Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    Can't this be achieved via the config.ini by setting ProtectionEnabled from default 'y' to 'n', which I understand is picked up 'on the fly':

    [Options]
    ProtectionEnabled = n
    LoggingEnabled = y


    or am I misunderstanding :confused:? Hope not, I currently do this for installs.

    If I am misunderstanding, and the service actually has to be stopped / disabled, then I certainly back the suggestion.
     
    Last edited: Apr 20, 2017
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    237
    Location:
    united kingdom
    Sadly not. In my testing, disabling protection resulted in nothing being logged, despite logging being enabled.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    Difficult for me to test this now because I have quite a large list of exclusions.

    I wonder why Andreas has the second parameter then?
     
  4. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    237
    Location:
    united kingdom
    I assume it's so you can enable the protection but not log anything.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    OK, sounds right - my logical powers are diminishing :eek:. Then I support the suggestion made by @mood and yourself.

    Edit: Hope Andreas @novirusthanks spots these posts and chimes in. Maybe he is too busy with the new ERP :).
     
    Last edited: Apr 20, 2017
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    Correct. The LoggingEnabled setting only has an effect if the protection is enabled.
    Edit: See Instructions.txt
    ProtectionEnabled = y
    LoggingEnabled = y
    = Protection is enabled, Registry Access is logged.

    ProtectionEnabled = y
    LoggingEnabled = n
    = Protection is enabled, Registry Access is not logged.


    ProtectionEnabled = n (!)
    LoggingEnabled = y
    = Protection is disabled, Registry Access is not (!) logged.
     
    Last edited: Apr 23, 2017
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    289
    Location:
    router
    me too 1+
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    Thanks for confirming and clarifying.
    +2

    Or the two parameters are made to operate independently, as I had previously assumed.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    237
    Location:
    united kingdom
    This :thumb:
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    We've added a "Passive Mode" option in the new version 1.3:
    http://www.novirusthanks.org/products/registry-guard-service/

    You can change it (y\n) in Config.ini under the Settings section:

    Code:
    [Settings]
    LogPath = C:\RegGuardSvc\Logs
    RulesPath = C:\RegGuardSvc\Rules
    ExclusionsPath = C:\RegGuardSvc\Exclusions
    DeleteLogsOlderThanNDays=0
    PassiveMode=n
    
    When enabled, Passive Mode just logs the blocked event without blocking it, and in the log files you'll see "-=== Passive Mode ===-", example:

    Some important notes:

    *** You should reset the service (stop and start) if you change Config.ini settings ***
    *** Rules are updated in real-time if the rule files have changed ***

    Regarding the logging, see this text taken from Instructions.txt file:

     
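The three switches discussed above (ProtectionEnabled and LoggingEnabled from Instructions.txt, plus the new PassiveMode) interact in a way that surprised the thread: LoggingEnabled=y logs nothing while ProtectionEnabled=n. The following is an added example, not the vendor's code, that models those semantics from a Config.ini body and flags the misleading combination. It assumes the [Options]/[Settings] layout quoted in the posts, and it assumes (the page does not say) that a disabled service ignores PassiveMode as well.

```python
"""Effective behaviour of Registry Guard Service's Config.ini switches.

Added example (not the vendor's code). It models what the thread quotes from
Instructions.txt: LoggingEnabled only has an effect when ProtectionEnabled is
'y', and Passive Mode (v1.3) logs the event instead of blocking it.
ASSUMPTION: with ProtectionEnabled=n nothing is blocked or logged, whatever
PassiveMode says; the page does not document that combination.
"""
import configparser
from dataclasses import dataclass

# Constructed sample built from the two sections quoted in the thread.
SAMPLE_CONFIG = r"""
[Options]
ProtectionEnabled = y
LoggingEnabled = y

[Settings]
LogPath = C:\RegGuardSvc\Logs
RulesPath = C:\RegGuardSvc\Rules
ExclusionsPath = C:\RegGuardSvc\Exclusions
DeleteLogsOlderThanNDays=0
PassiveMode=n
"""


@dataclass(frozen=True)
class Mode:
    blocks: bool   # matching registry operations are denied
    logs: bool     # matching registry operations are written to LogPath
    label: str


def _flag(value: str) -> bool:
    return value.strip().lower() == "y"


def effective_mode(protection: str, logging: str, passive: str = "n") -> Mode:
    """Derive what the service actually does from the three y/n switches."""
    if not _flag(protection):
        # Instructions.txt: protection off => nothing logged, even with LoggingEnabled=y
        return Mode(blocks=False, logs=False, label="disabled (no blocking, no logging)")
    if _flag(passive):
        # v1.3 Passive Mode: event is logged with "-=== Passive Mode ===-", not blocked
        return Mode(blocks=False, logs=_flag(logging), label="passive (log only)")
    suffix = " with logging" if _flag(logging) else " without logging"
    return Mode(blocks=True, logs=_flag(logging), label="enforcing" + suffix)


def _sections(text: str):
    cp = configparser.ConfigParser()          # keys are lower-cased by configparser
    cp.read_string(text)
    options = cp["Options"] if cp.has_section("Options") else {}
    settings = cp["Settings"] if cp.has_section("Settings") else {}
    return (options.get("protectionenabled", "y"),
            options.get("loggingenabled", "y"),
            settings.get("passivemode", "n"))


def mode_from_ini(text: str) -> Mode:
    """Parse a Config.ini body; missing switches default to y / y / n."""
    return effective_mode(*_sections(text))


def config_warnings(text: str) -> list[str]:
    """Point out switch combinations that do not do what they look like they do."""
    protection, logging, passive = _sections(text)
    warnings = []
    if not _flag(protection) and _flag(logging):
        warnings.append("LoggingEnabled=y has no effect while ProtectionEnabled=n; "
                        "use PassiveMode=y to log without blocking")
    if not _flag(protection) and _flag(passive):
        warnings.append("PassiveMode=y is irrelevant while ProtectionEnabled=n")
    return warnings


if __name__ == "__main__":
    print(mode_from_ini(SAMPLE_CONFIG))
    print(effective_mode("n", "y"))              # the 'install' setting tried in the thread
    print(effective_mode("y", "y", passive="y"))  # what was actually wanted, since v1.3
```

Remember that, per the developer's note, Config.ini changes need a service restart to take effect, whereas rule files are re-read on change.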
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    Great :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,362
    Location:
    U.S.A. (South)
    Not that it's any big deal but I am a registry head. LoL

    Removing the *asterisk within [%VAL%:] allows you to DELETE a newly created STRING VALUE (instantly!) and watch it go, where otherwise it takes an extra step of changing FOCUS, like jumping to the next key and coming back, and the DELETED STRING is gone. In any event the DELETE still takes place.

    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [%VAL%:]
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    +1
     
  14. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    237
    Location:
    united kingdom
    +2 :)
    And thanks to @novirusthanks for making this change :thumb:
     
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    I can't confirm this.
    If I remove * from %VAL%, an added registry key is not removed and I can add other registry keys, and it doesn't give a peep.
    So, without a * it is not working correctly (at least in my case :doubt:)
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,362
    Location:
    U.S.A. (South)
    Yeah a weird bug-a-boo and obviously does not apply to every system I guess (Thanks for testing yours)

    But remember, I did not test it on a KEY = reg folder, but after manually creating and then deleting a NEW STRING VALUE (in the RUN KEY space/list), where removing the *asterisk from Rules.DB on that particular line made a difference, or at least saves an extra step for me; although it still DELETES nonetheless, as I mentioned.

    I dunno, maybe a FOCUS thing on my x64 WIN 8.1.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,362
    Location:
    U.S.A. (South)
    @novirusthanks

    Are there plans to add any BLOCK settings?

    I can easily manually CREATE STRING VALUE with the default Rules.DB that you included in Registry Guard Service similar to the member a few posts back who was on XP SP3 I think.

    I want to be able to get a BLOCKED result in an instant when manually adding any NEW STRING VALUE especially in the RUN KEYS branches. Maybe I am missing something here?

    Windows 8.1 x64
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    739
    Location:
    Italy
    @EASTER

    Registry Guard Service blocks all registry modifications according to the rules in \Rules\Rules.DB file.

    By default, it blocks processes from creating string values in common startup locations; example rule taken from Rules.DB:

    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]

    That rule blocks any process from creating a string value (any value) on *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* key.

    You can use Regedit for testing, works fine for me here on Windows 7 (64-bit) and Windows 10 AU (64-bit).

    Code:
    Date/Time: 27/04/2017 13:53:32
    Operation: Write Value
    Process: [1636]C:\Windows\regedit.exe
    Parent: [2388]C:\Windows\explorer.exe
    Thread Id: 2996
    Key: \REGISTRY\USER\XXX\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nuovo valore #1
    New Value Data:
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*] [%VAL%: *]
    
    Please note that if you use Regedit, press F5 after you have created the value, so you will see it disappear, because it failed to be created as it was blocked by Registry Guard Service.
     
  19. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    For people who might prefer to have a GUI-version and a tray-icon, a new GUI version has been released:
     
    Last edited: May 21, 2017
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    I might go that route ... but I guess I would need to rebuild my Exclusions.DB - or can one copy it?
     
  22. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    The only difference is the GUI.
    You can copy the rules from Registry Guard Service to Registry Guard.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa
    Thanks. May well go with the GUI version then.
     
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,271
    To prevent malware from doing this, these rules can be used:
    Code:
    [%OPR%: CREATE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates*] [%VAL%: *]
    [%OPR%: CREATE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Disallowed\Certificates*] [%VAL%: *]
    
    Now the creation of subkeys in HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates is prevented:
    Code:
    Operation: Create Key
    Process: C:\Windows\regedit.exe
    Parent: C:\Program Files\totalcmd\TOTALCMD64.EXE
    Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
    Rule: [%OPR%: CREATE_KEY] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates*] [%VAL%: *]
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,902
    Location:
    Cape Town, South Africa