Important registry keys that CFP 3.x should protect!

Greetings all!

I’ve found out Defense+ doesn’t protect some important keys by default.
So far I think these ones should be default:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce*

The reason for these is that malware can easily add itself to auto-start.

Maybe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager*, since you can add something to run after the boot-screen, before protection is enabled, though it’s not commonly used.

Another important key is Software\Microsoft\Windows\CurrentVersion\Policies\System*. Malware can use this key to disable task manager and the registry editor.

If you can think of some other ones, please post them.

Cheers,
Ragwing

I don’t understand your concern. I took a look at the default Reg settings for 276 and found:

\Software\Microsoft\Windows\CurrentVersion\Run

Should that not take care of the list you posted?

A simple test for this is SPYCAR at http://www.spycar.org/Spycar.html

Al

I’m using 3.0.14.276, and I don’t have that registry key (by default), I’ve added it myself.

Hmmmm. In my notes, I have a comment that it was fixed with 276. Prior releases did not have this entry. Did you do a clean install (uninstall old, install new) of 276?

I’ve always found it less problematic to do clean installs and start from scratch.

Al

I have it under “Automatic Startup” in 3.0.15.277 by default. Also the last key, but not the current control set. Vista ultimate.

I did a clean install using this way as described by USSS.

Yes, this registry key has been added in 276, but only if you made the ‘clean install’ and you didn’t restore your previously saved configuration. If you used the built-in updater it wouldn’t be added there either. Another limitation of CFP. I hope they will resolve this issue (if they didn’t yet). What is the point of using the built-in updater if you lose some critical updates 88) . ‘Clean install’ without the ability to restore your settings is not an option either.

See also this topic: new reg key to monitor

New key suggestion:
Internet Explorer 7 has a secondary home/start pages option, so one more value in “My protected Registry Keys” should be added to cover home page hijacking completely:

*\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages

Note: The Secondary Start Pages registry multi-string value is not there by default, but it will be created by the user in IE or when some malicious software adds a data value to it.
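As an added example that is not part of this thread or of Comodo's own product, here is a read-only PowerShell audit of the locations discussed above: the HKCU/HKLM Run* family from the first post, the Policies\System and Session Manager keys, and the Internet Explorer Main key with the Secondary Start Pages value from the last post. It lists what is currently set there and can diff the live state against a saved baseline, which is a practical way to confirm whether anything is writing to the keys you have asked Defense+ to protect. The value names DisableTaskMgr, DisableRegistryTools, BootExecute, Start Page and Secondary Start Pages are documented Windows and IE values that sit under the thread's key patterns; the function names, the baseline file path and the output format are this example's own assumptions.

```powershell
# Added example for this thread (not Comodo's code): read-only audit of the registry
# locations the posts name, with an optional baseline diff. Assumed names: the functions
# below and the baseline file path in the usage lines are this example's own.

$RunKeyNames = 'Run', 'Run-', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce'

# Build the HKCU/HKLM autostart paths from the first post. The thread's trailing "*"
# means "this key and everything beneath it", which the recursion below covers.
$AutostartPaths = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($name in $RunKeyNames) {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
    }
}

# Named values under the other keys in the thread that a hijacker or malware would write.
$WatchedValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Names = 'DisableTaskMgr', 'DisableRegistryTools' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Names = 'DisableTaskMgr', 'DisableRegistryTools' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';          Names = 'BootExecute' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Names = 'Start Page', 'Secondary Start Pages' }
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';                 Names = 'Start Page', 'Secondary Start Pages' }
)

function ConvertTo-Row {
    param([string]$Key, [string]$Name, $Value)
    [pscustomobject]@{
        Key   = $Key
        Name  = if ($Name -eq '') { '(Default)' } else { $Name }
        # Flatten REG_MULTI_SZ (e.g. Secondary Start Pages, BootExecute) to one string
        # so rows compare as plain text in the baseline diff.
        Value = ($Value -join ' ; ')
    }
}

function Get-AutostartEntries {
    foreach ($path in $AutostartPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # The key itself plus its subkeys (RunOnceEx keeps its commands in numbered subkeys).
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                ConvertTo-Row -Key $key.Name -Name $valueName -Value $key.GetValue($valueName)
            }
        }
    }
}

function Get-WatchedValues {
    foreach ($entry in $WatchedValues) {
        if (-not (Test-Path -LiteralPath $entry.Path)) { continue }
        $key = Get-Item -LiteralPath $entry.Path
        foreach ($valueName in $entry.Names) {
            $value = $key.GetValue($valueName)
            # Absent is the normal state for most of these; only report values that exist.
            if ($null -ne $value) {
                ConvertTo-Row -Key $key.Name -Name $valueName -Value $value
            }
        }
    }
}

function Get-ProtectedKeyReport {
    @(Get-AutostartEntries) + @(Get-WatchedValues)
}

# First run writes a baseline; later runs report rows that appeared, vanished or changed.
function Compare-ProtectedKeyReport {
    param([Parameter(Mandatory)][string]$BaselinePath)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        Get-ProtectedKeyReport | Export-Clixml -LiteralPath $BaselinePath
        Write-Host "Baseline written to $BaselinePath"
        return
    }
    $baseline = @(Import-Clixml -LiteralPath $BaselinePath)
    $live     = @(Get-ProtectedKeyReport)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $live -Property Key, Name, Value |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'NEW OR CHANGED' } else { 'GONE OR CHANGED' }
            [pscustomobject]@{ State = $state; Key = $_.Key; Name = $_.Name; Value = $_.Value }
        }
}

# Usage (assumed baseline location; pick any path you keep outside the user's profile if you prefer):
Get-ProtectedKeyReport | Format-Table -AutoSize
Compare-ProtectedKeyReport -BaselinePath "$env:USERPROFILE\autostart-baseline.xml"
```

The script only reads the registry, so it runs without elevation for the HKCU keys and for reading HKLM; it never modifies anything. A value changing on its own between two runs (for instance a new Run entry or a Secondary Start Pages value appearing when you did not set one) is exactly the event the thread wants Defense+ to prompt on, so the diff doubles as a check that the protection rules are actually covering the keys you added.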