
eEye Digital Security


Useful Registry Protection Rules #1 - Run Key

Last post 10-07-2009 11:13 AM by Blue1978. 6 replies.
  • 08-13-2008 12:08 PM

    Useful Registry Protection Rules #1 - Run Key

    Here are 2 useful rules that I have created under the "Registry Protection" tab, located in the System Protection section.

    NOTE:  These rules do have a few minor setbacks if you choose to use them, which I will explain later.  These setbacks are easily overcome though.

    Most of the malware out there will attempt to create a registry key of its own that allows it to run itself at system startup.  Here are two rules that you can use to prevent this from happening.

    Create rules with the following in the fields: 

    1.   Registry Key Tab -

    Specify the Registry key that this rule will protect:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Match Type: Partial

         Caller Tab -

    Specify the call that this rule will filter against: *

    Match Type:  Wildcard

    "Do not use the caller MD5" is selected

         Action Tab -

    Write box is checked, Deny is selected, and the Log box is checked.

     

    2.   Registry Key Tab -

    Specify the Registry key that this rule will protect:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Match Type: Partial

         Caller Tab -

    Specify the call that this rule will filter against: *

    Match Type:  Wildcard

    "Do not use the caller MD5" is selected

         Action Tab -

    Write box is checked, Deny is selected, and the Log box is checked.

     

    Rule Results:

    The PROS:  You will be notified, it will be logged, and the attempt will be blocked, anytime a program or malware attempts to create a registry key in the two locations above.  This will keep most anything from starting itself with your system each time that you did not allow in the first place.

    The CONS:

    - If you install a program that you want to start each time your system starts, then temporarily disable these rules before you begin the installation process.

    - You may also want to disable these rules when you're uninstalling a program that you want to remove.  I have noticed instances of the program trying to remove the registry keys placed in these locations during the uninstall process.

    I have learned both of these the hard way by myself. :)

    - WHEN you're doing Microsoft Update or installing a program (that you want to start with your system each time you log on), you will need to temporarily disable these rules to accommodate these situations.

     ------------------------------------------------------------------------------

  • 08-27-2008 2:11 PM In reply to

    Re: Useful Registry Protection Rules

     Hi Blue,

     

    Thanks. I just added these two rules.

    For clarification this is what I set for each rule (not 100% sure it's correct)

    Registry Key

      Specify the Registry key that this rule will protect:    

        [same Key as given in your post]

     Match type: 

        [Partial]

    Caller

      Specify the caller that this rule will protect against:

         [*    ]

      Match type: 

        [Exact]    <---------- Is this correct?

      Specify the type of MD5 validation:

         (*) Do not use caller MD5

    Action

       Specify an action that will be matched by this rule:

         [x] Write

      Specify an action that will be taken when this rule is matched

         (*)  Deny

         [x]  Log

     Name and Description (user choice)

     Name [Startup Current User OK?]   // as appropriate

      Description [Run at startup -- CURRENT_USER (disable for MS updates)]

  • 08-28-2008 1:48 PM In reply to

    Re: Useful Registry Protection Rules

    Dirigible:

    Caller

      Specify the caller that this rule will protect against:

         [*    ]

      Match type: 

        [Exact]    <---------- Is this correct?

      Specify the type of MD5 validation:

         (*) Do not use caller MD5

     

     

    Match Type should be  "Wildcard" for the caller one.

    -------------------------------------------------------------------------------

    My two rules are as follows:

     

    Registry Key

     Specify the Registry key that this rule will protect:    

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     Match type: 

     [Partial]

    Caller

      Specify the caller that this rule will protect against:

      [*    ]

      Match type: 

      [Wildcard] 

      Specify the type of MD5 validation:

      (*) Do not use caller MD5

    Action

                Specify an action that will be matched by this rule:

                [x] Write

                Specify an action that will be taken when this rule is matched

                (*)  Deny

                [x]  Log

     

    ==================================================

    Registry Key

      Specify the Registry key that this rule will protect:    

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      Match type: 

      [Partial]

    Caller

      Specify the caller that this rule will protect against:

      [*    ]

      Match type: 

     [Wildcard] 

      Specify the type of MD5 validation:

      (*) Do not use caller MD5

    Action

               Specify an action that will be matched by this rule:

              [x] Write

              Specify an action that will be taken when this rule is matched

             (*)  Deny

             [x]  Log

    ----------------------------------------------------------

     

  • 09-02-2009 7:47 AM In reply to

    • nalinu
    • Not Ranked
    • Joined on 09-02-2009
    • Posts 1

    Re: Useful Registry Protection Rules (Run Key)

     Hi Blue1978,

    Could you point me in the right direction as to where in the documentation I can find how to write these rules, please?

    I couldn't find any reference to these in the documentation I have come across.

    Any help would be much appreciated.

    thanks in advance.

    Nalinu

  • 09-02-2009 10:19 PM In reply to

    Re: Useful Registry Protection Rules (Run Key)

     These were not in any documentation; more or less, I created these rules myself.  I explained above step by step how to best create them.

  • 10-07-2009 11:09 AM In reply to

    Useful Registry Protection Rules #2 - Browser Helper Objects (BHO)

    The following registry protection rule can be created to block (or allow for logging purposes) the creation of BHOs in IE.

    Create a new rule with the following in its fields: 

    Registry Key Tab -

    Specify the Registry key that this rule will protect:    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects

    Match Type:    Partial

    Caller Tab -

     Specify the call that this rule will filter against:  *

    Match Type:    Wildcard

    "Do not use the caller MD5" is selected

    Action Tab -

     Make sure the "Write" box is checked, "Deny" is selected, and the "Log" box is checked.

     If you simply want to be alerted to anything that may have installed a BHO, select "Allow" instead of "Deny".

  • 10-07-2009 11:13 AM In reply to

    Useful Registry Protection Rules #3 - Toolbars

    The following registry protection rule can be created to block (or allow for logging purposes) the creation of Toolbars in IE.

     

    Create a new rule with the following in its fields: 

    Registry Key Tab -

    Specify the Registry key that this rule will protect:    HKLM\Software\Microsoft\Internet Explorer\Toolbar

    Match Type:    Partial

    Caller Tab -

     Specify the call that this rule will filter against:      *

    Match Type:    Wildcard

    "Do not use the caller MD5" is selected

    Action Tab -

     Make sure the "Write" box is checked, "Deny" is selected, and the "Log" box is checked.

     If you simply want to be alerted to anything that may have installed a BHO, select "Allow" instead of "Deny".

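    The three posts above (Run keys, Browser Helper Objects, IE Toolbars) all protect the same kind of location: a registry key that makes code load automatically. The deny rules stop writes while they are enabled, but the first post also says you have to disable them during installs and Microsoft Update, which is exactly when something unwanted can slip in. The PowerShell script below is an added example, not code from the thread or from eEye's product: it snapshots the four keys the rules cover, resolves BHO and toolbar CLSIDs to the DLL they load, and diffs the result against a saved baseline so a new or changed entry shows up in your own log. The baseline file path and the output format are my own assumptions, not a Blink convention.

```powershell
# Added example, not from the thread or from eEye: inventory the autostart
# locations the rules above protect (Run keys, BHOs, IE toolbars), then diff
# against a saved baseline so new or changed entries stand out.
# $BaselinePath below is an assumed location, not an eEye/Blink convention.

$ProtectedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
)

function Resolve-Clsid {
    param([string]$Clsid)
    # BHO and toolbar registrations are CLSIDs; the DLL they load is the default
    # value of HKCR\CLSID\{...}\InprocServer32, which is what an analyst wants to see.
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $path) {
        return [string](Get-ItemProperty -LiteralPath $path).'(default)'
    }
    return '<unresolved CLSID>'
}

function Get-AutostartSnapshot {
    # Returns a hashtable of "key\entry" -> command line or resolved DLL path
    $snapshot = @{}
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($key in $ProtectedKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        # Run keys store name=command values; the Toolbar key stores CLSID-named values
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($name -match $guidPattern) { $value = Resolve-Clsid $name }
            $snapshot["$key\$name"] = $value
        }
        # The BHO key stores one CLSID-named subkey per helper object
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $name = $sub.PSChildName
            $value = if ($name -match $guidPattern) { Resolve-Clsid $name } else { '<subkey>' }
            $snapshot["$key\$name"] = $value
        }
    }
    return $snapshot
}

function Compare-AutostartBaseline {
    # Assumed baseline location; change to suit your environment
    param([string]$BaselinePath = "$env:ProgramData\autostart-baseline.json")
    $current = Get-AutostartSnapshot
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        # First run: record what is legitimately present now (after your own installs)
        $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)"
        return
    }
    $baseline = @{}
    (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    foreach ($entry in $current.Keys) {
        if (-not $baseline.ContainsKey($entry)) {
            Write-Output "NEW:     $entry => $($current[$entry])"
        } elseif ($baseline[$entry] -ne $current[$entry]) {
            Write-Output "CHANGED: $entry => $($current[$entry]) (was $($baseline[$entry]))"
        }
    }
    foreach ($entry in $baseline.Keys) {
        if (-not $current.ContainsKey($entry)) { Write-Output "REMOVED: $entry" }
    }
}

Compare-AutostartBaseline
```

    Run it elevated so HKLM is readable, and as the user whose HKCU Run key you care about, since that key is per-profile. The first run writes the baseline; run it again right after you re-enable the rules following an install or update, and anything that appeared while they were off is listed as NEW. Delete the baseline file to re-baseline after an install you intended.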
© 1995 - 2009 eEye Incorporated