RD blocking Online Armor

Discussion in 'Ghost Security Suite (GSS)' started by Rilla927, Jun 19, 2006.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi folks,

    How could I go about making a rule for Online Armor? RD has blocked it on its own. See screen shot.

    Thanks for any help.
     

    Last edited by a moderator: Jun 24, 2006
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Ah Rilla - well you did ask about auto-blocking in another thread and now I think you've got your answer. :D

    Auto-blocking is a nuisance because you only find out about it when you look at the log; then you must manually create an application rule.

    To do that click configure, then click 'Application Rules' in the left hand pane. Now in 'Group Name' (at the top of RH pane) you type Online Armor (or whatever the prog involved is called). In 'Filename' you must give the full file path of OA (I don't know what that is, but you will find it in your RD log). Finally click the Add Group button to create the OA (or whatever) group.

    Now you must click the Add Rule button, which brings up a box into which you insert the rule involved, namely HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

    In the Value section I would leave a *.

    Click to add the rule, then select it in the main pane and below you will see a section in which you click to allow 'Set Value' to be selected (if it later transpires that you need to allow it to delete values and delete and modify keys then allow that as well).

    This all happened because OA was trying to do things at an early stage of boot-up and RD could not pop a box up at you. Whether it is desirable to have Reg protection from both RD and OA (if that is what you are doing) I will leave for someone more knowledgeable than me to answer. ;)
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks Topper!

    I know I asked before, but didn't quite get it, sorry:doubt::doubt:

    The part that confuses me is knowing what key to allow such as create key, modify key, read key, read value, etc.

    Before when I asked I never made a rule for Adwatch because I uninstalled it. It's a little bit confusing but I will catch on.

    In the Value section is there always supposed to be an * when you make a rule? If not, what else would be there?

    Thanks for your help;)
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    from the online FAQ:

    Advanced Wildcards
    It is a well laid out FAQ Rilla and would be a good read IMHO.

    Regards,
    Bubba
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Now, Bubba, how would I know if the * was supposed to be there or not? That's why I asked.

    I did go over the help file and it's alien to me. Everyone doesn't perceive things the same way. That's why I posted.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    In your specific example you could have inserted 'Common startup' as the Value on the Key. But since OA is a trusted app you might just as well allow it to set whatever values it likes. It may not want to set data to other values on this Key, but it will save you from being auto-blocked again if it does want to.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That's why I offered the FAQ which explains what the * is for :blink:
    Apologies....I assumed the graph Jason made concerning the wildcard * would be straightforward enough :doubt:

    I'll give it a go using pretty much one of the same examples in the Help file.

    Let's say you wanted to protect the String\Binary\DWORD values in the GhostSecuritySuite key but were not interested in protecting any keys found under the GhostSecuritySuite key....the versions key in the pic below. You would place an * wildcard after the name GhostSecuritySuite as part of the Key section of your rule. It will then protect any values pertaining to that key but will not protect any of its subkeys....the versions key in this example.

    "When used in registry keys it will only match up until a backslash (\) is found."


    What one will see if they are looking at a registry entry via regedit:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite....We are interested in protecting this key's String\Binary\DWORD values only.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite\versions....it will not protect the versions key because it is after the backslash (\)
     

    Last edited: Jun 20, 2006
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm extremely sorry Rilla, but I think I may have caused some confusion with my previous post.

    The trouble is I'm using my own Ruleset rather than the Tony one. In my case I am indeed protecting all values on that Key by use of a wildcard, and therefore it might be sensible for me to create an application rule using a '*'.

    But I've suddenly realised that the Tony rules may be different. If you look at the appropriate rule in your Global Registry Rules and find that it is only protecting the 'Common startup' value, then you should put that in your application rule instead of '*'.

    If you used the * in that case you would just log events that were not even protected against!

    So have a look for the rule and if it is only protecting 'Common startup', that is what you should put in your app rule. Just have it set values too.

    Apologies for my brain lapse; however, what Bubba says about the wildcards is correct in any case.
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    No, Bubba, you're fine. The help file I looked at had a black background and it was very hard to read, and like I said, even though I read the majority of it I still didn't understand it. Sometimes I can read something ten times and not get it, and the eleventh time a light bulb goes off. Don't ask me, it's weird.

    Oh, okay! I wasn't aware that it only protects the key up to the backslash. I wish I had the level of knowledge you guys have with this program.

    Thanks Bubba that did help me;)
     
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    No biggie! Topper, I was confused from the start with RD. The only thing I can do is laugh at it:eek::eek: and learn.

    Are you talking about the "current version run" key(s) under Auto Starts which is under Global Registry Rules? I hope I understood that correctly. Let me know if this is correct. If it is I can give you a screen shot.

    Ya, remember I said I didn't get but one alert after I installed it but RD said 140. That was puzzling to me.

    You're allowed, we all have them from time to time;)
     
    Last edited by a moderator: Jun 20, 2006
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You just need to search for

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

    and, if you aren't sure what Group it is in, the simplest way is to click Configure then click the 'Key' heading of the list in the main pane. That will put everything into alphabetical order so you can scroll down to it.

    As I say, I have a strong suspicion your ruleset will only be protecting the 'Common startup' value and so that is what you should put in your rule.
     
  12. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Topper here is a screen shot.
     

    Last edited by a moderator: Jun 24, 2006
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Ah yes, so by the use of wildcards a single rule is covering both these Keys:-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders

    And both these values:- Common Startup, Startup

    That is very odd, because 'Startup' only appears in the HKCU version of these keys, while 'Common Startup' appears in the HKLM version. So to be logical the rule you have highlighted should only refer to Common Startup and not *Startup.

    Only Tony Klein could explain why this is, but it could be an error. If it is, then it is a very unimportant one since you are still protected either way.

    If you had received a pop-up from RD and clicked to allow always, then the app rule created would be as follows:-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\*Shell folders *Startup

    If you prefer you can use that in your App Rule, or you can use the Key/Value as they appear in RD's log. The choice is yours, either will work.
     
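    The two wildcard behaviours discussed in this thread (Bubba's point that a * in the Key part stops at the next backslash, and the *Shell folders / *Startup rule Topper quotes above) can be tried out with a small script. This is an added example, not RegDefend's own code or matching engine: it assumes registry names compare case-insensitively and that a * in the Value field matches anything, and the registry writes it checks are constructed samples, not entries from anyone's log.

```python
import re

# Wildcard semantics as described in the thread: in the Key part a '*'
# stops at the next backslash (so it never reaches into subkeys); in the
# Value part it is assumed here to match any run of characters.
KEY_STAR = r"[^\\]*"
VALUE_STAR = r".*"


def _to_regex(pattern: str, star: str) -> re.Pattern:
    """Turn a rule pattern into an anchored regex, each '*' becoming `star`.

    Registry names are case-insensitive, so the match is too (assumption
    that RegDefend compares the same way).
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + star.join(pieces) + "$", re.IGNORECASE)


def rule_matches(rule_key: str, rule_value: str, key: str, value: str) -> bool:
    """True if a (key, value) registry write falls under the rule."""
    return bool(_to_regex(rule_key, KEY_STAR).match(key)) and bool(
        _to_regex(rule_value, VALUE_STAR).match(value)
    )


def rule_coverage(rule_key: str, rule_value: str, writes):
    """Return the subset of (key, value) pairs the rule would cover."""
    return [(k, v) for k, v in writes if rule_matches(rule_key, rule_value, k, v)]


# Constructed sample writes (not taken from any real RD log).
GSS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite"
EXPLORER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer"
SAMPLE_WRITES = [
    (GSS, "InstallPath"),                         # covered by GhostSecuritySuite*
    (GSS + r"\versions", "Current"),              # subkey: '*' stops at the backslash
    (GSS + "Backup", "Path"),                     # sibling key sharing the prefix: also covered
    (EXPLORER + r"\Shell Folders", "Common Startup"),
    (EXPLORER + r"\User Shell Folders", "Startup"),
    (EXPLORER + r"\Shell Folders", "Desktop"),    # value does not end in Startup
]

if __name__ == "__main__":
    for rule in [(GSS + "*", "*"), (EXPLORER + r"\*Shell folders", "*Startup")]:
        print(rule, "covers:")
        for k, v in rule_coverage(*rule, SAMPLE_WRITES):
            print("   ", k, "|", v)
```

    The GhostSecuritySuiteBackup line shows the side effect of a trailing *: any sibling key that starts with the same name is covered too, so it is worth checking a wildcard rule against the keys that actually exist before relying on it.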
  14. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Topper, what do you suggest? The other key may have been from me authorizing a program, no?

    Rilla927
     
  15. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If by "other key" you are meaning of the Global Registry Rules shown in your pic....those will only show as new additions if the user manually added an entry or the Tony rules have been updated.

    If you authorize a program(via an Allow\Block alert) to add the entry....it will show up in the Application Rules section either as a new program entry or as an addition to a program entry that is known to RD by that exact Group Name.

    Rilla, would you mind doing me a favor and uploading a copy of your Tony.gsr file as an attachment to a post, please.

    As you may know, you will have to change the .gsr extension to one of the extensions we accept, like .txt.

    Thanks,
    Bubba
     
    Last edited: Jun 21, 2006
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Bubba,

    You want a copy of the .gsr file that is in Ghost Security folder from program files, correct?
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Am I assuming correctly that you are still using Tony's rules ?

    If so....it will be the Tony.gsr file that I was wanting to take a look at Please.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I have been using Tony's files as he updates them on the Ghost forum. They haven't caused any problems with Online Armor, or for anything in reality.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Agreed....they are top notch but they can be added to and\or modified. It's those possible modifications\additions which I was wanting to peek at ;)
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Okay! Here ya go.
     

  21. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Peter I accidentally clicked on alert from RD and blocked OA. I have never used this program before. I needed help to make a permanent rule for OA.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Just out of curiosity, did you just try deleting everything for OA in Regdefend, and then letting it build a new rule? I've never tried that, but in theory it should work.
     
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Rilla,

    While I do not see any earth shattering problems with the 16 additional Application Rules you have made....I do see certain items of interest. How you really feel about some of these additions you have made will determine what could be suggested.

    Some for-instances regarding certain block rules created for certain programs. The below items will come into play when uninstalling the programs or when you attempt to disable\enable them in regards to running on startup.

    For instance....if you ever uninstall QuickTime or Online Armor....their associated Run entry will forever remain in the Run key.

    HKLM\Software\Microsoft\Windows\Currentversion\Run**

    • quicktimefullinstaller.exe DELETE VALUE
    • qtplugininstaller.exe DELETE VALUE
    • qttask.exe SET VALUE
    • quicktimeupdatehelper.exe SET VALUE
    • oasrv.exe DELETE VALUE
    • ctfmon.exe DELETE VALUE
    If I had to make a suggestion @ this moment in time it would be to shut down RegDefend and remove the present Tony.gsr file. I would then re-download the present Tony.gsr file if you don't have it already saved and then place it in the proper folder location. I would then suggest you start RD and re-enable the Tony rules. At that point in time ask in this thread as many questions as you feel are necessary until the comfort level of having RD enabled reaches a point that that light bulb goes off ;)

    HTH,
    Bubba
     

  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    When I installed QuickTime it always wanted to run on start up; that's why I blocked it. Should I just disable RD when I install/uninstall a program? I probably should have stopped it from starting up straight from the program itself instead of RD?

    I gather, you mean none of these values belong under this key.

    Yes, I kept the original copy of Tony's ruleset. Will the programs that are not in TK's ruleset be auto blocked or ask user? I thought it was ask user. Now, I thought I remember if I exit the ghost icon in system tray you don't get alerts from RD therefore they will be auto blocked, correct?

    Since you suggested reinstalling RD, it would probably be a good idea for me to open all my programs that are not in TK's rules in order to make permanent rules for them so they don't get blocked in any way by auto block.

    Bubba thanks a lot, I do appreciate your help in more ways than you know:)
     
    Last edited by a moderator: Jun 24, 2006
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There was nothing wrong with your choice. You are the one in control and whether you use the selection in QT or RD....is immaterial because either way the RUN registry entry does not get added.

    I personally can't answer with Yes\No to something that needs to be your decision. I will say that is a very good way to not only learn about RD and how it reacts to registry additions but to some degree certain aspects of a program's install/uninstall routine. That in itself helps with your understanding and keeping in control of what's going on.

    So there is no misunderstanding on my part with what you mean, and so that you do have the latest Tony.gsr file....you will always find the latest file in this post until such time that that ruleset becomes the RD standard.

    You are correct....it is Ask User.
    Correct

    My pleasure ;)
     