Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    What is Registry Guard Service?

    We've released a new version:
    http://www.novirusthanks.org/products/registry-guard-service/

    Code:
    [24-Mar-2017] v1.1.0.0
    
    + Log the new value to Logs (when performing a write operation on a value's contents)
    + Added [%OPR%: RENAME_KEY] option to prevent processes from renaming a registry key
      Example: [%OPR%: RENAME_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      // prevents "Run" key from being renamed
    + Added dynamic unloading of driver + deletion
    + Added DeleteLogsOlderThanNDays option in Config.ini
    + Updated the Rules.db to include rules to block the "Double Agent" PoC
    + Appended \Logs\ to LogPath
    
    These new rules are used to block "DoubleAgent" attack:

    Code:
    {
      Below are some rules that prevent your IFEO key from being abused. These rules are especially useful to
      block the "Double Agent" PoC that bypasses many security software programs by simply renaming the keys,
      adding the VerifierDlls value, and renaming the key back to the original key name. It is important to
      note that the %OPR%: RENAME_KEY rules are used to prevent any process
      from renaming \Image File Execution Options* keys.
    }
    
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *] [%VAL%: VerifierDlls]
    [%OPR%: RENAME_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*]
    [%OPR%: RENAME_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*]
    
    The new option "%OPR%: RENAME_KEY" is used to prevent processes from renaming a registry key (the trick used by the "DoubleAgent" PoC to bypass many security software programs).
     
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,556
    Location:
    Mexico
    Thank you.
     
  3. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    80
    Any news about SOB or NVT ?
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    Should post ERP news very soon.
     
  5. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,684
    Location:
    Europe then Asia
    Nice update.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    Are you using it with default rules? Or have you already customised it?

    I would try this but I suspect it may be problematic for me as I frequently install software so I will need to disable it often ... it may be a bit 'over my pay grade' :)
     
    Last edited: Mar 28, 2017
  8. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    I'm not even sure what I should add to the Rules.DB :doubt:, so I leave it as it is. I use only default rules.
    But I have added all security apps to the Exclusions.DB.

    But I'm wondering now, because it doesn't give a peep if I modify/add startup entries. But shouldn't it be blocked? :cautious:
    And I have installed/uninstalled Excubits drivers or other programs, and again no peep.
    Edit: There was a problem with comments in the Exclusions.DB. The problem is solved now and Registry Guard Service is now working correctly.

    But renaming a key seems to be working: [%OPR%: RENAME_KEY]
     
    Last edited: Mar 29, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,545
    Location:
    U.S.A.
  10. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    Nice, maybe I'll find something which is not yet included in the rules. I'll have a look at it later :thumb:
     
  11. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    @boredog

    Let's move the conversation to this thread :)

    Can you post the logs of Registry Guard blocked events?

    So we can see what is actually blocked and write a specific exclusion rule.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    Thanks.

    I would try that but not sure I understand the syntax. :doubt:
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    @novirusthanks
    Sometimes I was a little bit confused after testing self-made rules, but I wasn't able to trigger [%OPR%: WRITE_VALUE], even with [%KEY%: *] [%VAL%: *]
    With Registry Guard v1.0/1.1/1.2 (from the year 2015) I can clearly see Operation: Write Value in the log files :cautious:
    But with newer versions of Registry Guard and with Registry Guard Service 1.0/1.1 it seems not to be monitored anymore (Edit: at least on my system :doubt:, in post #14 and #15 it seems to work) (but all other rules with READ_VALUE/CREATE_KEY/DELETE_KEY, etc. are working correctly)
    Edit 2: There was a problem with comments in the Exclusions.DB. The problem is solved now and Registry Guard Service is now working correctly.
     
    Last edited: Mar 29, 2017
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,299
    NVT

    Date/Time: 3/27/2017 2:20:49 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 8292
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMWebProtection
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MessagingService_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:43:28 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 12080
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_5fc3f78
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]


    Date/Time: 3/27/2017 2:44:59 PM
    Operation: Write Value
    Process: [6664]C:\Program Files\CCleaner\CCleaner64.exe
    Thread Id: 6180
    Key: \REGISTRY\USER\S-1-5-21-3438962753-3298352509-1694371991-1001\Software\Microsoft\Windows\CurrentVersion\Run
    Value: CCleaner Monitoring
    New Value Data: "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]


    Date/Time: 3/27/2017 5:03:21 PM
    Operation: Write Value
    Process: [444]C:\Windows\System32\services.exe
    Parent: [824]C:\Windows\System32\wininit.exe
    Thread Id: 8256
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMWebProtection
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]
     
  15. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    237
    Location:
    united kingdom
    Blocking and logging ok here too...

    Code:
    Date/Time: 29/03/2017 15:06:05
    Operation: Write Value
    Process: [27676]C:\Windows\regedit.exe
    Parent: [5480]C:\Windows\explorer.exe
    Thread Id: 24152
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: Greenshot
    New Value Data: C:\Program Files\Greenshot\Greenshot.exes
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    
    Date/Time: 29/03/2017 15:12:58
    Operation: Write Value
    Process: [29836]C:\Program Files\Greenshot\Greenshot.exe
    Parent: [5480]C:\Windows\explorer.exe
    Thread Id: 28772
    Key: \REGISTRY\USER\S-1-5-21-2085512294-17192213334-522249646-1674\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Greenshot
    New Value Data: "C:\Program Files\Greenshot\Greenshot.exe"
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    @boredog

    Can you try to add these rules to the \Exclusions\Exclusions.DB file?

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\CDPUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\DevicesFlowUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MessagingService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OneSyncSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\PimIndexMaintenanceSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\WpnUserService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\CCleaner\CCleaner64.exe] [%KEY%: *\Software\Microsoft\Windows\CurrentVersion\Run] [%VAL%: CCleaner Monitoring]
    
    @askmark

    To allow Greenshot to write its value to HKCU\Run key you can add this rule in the \Exclusions\Exclusions.DB file:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\Greenshot\Greenshot.exe] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [%VAL%: Greenshot]
    
    @mood

    We only updated Registry Guard Service, the GUI version Registry Guard will be updated soon.

    Can you post your rules here? So I can check them.
     
    Last edited: Mar 30, 2017
  17. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    I have added my own rules, but I commented them out.
    But to be sure I have copied the default rules to the directory. I tested it again = writing values to the registry was possible.
    Now I copied the default Exclusions.DB to the directory. After another test = now I can see Operation: Write Value in the log file :eek: It works now

    To find the culprit I compared my Exclusions.DB with the default Exclusions.DB, and I had this in my Exclusions.DB:
    Code:
    {
        [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *] [%VAL%: *]
    }
    All lines between { and } should be seen as a comment and should be ignored, but it seems that Registry Guard Service has added it as an exclusion :doubt:
    This could be a reason why I couldn't see "Operation: Write Value" after editing registry keys.

    I guess I can now create a bug report:

    If ; is used to make a comment in the file Exclusions.DB, it is correctly commented out and ignored by Registry Guard Service (as expected)
    But comments with { and } are not ignored and rules within such comments are added as an exclusion:
    Code:
    Bug:
    The following "multi-line comment" in the file Exclusions.DB is added as an exclusion:
    {
        [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *] [%VAL%: *]
    }
    
    The following comment is correctly seen as a comment:
    ;    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *] [%VAL%: *]
    
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    :thumb: This is fixed now, but a new bug was introduced. The Rule isn't mentioned in the log:
    Code:
    Operation: Write Value
    Process: [5928]C:\Windows\regedit.exe
    Parent: [3252]C:\Program Files\totalcmd\TOTALCMD64.EXE
    Thread Id: 4940
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: New Value
    New Value Data: 
    Rule:  
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    @mood Would it be possible to post some example security apps Exclusions.DB entries?
     
  21. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    For example:
    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\CheckMAL\AppCheck\AppCheck*.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\EXE Radar Pro\ERPSvc.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files (x86)\Blue Ridge Networks\AppGuard\LicQueryApp.exe] [%KEY%: *] [%VAL%: *]
    
    To be sure that it doesn't conflict with other security apps, I allowed other security apps to write values to "all" registry keys.
    Or you can take the approach to only allow access to specific registry keys, but you'll have to monitor the log file all the time to see possible conflicts.
    With a tray icon it will be much easier to monitor, but the GUI version will be released soon.
    If you see blocks for services.exe (for example #14) or InfDefaultInstall.exe (...install a driver from Excubits and you'll see it)
    then I would rather write specific exclusions (only allow access to specific registry keys - #16) even if you have a lot of them.
    Or disable the protection before installing new drivers.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    Thanks @mood. Still trying to decide whether to make this 'a project'. There is quite a bit of info here now.
    Wondering whether to wait for the GUI version.
     
  23. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,556
    Location:
    Mexico
    Do you think RGS is not needed when using Shadow Defender?
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    I would guess not if you use SD all the time, rather than on demand.
    But there are others far more knowledgeable than me here, including you :)
     
  25. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,556
    Location:
    Mexico
    LOL
    Exactly, from what I understand this protects reg entries from being "touched" by malware AND survive a machine restart. But as I use SD on-demand, entering shadow mode right after updating my well-known apps, any other program not well-known that I install under shadow mode will not survive a reboot, including reg entries of any kind.

    But just to be sure I ask once again in case I'm missing something to protect or consider.
     