Regdefend & Wildcard changes for Kent\Tony Files

Discussion in 'Ghost Security Suite (GSS)' started by dja2k, Jan 16, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Can anyone post Tony's and Kent's rules with the wildcard changes already done to them? I see that a lot of people, myself included, have trouble with the changes. I don't know why a lot of you mind sharing the files, because I know for sure I have asked for them before and no one has dared to post them.

    dja2k
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Here are some of my rules. I have not included all my rules/groups, as some are specific to my PC.

    --WARNING--

    I've been collecting rules for ages (since before RD came out, I had a customizable reg poller) from the net, forums, TV, radio etc., so I already had most of Tony's/Kent's and whoever else posted in, but I did add a couple that I didn't have (Thanks guys :) ). I'm afraid I can't always give info on why a certain value should be protected, as I don't always save the web page or whatever for later reference.

    SO USE WITH CAUTION... AND YES, YOU WILL GET A LOT OF ALERTS AS STATED BELOW.

    I use RegDefend the same way as AppDefend/ProcessGuard... allow everything on your PC to do what they want/need (PROVIDED YOU KNOW YOUR PC IS CLEAN). After that, you should only get alerts for unusual/infrequent stuff or malware.

    I have renamed the file to rdstandard-1 (just delete the .txt part) so as not to overwrite your original, just in case. I have also disabled the non-default rules so you can re-enable them one at a time for testing.

    Hope this helps mate :)

    Let us know how you get on.

    Any feedback is welcome!!

    --------------ONCE AGAIN, USE WITH CAUTION---------------
     

    Attached Files:

    Last edited: Jan 17, 2006
  3. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks will try them out....

    UPDATE #1:
    Replaced the original with your file after I backed up the original. Enabled all of the disabled options and so far working fine. Will post back if I get an error or conflict with your ruleset file.

    UPDATE #2:

    One thing though: I was having some trouble with my Winsock file ws2_32.dll crashing, and what I noticed with this list and having RegRun Registry Tracer is that when RegDefend is active with all your groups on, I get a prompt from RegRun saying that some parameters were deleted in Winsock2 and to accept or not. Well, after that I accepted, so they got deleted. Now if I disable RegDefend, I get a popup again from RegRun saying that the parameters got added back, and well, I can do that process over and over and they get added and deleted again after enabling and disabling RegDefend. Is that normal?

    dja2k
     
    Last edited: Jan 17, 2006
  4. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Well, never mind the above posts, since I am about to do a clean install of Windows and use a different approach to security using your way of thinking. I am always up for a different idea to test.

    So you say you use this ghost list in RegDefend like others use the AppDefend/ProcessGuard approach? Well, if that is true, you don't run AppDefend nor ProcessGuard, right? What else do you run alongside your RegDefend with your custom list, if I may ask? I have been mixing and matching a lot of HIPS and other security programs for the past year, and now I am ready to give up on that again and just use a minimal way of security, and from what I have seen, a good antivirus, a good HIPS program, and RegDefend with your list is about enough. Also I might have overdone it on hardening my system with what everyone uses here, but I don't know if any of those programs conflict with your ghost list? And yes, I understand to install everything first, then install RegDefend with your custom list last to avoid popups and installation problems.

    dja2k
     
  5. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Sorry mate, I forgot to mention Tay's 'Protect Winsock' / 'Protect MAC Address' rules. They are set to block, so just change them to ask user, and click allow always next time you get an alert for RegRun. You could just delete that group, as I don't think it's necessary; plus, I've never had an alert since adding those rules.
     
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks!

    By the way, did you forget, or did you not want to comment on what software you run alongside RegDefend?

    dja2k
     
  7. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    I didn't really see the need to mention what software I use alongside GhostSecuritySuite, as, as mentioned in my first post, I just allow everything (especially security apps) full access to the registry, so I don't have any special rules for software, apart from the 'allow always' app rules. I'll leave that to others who do block stuff; then they can give you reasons as to why.
    Whenever I get an alert from something I know, I select 'always allow'. It's only when it's something I don't know/recognize that I block, do a bit of googling to find out what it is, and if it's legit, the next time I get the alert I select 'always allow' (touch wood, had nothing yet/ever).
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Tonyjl, maybe you know this already, but regsvr32.exe, services.exe and some others could be set to permit once... because it will give you some extra protection just in case some process had full access to the registry; regsvr32.exe will still warn you when writing to it... not in all cases I guess, but at least that's how I do it on some of my setups.

    take care

    Inf.
     
  9. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Yes, I did know that Infinity, thanks for mentioning it, as some other people may not have known. I haven't actually set RD to permit once because I have PG & AD set to permit once. Triple protection is good (for security and finger exercise :thumb: ), but sometimes it slows things down or causes them to hang.
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Of course. I did it the other way around: I gave it full access in PG (except rundll32.exe). If you wanted to know why I gave those processes full access in PG... well, I find AppDefend a lot faster in response time and never knew it to hang, while doing it with PG I had hiccups, so I limited their radius with AppDefend... because it's overlap and does slow things down.
    For myself, I'm using the standard rules, but I would like to see them tighter.

    I asked a question myself regarding this issue, because we can see RDStandard rules and ADSecure rules, but I was hoping to see RDSecure and ADStandard in some update as well... I know they are working hard to establish all this, so let's hope those rules will be tighter!

    take care
     
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    So if you are using AppDefend and ProcessGuard together, do you have something disabled in PG and/or what protection do you have in AppDefend set to allow to let PG handle them, or vice versa?

    dja2k
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Execution protection disabled, registry protection disabled, all the rest is checked regarding global protection. About the exes, well, that's personal, but I explained what I did with regsvr32.exe.
     
    Last edited: Jan 20, 2006
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Disabled global hooks in PG as well, hence AD is faster, and because of the overlap.

    /OT: ... I am looking forward to play with the new beta and I hope it won't take too long :D
     
  14. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks for the info...

    dja2k
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Are Kent's and Tony's original ghost files now useless because of the wildcard difference (* vs. **)?
     
  16. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    What I read is that you have to modify them to use them properly. That's why I asked for someone's ghost file, because I didn't understand how to change them. There is, however, a thread here explaining how to modify them yourself.

    dja2k
     
  17. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Thanks - I deleted them for now.
     
  18. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Hey tonyjl, quick question: why does RegRun Gold Registry Tracer flag more objects than RegDefend using the list you provided previously? Are the RegRun entries not in there?

    dja2k
     
  19. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Thanks for pointing that out. I imported puff-m-d's RegRun set and noticed I have the following missing:

    HKEY_CURRENT_USER\Control panel\Desktop / ScrnSave.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code store database\Distribution units* / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Inifilemapping\System.ini* / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Inifilemapping\Win.ini* / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost* / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / System
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / Taskman
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / Userinit
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon / VMApplet
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon/Notify / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shellexecutehooks* / *
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload* /*
    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Winsock2* / *

    The rest are already in there. Thanks again for pointing that out; don't know why I didn't add them.
     
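The locations in the list above are classic autostart and hook points (Winlogon, ShellExecuteHooks, ShellServiceObjectDelayLoad, the Winsock2 catalog, and so on), and the RegRun prompts described earlier in the thread are exactly the kind of silent add/delete you want to be able to see for yourself. The script below is an added example and is not from the thread, from RegDefend, or from RegRun: it snapshots every value under those keys, writes a baseline on the first run, and on later runs prints what was added, removed or modified, so you can check a ruleset change (such as the 'Protect Winsock' group) against the real registry. It assumes an elevated Windows PowerShell session and a baseline file location ($BaselinePath) that you can change freely.

```powershell
# Added example: baseline and diff the autostart/hook registry keys listed in the thread.
# Assumptions: Windows, elevated PowerShell; $BaselinePath is an arbitrary chosen location.

$Locations = @(
    'HKCU:\Control Panel\Desktop',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2'
)

function Get-RegistrySnapshot {
    param([string[]]$Paths)
    $snap = @{}
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Walk the key and every subkey; record each value as "fullkey\valuename" -> data
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Keep %VARS% unexpanded so a changed REG_EXPAND_SZ is visible as-is
                $data  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $label = if ($name -eq '') { '(Default)' } else { $name }
                $snap["$($key.Name)\$label"] = ($data -join ',')   # flattens multi-string/binary
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed';  Value = $k; Old = $Baseline[$k]; New = $null }
        } elseif ($Current[$k] -ne $Baseline[$k]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Value = $k; Old = $Baseline[$k]; New = $Current[$k] }
        }
    }
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added';    Value = $k; Old = $null; New = $Current[$k] }
        }
    }
    return $changes
}

$BaselinePath = Join-Path $env:USERPROFILE 'asep-baseline.json'   # assumed location, change as needed
$current = Get-RegistrySnapshot -Paths $Locations

if (Test-Path -LiteralPath $BaselinePath) {
    # Later runs: rebuild the baseline hashtable from JSON and report differences
    $raw = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = $p.Value }
    $diff = Compare-RegistrySnapshot -Baseline $baseline -Current $current
    if ($diff.Count -eq 0) { 'No changes against baseline.' } else { $diff | Format-Table -AutoSize }
} else {
    # First run: persist the snapshot as the baseline
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    "Baseline written to $BaselinePath ($($current.Count) values)."
}
```

Run it once on a machine you trust to write the baseline, then run it again after enabling or disabling a RegDefend group (or after any installer) to see exactly which values moved. Expect benign noise from HKCU\Control Panel\Desktop, which Windows rewrites for wallpaper and screen-saver settings; the Winlogon, ShellExecuteHooks, ShellServiceObjectDelayLoad and WinSock2 entries should stay stable unless something installed a hook or a layered service provider, and a 'Removed' line under WinSock2 is the kind of change the RegRun prompt in this thread was reporting.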
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    You're welcome tonyjl, but now I am lost here. How do I go about importing those rules into your custom list? I get an error saying to pick a profile, which is already on. Or if you have time, can you please add them to that previously posted list of yours? I don't understand these wildcard changes and, well, the order they go in.

    dja2k
     
  21. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    I've just added them on as a separate group, as I like to keep mine and other people's rules separate; it makes it easier to track changes etc. Download the file below to somewhere handy (I have it with my backup RD rule-sets), delete the .txt part as before, open GSS, click on RegDefend, highlight 'Global Registry Rules', then in the right pane click 'Import Group', browse to this file and select it. It will be added at the end (bottom) of the list. Rearrange if you prefer; best to put it before (above) the test rules though.
     

    Attached Files:

  22. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Since you pointed out the RegRun stuff, I did a bit of double-checking and found a few of Tony Klein's rules missing as well. I didn't bother adding any of those, because if I remember correctly, it was Tony who impressed Jason and became a beta tester or something like that; anyway, a lot of those rules are part of the default set now, so I 'assumed' they were all in there. Anyway, add these the same as before mate. Would have posted in the above post, but can only upload one file at a time. I'll let you know if I find anything else.
     

    Attached Files:

  23. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Cool! Thanks... I have put the file together and added the RegRun stuff to the bottom of your list, before where the disabled entries were. I of course have them all active.

    dja2k
     
  24. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Glad to help mate :), let us know if you find anything else.
     
  25. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I added the two updated groups back to my protection also. Thanks.
     