Tested comments Re. TK's new .gsr file - 0529

Here is the thread for comments regarding Tony's new approved .GSR file.

File available here post 4 https://www.wilderssecurity.com/showthread.php?t=85130

Pilli

 

When I use Tony's rule set (for which I am very gratefull) I always receive 2 alerts on start up.

They both appear to be from the Microsoft security centre. The first relates to the fact that the Windows firewall is turned off, the second relates to Automatic updates (because it is set to notify instead of being automatic).

As my wife has to use the computer, and is not computer literate, I end up clicking 'always do this' and then Allow.

Is it possible to create/amend a rule to avoid these two alerts or would that pose a security threat...?

Regards

Nigel

 

Hello Nigel.

Don't know why that should be happening.

First of all, are you using the latest gsrfile, available at the above link?

I'd like to see the exact log entries of those two events.
You can copy them by highlighting them, then pressing Ctrl + C in order to copy them to the clipboard.

 

Hello Tony

Yes I am using the file: 0529.zip

Here are the log entries:
20:00:01 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe
20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe
20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
20:00:03 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe

These entries are in the Group: Security- Policies.

I hope this helps, and thank you for your time and help.

Regards

Nigel

 

I suggest you enter the following rule in the Svchost Application Rules group in order to allow (only) that application to modify those values:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

Value: *disablenotify

Check 'Allow these events' and check the SET VALUE box

 

i too appreciate the updated ruleset(s).. thanks..

P.S. Nigel, you could disable the security ctr's alerts, from within the security ctr..

 

np - my pleasure.

 

Thank you for your help Tony, and redwolfe.


Nigel

 

Congrats TK on getting your file approved.

We all know how much work you (and others) put into that file,and greatly appreciate your time and effort.

 

You're very welcome, guys.

 

Hi Tony..first of all good work on the rules...keep it up ..anyway i have small problem.. while ur ruleset is loaded..spywareblaster(enable all protections) takes long to complete...i tested regdefend with default rules/disabled .. both doesnt affect spywareblaster..only when urs is loaded

pls check the screencap i made so u can check it out urself

http://www.yousendit.com/transfer.php?action=download&ufid=28D05D18186F1E15
800kb only

mirror: http://rapidshare.de/files/22905948/slwload.avi.html

 

The SpywareBlaster thing was dealt with here:-

https://www.wilderssecurity.com/showthread.php?t=115276&page=5

You just need to create an Application rule for SpywareBlaster, allowing it to Create/Modify Keys and Set/Delete values on this Reg Key:-

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\*

 

Topper is this key already in TK'S rules or is it something extra that must be added?

The reason I ask, I did see Spyware Blaster under App rules in RD.

Thanks in advance

 

Yes it is.

Right, so why not actually have a look at that SpywareBlaster Application Rules Group, and you'll be able to see for yourself that that key is in there.

All you need to do in enable that group.

Cheers,

 

Thanks Tony.

Aah! Didn't know that. Thanks very much.

 

Tony can you take a look at the permissions for Adwatch and tell me if anything needs modified?

 

I don't run Adwatch residently myself, but I'll have a look later today or tomorrow for ya.

Meanwhile, someone who already IS running Adwatch may beat me to it.

All the same, if you're not getting any popups, and you aren't seeing any blocked Adwatch related log entries you're probably fine.

 

Just curious Rilla....is that an Adwatch Application rule you made or was that an attempt by Adwatch to query that registry key ?

 

Cool! Thanks Tony

 

Hi Bubba!

Attempt by Adwatch to query that registry key.

I don't like this program at all. The only reason I use it is for the Browser Hijacks and persisent third party cookies. If anyone has any suggestions for a replacement please forward.

The first time RD alerted about Adwatch and I blocked it. Don't know if I done the right thing or not. See screen shot. Since I blocked it Adwatch will not minimize to system tray. If I minimize an Adwatch window is always at bottom of screen instead of in the system tray with icon showing.

 

Rilla FWIW, with GSS running I have disabled AdWatch, SB S&D's TeaTimer, and have even quit using WinPatrol on one system. I found AdWatch and TeaTimer to be to non-user friendly in that they are not configurable as is AD and RD. As for WinPatrol all I was using it for was Cookie control, which I now fully rely on ZA Security Suite.

RD will take care of any potential browser hijacks. Speaking of which, which browser are you using you did not say and I ask because even IE has third party cookie control. Take a look in your browser's settings I would imagine you will find something about cookies in general and third party cookies in particular.

HTH

 

As the others already said, RD will protect you from browser hijacks just fine, as it monitors virtually ALL registry keys involved.

And it is very easy indeed to manage cookies with IE:

In Internet Options, go to the Privacy Tab > Advanced, and check "override automatic cookie handling".

Now set "first party cookies" to 'prompt' , and "third party cookies" to 'block', and not a single cookie will be installed without your express approval.

If you're running FireFox, I can recommend the Extended Cookie Manager extension: https://addons.mozilla.org/firefox/1243/

You might also consider installing a good Hosts file.

With all that in place, AdWatch doesn't really represent 'added protection'

 

Oh, okay I didn't know that. Thats good. I think I will uninstall that Adwatch.

I use Firefox or Opera and I do have the browser set to accept first party cookies but refuse third party, but then I would see that some how Adwatch would catch bad cookies. Also, I have both browsers set to completely dump all cookies when the browser is closed. I use IE only for windows updates.

Thanks Disciple for the info.

 

Thanks a lot Tony. I'm glad you pointed that out because I wasn't familiar with the way IE does cookies.

I will give it a try.

Normally I always run a Host file from Bluetack, but at the moment I'm having trouble with installing it. It would freeze completely when I would open it and you would see no entries and the I would have to Ctrl+Alt+Delete in order to close it so I uninstalled it for the time being. I have to figure out what is hanging it up.

I'm going to uninstall this program since I have RD now.

Tony thanks for all the good info and take care

 

You're very welcome.

I suggest you try the MVPS Hosts file. It's very comprehensive, and it even includes an "installer" that will back up your existing Hosts file, and install the new one in the appropriate location: http://www.mvps.org/winhelp2002/hosts.htm