Tested comments Re. TK's new .gsr file - 0529

Discussion in 'Ghost Security Suite (GSS)' started by Pilli, May 29, 2006.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  2. Nigel B

    Nigel B Registered Member

    Joined:
    May 31, 2006
    Posts:
    5
    When I use Tony's rule set (for which I am very grateful) I always receive 2 alerts on start up.

    They both appear to be from the Microsoft security centre. The first relates to the fact that the Windows firewall is turned off, the second relates to Automatic updates (because it is set to notify instead of being automatic).

    As my wife has to use the computer, and is not computer literate, I end up clicking 'always do this' and then Allow.

    Is it possible to create/amend a rule to avoid these two alerts or would that pose a security threat...?

    Regards

    Nigel
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hello Nigel.

    Don't know why that should be happening.

    First of all, are you using the latest gsrfile, available at the above link?

    I'd like to see the exact log entries of those two events.
    You can copy them by highlighting them, then pressing Ctrl + C in order to copy them to the clipboard.
     
  4. Nigel B

    Nigel B Registered Member

    Joined:
    May 31, 2006
    Posts:
    5
    Hello Tony

    Yes I am using the file: 0529.zip

    Here are the log entries:
    20:00:01 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
    20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe
    20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
    20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe
    20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
    20:00:03 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe

    These entries are in the Group: Security- Policies.

    I hope this helps, and thank you for your time and help.

    Regards

    Nigel
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I suggest you enter the following rule in the Svchost Application Rules group in order to allow (only) that application to modify those values:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

    Value: *disablenotify

    Check 'Allow these events' and check the SET VALUE box
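
Added example, not part of the post above or of the ruleset: a Python sketch of how an allow rule scoped to one application, one key, a wildcard value name and one event type decides which logged events stop prompting. The `AllowRule` model, the helper names and the `example.exe` log line are assumptions made for illustration; the `.gsr` file format itself is not modelled.

```python
import fnmatch
from collections import namedtuple

# Constructed sample in the log format posted above; the last line is an
# invented entry from a hypothetical other process, added for contrast.
SAMPLE_LOG = r"""
20:00:01 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | svchost.exe
20:00:02 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | updatesdisablenotify | svchost.exe
20:00:05 | Set Value | Allowed [User] | HKLM\Software\Microsoft\Security center | firewalldisablenotify | example.exe
"""

Event = namedtuple("Event", "time action verdict key value app")
# Hypothetical in-memory model of an application rule (not the .gsr file format).
AllowRule = namedtuple("AllowRule", "app key value_pattern actions")

HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def norm_key(key):
    """Lower-case and expand the hive abbreviation so HKLM\\... equals HKEY_LOCAL_MACHINE\\..."""
    hive, _, rest = key.strip().lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def parse_log(text):
    """Turn each 6-field ' | ' line into an Event; skip anything malformed."""
    rows = ([f.strip() for f in line.split("|")] for line in text.splitlines())
    return [Event(*r) for r in rows if len(r) == 6]

def covers(rule, ev):
    """True only if application, event type, key and value name all match the rule."""
    return (ev.app.lower() == rule.app.lower()
            and ev.action.lower() in rule.actions
            and norm_key(ev.key) == norm_key(rule.key)
            and fnmatch.fnmatchcase(ev.value.lower(), rule.value_pattern.lower()))

RULE = AllowRule("svchost.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
                 "*disablenotify", ("set value",))

def still_alerting(text, rule=RULE):
    """Return (app, value) for events the rule does not cover, i.e. that would still prompt."""
    return [(e.app, e.value) for e in parse_log(text) if not covers(rule, e)]

if __name__ == "__main__":
    print(still_alerting(SAMPLE_LOG))
```

Both svchost.exe writes are covered by the rule, while the same write from any other process, a different value name, or a different event type under that key is still left to the alert.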
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i too appreciate the updated ruleset(s).. thanks.. :)

    P.S. Nigel, you could disable the security ctr's alerts, from within the security ctr..
     
    Last edited: Jun 1, 2006
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    np - my pleasure. :)
     
  8. Nigel B

    Nigel B Registered Member

    Joined:
    May 31, 2006
    Posts:
    5
    Thank you for your help Tony, and redwolfe.


    Nigel
     
  9. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Congrats TK on getting your file approved. :thumb:

    We all know how much work you (and others) put into that file, and greatly appreciate your time and effort. :)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're very welcome, guys. :)
     
  11. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    Hi Tony..first of all good work on the rules...keep it up :) ..anyway i have small problem.. while ur ruleset is loaded..spywareblaster(enable all protections) takes long to complete...i tested regdefend with default rules/disabled .. both doesnt affect spywareblaster..only when urs is loaded

    pls check the screencap i made so u can check it out urself ;)

    http://www.yousendit.com/transfer.php?action=download&ufid=28D05D18186F1E15
    800kb only ;)

    mirror: http://rapidshare.de/files/22905948/slwload.avi.html
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The SpywareBlaster thing was dealt with here:-

    https://www.wilderssecurity.com/showthread.php?t=115276&page=5

    You just need to create an Application rule for SpywareBlaster, allowing it to Create/Modify Keys and Set/Delete values on this Reg Key:-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\*
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Topper is this key already in TK'S rules or is it something extra that must be added?

    The reason I ask, I did see Spyware Blaster under App rules in RD.

    Thanks in advance:D
     
    Last edited by a moderator: Jun 15, 2006
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yes it is. :)

    Right, so why not actually have a look at that SpywareBlaster Application Rules Group, and you'll be able to see for yourself that that key is in there.

    All you need to do is enable that group.

    Cheers,
     
  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks Tony.




    Aah! Didn't know that. Thanks very much.
     
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Tony can you take a look at the permissions for Adwatch and tell me if anything needs modified?
     


    Last edited by a moderator: Jun 24, 2006
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I don't run Adwatch residently myself, but I'll have a look later today or tomorrow for ya.

    Meanwhile, someone who already IS running Adwatch may beat me to it. ;)

    All the same, if you're not getting any popups, and you aren't seeing any blocked Adwatch related log entries you're probably fine.
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just curious Rilla....is that an Adwatch Application rule you made or was that an attempt by Adwatch to query that registry key ?
     
  19. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Cool! Thanks Tony:)
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Bubba!

    Attempt by Adwatch to query that registry key.

    I don't like this program at all. The only reason I use it is for the Browser Hijacks and persistent third party cookies. If anyone has any suggestions for a replacement please forward.

    The first time RD alerted about Adwatch and I blocked it. Don't know if I done the right thing or not. See screen shot. Since I blocked it Adwatch will not minimize to system tray. If I minimize an Adwatch window is always at bottom of screen instead of in the system tray with icon showing.
     


  21. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Rilla FWIW, with GSS running I have disabled AdWatch, SB S&D's TeaTimer, and have even quit using WinPatrol on one system. I found AdWatch and TeaTimer to be too non-user friendly in that they are not configurable as is AD and RD. As for WinPatrol all I was using it for was Cookie control, which I now fully rely on ZA Security Suite.

    RD will take care of any potential browser hijacks. Speaking of which, which browser are you using you did not say and I ask because even IE has third party cookie control. Take a look in your browser's settings I would imagine you will find something about cookies in general and third party cookies in particular.

    HTH
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    As the others already said, RD will protect you from browser hijacks just fine, as it monitors virtually ALL registry keys involved.

    And it is very easy indeed to manage cookies with IE:

    In Internet Options, go to the Privacy Tab > Advanced, and check "override automatic cookie handling".

    Now set "first party cookies" to 'prompt' , and "third party cookies" to 'block', and not a single cookie will be installed without your express approval.

    If you're running FireFox, I can recommend the Extended Cookie Manager extension: https://addons.mozilla.org/firefox/1243/

    You might also consider installing a good Hosts file.

    With all that in place, AdWatch doesn't really represent 'added protection'
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Oh, okay I didn't know that. That's good. I think I will uninstall that Adwatch.
    I use Firefox or Opera and I do have the browser set to accept first party cookies but refuse third party, but then I would see that some how Adwatch would catch bad cookies. Also, I have both browsers set to completely dump all cookies when the browser is closed. I use IE only for windows updates.

    Thanks Disciple for the info.
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks a lot Tony. I'm glad you pointed that out because I wasn't familiar with the way IE does cookies.

    I will give it a try.
    Normally I always run a Host file from Bluetack, but at the moment I'm having trouble with installing it. It would freeze completely when I would open it and you would see no entries and then I would have to Ctrl+Alt+Delete in order to close it so I uninstalled it for the time being. I have to figure out what is hanging it up.

    I'm going to uninstall this program since I have RD now.

    Tony thanks for all the good info and take care;)
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're very welcome. :)

    I suggest you try the MVPS Hosts file. It's very comprehensive, and it even includes an "installer" that will back up your existing Hosts file, and install the new one in the appropriate location: http://www.mvps.org/winhelp2002/hosts.htm
     