Networking Protection problem

Discussion in 'Ghost Security Suite (GSS)' started by paperinik3, Mar 17, 2006.

Thread Status:
Not open for further replies.
  1. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Hi, at every reboot I receive the alarm: " Event:set value; Blocked [Auto user];Value: dhcpclassidbin" I made a rule and imported it (screenshot joined)
but nothing changed. All the other rules I made work - why doesn't this one?
Where have I made a mistake?
     

    Attached Files:

    Last edited by a moderator: Mar 17, 2006
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    paperinik3,
    The rule you have created causes an interactive user prompt to be issued and if the GUI cannot get a response or cannot create the alert it performs the Auto User Block action that you have experienced

    Can you cut and paste your log entry in here to show the application that is encountering the problem. Highlight the log entry and type control-C to get the log entry into your clipboard and then paste the data from the clipboard into your reply (either using right click and Paste or control-V). RegDefend only allows clipboard copy using the keyboard which is a little unusual (but that is the way for now at least).
     
  3. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    thank you gottadoit for your prompt answer; here it comes:

    08:38:22 | Set Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be} | dhcpclassidbin | services.exe
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i would start over, using a fresh copy of tony's ruleset..

    if you do have anything that is being automatically blocked, create an "app rule" to address that, not modifying the "global registry rules"..

    it looks like you added an "app rule" to the "global registry rules"..
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    paperinik3,
It is as redwolfe_98 suggested, you want to have an "allow" for services.exe to make the change without requiring a prompt. By adding the rule to the "Global Registry Rules" tree, the rule you added explicitly requests the prompt when that change is made. It's just a matter of getting used to where to put things, and it's not hard after the first time...

    If you click on "Services" under the "Application Rules" tree and add a rule in there for that key and value and use the "Allow" and tick "Set Value"
    I would suggest that you modify the rule slightly from the alert so that it works if you boot into a different control set and replace the Controlset001 with *controlset*; the rule would then look like :
NB: I got the rules in the format shown above by highlighting a rule that I just created and doing a copy (ctrl-C) and then pasting it in here. It's not quite as nice as a picture but it's a little more compact...
     
  6. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Right redwolfe 98, transferred the rule from "Global rules" to "Applications" (Services). Well, here is the log of what I obtained:

    15:33:01 | Set Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be} | dhcpclassidbin | services.exe

    Not a great progress, hm?
     
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    paperinik3,
    Can you copy your rule like I did above so we can see what it is please

    I am expecting that you have the rule set to "Block" and "Ask User" which will exhibit exactly the same problem, what you need is to make the rule an "Allow"
     
  8. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Sorry gottadoit, I received your post after having posted my last one. Now I have made the rule:
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces\{d71baee3-772d-448f-86ab-95e3f175d7f5} | dhcpclassdbin | set value | | services | 2 | dhcpclassidbin | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | | Services | 5
    (I got the rule in this format in the same way you did). But at reboot I got:

    16:49:58 | Set Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be} | dhcpclassidbin | services.exe

What does that mean? Why is that different from the rule I had modified as per your instructions? O my, O my!
     
  9. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Once again gottadoit I have posted before receiving your question! No, I didn't set it to "block" - here is the screenshot of the rule:
     

    Attached Files:

    Last edited by a moderator: Mar 17, 2006
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    paperinik3,
If you remove everything from the "Key:" field after the '}' in the interface clsid it might work a little better. Basically cutting and pasting the rule back into Regdefend is not user friendly and it's easy to make the mistake you have made. You need to separate the parts yourself.

    In each field this is what you should see :
    Code:
    Key: HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}
    Value: dhcpclassidbin
and like you have already "Allow" but you probably only need "Set Value" ticked because that matches the log entry that was blocked and it's generally best to be very specific so that you do not unintentionally allow something that later proves to be an issue
     
  11. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Gottadoit,
    I have followed your instructions but the result is always the same. One of the (many) things I do not understand is why, having put the rule in the "services" Group, in the "Full Alert Information" it is shown in the
    "Auto Start" Group (see screenshot).
     

    Attached Files:

    Last edited by a moderator: Mar 17, 2006
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    paperinik3,
Do you have a rule for this key and value in the AutoStarts group?

    If you do then can you delete it please and if not I might see about getting you to attach your ruleset file so that I (or someone else) can have a look at it

    Having the alert show like that is unusual (even if you do have the rule in AutoStarts) because the Application Rule should handle the operation prior to the Global Registry Rule being consulted
     
  13. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    paperinik3, it looks like the app rule that you have does not match what is being blocked..

    the one that is being blocked has

    {9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}

    your rule has

    {d71baee3-772d-448f-86ab-95e3f175d7f5}

    here is what you should have for the app rule:

    HKEY_LOCAL_MACHINE\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}

also, i think that the "full alert" info is from regdefend's log, which is extending below the "configuration" window..
     
    Last edited: Mar 17, 2006
  14. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Gottadoit,
no, I haven't. The only rule in Autostarts that faintly resembles it is:
    "HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\ Interfaces**" Value: *
    Regards
     
  15. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    gottadoit is the "expert", not me..

    i do not have the same problem with "networking", but i have seen other things that were automatically blocked.. it was not difficult to resolve.. just look in the log to get the information for what is being blocked, and then create an app rule for it, based on the info from the log..
     
  16. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
Thank you redwolfe 98 - you are right! I don't understand how it happened, because I highlighted, copied and pasted the darn thing from the log.... But, anyway...
    Anyway, having substituted {9aba6d73-8ad2-4046-8e8d-dbfe8186c7be} in the
    rule - RD immediately blocked it with supreme indifference.
    Back to the drawing board...
     
  17. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    look at the information in the log for the item that is being automatically blocked, and then make sure that your app rule matches it, having the proper "value" (the value should be "dhcpclassidbin") and function (under "event", in the log), like "set value"..

    if you can, paste a screenshot of the log where the item is being blocked.. and you could also include a screen shot of the rule that you are using to try to address the problem..

    also, you said that 'all of the other rules that you made worked.." maybe those rules are what is causing the problem..

    did you start fresh with a fresh copy of tony's ruleset?

    also, it doesn't matter that the log is showing "autostarts".. i think that that is just showing that the item was blocked because of rules in autostarts.. you can ignore that.. (the "full alert information" is from the log, not from the app rule configuration window)
     
    Last edited: Mar 17, 2006
  18. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Redwolfe 98,
well, I'll (perhaps) have the force to start tomorrow morning everything from scratch again - for the moment I will upload a screenshot (with joined "full alert information") which could perhaps tell or suggest something to eyes more expert than mine. Ciao and sweet dreams.
     

    Attached Files:

    Last edited by a moderator: Mar 18, 2006
  19. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    one thing that is interesting, looking at your log, is that the regkey is being allowed except with the one particular "value"..

    i don't think that you are going to make any headway until you replace the ruleset that you are using with a fresh copy of tony's ruleset..

    i think that the problem is that you have messed up the global registry rules in the ruleset that you are currently using..

    replace the ruleset with a fresh copy of tony's ruleset and run the computer to the point where you run into the problem with the automatic blocking, if anything is blocked, and then simply create an app rule to allow what was blocked, based on the information in the log..

    i would leave the global registry rules alone at least until you establish that things are working properly.. (i don't mess with the global registry rules because i don't know enough about working with them)
     
    Last edited: Mar 18, 2006
  20. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Redwolfe_98,
yes there certainly are more things on heaven... Now I'll tell you one. This afternoon I went to delete Tony's ruleset and start again from scratch. But just for the hell of it, while booting the system I kept an eye on RD's log: you can see what I saw. No trace of blocks, everything OK, the rule gone spontaneously back to the "Services" Group... Needless to say: I had done absolutely nothing. Can somebody try and explain this magic? Otherwise I'll begin to believe in little friendly elves...
     

    Attached Files:

    Last edited by a moderator: Mar 18, 2006
  21. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i think that it just means that you finally got the app rule right.. :)

    i would still try starting over with a fresh copy of tony's ruleset, and then see if that rule is still necessary.. maybe it is, on your computer, but i did not need that type of "services" app rule on my computer..

    i did have some other things that were blocked, but that was after i had deleted all of the included app rules.. it was not hard to address that by creating app rules for the things that were being blocked, based on information from the logs (thank goodness for the logs)..

    if you see that there is something blocked, just create an app rule for it..
     
    Last edited: Mar 18, 2006
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    First of all, you MUST use those wildcards in "*ControlSet*".

    Now what you could try is again add your rule to my set but this time edit it slightly by also adding a Wildcard after the key, like so:

    HKEY_LOCAL_MACHINE\System\*Controlset*\Services\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}*

    Value: dhcpclassidbin

    There can *occasionally* be an issue with the apps override groups where, for a rule to work properly, you do need such a wildcard that should technically not be called for.
     
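The two points made in this thread about why an app rule silently fails to match (redwolfe_98's note that the GUID in the rule must equal the one in the blocked log line, and TonyKlein's point that the control set must be wildcarded as *ControlSet*) can be checked mechanically. The following is an added example, not RegDefend's code and not part of Tony's ruleset: it models rule matching as case-insensitive glob matching on the key path and value name (with `*` as the only wildcard), application rules consulted before global rules, and an "Ask" rule falling back to an Auto User block when no GUI is available to answer the prompt. Those matching semantics, the `Rule` fields, and the ControlSet002 log line are assumptions constructed for the example; the other log line and rule keys are the ones pasted in the thread.

```python
"""Toy matcher for RegDefend-style registry rules against log entries.

Constructed example, not RegDefend's own code. ASSUMPTION: a rule matches
when its key pattern and value pattern glob-match the log entry (case-
insensitive, '*' = any run of characters) and the event is one the rule
covers; application rules are consulted before global rules.
"""
import re
from dataclasses import dataclass

# Short hive names as they appear in the log vs. the long form used in rules.
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def normalise_key(key: str) -> str:
    """Expand the hive alias and lower-case the whole path."""
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive)
    return (hive + sep + rest).lower()


def glob_match(pattern: str, text: str) -> bool:
    """'*' matches any run of characters; every other character is literal,
    so braces and GUID digits are compared exactly."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern.lower())
    return re.fullmatch(regex, text.lower()) is not None


@dataclass
class Rule:
    key: str            # key pattern, long hive form as in the RegDefend GUI
    value: str          # value-name pattern
    events: frozenset   # e.g. frozenset({"set value"})
    action: str         # "Allow", "Ask" or "Block"
    group: str          # group the rule lives in, for display only


def parse_log_entry(line: str) -> dict:
    """Split a pasted log line: time | event | action | key | value | process."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"unexpected log format: {line!r}")
    return dict(zip(("time", "event", "action", "key", "value", "process"), parts))


def find_matching_rule(rules, entry):
    """Return the first rule whose key, value and event all match, else None."""
    key = normalise_key(entry["key"])
    for rule in rules:
        if (glob_match(normalise_key(rule.key), key)
                and glob_match(rule.value, entry["value"])
                and entry["event"].lower() in rule.events):
            return rule
    return None


def evaluate(app_rules, global_rules, entry, gui_available: bool) -> str:
    """Application rules first, then global rules. An 'Ask' rule with no GUI
    to answer the prompt (e.g. during boot) degrades to an Auto User block."""
    rule = find_matching_rule(app_rules, entry) or find_matching_rule(global_rules, entry)
    if rule is None:
        return "No rule matched"
    if rule.action == "Allow":
        return "Allowed"
    if rule.action == "Block":
        return "Blocked"
    return "Asked user" if gui_available else "Blocked [Auto User]"


# Log line as pasted by paperinik3.
BLOCKED_LOG = (r"08:38:22 | Set Value | Blocked [Auto User] | HKLM\System\Controlset001\Services"
               r"\Tcpip\Parameters\Interfaces\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}"
               r" | dhcpclassidbin | services.exe")
# CONSTRUCTED: the same event on a machine that booted into ControlSet002.
OTHER_CONTROLSET_LOG = BLOCKED_LOG.replace("Controlset001", "ControlSet002")

PREFIX = r"HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces"
SET_VALUE = frozenset({"set value"})
# The rule with the wrong interface GUID (from post 8) never matches the log line.
WRONG_GUID_RULE = Rule(PREFIX + r"\{d71baee3-772d-448f-86ab-95e3f175d7f5}",
                       "dhcpclassidbin", SET_VALUE, "Allow", "Services")
# The corrected rule with the GUID taken from the log.
FIXED_RULE = Rule(PREFIX + r"\{9aba6d73-8ad2-4046-8e8d-dbfe8186c7be}",
                  "dhcpclassidbin", SET_VALUE, "Allow", "Services")
# Same rule with Controlset001 hard-coded: breaks on a different control set.
HARDCODED_RULE = Rule(FIXED_RULE.key.replace("*controlset*", "Controlset001"),
                      "dhcpclassidbin", SET_VALUE, "Allow", "Services")
# Global AutoStarts rule resembling the one quoted in post 14 (space removed).
AUTOSTARTS_ASK_RULE = Rule(PREFIX + "**", "*", SET_VALUE, "Ask", "AutoStarts")

if __name__ == "__main__":
    entry = parse_log_entry(BLOCKED_LOG)
    for rules in ([WRONG_GUID_RULE], [FIXED_RULE]):
        print(rules[0].key[-40:], "->",
              evaluate(rules, [AUTOSTARTS_ASK_RULE], entry, gui_available=False))
    print("ControlSet002 with hard-coded rule ->",
          evaluate([HARDCODED_RULE], [], parse_log_entry(OTHER_CONTROLSET_LOG), False))
```

Running it shows the wrong-GUID rule falling through to the global "Ask" rule and producing "Blocked [Auto User]", the fixed rule producing "Allowed", and the hard-coded Controlset001 rule matching nothing on a ControlSet002 boot, which is the reason for the *ControlSet* wildcard. The trailing `*` TonyKlein suggests after the `}` is harmless under this model (the pattern still matches the exact key), so the example cannot reproduce the quirk he describes; it only shows which parts of a rule must agree with the log line.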
  23. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I was wondering why you kept putting those wild cards in places that didn't need them.

Maybe you or someone else can make a sticky about these 'quirks' in RD, Windows etc. that aren't in the help file, that everyone can look through for reference. Cause this sort of thing is very useful to know, as we've just witnessed.
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
Well, it IS a rare occurrence, and I've so far mainly observed it in a few Apps groups, notably when entering this Rundll32 override rule:

    HKEY_CURRENT_USER\Control panel\Desktop* | *wallpaper* | SET VALUE | | Rundll32 | 1

    As I said, it is a rare occurrence, and it remains to be seen whether it is indeed responsible for paperinik3's problem.

    Anyhow, Jason is aware of it, so I wouldn't be surprised if this is going to be fixed in the next beta.

    Meanwhile, it IS always good practice to test any new rule...
     
  25. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi TK.

    Thanks and understood. :thumb:

    Keep up the good work mate. :)
     