Win 7 registry modifications

Hello

I have an executable file which I want to restrict from modifying any registry in Win 7 when I run it.
My CIS settings are: proactive security, latest version, still have premium left.
HIPS and firewall: safe mode
Antivirus: stateful
Sandbox and virus scope are enabled.

I used Sandbox for this application, but sandbox is cutting out the sound and other features, and also I don’t want to use it in sandbox.

I want to stop ANY registry modifications and to be flagged so that I can decide which to allow and which not.

In the picture you can see my settings on reg modifications for this .exe file.

By default, when I click add registry to be blocked and click on the reg hive, CIS will add it like this: "HKCR\*". So I did this for all hives, but the .exe file modified the registry with these settings, so I removed the asterisk for all hives, but same results. Then I also removed the slash, but same result: the registry was modified.

I haven’t added registry hives in Protected Objects in HIPS because then all apps which modify the registry will be flagged and alerted.

So the question is: how can I successfully stop any .exe file from modifying any registry in Win 7?

Thank You


You must add the entire registry to the protected registry section of HIPS for your rules to be effective. To do this, go to HIPS > Protected Objects > Registry Keys tab > Add registry entries, then at the registry window enter the wildcard character * in the Add item bar, click the + sign and OK out of all windows. Do note that an application may not actually modify the registry but just try to read the data of a registry key. The HIPS will warn that an application is trying to modify the protected registry key, but the application is really just opening the key to be read. It’s an unfortunate limitation of the HIPS when dealing with registry access, whereas when an application opens a protected file or folder to read, you won’t get an alert until the application tries to write to the file/folder.

Thanks for the input.

I observed that when I’m alerted by HIPS, it says that the app tries to modify. I hope in the future they can fix this and alert me whether it tries to access or modify; it is a big difference to any OS security.

However, in the first example I don’t know if the app was modifying or only reading this registry:

HKLM\Software\Microsoft\WBEM\CIMOM

But in this example the app modified the registry for sure, because I found the modification and deleted it. But after I added the registry hives to the protected objects in HIPS, HIPS stopped the modification.

HKUS\S-1-5-21-148291750-821803225-2277182196-1000\Software

On the other hand, on the protected folders, some of which are protected by CIS by default: \Device\Afd\Endpoint, these are really suffering modifications, but I don’t know if they are temporary. I know that afd.sys is a driver, an important one.

How secure is it to let an app modify this file? Same for \Device\Nsi.

Also, when sandboxing the app, the activity of the .exe file shows that it was creating a new registry and then setting the value of that registry, as the show activity is reporting.

I really hope Comodo can adjust HIPS to tell the difference between read access and modification of a registry, as the registry is really the best entrance to corrupt an OS.

Another question is: when I protect an entire partition from modification, for example D:\*, what are the differences if I use a wildcard or no wildcard?

Second one: how is it seen by CIS if I add only D: with no slash or wildcard?

Thank you

When a HIPS alert contains a path starting with \Device\, the application is not modifying anything; these are called device objects, which allow user-mode applications to access and interact with the kernel and kernel-mode drivers. In particular, afd\endpoint and nsi belong to the Windows sockets interface, which is used by applications to access the network via network sockets. So if an application wants to send or receive data on the network, it would first need to create a socket, and does so by accessing Windows networking sockets.

As for the next question on using wildcards or not: if you have a protected file/folder such as C:\some folder, then only the name of that folder will be protected but not its contents. In your example of just adding D:\ or D:, HIPS will not protect the contents of that partition; you must specify the wildcard D:\* to provide protection of everything within that path.

Thanks for the input. Your info helped.