Registry Guard - Protect registry keys and values

Discussion in 'other anti-malware software' started by novirusthanks, Nov 24, 2015.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    We've released a new tool to protect registry keys\values:


    Read more & download here:
    http://www.novirusthanks.org/products/registry-guard/
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,144
    Location:
    in a remote land :)
    Another nice tool ;) Seems very similar to SoB,

    @novirusthanks will it be integrated in it (or maybe it is already)?

    Do you plan to release portable versions?
     
    Last edited: Nov 24, 2015
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Won't work with XP??
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @novirusthanks. :) I have some questions on this tool.

    1. I guess this version is a stable version rather than a beta version. Is that true?

    2. Could this tool only use path to match an EXE? Or does it also support hash code and digital signature?

    3. Could the [%EXE%] field be used to match any executable files, including scripts? Or does it only match ".exe" files?

    4. Does this tool have a passive logging mode?
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @TomAZ

    It only works on Vista+ OS.

    @umbrapolaris

    No plan for now to integrate into SOB, we'll see.

    Noticed you posted on MT, wanted to clarify one thing, Registry Guard actually does block in real-time specific processes from writing\reading\deleting to\from the Windows registry if the rules match the event, and when an action is blocked, it is then logged in the textarea. It is like a HIPS\real-time protection for custom registry keys and values so they can't be created\changed\deleted\read :)

    Example, with this custom rule:

    The program prevents regedit.exe from deleting any registry key that matches the wildcard *DeleteKey*

    @Online_Sword

    1. Yes, it is stable.

    2. It matches only fully qualified process path using wildcards.

    3. The alias [%EXE%] matches the fully qualified file path of the process that requested the registry action.

    4. Not for now.
     
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,144
    Location:
    in a remote land :)
    OK, I will add your clarification ;)
     
  7. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Looks interesting, but again no user-friendly GUI. I hope this won't become a trend.
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @umbrapolaris Thanks :)

    Released a new version:

    http://www.novirusthanks.org/products/registry-guard/


    You can now write exclusion rules easily:

     
    Last edited: Dec 3, 2015
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
  11. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,133
    Location:
    USA
    +1
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,947
    Location:
    USA
    Does Registry Guard prompt the user to allow, or deny the action, or does it automatically block the action?
     
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    How does/can RG differ from MJRW?
     
  14. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    "MJ Registry Watcher is a simple registry, file and directory hooker/poller [...]" (from their site). Registry Guard uses real-time blocking.
     
  15. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    OK, I agree, but MJRW is not so simple :)
    "You can also choose between always prompting your attention when one occurs, automatically
    accepting all changes, or rejecting all changes, using the top left radiogroup. Automatic
    Rejection will undo all value changes, subkey additions, and file and directory additions..."

    From help file...so question would be still valid :)
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    What I meant is that the way they work is different. As far as I remember, MJRW has a lot more facilities.

    If you ask me, a real-time blocking tool is always better at protecting the system, because the modification is intercepted before the actual change happens. A tool that uses polling will read the changes after they happen and then it reverts them if the user decides that.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    NVT's Registry Guard excludes XP BUT XP doesn't need it -- we've got Tiny Watcher. It's on-demand -- the BEST way (a key link in the *detect & recover* concept of security).

    Tiny Watcher is *good* at detecting spooky registry changes right out of the box BUT -- for XP users who want to turn TW from *good* into *formidable* -- go to THIS Wilders thread.
     
    Last edited: Dec 8, 2015
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Last edited: Dec 11, 2015
  21. pasmal

    pasmal Registered Member

    Joined:
    Jan 25, 2015
    Posts:
    36
    Cool! So potentially we could use this to prevent portable apps from writing to the registry?

    Would something like this work for a rule to prevent any process from d:\apps from writing to HKCU/Software?

    Code:
    [%OPR%: CREATE_KEY] [%EXE%: d:\apps\*] [%KEY%: *\SOFTWARE*]
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    704
    Location:
    Italy
    @pasmal

    Correct, with that rule the program blocks every process located in d:\apps\* from creating new keys in *\SOFTWARE\* (HKLM and HKCU).
     
  23. Led42

    Led42 Registered Member

    Joined:
    Oct 9, 2014
    Posts:
    2
    Windows XP cannot be secured and should no longer be used.
     
  24. pasmal

    pasmal Registered Member

    Joined:
    Jan 25, 2015
    Posts:
    36
    Cool! Is it possible to make a separate build for portable use?
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I have a problem, I think. Probably just a missing character or something in the rule line.

    I uncommented the "included" line for DELETE_KEY but I can still delete this simple KEY below each and every time.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA]

    So far I have tried these below and no change. What am I doing wrong? The others work perfectly!

    [%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *DeleteKey*]

    [%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*]

    [%OPR%: DELETE_KEY] [%EXE%: c:\windows\*] [%KEY%: *\Software*]

    [%OPR%: DELETE_KEY] [%EXE%: C:\*] [%KEY%: *\SOFTWARE*] <-- I know this is likely off (experimenting)
     
    Last edited: Dec 13, 2015
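
The rule lines quoted in this thread can be checked offline against sample events with a small matcher. This is an added example, not NoVirusThanks code and not part of any post. It assumes that `*` matches any run of characters, that comparison is case-insensitive, and that key and process paths look like the constructed ones below; Registry Guard's own matching and path format may differ.

```python
import re

# Field syntax as written in the thread: [%NAME%: value]
FIELD = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*?)\s*\]")

def parse_rule(line):
    """Return {'OPR': ..., 'EXE': ..., 'KEY': ...} for one rule line."""
    fields = dict(FIELD.findall(line))
    missing = {"OPR", "EXE", "KEY"} - fields.keys()
    if missing:
        raise ValueError(f"rule lacks field(s): {sorted(missing)}")
    return fields

def wildcard_match(pattern, text):
    """Assumed semantics: '*' is any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def rule_matches(rule, event):
    return (rule["OPR"].upper() == event["opr"].upper()
            and wildcard_match(rule["EXE"], event["exe"])
            and wildcard_match(rule["KEY"], event["key"]))

def matching_rules(rule_lines, event):
    """Indexes of the rule lines that match the event in this model."""
    return [i for i, line in enumerate(rule_lines)
            if rule_matches(parse_rule(line), event)]

# Rules copied from the thread.
RULES = [
    r"[%OPR%: CREATE_KEY] [%EXE%: d:\apps\*] [%KEY%: *\SOFTWARE*]",
    r"[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *DeleteKey*]",
    r"[%OPR%: DELETE_KEY] [%EXE%: *regedit.exe] [%KEY%: *\Software*]",
    r"[%OPR%: DELETE_KEY] [%EXE%: c:\windows\*] [%KEY%: *\Software*]",
]

# Constructed events; the path formats are assumptions.
EVENTS = [
    {"opr": "CREATE_KEY", "exe": r"D:\Apps\tool\tool.exe",
     "key": r"HKEY_CURRENT_USER\Software\Tool"},
    {"opr": "DELETE_KEY", "exe": r"C:\Windows\regedit.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WUSA"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["opr"], ev["key"], "->", matching_rules(RULES, ev))
```

A pattern that matches here while the tool still allows the action points away from the wildcard itself and toward how the rule is loaded or how the tool sees the path.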