Discussion in 'Ghost Security Suite (GSS)' started by dja2k, Jan 16, 2006.
Hey tonyjl, how do I prevent the RegDefend blocking of regedit enumeration of value blocks from filling up the log continuously and making CPU usage close to 100 percent, and not stopping until I disable RegDefend and re-enable it manually?
HKEY_CLASSES_ROOT** / Allow
HKEY_CURRENT_USER** / Allow
I have the opposite:
HKEY_CLASSES_ROOT** / Block
HKEY_CURRENT_USER** / Block
And just disable RD before launching RegEdit. A bit of extra security.
This is my rd.gsr file here. It is a zip file, just change the .txt to .zip. It has the extra groups you previously posted and the ones you PM'ed me with. Don't know if I have them in the correct order though, or whether they are set right. Got mixed up with which keys need the ** and which values need the *.
I've been having computer crashes using that list, and the only thing that comes to mind is something internet related. When I start MSN Messenger, Yahoo Messenger and then ICQ one after the other, I get a crash. Anyway, I don't know if my list has been sorted or even done right.
I don't use any of those appz.
Have you tried disabling RD, then launching those appz? If so, try launching the appz one at a time (slowly) and see if you get any alerts; also try launching them in reverse order in case it's just a problem with ICQ.
You could also try this app: http://www.sysinternals.com/Utilities/Regmon.html to monitor which keys/values those appz use, then cross-search them with the rules: highlight 'global registry rules' and click the top bar above the rules to put them in alphabetical order, which makes searching through them easier.
Keep me posted mate, looking at your rules file now.
Thanks! Well, good news: I don't think it was RegDefend, but I think it was something to do with AppDefend; I might have accidentally blocked something without being able to tell. Though I started again with the default and it doesn't do it anymore. And I do think it was ICQ, because it has more IE stuff running in it. About the list, I still don't know if I have the right order, and if I did the extra protection for my security apps right, as I said before about the single * and double **. Wow, that program you linked me to is sure helpful. I did notice that there are a lot of buffer overflow and not found entries; anything I should worry about?
No, don't worry, that's normal. If I remember correctly, it's for the software to be as compatible as possible with many machines/versions of Windows, or something like that.
It all looks fine to me. The order of the rules doesn't really matter, but I just prefer to keep the default ones first; no reason not to, though. Below is your rule set, rename to .zip. I have made a few changes that I have done to mine, just little tweaks basically, but a couple of new rules. Keep us posted mate.
Great work! Two more rules contributors.
But now I get lost:
which one is considered the *latest*, or are they two parallel ones, or is one a subset of the other?
I've tried tonyjl's one and I found in GSS self protection something about md_ruleset; maybe you want to change it to ad_ruleset.
Don't know what you mean, but the ruleset in post #34 is tonyjl's fixed version of my previously posted set of rules.
I had all three rulesets covered individually (ad, md, rd), but have changed to one rule (*ruleset) to cover them all, plus any future rulesets added, if any, and to cut down on the number of rules.
Any other feedback is most welcome
Hey tonyjl, I dropped WormGuard because I had no use for it while using RegRun, and now I get a RegDefend alert each time I log in and out of Windows saying delete some key in the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Should I always allow the change or always block it, because it gets annoying always having to pick.
Why don't you need WG anymore? I'm actually debating about getting it myself. But if you must...
Anyway, if the alerts are from RegRun, then yes, allow it, as RegRun is a trusted app. Maybe it's from WG being uninstalled, and just removing a few leftovers?
What's the exact value being deleted?
The WormGuard program is good, don't get me wrong, but I couldn't stop it from crashing the Start Center in RegRun. Also, the default blocked extensions are similar to the ones already blocked by RegRun.
About the shell folder key: nope, the reg alerts are coming from nowhere in particular. They are at startup and shutdown; the key I mentioned and the delete value confirmation are what I see, and there is no particular value because of the ** at the end of the key and the * at the value.
Not too keen on that answer. I've made a new group for ya called 'User Shell Folders'; it lists each and every value in that key (on my PC anyway; don't worry, there are only a few entries). The reason I'm a bit dubious is that it contains the paths to your folders, e.g. Startup, Cookies, Local Settings, Start Menu etc., so I'm wondering why 'something' is trying to delete that data.
Anyway, import it (after deleting the .txt part) and place it somewhere before the 'Misc - Test Rules' group. See if we can narrow it down a bit, because I've had that rule about a week now with no alerts so...
Okay here goes the first one:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, and the value is Common Administrative Tools. That one appears as soon as I click on the Start button. When I shut down or at Windows startup, the value that is changed and/or deleted is in the same key, Shell Folders, with the value Recent.
Common Administrative Tools, yeah, I seem to remember that changing between user folders on my PC a while back:
C:\Documents and Settings\My folder
C:\Documents and Settings\All Users
and back again.
It did this a couple of times, no idea why; I only have one account on my PC and didn't change anything to do with my account (that I'm aware of anyway).
Anyway, I would say back up that reg key and then allow it; that way, you can repair it.
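The "back up the key, then allow it" advice above, turned into a small script. This is an added example and not code from the thread or from Ghost Security; it assumes a modern PowerShell (Get-Item on the registry provider, Export-Clixml) and a baseline directory of your own choosing, here under the user profile. It takes a snapshot of the four Shell Folders / User Shell Folders keys the alerts refer to, exports each as a .reg file so it can be restored with `reg import`, and later diffs a fresh snapshot against the baseline so the exact value RegDefend saw change or disappear (Recent, Common Administrative Tools, or something else) can be named rather than guessed at.

```powershell
# Added example (not from the thread). Assumptions: run as the logged-on user;
# $BaselineDir is any writable folder; reg.exe is on the path (it is on every Windows).

$BaselineDir = Join-Path $env:USERPROFILE 'shellfolders-baseline'

# The keys the RegDefend alerts in this thread refer to.
$Keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
)

function Get-ShellFolderSnapshot {
    # One object per registry value: key path, value name, raw data.
    # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data such as
    # %USERPROFILE%\Desktop unexpanded, so the diff shows what is stored,
    # not what it resolves to for the current user.
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key
                Name = $name
                Data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

function Save-ShellFolderBaseline {
    # Export each key as a .reg file (restorable with: reg import <file>)
    # and save a structured snapshot for later comparison.
    New-Item -ItemType Directory -Force -Path $BaselineDir | Out-Null
    foreach ($key in $Keys) {
        # reg.exe wants HKCU\..., not the PowerShell provider form HKCU:\...
        $regPath = $key -replace '^HKCU:', 'HKCU' -replace '^HKLM:', 'HKLM'
        $file = Join-Path $BaselineDir (($regPath -replace '[\\: ]', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null
    }
    Get-ShellFolderSnapshot | Export-Clixml (Join-Path $BaselineDir 'snapshot.xml')
}

function Compare-ShellFolderBaseline {
    # Report every value whose name or data differs from the saved baseline.
    # '<=' rows are the old state (a deleted or modified value), '=>' rows are the new state.
    $old = Import-Clixml (Join-Path $BaselineDir 'snapshot.xml')
    $new = Get-ShellFolderSnapshot
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Key, Name, Data -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '<=') { 'old/removed' } else { 'new/added' } } },
                      Key, Name, Data
}

# Usage: run Save-ShellFolderBaseline once while the keys are known good,
# then Compare-ShellFolderBaseline after the next RegDefend alert (or after a
# login/logout cycle) to see exactly which value moved.
Save-ShellFolderBaseline
Compare-ShellFolderBaseline
```

The diff is what turns "something deleted a value under Shell Folders" into a concrete value name and the before/after data, which is the information needed to decide whether an always-allow rule for a trusted program is safe or whether the change is worth chasing. The HKLM keys need an elevated prompt for the export to succeed; the HKCU ones do not.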
Hi all, sorry about the long absence...
I've uploaded a new and improved gsr file for use with the latest version of RegDefend in the "Untested ghst files" thread.
It features more complete protection while not being overly invasive, and it replaces my 'old' ghst file, also covering everything in the default RD set.
You shouldn't be getting too many unexpected popups, except of course perhaps some coming from applications that only you have installed...
Give it a go, suggestions and criticism welcome!
Thanks Tony, good to see you back here.
Hi G1111, same here!
New file up, containing additions, a few refinements and other tweaks.
Among the apps groups there will be a couple referencing third-party applications that you don't need if you don't happen to run those programs (Port Explorer, ACDSee, and so on). In that case there's obviously no need to keep those groups.
Please make comments about this update in the following thread: https://www.wilderssecurity.com/showthread.php?t=115276
I have seen twice now that KAV and Online Armor have changed this value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders** - *
That is the same as what we talked about before with the changes to the shell folder. Nothing to worry about, though, as they are known security programs, but is that normal, and can I allow them always or deny always?
The rules concerning the Startup and Common Startup values in HKLM and HKCU have been taken out of my currently uploaded gsr file.
I suggest you install that latest one.