Windows registry guard programs

Discussion in 'other anti-malware software' started by EASTER, Jun 4, 2015.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Are there any independent (or standalone) registry guard application programs floating around, similar to those found in complete commercially marketed programs? Preferably ones which also function on x64 Windows platforms.
    While there seems to be almost a glut of process applications here and there, and others such as experimental kernel-mode apps for process security etc., it has lately been a massive challenge trying to single out something useful for simple but strict registry protection that is being considered or developed, or at least that I haven't run across yet.

    Working with the latest PC Hunter x64 I noticed under its settings tab this set of instant, on-the-fly registry protection, requiring a simple tick of the radio box that immediately restricts any registry modifications, which is exactly what I'm looking for on x64 Win8. Maybe it is enabled due to some kernel-mode driver acting on permissions, but I won't speculate; I'm just curious whether something of this sort couldn't be made separate from an analysis program of this nature to act as a standalone registry guard of sorts.

    Any ideas? Suggestions to this?

    http://s2.postimg.org/k536t1nsp/image.jpg
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    This is a far stretch at the moment and only something to keep an eye on, but the Bouncer developer has also been working on an entirely kernel-level registry scanning driver. See the blog http://bitnuts.de/, second post down from 2015/04/04. As I said, it's only just a beginning and doesn't have blocking functionality yet from my understanding. So just something to keep an eye out for if it develops further. Registry scanning/protection is not one of my areas of expertise, so I have very limited knowledge there.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    @WildByDesign
    You simply have no idea just how much your reply w/reference to Bouncer's developer's article is music to this security fanatic's ears.

    This is something which has been very sorely needed and should be a routine basic part of any security setup (it already is in AS/AVs) in different flavors.

    I'm frankly surprised that no one (independent non-commercials) has even bothered to touch on such a critical detail of security as registry protection really is, which can be realized in the manner that he suggests (kernel mode).
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    I think that you and I both can visualize and respect the ways of thinking of this developer. From all of my previous conversations with him, he will absolutely not cut any corners for things like usability and so on. By that, I mean his goal is always to keep everything within the kernel and will not add kernel mode to user mode communication hooks, etc. to make certain things easier or more convenient. If more users are interested in this kernel mode registry driver, I'm sure he would continue more development. I think he has a few companies interested in licencing it individually and would be custom implementations, but there has been almost zero interest from consumer level. But I think that it's because his tools and business are so new and have very little exposure. And again, this would still be very niche and only for the real hard core.

    You would probably like some of the other interesting stuff coming up as well. All of his individual drivers and projects are specifically only within kernel mode; that is always his very first and foremost design goal and it drives every design decision he makes going forward. I wouldn't be surprised if he could do some kernel-level HIPS type of thing if users were interested. There's a command-line filtering driver coming up soon as well, all within the kernel. And there are two other kernel drivers that I have been testing, but I don't think I have permission to speak about them yet. But I'm sure they will be of interest. If you have any ideas for the developer, let me know and I can pass them along, or you can always feel free to talk with him as well.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, I just fired off an in-depth email to the developer in regards to the registry scanner, along with some serious compliments on his efforts regarding Bouncer. Hopefully some of his current work will mark something of a turning point for interest in these individual drivers/projects, which has been sorely absent long enough already. And you're so right, it sure will be of special interest, and especially so for us serious enthusiasts, to help address fields of concern through interaction and correspondence during different stages of the development progress.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Frankly I feel a separate registry scanner is total overkill. Please explain to me how the registry can be modified if you don't let the malware run in the first place.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    The driver is still under development, so if you have any questions or comments do not hesitate and contact me. Any feedback is appreciated.

    I stumbled across this article and fully agree with him.

    I still like to understand how things work internally and behind the scenes. I hate sophisticated, heavy weighted solutions that consume megabytes of space just to solve a tiny problem. I really like hacking and programming and even if one of my solutions is not perfect, I have always learned a lot and have experience that helps me to quickly understand complex IT problems today and in my daily job. I often see average large blab academic dudes failing if it goes into the dirty details and if we leave the well crafted roads - there using libraries from the rod is often no smart idea, because you really need deep knowledge.
     
    Last edited: Jun 4, 2015
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,631
    Location:
    Toronto, Canada
    I actually am in the same position as you regarding registry protection, Pete. It's not my "cup of tea" so to speak, nor is it something that I worry about.

    However, I do respect that every security enthusiast has different perspectives, different opinions, and may like to tackle other aspects of security from different angles. So having variety and choice among software and technologies is a good thing, maybe not for us, but for some users.
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Yup! :thumb:
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Registry protection certainly cannot possibly appeal to those who gleefully already enjoy those same protections within their respective security solutions etc., but as WildByDesign explains (much better than I can, I might add) it does offer additional alternatives and can assist in the layered-defenses approach for some. Myself happily included :)

    In conclusion please try to contribute whatever you might find helpful to that end and also to the possibilities and remember everyone has different choices that they try to pursue in establishing what works best for them with what's currently available.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    HIPS like Zemana and SpyShelter both have registry protection, but you can't customize it. And do you trust a tool like PCHunter? I've read that it's able to bypass PatchGuard.

    You can also try these 2 apps:

    http://www.techrepublic.com/blog/smb-technologist/protect-your-windows-registry-with-registry-alert/
    http://www.snapfiles.com/get/registrywatcher.html
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    ESET's HIPS can also be configured to monitor changes in the registry. You have to make rules manually, though.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Yes, this I have been reading some posts about, and of course I like it very, very much (especially for manual config purposes); however it's nested in with the AV proggy and I really am not looking to add a whole AV program. You're right that ESET's HIPS is highly spoken of, though.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Yes I understand what you mean. I also have mixed feelings about using AV :)
    The good thing about ESET is that you can disable most of the AV part and use only what you want. For me, I disabled protocol filtering and monitoring of all read/write operations. I only left file execution control (with SRP I combine black- and whitelisting), HIPS with exploit blocker and advanced memory scanner. With this configuration ESET is more similar to a HIPS than an AV ;)
     
  15. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    162
    Download Shadow Defender and be done with it already. "Oh, looky here, the registry has been modified ("gasp!" or "shriek!" Mileage may vary.) :eek: Shadow mode-- reboot-- end of story.
     
    Last edited: Jun 5, 2015
  16. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
    100% agree with you!!! :thumb:
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Peter,

    When you run a medium-level process like Word or Firefox, they have access to HKCU autorun entries. These applications run rich content (a code snippet in the metadata of a picture included in a Word document, Flash, VBScript, JavaScript, XML, XUL, etc.), so an anti-executable would not prevent that (because Word or Firefox are allowed to run). That is the beauty of IE's and Chrome's internal low-rights sandbox (low-rights objects are not allowed to change medium-level and high-rights objects).

    You can reduce the attack surface (e.g. reading emails in plain text, disallowing macros or JavaScript etc.), simply remove write permission through regedit for basic users on those user autoruns (UAC protects HKLM autoruns), or run the most vulnerable apps in a sandbox (browser, mail, PDF and media player). So there are more roads leading to Rome, as we say in Dutch; registry protection is just one of them.

    Regards Kees
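The regedit step Kees describes (taking write permission on the per-user autorun keys away from the user) and the "registry guard" EASTER is asking about can both be approximated with a short script. The following is an added example, not code from the thread, from Bouncer/Excubits or from PC Hunter: it lists who can write to the HKCU Run/RunOnce keys, snapshots their values so a later diff shows what changed, and adds or removes a Deny ACE for the current user. It assumes Windows PowerShell 5.1 or later running as the user whose HKCU hive is being inspected; the key list and function names are this example's own.

```powershell
# Added example, not code from the thread or from any product mentioned in it.
# Audits the per-user autorun keys, baselines their values for diffing, and
# can add/remove a Deny ACE for the current user (the regedit step, scripted).
# Assumptions: Windows PowerShell 5.1+, run as the user whose HKCU hive is
# being inspected; key list and function names are this example's own.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunBaseline {
    # Snapshot of every value under the autorun keys: "key|valueName" -> data.
    $baseline = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored.
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $baseline["$key|$name"] = [string]$data
        }
    }
    return $baseline
}

function Compare-AutorunBaseline {
    # Diff two snapshots; each reported change is something a registry guard
    # would have had to allow or block.
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added'; Entry = $k; Data = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Data = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Data = $Before[$k] }
        }
    }
    return $changes
}

function Show-AutorunAcl {
    # Lists which identities hold write-type rights on each autorun key; by
    # default the interactive user is among them, which is Kees's point.
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, FullControl'
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        (Get-Acl -Path $key).Access |
            Where-Object { ([int]$_.RegistryRights -band [int]$writeRights) -ne 0 } |
            Select-Object @{ n = 'Key'; e = { $key } }, IdentityReference, AccessControlType, RegistryRights
    }
}

function Protect-AutorunKey {
    # Adds a Deny ACE for the current user on SetValue/CreateSubKey/Delete.
    # Caveat: installers and updaters running in your own context will then
    # fail to register their autoruns until you call Unprotect-AutorunKey.
    param([Parameter(Mandatory)][string]$Key)
    $user   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
        $user, $rights, 'None', 'None', 'Deny')
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

function Unprotect-AutorunKey {
    # Removes the non-inherited Deny ACE(s) added by Protect-AutorunKey.
    param([Parameter(Mandatory)][string]$Key)
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl  = Get-Acl -Path $Key
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq $user -and -not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $Key -AclObject $acl
}

# Usage: inspect rights, take a baseline, and diff it after something has run.
Show-AutorunAcl | Format-Table -AutoSize
$before = Get-AutorunBaseline
# ... install or run something, then:
$after = Get-AutorunBaseline
Compare-AutorunBaseline -Before $before -After $after | Format-Table -AutoSize
```

Two things worth knowing before relying on the Deny ACE: the user still owns the key, so code running as that user can edit the DACL back just as Unprotect-AutorunKey does, which is why Kees pairs this with UAC (HKLM) and sandboxing rather than treating it as a complete guard; and the baseline diff only sees changes between two snapshots, so for continuous monitoring you would schedule it or watch the keys with a registry-change event, which a kernel-mode driver like the one discussed above does in real time.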
     
  18. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    162
    Along with Windows_Security, count me in as another consensus agreement that Peter is 100% right on the "total overkill" factor. Heck, there's a lot of valid arguments out there already that suggest that even "registry cleaners" are little more than snake oil or outright dangerous. @Windows_Security--> sure, the road to Rome is paved with good intentions. But don't let that spook you into settling for brick oven pizza anywhere else than NYC. :p
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    EIS alone monitors autorun stuff. Sandboxie lets nothing near the real registry, and appguard, also stops guarded apps. Another program is just plain not needed.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, maybe I should have fashioned this topic a little better and perhaps been more specific with a title like "I am looking for any new........." to offset the usual "overkill", "why", "I don't see the need" etc. replies. Ok guys, we get it, but this topic was meant more to cover what is currently available as a standalone (independent) kernel-mode driven registry guard (Excubits registry scanner material, PC Hunter focus) and not the same old "it's not needed, I have my program that does all that and more" mush.
     
  21. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
    A few years ago, classical H.I.P.S. were very popular.

    Gradually, most Wilders users got fed up with the frequent pop-up windows
    signaling every change and asking for an Allow/Block decision.
    As a result, classical H.I.P.S. have become abandonware for both developers and users.
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    I would gladly use Malware Defender on my new system, but unfortunately it was never developed for 64-bit OS. It was one of the best security-related pieces of software that I've ever used.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Same here. The greatest opportunity of all time was snuffed out in a moment once those HIPS developers didn't follow through with updating to 64-bit.
     
  24. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Couldn't agree more. My favorite piece of software ever; it was Malware Defender that made me fall in love with the concept of HIPS and made me move away from any AV. It taught me about the hierarchical structure of the operating system and the processes that need certain permissions to function etc. It also made me realize the potential flaws in AV, and it taught me that I'm in charge of my PC and not an AV, OS or malware.

    I miss it..:doubt:
     
  25. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    Yep Malware Defender and GesWall...sigh...
     