Why does AntiSpy constantly access the registry?

[Ron Kinner]

I downloaded a new program the other day that logs
registry access. Regmon from:

http://www.sysinternals.com/ntw2k/source/regmon.shtml

When sitting there idle AntiSpy constantly accesses the
registry. Anybody know what it is up to? Is it just
checking to make sure its keys haven't been touched?
Aren't there better ways to do that that don't involve
constantly checking the registry?

Ron

454 1.24754429 gcasServ.exe:1284 OpenKey
HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS
Access: 0x2000000
455 1.24759066 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"
456 1.24762118 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"
457 1.24766445 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"
458 1.24769318 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"
459 1.24776888 gcasServ.exe:1284 CloseKey
HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS

460 1.24784601 gcasServ.exe:1284 OpenKey
HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS
Access: 0x2000000
461 1.24788320 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"
462 1.24791169 gcasServ.exe:1284 QueryValue
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState
SUCCESS "1"

 

[Andre Da Costa]

Because most Spyware like to live in the registry and wreak havoc.

 

[Kozi]

As an amateur, I feel qualified to say I feel that key
is handled in an amateurish fashion. I keep reading here
just to find out whether MS has decided that shutting
down MS Antispy by the notification area icon's
"shutdown microsoft antispyware" option shouldn't set
the servstate value to zero. Set the value to zero and
gcasserv exits and Security Agents are disabled. Shutdown
MSAS and it sets the value to zero so when you reboot the
Security Agents are disabled.

I've removed my own permission to set that value, since
MSAS runs as me, and that way the key never gets set to
zero and the Security Agents always run at boot time.
Obviously I think MSAS' behaviour is ridiculous. I've had both firewalls and AVs that had a notification area icon
option to shutdown, but MSAS is the only program I've
had that accepts shutting down the program as an override
so that it doesn't run as the preferences indicate.

 

[Andre Da Costa]

Same applies to Norton AntiVirus when it comes to disabling Auto-Protect in
the Notification Area.

--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

As an amateur, I feel qualified to say I feel that key
is handled in an amateurish fashion. I keep reading here
just to find out whether MS has decided that shutting
down MS Antispy by the notification area icon's
"shutdown microsoft antispyware" option shouldn't set
the servstate value to zero. Set the value to zero and
gcasserv exits and Security Agents are disabled. Shutdown
MSAS and it sets the value to zero so when you reboot the
Security Agents are disabled.

I've removed my own permission to set that value, since
MSAS runs as me, and that way the key never gets set to
zero and the Security Agents always run at boot time.
Obviously I think MSAS' behaviour is ridiculous. I've had both firewalls and
AVs that had a notification area icon
option to shutdown, but MSAS is the only program I've
had that accepts shutting down the program as an override
so that it doesn't run as the preferences indicate.

 

[plun]

I've removed my own permission to set that value, since
MSAS runs as me, and that way the key never gets set to
zero and the Security Agents always run at boot time.
Obviously I think MSAS' behaviour is ridiculous. I've had both firewalls and AVs that had a notification area icon
option to shutdown, but MSAS is the only program I've
had that accepts shutting down the program as an override
so that it doesn't run as the preferences indicate.

Well, if you dont like real time protection, uninstall it
and choose another program.

I believe this function is really important, are you also
closing
real time protection within antivirus programs ?

Users scan and scan but it is real time protection wich is
most important.

 

[Bill Sanderson]

Thanks for posting this. One other poster--Gunilla, also posted about this
behavior.

You'll have to wait for another build, or perhaps beta2, I think, to see if
they've fixed this one.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

As an amateur, I feel qualified to say I feel that key
is handled in an amateurish fashion. I keep reading here
just to find out whether MS has decided that shutting
down MS Antispy by the notification area icon's
"shutdown microsoft antispyware" option shouldn't set
the servstate value to zero. Set the value to zero and
gcasserv exits and Security Agents are disabled. Shutdown
MSAS and it sets the value to zero so when you reboot the
Security Agents are disabled.

I've removed my own permission to set that value, since
MSAS runs as me, and that way the key never gets set to
zero and the Security Agents always run at boot time.
Obviously I think MSAS' behaviour is ridiculous. I've had both firewalls and
AVs that had a notification area icon
option to shutdown, but MSAS is the only program I've
had that accepts shutting down the program as an override
so that it doesn't run as the preferences indicate.

 

[Bill Sanderson]

I think you're misreading.

He's complaining about the same behavior Gunilla mentioned: Shut down
Microsoft Antispyware, via the system tray icon, then reboot the machine.
Does Microsoft Antispyware restart, with all protection enabled, as it
should?