Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Feb 18, 2005.
Seeing as infinity has already started with the requests...
Re: RegDefend Suggestions / New Features / Wishlist
Good point, and I was about to start one myself.
There are a few features I plan on adding very soon, so I do plan on making some updates in the near future; the best time to get the features you want in RegDefend would be now.
I have a few early suggestions, but bear with me, I've only been looking at RegDefend for about 10 mins.
1. Could you put in some options for "Connection Settings", i.e. Direct Connection, Proxy, etc.
2. Could there be the ability to log to a default text file, with the ability for the user to determine the max size, and the ability to change the default location? (As I don't see this option ATM.) Plus maybe an added option from the task tray menu to open the log file.
3. Nothing seems to be logging ATM, even though changes have occurred and have been permitted. Could the log record all activities: allow, always allow, deny, and always deny? The details are good; could a date/time column also be added?
4. Another tab for user specified "always allow/deny" registry changes, rather than just using the application permissions override, under the main tab, with the same right-click options.
5. The second button in the application permissions override doesn't display the entire text, and the tooltip only displays "tip"
6. Currently the "X" close button on the GUI actually closes the program; could it just minimize instead, with the Close/Exit function only in the system tray and under File? That would prevent accidental closure and the loss of protection.
7. I really like the user database idea, for protecting keys.
8. These are really tic 'e tac things: A monochrome scheme would be nice for the GUI. Sorry, but I don't like the icon ... I don't really have an idea to suggest, but maybe just the ghost image, larger without the black frame/background and text.
Overall, it looks great Jason, Good Job. I know it's early and you will perfect/tweak it over time. Definitely a keeper.
One more suggestion to add:
Maybe a built in Registry Backup tool and restore function.
ps. Here are a couple of icon ideas (see attachment) ~the artwork isn't mine, I borrowed a few from DeviantART, only to illustrate some examples~ I know this isn't anywhere near a priority.
I would definitely want to be able to resize the windows, I tend to resize app windows so I can see most of the information on the screen at once
The way v1 is I can resize the main window to fill up most of my 1400x1050 screen but I cannot make the registry key portion big enough to be useful
It would be good to have an export/import feature, that would kickstart people sharing settings on the forums and also provide an easy way to save the settings across machine rebuilds
You need to be able to lock down the interface so that malware can't automatically manipulate the settings (just like PG... cough)
Be ultra-secure when you generate the hash for the application, see here
At the very least you are in a better position than me to provide some constructive criticism on whether this is worthwhile....
How do you deal with the "by proxy" applications like rundll and msiexec ?
It might be useful to have a "trusted install" mode that still records all the changes, if you do this then it would be good to have a default option for the trusted mode to automatically turn off again in N minutes (and potentially persist across reboots)
Alerting would be good to be done in the various ways I suggested for PG (which I'm sure you can remember) with using the standard eventlog as being the most useful addition and also having syslog for off host logging
The Log window could usefully show the "before" value as well as the "new" value with an option to revert back to the old one or roll forward again to the new one
It would be useful to define a program to jump to when you double click on a registry key in the registry items window and also in the log window (regedit or reghance or one of the myriad of others)
A useful enhancement would be to alert on suspicious activities
One obvious example would be a process attempting to perform registry operations very frequently, reads included (multiple times a second). This would potentially identify poorly coded applications as well as malware, which isn't a bad thing to be aware of. You would probably need to have different thresholds for reads and modifications to lessen the false positives out of the box.
Another example more malware oriented would be if an application was performing the same operation on a key very frequently, even if the key wasn't being monitored
Date columns in the app permissions override window to show when added/changed and the same for the registry items windows.
Having this information is very useful from a forensic POV
I'm sure I'll come up with more after I actually have a play with the program...
Edit: Dog managed to get in 2 posts while I was typing all that in
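The rate-based alerting sketched above, written out as an added example (this is not RegDefend code and not from anyone in the thread). It applies separate thresholds for reads and for modifications per process, and separately flags the same operation repeated on one key, whether or not that key is on a watch list. The log lines, the operation names and the threshold values are all constructed for the example.

```python
from collections import defaultdict, deque

# Operation names are assumed for the example; "read" is the only non-modifying one.
MODIFYING_OPS = {"set", "create", "delete", "rename"}

# Assumed thresholds; real defaults would need tuning against false positives.
WINDOW_SECONDS = 1.0
READ_THRESHOLD = 10      # reads by one process inside the window
MODIFY_THRESHOLD = 3     # modifications by one process inside the window
REPEAT_THRESHOLD = 5     # identical operation on one key inside the window

# Constructed sample log: (seconds, process, operation, key). Not RegDefend output.
SAMPLE_LOG = (
    [(0.05 * i, "appA.exe", "read", f"HKCU\\Software\\AppA\\Setting{i}") for i in range(12)]
    + [(2.0 + 0.1 * i, "appB.exe", "set", "HKLM\\Software\\AppB\\Config\\Mode") for i in range(6)]
    + [(5.0, "editor.exe", "read", "HKCU\\Software\\Editor\\Recent"),
       (15.0, "editor.exe", "read", "HKCU\\Software\\Editor\\Recent")]
)


def _trim(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_frequent_activity(log, window=WINDOW_SECONDS,
                             read_threshold=READ_THRESHOLD,
                             modify_threshold=MODIFY_THRESHOLD,
                             repeat_threshold=REPEAT_THRESHOLD):
    """Return (process, alert_kind, count, seconds) tuples.

    Each (process, kind) alert fires once, on the first event that crosses
    its threshold, so a noisy process does not produce one alert per event.
    """
    per_process = defaultdict(deque)   # (process, "read"/"modify") -> timestamps
    per_key = defaultdict(deque)       # (process, op, key) -> timestamps
    fired = set()
    alerts = []
    for ts, proc, op, key in sorted(log):
        cls = "modify" if op in MODIFYING_OPS else "read"

        # Per-process rate, with a separate threshold for each class.
        q = per_process[(proc, cls)]
        q.append(ts)
        _trim(q, ts, window)
        threshold = modify_threshold if cls == "modify" else read_threshold
        if len(q) >= threshold and (proc, f"{cls}-rate") not in fired:
            fired.add((proc, f"{cls}-rate"))
            alerts.append((proc, f"{cls}-rate", len(q), ts))

        # Same operation hammering the same key, regardless of any watch list.
        rq = per_key[(proc, op, key)]
        rq.append(ts)
        _trim(rq, ts, window)
        if len(rq) >= repeat_threshold and (proc, "repeat", key) not in fired:
            fired.add((proc, "repeat", key))
            alerts.append((proc, "repeat", len(rq), ts))
    return alerts


if __name__ == "__main__":
    for proc, kind, count, ts in detect_frequent_activity(SAMPLE_LOG):
        print(f"{ts:6.2f}s  {proc:12s} {kind:12s} count={count}")
```

On the sample log, appA.exe trips the read-rate alert on its tenth read in half a second, appB.exe trips the modify-rate alert on its third write and the repeat alert on its fifth write to the same key, and editor.exe, with two reads ten seconds apart, produces nothing.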
One potentially very useful feature would be the ability to have the program optionally (but, if enabled, automatically) phone home to get a centrally maintained block list.
This could be applied prior to the local definitions so that any local allow rules override any central deny rules
I'm sure I don't need to enumerate why this would be a good thing
This might be similar to the "additional" TeaTimer functionality
The rules would have to be very specific seeing as they would be targeting specific and presumably prolific or very nasty new threats....
It might also be good to be able to selectively enable/disable the central rules to allow problems to be worked around and if the local ruleset already covers what has been added centrally the local administrator could save a millisecond or two's CPU
You can only add/view select keys/values to protect with RegDefend ... it would be nice to have the ability to protect any key/value. Say, for example (as was mentioned in the License Thread), to protect your license key from being read by malware or any other program but the particular application/program to which the value is linked, unless permission is granted by the user. What's the reason/limitation to adding protection to any key in the registry?
Sorry if this is a silly question, my knowledge in this area is limited. So, I'm just feeling my way along.
Ps. Nice Suggestions gottadoit.
My suggestion is to improve the GUI. I will throw away my personal taste for now about the graphical elements, but come on: it is barely usable. The key list, which should show the most information, is using up only 20% of the screen. You have to scroll it around to see the end of the key names, and when you get to see the values you either see the end of the key names, or the truncated version of them. And at the same time the screen is filled with empty areas, and big buttons with unfortunate placing. Sorry, but I cannot resist the feeling of non-professionalism when I look at this GUI.
OK, I can give an example: Some worms/trojans set in the registry a specific value, which disables the execution of Regedit. This practically disables the usual user from resetting the same value, because that would need the execution of Regedit itself. Maybe you can understand the benefit of blocking this malicious change in the first place. Let me give one more example: a worm could disable the option to boot into Safe Mode itself by changing the registry only. You definitely want to stop that change!
I would like to be able to kill the program that is trying to startup when it places itself in the registry. Not just be able to block it from writing to the registry. If the trojan starts itself and RegDefender only stops it from writing to the registry the Trojan is still running.
You are right, the registry items and rules section needs to be better designed. I will be releasing an update in a few days with this done.
Do you mean you would want to have a "Kill Process" button on that confirmation dialog?
I will consider a lot of these for the next version, thanks Steve.
I think a "kill process" button and also the option to delete the offending file would be very handy .
When I click the tray icon it opens the GUI minimized; if this is normal, can you give a box to tick for opening maximized? I will be purchasing your product, Jason, and eagerly await the updates to this product of great potential.
One option I suggested in another thread is the ability to "spoof" changes (i.e. don't allow changes to go through to the registry, but do return the amended values in reads by that application or related ones only - making it think that the changes were made successfully). This would allow users to review a list of Registry changes made by an application (rather than having to approve/block them on a key-by-key basis) and even run it a few times before deciding to "commit" or "discard" the changes.
One difficulty would be identifying which programs should see the spoofed values. RegDefend ideally would need to check what new executable files were added by an installer and include those in the "spoof-set" (which would take it into uninstaller territory) but an easier alternative short-term could be to prompt the user as to which files/folders should be shown the spoofed values. Separate sets of spoofed values could be kept in the case of multiple installs.
What benefits would this offer?
Spoofed values could not affect other programs (or Windows itself) so malware could not really run on startup or change Windows settings (though it would think that it did - this would also however affect legitimate software).
If malware was able to terminate RegDefend it would lose its Registry settings unless it then rewrote them (could RegDefend block application Registry writes if it was terminated to prevent this? e.g. by altering system hooks so that they needed RegDefend running to function).
RegDefend could be used as a registry cleaner - keeping track of what keys were added by every application and thereby allowing users to remove every one if the application was uninstalled.
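The spoofing idea above, modelled as an added example (not RegDefend code, not from P2K or anyone else in the thread): writes from processes in a "spoof-set" are held in an overlay instead of the real registry, reads from those processes see the overlay while everything else sees the real values, and the pending changes can be reviewed, committed or discarded. Commit also returns the keys it created, which is the bookkeeping the "registry cleaner" use later in the post would need. An in-memory dict stands in for the registry; every key, value and process name is constructed, and nothing here touches Windows.

```python
DELETED = object()   # overlay marker: key deleted in the spoof-set's view


class RegistrySandbox:
    """Copy-on-write overlay over a dict that plays the part of the registry."""

    def __init__(self, real):
        self.real = dict(real)
        self.overlays = {}      # spoof-set name -> {key: value or DELETED}
        self.membership = {}    # process name -> spoof-set name
        self.applied = {}       # spoof-set name -> keys created on commit

    def create_spoof_set(self, name, processes):
        """Processes listed here read and write through the named overlay."""
        self.overlays[name] = {}
        for proc in processes:
            self.membership[proc] = name

    def read(self, process, key):
        name = self.membership.get(process)
        if name is not None and key in self.overlays[name]:
            value = self.overlays[name][key]
            return None if value is DELETED else value
        return self.real.get(key)        # everyone else sees the real registry

    def write(self, process, key, value):
        name = self.membership.get(process)
        if name is None:
            self.real[key] = value       # not sandboxed: ordinary write
        else:
            self.overlays[name][key] = value

    def delete(self, process, key):
        name = self.membership.get(process)
        if name is None:
            self.real.pop(key, None)
        else:
            self.overlays[name][key] = DELETED

    def pending(self, name):
        """Review list of (key, current real value, spoofed value); None means absent."""
        return [(k, self.real.get(k), None if v is DELETED else v)
                for k, v in sorted(self.overlays[name].items())]

    def discard(self, name):
        self.overlays[name].clear()

    def commit(self, name):
        """Apply the overlay to the real registry.

        Returns the keys that did not exist before, so an uninstall-time
        cleanup knows exactly what this spoof-set added.
        """
        created = []
        for key, value in self.overlays[name].items():
            if value is DELETED:
                self.real.pop(key, None)
            else:
                if key not in self.real:
                    created.append(key)
                self.real[key] = value
        self.overlays[name].clear()
        self.applied[name] = sorted(created)
        return self.applied[name]


if __name__ == "__main__":
    # Constructed walk-through: an installer writes a Run entry that only
    # its own processes can see until the user commits.
    run_key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp"
    sb = RegistrySandbox({})
    sb.create_spoof_set("example-install", ["setup.exe", "example.exe"])
    sb.write("setup.exe", run_key, "C:\\Program Files\\ExampleApp\\example.exe")
    print("example.exe sees:", sb.read("example.exe", run_key))
    print("explorer.exe sees:", sb.read("explorer.exe", run_key))
    print("pending:", sb.pending("example-install"))
```

The behaviour P2K describes falls out directly: because explorer.exe is not in the spoof-set, a spoofed Run entry never reaches startup processing, while the installed application reads its own settings back as if they had been written for real.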
I like P2K's idea of turning RegDefend into a registry sandbox; that would be great if you can do it. It does leave open the issue of what to do with uncommitted changes during shutdown, but if the uncommitted changes were visible in the log pane after reboot then they could potentially be applied again (easily) with a right-click "apply".
To allow this tool to be used as P2K describes and get a list of registry changes made by an application, it would be nice to be able to specify "advanced" filter rules for a particular executable (eg: hello.exe filter: Change:HKLM\*;!Change:HKLM\Software\HelloCorp\*; .. )
That way if we have an executable that we are a little unsure of, then we can get prompted for every read and every little change (and see the existing value and the new value), it would be a lot of clicking
And as hojtsy says in post 8, the ability to allow/deny specific key+value combinations is somewhat important. That is what I was referring to in my earlier post for centralised blocklists - the ability to target specific suspicious or known malicious behaviours.
As bowserman says in #13, a delete file would be good, if any handles to the offending file were forcibly closed first then the delete would most probably be able to happen immediately....
To take an idea from the latest version of Process Explorer another potentially useful thing to log from a forensic point of view, would be to add a button to the GUI alert to collect and display a stack trace (and module name) from the app thread that is attempting to make the registry modification.
If you did this it would be nice to have an option to also log the module + stack trace to the logfile; this would need to be tightly configured (with a filter pattern) to keep the volume of information manageable and make sure that the overheads of collecting and storing are acceptable.
And just like PG, the GUI Alert suffers from the problem that people with single-headed systems cannot go and look for information about whether a particular registry change is safe (whilst the Alert is in the way). I'm not sure how you can work around this without providing a way to compromise display of the alert, but it would be nice to have a way of getting some information in this situation (nb: I don't have an issue when using a dual-headed system).
The best option in my view would be for RegDefend to keep them spoofed/uncommitted so they would only be visible when RegDefend restarts - this would allow testing of applications whose installers insist on an immediate reboot.
The main problem is that the application wouldn't be properly installed (e.g. it would not run on startup since Windows processes would not see the spoofed Run entries, so it would have to be run manually and Explorer changes would not be implemented so right-click menu options and extra buttons would not be present). However the application would see all its (spoofed) registry entries so should otherwise function normally, and Committing the changes should then give a fully functional install.
I would like to make Bowserman's suggestion a little wider: a link to regedit with the ability to delete the key, and a pop-up property box of the offending process/executable with the ability to disable, rename or delete it.
Edit: re. gottadoit's suggestion below: Quarantine & submit.
If you are going to have that then Jason might as well have a "submit suspicious executable" button that will shoot the executable off to the list of email addresses configured via the GUI
And a button to auto-submit the executable for scanning to one (or more) configurable online sites would be somewhat nice as well
NB: For the guys at DCS reading this thread, both Pilli's suggestion and this one would also be good to have in PG
Somewhere in your ideas about spoofing and injecting ProcessGuard comes into play preventing the .dll injection
It's my turn now, pls!
These are mainly user-friendliness requests:
- make the window maximized when we load it from the task bar icon (currently the minimized menu bar appears at the top left of my screen)
- a popup should appear when we click "delete group"! I accidentally deleted the main group by clicking on it by mistake, and I was obliged to reinstall to restore it.
- something needs to be done about the GUI, I don't know how exactly though, it's probably hard to find the better way, but currently (as said by hojtsy) the most important window (left bottom) is small and we have to scroll it.
One possible way would be to have a separate application tab, and the allowances would be global, not per group created. Thus you can decrease the height of the group block (may be a combo box ?) and make the most important take all the screen in width ?
- explain somewhere in the help whether the protection is still activated or not when RegDefender is closed (if not, why not block any new values when RD is closed?)
- in general, the icons for the groups and the registry "folder" could maybe be better; the groups are too big I think, but I don't know.
- I absolutely would want to see the icon of the program trying to read/write the registry, and its path. When a warning pops up, we want to be able to quickly identify the potential offender (or trusted app), and user-friendly speaking it's better too.
- usual requests: make the window remember its size and location, and remember the column header size on the window.
Can't wait to see the next version
EDIT: oh, and another icon if possible, something that makes us feel that something is blocked or protected. The current one is not looking good in the taskbar.
EDIT2: having the possibility to load rulesets or "packages" would be really nice. Thus we could have many different ones such as IE (including all IE related registry entries targeted by spywares), other ones related to particular applications (ApplicationX ruleset, etc...), and why not a "paranoid" one? The users could share their files and everyone could load and import them.
How about the ability to specify a wildcard when adding registry keys (like MJRW), that way we could easily cover all the different users keys in HKU and the ones in hojtsy's list
It would mean that you would have to enumerate the keys to watch at startup time (and add new ones to the watch list as they are created or as new hives are loaded if they match an existing pattern...)
It is nice to be able to specify what to monitor without having to add each key in individually and seeing as there is only a bit of memory overhead for the table of keys there is no real reason not to make the list very long....
For what it's worth, I quite like the Tiny Firewall Registry protection hierarchical permission application where you can set more restrictive permissions as you go further down the registry tree and have the deeper keys override the settings higher up. I don't want to run Tiny everywhere, and PG+RegDefender are not too bad a combination instead.
I could see this being useful by being able to specify that all *new* executables (ie: being run the first time) could read anywhere but need to prompt before add/change/delete
Once I knew where the app was storing its own values (during the install process) I could then add permissions for that specific part of the tree and lessen the number of prompts for the remainder of the installation
That way I would end up with an application that had tightly specified areas that it could write to and even if something later introduced a trojan dll, it would probably draw attention to itself by writing to a different area in the registry tree (even if that area wasn't being monitored)
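Three suggestions from this thread fit in one small rule engine: the wildcard key patterns just proposed (one `*` standing in for the per-user SID under HKU), the per-executable filter syntax from gottadoit's earlier post (`Change:HKLM\*;!Change:HKLM\Software\HelloCorp\*`), and the Tiny-style hierarchy where the deepest matching pattern overrides anything set higher up. The code below is an added example, not RegDefend code and not from anyone in the thread. The segment-wise matching semantics, the operation names (`read`, `change`) and the default of "reads allowed, modifications prompted" for an unmatched key are assumptions chosen to match what the posts describe; the SID, key paths and executable names are constructed.

```python
from fnmatch import fnmatchcase


def split_key(key):
    return [seg for seg in key.split("\\") if seg]


def key_matches(pattern, key):
    """Segment-wise wildcard match for registry paths.

    '*' or '?' inside a segment match within that one segment only (so
    HKU\*\Software matches exactly one SID segment); a trailing '*'
    segment matches any number of remaining segments, i.e. a whole subtree.
    """
    p, k = split_key(pattern), split_key(key)
    if p and p[-1] == "*":
        head = p[:-1]
        return len(k) > len(head) and all(fnmatchcase(ks, ps) for ks, ps in zip(k, head))
    return len(p) == len(k) and all(fnmatchcase(ks, ps) for ks, ps in zip(k, p))


def specificity(pattern):
    """Deeper patterns win; among equally deep ones, more literal segments win."""
    segs = split_key(pattern)
    return (len(segs), sum(1 for s in segs if "*" not in s and "?" not in s))


def parse_filter(spec):
    """Parse the 'Op:Pattern;!Op:Pattern;...' syntax from the post into rules.

    A '!' prefix means the operation is permitted without prompting; without
    it the operation prompts. Returns (op, pattern, action) tuples.
    """
    rules = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        silent = item.startswith("!")
        op, _, pattern = item.lstrip("!").partition(":")
        rules.append((op.strip().lower(), pattern.strip(), "allow" if silent else "prompt"))
    return rules


def decide(rules, op, key):
    """Pick the action of the most specific matching rule; ties go to the later rule.

    Unmatched keys get the default suggested above for a new executable:
    reads are allowed, modifications prompt.
    """
    best = None
    for idx, (rule_op, pattern, action) in enumerate(rules):
        if rule_op not in (op, "*") or not key_matches(pattern, key):
            continue
        rank = (specificity(pattern), idx)
        if best is None or rank > best[0]:
            best = (rank, action)
    if best is not None:
        return best[1]
    return "allow" if op == "read" else "prompt"


# Constructed per-executable filter, in the syntax from the earlier post.
HELLO_RULES = parse_filter("Change:HKLM\\*;!Change:HKLM\\Software\\HelloCorp\\*")

# Constructed hierarchical ruleset: a broad "prompt" under HKLM\Software is
# overridden by a deeper "deny" on the Run keys, including every user's under HKU.
RUN_TAIL = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*"
TREE_RULES = [
    ("read",   "HKLM\\Software\\*", "allow"),
    ("change", "HKLM\\Software\\*", "prompt"),
    ("change", "HKLM\\" + RUN_TAIL, "deny"),
    ("change", "HKU\\*\\" + RUN_TAIL, "deny"),
]

if __name__ == "__main__":
    for op, key in [("change", "HKLM\\Software\\HelloCorp\\Settings\\Mode"),
                    ("change", "HKLM\\Software\\Other\\Setting"),
                    ("change", "HKU\\S-1-5-21-EXAMPLE\\" + RUN_TAIL[:-1] + "Foo")]:
        print(f"{op:6s} {key:60s} hello={decide(HELLO_RULES, op, key):6s} tree={decide(TREE_RULES, op, key)}")
```

Because a rule's weight comes from its depth rather than its position in the list, the administrator can keep a short, readable list in any order and still get the "tighten as you go down the tree" behaviour, and a new executable that wanders outside the subtree it was granted during install lands back on the prompting default.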
Yes a kill process option is what I would like. And remember that on reboot so that the process can't start again.
- "Locked mode" : To install it on users computer or on a computer used by kids, a password lock feature would be very interesting.
When an application tries to read a key, the group is set to "ask the user", and RD is password locked, it should ideally be blocked without prompting the user.
- when adding a key to a group, as hojtsy pointed out, it would be great to have a text box to enter the path, first, and secondly, while we are browsing the registry, it is not written where we are (and we have to scroll up to check that we are at the correct place).
RegDefend only informs you that a registry key/value is being modified instead of informing you what the modification is (ie. adding, deleting, modifying/renaming Value name, modifying Value data, etc.).
Would it be possible to give the user this information, instead of just saying it's been modified, which isn't overly informative.