RD Issue(s)

Discussion in 'Ghost Security Suite (GSS)' started by redwolfe_98, Jun 1, 2006.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    nothing major.. i had a regkey that i wanted to permanently block so i set an "always block" rule in the app-rules.. the problem was that every time the key was blocked there was an RD balloon-alert that popped up, which was irritating..so i disabled balloon-alerts, in the registry, and now i don't see the balloon-alerts..

    should i have blocked the regkey with a global rule instead of, like i have, with an app-rule?

    another thing, which i have mentioned before.. when i try to add spywareguide's "blocklist" to the registry, RD does not pop up any alerts, asking if i want to allow or block the regkeys.. then it takes some time for the blocklist to finish being added to the registry while nothing about the regkeys' being added to the registry is logged..

    if i create a "regedit" app-rule for what the "blocklist" is doing, which RD should be asking me for in a popup-alert, then the blocklist installs very quickly, and the regkeys are then logged by RD..

    there is some issue when adding the "blocklist" to the registry where RD does not flag the "blocklist".. (maybe the "blocklist" is too large for RD to handle?)

    if i am "installing" "IESPYAD", another reg-file, RD doesn't have a problem with it.. RD pops up alerts, as it is supposed to.. RD flags "IESPYAD", but not the "blocklist"..

    i will attach the "blocklist" reg-file for anyone that wants to test with it, but note that there is not an "uninstall" for the "blocklist" (unless you have "erunt" and so you can roll-back the registry).. (change the "txt" extension to "reg" to convert the "txt-file" to a reg-file)

    regarding the regkey that i blocked, that brings up another issue, but it is not an RD-issue.. the regkey is an "activex compatibility" key.. supposedly, i have a killbit for it, but the regkey installs right over the killbit.. it makes me think that activex compatibility-killbits are useless..

    Attached Files:

    Last edited: Jun 2, 2006
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just a thought :doubt: In the content of that file it states....Generated on : 2006-3-06. If the 3 represents March....I would think those entries are already residing in the appropriate IE ActiveX Compatibility registry location either from them being entered before with this Spywareguide file or by the use of Spywareblaster....which means you should not get an alert but you should see the slowness while they are being added :doubt:

    Also....correct me if I am wrong but did not this post also concern what you are seeing in regards to Spywareguide and did not Tony's post adequately answer this regkeys were already in the registry concern :doubt:

    I agree that is not an RD issue and perhaps it could be discussed in a more appropriate Forum but in any case I believe I am understanding what you are saying but I do believe you have a misunderstanding of ActiveX kill-bits. However....without further clarification I wouldn't be able to comment :doubt:

    Bubba
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    yes bubba, i mentioned the issue before, but i don't think that it was recognized that there actually was a problem, which i think should be looked into, which is why i brought it up again (after doing some more testing)..

    if i create the app-rule for "regedit" that RD SHOULD be prompting me for in a popup-alert when installing the "blocklist", then RD seems to behave as it should: installing the "blocklist" doesn't "hang" and, at least, some of the regkeys that are being "added" to the registry by the blocklist-install are logged by regdefend..

    if i create just a small partial list of the items in the "blocklist" and try adding that to the registry, then RD throws up alerts the way that it is supposed to..

    i don't understand why RD will not flag the "blocklist".. maybe the "blocklist" is too large for RD to handle?

    i uploaded the blocklist file hoping that someone would try experimenting with it so that they could see what i am talking about..
    Last edited: Jun 2, 2006
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    bubba, the "activex compatibility regkey" that i was blocking was

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

    the "CLSID" is related to "windows media player".. the "killbit" for that was on one blocklist that i found, but it is not on the others, so maybe it shouldn't be used.. however, a MS-article was cited that referenced the "killbit":

    http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

    if i don't block the regkey with RD, it writes over the killbit..

    i stopped blocking the regkey seeing that it is not on any blocklists except for the one, and that "allowing" it, up 'til now, has not done me any harm..

    the regkey comes up when i am viewing video clips.. i don't know if it is intended to be some kind of exploit, or not..
  5. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    here is what the regkey looks like in the RD logs

    Attached Files:

  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    another "strange" thing is that, in the RD logs, "svchost.exe" is shown with the "wgatray.exe"-icon..

    Attached Files:

  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since this blocklist contains 3618 items....IMHO to properly test this blocklist.reg file you uploaded to determine what if any problems exist a user would have to:

    1) Start with an empty HKLM....ActiveX Compatibility registry key
    2) Have an app-rule for "regedit" concerning ActiveX Compatibility and only that rule in regards to ActiveX Compatibility
    3) Attempt to add the blocklist.reg file

    One would then have to answer the below questions in regards to a possible RD problem in how it adequately or inadequately handles this blocklist.reg file:
    A) With a properly created rule....did RD alert the user to all 3618 individual entries as they were being added ?
    B) If yes....were there actually 3618 items then contained in the ActiveX Compatibility key ?
    C) Did RD record 3618 Set Values in its logging function?

    I can answer Yes to item B above....I'll leave items A and C for you :D

    What I can confirm is that I did take the time and individually answered Allow to the first 50 items contained in that blocklist.reg file. All 50 Set Values were recorded in RD's logging function and they were added to the ActiveX Compatibility reg key. I personally will assume it would work as advertised if I took the time and answered Allow to all 3618 items.

    Please take the above as only my way of helping you determine if there indeed exists a problem as you see it :doubt:
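    Two of the checks this thread circles around can be done offline against the blocklist file itself: whether each ActiveX Compatibility entry actually carries the kill bit (the killbit being overwritten in post 4) and how many entries the file would create (Bubba's question B). The parser below is an added example, not code from this thread or from Ghost Security; the .reg fragment it reads is constructed, using the Windows Media Player CLSID quoted in post 4 plus two placeholder CLSIDs, and it relies on the documented fact that the kill bit is bit 0x400 of the "Compatibility Flags" DWORD.

```python
import re

# Constructed sample in the format blocklist .reg files use: one key per CLSID
# under the ActiveX Compatibility branch, each setting "Compatibility Flags".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400
"Version"="1"
"""

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading the control
ACTIVEX_BRANCH = r"\software\microsoft\internet explorer\activex compatibility\{"

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')

def parse_activex_entries(reg_text):
    """Return {clsid: flags} for every ActiveX Compatibility key in a .reg file."""
    entries = {}
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            path = m.group("path")
            current = None  # keys outside the branch are skipped
            if ACTIVEX_BRANCH in path.lower():
                current = path.rsplit("\\", 1)[1].lower()
                entries.setdefault(current, 0)  # key with no flags value -> no kill bit
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            entries[current] = int(m.group("hex"), 16)
    return entries

def audit(reg_text):
    """Count entries and list the CLSIDs whose kill bit is not set."""
    entries = parse_activex_entries(reg_text)
    missing = sorted(c for c, f in entries.items() if not f & KILL_BIT)
    return {"total": len(entries), "killbit_set": len(entries) - len(missing), "missing": missing}

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

Since regedit exports the same format, running audit() over an export of the ActiveX Compatibility branch taken after the import gives the count question B asks for, and a CLSID that shows up in "missing" is one whose kill bit has been cleared or overwritten.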