Just installed RegDefend...

Discussion in 'Ghost Security Suite (GSS)' started by TonyKlein, May 23, 2005.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Hi all,

    I installed RegDefend about 2 minutes ago, and already I love it... :D

    In fact it was by coincidence: I used to use SpyBot's TeaTimer to watch my registry plus some other things, but after installing the latest beta, the allow/block dialog turned out to miss the check boxes (a 120 DPI issue), thus rendering it useless.

    I then decided to allow MSAS to watch over me instead, but it was far too slow (?): I was trying to unpack a particularly nasty little b*gger, when LnS alerted me that so and so wanted to phone out.
    I ran Hijack This and discovered it had added itself to the Run key, as well as to ShellServiceObjectDelayLoad without MSAS crying wolf...

    That did it!

    I just added Derek's RegRun entries, and must say I love the application, especially its configurability.

    As I said, it's been installed for only a couple of minutes, and I really haven't had the time to look at it in detail, but I did notice this key missing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    I may have overlooked it, but I do believe it isn't there, and if so, you want to add it...

    Anyway, I just wanted to post, because I'm really enthusiastic about the application.

    It's only early days, but should I happen to find additional keys/values that may be worth watching, I'll be sure to post here. :)
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Tony,

    Yes, RegDefend is an excellent product. I always recommend it as a companion to ProcessGuard.

    Since you added the RegRun extensions, I thought I would make you aware of some pending issues regarding these extensions:

    https://www.wilderssecurity.com/showthread.php?t=67729

    If you are not running multiple accounts with fast switching, this shouldn't affect you.

    Cya around,

    Rich
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Thanks for the heads up, Rich. :)

    I'm the only user of this computer, so this won't be bothering me...
     
  4. FanJ

    FanJ Guest

    IM sent Ton ;)
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Hi Jan. ;)
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Jan just PM'd me to clobber me over the head and correct me: the post was by puff-m-d, not by Derek...

    Sorry to all... ;)
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Tony,

    No apology necessary ;) ... It can be hard to learn names on the forums sometimes, and with me I think a little Alzheimer's is starting to set in, as I make the same kind of mistakes :'( ...
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    I already have a question... :p

    I added the BHO reg key to the IE.ghst file (through the user GUI, I hasten to add).

    Wanting to test something, I deleted the subkey for my FlashGet browser plugin, but RegDefend didn't alert me.

    I then reinstalled FlashGet in its entirety, the subkey was put back, but again RD remained silent.

    I refuse to believe RD goofed up, so what did I do wrong?

    Attaching my edited IE.ghst as txt...
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    BTW this is the (exported) subkey I subsequently removed, remerged, removed, remerged, without RD jumping into action:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
     
  10. FanJ

    FanJ Guest

    ~grin~ Hey Ton,

    LOL, no, my very dear old friend, no "clobbers over heads" ;)
    You are much too dear to me, and to sooo many others !!!
    If you only knew how many mistakes I make....
    The support, info, help, friendship you give to so many people !!!!!
    Only a very BIG THANK YOU can express it :D
    I am most definitely sure that ALL RegDefend users will absolutely give you a warm welcome !!!

    Warmest regards,
    Greetings, Jan.
     
  11. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Tony,

    Here is what that key should look like....
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Seeing as puff-m-d beat me to it, I might just point out that rules can be copied using control-C and pasted into the forum post as text...

    In this case :

    hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects* | * | Key + Value | Mod Key, Mod Value | Ask User
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Ah, I seem to be missing the * under "Registry Value"....

    Could that be it? Let's see how we can get that there...
     
  14. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    To do that, you will have to enter the key over again and delete the old one.
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    No difference... I deleted the key, and nothing happened...
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Screenshot
     
    Attached Files: RD.gif (15.9 KB)
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Whoops: Wildcards: Key AND value....


    Let me see...
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Well, it really makes no difference: I can delete and re-add subkeys there all day long, but no joy... :(
     
  19. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Tony,
    Can you do a control-C on your rule and a control-C on a log entry if you get one, please?
    Check and make sure you specified wildcards on the Key...

    With the rule I pasted above when I try and create a new Key I get an Alert and this Log entry

    Code:
    regedit.exe [576] was allowed to CREATE a registry key | 04:12:20 - 24 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\new key #1 | | c:\windows\regedit.exe | RD STANDARD [50] - HKLM
    regedit.exe [576] was allowed to set this value to testing | 04:12:39 - 24 May 2005 | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\new key #1 | | c:\windows\regedit.exe | RD STANDARD [50] - HKLM
    Edit: Looking at the pic above there is still a * missing at the end of the key
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    You need an * placed on the end of the key to give you a wild card for the keys....
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    So without the * a subkey there can be deleted or added at will?

    Does that really make sense?
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    What if you wanted to only monitor values for the one key and not look at the subkeys?
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Aaargh! it works! :D

    I guess I just didn't understand I had to add the asterisk manually....


    Thanks heaps! :)
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands

    I just assumed that by monitoring the main key everything in it would be watched as well
     
  25. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Jason has it where you have total control over what you want to monitor. It takes a little time to learn it, but it really is not too hard. It just takes a little playing with it to learn it. When I did the RegRun entries, I had to do a lot of playing around to figure it all out ;) ....
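    The wildcard lesson worked out above, as an added example that is not RegDefend's own code and was not posted by anyone in this thread: a small Python model of the rule semantics the posters describe. A key pattern without a trailing * covers only that exact key, a trailing * also covers every subkey beneath it, and * in the value column means any value name. The case-insensitive matching, the event names, the Event/Rule layout and the column order in rule_line() are assumptions made for the illustration; the BHO key path and the FlashGet CLSID are the ones quoted in the thread, and the events are constructed to mirror what Tony and gottadoit tried.

```python
"""Toy model of the RegDefend rule semantics discussed in this thread.

Added example, not RegDefend's own code. It models only what the posters
describe: a key pattern with no trailing '*' covers the key itself, a
trailing '*' also covers every subkey beneath it, and '*' in the value
column means any value name. Case-insensitive matching, the event names
and the column layout of rule_line() are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Key named in the thread (the BHO key Tony found missing from IE.ghst).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")


def glob_match(text: str, pattern: str) -> bool:
    """Assumed matcher: only a trailing '*' is a wildcard; otherwise exact."""
    text, pattern = text.lower(), pattern.lower()
    if pattern.endswith("*"):
        return text.startswith(pattern[:-1])
    return text == pattern


@dataclass(frozen=True)
class Event:
    op: str                       # assumed names: "CREATE KEY", "DELETE KEY", "SET VALUE"
    key: str
    value_name: Optional[str] = None   # None for key-level operations


@dataclass(frozen=True)
class Rule:
    key_pattern: str
    value_pattern: str = "*"      # '*' = any value name
    action: str = "Ask User"

    def covers(self, event: Event) -> bool:
        """True if this rule would fire (alert + log line) on the event."""
        if not glob_match(event.key, self.key_pattern):
            return False
        if event.value_name is None:          # create/delete key: no value name
            return True
        return glob_match(event.value_name, self.value_pattern)


def rule_line(rule: Rule) -> str:
    """Render a rule in the pipe-separated form pasted in the thread."""
    return " | ".join([rule.key_pattern, rule.value_pattern,
                       "Key + Value", "Mod Key, Mod Value", rule.action])


def first_matching_rule(rules: List[Rule], event: Event) -> Optional[Rule]:
    """Return the first rule that covers the event, or None if it slips past."""
    for rule in rules:
        if rule.covers(event):
            return rule
    return None


def uncovered_events(rules: List[Rule], events: List[Event]) -> List[Event]:
    """Events no rule covers, i.e. changes that would produce no alert at all."""
    return [e for e in events if first_matching_rule(rules, e) is None]


# Tony's first attempt: the key itself, no trailing '*'.
RULE_NO_WILDCARD = Rule(BHO_KEY)
# The rule gottadoit pasted: trailing '*', so subkeys are covered too.
RULE_WILDCARD = Rule(BHO_KEY + "*")

# Constructed events: the FlashGet subkey (CLSID Tony exported) removed and
# re-added, regedit creating "new key #1" and writing a value under it, and
# a value written directly on the BHO key itself.
FLASHGET_SUBKEY = BHO_KEY + r"\{A5366673-E8CA-11D3-9CD9-0090271D075B}"
EVENTS = [
    Event("DELETE KEY", FLASHGET_SUBKEY),
    Event("CREATE KEY", FLASHGET_SUBKEY),
    Event("CREATE KEY", BHO_KEY + r"\new key #1"),
    Event("SET VALUE", BHO_KEY + r"\new key #1", "(Default)"),
    Event("SET VALUE", BHO_KEY, "SomeValue"),
]

if __name__ == "__main__":
    for rule in (RULE_NO_WILDCARD, RULE_WILDCARD):
        print(rule_line(rule))
        for e in EVENTS:
            status = "alert" if rule.covers(e) else "silent"
            tail = e.key[len(BHO_KEY):] or "<the key itself>"
            print(f"  {status:6} {e.op:10} {tail}")
```

Run as a script, the first rule reports "silent" for all four subkey events and "alert" only for the value written on the BHO key itself, which is exactly the behaviour Tony saw; the second rule reports "alert" for all five. The trade-off puff-m-d points out is visible in the same model: dropping the trailing * is how you would watch values on one key while deliberately ignoring its subkeys.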
     