What does it protect

Discussion in 'Ghost Security Suite (GSS)' started by Blackspear, Feb 18, 2005.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    As far as I can see you can add any key you wish, so them all would be my guess. They would be blocked from change rather than after the event as polling regwatchers do. The default keys appear to cover all the autostart areas already which is a good protection in itself especially against spyware.
    I can see websites starting with custom rulesets already! :D .
     
  3. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Spybot's teatimer also stops autostart changes, and I thought this was also done before the event. Even if it's after, it still blocks a change taking place at the next boot, so what's the difference in practice... is there any need to have a non-free program do the same thing in essence.

    Or does this new program do something completely different, or better, or more than teatimer.
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Well if teatimer is polling for changes it can easily be defeated. Try putting a variant of Flux or Coolwebsearch which rewrites itself to the registry many times a second and see how well Teatimer does then. :)
     
  5. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Hi Jason,

    Well, this is my point I guess. I really don't know how teatimer works, if it is by polling in some kind of measured sense, seconds, milliseconds, microseconds etc. or whatever. And if you are saying there are ways that it can be defeated, then this is what I was wondering, and if your program does this better, and with no defeats possible... then... yep... guess it has to be worth having.

    Just needed to pose this question... thank you for the reply.
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi zarzenz, "polling" for changes is fine for most malware out there, but there is malware out there now (not just proof of concept programs) which makes these programs useless. The way I see it, why have 1-4 registry protection programs all doing inefficient methods when you can use one, and one which cannot be defeated. I know all the methods one can use to protect the registry and the one RegDefend uses is the most efficient and secure.

    I have got many emails from people asking this exact same thing (people with various registry protection programs, most of the time they have more than one) asking me what RegDefend does different. On the webpage I talk about anti-virus/anti-spyware programs registry protection, but you can apply what I say there to most registry protection programs also.

    My response to these people is the same I will say here, with RegDefend you only need RegDefend on your system to protect the registry, nothing else. If you are happy with your current registry protection(s) (whatever it is), and can live with their flaws (in knowledge that they work well for 99% of the current malware) then there is no reason you need to purchase RegDefend. :)
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The registry monitor part of Teatimer works only by polling (approx every second) a FEW, PRESET keys in the registry. But note that Teatimer also provides a completely different feature: realtime protection by checking for signatures of trojans. Unfortunately these two separate features can not be enabled/disabled separately even though I asked for it ages ago.
    -hojtsy-
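
An added illustration, not part of any post in this thread: a constructed simulation of the two approaches contrasted above, a watcher that polls about once a second and a filter consulted before each write. The in-memory `Registry` class, the key name and the 10 ms rewrite interval are assumptions; nothing here touches the real registry or reflects how RegDefend or TeaTimer are implemented.

```python
"""Simulated comparison of a polling registry watcher and a pre-write filter."""

BAD = "unwanted.exe"   # constructed value that a simulated writer keeps re-adding
KEY = "Run\\Example"   # constructed autostart value name (assumption)


class Registry:
    """In-memory stand-in for the registry; write_filter runs before each write."""

    def __init__(self, write_filter=None):
        self.values = {}
        self.write_filter = write_filter
        self.denied = 0

    def write(self, key, value):
        if self.write_filter and not self.write_filter(key, value):
            self.denied += 1              # blocked before the change happens
            return False
        self.values[key] = value
        return True


def simulate(duration_ms, rewrite_ms, poll_ms=None, write_filter=None):
    """Return (ms the bad value was present, reverts by the poller, denied writes)."""
    reg = Registry(write_filter)
    exposed = reverts = 0
    for t in range(duration_ms):
        if t % rewrite_ms == 0:
            reg.write(KEY, BAD)           # writer re-adds its entry
        if poll_ms and t % poll_ms == 0 and reg.values.get(KEY) == BAD:
            del reg.values[KEY]           # poller cleans up after the event
            reverts += 1
        if reg.values.get(KEY) == BAD:
            exposed += 1                  # entry is live during this millisecond
    return exposed, reverts, reg.denied


def protect_autostart(key, value):
    """Filter rule: deny any write to the protected key."""
    return key != KEY


if __name__ == "__main__":
    print("polling, 1 s:", simulate(10_000, rewrite_ms=10, poll_ms=1000))
    print("pre-write   :", simulate(10_000, rewrite_ms=10,
                                    write_filter=protect_autostart))
```

In the polling run the entry is present for 9,900 of 10,000 simulated milliseconds even though every poll reverts it, so a reboot at an arbitrary moment would almost always find it in place; with the pre-write filter it is never present.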
     
  8. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Thanks Jason,

    I see exactly what you mean. What we are into now with these newer sophisticated malwares are programs that are being designed with the sole purpose of defeating the normal protections that are currently in use on most people's systems. So in effect systems are going to be compromised more and more easily as these newer nasties emerge.

    Hence you have now put in place a defence system that is able to protect against all current known, and hopefully all future such malwares, by using a program that does not use these usual defeatable polling methods.

    Again... I'm not sure how teatimer does its checking, but if it is defeatable then I'm sure this will become known sooner or later.

    Thank you for your work in this new and difficult area
     
  9. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Thanks hojtsy,

    There we are... confirmation of teatimer's polling at second intervals.

    Ok about the realtime protection... a separate feature... but integrated.

    I am now quite happy with my posing the question, and these replies.

    This is exactly what the Wilders forum here is all about... knowledge being shared for the improved security of all.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Have you tried to have all your regkeys in protection for modifications?
    Nice all those alerts, for opening a browser, maybe you have googlebar included so extra alerts for that, for uninstalling something, installing, reboot, whatever, I was only updating a program and saw loooooooots of alerts :cool:
    Put the user in the learning mode and we'll learn lots more about our registry with RegDefend!
     
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The answer to the thread-starting question is now visible right there.

    Edit: The linked table contained some errors, but should be correct now. :)
    -hojtsy-
     
    Last edited: Feb 19, 2005