problem getting rule to work

Discussion in 'Ghost Security Suite (GSS)' started by nick s, May 25, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi all,

    I was playing with a rule to restrict access to the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key and cannot get it to work. The rule is isolated in its own group and all other groups are disabled. I get no alerts when I add keys or modify values using regedit. The APO list is empty. Am I missing something obvious in the wildcards?

    Thanks,

    Nick
     

    Attached Files:

  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Nick,
    Have you tried monitoring whilst you make your changes?

    And something you might find useful is to do a copy on the rule (^C) that copies the rule as text for easy pasting into a post and it allows other people to easily paste it in to try it out...
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Nick,
    Looks like an unintended RD feature...
    If I use the actual location rather than the link (currentcontrolset) I get the alert

    Try this rule, it gives an alert for me
    Code:
    hkey_local_machine\system\controlset*\control\safeboot* | * | Key + Value | Mod Key, Mod Value | Ask User
    The alert I got was
    Code:
    regedit.exe [2668] was allowed to set this value to cmd.exi | 14:56:45 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
    regedit.exe [2668] was allowed to set this value to cmd.exe | 14:56:50 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    You'll need to add both (currentcontrolset and controlseto_O), simply because malware could use both. :)
     
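    The thread's finding is that HKLM\SYSTEM\CurrentControlSet is only a link: the kernel performs the write on the concrete ControlSet00N key (here controlset004), so a rule that spells out the link name can miss the event while a rule on the concrete name fires. The script below is an added illustration, not GSS or RegDefend code, and it does not describe how the product matches internally. It parses the pipe-separated rule and alert lines quoted in the thread, reconstructs the link-to-concrete mapping from an assumed HKLM\SYSTEM\Select\Current value of 4 (hard-coded so it runs off a Windows host), and shows how normalising a key path to both spellings before matching closes the gap Jason_R0 describes. RULE_LINK is an assumed reconstruction of Nick's original rule, which is only in his attachment.

```python
import fnmatch

# Constructed sample: the number stored in HKLM\SYSTEM\Select\Current on the
# test machine. Windows resolves the CurrentControlSet link to ControlSet00N
# using this value. On a real host you would read it with winreg; it is
# hard-coded here so the example runs anywhere.
SELECT_CURRENT = 4

# The two alert lines quoted in the thread (the first records a typo of .exi).
SAMPLE_ALERTS = [
    r"regedit.exe [2668] was allowed to set this value to cmd.exi | 14:56:45 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST",
    r"regedit.exe [2668] was allowed to set this value to cmd.exe | 14:56:50 - 26 May 2005 | HKEY_LOCAL_MACHINE\system\controlset004\control\safeboot | alternateshell | c:\windows\regedit.exe | !! TEST",
]

# gottadoit's rule from the thread, written against the concrete ControlSet00N name.
RULE_CONCRETE = r"hkey_local_machine\system\controlset*\control\safeboot* | * | Key + Value | Mod Key, Mod Value | Ask User"
# Assumed reconstruction of Nick's original rule, written against the link name.
RULE_LINK = r"hkey_local_machine\system\currentcontrolset\control\safeboot* | * | Key + Value | Mod Key, Mod Value | Ask User"


def parse_rule(rule_text):
    """Split a rule line 'key | value | scope | events | action' into fields."""
    fields = [f.strip() for f in rule_text.split("|")]
    if len(fields) != 5:
        raise ValueError("expected 5 pipe-separated fields, got %d" % len(fields))
    return {
        "key": fields[0].lower(),
        "value": fields[1].lower(),
        "scope": fields[2],
        "events": [e.strip() for e in fields[3].split(",")],
        "action": fields[4],
    }


def parse_alert(line):
    """Extract (key path, value name) from an alert line 'msg | time | key | value | exe | rule'."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError("expected 6 pipe-separated fields, got %d" % len(fields))
    return fields[2], fields[3]


def aliases(key_path, current=SELECT_CURRENT):
    """Return every spelling a key path can appear under: the link form
    (currentcontrolset) and the concrete form (controlset00N) of the same key."""
    path = key_path.lower()
    prefix = "hkey_local_machine\\system\\"
    link = prefix + "currentcontrolset"
    concrete = prefix + "controlset%03d" % current
    forms = {path}
    if path.startswith(link):
        forms.add(concrete + path[len(link):])
    elif path.startswith(concrete):
        forms.add(link + path[len(concrete):])
    return forms


def matches(rule, key_path, value_name, expand=True):
    """True if the rule's key and value wildcards cover this event. With
    expand=True the key is compared in both its link and concrete spellings;
    with expand=False only the literal path from the event is used."""
    candidates = aliases(key_path) if expand else {key_path.lower()}
    key_hit = any(fnmatch.fnmatchcase(c, rule["key"]) for c in candidates)
    value_hit = fnmatch.fnmatchcase(value_name.lower(), rule["value"])
    return key_hit and value_hit


def evaluate(rule_text, alerts=SAMPLE_ALERTS, expand=True):
    """Run one rule over the sample alerts; returns a list of booleans."""
    rule = parse_rule(rule_text)
    return [matches(rule, *parse_alert(line), expand=expand) for line in alerts]


if __name__ == "__main__":
    for name, text in (("concrete", RULE_CONCRETE), ("link", RULE_LINK)):
        print("%-8s literal match: %s  with alias expansion: %s" % (
            name, evaluate(text, expand=False), evaluate(text, expand=True)))
```

    Run stand-alone, the concrete rule reports True for both alerts either way, while the link-form rule reports False on the literal path and True only once the alias expansion is applied. The defensive takeaway is the one the thread reaches: keep both spellings in the rule, or normalise the path before matching, because the write is always recorded under the concrete name.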
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi gottadoit,

    Works here too :). I see what you mean.

    Thanks,

    Nick
     