Please Stop 5 Second Registry Rewrite

Discussion in 'ewido anti-spyware forum' started by siliconman01, Jun 27, 2006.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    In Ewido 4, Build 172, it writes to the startup registry every 5 seconds...as has already been discussed in another thread. Please, Ewido Developers, change this practice. It is driving other security programs NUTS that monitor and/or log entries into the RUN registry keys. RegDefend for example is getting 17280 logging entries per day from this tactic. Other security programs keep checking to see if the 5 second rewrite is new or possibly malicious.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, I agree. :(

    Maybe we could have the option whether to allow these writes or not?
     
  3. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99
    I'd like to see it corrected as well...
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I think any software monitoring the registry ought to be able to ignore certain user-specified activity (i.e. have a white list), as well as activity that doesn't result in any real changes... And of course, logging ought to be optional, not mandatory. I don't use RegDefend, but can't you create a rule in it to allow ewido to write/delete its Run value, and not log it?

    The funny thing is that if you disable ewido's option to run at start up, it tries deleting its Run value every 5 seconds...

    In any event, I would be somewhat annoyed if they added a registry SSDT hook to ewido, just to satisfy this gripe (which is really due to deficiencies in other software).
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It's new for me. Will the registry write/delete happen even if you are using it on-demand, not running all the time?
     
  6. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99
    I'm using RegDefend but I think I cannot disable the log for a specific piece of software (here ewido).

    What I can do is disable the logging for any software that sets a value under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run**

    @aigle Yes, but only when you open Ewido for scanning. The registry writes will stop when you exit the program from the system tray.
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    There are numerous security programs that provide protection and logging of the Startup registry keys: AdAware, SSM, SpySweeper, CounterSpy and on and on. This ewido technique of continuously rewriting the startup key is unique to ewido. It is not a deficiency in the other security programs that they do not have an option to allow ignoring specific programs that want to write in the Startup registry area or the Startup folder in the Programs list. Personally I have never encountered a program of any type that does this continuous rewriting.

    It's a totally inadequate method of providing "self protection" because all that has to be done by a malicious program is to kill ewido in memory and then remove its startup registry key.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, but I asked this as I know guard.exe is still running even if I exit the programme, so will it write to the registry or not? Can you confirm?
     
  9. Remouald

    Remouald Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    99
    It stops registry writes as soon as you exit ewido even if guard.exe is active. It's ewido.exe that writes into the registry.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.
     
  11. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    This seems to be a bug, it shouldn't rewrite it every time. It should only check if it is set and, if the setting in the startup entries is not identical with the setting chosen by the user, it should be written.

    I'm sorry. We'll correct it asap.

    BR
     
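The two ideas raised in this thread, a startup-key writer that compares before it writes (the fix described in the post above) and a registry monitor that ignores writes which change nothing (the whitelist nameless asks for earlier), are modelled below in one added example. This is not ewido's code, RegDefend's code, or anything from the thread: it runs against an in-memory stand-in for the Run key, and the value name `ewido` and the command line stored in it are assumptions, since the thread does not give them. The constructed attacker events at the end illustrate siliconman01's later point that rewriting the key is no defence once the process itself has been killed.

```python
"""Added example: models the ewido 4 Run-key rewrite bug, the fix described
in the thread (compare before writing), and a monitor-side filter that
ignores writes which change nothing. Everything here is a simulation
against an in-memory registry; no real registry is touched."""
from dataclasses import dataclass
from typing import Callable, Optional

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed value name and command line; the real ones are not given in the thread.
EWIDO_NAME = "ewido"
EWIDO_CMD = r'"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized'


@dataclass
class RegEvent:
    """One line of a Regmon/RegDefend-style log: who touched which value, with what data."""
    process: str
    key: str
    name: str
    data: Optional[str]  # None means the value was deleted


class FakeRegistry:
    """In-memory stand-in for the Run key that records every write or delete it receives."""

    def __init__(self) -> None:
        self.values: dict[str, str] = {}
        self.events: list[RegEvent] = []

    def query(self, name: str) -> Optional[str]:
        return self.values.get(name)

    def set(self, process: str, name: str, data: str) -> None:
        self.values[name] = data
        self.events.append(RegEvent(process, RUN_KEY, name, data))

    def delete(self, process: str, name: str) -> None:
        self.values.pop(name, None)
        self.events.append(RegEvent(process, RUN_KEY, name, None))


def enforce_startup_buggy(reg: FakeRegistry, want_startup: bool) -> bool:
    """Behaviour complained about in the thread: write (or delete) unconditionally on every tick."""
    if want_startup:
        reg.set("ewido.exe", EWIDO_NAME, EWIDO_CMD)
    else:
        reg.delete("ewido.exe", EWIDO_NAME)
    return True


def enforce_startup_fixed(reg: FakeRegistry, want_startup: bool) -> bool:
    """Read first; touch the registry only if the stored value differs from the
    user's setting. Returns True if a write or delete actually happened."""
    current = reg.query(EWIDO_NAME)
    if want_startup:
        if current != EWIDO_CMD:
            reg.set("ewido.exe", EWIDO_NAME, EWIDO_CMD)
            return True
    elif current is not None:
        reg.delete("ewido.exe", EWIDO_NAME)
        return True
    return False


def run_ticks(reg: FakeRegistry, enforce: Callable[[FakeRegistry, bool], bool],
              ticks: int, want_startup: bool = True) -> int:
    """Run the 5-second loop `ticks` times; return how many registry events it produced."""
    for _ in range(ticks):
        enforce(reg, want_startup)
    return len(reg.events)


def classify_events(events, allow=frozenset()):
    """Monitor-side filter: replay the log keeping last-known data per value name
    and label each event:
      noop    - write of data identical to what was already stored, or delete of an
                absent value: pure noise, safe to drop from the log
      allowed - a real change, but by a (process, value name) pair on the allowlist
      change  - data changed by an unlisted process: worth alerting on
      delete  - existing value removed by an unlisted process: worth alerting on
    """
    state: dict[str, str] = {}
    labelled = []
    for ev in events:
        prev = state.get(ev.name)
        listed = (ev.process, ev.name) in allow
        if ev.data is None:
            verdict = "noop" if prev is None else ("allowed" if listed else "delete")
            state.pop(ev.name, None)
        elif ev.data == prev:
            verdict = "noop"
        else:
            verdict = "allowed" if listed else "change"
            state[ev.name] = ev.data
        labelled.append((verdict, ev))
    return labelled


def count_verdicts(labelled) -> dict:
    """Tally the verdicts from classify_events."""
    counts: dict[str, int] = {}
    for verdict, _ in labelled:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # 5-second ticks over one day: 86400 / 5 == 17280, the figure quoted in the thread.
    buggy = FakeRegistry()
    print("buggy writes/day:", run_ticks(buggy, enforce_startup_buggy, 86400 // 5))
    fixed = FakeRegistry()
    print("fixed writes/day:", run_ticks(fixed, enforce_startup_fixed, 86400 // 5))
    print("buggy log, classified:", count_verdicts(classify_events(buggy.events)))
    # Constructed attacker events: the process is gone, so the value is simply
    # deleted and another command planted in its place.
    attacker = [RegEvent("evil.exe", RUN_KEY, EWIDO_NAME, None),
                RegEvent("evil.exe", RUN_KEY, EWIDO_NAME, r"C:\Temp\evil.exe")]
    print("after kill:", count_verdicts(classify_events(
        buggy.events + attacker, allow={("ewido.exe", EWIDO_NAME)})))
```

Two things the simulation makes visible: with the startup option turned off, the buggy loop issues a delete on every tick even when the value is already gone (the behaviour nameless noticed), while the fixed loop deletes at most once; and a monitor that keeps last-known state collapses the day's 17280 identical writes to one real event yet still flags the attacker's delete and replacement, even when ewido.exe itself is allowlisted for that value.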
  12. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Any progress on fixing and issuing a program update for this annoying bug? o_O
     
  13. pbparker

    pbparker Registered Member

    Joined:
    Jul 6, 2006
    Posts:
    5
    Me too, I uninstalled until it's fixed. BTW, it isn't 5 second rewrites for me, it's nonstop registry parsing and writing.

    Use regmon at sysinternals.com and you can see how much it's churning away.
     
  14. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    OK, here goes, I'll try one more time.
    I wonder what the outcome will be, I had these spikes shortly after ewido 4 was public.
    But they are gone... and didn't come back.
    In my sig you can see whats running realtime on this box.
    In the attachment you see ewido running and doing a scheduled scan (registry and memory).
    In the next attachment you see ewido running and doing an update.
    Darn: again I can't upload a .gif

    Gerard
     
  15. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    And screenshot 2 (the first not being nice)
     
  16. GWA

    GWA Registered Member

    Joined:
    May 21, 2005
    Posts:
    59
    Location:
    Albuquerque, New Mexico
    As a result of the registry rewrite issue, I have terminated realtime scanning and no longer have Ewido start with Windows. I am using TH for realtime. As soon as this registry issue is corrected, I'll reverse those roles.
     
  17. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Any luck in correcting these issues and releasing an ewido update in the foreseeable future?
     
  18. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Can you explain and tell me where to look for where ewido does this rewriting, so I can check my computer too?

    thanks
    robin
     
  19. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    It shows up by using Ghost Security's RegDefend which guards the Startup RUN registry key. The logger of RegDefend logs an entry every 5 seconds.

    You can also view the file access activity of ewido by installing and running FileMon from SysInternals.

    http://www.sysinternals.com/Utilities/Filemon.html
     
  20. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Does it use up memory or does it use up space?
    And when is ewido going to fix this?

    robin
     
  21. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Yes, and Yes

    That was my question too ;)
     
  22. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    It will be fixed within the next release of the binaries. It is already fixed in the code actually but we need some more fixes and we have to figure out another problem first.

    Regards,
    Vinzenz
     
  23. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Does that mean you will send out an update for this fix in all versions of 4.0, because I have the pro version of 4.00.172 plus?

    Or will you put it in a new version that we will have to download and install over it?

    And how soon do you think this will be?

    robin
     
  24. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    You will probably get the update through automatic update. You don't need to re-install it using the new setup file.
     
  25. vinzenz.ewido

    vinzenz.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    425
    Location:
    Brno, Czech Republic
    Correct.

    I'm sorry I actually don't know. I hope that it will be asap.

    Regards,

    Vinzenz
     