Registry Guard Service

Discussion in 'other anti-malware software' started by novirusthanks, Mar 24, 2017.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    You're welcome :)
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    By default common startup entries or other important registry keys are protected.

    But installed programs store their settings in registry keys which are not protected.
    For example NoVirusThanks OS Armor is storing its settings in the following registry key:
    "HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"

    Ticking/unticking options in OS Armor leads to a write to this registry key.
    Processes with administrator rights can also change the settings of OS Armor. For example they can disable specific settings.
    To add an additional protection layer, so that only OS Armor itself is able to modify settings:
    Code:
    File: Rules.DB
    ; NoVirusThanks OS Armor - Protection of the registry key
    [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
    File: Exclusions.DB
    ; Only Executables of NoVirusThanks OS Armor can modify settings:
    [%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
    
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    Registry Guard Service v1.6 Released (20 September 2018)
    http://www.novirusthanks.org/products/registry-guard-service/
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    @mood Is this free for personal use?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    :thumb: Thanks, I have used it. Was just wondering if anything had changed.
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    @mood Noob question. To update the service, can I simply stop the service, install over the top and restart?
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    If you have not made any modifications to the configuration (Exclusions.DB, Rules.DB, etc.) then these files can simply be overwritten with the new ones.
    But if there are own modifications, make sure to not simply overwrite these files.

    The files uninstall.bat/install.bat can be used, but stopping the service, replacing the old files with the new files and starting the service should be sufficient.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    Nevertheless, I must have messed something up in my upgrade to v1.6, because I started experiencing mysterious symptoms like bad installs, not being able to change DNS, etc. - in spite of (still) being set to 'Passive' in config.ini.

    Uninstalled for now.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    Confirmed.
    There is something wrong with the Passive Mode.
    Actions are correctly logged with "-=== Passive Mode ===-" but it is also blocking actions. After setting it to Passive Mode it should only log but never block.

    Example:
    Today I wanted to register a context menu, switched Registry Guard Service to Passive Mode, but registering the context menu was prevented and the utility (Detect It Easy) threw an error.
    1) Registry Guard Service_passive_mode_register.png 2) Registry Guard Service_passive_mode_failed.png
    Code:
    -=== Passive Mode ===-
    Operation: Write Value
    Process: [6320]C:\***\DIE\stuff\die.exe
    Key: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command
    Value: (Default)
    New Value Data: "C:\***\DIE\stuff\die.exe" "%1"
    Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
    
    After stopping Registry Guard Service the tool was able to correctly modify the registry and the context menu is also working.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    Thanks for this, I think the issue seems to have crept in with v1.6?

    I didn't think I had done anything wrong when updating to v1.6. I stopped the service, replaced the old files with the new files and started the service as you mentioned in #85.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    Yes, the issue was introduced with v1.6.
    = Modifications of protected registry keys while in Passive Mode will simply be reverted.

    After a downgrade to v1.5 I can see that protected registry keys can be modified and it is only logged
    = Passive Mode is working as intended.
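    As an added example (not Registry Guard Service's own code), a small Python evaluator for the Rules.DB / Exclusions.DB line format from post 3, run against the Write Value event logged in post 12, so the difference between the v1.5 behaviour (block, or log only in Passive Mode) and the v1.6 bug is visible. Assumptions: the four bracket fields are matched as case-insensitive globs, an event matching an exclusion is allowed before Rules.DB is consulted, and the OS Armor executable name and the unrelated process path are constructed.

```python
import fnmatch
import re

FIELD_RE = re.compile(r"\[%(OPR|EXE|KEY|VAL)%:\s*([^\]]*)\]")

def parse_rules(text):
    """Parse rule lines; ';' comments, 'File:' headers and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("File:"):
            continue
        fields = dict(FIELD_RE.findall(line))
        if set(fields) != {"OPR", "EXE", "KEY", "VAL"}:
            raise ValueError("malformed rule: " + line)
        rules.append(fields)
    return rules

def matches(rule, event):
    # Windows paths and key names are case-insensitive, so compare lower-cased globs.
    return all(fnmatch.fnmatchcase(event[f].lower(), rule[f].lower()) for f in rule)

def evaluate(event, rules, exclusions, passive_mode=False):
    """Return (decision, matched_rule). Assumed semantics: exclusions are checked first
    and allow the event; in Passive Mode a matching rule is logged but never blocks."""
    for exc in exclusions:
        if matches(exc, event):
            return "allow", exc
    for rule in rules:
        if matches(rule, event):
            return ("log" if passive_mode else "block"), rule
    return "allow", None

# Rules quoted in this thread (post 3 and the rule shown in the post 12 log).
RULES = parse_rules(r"""
; NoVirusThanks OS Armor - Protection of the registry key
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
[%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SOFTWARE\Classes\exefile*] [%VAL%: *]
""")
EXCLUSIONS = parse_rules(r"""
[%OPR%: WRITE_VALUE] [%EXE%: *:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmor*.exe] [%KEY%: *\SOFTWARE\NoVirusThanks\OSArmorDev*] [%VAL%: *]
""")
# The Write Value event from the Passive Mode log in post 12.
DIE_EVENT = {"OPR": "WRITE_VALUE", "EXE": r"C:\***\DIE\stuff\die.exe", "VAL": "(Default)",
             "KEY": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Detect It Easy\command"}
# Constructed events: OS Armor's own executable (name assumed) and an unrelated process writing OS Armor's key.
OSARMOR_EVENT = {"OPR": "WRITE_VALUE", "EXE": r"C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe",
                 "KEY": r"\REGISTRY\MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev", "VAL": "ProtectSettings"}
OTHER_EVENT = dict(OSARMOR_EVENT, EXE=r"C:\Windows\Temp\other.exe")
```

Calling `evaluate(DIE_EVENT, RULES, EXCLUSIONS, passive_mode=True)` returns `("log", rule)`, which is the only outcome Passive Mode should ever produce for a protected key.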
     
  15. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I wonder if I should be prepared for any problems with Windows Updates (or built-in update functionality in other common applications such as Microsoft Office) when using the default ruleset...
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,027
    Location:
    Italy
    Here is a new test version:
    https://downloads.novirusthanks.org/files/registry_guard_service_v1.7_test1.zip

    *** Please do not share the download link, we will delete it when we'll release the official version ***

    Here is what has changed:

    + Passive Logging now works as it should (nothing is blocked)
    + Config.ini options are now read in real-time (no need to restart the service)
    + Support saving of unicode strings when saving events to log file
    + Updated kernel-mode drivers both 32 and 64-bits
    + Various performance and logic improvements

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    @mood @paulderdash

    Can you confirm that PassiveMode works fine for you on this new build?
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,066
    Location:
    U.S.A. (South)
    Thanks @novirusthanks for another try at a new version.

    Maybe this one will suit to expectations. The previous releases were a bit hit n miss for the 8.1 units tested on before.
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    I have tested it and PassiveMode works now :thumb:
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,379
    Location:
    Under a bushel ...
    Thanks @novirusthanks, I am not currently using it but ...
    thanks also to @mood for testing. Good to know!
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,470
    Registry Guard Service v1.7 is now available on the website.
    Changelog: #91
     