New Registry Write from ewido?

Discussion in 'ewido anti-spyware forum' started by TopperID, Aug 22, 2006.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    For the last couple of days, when I boot up, I get a message from RD that it has blocked ewido from writing its startup entry to the following Value:-

    HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders common startup

    This is bonkers! The common startup value should contain the path to the startup folder, i.e.

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    Why is ewido trying to set the value for its startup on that key?

    Or is ewido just confusing RD by constantly writing to a protected key at bootup?

    I do wish this value setting bug could be sorted out at last!
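A read-only way to check the registry state the post describes, added here as an example and not taken from the thread or from the ewido team; it assumes a Windows host with PowerShell and the Shell Folders key quoted above.

```powershell
# Added example (not from the thread): audit the Shell Folders "Common Startup"
# value and the Run keys so a HIPS alert can be compared with the actual registry
# state. Read-only; makes no changes.

$shellFolders = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-StartupFolderValue {
    # The 'Common Startup' value must be a directory path, not a command line.
    param([string]$Key, [string]$Name)
    $value  = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    $result = [ordered]@{ Value = $value; IsDirectory = $false; LooksLikeCommand = $false }
    if ($value -and (Test-Path -LiteralPath $value -PathType Container)) {
        $result.IsDirectory = $true
    }
    # Quotes, an .exe name or a command-line switch mean something wrote a launch
    # command into the value (what the alert in the thread claimed had happened).
    if ($value -match '"|\.exe\b|\s/\w+') {
        $result.LooksLikeCommand = $true
    }
    [pscustomobject]$result
}

$check = Test-StartupFolderValue -Key $shellFolders -Name 'Common Startup'
if ($check.IsDirectory -and -not $check.LooksLikeCommand) {
    Write-Host "OK: Common Startup points to a folder: $($check.Value)"
} else {
    Write-Warning "Suspicious Common Startup value: $($check.Value)"
}

# List what actually starts from the folder and from the Run keys, so a
# product's startup entry can be located where it legitimately belongs.
if ($check.IsDirectory) {
    Get-ChildItem -LiteralPath $check.Value | Select-Object Name, LastWriteTime
}
foreach ($k in $runKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object {
            foreach ($p in $_.PSObject.Properties) {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
}
```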

  2. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    No we don't set this registry key. We're checking those keys only to avoid showing them in the autostart viewer. If you're deleting a startup entry from the autostart viewer then it will write something. But nothing else.

    Regards,
    Vinzenz
     
    Last edited by a moderator: Aug 23, 2006
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks Vinzenz, I didn't really think ewido would be writing to that key, so I must conclude that RD was misinterpreting events - perhaps getting confused by ewido setting its value on the usual Run Key, and simultaneously reading the Shell Folder Key, at an 'awkward' moment in RD's cycle!
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Correct me if I am wrong since it has been a while but going by the rule group you are showing and the Full Alert presentation....isn't that from an earlier version of RegDefend whereby there was no way of knowing what event was being alerted to ?

    As for the newest version of RegDefend as it relates to that reg key rule....the only event RegDefend logs of the 6 events it can monitor is Read Value....and this happens on start up of ewido.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm using RD 2.001, which is the latest full release (as opposed to the beta bundled with AD). However I use my own Rulesets, which include earlier rule Groups to which I have added many later rules/Groups, culled from various sources.

    The events I'm protecting on this value are as per screenshot below. RD popped up a balloon alert at boot-up informing me it had blocked ewido from setting a value on the Key in question. Consulting RD's log (and I have to disable RD to read its log because of ewido's endless writes!) confirmed that ewido had attempted to set the data:-

    [REG_SZ] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    on the 'common startup' value of the Shell Folder Key. This is clearly incorrect, so I must conclude that there is a problem in the way RD is presenting its information. When I'm using my super-paranoid ruleset which covers a huge amount of ground, I often notice that RD is recording ewido's startup value as the data being set on a wide range of Keys and this cannot be right. However this is the first time I've received a 'Block' alert on a Key plausible for 'normal' startups (albeit not from the Registry as such) which is why I posed the question.
    None of this happened with ewido 3.5, which did not have the write bug, but the main source of confusion is certainly emanating from RD!

  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I can only speak for what alerts RD is giving on this end and can only conclude that with the same setup that you are showing RD does not alert to a Read Value. However....since that's not an ewido problem I'll bail out of this one so as not to take it further OT about RD.