SSM free additional registry settings

Discussion in 'other anti-malware software' started by Kees1958, Mar 17, 2007.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, all

    I have collected registry settings of Regdefend, SSM-pro, Regrun and the document "Where Malware Hides" [EDIT and hints of Topper]. Of course SSM-free does not allow exceptions and wildcards; this limits the options a bit, but it is still a lot more protection than standard in SSM-free. [EDIT: All of Toni Klein's startup protection is included]

    When you do a restore, the RunOnce protection needs to be set to log (instead of block); after the Windows restore you can set it to block again.

    When installing new software, set the yellow-marked protection entries to Alert. When installing drivers/hardware, set the green-marked protection entries to Alert also.

    [Edit Thanks Topper for the tips]

    Regards K
     
    Last edited: Mar 19, 2007
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I forgot that the printscreen does not show how many levels all the KEY (not string value) entries have to be blocked. See pic below. [EDIT: currently 77 groups/entries protected; apparently you have to enter a \ after a subkey group when it does not exist in your registry, otherwise SSM-free will BSOD when you enter too many non-existing entries]

    Nice free registry protection with SSM free and blazing fast (faster than SSM-paid or Regdefend).

    Regards
     


    Last edited: Mar 19, 2007
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Without wildcards, and with limited rules at your disposal, it's not possible to replicate the coverage of RegDefend and SSM full. For example SSM full covers ALL subkeys and values on the following Keys:-

    HKEY_CURRENT_USER\Software\Microsoft\Internet explorer
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer
    HKEY_CURRENT_USER\Software\Microsoft\Windows nt\Currentversion

    That is a massive amount of coverage (just check in Regedit). Similarly, RD is fully configurable and can, for example, be set to cover the following trees:-

    HKEY_LOCAL_MACHINE\System\*controlset*\Control\*class**
    HKEY_LOCAL_MACHINE\System\*controlset*\Services**

    Again that is huge coverage for just a couple of rules. Options are far more limited without wildcard possibilities.

    I don't know why you say the Reg protection with SSM free is blazing fast and faster than SSM paid or RD - What do you mean by that?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Please read the text of my post

    "I have collected registry settings of Regdefend, SSM-pro, Regrun and the document "Where Malware Hides". Of course SSM-free does not allow exceptions and wildcards; this limits the options a bit, but it is still a lot more protection than standard in SSM-free."

    With collected I meant: copying entries out of these sources, with limited options due to the fact that SSM-free does not support wildcards and (allowed) process exceptions (like Regdefend and SSM-paid). The set is more than is provided in SSM-free as the standard set.

    So you are responding to a claim I did not make.



    Regards K
     
    Last edited: Mar 19, 2007
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have tried separately as an alternative to SSM-free.

    Compared to the Antivir free + SensiveGuard free + SSM-free + DefenseWall paid setup, Antivir + SensiveGuard + Regdefend + DefenseWall took 1.5 seconds longer to start IE7 + Google on an un-cached first read.

    Reference setup against AV+SG+SSM-full+DW: it took 1 second longer; against AV+SSM-full+DW it took 1.5 seconds longer (obviously SG does all of its checking faster than SSM-full on the network rules alone).

    That is what I mean by blazing fast and faster than SSM-full or Regdefend.
     
    Last edited: Mar 18, 2007
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Maybe you have collected all these Reg rules, but unfortunately you haven't included them in your screenshots, the contents of which don't begin to cover all the ground included in the RD 'Tony' rules, together with the SSM full rules.

    So what you appear to have done is make some suggestions for increasing coverage of Reg protection in SSM free. Which is fair enough, but it is just confusing the issue to imply that this is equivalent to the very full coverage of the apps you mention.

    Actually RD is fully configurable so you can have as many rules as you wish. Same with SSM full, if you can tolerate the extreme tedium of setting up your own Groups and rules in SSM (this is much easier to do with RD).
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Topper

    I have Regdefend running on another PC with Toni Klein's GSR. When you use Regdefend it is standard loaded with (I thought) 85-90 rules. Toni Klein's set has around 280-290 rules default with it. I did not mention Toni Klein rules set when I used Regdefend as a source.

    All the entries are set to block, so you can run SSM-free with the user interface disconnected. This set covers twice as much as the standard set you get when you download SSM-free. It is what the text says "SSM-free additional registry entries".

    I have spent some time trying to understand the relevance of certain settings. Besides the limitation of SSM-free, I have included most entries on which Toni Klein's comment was that it rarely was a legitimate action. In my setup SSM-free gives a BSOD when I enter more than (around) 76 rules. That is why I have made choices (looking at severity and the likelihood in conjunction with my other security apps). I would appreciate it very much if you would comment on that. After all, that is why I posted it (for others to use and to get feedback on important ones missing).

    Regards K
     
    Last edited: Mar 18, 2007
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Topper, that is true; SSM-free has a very limited separate section where the most important Internet Explorer issues are covered. I have got my hosts file protected with SpywareBlaster. When you use FF this big difference is not so relevant anymore. In terms of severity these registry keys focus on protecting your PC from and less on the hijack of your browser.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Topper, that is also true, but I hand-picked a few classes to protect which are the most important (in the context of my limited knowledge compared to Hoijtsky and Toni Klein on the registry). But suggestions are welcome.
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It would be extremely difficult (and time consuming) to sort out a 'batting order' of the 76 most important Keys to protect, and I doubt anyone would want to bother to do it. So I would say concentrate most effort on the auto-run positions, to try and prevent malware running after a reboot.

    Certainly try and include all the Reg positions mentioned here:-

    http://gladiator-antivirus.com/forum/index.php?showtopic=24610&pid=88429&st=0&#entry88429

    together with any additional ones covered by Sysinternals' 'Autoruns' (just configure it to display empty locations). Merijn's 'AutoStarts' is another good source, as is Hojtsy's section on autostarts.

    That will probably take up your quota of 76 Keys/Values on its own! When you consider the need to place separate entries for both Values and Keys in SSM (one of the worst features of SSM Reg protection IMO) you will soon realise how limited you are and therefore you might just as well rely on the default settings and be done with it.

    Ambitious Reg rule collections really require RD where the whole procedure is so much easier. I have a huge paranoid Ruleset that I use with RD, but I don't need to prioritise so I can slam everything on! If I was relying on SSM for Reg protection I'd probably just leave things largely as they are.
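    An added example to go with the two practical points above: TopperID's advice to concentrate the limited SSM-free rule quota on the autostart positions (and to pull the list from Autoruns with empty locations shown), and Kees1958's note in post #2 that a key which does not exist on the machine has to be entered in SSM-free with a trailing "\". This PowerShell script is not from SSM, RegDefend or Toni Klein's GSR; it walks a hand-picked subset of well-known autostart keys, lists what is currently in them, and flags the ones that are absent on this machine so you know which rules need the trailing backslash. The key list and the column names are the example's own choices; it assumes Windows PowerShell run as the user whose HKCU hive you want to inspect.

```powershell
# Added example (not SSM, RegDefend or GSR code): report a set of autostart
# registry positions and flag the ones that do not exist on this machine.
# Assumption: Windows PowerShell, run as the user whose HKCU hive matters;
# elevate if some HKLM keys are read-restricted on your system.
# The list is a hand-picked subset; extend it from Sysinternals Autoruns
# with "show empty locations" turned on.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Convert a PowerShell registry drive path to the long form that SSM,
# RegDefend and Regedit use (HKLM: -> HKEY_LOCAL_MACHINE).
function ConvertTo-RegeditPath {
    param([Parameter(Mandatory)][string]$Path)
    $Path -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
}

function Get-AutostartReport {
    param([string[]]$Keys = $AutostartKeys)

    foreach ($key in $Keys) {
        $regedit = ConvertTo-RegeditPath $key

        if (-not (Test-Path -LiteralPath $key)) {
            # Absent on this machine: per the thread, enter it in SSM-free
            # with a trailing backslash rather than as a bare key name.
            [pscustomobject]@{
                Key     = $regedit + '\'
                Exists  = $false
                Subkeys = 0
                Name    = '(absent: enter with trailing \)'
                Data    = $null
            }
            continue
        }

        $item  = Get-Item -LiteralPath $key
        $names = @($item.GetValueNames())

        if ($names.Count -eq 0) {
            # Key exists but holds only subkeys (e.g. Services): still worth a
            # rule, because malware registers itself as a new subkey there.
            [pscustomobject]@{
                Key     = $regedit
                Exists  = $true
                Subkeys = $item.SubKeyCount
                Name    = '(no values)'
                Data    = $null
            }
            continue
        }

        foreach ($name in $names) {
            $display = if ($name -eq '') { '(Default)' } else { $name }
            # Read the raw data so %SystemRoot%-style paths are shown unexpanded,
            # exactly as a rule would have to match them.
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Key     = $regedit
                Exists  = $true
                Subkeys = $item.SubKeyCount
                Name    = $display
                Data    = $data
            }
        }
    }
}

# Usage: full listing first, then only the keys that need the trailing "\".
Get-AutostartReport | Format-Table -AutoSize -Wrap
Get-AutostartReport | Where-Object { -not $_.Exists } | Select-Object -ExpandProperty Key
```

    The second usage line gives you the exact strings to paste into SSM-free for the absent keys; the first shows, per key, both the values (which need a separate "Include values" style entry in SSM) and the subkey count (which is what a key-level rule protects).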
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Topper,

    Any possibility, you share your GSR ("the Topper GSR") with us? Thanks for the hints, I will look them through.

    Regards K
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Topper thanks,

    I have entered all Toni Klein's startup protections plus some additional from other sources. Note this is only for people using SSM-free (the standard set in free is very basic, this set doubles the standard set).

    I also added some screenshots to change the standard SSM-free settings of the registry module. When you block a subkey you can select the tick box "Include values"; this will protect the values also.

    Regards K
     


    Last edited: Mar 19, 2007
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you want to have a look at my RegDefend mega-ruleset I'll try and upload it here (I guess I'll have to tag a .txt extension on the .gsr one to do that?)

    I actually use more than one ruleset and, depending on what I'm doing, I switch between them. The ruleset I've attached is the fullest one, containing everything.

    Please note:-

    1) I've made no attempt to sort rules into logical groups, so the whole thing is randomly organised;

    2) I've made no attempt to remove duplicate rules (caused by use of wildcards etc.) so there is a great deal of redundancy (but it's easy to clear out the duplicates if you wish);

    3) I've had to delete all my app rules in order to reduce the file size to enable it to upload, but you'd make your own in any case;

    4) Finally, and most importantly, these rules were collected by me for my own use on my machine (which is XP Home), I cannot vouch what would happen on someone else's system - so use at your own risk!
     


  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx,

    I will upload it on the other PC, first browse them, then have a go on my XP Home setup. Of course, when I exclude myself from apps, it is self-inflicted pain.

    Regards K
     
  15. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    hello Kees, just wondering if the recommended registry module settings for SSM Free in this thread is updated o_O
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi, Glentrino2duo

    Just use this guide and check the link posted by TopperID in post #10. I have switched from SSM free to EQSecure (because it is a bit faster and I have configured it for behaviour blocking instead of Anti-Executable).

    The additions work great, all startup locations mentioned by Toni Klein.

    I have saved my last settings in this text file

    Regards K
     


  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Hi,

    I have a few questions:

    If you look at all those registry rules that come standard in SSM Pro, you often see duplicate entries (see pic), why is this?

    http://images6.pictiger.com/thumbs/e4/0fedb2a2f1173984978e12ee6ee2c2e4.th.png

    Also, does it really make sense to protect all these keys? I mean, can malware take control by modifying certain keys like :

    With most protected keys I do know whether it's normal or suspicious for an app to modify them or not, but there are certain entries that I really don't have a clue about. :blink:
     
  18. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Actually they are not duplicate entries; the first entry is to protect the CodeIdentifiers Key from creation/deletion, while the second entry protects the Values on that Key from being set/deleted/written to.

    Sometimes, if stated, protection also extends to sub-keys and their values. It is just a different way of implementing things from other Reg protection apps - though I agree it is highly annoying to have two entries.

    The latter example you chose is just a range of sub-keys that malware will make use of during install. Legitimate progs can also record themselves in this Registry tree. But you should know whether you are installing something or having it forced upon you.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The superb configuration structure of SSM's registry module enables setting a broad spectrum of registry protection in just a very few entries. Moreover, SSM's defaults are very very effective, even if you leave them just as they are. That's why I prefer SSM's registry module over & above other programs.
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Even Regdefend?
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Good app, but it's pretty much a 1-trick pony. SSM gives much wider protection.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Thanks for the feedback @ TopperID. I've also noticed that a lot of legitimate apps use certain keys so it's a bit difficult to know if certain actions from a not fully trusted app are legitimate or not, but if I'm correct, not all protected keys are equally important. :)
     