Author Topic: IDEA: Firewall for registry  (Read 8488 times)

philip2005

IDEA: Firewall for registry
« on: August 20, 2007, 03:38 AM »
Hi,

I was looking around in Google for a program that monitors programs that access and change registry values. Like a firewall, it would have exception rules for processes that constantly write to the registry - like explorer.exe and services.exe / svchost.exe etc.
It would come in handy for malware detection. It could also provide tracking for actual values written to the registry.

Similarly there could be a process firewall - where processes must first be authenticated to run... :)

Could anyone share any coding possibilities for these ideas? Or do these programs already exist?

Thanks

tonsofpcs

Re: IDEA: Firewall for registry
« Reply #1 on: August 20, 2007, 03:46 AM »
You could use a file access monitoring program (like one of the ones from Winternals - now part of MS) on the hive files, not sure how much better than that you could do...

philip2005

Re: IDEA: Firewall for registry
« Reply #2 on: August 20, 2007, 03:58 AM »
Thanks for the reply,

Regmon (now Process Monitor) has thousands of entries for a few seconds, but if you notice they are not instances of writing a key to the registry, but of reading, closing the key.

A notifier for writing to the registry would be helpful - but I know it would be extremely difficult to code

 :)
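
Added example, not part of the thread and not code from any of the tools mentioned: the write-only view with exception rules discussed in the posts above can be approximated offline by filtering a Process Monitor CSV export. The column names are assumed to match Process Monitor's default CSV export, and the sample rows are constructed.

```python
import csv
import io

# Operations that modify the registry; opens, queries and closes are ignored.
WRITE_OPS = {"RegSetValue", "RegDeleteValue", "RegDeleteKey"}

# Exception rules: processes expected to write constantly (names from the thread).
ALLOWED = {"explorer.exe", "services.exe", "svchost.exe"}

# Constructed sample rows in the assumed Process Monitor CSV column layout.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:40:01.1","explorer.exe","1500","RegOpenKey","HKCU\Software\Example","SUCCESS",""
"3:40:01.2","explorer.exe","1500","RegQueryValue","HKCU\Software\Example\View","SUCCESS","Type: REG_DWORD"
"3:40:01.3","explorer.exe","1500","RegCloseKey","HKCU\Software\Example","SUCCESS",""
"3:40:02.0","svchost.exe","900","RegSetValue","HKLM\SYSTEM\Example\Counter","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"3:40:03.5","unknown.exe","4242","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Temp\unknown.exe"
"3:40:03.6","unknown.exe","4242","RegDeleteValue","HKCU\Software\Example\Flag","SUCCESS",""
'''


def registry_writes(csv_text, allowed=ALLOWED):
    """Return (process, pid, operation, path, result, detail) for every
    registry write made by a process that has no exception rule."""
    # Strip a UTF-8 byte order mark if the export starts with one.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    hits = []
    for row in reader:
        if row["Operation"] not in WRITE_OPS:
            continue  # the bulk of the log: reads, opens, closes
        if row["Process Name"].lower() in allowed:
            continue  # covered by an exception rule
        # Keep the result too: a denied write attempt is still worth seeing.
        hits.append((row["Process Name"], row["PID"], row["Operation"],
                     row["Path"], row["Result"], row["Detail"]))
    return hits


if __name__ == "__main__":
    for process, pid, operation, path, result, detail in registry_writes(SAMPLE):
        print(f"{process} ({pid}) {operation} {path} -> {result} {detail}")
```

This only reports after the fact from a saved log; blocking a write before it happens, as a firewall would, needs a resident tool such as the ones named in the replies.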


iphigenie

Re: IDEA: Firewall for registry
« Reply #3 on: August 20, 2007, 04:31 AM »
There are a few programs that do this - am at work but will grab the list later today. I use regrun by greatis, which is shareware, but there are a few other registry firewall tools and even some freeware.

Of course you can also run programs in a sandbox to get the same effect, but with more hassle.

Will update this later when I have time to open my LWA and refresh my memory

PhilB66

Re: IDEA: Firewall for registry
« Reply #4 on: August 20, 2007, 05:10 AM »
Yes, there are quite a few programs that do that. I use RegDefend (freeware version). I have also used DiamondCS Registry Prot (freeware) and Spybot Search and Destroy Teatimer (freeware) before. Here is a link to an excellent thread on this topic.

philip2005

Re: IDEA: Firewall for registry
« Reply #5 on: August 20, 2007, 07:06 PM »
Thanks for the great tools... ;D

Much appreciated

Any similar programs for processes? Which will block/allow processes to be executed?

Thanks
phil

Darwin

Re: IDEA: Firewall for registry
« Reply #6 on: August 20, 2007, 07:12 PM »
You might try the other component in the GhostSecuritySuite, AppDefend. I haven't run it in a while, but I'm pretty sure that it's intended to do what you describe. After about a year of non-development, it seems active again (it's still in beta).

PhilB66

Re: IDEA: Firewall for registry
« Reply #7 on: August 20, 2007, 08:56 PM »
Any similar programs for processes? Which will block/allow processes to be executed?

Check out Castlecops Wiki resources mentioned in this thread.