Rules Help

Discussion in 'Ghost Security Suite (GSS)' started by redwolfe_98, Sep 15, 2005.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i need help with working with the rules in regdefend.. i am using the default rules except for where i have clicked "always allow", in some cases.. i am concerned that when i want to "always allow" one thing, that it is opening up the door to "always allow" other things besides the one thing that i wanted to be allowed..

    i don't know if it is possible for anyone to help me with the rules.. i have looked at regdefend's online-help file..

    should all of the "global registry rules" be set to alert on all four of the primary events, "create key", "modify key", "set value", "delete value"? i notice that in my rules, they all are not set to alert on all four of those primary events.. i don't know if i have the default settings, or if when i clicked "always allow" on something, it changed those settings..

    i wish that when we clicked "always allow" on something, it would only be for one specific regkey instead of for all of the regkeys that begin with the same lettering, like "HKEY_LOCAL_MACHINE\System\*controlset*\Services\*".. in the case of the items that i have in "applications", i have gone back and tweaked the rules so that they only allow the one regkey to run, and tweaking the rule created by regdefend so that instead of "HKEY_LOCAL_MACHINE\System\*controlset*\Services\*" being set to "always run", it is set to "ask user", with all four primary boxes checked.. maybe those rules are specific to the "file" involved, but still, i don't want "services.exe" to "always allow" everything to run, just specific items, there..

    i would like to lock things down as tight as possible, but i don't want to inadvertently block something that should not be blocked, causing problems with my computer..

    also, i saw some posts where some people said that they had imported some custom rules.. it sounded like somehow they merged the custom rules with the default rules.. i don't see how that would be done.. i don't really care about doing that, at this point, i just don't see how they merged a custom rules file with the default rules file..
     
    Last edited: Sep 15, 2005
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    redwolfe_98,
    You are right in that you are opening up the possibility that other things could be done if the rule has a wildcard. Rule creation is really a tradeoff between usability and alert overload. The default ruleset needs to be generic and provide a good coverage of the security related keys without generating non-security related alerts.

    It's actually quite easy to decide what boxes to tick, if you follow certain conventions. If you want to stop Keys being created or deleted then create a rule just for that Key and leave the Value blank. In that rule only put a tick in the Create Key and Modify Key boxes (and no ticks in the Value boxes). If you are protecting a Value then put in the Key and the Value and only tick protection in the "* Value" boxes.

    That is a good point and it would be nice to see 2 ways of remembering, I'll add my vote to yours (for the advanced alert box) there as it saves a step of having to "tweak" it afterwards.

    Most of the time a program will just malfunction and a restart (or reboot at worst) gets you back to the prompt to allow/deny again. If you deny access to key "core" system processes you can stop yourself logging in, but a safe mode reboot and a change of the RD profile to DISABLED will allow you to log in again afterwards and continue working on the rules...

    If you click on "Global Registry Rules" in the treeview you will see a button called "+ Import Group" and when you select an existing group in the treeview you see a button "+ Export Group".

    Hope that helps a little

    NB: and to respond to your edit....
    It's a matter of trust really, if you don't trust the program enough to allow always then have it prompt all the time. If you do trust a program enough then use the remember function. If you feel that the program is "probably" safe but may need watching then either err on the side of caution and don't use remember or manually create the rules based on what you see blocked (it's potentially dodgy so you block the first time it asks...).
     
  3. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I'll wholeheartedly third the addition of a more specific (always do this) button on the advanced pop up screen.

    I'm always copying from the logs and pasting into the application rules to tighten up my always allows and always blocks after I check that "always do this" check box.

    As it is now, it's much too generous in its use of wildcards.
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks for your help, gottadoit..

    if i click "always allow" on something, do you think that could change the settings for any of the global rules? or would that only create a separate rule in "applications"? i am thinking that it does not change the global rules..

    if clicking "always allow" does change the settings for global rules, i think that is something that should be changed (but i could be wrong there, too).. :)
     
    Last edited: Sep 15, 2005
  5. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    You were right the first time.

    You aren't changing global rules when setting the "always do this" options.

    You create or add to the application rules only with an always do this exception.

    But I agree it's often not specific enough for my tastes so I go in and change the application rule key line so it's more specific. That way I still get prompted if it does something different by the same app.
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    thanks for the help.. i am good to go..

    (i am sorry about the tone of my original post)
     
    Last edited: Sep 15, 2005
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    redwolfe_98,
    Nothing to be sorry about, you were asking for help and that is what this forum is all about
     
  8. xwray

    xwray Guest

    I'm far from being expert in this area but the foregoing discussion brings up a concern in my mind and a request to consider a new feature. What bothers me is that I have, for instance, clicked allow and remember for an event that I knew was OK but what I am hearing is that I opened the door for some piece of malware to make a similar change and I would never know it. That, to me, defeats the whole purpose of this type of utility software. What I *thought* I was doing was allowing that specific change by that specific software to take place in the future without generating an alert. Please correct me if I am misunderstanding this.

    If my understanding is correct, then my suggestion is this, assuming I am right in that the specific key that is being changed would have the granularity to pin it to the specific program (a fully qualified registry key?): why not, when regdefend detects a change to a protected key, and if you select remember, have regdefend retrieve that specific key and "turn it into a new rule" that would continue to do what you want for that program only but leave all of the other protections in place?

    That has to be one of the poorest sentences I have ever written but hopefully it is clear enough to get my thought across.
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi xwray,

    When you click "allow" + "remember" you create an application rule linking a specific process to a specific event.

    Nick
     
  10. -----

    ----- Guest

    I agree. For most apps, I trust it enough so that it doesn't matter. But for some like IE, I try to ensure that the permissions it gets are specific, rather than matching the original default rules.

    E.g. for some weird reason my IE wants to delete the value "googledcclient" in

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run

    This matches the general "autostart" rule which covers the whole key (including subkeys and values).

    The problem is if I click always allow, it suddenly gains access over the whole key based on the rule it triggers on. Is my understanding correct? So it can now delete any value for any key covered by the rule?

    This clearly is not a good thing. Even if it's just for delete value.

    So what I do is to create a more specific rule on top that covers this specific key's googledcclient value.

    Rerun IE, and wait for the alert on the new rule I just created and click allow always.

    This will then ensure IE will only be able to delete that specific value.

    Is my understanding right?

    If so, it would be nice, yes, to have application rules created with more specific rules.
     
  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    That's exactly our point "dashed stranger".

    The problem lies with the fact that many times it isn't specific enough in the exception it's creating. For example:

    Let's say I disable and enable my buffer-overflow protection that comes with my anti-virus app. I get prompted on disable (delete key) and more when I re-enable (Create key, Set Value). Let's say I feel it's safe to make an exception to eliminate the prompts it creates when I re-enable it, so I eliminate some prompting on an action I perform semi-routinely.

    So I enable it and choose to remember my allowed actions. Here's what I get under allow:

    "Services.exe - HKEY_LOCAL_MACHINE\System\*controlset*\Services\* - CREATE KEY, MODIFYKEY"

    Is that what I wanted it to permanently allow? NO!!!! Do I want to allow services.exe the ability to install any services? Heck NO!!!!!

    So I'll copy the specific reg key from the logs, overwrite the reg key the new application rule created and allow it to create and modify that very specific service entry.

    We need some sort of additional check box in advanced prompt mode so we can be very specific in our always remember application exceptions.

    Otherwise we should create application rules manually to make sure we aren't undoing our protection or remember to always look and verify it really did what we wanted it to and adapt it.
     
  12. ----

    ---- Guest

    Good, I was just checking.

    IC



    On another note, is there any way to stop logging this allowed action in the future? I can't seem to turn it off, for allowed actions in the application rules.

    As a workaround, I created a global rule matching the specific rule, and unchecked the logging box. Not optimal, but will that work?


    Yes, seems strange that this isn't the default. Perhaps Jason has some technical reason?

    All in all, 2.0 seems to work very awkwardly when it comes to handling application rules. I suppose that's because it's new and was completely redone from the 1.3 "application overrides" based on groups.

    I wouldn't mind seeing the ability for apps to have permissions for whole groups like 1.3, though I suppose the current version allows more specific fine-tuning since it matches individual rules rather than whole groups.
     
  13. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I'm not sure how safe it is making global rules just to avoid logging remembered allows, because then the allow is no longer application specific so anything can change it. I certainly would like the option to not log or log allowed application exceptions. But I'll wait and see what Jason does over time.

    I kind of like the idea of maybe being able to set application rules from the log portion tab of GSS Regdefend itself. So instead of worrying about making application rules permanent during the prompt process, you could look at your log after doing normal allows and blocks, right click an entry and choose to add that very specific rule to the application rules. Doing it from the log tab window would be nicer because it generally means you are not in the middle of a prompt having to make fast decisions. Instead you're at the log window taking your time and reviewing actions more carefully. It could even open an "edit/approve new application rule window" when right clicked from a log entry so you could make sure what application exception you are about to make is correct and specific enough for your tastes.

    Just some suggestions. I know everyone's a critic. :)
     
  14. -----

    ----- Guest

    Actually, I *thought* that creating a specific global rule (say targeting a certain value) with ask + logging off, coupled with an application rule allowing it, would mean that it won't be logged. But it doesn't work, still logged.

    Definitely. Regdefend 2.0 has improved a lot since 1.3 by making it easier for me to tweak its configuration files to my heart's content.

    It still lacks I think one or two things to be nearly perfect.

    1) Turning off logging for allowed application exceptions is one (should be default I think),

    2) Creating specific application logging rules (rather than those matching global rules)

    It's also still rough around the edges in terms of layout which feels a bit unintuitive, but I can live with those. But anyway you can figure out how to handle that, once the interface functions settle down.


    Yes, the log screen is not as useful as it can be. Maybe any blocked entries shown there, for example, can be converted into an application exception from the log screen with a click or two. PG has something like that.

    Yes, but many are lousy ones. ;)
     
  15. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    when you click "always allow", it creates a rule in "applications".. it is not difficult to then check the rules in "applications", and then get the information from the log to modify the rule so that only each specific item is allowed..
     
  16. -----

    ----- Guest

    It's quite difficult. At least 5 clicks to do it.

    Seems that it's much easier to set the tightened rule in the first place.

    I mean think about it, whenever you get a firewall alert, you can generally either accept the broader rule proposed for the connection, or you can immediately set a tighter default rule (specific ports if required for example). How sick would it be, if you had no choice, but had to accept the initial general rule, go to the logs, and then cut and paste to create the more specific filter?
     
  17. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    maybe there is a reason why regdefend creates the application rules the way that it does.. it is actually a lot simpler to tweak the rules later than it would be to create a new rule for each "value".. 5 clicks later to customize a rule vs perhaps 40 clicks to create the non-generic rules in realtime (2 clicks for each rule, 1 rule for each "value").. that would be a nuisance.. but yea, maybe the dialog could give you a choice between a generic rule and one that you could customize..

    if you think about it, one way or another there would either have to be some generic-ness to those rules or else it would be a nuisance, having to create a new rule for each "value"..

    i really think that regdefend is OK the way that it is, as far as this issue goes..

    incidentally, i said once that i did not like RD's GUI, but i quickly changed my mind after working with RD for a little while.. i do like RD's GUI..
     
    Last edited: Sep 17, 2005
  18. ----

    ---- Guest

    It doesn't have to be a value, it could be a subkey. And no I can't see how it may be simpler later. No matter how you count it, in the current scenario you still have to do the extra steps of going to the logs and cut and paste.

    I can't say I understand your math, but I think you are envisioning that the new rule as opposed to the default one would require clicking from the root again like creating a new rule from scratch?

    Anyway, since Regdefend can apparently show which specific key is affected, independent of the global rule that triggers it, it seems that it shouldn't be too hard to offer to create a more specific rule covering the exact key affected if not the specific value.

    Of course, sometimes you don't want too specific a rule....


    My own experience is that the global rules have to be somewhat generic yes with the liberal use of wildcards.

    While in most cases application rules don't have to be. Granted, for some cases it's not easy to figure out how exact the rule should be for the application, but mostly it should be more specific than the global rule that triggers it.

    The current system is actually a disincentive against overly generic global rules since when this generates a query, clicking 'always' for application rules will create a free for all pass matching the generic global rule.

    I suppose you could say this simply means global rules should be carefully chosen.....


    I disagree :). Another reason why I think it's damn troublesome to go to the logs, is because the logs suck. Way too many things are logged. Why should permitted events covered by app rules be logged??


    I still hate it. The arrangement of buttons seems to be very disorderly.
     
  19. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    It seems like a programming choice to me.

    Currently it appears to base its application rule key entry on the global rule that triggered the prompt. Hence the broad based exception to the global rule. I would prefer it creates the application rule key based on the key the app in question attempted to create/alter/set/modify etc.

    Even if Jason doesn't change the way it creates exceptions, maybe just being able to right click the log entry on an "Add Application Rule" menu item that would pop up the Configure window with the entry added. That would at least make it easier to add application rules and tweak them by having both the configure window open and the log window left open behind.

    It's kind of a pain to tweak rules now. Go to Main, click configure, click on the back windows again and reactivate the Regdefend tab, click on a log entry, highlight the key line below in the details portion and then copy and paste back to the configure window.

    A simple right click on the log entry that takes you directly to the Configure window with the suggested application rule selected would improve editing. You can then tweak it all you like quickly.
     
  20. xwray

    xwray Guest

    After reading the responses and a bit of cogitation, I would appreciate it if someone could tell me if my understanding of the following is correct.

    When I start IE it wants to delete a value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run key. I allow the change and ask RD to remember the change.

    RD creates the following application rule for key HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run** with the application being iexplore.exe

    This does not mean that now *any* malware can delete a value under that key but only iexplore.exe because iexplore is a part of the permission criteria; i.e., it is *not* global in the sense that any software can now delete a value under that key - only iexplore can.

    right?


    thanks for any feedback.
     
  21. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Basically you just gave Internet Explorer the ability to delete ANY start up run key without prompting you.

    In theory browser related malware could now delete any start up item in your run keys, including any security related apps that start from there.

    You probably meant for iexplore.exe to have the ability to delete that ONE Run key you were prompted for when you started it.

    Find the key that it deletes when you start iexplore.exe in the Regdefend logs, copy that more detailed entry from the log detail screen after highlighting it and replace HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run**

    with that specific entry in the iexplore.exe Application Rule. That way iexplore.exe can only delete that ONE start up item you feel comfortable with without prompting you, not ANY of them.
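To make the difference between the two rules in this post concrete, here is a small Python model (an added example, not RegDefend's own code) that applies an application rule the way the thread describes it. The matching semantics are assumed: names compare case-insensitively, '*' matches any run of characters including backslashes, and any matching remembered rule allows silently; the Run key and the "googledcclient" value come from the posts above, while "AntiVirusTray" and "other.exe" are constructed.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRule:
    process: str        # image name the rule is bound to
    key_pattern: str    # registry key, may contain '*' wildcards
    value_pattern: str  # value name pattern; '*' covers every value
    events: frozenset   # primary events the rule decides, e.g. {"delete value"}


@dataclass(frozen=True)
class RegEvent:
    process: str
    key: str
    value: str
    event: str


def _glob(pattern, text):
    # Assumed semantics: names compare case-insensitively and '*' may span '\'.
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def decide(rules, ev):
    """'allow' if a remembered rule covers the event, else 'ask' (prompt)."""
    for r in rules:
        if (r.process.lower() == ev.process.lower()
                and ev.event in r.events
                and _glob(r.key_pattern, ev.key)
                and _glob(r.value_pattern, ev.value)):
            return "allow"
    return "ask"


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DELETE = frozenset({"delete value"})

# Rule as written from the triggering global rule: key "Run**", any value.
GENERIC = [AppRule("iexplore.exe", RUN_KEY + "**", "*", DELETE)]
# Rule after replacing that line with the exact key and value from the log.
TIGHT = [AppRule("iexplore.exe", RUN_KEY, "googledcclient", DELETE)]

# Constructed events: the deletion the user meant to allow, then look-alikes.
INTENDED = RegEvent("iexplore.exe", RUN_KEY, "googledcclient", "delete value")
OTHER_VALUE = RegEvent("iexplore.exe", RUN_KEY, "AntiVirusTray", "delete value")
OTHER_PROCESS = RegEvent("other.exe", RUN_KEY, "googledcclient", "delete value")
OTHER_EVENT = RegEvent("iexplore.exe", RUN_KEY, "googledcclient", "set value")


def compare(event):
    """(decision under the generic rule, decision under the tightened rule)."""
    return decide(GENERIC, event), decide(TIGHT, event)


if __name__ == "__main__":
    for name, ev in [("intended", INTENDED), ("other value", OTHER_VALUE),
                     ("other process", OTHER_PROCESS), ("other event", OTHER_EVENT)]:
        generic, tight = compare(ev)
        print(f"{name:14s} generic={generic:5s} tightened={tight}")
```

Only the "other value" row differs between the two columns: the generic rule lets the same process delete any other autostart entry without a prompt, which is exactly the widening the post warns about.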
     
  22. xwray

    xwray Guest

    That makes sense...I believe I've got it now.


    many thanks
     