I’ve found out Defense+ doesn’t protect some important keys by default.
So far I think these ones should be default:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce*
The reason for these ones is that malware can easily add itself to auto-start.
Maybe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager*, since you can add something to run after the boot screen, before protection is enabled, though it’s not commonly used.
Another important key is Software\Microsoft\Windows\CurrentVersion\Policies\System*. Malware can use this key to disable task manager and the registry editor.
If you can think of some other ones, please post them.
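As an added example (not code from this thread or from Comodo), here is a read-only PowerShell audit of the keys listed in this post: it enumerates every `Run*` subkey under both CurrentVersion hives (which also covers the `Run-`, `RunOnce`, `RunOnceEx`, `RunServices` and `RunServicesOnce` variants), optionally saves the result as a baseline, reports entries that appeared since, and flags the Policies\System values that lock out Task Manager and the registry editor. The value names `DisableTaskMgr` and `DisableRegistryTools` are the standard Windows policy values; the baseline file path is an assumption you can change.

```powershell
<#
  Added example, not from the thread or from Comodo: read-only audit of the
  autostart keys and Policies\System values discussed above.
  Usage:  .\Audit-Autostart.ps1 -SaveBaseline   (once, on a known-clean machine)
          .\Audit-Autostart.ps1                 (later, to list new entries)
#>
param(
    # Assumed location for the saved baseline; change as needed
    [string]$BaselinePath = "$env:TEMP\autostart-baseline.json",
    [switch]$SaveBaseline
)

$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
)

function Get-AutostartEntries {
    # Mirrors the "Run*" wildcard from the post: every subkey whose name starts with Run
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'Run*' } |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Name  = $name
                        Value = [string]$key.GetValue($name)
                    }
                }
            }
    }
}

function Get-PolicyRestrictions {
    # Non-zero values here disable Task Manager / regedit for the user
    $policyKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($key in $policyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $val = $props.$name
            if ($null -ne $val -and $val -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $val }
            }
        }
    }
}

$current = @(Get-AutostartEntries)

if ($SaveBaseline) {
    # -InputObject keeps a single-entry result serialized as a JSON array
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Saved $($current.Count) autostart entries to $BaselinePath"
} elseif (Test-Path $BaselinePath) {
    $baseline = @((Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json) |
                  Where-Object { $null -ne $_ })
    if ($baseline.Count -eq 0) {
        $new = $current   # empty baseline: everything present is new
    } else {
        $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                              -Property Key, Name, Value |
               Where-Object { $_.SideIndicator -eq '=>' }
    }
    if ($new) {
        Write-Host 'Autostart entries not in baseline:'
        $new | Select-Object Key, Name, Value | Format-Table -AutoSize
    } else {
        Write-Host 'No new autostart entries since baseline.'
    }
} else {
    Write-Host 'No baseline found; current autostart entries:'
    $current | Format-Table -AutoSize
}

$restrictions = @(Get-PolicyRestrictions)
if ($restrictions) {
    Write-Host 'Task Manager / Registry Editor restrictions are set:'
    $restrictions | Format-Table -AutoSize
}
```

The script only reads the registry, so it is safe to run alongside Defense+; it does not replace the HIPS rules discussed here but gives you a way to check whether something slipped into an unprotected key between two runs. The Session Manager key mentioned above is not covered by it.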
Hmmmm. In my notes, I have a comment that it was fixed with 276. Prior releases did not have this entry. Did you do a clean install (uninstall old, install new) of 276?
I’ve always found it less problematic to do clean installs and start from scratch.
Yes, this registry key has been added in 276, but only if you made the ‘clean install’ and you didn’t restore your previously saved configuration. If you used the built-in updater it wouldn’t be added there either. Another limitation of CFP. I hope they will resolve this issue (if they didn’t yet). What is the point of using the built-in updater if you lose some critical updates 88). ‘Clean install’ without the ability to restore your settings is not an option either.
New key suggestion:
Internet Explorer 7 has a secondary home/start pages option, so one more value in “My protected Registry Keys” should be added to cover home page hijacking completely:
Note: The secondary home page registry multi-string value is not there by default, but it will be created by the user in IE or when some malicious software adds a data value to it.