Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    You're welcome :)
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    By default, common startup entries and other important registry keys are protected.

    But installed programs store their settings in registry keys which are not protected.
    For example, NoVirusThanks OS Armor stores its settings in the following registry key:
    "HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"

    Ticking/unticking options in OS Armor leads to a write to this registry key.
    Processes with administrator rights can also change the settings of OS Armor; for example, they can disable specific settings.
    To add an additional protection layer, so that only OS Armor itself is able to modify its settings:
    Code:
    File: Rules.DB
    ; NoVirusThanks OS Armor - Protection of the registry key
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
    File: Exclusions.DB
    ; Only Executables of NoVirusThanks OS Armor can modify settings:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    Registry Guard Service v1.6 Released (20 September 2018)
    http://www.novirusthanks.org/products/registry-guard-service/
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,186
    Location:
    Under a bushel ...
    @mood Is this free for personal use?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,186
    Location:
    Under a bushel ...
    :thumb: Thanks, I have used it. Was just wondering if anything had changed.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,186
    Location:
    Under a bushel ...
    @mood Noob question. To update the service, can I simply stop the service, install over the stop and restart?
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    If you have not made any modifications to the configuration (Exclusions.DB, Rules.DB, etc.), then these files can simply be overwritten with the new ones.
    But if you have made your own modifications, make sure not to simply overwrite these files.

    The files uninstall.bat/install.bat can be used, but stopping the service, replacing the old files with the new files and starting the service again should be sufficient.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,186
    Location:
    Under a bushel ...
    Nevertheless, I must have messed something up in my upgrade to v1.6, because I started experiencing mysterious symptoms like bad installs, not being able to change DNS, etc. - in spite of (still) being set to 'Passive' in config.ini.

    Uninstalled for now.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    Confirmed.
    There is something wrong with the Passive Mode.
    Actions are correctly logged with "-=== Passive Mode ===-" but it is also blocking actions. After setting it to Passive Mode it should only log but never block.

    Example:
    Today I wanted to register a context menu, switched Registry Guard Service to Passive Mode, but registering the context menu was prevented and the utility (Detect It Easy) threw an error.
    Attachments: 1) Registry Guard Service_passive_mode_register.png 2) Registry Guard Service_passive_mode_failed.png
    Code:
    -=== Passive Mode ===-
    Operation: Write Value
    Process: [6320]C:\***\DIE\stuff\die.exe
    Key: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command
    Value: (Default)
    New Value Data: "C:\***\DIE\stuff\die.exe" "%1"
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
    
    After stopping Registry Guard Service the tool was able to correctly modify the registry, and the context menu is also working.
     
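The two posts above (the Rules.DB/Exclusions.DB snippet for the OSArmorDev key, and the Passive Mode log entry) together describe how a protected write is decided: a rule line names the operation, writing process, key and value with wildcards; an exclusion exempts a specific process; and Passive Mode is supposed to log a matching write without blocking it. The following Python is an added illustration of that decision logic, not code from Registry Guard Service or NoVirusThanks. It assumes shell-style glob matching done case-insensitively, that an exclusion match is checked before the rules, that "Write Value" in the log corresponds to WRITE_VALUE in the rule syntax, and it uses a constructed OS Armor process path (OSArmorDevSvc.exe) for the exclusion test; the sample rule lines and log entry are copied from the thread.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule lines in the [%OPR%] [%EXE%] [%KEY%] [%VAL%] syntax quoted in the thread.
# Rules.DB lists protected operations; Exclusions.DB lists processes exempt from them.
RULES_DB = r"""
; Protect the OS Armor settings key and the exefile handler (thread examples)
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
"""
EXCLUSIONS_DB = r"""
; Only OS Armor's own executables may modify its settings key
[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
"""

# Constructed copy of the Passive Mode log entry from the thread (path anonymised as in the post).
PASSIVE_LOG_ENTRY = r"""
-=== Passive Mode ===-
Operation: Write Value
Process: [6320]C:\***\DIE\stuff\die.exe
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command
Value: (Default)
New Value Data: "C:\***\DIE\stuff\die.exe" "%1"
"""

FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")


@dataclass(frozen=True)
class Rule:
    opr: str
    exe: str
    key: str
    val: str


@dataclass(frozen=True)
class RegistryOp:
    opr: str  # normalised operation name, e.g. WRITE_VALUE
    exe: str  # full path of the writing process
    key: str  # native registry path exactly as the log prints it
    val: str  # value name; "(Default)" for the default value


def parse_db(text: str) -> List[Rule]:
    """Parse a Rules.DB/Exclusions.DB body: ';' lines are comments, a missing field defaults to '*'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        f = {k: v.strip() for k, v in FIELD_RE.findall(line)}
        rules.append(Rule(f.get("OPR", "*"), f.get("EXE", "*"), f.get("KEY", "*"), f.get("VAL", "*")))
    return rules


def glob(pattern: str, text: str) -> bool:
    # Assumption: patterns are shell-style globs, matched case-insensitively (Windows paths and keys are).
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def rule_matches(rule: Rule, op: RegistryOp) -> bool:
    return (glob(rule.opr, op.opr) and glob(rule.exe, op.exe)
            and glob(rule.key, op.key) and glob(rule.val, op.val))


def parse_log_entry(text: str) -> RegistryOp:
    """Turn one log entry into a RegistryOp: 'Write Value' -> WRITE_VALUE, the '[pid]' prefix is stripped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:  # the '-=== Passive Mode ===-' banner has no colon and is skipped
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return RegistryOp(
        opr=fields["Operation"].upper().replace(" ", "_"),
        exe=re.sub(r"^\[\d+\]", "", fields["Process"]),
        key=fields["Key"],
        val=fields["Value"],
    )


def decide(op: RegistryOp, rules: List[Rule], exclusions: List[Rule],
           passive: bool) -> Tuple[str, Optional[Rule]]:
    """Return (decision, matched_rule). Assumption: an exclusion match wins before rules are consulted.
    In Passive Mode a protected write is only logged, never blocked (the behaviour the thread expects)."""
    for exc in exclusions:
        if rule_matches(exc, op):
            return "allow", exc
    for rule in rules:
        if rule_matches(rule, op):
            return ("log", rule) if passive else ("block", rule)
    return "allow", None


if __name__ == "__main__":
    rules, exclusions = parse_db(RULES_DB), parse_db(EXCLUSIONS_DB)
    op = parse_log_entry(PASSIVE_LOG_ENTRY)
    for passive in (True, False):
        decision, rule = decide(op, rules, exclusions, passive)
        print(f"passive={passive}: {decision} (rule: {rule})")
```

Running the script shows the die.exe write to the exefile handler being logged in Passive Mode and blocked in active mode, which is the contrast the thread says v1.6 got wrong; the OSArmorDev rule plus its exclusion means only a process under the OS Armor program folder gets "allow" for that key.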
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,186
    Location:
    Under a bushel ...
    Thanks for this. I think the issue seems to have crept in with v1.6?

    I didn't think I had done anything wrong when updating to v1.6. I stopped the service, replaced old files with new files and started the service as you mentioned in #85.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    Yes, the issue was introduced with v1.6.
    = Modifications of protected registry keys while in Passive Mode will simply be reverted.

    After a downgrade to v1.5 I can see that protected registry keys can be modified and it is only logged
    = Passive Mode is working as intended.
     