Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    289
    What about just using prevx--seems to me that would be enough.Even though RegWatcher seems pretty cool too.
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I'm confused as to why you would use anything besides RegRun considering it monitors all the main keys to be concerned with by default as well as being able to add any others you may need. If someone can explain this I would be interested.

    Thanks,

    Chris
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Chris,

    I tried out RegRun and it kept blowing up all over the place so I figure there is some incompatibility on my system. For me, registry monitoring is a medium priority since I already have Ad-Watch running and I will be probably getting Process Guard when it is out of beta. So I really don't won't to spend too much time figuring out how to get RegRun up and running. The other registry monitors run without any problems - including RegProt, Tea Timer, Ad-Watch, and RegWatcher. For me, anyone of these are O.K though RegWatcher seems to be surprisingly simple and straightforward. I wonder why all of the vendors don't just do this? Does monitoring all of the suggesting registries consume too much resources?

    Rich
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi BrainWarp,

    Thanks for the headsup on prevx. I will be looking at it.

    Rich
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Well Brainwarp. Prevx looks too kewl. Ad-Watch has just been forced out in order to make room for Prevx in the highly coveted spot in my system tray - where only the very best get to stay. Thanks for the rec.

    For those interested, my system tray now has prevx, zap, spysweeper, kaspersky 4.5.104, ewido, and watchdog - and lots of commonsense. There is a place reserved for Process Guard 3.0.

    Rich
     
    Last edited: Oct 23, 2004
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    :p What is a Registry monitor for? It seems to me that it is an additional line of defence AFTER your AV/FW defence has been breached, by which time you're already in trouble!

    It's all very well a monitor popping up and telling you that changes have been made and offering you the possibility of denying them, but the fact is that if you have 'alien' processes/services running they are simply going to make the change again at the first opportunity. So you need something that will give you a chance to tackle these underlying processes.

    WinPatrol, with its multiple kill and simultaneous delete ability gives you the the chance to fight back! Do the others (eg RegRun) have this facility? Individual sqashing of processes simply may not work with groups of 'nasties' that work together as a team - they just keep resurrecting each other!
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    System Safety Monitor can not only block/monitor registry changes, but it can prompt you when a new executable runs (suspending it pending your reply) - giving you the chance to block malware from even starting. And it's currently free (the author is planning a shareware version sometime next year - but a free version should still be available).
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    7,633
    Location:
    Hawaii
    I can't get RegRun' WatchDog to cycle more often than once in 3 minutes. I think that's too slow for a polling scanner. Also, RR's WatchDog's load is heavier than RegWatcher -- that's a significant consideration for my decrepit computer. Also, RR's Registry Tracer's configuration menu for adding or removing registry items to be scanned is a tedious, item-By-item process, compared to the fact that RegWatcher uses a simple text file. However, I do like & use RR for other purposes.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Oh, forgot to add that I am experimenting with WinPatrol on my system tray also. It is getting a little more crowded than I would like, but so far everything is behaving pretty well and I do not notice too much overlap in function.

    It seems like Prevx is preforming very similar functions as SSM and PG. Is anyone familiar with the basic differences between these three programs? Thanks.

    Rich
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Prevx protects files on the drive, Process Guard protects objects in memory. Take a quick look through the Prevx protection settings and click on each option to read the description. They're both great programs that compliment each other perfectly, IMO.

    Bellgamin: I've noticed that with RR you have to restart the program for it to lower the amount of time it does it's checks. I've got mine set at 1 min right now. You're right, though, it really is too bad it isn't real-time protection and the registry tracer really should have an option to easily add every preset option at once, like it does with file protection. It's a great app, but the security options are almost secondary to me.
     
    Last edited: Oct 24, 2004
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Notok,

    Thanks for the explanation. Right now I am very pleased with Prevx and I have zero problems running all of my system tray programs side-by-side - which is great by me. I even have BOClean running right now for some addtional protection but it is probably redundant with Ewido. I have to turn them of when I do a full system scan with KAV.

    I think that PG will be the last program I will put in my system tray once it is out of beta and it looks like it will also run smoothly with the existing set of programs. Glad to hear that it will complement Prevx.

    Thanks,
    Rich
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Process Guard and SSM both also act as "application firewalls" allowing you to create rules to permit or block programs from running as well as restricting them from certain operations (physical memory access, driver/service installation, DLL injection). SSM offers registry, start menu startup and Windows .ini file (win.ini, system.ini) monitoring also.
    None of the registry monitors seem to be real-time (in the sense of catching/blocking changes as they are made) unfortunately. SSM's default setting of checking every 7 seconds (17 for services) doesn't seem at all heavy on CPU usage though (3 minutes out of over 9 hours uptime so far on my 1Ghz PIII system) so maybe other monitors could be run more frequently?
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Right, but Prevx stops a process from adding/modifying/deleting the actual file itself. Process Guard is focused on memory, so it checks the file when it starts, it doesn't stop anything from actually accessing the file itself. It intercepts the attempt in real time, so you know BEFORE the file is changed, rather than just knowing that the file has somehow changed.

    True, more often would probably suffice. I'm actually kind of torn on the issue, actually, there's advantages to both sides. When installing something it's check will show everything at once, rather than a series of pop-ups, so it's less intrusive in some instances.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's probably worth noting (for those unfamiliar with PG or SSM) that both will flag file changes the next time it is run.
    With SSM, you get one popup window for all its plugins which then gets updated with multiple entries, so you do get the best of both worlds there. A monitor that could intercept changes before they were made would be a more secure option but SSM does block many changes by default (i.e. it removes the changes and you have to permit them manually to restore them). This can be adjusted though.
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Then it's also probably worth noting that I refrain from talking about SSM because I don't know a lot about it. I just couldn't get it working right with my setup and uninstalled it after only a day or two of tinkering. So it's not that I don't like SSM, I just can't really say much about it at this point. :)
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I'm betting that this will become more refined in some product at some point in the future, I think the concept is still relatively new. My initial experience with an earlier beta of this was that it kept going and stealing focus. I changed the settings to make it a little better, but I still found it a bit akward at times (in the short time I had it.)
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Shhhh...I'm trying to refrain from talking about any other registry monitors for the same reason - don't out me here! ;)
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Same here. SSM looked like a darn good product but it kept crashing. I had similar problems with PG 2.5, but less so. Now I am just going to wait for pG 3.0 and see what happens. I think PG 3.0 will also help me fill in any keyloogger holes that I might have in my security defenses. I don't get the sense that any the security programs are really targetting keyloggers though I would think it would be fairly straightforward to monitor keyboard and monitor hooks a Keylogger Killer does. I could load Keylogger Killer but I haven't read too much about it and I have a stable system at this time.

    Rich
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This has been a very interesting thread :)

    Regarding keyloggers Process Guard stops them dead it blocks .dll injection into other programs process memory space and also Blocks any Registry .dll injection providing .dll blocking is enabled in the General tab.
     
  21. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, P2K. :)

    I believe your familiar with MJ Registry Watcher, and it does seem to catch changes real-time...or at least it seems to. I've been using it for months, and it works great.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    From my own experimentation, it seemed like Tea Timer, Ad-watcher, and Premx were all more or less real-time. They would all shoot up on the screen practically at the same time. Right now I have settled on Premx which seems like a darn good product as does WinPatrol.

    Rich
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you haven't already done so, give the latest version (1.9.5) a shot - it's currently in beta but is a substantial improvement over 1.9.4. If you encounter problems with this, enable logging (create a file ssmlog.log in your C:\ folder and ensure your user account has Write access to it - SSM will write to this automatically if it is present) and email the results to DivineGlitch (at) mail.ru (if the logfile is large, compress it first please). Reported problems are being fixed (1.9.5 is on beta 3 now) but the more people that give detailed bug reports, the better the final release should be.
    PG 2.5?! Hey, I missed a version! :D
    Hello again D&C - long time no see! I'm not familar with MJ's program so thanks for the pointer - according to the page though, it does not intercept Registry changes but detects them after they have been made. To that extent it seems much like all the others although it may well respond more quickly.
    May we take it that you mean Prevx or have you found a new toy for us to play with? :D
     
  24. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    I recall a post a while back, I think by Blackspear, reporting a conflict between SSM and Prevx that may explain richrf and Notok's experiences.
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    7,633
    Location:
    Hawaii
    I think that a registry monitor should list exactly WHAT it is monitoring, and should be configurable so that the user can readily add or subtract from that list. Registry Watcher meets these criteria. WinPatrol does not. Other than this, WinPatrol is a superb program (I have the *PRO* version).
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.