Please Weigh in on Registry Protection!

Discussion in 'other software & services' started by HandsOff, Mar 13, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hello Reader-

    I would like to think that most of you have some sort of protection against changes made to your registry. I am talking about "resident", real-time blocking of important system file changes. While I am not up on all the terminology, key players and product comparisons, I can say that they are valuable not only for protection but to keep you informed of what your programs are doing behind the scenes.

    I am looking for a good one. I am not all that hard to please, but here are a couple of things I have not liked about the ones I've used.

    The notification area is so small that as often as not the name of the object you are being warned is changing gets truncated so far from the end that you don't even see the last couple of levels of the object's name.

    The notification is a moving notice, demanding you look now or take your chances because it will automatically hide itself.

    Either do not remember your previous answer or don't even ask to remember a particular change.

    Are worded in such a way as to make it unclear if you are being told X is proposing to replace Y, or it is an attempt to change the value X to the value Y.

    Insist on notifying you of every single operation that goes on no matter how small.

    Only give you X microseconds to decide before it decides for you.

    Notify you of something, but you would need a PhD in computer science to know what.

    Soooooooo, any ideas?



    - HandsOff
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HandsOff,

    For me, I am very pleased with the combination of RegRun and RegDefend. One feature of RegRun that may suit you is that it has adjustable security settings. The highest security setting can drive you crazy with alerts; the medium setting is fairly quiet but secure. RegRun, like most registry monitors, is a poller, meaning that it periodically scans for and spots changes after they are made and offers you the ability to undo. The risk to that method is that malware could, for example, make the changes, kill the registry monitor, and reboot your system. RegDefend proactively protects the registry by requiring permissions for processes to access the registry.

    Nick
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks Nick! As usual, some good information from you.

    It appears I may have been a little too critical of registry protectors; it's just possible that I may have even sounded a bit hard to please after all!

    The thing is, I don't like being confronted by my ignorance all of the time, and so many of these programs erode my confidence by asking me to make yes and no decisions that appear to be of critical importance... and I have no clue what the alert is about.

    Anyway, I decided to try DCS RegistryProt. It is free. It is efficient. It is powerful. Just by reading their overview I got that it is NOT a polling monitor. It hooks into key spots in the registry? I don't understand the method but I do understand the superiority of the method (if it does what it says it does). See, I have become an expert on the subject.


    Oops, I clicked on post and not upload, so I am adding this comment and will just say that all I get are glimpses: Visual Basic shell, NAME = ... what does that mean? Something about script... only it seems to me there are entries of a similar format in ASViewer... so I am guessing something is being placed in autostart... It must be reporting itself?


    - HandsOff

    For some reason I really, really like DCS programs. ASViewer and RegistryProt 2.0 are both alike in that they give more complete information than the others, but who knows what they mean?

    Please, if you could spare the time to look at this one you can see what I mean.
     

    Attached Files:

  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    See what I mean. This is what I have seen in ASViewer (auto start viewer), also by DCS. I know something... but what?


    - HandsOff
     

    Attached Files:

  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HandsOff,

    In case you missed it, hojtsy maintains a definitive registry monitor comparison here: Registry Monitor comparison. I used DCS Registry Prot for quite a while but eventually settled with RegRun because of its wider coverage.

    Nick
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I have the same entries in ASViewer. They associate files with script extensions (.js, .vbs, or .wsf) to wscript.exe (Microsoft Windows Script Technologies). They are autostarts in the sense that if you double-click a script file, wscript.exe is then executed.

    Nick
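    The following is an added example written for this thread, not code from RegRun, RegDefend, RegistryProt or ASViewer. It shows, in miniature, the polling approach Nick describes in post #2 (snapshot, poll again, diff, show what changed after the fact) and applies it to the script-extension associations he explains above: a .js/.vbs/.wsf open command that no longer runs through wscript.exe or cscript.exe is the kind of entry a reader would want called out by name. The two snapshots are constructed text in the .reg export format; on a live system they would come from `reg export` or Python's `winreg` module, and the ProgID names VBEFile, JSEFile and WSFFile are the standard Windows ones, not taken from the thread.

```python
"""Core of a polling registry monitor: snapshot, diff, targeted check.
Added example; the .reg text below is constructed sample data."""
import re
from typing import Dict, List, Tuple

# (key path, value name) -> decoded value; "" is the key's default value (@)
Snapshot = Dict[Tuple[str, str], str]

# Constructed baseline: one Run entry, script classes wired to WScript.exe.
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"
"""

# Constructed later poll: a new Run entry and a rewritten .js handler.
LATEST = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Temp\\constructed_sample.exe"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="\"C:\\Temp\\constructed_sample.exe\" \"%1\""
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(v: str) -> str:
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return _unescape(v[1:-1])      # REG_SZ
    if v.startswith("dword:"):
        return str(int(v[6:], 16))     # REG_DWORD is written as hex
    return v                           # hex(...) types kept verbatim


def parse_reg(text: str) -> Snapshot:
    """Parse a .reg export into a flat {(key, name): value} snapshot."""
    snap: Snapshot = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            snap[(key, name)] = _decode_value(m.group(3))
    return snap


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str, str, str]]:
    """Each result is (change, key, name, old_value, new_value), sorted by key."""
    changes = []
    for k in sorted(set(old) | set(new)):
        if k not in old:
            changes.append(("added", k[0], k[1], "", new[k]))
        elif k not in new:
            changes.append(("removed", k[0], k[1], old[k], ""))
        elif old[k] != new[k]:
            changes.append(("changed", k[0], k[1], old[k], new[k]))
    return changes


# Script ProgIDs whose Open command should invoke a Windows Script Host binary.
SCRIPT_CLASSES = {"VBSFile", "VBEFile", "JSFile", "JSEFile", "WSFFile"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def unexpected_script_handlers(snap: Snapshot) -> List[Tuple[str, str]]:
    """Script-class open commands that no longer run through wscript/cscript."""
    hits = []
    for (key, name), value in snap.items():
        parts = key.split("\\")
        is_open_cmd = key.lower().endswith(r"\shell\open\command") and name == ""
        if len(parts) > 1 and parts[1] in SCRIPT_CLASSES and is_open_cmd:
            if not any(host in value.lower() for host in SCRIPT_HOSTS):
                hits.append((key, value))
    return sorted(hits)


def report(changes, hits) -> List[str]:
    """One line per finding, with the full key path (never truncated)."""
    lines = [f"{c[0]:<8} {c[1]}\\{c[2] or '(Default)'}: {c[3]!r} -> {c[4]!r}" for c in changes]
    lines += [f"handler  {k}: {v!r} does not invoke a Windows Script Host" for k, v in hits]
    return lines


if __name__ == "__main__":
    before, after = parse_reg(BASELINE), parse_reg(LATEST)
    for line in report(diff_snapshots(before, after), unexpected_script_handlers(after)):
        print(line)
```

    Real `reg export` files are usually UTF-16 with a byte-order mark, so decode them before handing the text to `parse_reg`. The diff only sees what the poller asked for, which is the limitation Nick points out: anything that happens and is undone between two polls, or that stops the poller first, never appears in the report.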
     
  7. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hey Nick,

    Well, as a matter of fact I did miss it! I suppose it is a good idea to list those file associations. I have read that sometimes malware can associate itself with other programs this way. My problem is that since I don't really know the syntax of the assignment and the names of the legitimate files, I doubt I would actually spot anything there unless it called itself "fileassociationofdeathanddestruction", which they actually might, considering some of the names they do use.

    At first I thought coverage was important. I will take a look, but I might be shifting my emphasis. The polling vs. non-polling seems important, even from a resource conservation standpoint.

    One time I tried the ProcessGuard (DCS) trial but it seemed too complicated. However, just supposing one grabbed the free 1-process version and tied it to RegProt. That would seem like a strong protection. A strong, free protection. Do you think it would be worthwhile to give PG another look?


    -HandsOff
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HandsOff,

    If I were forced to run only one security app, it would be PG. The execution protection available in the free version alone makes it worth using. Another option for you might be combining PG free with Ad-Aware's Ad-Watch, which monitors parts of the registry as well.

    Nick
     
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Nick,

    You know, I really did like the Ad-Watch part of Ad-Aware. It was my first experience with this type of protection and back in those days it made me favor Ad-Aware over Spybot S&D.

    That is an extremely strong endorsement for PG. Malware seems to be getting extremely hard to detect. Certain software companies seem as though they want to give you just enough protection to survive for another few days, but DCS actually seems to be substantially adding to the control of the user. You see it in Port Explorer, Taskman, PG, APC...

    I'm a little frustrated now because it is starting to look like I have been infiltrated by a trojan since about January. I happened to notice a file called iis6.log, which I think is a server process log for 2003 Server. It says some stuff like

    [3/6/2005 19:54:45] Initial thread locale=409
    [3/6/2005 19:54:45] returned from France fix with locale 409
    [3/6/2005 19:54:45] OC_PREINITIALIZE:[iis] End. Return=1 (OCFLAG_UNICODE)
    [3/6/2005 19:54:45] OC_INIT_COMPONENT:[iis,(null)] Start.
    [3/6/2005 19:54:45] OC_INIT_COMPONENT:1/3/2005 20:41:31 ________ 6.0.2600.1106: 6.0.2600.1106 (xpsp1.020828-1920): x86: C:\WINDOWS\System32\Setup\iis.dll

    I posted about it in the trojan forum, but my point is I have had a lot of security programs running, and I keep a close eye on my running processes, but it just doesn't seem enough. There are tons of processes that appear legitimate. Anyway, I'm not sure what would have stopped it... maybe PG.

    Always good to get your input. I'm going to have this computer locked down yet!


    -HandsOff
     