is able to address them. Currently I also own Ad-watch so I would like to feel comfortable that I am receiving at least equal protection before trading it in for RegDefend.

    Rich
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    We agree, job already done; let's see the following.

    I am not a spyware expert nor an IE expert, but from a quick look at the registry it seems that the keys involved are:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    HKEY_USERS\S-1-5-21-1935655697-515967899-839522115-500\Software\Microsoft\Internet Explorer
    HKEY_CLASSES_ROOT\Applications\iexplore.exe

    These are, I think, the global keys to control. If you want precisely to look at the search page or default page, it is in:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    (same for the other one)

    RegDefend by default only protects the value StartPage in the above key (\Main); for better security protect the "\Internet Explorer\" root.
    EDIT : this is wrong, see my other post below

    By taking a look at HKEY_CLASSES_ROOT, it seems to only be about files and associations, so protecting the whole root seems logical; however there are not only file extensions (beginning with a dot such as ".ext") but file descriptions too, and maybe other things. I will try to do it and report problems if any.


    I attach the "Ad-Watch" group I created containing Internet Explorer protection and file extension locking (runs fine on my comp).
    Just remove the .txt extension and move it into your "RegDefend\groups" folder.
    Then close and restart RegDefend; it should appear in the groups.
    Check that every key is protected from modifying and set on "Ask user", just to see if all goes well :)

    Regards,
    gkweb.
     

    Last edited: Feb 24, 2005
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Thanks for suggestions and attached group.

    This key (or more precisely the part beginning with S-1-5...) is different on every machine, e.g. on my machine it's

    Code:
    HKEY_USERS\S-1-5-21-1960408961-1957994488-1155901827-1004\Software\Microsoft\Internet Explorer
    If you use Firefox/Mozilla/Netscape, it's also worth protecting the following keys (ALL VALUES) from modification

    HKLM\SOFTWARE\Mozilla
    HKCU\Software\Netscape
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thanks for the information.

    That's why it would be useful to be able in RegDefender to use wildcards such as:

    Code:
    HKEY_USERS\S-1-5-21-*\Software\Microsoft\Internet Explorer
    Would be very useful.
     
  6. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Gkweb.
    I will await your findings on adding all the classes_root and see what happens.
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I have just discovered that when you protect from modifying:

    \RootKeys\

    trying to create any subkey or value is indeed blocked; however modifying or creating any key or value inside an existing subkey such as:

    \RootKeys\ExistingSubKeys\myNewValue

    will not be blocked.

    So either it is a bug, or it is by design.
    If the latter, I would request that settings added for a RootKey be applied to any SubKeys.

    The consequence is that you must actually protect the path:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    and not just:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

    Sorry for the mistake; I will update the group file in my post above.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Last tip before going to bed ;)

    Above, if you block the whole key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    RegDefend will ask you about IE trying to modify the values "Main\Fullscreen" and "\Main\Window_Placement".
    If you allow IE to modify anything inside this key, sure, external spyware still won't be able to modify the registry, but a malicious ActiveX from IE will.
    So the point is: how to allow IE to only modify these two values while still protecting the whole key?

    Since you cannot in RegDefend say "I protect this whole Key except these two values", you have to find something else.

    The trick I found is to create a first group on top of the others, in which you add the values you want to exclude from the other groups (either you want them to be allowed or denied, whilst the main group does the opposite), as shown in the screenshot.
    Thus when IE tries to modify these two values you will just have to "allow always", and IE will be added to your first group only, and so will be able to modify these values without any further prompt, while the key "\Main" is still protected even from IE.

    I hope I am clear... :)
     

    Last edited by a moderator: Feb 25, 2005
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The S-1-5-21-xxxx number key is mapped in as HKEY_CURRENT_USER when that user logs in. So if there is only one user on your computer, protecting HKEY_CURRENT_USER will be enough. If there isn't, then you would need to manually add each S-1-5-21-xxxx key currently.

    BTW nice spot on what you can do GKWEB. :)
     
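    An added example (not from this thread or from RegDefend) of the "manually add each S-1-5-21-xxxx key" step Jason describes: it enumerates the user hives currently loaded under HKEY_USERS (only logged-on users' hives are mounted there, which is the caveat), resolves each SID to an account name, emits the per-user Internet Explorer \Main path to put in a protection group, and snapshots the hijack-relevant values so a later run can be diffed. The value names and the output file path are assumptions of the example.

    ```powershell
    # Added example (not from the thread or from RegDefend): list the loaded
    # HKEY_USERS hives, map each S-1-5-21-* SID to an account, build the per-user
    # Internet Explorer \Main key paths a protection group needs on a multi-user
    # machine, and baseline the hijack-relevant values. Run as an administrator.

    $ieSubKey = 'Software\Microsoft\Internet Explorer\Main'
    # Values the thread names as hijack targets (home page, search page, default page).
    $watched  = 'Start Page', 'Search Page', 'Default_Page_URL'

    function Get-IeMainKeysPerUser {
        # Only real user hives: skip *_Classes hives, .DEFAULT and service SIDs.
        Get-ChildItem 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
            ForEach-Object {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.PSChildName)
                try   { $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $acct = '(unresolved)' }   # profile of a deleted or domain account
                [pscustomobject]@{
                    Account = $acct
                    Path    = "HKEY_USERS\$($_.PSChildName)\$ieSubKey"
                }
            }
    }

    function Get-IeHijackBaseline {
        foreach ($key in Get-IeMainKeysPerUser) {
            # Missing key (user never ran IE) yields $null data rather than an error.
            $props = Get-ItemProperty -Path "Registry::$($key.Path)" -ErrorAction SilentlyContinue
            foreach ($name in $watched) {
                [pscustomobject]@{
                    Account = $key.Account
                    Value   = $name
                    Data    = if ($props) { $props.$name } else { $null }
                }
            }
        }
    }

    # Paths to add to the group, one per loaded user hive.
    Get-IeMainKeysPerUser | Format-Table -AutoSize
    # Baseline of the watched values; export now, re-run and diff later.
    Get-IeHijackBaseline | Export-Csv -Path "$env:TEMP\ie-main-baseline.csv" -NoTypeInformation
    ```

    Users who are not logged on have no hive under HKEY_USERS at run time, so the script must be repeated (or the hives loaded) to cover every profile on the machine.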
  10. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Thanks very much for this thread and info. Have installed on my system where I too use Ad-Watch.

    Now if we could get RegDefend to block pop ups, I could just throw Ad-Watch away.... ;) IE's pop up blocker blocks too much on some of the sites I use.

    I let Giant work as the memory monitor because it uses much less CPU utilization than Ad-Watch.
     
  11. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    You may want to move away from IE as a browser if you want better popup blocking, FireFox and Opera include some nice ones that I have found work quite well. :)

    That and Opera/Firefox are faster than IE too, not at loading up, but at displaying and viewing web pages. :)
     
  12. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Nice one GK....thanks for the tip :).

    Regards,
    Jade.
     
  13. Kaupp

    Kaupp Guest

    hi

    I don't think it was mentioned yet on the board that two auto-start locations not covered by RegDefend are the common and user Startup directories.

    Does anyone think these areas should be protected by regdefend?

    regards
    Kaupp
     
  14. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    These two startup areas should be protected IMHO; however, I haven't figured out yet how to do it through the registry so RegDefend can control the protection.

    Incidentally, Ad-Watch (Build 1.05) does not protect these. I bugged LS about this and never received any responses for LS (forum or otherwise). Giant protects them. I think Spy Sweeper does too.
     
  15. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    If I am following you correctly, you are talking about the

    C:\Documents and Settings\All Users\Start Menu\Programs
    and
    C:\Documents and Settings\yourname\Start Menu\Programs directories etc?

    If so, then they haven't been added as they are folders. But maybe Jason could add them....doubtful though, as this is a registry defence program :).


    Regards,
    Jade.
     
    Last edited: Feb 25, 2005
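    An added example, not from this thread or any of the products discussed, for the two Startup folders Kaupp and Jade are talking about: it resolves both folders from the "User Shell Folders" registry values Explorer uses to locate them (so the folder locations, at least, are registry items a tool like RegDefend could guard), then hashes their contents so a second run reports files that were added or changed. The baseline file path is an assumption of the example; it needs PowerShell 4 or later for Get-FileHash.

    ```powershell
    # Added example (not from the thread or from RegDefend): locate the common and
    # per-user Startup folders via the registry values Explorer reads, hash what is
    # inside, and on a second run report new or changed entries.

    # Explorer resolves these REG_EXPAND_SZ values to find the Startup folders, so
    # the values themselves are worth protecting alongside the folders' contents.
    $shellFolders = @{
        'Common Startup' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
        'Startup'        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    }

    function Get-StartupFolders {
        foreach ($name in $shellFolders.Keys) {
            $raw = (Get-ItemProperty -Path $shellFolders[$name] -ErrorAction SilentlyContinue).$name
            if ($raw) {
                [pscustomobject]@{
                    Name = $name
                    Path = [Environment]::ExpandEnvironmentVariables($raw)
                }
            }
        }
    }

    function Get-StartupBaseline {
        foreach ($folder in Get-StartupFolders) {
            # .lnk shortcuts are hashed too: a retargeted shortcut changes its hash.
            Get-ChildItem -Path $folder.Path -File -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Folder  = $folder.Name
                    File    = $_.FullName
                    SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Written = $_.LastWriteTimeUtc
                }
            }
        }
    }

    $baseline = "$env:TEMP\startup-baseline.csv"   # assumed location for the example
    if (Test-Path $baseline) {
        # Second run: entries present now but absent (or different) in the baseline.
        $old = Import-Csv $baseline
        Compare-Object -ReferenceObject $old -DifferenceObject (Get-StartupBaseline) -Property File, SHA256 |
            Where-Object SideIndicator -eq '=>' | Format-Table -AutoSize
    } else {
        Get-StartupBaseline | Export-Csv -Path $baseline -NoTypeInformation
    }
    ```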
  16. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I've noticed another problem that arises from protecting the HKEY_CLASSES_ROOT key. Some of my tray icons, for apps launched at startup, don't appear. The processes are running; it's just that there's no tray icon. The only way to get the tray icon to appear is to remove the protection, shut down and restart the process.

    I'm not really sure why since the tray icons do appear when launched manually. I'll do a bit more poking around to see what I can find.
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I do not see the link, as it is working pretty well on my computer.
    If you just protect the key from modifying, there is no problem, I don't even see a reason for a program starting to read the key.

    Anyway, if you have troubles protecting it, try to give us more clues, for instance just tick one protection at a time (modify/read key/value) and reboot to find the culprit.

    May be Jason will have more answers than me.

    Regards,
    gkweb.
     
  18. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I have tried protecting HKCR with the latest version 1.100 and all my tray icons appeared on reboot. I'll post again if I notice the problem again.
     
  19. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I've just had a few tray icons not appear again. This time all the ones that didn't appear were started from the Startup folders instead of from the registry. I did have a RegDefend confirmation dialog appear, so this might have something to do with the tray icons not appearing.

    The apps in question had actually started, and starting them again resulted in the tray icons appearing.

    This must be to do with RegDefend because this never happened before I installed RD.
     
  20. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I had this happen once just after I added the Ad-Watch group. On the next reboot, I received a RegDefend alert that C:\Windows\System32\CISVC.EXE was attempting to modify a Key in the Ad-Watch group on HKCR. I permitted it Always. Then another alert came that C:\Windows\EXPLORER.EXE was attempting to modify a Key in the Ad-Watch group on HKCR. I permitted it Always. As the reboot continued, some of the icons did not appear in the Systray.

    I rebooted again....no alerts...no missing icons...no missing icons on reboots since these two alerts.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    It would appear that the RegDefend alert on startup is somehow preventing some tray icons from being displayed.
     
  22. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    If you "permit" the alert and also check mark the "Always Allow" box, this should stop the problem starting with the next reboot.
     
  23. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Keep in mind that in Ad-Watch

    "Lock Executable File Associations: Blocks (only) the most common associations (used by worms and viruses) so that they cannot stealthily change executable, shortcut, and registry file associations."

    We have elected to set up HKCR for blocking all associations in HKCR. So some permits by trusted programs are necessary.
     
  24. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hmmm, not necessarily.

    I have had this happen only the one time so far after a reboot and have not received an alert from RegDefend beforehand. The icon is there but once the mouse is moved over it, it disappears.....move the mouse off and then it re-appears. If I end the program in the task manager and then restart it, the problem no longer exists. So that leads me to believe it is not just due to an alert from RegDefend. Quite strange.

    But given Jason and the beta team's track record of problem solving, it shouldn't take too long to figure out :).

    Regards,
    Jade.
     
  25. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    It just happened again with the missing tray icons. FYI, on bootup RegDefend alerted me that explorer.exe wanted to modify HKEY_CLASSES_ROOT. The TDS, Proxomitron and Wallpaper tray icons were all missing. All three of these apps were started from the startup folder, not the registry.
     