problem getting rule to work

Discussion in 'Ghost Security Suite (GSS)' started by nick s, May 25, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi all,

    I was playing with a rule to restrict access to the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key and cannot get it to work. The rule is isolated in its own group and all other groups are disabled. I get no alerts when I add keys or modify values using regedit. The APO list is empty. Am I missing something obvious in the wildcards?

    Thanks,

    Nick
     

    Attached Files:

  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    603
    Location:
    Australia
    Nick,
    Have you tried monitoring whilst you make your changes ?

    And something you might find useful is to do a copy on the rule (^C) that copies the rule as text for easy pasting into a post and it allows other people to easily paste it in to try it out...
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    603
    Location:
    Australia
    Nick,
    Looks like an unintended RD feature...
    If I use the actual location rather than the link (currentcontrolset) I get the alert

    Try this rule, it gives an alert for me
    Code:
    hkey_local_machine\system\controlset*\control\safeboot* | * | Key + Value | Mod Key, Mod Value | Ask User
    The alert I got was
    Code:
    regedit.exe [2668] was allowed to set this value to cmd.exi | 14:56:45 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
    regedit.exe [2668] was allowed to set this value to cmd.exe | 14:56:50 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    You'll need to add both (currentcontrolset and controlseto_O), simply because malware could use both. :)
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi gottadoit,

    Works here too :). I see what you mean.

    Thanks,

    Nick
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.