How to protect Startup folder?

Discussion in 'Ghost Security Suite (GSS)' started by UCI_MECH, May 14, 2005.

Thread Status:
Not open for further replies.
  1. UCI_MECH

    UCI_MECH Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    15
    I'm wondering if RegDefend can prevent applications from being added to the Startup folder. If so, what registry key should I add?

    Although I have RD, I keep WinPatrol running in the background just to cover this Startup group which apparently is not covered by RD.

    One more thing, does RD by default monitor the services group the way WinPatrol does?
     
  2. tayasimggg

    tayasimggg Registered Member

    Joined:
    May 3, 2005
    Posts:
    102
    Location:
    israel
    RegDefend is more powerful than WinPatrol because, unlike WinPatrol, which sniffs the registry to check for changes every 30s, RegDefend monitors the registry all the time without sniffing and takes much less CPU and RAM.

    When you install RegDefend you have by default an "Auto Starts protecting Group".
    Try turning off WinPatrol and installing an application that wants to add a startup run entry; RegDefend will ask you whether you want it or not.
    Try it!!!
    Enjoy the power......
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Here is a screenshot of the default Autostart group. As far as I know WinPatrol has only polling abilities, whereas RD blocks any Reg changes before they occur.
    If you disable the RD groups and run RegTest does winpatrol stop test 2 from completing? If not then enable RD and test 2 will be defeated.

    Regtest can be found here: http://www.ghostsecurity.com/index.php?page=regtest
     
  4. Kaupp

    Kaupp Guest

    No. It can't protect startup folders; it's designed specifically to protect the registry and nothing else.

    Give MJ Registry Watcher a try. It works by polling the registry, which strictly speaking is not as secure as RegDefend, but it does monitor both folders and registry keys.

    http://www.jacobsm.com/mjsoft.htm

    regards
    Kaupp
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Actually a combination of the two things would probably be your best bet

    The registry contains keys that specify where the startup folders are so you wouldn't want something changing the startup directory

    Equally well you don't want something adding entries to the directory so use MJRW to perform polling monitoring of directories and files
    You can't argue with the price of MJRW after all...
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    One method of protecting startup folders, for those running XP Pro, is to use Software Restriction Policies. You can create path rules to startup folders, with wildcards, and set the security level to Disallowed.

    Nick
     
  7. UCI_MECH

    UCI_MECH Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    15
    I think my post was misunderstood. I was not saying that WinPatrol is better than RD. All I said is there is still one startup group not monitored by RD, and that's why I'm still running WinPatrol: not because it's more powerful, but just to cover the startup folders. It's a waste of resources to run WinPatrol in the background just to protect that folder, and that's why I'm asking whether it is possible for RD to monitor the startup folders.

    I already tried Registry Watcher and did not like the GUI; besides, I want real-time protection, not just polling abilities.

    Thanks Nick, that is a good idea to lock the startup folders. But what if there is a legitimate application trying to add something to that folder?
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi UCI_Mech,

    To the best of my understanding, ProcessGuard essentially guards the folder since no program that updates the folder can run without PG's permission. I understand that there may be a "hole", in that scripts can be executed by a browser which is why I also run WormGuard. Whether this is entirely sufficient to plug the hole, I do not know.

    Of course, it would be nice if either RegDefend or ProcessGuard actually gave alerts when key folders are accessed - sort of a double safety measure - and maybe the authors of the software might consider this capability for future versions.

    I am looking forward to reading other comments on this subject.

    Rich
     
  9. UCI_MECH

    UCI_MECH Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    15
    I use PG too, but let's say you run an application or script which is supposed to do a certain thing for you. When it asks for PG's permission, you will allow it because you ran the application yourself. So if that application was not authentic or it has unannounced bad tasks which include adding something to the startup folder, then neither PG nor RD protected you from this attack.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi UCI_MECH,

    After you set up a path rule for the startup folder, create a hash rule for the app you want to allow and set it to Unrestricted. Hash rules take precedence over path rules. Take a look here for more specific instructions: Software Restriction Policies for Windows XP Clients. Note that although the usual files (shortcuts, scripts, etc.) can still be placed in the startup folders, they cannot execute. Blocked executions will show up in the application event logs.

    Nick
     
    Last edited: May 14, 2005
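To see what Nick's setup looks like from the administrator's side, here is an added PowerShell audit script. It is not code from the thread or from Microsoft. It lists the Software Restriction Policy rules in force (so you can confirm the Disallowed path rule and the Unrestricted hash rule are both present) and pulls the SRP block events out of the Application log. It assumes the machine-wide policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with one subkey per security level holding "Paths" and "Hashes" rule subkeys, and that SRP logs blocks under the event source "Software Restriction Policies" (event IDs 865 to 868); both details come from general knowledge of SRP, not from the thread. It targets Windows PowerShell (Get-EventLog is not available in PowerShell 7).

```powershell
# Added example (not from the thread): audit Software Restriction Policy rules
# and list recent SRP block events from the Application log.
# Assumptions: machine-wide SRP policy under the CodeIdentifiers key below,
# level subkeys named by their numeric security level, and the event source
# name 'Software Restriction Policies' for blocked executions.

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpRule {
    if (-not (Test-Path -Path $saferRoot)) { Write-Warning 'No Software Restriction Policy is configured'; return }

    $root = Get-ItemProperty -Path $saferRoot
    $default = if ($null -ne $root.DefaultLevel) { $levelNames[[int]$root.DefaultLevel] } else { 'unknown' }
    Write-Host ("Default security level: {0}" -f $default)

    foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        # Only numeric subkeys are security levels; anything else is skipped.
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }

        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
            if (-not (Test-Path -Path $kindPath)) { continue }

            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules keep the (wildcarded) path in ItemData as REG_EXPAND_SZ;
                # hash rules keep the raw hash bytes there, rendered here as hex.
                if ($kind -eq 'Paths') { $item = [string]$p.ItemData }
                else { $item = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }

                [pscustomobject]@{
                    Level       = $levelNames[$level]
                    Type        = if ($kind -eq 'Paths') { 'Path' } else { 'Hash' }
                    Item        = $item
                    Description = $p.Description
                }
            }
        }
    }
}

function Get-SrpBlockEvent {
    # Blocked executions are logged to the Application log by SRP itself;
    # this pulls the newest ones so that a denied shortcut or script shows up.
    param([int]$Newest = 25)
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, UserName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Get-SrpRule | Format-Table -AutoSize
Get-SrpBlockEvent | Format-Table -Wrap
```

Run it in an elevated Windows PowerShell session after applying the policy; a Disallowed path rule for the startup folder should appear next to an Unrestricted hash rule for the allowed application, and any shortcut dropped into the folder that later fails to run shows up in the event list with the path SRP refused.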
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I understand what you are saying. It is interesting that it seems (from what I can tell) that the read-only attribute is ignored by Windows system programs. Probably so that it is easy for programmers to modify its contents. :rolleyes:

    Rich
     
  12. Ronin

    Ronin Guest

    Well, given that you as a user with administrative rights can easily overwrite a read-only attribute, any other application will have the same privilege.

    I do think that despite its name, it's a big hole that RegDefend covers only registry startup keys. After all, we are not covering the registry for the sake of doing so, but rather to prevent startups.

    As already mentioned, PG is not the answer because PG filters on processes, not on specific attempts to create startup methods.

    As you probably already know, the startup folder is not the only file/folder where startups can insert themselves; there are other files, autoexec.bat etc.

    PrevX is the answer in this case.
     
  13. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    I am still using Mike Lin's free apps: http://www.mlin.net
    I feel like it is a complement to the other ones I have. The ease of just unchecking an app so it will not autostart, and checking it again if I want, has also been useful sometimes.

    Maybe it's not very secure - you tell me.

    Best regards
     
  14. nameless1

    nameless1 Guest

    This is a worthwhile tip, though it can be very inconvenient when it comes time to add/remove startup shortcuts.

    Just FYI, you can use the following environment variable and path to point to the current user startup folder:

     
  15. pasito

    pasito Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    22
    Sorry if someone said this above but, you should never use the startup FOLDER for launching programs at startup (in my opinion, I don't know why, but it's fine) and just set the security permission on the folder to "Everyone - Deny all"

    (the path can be found in the post above mine)
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Can one use both RegDefend and Startup Monitor without any issues? I too am not crazy about leaving the Startup folder unwatched...
     
  17. f3x

    f3x Guest

    If you protect yourself by denying access to a folder, just be sure that this will always be the right folder.


    HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders
    >> Startup

    HKCU\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders
    >> Startup


    HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders
    >> Common Startup

    HKLM\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders
    >> Common Startup

    (it is already included in the regrun ghost file)

    Someone might try to set those paths to nothing... maybe it'll effectively disable those folders?
     
  18. pasito

    pasito Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    22
    Like this.

    http://img43.imageshack.us/img43/4015/untitled4jm.jpg

    Win2000: Navigate to %homedrive%%homepath%\Start Menu\Programs and right click on the Startup folder. Right click and go to Properties. Click the Security tab, Add or Edit the Everyone name and set the permissions to Full control: deny all.

    Windows XP PRO: Go to Control Panel, Folder Options and click the view tab. Uncheck "Use Simple File Sharing (Recommended)" then follow the Win2000 steps.

    Windows XP HOME: N/A. :[


    http://support.microsoft.com/default.aspx?scid=kb;en-us;304040#XSLTH3125121124120121120120
     
    Last edited: Dec 13, 2005
  19. nameless1

    nameless1 Guest

    Just FYI: The ACL of the Startup folder(s) can easily be changed back, invisibly and from the command line, using cacls.exe. (In other words, the security measure outlined above can be undone.) This could be done any time a member of the Administrators group is logged in, or using a privilege-escalation method, if any exists.
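Both of the last points, f3x's warning that the folder you locked down may not be the folder Windows actually uses, and nameless1's note that the deny ACE can be silently removed with cacls.exe, can be checked from a script. The following PowerShell is an added example, not code from the thread: it resolves the Startup folders from the four registry values f3x listed, lists what is in each folder (hidden entries included), and reports whether the "Everyone: Deny Full Control" entry from pasito's post is still present. The function names and the report fields are my own; the registry keys and value names are the ones quoted in the thread.

```powershell
# Added example (not from the thread): resolve the Startup folders from the
# registry, list their contents, and verify the Everyone deny ACE is still there.
# Run it as the user whose Startup folder you care about; HKLM requires read
# access only.

function Get-StartupFolder {
    # HKCU "Startup" is the per-user folder, HKLM "Common Startup" the all-users one.
    $specs = @(
        @{ Hive = 'HKCU:'; Name = 'Startup' },
        @{ Hive = 'HKLM:'; Name = 'Common Startup' }
    )
    foreach ($s in $specs) {
        # "User Shell Folders" (REG_EXPAND_SZ) is the value Explorer reads;
        # "Shell Folders" is the expanded copy. Both are reported so that a
        # mismatch between them, or a redirected path, stands out.
        foreach ($sub in 'User Shell Folders', 'Shell Folders') {
            $key   = "$($s.Hive)\Software\Microsoft\Windows\CurrentVersion\Explorer\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }            # key missing
            $raw = $props.($s.Name)
            if ($null -eq $raw) { continue }              # value missing
            [pscustomobject]@{
                Source = "$key\$($s.Name)"
                Path   = [Environment]::ExpandEnvironmentVariables([string]$raw)
            }
        }
    }
}

function Test-StartupFolderLockdown {
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($f in Get-StartupFolder) {
        $r = [ordered]@{
            Source          = $f.Source
            Path            = $f.Path
            Exists          = $false
            EveryoneDenyAll = $false
            Entries         = @()
            Note            = ''
        }
        if ($f.Path -eq '') {
            # f3x's scenario: the value has been emptied, so Explorer has no folder to scan here.
            $r.Note = 'registry value is empty'
        } elseif (-not (Test-Path -LiteralPath $f.Path)) {
            $r.Note = 'folder does not exist'
        } else {
            $r.Exists = $true
            $acl = Get-Acl -LiteralPath $f.Path
            # Look for an explicit Deny of Full Control granted to Everyone (S-1-1-0),
            # which is the setting pasito's post applies through the GUI.
            $r.EveryoneDenyAll = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
                (($_.FileSystemRights -band $full) -eq $full)
            })
            # -Force so that hidden entries are listed as well as visible ones.
            $r.Entries = @(Get-ChildItem -LiteralPath $f.Path -Force | Select-Object -ExpandProperty Name)
            if (-not $r.EveryoneDenyAll) {
                $r.Note = 'deny ACE missing (ACL may have been changed back, e.g. with cacls.exe)'
            }
        }
        [pscustomobject]$r
    }
}

Test-StartupFolderLockdown | Format-List
```

Scheduling this to run at logon and comparing its output against a saved copy gives the polling-style check for the folder itself that the thread says RegDefend lacks: a changed path, a new entry, or a vanished deny ACE all show up as a difference, and the registry values it reads are the same ones a RegDefend group can guard in real time.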
     
  20. nameless1

    nameless1 Guest

    Also, I believe you can change the permissions on the Startup folder(s), under Windows XP Home, using cacls.exe. Not as nice as the GUI, but it actually works better in a lot of cases (since it lets you edit, rather than always replace, ACLs).

    I vaguely remember there being some workaround to get access to the Security tab under Windows XP Home. Safe Mode? I can't remember...
     
  21. tlu

    tlu Guest

    There are several workarounds but the easiest is http://www.fajo.de/portal/index.php?lang=en&option=content&task=view&id=6&Itemid=0
     