Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,609
    Location:
    Cape Town, South Africa
    Can't this be achieved via the config.ini by setting ProtectionEnabled from default 'y' to 'n', which I understand is picked up 'on the fly':

    [Options]
    ProtectionEnabled = n
    LoggingEnabled = y


    or am I misunderstanding :confused:? Hope not, I currently do this for installs.

    If I am misunderstanding, and the service actually has to be stopped / disabled, then I certainly back the suggestion.
     
    Last edited: Apr 20, 2017 at 2:38 AM
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    169
    Location:
    united kingdom
    Sadly not. In my testing, disabling protection resulted in nothing being logged, despite logging being enabled.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,609
    Location:
    Cape Town, South Africa
    Difficult for me to test this now because I have quite a large list of exclusions.

    I wonder why Andreas has the second parameter then?
     
  4. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    169
    Location:
    united kingdom
    I assume it's so you can enable the protection but not log anything.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,609
    Location:
    Cape Town, South Africa
    OK, sounds right - my logical powers are diminishing :eek:. Then I support the suggestion made by @mood and yourself.

    Edit: Hope Andreas @novirusthanks spots these posts and chimes in. Maybe he is too busy with the new ERP :).
     
    Last edited: Apr 20, 2017 at 11:38 AM
  6. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    Correct. The LoggingEnabled setting only has an effect if the protection is enabled.
    Edit: See Instructions.txt

    ProtectionEnabled = y
    LoggingEnabled = y
    = Protection is enabled, Registry Access is logged.

    ProtectionEnabled = y
    LoggingEnabled = n
    = Protection is enabled, Registry Access is not logged.

    ProtectionEnabled = n (!)
    LoggingEnabled = y
    = Protection is disabled, Registry Access is not (!) logged.
     
    Last edited: Apr 23, 2017 at 7:59 PM
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    282
    Location:
    router
    me too 1+
     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,609
    Location:
    Cape Town, South Africa
    Thanks for confirming and clarifying
    +2

    Or the two parameters are made to operate independently, as I had previously assumed.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    169
    Location:
    united kingdom
    This :thumb:
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    737
    Location:
    Italy
    We've added a "Passive Mode" option in new version 1.3:
    http://www.novirusthanks.org/products/registry-guard-service/

    You can change it (y\n) in Config.ini under the Settings section:

    Code:
    [Settings]
    LogPath = C:\RegGuardSvc\Logs
    RulesPath = C:\RegGuardSvc\Rules
    ExclusionsPath = C:\RegGuardSvc\Exclusions
    DeleteLogsOlderThanNDays=0
    PassiveMode=n
    
    When enabled, Passive Mode just logs the blocked event without blocking it, and in the log files you'll see "-=== Passive Mode ===-". Example:

    Some important notes:

    *** You should reset the service (stop and start) if you change Config.ini settings ***
    *** Rules are updated in real-time if the rule files have changed ***

    Regarding the logging, see this text taken from the Instructions.txt file:

     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    Great :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    Not that it's any big deal but I am a registry head. LoL

    Removing the *Asterisk within [%VAL%:] allows you to DELETE a newly created STRING VALUE (Instantly!) and watch it go, where otherwise it takes an extra step of changing FOCUS, like jumping to the next key and coming back, and the DELETED STRING is gone. In any event the DELETE still takes place.

    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [%VAL%:]
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,609
    Location:
    Cape Town, South Africa
    +1
     
  14. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    169
    Location:
    united kingdom
    +2 :)
    And thanks to @novirusthanks for making this change :thumb:
     
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,743
    I can't confirm this.
    If I remove * from %VAL%, an added registry key is not removed and I can add other registry keys, and it doesn't give a peep.
    So, without a * it is not working correctly (at least in my case :doubt:).
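    As an added example (not from the thread and not the product's own code), here is how a rule line in the format quoted above and the Config.ini switches from mood's table and the Passive Mode post could be evaluated against a constructed Run-key write event. The wildcard semantics (shell-style `*`/`?`, case-insensitive, empty pattern matches only an empty value name) are an assumption chosen to show why `[%VAL%:]` and `[%VAL%: *]` can behave differently.

```python
import re
from fnmatch import fnmatchcase

# One rule line in the format quoted in the thread; fields are [%NAME%: pattern].
RULE_FIELD = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")
RUN_KEY_RULE = r"[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [%VAL%: *]"

def parse_rule(line):
    """Split a rule line into {field: pattern}; a field that is absent counts as '*'."""
    return {name: pattern.strip() for name, pattern in RULE_FIELD.findall(line)}

def field_matches(pattern, value):
    # ASSUMED semantics, not taken from the product docs: '*' and '?' are shell-style
    # wildcards and matching ignores case, as registry paths and value names do.
    # A consequence is that an empty pattern (the [%VAL%:] form debated above) matches
    # only an empty value name, i.e. the key's (Default) value.
    return fnmatchcase(value.lower(), pattern.lower())

def rule_matches(rule, event):
    return all(field_matches(rule.get(f, "*"), event[f]) for f in ("OPR", "EXE", "KEY", "VAL"))

def decide(rule_hit, protection_enabled, logging_enabled, passive_mode):
    """Return (blocked, logged) for an event, following the thread: with
    ProtectionEnabled=n nothing is blocked or logged; PassiveMode=y logs the event
    that would have been blocked without blocking it (assumed to honour LoggingEnabled)."""
    if not rule_hit or protection_enabled != "y":
        return (False, False)
    logged = logging_enabled == "y"
    if passive_mode == "y":
        return (False, logged)
    return (True, logged)

# Constructed sample event: an installer writing a new autostart string value to the Run key.
EVENT = {
    "OPR": "WRITE_VALUE",
    "EXE": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    "KEY": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "VAL": "Updater",
}

if __name__ == "__main__":
    rule = parse_rule(RUN_KEY_RULE)
    hit = rule_matches(rule, EVENT)
    print("matched:", hit, "-> (blocked, logged) =", decide(hit, "y", "y", "n"))
    print("passive mode:", decide(hit, "y", "y", "y"))
    # The same rule with the asterisk removed from %VAL%, as tried a few posts above:
    no_star = parse_rule(RUN_KEY_RULE.replace("[%VAL%: *]", "[%VAL%:]"))
    print("no-asterisk rule matches 'Updater':", rule_matches(no_star, EVENT))
```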
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    Yeah, a weird bug-a-boo, and obviously it does not apply to every system, I guess (thanks for testing yours).

    But remember, I did not test it on a KEY=Reg Folder but after manually creating, then deleting, a NEW STRING VALUE (IN THE RUN KEY SPACE/LIST), where removing the *asterisk from Rules.DB on that particular line anyway made a difference, or at least it saves an extra step for me; although it still DELETES nonetheless, as I mentioned.

    I dunno, maybe a FOCUS thing on my x64 WIN 8.1.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,823
    Location:
    U.S.A. (South)
    @novirusthanks

    Are there plans to add any BLOCK settings?

    I can easily manually CREATE STRING VALUE with the default Rules.DB that you included in Registry Guard Service similar to the member a few posts back who was on XP SP3 I think.

    I want to be able to get a BLOCKED result in an instant when manually adding any NEW STRING VALUE especially in the RUN KEYS branches. Maybe I am missing something here?

    Windows 8.1 x64
     