How does RegDefend compare to the same functionality in Tiny Firewall 2005 ?

Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Mar 4, 2005.

Thread Status:
Not open for further replies.
  1. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Jason,
    I was wondering if you could comment if the low level protection capabilities are the same, they seem to be similar (on the surface) ...
    Similarly if you feel like making a comment about PG and the equivalent Tiny functionality I would be very interested

    I'm interested for a few reasons, not the least being that you have hinted on several occasions that you have plugged several undocumented holes in Ring0 that things can slip through....
    It's entirely possible that you might have reviewed Tiny 6.0 at some point :) and might be in a position to comment

    Thanks
     
  2. gottadoit
    Surely someone has used both and possibly has an idea on their comparative merits

    Anyone ?
     
  3. gottadoit
    For what it's worth, I've found a comment by Paranoid2000 indicating that Tiny does block registry access prior to a change being made

    See the thread Tiny Firewall Pro 6.5

    Jason I would still be interested in your evaluation, does RegDefend do things any differently or in a better way....

    Obviously the Tiny method puts all of your eggs in one basket by combining f/w, process protection and registry protection together so that is one difference...

    At least I have an answer of sorts now... even if I am just talking to myself in a thread :-o
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    When I find the time I will give Tiny Firewall a run and see how it works exactly. If it does block the change first that means it is using hooking. Now you just need to work out if it is kernel mode hooking or user mode hooking. If it is usermode hooking it can still be circumvented.

    As to which is better, that is a different kettle of fish. Is there any noticeable system performance drop when Tiny is installed on your system?
     
  5. gottadoit
    Jason,
    Thanks for the reply, I don't actually have Tiny which is why I was asking the question in the hope that others on Wilders who do might respond.

    I like the idea of having different products in use on different machines, and Tiny seems to have some merit for one environment so that I have a proper sandbox to try running unknown programs in. However the price of it and the many comments that it takes a while (and can be a pain) to set up properly have made me think carefully.
     
  6. Jason_R0
    Seems we have heard the same things about it then. :)
    I'll see if any of my beta testers have any thoughts on the matter.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    *coughs loudly* Note that I said "Assuming that..." - I'm not an expert on Tiny's capabilities, but it has had the ability to track and reverse registry changes since its Tiny Trojan Trap days. This could be done by polling but it would seem more likely that Tiny intercepts registry modification, given that you can restrict programs to only accessing certain keys.
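    Jason's post and Paranoid2000's reply above distinguish two designs for registry protection: polling (detect a change after the fact and reverse it) versus interception (a hook that decides before the write lands). The following Python is an added illustration of that difference, not code from Tiny Firewall, RegDefend, Process Guard or anyone in this thread. It models the registry as an in-memory dict so it runs anywhere (a real Windows monitor would read the key through the winreg module); the Run key path is an assumption about what such a monitor would watch, and the value names and program paths are constructed.

```python
"""Polling ("detect and reverse") versus interception ("block before the
change") for an autorun registry key.

Added example: constructed illustration code, not code from Tiny Firewall,
RegDefend or Process Guard.  The registry is an in-memory dict so the script
runs on any platform; a real monitor on Windows would read the Run key
through the winreg module instead.
"""

# Assumption: the autorun key a registry monitor would typically watch.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


class FakeRegistry:
    """Stand-in for the live registry: key path -> {value name: data}."""

    def __init__(self):
        self._keys = {}

    def read(self, key):
        return dict(self._keys.get(key, {}))

    def write(self, key, name, data):
        self._keys.setdefault(key, {})[name] = data
        return True

    def delete(self, key, name):
        self._keys.get(key, {}).pop(name, None)


class PollingMonitor:
    """Detect-and-reverse: diff successive snapshots of one key and undo drift.

    A value written between two polls exists, and can already have been acted
    on, for the whole polling interval; it is only removed at the next poll.
    """

    def __init__(self, registry, key):
        self.registry = registry
        self.key = key
        self.baseline = registry.read(key)
        self.events = []  # (kind, value name, data) for each reverted change

    def poll(self):
        """Compare the key with the baseline, revert drift, return change count."""
        current = self.registry.read(self.key)
        reverted = 0
        for name, data in current.items():
            if name not in self.baseline:
                self.events.append(("added", name, data))
                self.registry.delete(self.key, name)
                reverted += 1
            elif self.baseline[name] != data:
                self.events.append(("changed", name, data))
                self.registry.write(self.key, name, self.baseline[name])
                reverted += 1
        for name in self.baseline:
            if name not in current:
                self.events.append(("removed", name, self.baseline[name]))
                self.registry.write(self.key, name, self.baseline[name])
                reverted += 1
        return reverted


class InterceptingRegistry(FakeRegistry):
    """Block-before-change: every write passes a policy before it lands.

    This is the behaviour the thread attributes to RegDefend (and to Tiny if
    its interception is done in kernel mode): a denied write never happens.
    """

    def __init__(self, policy):
        super().__init__()
        self.policy = policy  # callable(key, name, data) -> True to allow
        self.blocked = []

    def write(self, key, name, data):
        if not self.policy(key, name, data):
            self.blocked.append((key, name, data))
            return False
        return super().write(key, name, data)


def demo_polling():
    """An entry written between polls is visible until the next poll."""
    reg = FakeRegistry()
    # Constructed pre-existing autorun entry that forms the baseline.
    reg.write(RUN_KEY, "Updater", r"C:\Program Files\Updater\updater.exe")
    mon = PollingMonitor(reg, RUN_KEY)
    # Constructed: an unknown program adds itself to the Run key between polls.
    reg.write(RUN_KEY, "regtest", r"C:\Temp\regtest.exe")
    present_before_poll = "regtest" in reg.read(RUN_KEY)
    reverted = mon.poll()
    present_after_poll = "regtest" in reg.read(RUN_KEY)
    return present_before_poll, reverted, present_after_poll  # (True, 1, False)


def demo_intercept():
    """The same write never lands when the hook's policy denies it."""
    def deny_run_key_writes(key, name, data):
        return key != RUN_KEY  # allow everything except writes to the Run key

    reg = InterceptingRegistry(deny_run_key_writes)
    allowed = reg.write(RUN_KEY, "regtest", r"C:\Temp\regtest.exe")
    return allowed, "regtest" in reg.read(RUN_KEY), len(reg.blocked)  # (False, False, 1)


if __name__ == "__main__":
    print("polling   :", demo_polling())
    print("intercept :", demo_intercept())
```

    The polling demo returns (True, 1, False): the new Run entry is present until the monitor's next poll, which is the window Jason's "block the change first" remark is about. The intercepting demo returns (False, False, 1): the write is refused by the policy and the key never changes. Whether a real product's interception sits in user mode or kernel mode is not something this model can show; that is the question Jason raises about Tiny.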
     
  8. peterc

    peterc Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    37
    Location:
    Australia
    I'm using the latest Tiny Pro 6.5.62 with just the default configuration. Out of curiosity I just tried Jason's Reg test: I disabled RegDefend 1.500, then executed the test.

    1st thing is that Tiny asked how to handle it so I gave it run with default security, when I executed the test again Tiny popped up a couple info balloons saying that it stopped RegTest because of 'spawning' etc

    I'm very new to these security products so that's all the info I can give you about how Tiny Pro 6.5.62 handles Jason's Reg test; also, this version of Tiny doesn't hog the resources like the earlier version Tiny Pro 6.0.140.

    ps I use XP Home SP2, AMD 1 GHz CPU with 512 MB RAM, TDS, PG, RegDfnd, WG, etc, Nod32 on access, with Kav as on demand & Tiny, all behind a router....am I paranoid or what?

    If this post is of no use to anyone just delete

    peterc
     
  9. gottadoit
    Peterc,
    Thanks for sharing that information

    I guess that RegTest has served more purpose than just to expose a bug in RegDefend, it's good for competitive analysis as well, although I don't expect that other competitors are supposed to "pass" the tests...
     
  10. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Yeah, I had the same experience with TF 2005. What I did was I went into the Tiny settings and changed a few places from "Block" to "Ask User". I don't remember but I think these were in the detailed Registry rules in the TP Admin Center.

    So then the next time, instead of blocking those memory writes, etc and not being able to run Regtest, I was able to allow everything up until the Regtest GUI actually starts. Then I ran Test 1 and TP passed - in other words, it stopped and queried me on the Run keys stuff. I denied them and the test said "modification failed".

    On Test 2, I also denied any TP alerts. The result was the machine seemed to freeze at the shut down stage. So I manually reset and the machine started up without the tell-tale Regtest screen, so I think it passed Test 2 as well.

    I am very impressed with Tiny Firewall 2005 so far. It's a real bear to configure but has many many features.
     
  11. gottadoit
    Peterc,
    When registry access is blocked which program pops up first with the warning (ie: RegDefend or Tiny) when they are both configured to monitor the same key ?

    It is good to hear that Tiny plays nicely with both PG and RegDefend, I might give it a trial

    Thanks

    NB: I'm quite comfortable with the fact that there is functional overlap here, I don't like having all of my eggs in one basket (like many others on this forum)
     
  12. peterc
    gottadoit

    I just tried the regtest with Tiny 6.5 running default settings with PG enabled and regdefend enabled all default settings.

    1: When I first execute regtest, Tiny pops up and asks what to do with it; I select "run with default security, this time only".

    2: Next PG pops up and asks what to do; if I deny, that is the end of the test.

    3: If I allow, Tiny pops up again with different info saying that regtest is spawning from Parent to Child; I deny and that is the end of regtest.

    I won't take it any further as I have to work at this pc, I know regdefend works I've used it by itself & I am satisfied with it.
    I like the idea of a layered security but Tiny is slightly heavy on resources compared to LnS which is also very good but I haven't experimented with that combination yet.

    Last week I ran regtest without Tiny 6.5 or regdefend installed, with just PG, WG, and my PC shut down then rebooted itself; PG's alerts were over 700+ when it started again.

    I was only using CHX-I packet filter in combination with my modem/router

    Hope that was of any use

    peterc ;)
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I am trying the Tiny personal edition at the moment and find that it does indeed give one very granular control but at the cost of complexity.
    When using RegTest against it, Tiny (default settings) pops up with an alert (various alerts) asking whether to trust RT. If you add it to your trusted programs then Test 1 can make the necessary modifications. When running test 2 after accepting the alerts and trusting RT then Tiny fails and you get the "you could be compromised" screen. Therefore it would be necessary to add all the relevant keys into Tiny for the attack to be stopped at the registry level. Albeit this is only true if you give an application full trusted status.
    From the application point of view Tiny and PG both stop and query RT from the outset.
    I'll leave it for the Tiny experts to describe exactly what registry rule(s) one needs to set in Tiny to prevent attacks once an application is trusted, though this may also involve tweaking other parts of Tiny as well.

    Pilli
     
    Last edited: Mar 18, 2005
  14. jimmytop
    As I said in my post above, all you have to do is change the default rule from "blocked" to "ask user" for the two or three items that Tiny alerts on just prior to the first Regtest window. The items that you see BEFORE the tests which should be allowed for a valid test anyway are blocked by Tiny by default and hence you can't get to Test 1.

    Go into the Default Security rules and find the rule related to the things that Tiny is blocking by default (you can tell which ones they are by looking at the Blocked alert window that Tiny puts up when you run Regtest with Tiny at Default).

    Find the rule, and there's a line with "*" (wildcard for all other programs) and it by default has those first alert items as "blocked". This is why when you run Regtest with default security, that Tiny won't let you get to the first Regtest window. It's blocking some things by default. Change the rule to "Ask User" instead of blocked for those three or four columns in that rule.

    Now, when you run Regtest with Default Security, you will first get two or three alerts asking you to allow or deny. Simply allow them - Jason stated in the following post that the alerts you see prior to the first Regtest window should be allowed because they are just ensuring a clean starting point for the tests. It's not until the actual tests that you should deny:
    https://www.wilderssecurity.com/showpost.php?p=396024&postcount=12

    Finally, you will get to the first Regtest window. Now you can execute Test 1 and Test 2 and Tiny will alert you and ask you to allow or deny. You deny, and it will pass both tests. No modifications and no start-up item.

    Running Regtest as a trusted application is a totally bogus test. That would be like running Regtest with Regdefend in Learning Mode (if there was such a thing). Or like running a spyware program with Process Guard in learning mode. Regtest is supposed to simulate a known malicious or unknown software. You wouldn't give a malicious software or an unknown software Trusted status - that is just asking for trouble. Trusted means trusted, why would you expect Tiny to stop anything that a trusted app wants to do? If you want that, then you can do it but you have to change the Trusted app rules to Block or Ask User. But that defeats the whole purpose of the Trusted App philosophy.

    Tiny is very impressive if you know how to use it.
     
    Last edited: Mar 18, 2005