Thinking about purchasing RegDefend/have question?

Discussion in 'Ghost Security Suite (GSS)' started by Rilla927, Jun 30, 2005.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I have been looking at RegDefend for the last month. Do you scan your computer with this program or does it work much like PG? I have PG, PE, WG, TDS-3, but I don't have anything to clean the Registry.

    I don't want to get something that will be too complicated to operate or understand. It sure looks like a great program.

    I read about creating groups and ghost files and I asked myself, "what are you getting into". It intimidates me a bit, because as you know if you make the wrong choices, there goes your computer.

    I'm running XP Home w/SP2 and two user accounts. If anyone has some advice it would be greatly appreciated.

    Thanks
    Rilla927
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rilla,

    RegDefend is not a scanner. It works more like ProcessGuard, in that it "guards the registry". The RegDefend ghst files contain the definitions of the areas of the registry that RegDefend will guard. These areas are parts of the registry that are known to be used by malware programs. But they are also used by legitimate programs.

    So whenever you try, for example, to install or update some software, then you will get alerts from RegDefend telling you that the program is trying to update the registry. You then decide whether to allow the update to the registry or to deny it. If you are in the process of installing a new program, then you allow it. However, if the alert comes out of nowhere, then it is most probably some malware.

    The exception may be if you have automatic updates turned on somewhere. Then you may get an alert from a legitimate program that is automatically trying to update the registry in the background. You have to look at the alert and decide.

    The additional protections that are offered in the RegDefend forum are optional. Kent and Tony have added specific definitions to their own optional ghost files that cover more of the registry. You install these definitions by downloading the files and then moving the files (after renaming them from .txt to .ghst) into the /program files/regdefend/groups folder.

    I find the product no more difficult to use than ProcessGuard, so if you are comfortable with PG you should find this program easy enough to use and most useful since it creates an additional line of defense. Programs usually try to instantiate themselves in the registry, so by protecting the registry you can potentially stop malware that gets past your primary AV/AT software.

    Hope this helps.

    Rich
     
  3. James Taylor

    James Taylor Guest

    It isn't a registry cleaner. It just tells you when there is a change in a registry key you are monitoring and gives you the option to block it.

    Mostly if you stick to the default ghst files, you shouldn't do too much damage.

    Well I suppose if you make the wrong choices and allow the wrong process to run with ProcessGuard, there goes your computer too :)
     
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks Rich & James for clarifying that for me. I didn't think it was a scanner but wasn't sure. Yes, I'm comfortable with PG.

    I'll be adding RegDefend to my arsenal. I'll let you know how it goes.

    All you guys in this forum are GREAT! Rilla927
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rilla,

    RegDefend should be a pretty easy install. I think you should put PG in Learning mode as you install it, so that RegDefend can install the drivers/services that it needs. After that, you should reboot, and then put PG back into regular protection mode.

    Rich
     
  6. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Okay, thanks Rich, I will do that. Rilla927
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Well I installed RegDefend,

    Rich I know you said to okay "Install Drivers". I had PG in learning mode and it never put "Install Drivers" for RegDefend. As soon as I restarted my computer after installing RegDefend, it asked about a few programs. Is it going to work properly as it is, or should I enable the "Install Drivers" myself? How do you update the ghost files? I looked around in the program and didn't see that option, unless I missed it somewhere. Does RegDefend need permissions to Terminate in PG?

    Just a quick overview of the processes that have "Install Drivers" enabled in PG:
    SpySweeper, smss.exe, msetup4.exe d:\, msiexec.exe C:\windows\system32\.
    Those are the permissions PG gave these processes. I hope they are correct!

    Oops, sorry! I would like your advice, and thanks in advance.

    :D
     
    Last edited: Jun 30, 2005
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rilla,

    I took a quick look at my PG Protection setup and RegDefend did not require any permissions to Install Drivers/Services so you should be fine. It should be working in the background now. I hope that it works well for you. Most users seem to like it a lot. When you are ready, you may want to inquire about Kent's and Tony Klein's extended definitions. They have both put a lot of work into further securing the registry. However, not everyone uses them so you should be aware that they may cause additional alerts on your machine. On my machine, I am quite comfortable with them.

    If you have any problems/questions feel free to ask. There are lots of users on this forum who will be more than happy to help you out. But so far it looks good from where I am sitting.

    Cya,
    Rich
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    What do Kent and Tony's ghost files consist of?
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Extra protection ... yiieaahhhhhaaaaaaa :D

    It's a very dedicated list constructed by our own Puff, Tony and Tay :)

    You won't regret the purchase Rilla :)
     
  11. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Tell me how I can go about this, I like the idea of extra protection.
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    https://www.wilderssecurity.com/showthread.php?t=85130

    If you scroll down that page, you can find a zipfile. d/l and unzip it and follow the instructions in the txt file. That will show you how to do it. (Put the ghst file into your RD program files, restart RegDefend and you're good to go.)

    The rest of the documents are still in beta so at the moment this is the only one that has been tested and verified. It's recompiled by Puff-m-d to fit into RegDefend.
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks for the info. I have one more question: Do you need to shut down RegDefend when installing software also? In the two hours that RegDefend has been installed there have been four blocks referring to IE trying to modify files to Google. I just looked in my Log File and everything disappeared, I mean the entries of the blocks, where did they go?

    Thanks again!
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    You don't have to close RegDefend, cause it will still continue to work I'm afraid.

    RegDefend is certainly not a program where you can click very fast on warnings just to get rid of them. It's also important to know which registry keys get changed so you can remember them in the future. You've got to learn what all those registry keys mean, and what they stand for.

    The helpfile should be read first, just like the procedure with ProcessGuard. Don't try to learn all apps in one day ;) or you will get a fat head :D
     
  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Is there a way to copy the log file so you can see what I'm talking about? :D
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Rilla, you can capture your screen and upload it here. I like Snagit the most, but opinions may differ.
    http://www.techsmith.com/
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Infinity you're awesome! I will try it. I'll be bock.
     
  18. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Infinity, I hope this works! Ah, there we go. Take a look at what IE keeps doing.

    Timestamp Alert Key Value Application Registry Group
    16:20:29 - 30 Jun 2005 wrsssdk.exe [1516] was allowed to delete a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... sunotification c:\program files\webroot\spy sweeper\wrss... AUTO STARTS

    16:21:07 - 30 Jun 2005 ad-watch.exe [3972] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS
    16:21:33 - 30 Jun 2005 wrsssdk.exe [1516] was allowed to delete a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... ghostsurfdelsat... c:\program files\webroot\spy sweeper\wrss... AUTO STARTS
    16:21:33 - 30 Jun 2005 ad-watch.exe [3972] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS

    16:21:33 - 30 Jun 2005 wrsssdk.exe [1516] was allowed to delete a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... syntpenh c:\program files\webroot\spy sweeper\wrss... AUTO STARTS
    16:21:33 - 30 Jun 2005 ad-watch.exe [3972] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS
    16:21:34 - 30 Jun 2005 wrsssdk.exe [1516] was allowed to delete a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... syntplpr c:\program files\webroot\spy sweeper\wrss... AUTO STARTS
    16:21:34 - 30 Jun 2005 ad-watch.exe [3972] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS

    17:06:08 - 30 Jun 2005 iexplore.exe [2468] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    18:01:53 - 30 Jun 2005 iexplore.exe [2468] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    18:01:53 - 30 Jun 2005 iexplore.exe [2468] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS

    18:04:18 - 30 Jun 2005 iexplore.exe [2656] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    18:15:20 - 30 Jun 2005 iexplore.exe [2508] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    18:28:51 - 30 Jun 2005 iexplore.exe [2508] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS

    18:52:23 - 30 Jun 2005 ad-watch.exe [3848] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS
    18:52:23 - 30 Jun 2005 ad-watch.exe [3848] was blocked from setting this value to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentve... appinit_dlls c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe EXTRA PROT...
    19:08:58 - 30 Jun 2005 iexplore.exe [4088] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS

    19:11:33 - 30 Jun 2005 iexplore.exe [3428] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    19:15:36 - 30 Jun 2005 iexplore.exe [3428] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
    19:25:39 - 30 Jun 2005 snagit.exe [3508] was allowed to delete a protected value hkey_current_user\software\microsoft\windows\currentversion\run wisestubreboot c:\documents and settings\brenda frank\my ... AUTO STARTS
    19:27:35 - 30 Jun 2005 regsvr32.exe [3064] was allowed to set this value to HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\tool... {8ff5e183-abde-... c:\windows\system32\regsvr32.exe INTERNET EX...
     
  19. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,691
    Location:
    Texas
    In Rilla927's RD log, it looks like he was using Spy Sweeper, then Ad-Aware, then went on the internet and googled something. Will RD keep repeating the same question? I see many repeated questions in the log. Does RD learn?

    I use PC-Cillin & she updates in the background, would the update for PC-Cillin be easily identified. I've never really seen a virus pattern update file.

    Thanks
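Rico's question about the repeated entries, and the log Rilla927 pasted in post 18, are the kind of thing a small parser can answer. The example below is added here and is not from the thread or from Ghost Security: it reads lines in the column layout RegDefend's log view shows (Timestamp, Alert, Key, Value, Application, Registry Group), normalises the mixed HKEY_/hkey_ case, and collapses identical alerts into counts so a process that keeps hitting the same autostart value is listed once. The field-order regex is my own assumption about that layout, and the sample lines are constructed to match it.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the RegDefend log quoted in the thread.
# Keys, paths and group names are truncated with "..." as the log view shows them.
SAMPLE_LOG = r"""
16:21:07 - 30 Jun 2005 ad-watch.exe [3972] was blocked from deleting a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... cookiepatrol c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe AUTO STARTS
16:21:33 - 30 Jun 2005 wrsssdk.exe [1516] was allowed to delete a protected value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi... syntpenh c:\program files\webroot\spy sweeper\wrss... AUTO STARTS
17:06:08 - 30 Jun 2005 iexplore.exe [2468] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
18:01:53 - 30 Jun 2005 iexplore.exe [2468] was blocked from deleting a protected value hkey_current_user\software\microsoft\windows\currentversion\run googledcclient c:\program files\internet explorer\iexplore.exe AUTO STARTS
18:52:23 - 30 Jun 2005 ad-watch.exe [3848] was blocked from setting this value to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentve... appinit_dlls c:\progra~1\lavasoft\ad-awa~1\ad-watch.exe EXTRA PROT...
19:27:35 - 30 Jun 2005 regsvr32.exe [3064] was allowed to set this value to HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\tool... {8ff5e183-abde-... c:\windows\system32\regsvr32.exe INTERNET EX...
"""

# Assumed field order. Keys may contain spaces ("windows nt"), so the key is matched
# lazily until a value token followed by a drive-letter path appears; the group name
# is the upper-case tail ("AUTO STARTS", "EXTRA PROT...").
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) - (?P<date>\d{1,2} \w{3} \d{4}) "
    r"(?P<process>\S+) \[(?P<pid>\d+)\] was (?P<verdict>allowed|blocked) "
    r"(?:to|from) (?P<action>\w+) (?:a protected|this) value(?: to)? "
    r"(?P<key>[Hh][Kk][Ee][Yy]_.+?) (?P<value>\S+) "
    r"(?P<app>[a-z]:\\.+?) (?P<group>[A-Z][A-Z .]*)$"
)
ACTION_BASE = {"deleting": "delete", "setting": "set"}  # unify verb forms


def parse_line(line):
    """Return one alert as a dict, or None for lines that are not alerts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["action"] = ACTION_BASE.get(ev["action"], ev["action"])
    ev["key"] = ev["key"].lower()      # log view mixes HKEY_ and hkey_
    ev["value"] = ev["value"].lower()
    return ev


def summarize(log_text):
    """Count alerts by (process, verdict, action, value, group)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(ev["process"], ev["verdict"], ev["action"], ev["value"], ev["group"])] += 1
    return counts


def repeated_alerts(log_text, min_count=2):
    """Alerts seen at least min_count times, most frequent first: the repeats a user
    would either whitelist (a known updater) or look into (an unknown process)."""
    return [(k, n) for k, n in summarize(log_text).most_common() if n >= min_count]
```

Run against the full log from post 18, the same call shows how many times each of Ad-Watch, IE and Spy Sweeper touched a given autostart value, which is the view Rico was asking for.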
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rilla,

    I am not able to analyze everything that is going on, but if you are running Ad-Watch alongside RegDefend you probably have overly redundant registry protection that may indeed conflict with each other. I used to have Ad-Watch running but as soon as I installed RegDefend I uninstalled it. You may want to ask others for their opinion.

    Rich
     
  21. Leitchy

    Leitchy Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    21
    Location:
    Canberra, AU
    This raises a question for me; I use Spybot Search & Destroy's TeaTimer registry guard; I recently purchased and installed RegDefend over top of TeaTimer and had/have a couple of minor issues. Would I be wise to remove TeaTimer? Or RegDefend?

    Also, are there others on this forum who use TeaTimer, and how do they find it?
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    With RegDefend you won't need Teatimer.

    Cheers :D
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Rich, Leitchy, and everyone!

    Yes, you may be right, but if I disable my Ad-Watch then all the crap it normally blocks would be on my machine, and I really depend on that.

    The one I'm concerned with is the value Ad-Watch keeps trying to delete, which is appinit_dlls. Did I do the right thing by blocking it? I remember when it first came up (I mean the info from RegDefend) and it was referring to something in my Pest Patrol that Ad-Watch was trying to delete. That's the way I understood it, that's why I blocked Ad-Watch from doing so.

    Also I'm puzzled as to why IE keeps trying to modify or delete something to do with Google.

    If you guys have any advice please let me know.
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I forgot to add something I wanted to say.

    The one where IE keeps trying to delete a protected value which refers to Google is in the AUTOSTARTS Registry Group.
     