TeaTimer vs RegDefend

Discussion in 'Ghost Security Suite (GSS)' started by Herzeleid, Dec 18, 2005.

Thread Status:
Not open for further replies.
  1. Herzeleid

    Herzeleid Guest

    How does TeaTimer compare to RegDefend? I don't want to pay, so will TeaTimer be useful? I have NOD, a²Guard, ZA PRO 6 and PG here.
     
  2. f3x

    f3x Guest

    Hi, first of all, you are double posting this, which is not good.

    Then you can use this thread to see which registry entries are protected by each:
    https://www.wilderssecurity.com/showthread.php?t=32823

    TeaTimer is excellent for common startup entries... however I do not believe it's customisable, which somewhat leaves you vulnerable. Keep in mind that spyware / viruses often like to hide in exotic places, and that most things caught by TeaTimer might be legit.

    Then you can test Jason's regtest. It shows you a vulnerability of polling software such as TeaTimer. Yet for now it is safe to only have such a polling device. But sooner or later more and more popular viruses / spyware will exploit vulnerabilities not covered by those free tools.

    Jason's work is licensed for life, and you can also have an unlimited licence for all your computers... when you think of it, it's something you might keep with you for a really long time.

    You'll find that RegDefend offers similar protection to your a² Guard, yet is lighter on CPU / RAM. Then PG can help you against autostarts and such if it's very tightly configured.

    The best answer would be to try it yourself.
    RD vs TeaTimer is like
    prevention vs healing.

    Prevention can be more annoying, yet it can be more useful.
     
  3. Matt Barnes

    Matt Barnes Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    3
    Location:
    Waynesboro,VA
    What is the difference between how RD protects the registry and how TT or any other registry protection that uses polling does it?
     
  4. POS

    POS Guest

    The main difference is that RegDefend alerts the user before the malware changes the registry.
     
  5. f3x

    f3x Guest

    To make the short story a bit longer...

    A Windows PC is like a castle, the king being the CPU.
    Around the castle, there is a protective wall.
    Inside the wall is what we call ring 0 or "kernel mode".
    Everyone inside ring 0 has almost direct access to the hardware and can do pretty much whatever they want. This is why you should only let people you trust stay in that place. In order to prevent one program crashing from crashing the whole computer, most of the applications you see live in a little town called ring 3 or "user mode".

    There they do all the hard work; however, they sometimes need information about the hardware. So they send a trusted messenger (the Windows API) to query or set information in ring 0.

    What RD does is intercept the messenger, to prevent him going directly to the king / CPU. At that time it'll ask you... is that messenger OK?
    There are many ways of holding the messenger; the most secure is the one nearest to ring 0. (Some bright messengers can create a diversion to fool the others.)

    As RD works directly inside ring 0, it's of course really secure.

    What is polling software doing?
    Well, it's simple... they let that first messenger get in.
    So in fact the registry is changed.
    Then every few seconds, they send another messenger to query the information in that ring 0 registry key.
    If the information has changed... it alerts you.
    If you press... reverse changes (block),
    it then sends another messenger to reverse it back to the old value.

    The problem is that if a malware has a chance to slip into ring 0 before you react to the alert, it might just shoot the polling software's messenger, making it useless.

    Or another malware can send a messenger to reboot the PC before the security messenger reverses that change in the registry.


    You see, it's all a matter of communication and timing ;)
    And why is RegDefend better than other ring 0 protectors... simply because the author has more experience and can be trusted. (If a program is unstable in ring 0 it can crash your whole computer.)
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    If "not paying" is important, you might want to consider that RegDefend becomes "free" with some limitations on its features after the trial period.

    With a little effort on your part you could probably still set it up so that it does a good job (for you) without presenting many (if any) alerts. This sort of setup is basically customising the rules to your computer and the way you work, while the program comes with more generic rules by default.

    If you do get an alert that you want to deny, you can always use the "Kill Process" button to stop the change (and the process). The free version of RegDefend is very functional, it's just not as convenient.
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I understood that the free version of RD didn't give alerts at all if you set it to 'Block'. You have to look in the log to check on events.

    If you don't set it to block then it will alert you that a change has occurred but will not enable you to prevent that change.

    Thus, to be protected by RD free you must put a block on the important keys and use the log to decide what Application Rules you need to manually set.

    Is this understanding incorrect?

    I'd have thought that the best 'free' solution would be to cover the vital keys by blocking them with RD free, while simultaneously running Mark Jacobs' Reg Watcher set to poll every 10 mins and 'accept' changes while logging them. Because RW has such a huge number of Reg keys preset in it, you would easily be able to find adverse changes in many keys not covered by RD.

    That solution would give you better protection than using RD full (paid) version with just its default Groups - even with the Kent/Tony Groups added!

    Incidentally, Tea Timer does a bit more than just monitoring the Registry; I believe it can also block certain bad ActiveX components - I'm a bit hazy about that now though because I haven't used Tea Timer for quite a while.
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Topper,

    I don't see how it would give you "better" protection than RegDefend full version, but it certainly can give you just as much protection if you don't mind configuring the free version. It is just more hassle and more configuring in the free version compared to paid version.

    Relying on polling programs to detect changes to registry keys is unreliable at best and extremely dangerous in the worst case scenario. They can be fooled into believing no change has occurred at all, along with their usual problems of missing quick changes and over-the-top resource usage (when set to few-second interval updates).

    RegDefend doesn't poll, hence it isn't subject to these issues.
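
The timing problem f3x describes above (the change lands first, the poller only notices later, and a reboot or a fast clean-up fits in the gap) and Jason_R0's point that polling misses quick changes can be made concrete with a small deterministic simulation. This is an added example written for this page, not code from the thread, from TeaTimer or from RegDefend; the `Registry`, `PollingMonitor`, `InterceptingMonitor` and `run_scenario` names, the tick-based clock, the "malware"/"poller"/"installer" actor labels and the `Updater` value are all assumptions made for illustration, and the Run key path is used only as a label for a real autostart location.

```python
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  # real autostart key, used only as a label


class Registry:
    """In-memory stand-in for the registry (constructed for this example).
    Every write passes through the registered hooks before it lands; that is
    where an in-line monitor sits."""

    def __init__(self):
        self.values = {}   # (key, name) -> data
        self.hooks = []    # callables (key, name, data, actor) -> bool

    def _permitted(self, key, name, data, actor):
        # all() short-circuits, so the first hook to veto wins
        return all(hook(key, name, data, actor) for hook in self.hooks)

    def set_value(self, key, name, data, actor):
        if not self._permitted(key, name, data, actor):
            return False                      # vetoed before the change lands
        self.values[(key, name)] = data
        return True

    def delete_value(self, key, name, actor):
        if not self._permitted(key, name, None, actor):
            return False
        self.values.pop((key, name), None)
        return True

    def snapshot(self, key):
        return {n: d for (k, n), d in self.values.items() if k == key}


class PollingMonitor:
    """TeaTimer-style: every `interval` ticks, diff the key against a baseline
    and reverse anything that differs. It only ever sees the registry *after*
    a change, and reverting is itself just another write."""

    def __init__(self, reg, key, interval):
        self.reg, self.key, self.interval = reg, key, interval
        self.baseline = reg.snapshot(key)
        self.detections = []

    def tick(self, now):
        if now % self.interval:
            return                            # not a polling tick
        current = self.reg.snapshot(self.key)
        for name in set(self.baseline) | set(current):
            if self.baseline.get(name) == current.get(name):
                continue
            self.detections.append((now, name))
            if name in self.baseline:
                self.reg.set_value(self.key, name, self.baseline[name], "poller")
            else:
                self.reg.delete_value(self.key, name, "poller")


class InterceptingMonitor:
    """RegDefend-style: sit in the write path and decide per actor before the
    change is applied, so nothing reaches the key without a verdict."""

    def __init__(self, reg, key, allowed_actors):
        self.key, self.allowed, self.blocked = key, set(allowed_actors), []
        reg.hooks.append(self.on_write)

    def on_write(self, key, name, data, actor):
        if key == self.key and actor not in self.allowed:
            self.blocked.append((actor, name))
            return False
        return True


def run_scenario(kind, interval=5, dwell=2, reboot_at=None, horizon=20):
    """Simulated malware adds a Run entry at tick 1 and removes it `dwell`
    ticks later (having already got what it wanted). Returns whether the
    monitor ever noticed, how many ticks the entry was live, and whether a
    reboot at `reboot_at` would have found it there (i.e. autostart fires)."""
    reg = Registry()
    if kind == "polling":
        mon = PollingMonitor(reg, RUN_KEY, interval)
    else:
        mon = InterceptingMonitor(reg, RUN_KEY, allowed_actors={"installer", "poller"})
    exposure, fired = 0, False
    for now in range(1, horizon + 1):
        if now == 1:
            reg.set_value(RUN_KEY, "Updater", r"C:\Temp\upd.exe", actor="malware")
        if now == 1 + dwell:
            reg.delete_value(RUN_KEY, "Updater", actor="malware")   # covers its tracks
        if kind == "polling":
            mon.tick(now)
        live = "Updater" in reg.snapshot(RUN_KEY)
        exposure += 1 if live else 0
        if now == reboot_at and live:
            fired = True
    seen = mon.detections if kind == "polling" else mon.blocked
    return {"detected": bool(seen), "exposure": exposure, "autostart_fired": fired}


if __name__ == "__main__":
    for args in (("polling", 5, 2, 3), ("polling", 5, 10, 3), ("intercept", 5, 10, 3)):
        print(args, run_scenario(*args))
```

With a 5-tick poll interval, an entry that is written and removed within 2 ticks is never seen at all; an entry that stays for 10 ticks is detected and reverted at the first poll, but it was live for 4 ticks and a reboot at tick 3 would already have run it. The in-line hook refuses the write before it lands, so exposure is zero in both cases. The simulation does not model the other case f3x raises (kernel-resident malware disabling the poller); how well a hook resists that depends on where in the write path it sits, which a user-mode simulation cannot show.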
     
  9. POS

    POS Guest

    Is there no tutorial for configuring RD Free? I really don't know how to configure it...
     
  10. Prions

    Prions Guest

    A tutorial for the free version would be nice!
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    'Better protection' was the wrong phrase - and I realised that as soon as I wrote it, but I couldn't change it 'cos my 'edit' function does not work.:doubt:

    What I meant to say was that you would be covering far more Reg keys using RD free together with MJ-RW than you would using RD paid's default keys (even with the Kent/Tony extensions).

    In the unfortunate case of infection you would still have a lot of picking through the Registry to do to clear up the mess; but if you were also polling a large number of keys every 10 mins or so, you would have a useful log of events to refer to.:cool:

    At the moment I am trying out a greatly enlarged Keyset for RD based on the Hojtsy set, together with some others that I know malware go for, this seems to be working OK - so no polling for me!;)
     
  12. f3x

    f3x Guest

    If those keys work well for you, it would be a good gesture to export your work to a .gsht file that can easily be imported back... this will help with the hard configuration work for the free version and will benefit registered users too.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Unfortunately I cannot upload a .gsht file; I would have to convert it to a .txt file first, and the last time I tried that it all became scrambled during the upload!

    However, I can say that most of my extended keyset came from here:

    https://www.wilderssecurity.com/showthread.php?t=32823

    It would be inconvenient to use an extended keyset for the free version of RD, because the more keys you protect the more exceptions (application rules) you need to create, and that has to be done manually using the logs with RD free.

    To be properly protected using RD free you should set it to permanently block the keys you wish to protect and that could lead to problems as you cannot 'accept' an app via a pop-up. However it should work fine for the default set of keys (which is quite large anyway).
     
  14. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi TopperID.

    I have RegWatcher; I used to have it as my main registry protection. I have since converted all the keys/values that I covered with RW into RD ;) I now use RW as a file/folder monitoring app (currently scanning 238 file stats).
     