RegDefend fails to Defend

Discussion in 'Ghost Security Suite (GSS)' started by NormanS, Aug 16, 2005.

Thread Status:
Not open for further replies.
  1. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Yesterday, after scanning the Registry with ewido, this program reported, "HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup"; this key is protected by RegDefend, yet RegDefend did not raise a flag. Why?

    Today, a rescan of the Registry by ewido resulted in no infections detected. This indicates to me that a change was, in fact, made to the Registry.
     
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Was the key there before you installed RegDefend?
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That is the CLSID for Internet Explorer's Show Related Links... which means it was there when birth was given to that PC.

    NormanS... would you mind sharing a copy/paste of your RegDefend rule for that item, please?
     
  4. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Hi Jason,

    First I want to thank you for a fabulous program and the help you extended to me on Process Guard issues.

    Now, to answer your question, my guess is that the key was there before installing RegDefend; I say that on the grounds that RegDefend was only very recently installed.
     
  5. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Hi Bubba,

    Thank you for your interest.

    Here is the information you requested, though it was not copy/pasted, since, upon selection, the key as displayed in RegDefend does not lend itself to copy:
    Registry Value: *
    Wildcards: Value
    Events: Mod Key, Mod Value
    Action: Ask User
    These are the default settings, as I neither added nor edited the key at issue.
     
  6. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Hi Jason and Bubba,

    I should have added that upon rescanning the Registry with ewido, I found that the value, {c95fe080-8f5d-11d2-a20b-00aa003c157a}, continues to exist, but is now located at HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\. (Notice the addition of the sub-key, CmdMapping.)
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Norman, thanks for the compliments. Do you understand that RegDefend only intercepts registry actions when they occur? It cannot intercept registry additions/changes that occurred before you installed it. So if you try going to that particular key in regedit now and modifying it, you should get an alert in RegDefend if your rule is correct. Hope that helps.
     
  8. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Hi Jason,
    I must have failed in making the point that ewido edited the file AFTER RegDefend was installed.

    How could it succeed? Yet, apparently it did, for upon re-scanning the Registry, ewido no longer reports an infection.

    Regards,
    Norman
     
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Norman,

    I think the default rule for this particular key is incorrect. It should be protecting the values in the next subkey, not the one it is currently. It has been addressed for the next version. Sorry about that.
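
Added example (not part of the thread and not RegDefend's own code): a simplified Python model of key-scoped rule matching, showing why a `*` value rule on the `Extensions` key stays silent for changes one subkey down. The matching semantics, the `SUBKEY_RULE` form and the `ExampleValue` name are assumptions for illustration; the paths and CLSID are the ones quoted in the posts.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

EXT = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions"
CLSID = "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
BOTH = frozenset({"mod_key", "mod_value"})

@dataclass(frozen=True)
class Rule:
    key: str      # key pattern; "*" stands for exactly one path component
    value: str    # value-name pattern ("*" = any value in that key)
    events: frozenset = BOTH

@dataclass(frozen=True)
class Event:
    kind: str         # "mod_key" or "mod_value"
    key: str          # key that is changed, or that holds the changed value
    value: str = ""

def key_matches(pattern: str, key: str) -> bool:
    # Assumed semantics: same depth, component-wise, case-insensitive.
    p, k = pattern.lower().split("\\"), key.lower().split("\\")
    return len(p) == len(k) and all(fnmatchcase(kc, pc) for pc, kc in zip(p, k))

def rule_covers(rule: Rule, ev: Event) -> bool:
    if ev.kind not in rule.events or not key_matches(rule.key, ev.key):
        return False
    return ev.kind == "mod_key" or fnmatchcase(ev.value.lower(), rule.value.lower())

def uncovered(rules, events):
    """Return the events that no rule would raise an alert for."""
    return [e for e in events if not any(rule_covers(r, e) for r in rules)]

DEFAULT_RULE = Rule(EXT, "*")            # the rule as quoted in post 5
SUBKEY_RULE = Rule(EXT + r"\*", "*")     # hypothetical: one level deeper

# Constructed events; "ExampleValue" is a made-up value name.
EVENTS = [
    Event("mod_value", EXT, "ExampleValue"),
    Event("mod_key", EXT + "\\" + CLSID),
    Event("mod_value", EXT + "\\" + CLSID, "ExampleValue"),
    Event("mod_value", EXT + r"\CmdMapping", CLSID),
]

if __name__ == "__main__":
    for label, rules in (("default", [DEFAULT_RULE]),
                         ("default + subkey", [DEFAULT_RULE, SUBKEY_RULE])):
        print(label, "->", len(uncovered(rules, EVENTS)), "unalerted events")
```

Replaying expected write events against a rule set in this way is a quick check that each protected path is covered at the depth where the data actually lives.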
     
  10. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    Hi Jason,
    Thanks. I'll wait for the update unless you indicate otherwise.

    Regards,
    Norman
     
  11. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    ALEXA a freebie from ? I have a Reinstallation CD MS WIND XP Home ED from DELL. Software dated 8-1-2001 to 8-18-2001. Every time I use it I find 1 case of ALEXA with SPYBOT-S&D and 9 with AD-AWARE. Who should I thank?
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    You should thank yourself, 'cause you bought a PC @ Dell :D That's not the smartest thing to do for keeping your OS free from "free" garbage... I have bought a new CD-ROM of Windows and I had one of Dell... guess what, 4 processes less, CD-ROM is 100 MB lighter (this is all installed)...
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The Alexa registry key is built into Internet Explorer for its "Related Links" function - see "Is Alexa spyware?" for more details.
     
  14. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    I just want to confirm that Version 2.0 does indeed take care of the missing protection problem.

    While I'm at it, I wish to add my voice to all the others who have praised your work. You won't get tired of these accolades, will you?

    Version 2.0 is a vast improvement over 1.3+.
     