Reg Defend or Wormguard -Which would be best purchase over the next few days and why?

Discussion in 'Ghost Security Suite (GSS)' started by zoril, Mar 15, 2006.

Thread Status:
Not open for further replies.
  1. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi there:)

    I have reached a point where I must stop buying software. I do have some excellent security programs including Win Patrol/Nod32/WebrootSpySweeper/SpywareDoctor/BOC/Trojan Hunter/Windows Defender Beta2/Process Guard/Super Ad blocker. Re the Firewall, currently I use the Windows XP one, although I am thinking of trying the free Ghostwall one - although this is probably not the best place to discuss Firewalls:)...

    The one thing now that is important is what might infect the registry and I am in a real quandary whether to buy Reg Defend or Wormguard over the next two or three days. Both appear to be very similar and I am unable to tell the difference - even after reading the two pages!

    In the past I have purchased software based on the recommendations of people like Tony Klein. I have never regretted any purchase so far....

    Can anyone point out differences between the two programs? Which is the most memory intensive? Do both do the same job? Prices seem the same for both. Anyone who has both would maybe know which is the more user friendly? Are there any known compatibility issues etc?

    It is knowledgeable people in forums like this that can offer better advice than myself simply downloading short trials, the results of which I could not determine anyway or analyse in any educated way.

    Any replies greatly appreciated....

    Howard:)
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Wormguard is not really useful against most viruses/trojans/spyware/adware where RegDefend is useful against all the above plus some worms.

    Edit: I'm not trying to downplay Wormguard, just saying it's more specialized towards worms and scripts, not viruses/trojans/spyware/adware.

    No, RegDefend protects by keeping certain parts of the registry from being modified without your approval. Wormguard protects from scripts and so forth.

    To my knowledge there are very few if any real compatibility issues with either program.

    I hope this helps with your question,

    Chris
     
  3. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hello Chris:)

    Many thanks for the reply. From what you say RegDefend may suit my purpose better in that it is a specialist registry protector with other abilities....

    I would like to think my programs NOD32/BOC/TrojanHunter/WebrootSpysweeper/Process Guard would be adequate re worms and trojans..

    Is there any way of telling which applications (rather than programs) that I should permit to access the registry, bearing in mind that I am no expert? With Process Guard I either recognise the program or not, but would it be as straightforward with registry entries?

    I guess in a nutshell I have reached the point where I want to secure my system as near to 100% as possible without running numerous programs that provide the same function some of which now require annual subscriptions. Reg Defend would appear to provide a function that others currently don't so I might opt for it...

    Howard
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Zoril.

    That's a fairly difficult Q to answer as every computer is different. But, as you're using PG, you should already have a head start. ;)

    The way I play it is that anything that you only 'permit once' in PG, have them as 'permit once' in RD as well, give everything else full permission to modify what they want/need.

    Hope that helps mate :)
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    zoril,
    The two programs really are very different as Chris has indicated. In order for you to consider your options it might help a little if you know a little more about what "WormGuard" does. This reply got a little long so I split it into two parts for readability... this first part is about WG

    Wormguard basically intercepts "executions" (*see below) and scans the data in the file for some keywords and tries to be a little smart by applying some rules before reporting potential security issues. It is dating a little but still provides value in certain circumstances. I'd suggest that you have a look through the WormGuard forum in the past year or two and see if there are any reported instances of WG stopping an infection. I had a brief look and couldn't find any myself, but I did find a thread praising WG and it's good to have a balanced look at things

    There are other alternatives like Script Sentry that provide a lesser level but a similar type of functionality for free. Script Sentry is quite probably less sophisticated in how it searches the file contents and what it searches for. To give you some perspective on how "dated" these products are, Script Sentry was last updated in July 2002. My wormguard executable is dated August 2001

    * These types of products can hook file execution in a number of ways; in the case of both WG and SS these programs use simple documented techniques

    If you use sysinternals autoruns tool with Wormguard installed you can see that it uses an Explorer "ShellExecuteHooks" entry, this will catch executions done in the normal way (but not using a lower level call like CreateProcess for example).

    ScriptSentry does it slightly differently by plugging itself into the execution entry for certain file types; when activated it scans the script file and then calls the original executable. This is unlike WG which does its keyword searching and rule application on all files (including executables). The ScriptSentry mechanism is easily bypassed by calling the scripting executable directly so that the "file type" is not consulted and then the Script Sentry executable is never invoked. Most "normal" scripts that you would run would probably get scanned, but if the script code was passed as a command line parameter to the scripting executable then ScriptSentry is never invoked

    As you can see neither method is foolproof and both methods can be bypassed as well as silently removed by making Registry changes unless you have registry protection.
    Some of the AV products that do heuristic checking (like NOD which you already have) would most probably have code fragments of script that would give at least some "script" matches, after all they have had 3+ years to catch up and overtake either or both of these 2 applications

    NB: Regarding compatibility for WormGuard I found a thread (from 2004) in the WormGuard forum about what seems to be an unresolved issue with invoking System Restore from the Help and Support Centre. It's probably not a show stopper; it might work if you just call system restore directly from the start menu instead

    And see this MS article that mentions CreateProcess bypassing the Shell Execute hook
     
    Last edited: Mar 16, 2006
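
Post 5 above notes that both hook mechanisms live in the registry and can be silently removed there; as an added example (not from the thread or from any product it names), this Python code compares two `regedit` export snapshots and reports changes under the Explorer `ShellExecuteHooks` key and a script file-type open command. The two key paths are standard Windows locations; the CLSID, the `scanner.exe` path and both sample exports are constructed placeholders.

```python
import re

# Keys of the kind the post describes: the Explorer hook list and a script file-type handler.
HOOKS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
VBS_OPEN = r"HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command"
WATCHED = (HOOKS, VBS_OPEN)
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    # Strip .reg quoting and undo its backslash escapes; leave dword:/hex: data raw.
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := _VALUE.match(line)):
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            current[name] = _unquote(m.group(2))
    return keys

def diff_watched(baseline, now, watched=WATCHED):
    """Return (change, key, value_name) tuples for the watched keys only."""
    findings = []
    for key in watched:
        old, new = baseline.get(key, {}), now.get(key, {})
        for name in sorted(old.keys() | new.keys()):
            if old.get(name) != new.get(name):
                change = "removed" if name not in new else "added" if name not in old else "changed"
                findings.append((change, key, name))
    return findings

# Constructed sample exports; the CLSID and the handler path are placeholders.
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-0000-0000-0000-000000000001}"="Execution hook (placeholder)"
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"C:\\Example\\scanner.exe\" \"%1\" %*"
'''
# Later snapshot: hook entry gone, handler pointing straight at the script host.
CURRENT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"C:\\WINDOWS\\System32\\WScript.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for change, key, name in diff_watched(parse_reg(BASELINE), parse_reg(CURRENT)):
        print(f"{change:8} {key} :: {name}")
```

A comparison like this only sees a change after it has been made, so it complements rather than replaces a tool that prompts before the write.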
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    zoril,
    RegDefend intercepts every registry read and change request *prior* to it actually happening, it then has a look in its "rules" to see if it is restricting access for the operation. What this means is that with a "good" set of rules you will be able to be notified of changes and stop them from happening if they are not expected.

    RegDefend is a bit "geeky" at the moment because it does help if you understand what a particular key is for when you are seeing the RegDefend Alert but it does provide some help text "Why am I receiving this alert" and "Should I block or allow" which is very useful if you are not particularly interested in the details of what each registry key is for.

    Regdefend is a very flexible program and if you use a good ruleset (there are several to pick from) you will get very good registry security without a load of unnecessary and meaningless alerts. The important thing is to choose a good pre-built ruleset and have a look at the text that comes out with any alert. If you are installing software that is from a trusted source there is a fairly good chance that you will simply answer yes to most of the prompts.

    After you first install the program you will probably want to use the "always perform the action I take" option for your common alerts. RegDefend is a little more advanced than ProcessGuard in that it asks rather than blocks the first time around

    The value in RegDefend is if you see something unexpected like seeing a request to modify CD/DVD filters and getting prompted about installing a driver when you insert an audio cd
    You would also see added value once you are a little more familiar with the important registry locations and seeing the RegDefend prompts might make you curious to do a quick search every now and again. The benefits then would be that you might recognise that the installation of a program might be asking for access that you would rather not give it, or installing an auto-run program that you didn't want. Basically giving you information to make a more informed choice

    As you have probably seen already, Jason has a new program now called AppDefend and it has a "free" mode after the initial trial. That is quite useful because it allows finer control over process executions than Process Guard does and also provides network control for the applications. The pair of RegDefend and Appdefend are bundled together into a single GUI called Ghost Security Suite and if you only want to use one component you simply set the other one to use the <DISABLED> profile

    There is a free alternative to RegDefend as well, MJ Registry Watcher. It's not in the same "class" as RegDefend because it uses simpler technology to see changes after they have already happened, but it's pretty good for the price tag and much better than having nothing at all

    If you chose to get WormGuard (which doesn't seem likely based on your subsequent comment) you should definitely get yourself some Registry Protection and MJRW meets the criteria of "having to stop purchasing" :). There is also a "free" RegDefend where you could still get notified of changes but unlike the "paid" version you cannot just block the changes, you either have to allow the change or kill the process. There are circumstances where you wouldn't want to (and cannot reasonably just kill the process) but this is an option and still provides very useful protection for no outlay at all.

    If you choose to get RegDefend you could always use Script Sentry for the tiny extra bit of protection that it may or may not give you; it's free after all and only kicks in when you launch one of the specified file types

    I hope some of that helps
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I use all three (PG, WG & RD) on my system and there are no conflicts. All three use little resources and provide different types of protection. Why not consider trying both WG and RD? I assume at some point that DiamondCS will update WG.
     
  8. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Many thanks everyone for the excellent answers:) As you probably all gather my computer knowledge is not that great. I did buy Reg Defend today. Re rulesets I don't have the knowledge to make up my own but based on another forum contributor in a different post, I downloaded Tony's ruleset and put it in the main RD directory.

    When I bring up the main screen under "security components" I enabled the name Tony rather than RD standard, which I hope is the right thing to do?

    Not being knowledgeable I didn't touch the configure button under the name Tony. I have read help files. Hopefully that + reading the different posts here will help...

    Thanks again,


    Howard
     
    Last edited: Mar 17, 2006
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Sounds like you are in business. If you open "configure" you will see a list of programs Tony Klein added. You can then enable/disable any programs. I only have enabled the programs I have installed, start with "Spywareblaster" and work your way down the rest of the list. Anything above it you probably want to leave enabled. To enable a program first click on that program, like Spywareblaster. It will open a box. In the upper right hand corner is a small box that says "app enabled". Click in the box and when a check mark appears it is enabled. Close that box and you will see that the red X goes away. The ones with red "X" in them are currently disabled. That's it. Just set it and forget it.

    The part you will have to learn is what to do if you get an alert. If it is a program you know or just added, you can let it change the registry. If it is after opening an E-mail or visiting a web site, you probably want to deny the change.

    Check the forum here for advice. There are many expert people here. I was a beginner a year ago and added RegDefend several months ago. It is fairly easy once you get the hang of it.
     
  10. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Much obliged for that information. It is really handy. I will try out configuring now based on your help. So I should enable all trusted programs from Spyware Blaster down that I have installed and trust? I take it enabling gives program rights over processes areas of the registry etc?

    Thanks again................Howard
     
    Last edited: Mar 17, 2006
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    zoril,
    That is right, those program permissions were configured so that using those applications would either be alert free or at least that minimal alerts would be generated. It is a start on having a set of "standard" configurations for common programs to take away the guesswork when you are getting started and just want to use the product

    One thing to check for each program group is that you have installed the program in the same location as specified in the application rule; this is something that can sometimes be different on different machines depending on what was chosen during each program's installation. If you have installed somewhere else then simply change the path for the executable
     
  12. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    That's great:thumb: - I will check that out although I always install to the default directory so hopefully all will be ok....Howard
     
  13. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    zoril, you said that you were looking for registry protection.. i don't see where "wormguard" fits in to that..

    maybe you meant, or had in mind, "regrun".. i think those are the two to compare, "regrun" and regdefend..
     
    Last edited: Mar 18, 2006
  14. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hiya I did buy RegDefend as a last line of defence....

    I think that I am reaching the stage where I have too much protection! At least with RegDefend it is doing what no other product seems to do!

    Remembering what to switch off before installing a new program/remembering what blocker is blocking what ads or popups when surfing/remembering what program is stopping files from deleting properly/compatibility issues etc etc etc...

    In all seriousness while I regard security as essential when surfing, I find it hard to achieve the balance between that and being able to surf without clicking a button every 30 seconds, or remembering what to allow\ disallow....Howard
     
  15. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Zoril.

    I'll second that... but don't worry, it all becomes second nature after a while. Just remember one point though... NEVER, EVER let yourself get into the habit of just clicking 'OK' without reading exactly what the alert is for, especially when you're getting multiple alerts in a row. You're just asking for trouble then.

    Also, reading up on the apps you've got at the mo', find where they overlap, then disable the part of the apps covering those areas (if you can) leaving just the (one or two) best/strongest for those areas, that way you can reduce the amount of alerts you get. ;)

    I say one or two cause some people prefer two just to make sure it's caught, but it's generally not required these days as apps are getting better & better.
     