Regdefend & Wildcard changes for Kent\Tony Files

Discussion in 'Ghost Security Suite (GSS)' started by dja2k, Jan 16, 2006.

Thread Status:
Not open for further replies.
  1. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Sorted.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,259
    Location:
    USA
    o_O??
     
  3. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Hey tonyjl, how do I prevent the RegDefend blocking of regedit enumeration of value blocks from filling up the log continuously and making CPU usage close to 100 percent and not stopping until I disable RegDefend and re-enable it manually?

    dja2k
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    HKEY_CLASSES_ROOT** / Allow
    HKEY_CURRENT_USER** / Allow
    etc.
    etc.

    I have the opposite

    HKEY_CLASSES_ROOT** / Block
    HKEY_CURRENT_USER** / Block
    etc.
    etc.

    And just disable RD before launching RegEdit. A bit of extra security.
     
  5. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    This is my rd.gsr file here. It is a zip file; just change the .txt to .zip. It has the extra groups you previously posted and the ones you PM'ed me with. Don't know if I have them in the correct order though, or if they are set right. Got mixed up with which keys need the ** and in the value *.

    dja2k
     

    Attached Files:

    Last edited: Jan 30, 2006
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Been having a computer crashing event using that list and the only thing that comes to mind is internet related. When I start consecutively MSN Messenger, Yahoo Messenger followed by ICQ, I get a crash. Anyways I don't know if my list has been sorted or even done right.

    dja2k
     
    Last edited: Feb 1, 2006
  7. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I don't use any of those appz.
    Have you tried disabling RD, then launching those appz? If so, try launching the appz one at a time (slowly) and see if you get any alerts; also try launching them in reverse order in case it's just a prob with ICQ.
    You could also try this app, http://www.sysinternals.com/Utilities/Regmon.html, to monitor which keys/values those appz use, then cross-search them with the rules: highlight 'global registry rules' and click the top bar above the rules to put them in alphabetical order; it makes searching through them easier.

    Keep me posted mate, looking at your rules file now.
     
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Thanks! Well, good news: I don't think it was RegDefend, but I think it was something to do with AppDefend; I might have accidentally blocked something that I couldn't tell. Though I started again with default and it doesn't do it anymore. And I do think it was ICQ cause it has more IE stuff running in it. About the list, I still don't know if I have the right order, and if I did the extra protection for my security apps right, as I said before about the single * and double **. Wow, with that link you sent me, that program is sure helpful. I did notice that there are a lot of buffer overflows and not found entries; anything I should worry about?

    dja2k
     
    Last edited: Feb 2, 2006
  9. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    No, don't worry, that's normal. If I remember correctly, it's for the software to be as compatible as possible with many machines/versions of Windows, or something like that.

    It all looks fine to me. The order of the rules doesn't really matter, but I just prefer to keep the default ones first; no reason not to though. Below is your rules-set; rename to .zip. I have made a few changes that I have done to mine, just little tweaks basically, but a couple of new rules. Keep us posted mate.
     

    Attached Files:

  10. f3x

    f3x Guest

    Great work! Two more rule contributors.
    But now I get lost:
    which one is considered the *latest*, or are they two parallel ones, or is one a subset of the other?

    I've tried tonyjl's one and I found in GSS self protection something about md_ruleset; maybe you want to change it to ad_ruleset.
     
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Don't know what you mean, but the ruleset in post #34 is tonyjl's fixed version of my previously posted set of rules.

    dja2k
     
  12. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I had all three rulesets covered individually (ad, md, rd), but have changed to one rule (*ruleset) to cover them all, plus any future rulesets added if any, and cut down on the number of rules.

    Any other feedback is most welcome :)
     
  13. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Hey tonyjl, I dropped WormGuard cause I had no use for it using RegRun, and now I get a RegDefend alert each time I log in and out of Windows saying delete some key in the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Should I always allow the change or always block it? Cause it gets annoying always having to pick.

    dja2k
     
  14. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Why don't you need WG anymore? I'm actually debating about getting it myself. But if you must...

    Anyway, if the alerts are from RegRun, then yes, allow it, as RegRun is a trusted app. Maybe it's from WG being uninstalled, and just removing a few leftovers?

    What's the exact value being deleted?
     
  15. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    The WormGuard program is good, don't get me wrong, but I couldn't stop it from crashing the Start Center in RegRun. Also the default blocked extensions are similar to the ones already blocked by RegRun.

    About the shell folder key, nope, the reg alerts are coming from nowhere in particular. They are at startup and shutdown; the key I mentioned and the delete value confirmation are what I see, and there is no particular value because of the ** at the end of the key and * at the value.

    dja2k
     
  16. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Not too keen on that answer :cautious: I've made a new group for ya called 'User Shell Folders'; it lists each and every value in that key (on my PC anyway; don't worry, there are only a few entries). The reason I'm a bit dubious is because it contains the paths to your folders, e.g. startup, cookies, local settings, start menu etc., so I'm wondering why 'something' is trying to delete that data o_O .

    Anyway, import it (after deleting the .txt part) and place it somewhere before the 'Misc - Test Rules' group. See if we can narrow it down a bit, cause I've had that rule about a week now with no alerts so...
     

    Attached Files:

  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    Okay, here goes the first one:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, and the value is Common Administrative Tools. That one appears as soon as I click on the Start button. When I shut down or at Windows startup, the value that is changed and/or deleted is in the same key, Shell Folders, with the value Recent.

    dja2k
     
    Last edited: Feb 4, 2006
  18. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    Common Administrative Tools, yeah, I seem to remember that changing between user folders on my PC a while back.
    e.g. from
    C:\Documents and Settings\My folder
    to
    C:\Documents and Settings\All Users
    and back again.
    It did this a couple of times, no idea why; I only have one account on my PC, didn't change anything to do with my account (that I'm aware of anyway).
    Anyways, I would say back up that reg key, and then allow it; that way, you can repair it.
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    Hi all, sorry about the long absence... :)

    I've uploaded a new and improved gsr file for use with the latest version of RegDefend in the "Untested ghst files" thread.

    It features more complete protection, while not being overly invasive, and it replaces my 'old' ghst file, also covering everything in the default RD set.

    You shouldn't be getting too many unexpected popups, except of course perhaps some hailing from applications that only you have installed...

    Give it a go, suggestions and criticism welcome! :)

    https://www.wilderssecurity.com/showthread.php?p=676747#post676747
     
    Last edited: Feb 6, 2006
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,259
    Location:
    USA
    Thanks Tony, good to see you back here.
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    Hi G1111, same here! :)
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    New file up, containing additions, a few refinements and other tweaks.

    Between the apps groups there will be a couple referencing third party applications that you don't need if you don't happen to run those programs (Port Explorer, ACDSee, and so on). In that case there's obviously no need to keep those groups.

    https://www.wilderssecurity.com/attachment.php?attachmentid=174267&d=1139318037
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  24. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,097
    Location:
    South Texas, USA
    I have seen twice now that KAV and Online Armor have changed this value:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders** - *

    That is the same as we had talked about before with the changes to the shell folder. Nothing to worry about though, they are known security programs, but is that normal, and can I allow them always or deny always?

    dja2k
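The wildcard conventions this thread keeps coming back to (`HKEY_CURRENT_USER**` with Allow or Block in post #4, the single `*ruleset` rule in post #12, and `**` on the key with `*` on the value in posts #15 and #24) can be checked against a small model. The Python below is an added example, not code from the thread, from Ghost Security or from any of the rule-set authors. It assumes: a trailing `**` matches the key and every subkey beneath it; the value field is a glob in which `*` matches any value name; when several rules match, the one with the most specific key pattern wins (so rule order does not matter, consistent with tonyjl's remark in post #9); `HKLM`/`HKCU` are interchangeable with the long hive names, and matching is case-insensitive like the registry itself; and a change no rule covers falls through to a prompt. The rule set is constructed for the example, and `PLACEHOLDER_GSS_KEY` stands in for a GSS key path the thread does not give.

```python
import fnmatch
from dataclasses import dataclass
from typing import List

# Hive abbreviations the thread uses interchangeably (HKLM in post #17,
# HKEY_CURRENT_USER in post #13). The registry itself is case-insensitive.
ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}


def normalize_key(key: str) -> str:
    """Expand the hive abbreviation, drop a trailing backslash and fold case,
    so 'HKLM\\Software\\' and 'hkey_local_machine\\software' compare equal."""
    key = key.strip().rstrip("\\")
    root, sep, rest = key.partition("\\")
    root = ROOT_ALIASES.get(root.upper(), root.upper())
    return (root + sep + rest).lower()


@dataclass(frozen=True)
class Rule:
    key: str     # key pattern; a trailing '**' covers the key and all subkeys (assumed semantics)
    value: str   # value-name glob; '*' means any value name (assumed semantics)
    action: str  # "Allow" or "Block"

    def key_pattern(self) -> str:
        return normalize_key(self.key[:-2] if self.key.endswith("**") else self.key)

    def matches(self, key: str, value: str) -> bool:
        pattern = self.key_pattern()
        target = normalize_key(key)
        if self.key.endswith("**"):
            key_ok = target == pattern or target.startswith(pattern + "\\")
        else:
            key_ok = target == pattern
        # Glob on lower-cased names: '*ruleset' covers ad_ruleset, md_ruleset, rd_ruleset
        return key_ok and fnmatch.fnmatchcase(value.lower(), self.value.lower())


def decide(rules: List[Rule], key: str, value: str, default: str = "Prompt") -> str:
    """Return the action for a registry change. Among matching rules the one
    with the longest (most specific) key pattern wins, so rule order is
    irrelevant; with no match at all the user is prompted (assumed)."""
    hits = [r for r in rules if r.matches(key, value)]
    if not hits:
        return default
    return max(hits, key=lambda r: len(r.key_pattern())).action


# Constructed rule set modelled on the thread: hive-wide Block rules like
# tonyjl's, narrow Allow exceptions for the two Shell Folders values that kept
# prompting dja2k, and one self-protection style glob under a placeholder key.
RULES = [
    Rule(r"HKEY_CURRENT_USER**", "*", "Block"),
    Rule(r"HKEY_LOCAL_MACHINE**", "*", "Block"),
    Rule(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders**",
         "Recent", "Allow"),
    Rule(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders**",
         "Common Administrative Tools", "Allow"),
    # PLACEHOLDER_GSS_KEY is not the real GSS key; the thread does not give it
    Rule(r"HKLM\Software\PLACEHOLDER_GSS_KEY**", "*ruleset", "Block"),
]


if __name__ == "__main__":
    shell = r"HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders"
    for value in ("Recent", "Cookies"):
        print(value, "->", decide(RULES, shell, value))
    print(decide(RULES, r"HKLM\Software\PLACEHOLDER_GSS_KEY\Rules", "md_ruleset"))
    print(decide(RULES, r"HKEY_CLASSES_ROOT\.txt", ""))
```

The point of the narrow Allow rules is the one dja2k is asking about: rather than answering "always allow" to a prompt on `Shell Folders** - *`, which would let any program change any value in that key, the exception is written for the one value name that is actually being touched, and the hive-wide Block keeps covering everything else.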
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    The rules concerning Startup and Common Startup values in HKLM and HKCU have been taken out of my currently uploaded gsr file.

    I suggest you install that latest one.
     