Question on Protection Settings

Discussion in 'Ghost Security Suite (GSS)' started by WilliamP, Sep 13, 2005.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I am considering RegDefend. I am very interested in security, but don't want a program that is going to drive me crazy with popups. In looking at Protection Settings it has [Reading] and [Modifying]. It looks to me that checking Reading will give a lot of popups, and is there any danger in not checking Reading?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi William, there are very few popups with RD in general use, I am very impressed with it, very much a set and forget program.

    Cheers :D
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Hi Blackspear, do you have the read and modify boxes checked? Also is it needed to have the read box checked? How would that provide added security?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have left everything at default settings with RD.

    Cheers :D
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    WilliamP,
    I agree with Blackspear in that you are probably better off using supplied rulesets (either distributed by Jason or "Tested" ones from the forum once they appear for 2.x).

    About the READ permissions, normally they should be left unticked (explanation and example below).

    If you are creating your own rules, then you should tick the fewest number of boxes to trigger on changes to exactly what you want to protect. (Unless of course you want Regdefend to be chatty and give you lots of popups)

    Stopping programs from reading certain registry KEYS and VALUES (that are not normally accessed) probably contributes more often to protecting your privacy than your security. If you are going to do this as a learning exercise, make specific rules and don't use wildcards, as that helps you think about the reason why you are adding the rule in the first place.

    If you choose to restrict reading then you are likely to have more logged block alerts (or more popups if you choose Ask User), and that is another reason why you should give careful thought to what you add for read protection (and preferably avoid wildcards to avoid false positive alerts).

    I can give you an example of one key that you could read protect that could *possibly* give you some additional security when you are being paranoid, but it will also lead to false alerts unless you allow registry scanners/cleaners and a specific rundll execution (for Add/Remove Programs) to read in there (and the various programs that Windows Update uses).

    The keys I am talking about are in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and there is an entry in there for each program you have installed; however, the useful thing that malware might be interested in is the KB###### keys, which show what patches you have applied.

    Now you have to consider if this would be a useful key for most people to have RegDefend protect READ KEY in order to stop malware looking for what patches you have applied?

    I would think during normal use that it's overkill in most cases due to the annoying behaviour you need to deal with to stop false alarms; however, it may be useful to have on a test PC or an infected PC if you are dealing with malware and want to stop it in its tracks while you remove it.

    Example rules that would just notify on read for this key.
    Note: this will *not* add anything useful to your security, but it will lead to quite a few annoying alerts (and for that reason they are not logged to disk).
    Code:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall |  | READ KEY | Ask User | TEST | 10
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall\Kb?????* |  | READ KEY | Ask User | TEST | 11
     
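To make gottadoit's point concrete, here is an added example (not from the thread, not RegDefend code) that reads the same Uninstall key from an ordinary, unprivileged PowerShell session and lists what any process that can read it learns: the installed software plus the KB entries that reveal the patch level. The second path (WOW6432Node) is an assumption for 64-bit Windows and was not part of the 2005 discussion.

```powershell
# Added example: what a reader of HKLM\...\CurrentVersion\Uninstall can learn.
# The first path is the one discussed in the post; the WOW6432Node path is an
# assumption for 64-bit Windows (32-bit installers register there).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallInventory {
    param([string[]]$Paths = $uninstallPaths)

    foreach ($p in $Paths) {
        # Skip paths that do not exist on this machine (e.g. 32-bit Windows).
        if (-not (Test-Path -Path $p)) { continue }

        Get-ChildItem -Path $p | ForEach-Object {
            # Each subkey is one installed program or patch; DisplayName and
            # DisplayVersion are the values Add/Remove Programs shows the user.
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                KeyName     = $_.PSChildName
                DisplayName = $props.DisplayName
                Version     = $props.DisplayVersion
                # KB###### subkeys are the patch entries the post refers to.
                IsPatch     = ($_.PSChildName -like 'KB*')
                SourcePath  = $p
            }
        }
    }
}

$inventory = @(Get-UninstallInventory)
$patches   = @($inventory | Where-Object { $_.IsPatch })

"Uninstall entries readable by this (non-admin) session: $($inventory.Count)"
"KB patch entries (patch level an attacker can fingerprint): $($patches.Count)"

# Installed-software inventory, as a registry scanner or malware would see it.
$inventory | Sort-Object KeyName |
    Select-Object KeyName, DisplayName, Version |
    Format-Table -AutoSize

# Patch entries only: the subset a RegDefend rule such as
# "...\Uninstall\Kb?????*  READ KEY  Ask User" would alert on.
$patches | Sort-Object KeyName |
    Select-Object KeyName, DisplayName |
    Format-Table -AutoSize
```

Run it as a standard user: the key is world-readable, which is exactly why reading it is a privacy rather than an integrity concern. Note that the same legitimate readers gottadoit lists (Add/Remove Programs via rundll32, registry cleaners, Windows Update) perform precisely this enumeration, so a READ KEY rule with Ask User on this key will prompt for them as well. On current Windows releases most updates are no longer registered under Uninstall; `Get-HotFix` (WMI `Win32_QuickFixEngineering`) exposes the equivalent list, and it is just as readable without elevation.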