Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    But it also protects against installing of new services/drivers [%KEY%: *\SYSTEM\ControlSet*\Services\*]
    Or against fiddling around in the registry, changing of explorer-settings, (and the newest "Double Agent" PoC) which might affect your currently running shadow-session.

    For SD-users it is not really needed. After a reboot all changes are gone, so there is already "registry-protection".
     
    Last edited: Mar 30, 2017
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    Maybe we could exclude our trusted apps in SD or even after updating do a commit.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    I haven't noticed anything in my logs for my security software except those I have exclusions for now like MBAM and CCleaner. You might be right about SD changing reg entries back with Reguard service running. I don't know.
     
  4. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,694
    Location:
    Mexico
    Fine, but again, a simple reboot would vanish those changes right? Am I missing something here?
    (Sometimes slow to understand here, lol)
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    I think what he is trying to say is if you reboot with reg guard running, reg guard might stop shadow defender's changing the keys back?
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    I have a question about the logs and the exclusions DB file. Do the logs only show what has been blocked? Also I am still getting stuff for Malwarebytes. This time it is shutting down ransomware protection. Also some stuff in the logs about Tinywall.

    Ok, now the DB file. This includes the ones NVT asked me to add above. If I have the ControlSet* one, do I need the other two [%KEY%: *\SYSTEM\ControlSet001 and ControlSet002]?

    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\CDPUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\DevicesFlowUserSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MessagingService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OneSyncSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\PimIndexMaintenanceSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\WpnUserService_5fc3f78] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\CCleaner\CCleaner64.exe] [%KEY%: *\Software\Microsoft\Windows\CurrentVersion\Run] [%VAL%: CCleaner Monitoring]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet001\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet002\Services\MBAMWebProtection] [%VAL%: ImagePath]
     
  7. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,694
    Location:
    Mexico
    Thanks @boredog , perhaps you're right on what he's trying to say.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    I haven't checked to see if that happens or not yet. If it does happen it should be logged by Reg Guard. And you are right, when in shadow mode you shouldn't really need Reg Guard running anyway.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    I noticed I have this in my excluded DB. [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_5fc3f78] [%VAL%: ImagePath]

    Does there have to be a wildcard added to the DB exclusion? It appears the name of the UserData service changes, along with a couple of others that were part of the exclusions list.
    The one listed today is
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_775e7
    Value: ImagePath
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    742
    Location:
    Italy
    @mood

    Can you retry now? I updated the zip file:
    http://www.novirusthanks.org/products/registry-guard-service/

    Should work now:

    Code:
    Date/Time: 30/03/2017 23:06:45
    Operation: Write Value
    Process: [2508]C:\Windows\regedit.exe
    Parent: [2208]C:\Windows\explorer.exe
    Thread Id: 3068
    Key: \REGISTRY\USER\**********\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nuovo valore #1
    New Value Data:
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    @boredog

    Yes, if a string changes frequently you should use wildcards, example:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_*] [%VAL%: ImagePath]
    
    Yes.

    Please post what is in the logs so we can help.

    No, you can remove these two rules from the Exclusions.DB file:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet001\Services\MBAMWebProtection] [%VAL%: ImagePath]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet002\Services\MBAMWebProtection] [%VAL%: ImagePath]
    
    Because you have this:

    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]
    
     
    Last edited: Mar 30, 2017
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    Thank You Andreas.
     
  12. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    Correct. Users of Shadow Defender don't really need it, because all changes are gone after a reboot.
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    Well yesterday I was trying Ramdisk again and tried installing a program in it and bang, it really messed with my computer. I had to restore an image from before Reguard, so now back to the drawing board. I had already created an exclusion rule for the ransomware part of Malwarebytes since looking at how they are created.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,168
    Location:
    The etherlands
    Thanks again @mood (and @novirusthanks). I have now included all blocks as exclusions so the log file is clean on reboot.

    So I am up and running.

    Will keep monitoring the logs.
     
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    To be sure that Registry Guard Service doesn't prevent the correct installation of programs, I disable it.
    After the installation of programs I enable it again.

    Some applications change/create services or are changing registry keys while these applications are running, so exclusions have to be made.
    And some applications have an option "Automatically start with Windows"; changing this option leads to a block, so this must be excluded too.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,475
    Yup had done that. It looks like a no no to try install an app in the ramdisk itself. All is well again.
     
  18. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    97
    Sadly Registry Guard Service doesn't work with Windows XP SP3. :(

    The service is running (no problems with the installation) but none of the default rules are applied.

    For example, I can create new values as I want in the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Tested with version 1.3.0.0 of Registry Guard Service.
     
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    Because Registry Guard Service is now fully working on my system, I noticed that after starting a scan with HitmanPro the following was blocked:
    Code:
    Operation: Write Value
    Process: [616]C:\Windows\System32\services.exe
    [...]
    Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hitmanpro37
    Value: ImagePath
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]
    This application is creating/starting a service, so excluding the security application itself might not be enough; additional exclusions are needed.
    In the case of HitmanPro:
    Code:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\HitmanPro\HitmanPro.exe] [%KEY%: *] [%VAL%: *]
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\hitmanpro*] [%VAL%: ImagePath]
    
     
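    The exclusion questions in this thread (novirusthanks' answer about wildcards and the redundant ControlSet001/ControlSet002 lines, and mood's HitmanPro case where services.exe, not the application, writes the ImagePath value) come down to how the four rule fields are matched. The following Python is an added example written for this post, not code from NoVirusThanks or from the Registry Guard Service product. It assumes that `*` matches any run of characters and that matching is case-insensitive; the exact matching semantics of the product are not documented in the thread. It parses rule lines and pasted log blocks in the formats shown above, reports which exclusion would allow a given logged operation, and flags rules that a more general rule already covers.

```python
import re

# Field layout used by Registry Guard Service rules and by the "Rule:" log line
# (copied from the thread): [%OPR%: ...] [%EXE%: ...] [%KEY%: ...] [%VAL%: ...]
FIELDS = ("OPR", "EXE", "KEY", "VAL")
FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")


def parse_rule(line):
    """Split one rule line into its four fields; reject malformed lines."""
    fields = dict(FIELD_RE.findall(line))
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"rule is missing {missing}: {line!r}")
    return fields


def _glob(pattern, text):
    # Assumption (not the product's documented semantics): '*' matches any run
    # of characters including backslashes, everything else is literal, and the
    # comparison is case-insensitive like registry paths themselves.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def parse_log_event(block):
    """Turn a pasted 'Name: value' log block into a dict keyed like a rule."""
    raw = {}
    for line in block.strip().splitlines():
        name, _, value = line.partition(":")
        raw[name.strip()] = value.strip()
    return {
        "OPR": raw.get("Operation", "").upper().replace(" ", "_"),  # "Write Value" -> WRITE_VALUE
        "EXE": re.sub(r"^\[\d+\]", "", raw.get("Process", "")),     # drop the "[616]" PID prefix
        "KEY": raw.get("Key", ""),
        "VAL": raw.get("Value", ""),
    }


def rule_matches(rule, event):
    """True if this exclusion rule would allow the logged operation."""
    return all(_glob(rule[f], event[f]) for f in FIELDS)


def rule_subsumes(general, specific):
    """Sufficient test that `general` matches everything `specific` matches.
    Each '*' in the specific pattern becomes a NUL placeholder that only a '*'
    in the general pattern can absorb, so a match means the general rule
    already covers the specific one."""
    return all(_glob(general[f], specific[f].replace("*", "\x00")) for f in FIELDS)


def redundant_rules(rule_lines):
    """Return the lines that a strictly more general (or earlier identical)
    rule in the same list already covers."""
    rules = [parse_rule(line) for line in rule_lines]
    redundant = []
    for i, r in enumerate(rules):
        for j, g in enumerate(rules):
            if i != j and rule_subsumes(g, r) and (not rule_subsumes(r, g) or j < i):
                redundant.append(rule_lines[i])
                break
    return redundant


def matching_rules(rule_lines, block):
    """All exclusion lines that would allow the operation in a pasted log block."""
    event = parse_log_event(block)
    return [line for line in rule_lines if rule_matches(parse_rule(line), event)]


# Constructed Exclusions.DB contents, using rule lines quoted in the thread.
EXCLUSIONS_DB = [
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\MBAMWebProtection] [%VAL%: ImagePath]",
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet001\Services\MBAMWebProtection] [%VAL%: ImagePath]",
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet002\Services\MBAMWebProtection] [%VAL%: ImagePath]",
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\UserDataSvc_*] [%VAL%: ImagePath]",
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\HitmanPro\HitmanPro.exe] [%KEY%: *] [%VAL%: *]",
    r"[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\hitmanpro*] [%VAL%: ImagePath]",
]

# Constructed log blocks in the layout posted in the thread (the HitmanPro one
# mirrors mood's block event, the UserDataSvc one boredog's changing suffix).
HITMANPRO_EVENT = r"""
Operation: Write Value
Process: [616]C:\Windows\System32\services.exe
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hitmanpro37
Value: ImagePath
"""

USERDATA_EVENT = r"""
Operation: Write Value
Process: [616]C:\Windows\System32\services.exe
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_775e7
Value: ImagePath
"""

if __name__ == "__main__":
    for line in redundant_rules(EXCLUSIONS_DB):
        print("redundant:", line)
    print("HitmanPro event allowed by:", matching_rules(EXCLUSIONS_DB, HITMANPRO_EVENT))
    print("UserDataSvc event allowed by:", matching_rules(EXCLUSIONS_DB, USERDATA_EVENT))
```

    Run against the list above it reports the two ControlSet001/ControlSet002 lines as redundant and shows that the HitmanPro service write is allowed only by the services.exe rule with the `hitmanpro*` key, not by the rule for HitmanPro.exe itself, which is exactly why the second exclusion is needed. The subsumption check is deliberately conservative: it never calls a rule redundant unless the more general rule provably covers it.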
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,168
    Location:
    The etherlands
    Indeed I have also excluded via that second entry.

    But I have not seen any blocks for other security softs, other than having to exclude this:

    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files (x86)\Blue Ridge Networks\AppGuard\LicQueryApp.exe] [%KEY%: *] [%VAL%: *]

    Are exclusions for all security softs necessary?
     
    Last edited: Apr 7, 2017
  21. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    Not really. If a security app never writes to the registry after it has been installed, then it doesn't need to be excluded.
    To be sure that Registry Guard Service doesn't conflict with another security app that wants to write to the registry (sometime), it can be excluded in advance.
    But it's not a must.
    Or you can exclude applications only after you see blocks in the log-file. That's also sufficient.
     
  22. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    742
    Location:
    Italy
    @genieautravail

    Yes, Registry Guard Service (and the GUI version) works only on Vista+ OS.

    @mood

    Thanks for the help :D
     
  23. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    296
    Location:
    router
    Can I just use this tool to log a specific exe's registry access without blocking?
    If so, can someone write the rule for me?
    Thanks
     
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    If it is enabled, it is strictly blocking. After being turned off, it is not blocking and not logging.
    But adding such functionality (logging without blocking) could be useful, to see registry access from programs in the log-file without actually blocking it.

    @novirusthanks
    Suggestion: Let the user activate Registry Guard Service without actually blocking programs. Maybe with an additional option like "OnlyLogging = y" or something similar.
    Now the user can install/deinstall programs, and can do other things and is able to see all blocked registry-access in the logfile, but no registry-access was actually blocked (only logged).
     
  25. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    251
    Location:
    united kingdom
    I was going to suggest the same so +1 :thumb:
     