RegDefend Feedback

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Aug 9, 2005.

Thread Status:
Not open for further replies.
  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Load up regedit, and go to this key :-

    HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostSecuritySuite

Then delete the VERSIONS subkey in there, and try again. SHIFT clicking does force a download, I just need to make sure that updater.exe takes the new files as well, which will be in the next update. If you delete the "versions" SUBKEY however, you will be able to update.
     
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    This worked! I am now on V1.003 and all seems to be functioning WAD.

    And thanks for fixing the X not shutting down the GSS GUI. ;)
     
  3. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Jason,

With RegDefend version 1.003 on, I can't download Kaspersky Pro updates o_O If I disable the RegDefend protection then I can download Kaspersky updates without any problem o_O

    Best regards,
    Atomas31
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi, I am running KAV with 1.003 and have no issues with its autoupdate feature.

    Test 1. This KAV Personal 5.0.227 is running with RDstandard ruleset and no Application rules -

    Test 2. A large set of 451 rules with one KAV Application rule:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings | * | DELETE VALUE | | kavsvc.exe | 1

    So I am not sure what your problem may be. Hopefully Jason or others may be able to help. :)

    Pilli.
     
  5. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
With the latest update I am getting a loop in the new Network Protection Rules Group, in particular on the entry HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces**. What I am seeing is svchost.exe continuously deleting and setting values related to DHCP: nameserver, domain, subnetmaskopt, and defaultgateway. These are the alerts I received in almost a 2-hour period:

    19:11:01 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:11:04 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:13:42 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe
    19:13:46 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:13:52 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    19:13:54 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:13:57 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:14:05 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:14:08 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    19:14:11 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe
    19:38:01 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:38:02 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:38:03 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe
    19:38:03 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:38:04 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    19:38:04 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:38:04 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    19:38:04 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    19:38:05 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    19:38:06 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe
    21:04:18 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    21:04:21 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    21:04:25 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe
    21:04:27 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    21:04:29 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    21:04:31 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    21:04:33 | Delete Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdomain | svchost.exe
    21:04:34 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
    21:04:35 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpdefaultgateway | svchost.exe
    21:04:36 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpsubnetmaskopt | svchost.exe

    I am at a loss as to whether to permanently allow or block this. My system is clean and I completely trust the running svchost.exe is not infected in any way.

    So what do the registry gurus have to say/suggest about this behavior and the best way to handle it?

    TIA for your time and help.
     
  6. passing thru

    passing thru Guest

    I saw a similar pattern today after updating RD on my laptop (which uses SBC DSL via a Linksys Etherfast PCMCIA card). I will double-check my laptop's RD logs tomorrow, but I believe they are similar. I have set RD to permanently allow what svchost.exe is doing in this instance. What svchost.exe is doing may depend on the type of connection you have. RD does not show this behavior on my cable-connected systems.
     
  7. Hagbard

    Hagbard Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    13
Same here, allowing "always" doesn't help either; each time I connect to the net I have to click through a lot of alarms, all svchost-related.

    Plus the update deleted rules, e.g. IE, quite a lot of clicks again.
    Could it be related to the access violation error I always seem to get when updating, before restart?
     
  8. confirmed

    confirmed Guest

    Confirmed. Big bug here.
     
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Could you go to the "CONFIGURE" RegDefend window, and paste the RULE you have for SVCHOST. When you click REMEMBER it will automatically add a rule.
     
  10. voirdire

    voirdire Registered Member

    Joined:
    May 26, 2005
    Posts:
    13
    Same SVCHOST problem on dsl here. Adding permissions to the application rules solved the problem. However, I started with 87 Global rules, rebooted and now have 89 Global rules.
     
  11. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Voirdire,

That rules statistic includes application rules as well, not only global rules.
     
  12. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
I get an error message when I open more than one link in the menu. That is, if after opening one link I go back to the menu and try to open a second, an error message appears and the GUI closes.
     
  13. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Same thing here.
     
  14. passing thru

    passing thru Guest

    I am having a DSL-related issue that I am unable to resolve. I typically disconnect manually (via the tray connection icon context menu). When I do, I get an alert that System (4) wants to change a value protected by the Networking Protection group. Despite selecting "Always perform the action I take" and then allowing the value to be changed, the created application rule is ignored the next time I manually disconnect. Detailed info:

    Alert:

    09:47:03 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Tcpip\Parameters\Interfaces\{ff9f3812-3ce7-4997-a679-7855acc2345c} | ntecontextlist | system

    Global Rule:

    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces** | * | CREATE KEY, MODIFY KEY, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Networking Protection | 5

    Application rule for System (always PID 4):

    Key: HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces**
    Value: *
    Allowed: Set, Delete values

    Registry state when DSL is connected:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF9F3812-3CE7-4997-A679-7855ACC2345C}]
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
    "SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
    "DefaultGateway"=hex(7):00,00
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    "NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
    33,00,00,00,00,00
    "DhcpIPAddress"="************"
    "DhcpSubnetMask"="255.255.255.255"
    "Domain"=""
    "NameServer"="*********************"
    "DhcpClassIdBin"=hex:
    "RegistrationEnabled"=dword:00000000
    "RegisterAdapterName"=dword:00000000

    Registry state when DSL is disconnected:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FF9F3812-3CE7-4997-A679-7855ACC2345C}]
    "UseZeroBroadcast"=dword:00000000
    "EnableDHCP"=dword:00000000
    "IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
    "SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
    "DefaultGateway"=hex(7):00,00
    "EnableDeadGWDetect"=dword:00000001
    "DontAddDefaultGateway"=dword:00000000
    "NTEContextList"=hex(7):00,00
    "DhcpIPAddress"="0.0.0.0"
    "DhcpSubnetMask"="0.0.0.0"
    "Domain"=""
    "NameServer"=""
    "DhcpClassIdBin"=hex:
    "RegistrationEnabled"=dword:00000000
    "RegisterAdapterName"=dword:00000000
     
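A small log-triage script for the alert lines and rule pattern shown in the posts above (Disciple's svchost.exe delete/set loop and the Networking Protection global rule quoted in the previous post), added here as an example and not part of the thread or of RegDefend itself. It assumes the "|" field order shown in the alerts and an interpretation of "*" and "**" in rule keys that the thread does not document; example.exe is a hypothetical process name.

```python
import re
from collections import defaultdict
# Constructed sample in the alert format shown in this thread (time | action |
# verdict | key | value | process): four lines mirror the svchost.exe loop, one
# the System (4) alert, and a hypothetical example.exe line shows the split.
SAMPLE_LOG = """\
19:11:01 | Delete Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
19:14:05 | Set Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
19:38:01 | Delete Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
19:38:04 | Set Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{7a875053-5054-4309-b500-1aad276ec29f} | dhcpnameserver | svchost.exe
09:47:03 | Set Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{ff9f3812-3ce7-4997-a679-7855acc2345c} | ntecontextlist | system
20:02:10 | Set Value | Allowed [User] | HKLM\\System\\Controlset001\\Services\\Tcpip\\Parameters\\Interfaces\\{7a875053-5054-4309-b500-1aad276ec29f} | nameserver | example.exe
"""
HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def normalize_key(key):
    """Lower-case the path and expand the hive alias the log lines use."""
    hive, _, rest = key.strip().lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def parse_alert(line):
    """Split one alert line into its six fields; anything else returns None."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        return None
    time, action, verdict, key, value, proc = parts
    return {"time": time, "action": action.lower(), "verdict": verdict,
            "key": normalize_key(key), "value": value.lower(), "proc": proc.lower()}

def rule_to_regex(pattern):
    """Turn a RegDefend-style key pattern into a regex. Assumed semantics (not
    stated in the thread): '*' matches within one path component, '**' across."""
    body = re.escape(normalize_key(pattern)).replace(r"\*\*", ".*").replace(r"\*", r"[^\\]*")
    return re.compile("^" + body + "$")

# Key pattern of the Networking Protection global rule quoted in the thread.
NET_RULE = rule_to_regex(r"HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces**")

def summarize(log_text):
    """Group alerts by (process, key, value), count delete->set cycles, label each group."""
    seq = defaultdict(list)
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a:
            seq[(a["proc"], a["key"], a["value"])].append(a["action"])
    report = {}
    for (proc, key, value), actions in seq.items():
        cycles = sum(x == "delete value" and y == "set value" for x, y in zip(actions, actions[1:]))
        if proc == "svchost.exe" and NET_RULE.match(key) and value.startswith("dhcp"):
            label = "svchost-dhcp-loop"  # the repeating pattern Disciple reported
        elif NET_RULE.match(key) and value in ("nameserver", "dhcpnameserver", "dhcpdefaultgateway"):
            label = "review"  # DNS/gateway values changed by a process other than svchost.exe
        else:
            label = "other"
        report[(proc, value)] = {"label": label, "events": len(actions), "cycles": cycles}
    return report
```

The report separates the repeating svchost.exe DHCP churn from one-off changes and from DNS or gateway values touched by any other process, which is the distinction a reviewer of these alerts wants before deciding what to allow permanently.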
  15. passing thru

    passing thru Guest

    Following up, I get the same behavior on my cable-connected desktops by "disabling" my Local Area Connection (using either the tray icon or one of the Control Panel\Network Connections icons).
     
  16. Bournesup

    Bournesup Registered Member

    Joined:
    Jul 11, 2005
    Posts:
    5
Well done Ghost Security Team. The interface is slick, and the application is easy to use and flexible. I'd like to offer a couple of suggestions.

1) When an update is applied, and there is a change in the standard rule set, there should be a text file explaining the additions, modifications and/or deletions. This would be of great help to users who developed their own rule set in conjunction with the standard set.

2) Question: what happened to the monitoring aspect of your software, to aid in the development of custom rule sets?

3) Has anyone started investigating the plausibility of using this software to monitor JavaScript keywords, since these are a great hole in most web browsers? Blocking the reading of certain registry keys through Java, based on the keyword being used from Java.

    Computer security has taken a new step in the evolution of prevention. This is necessary. Your software is a great addition to this evolution.
     
  17. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Are you using TDS-3 execution protection?
     
  18. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
The monitoring aspect will be making a return in a future update. Due to inefficiencies in certain Microsoft code I felt that I would have to rewrite certain aspects of the monitoring to allow 100,000s of alerts to be displayed without a massive impact to the end user.

Thanks for the appreciative words. :)
     
  19. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Thanks for the informative post and information. This problem should be solved shortly in an update.
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Jason - No I don't have TDS-3. I am running ProcessGuard, WormGuard, KAV Personal and TrojanHunter (TrojanGuard running).

    I have PG set to allow gss.exe to allow global hooks and install drivers/services. Also set it to access physical memory and still get the error message after I try and open a second link in menu.
     
  21. passing thru

    passing thru Guest

    Glad to have helped. Keep up the great work.
     
  22. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Do you get the same errors in ProcessGuard, when you click on links and the helpfile from within the GUI?
     
  23. Hagbard

    Hagbard Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    13
    I have to admit that I'm feeling a little lost with this instruction.

Where am I supposed to copy what to be able to paste where? When does REMEMBER show where so I can click it? No right-click menu, except for one that shows "Move...".

    The frequent SVCHOST alerts are becoming some kind of a nuisance, esp. since they tend to "help" kill my vnc connection. Happened today, some kind of time out, Ghost window hidden by another window so I didn't know, hence internet connection got severed. Really not helpful for remote access.
     
  24. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia

Once you click on configure, a window will pop up. Then look to the left and click on APPLICATION rules. You should see a few entries for SVCHOST; when you click on each one you will find rules which have been added to them. Could you paste all the rules shown for svchost (if you have more than one entry, then do it for each one)?

    To copy entries, simply click on the rule, and press CTRL+C to copy it, then whatever item you selected is copied into the clipboard, allowing you to CTRL+V (paste) it.
     
  25. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    There should be an update available now, fixing the SYSTEM application rule issue.
     