RegTest Released - Test your protection


Jason_R0
March 9th, 2005, 10:47 AM
http://www.ghostsecurity.com/registrytest/

This program, available at the above URL, will perform 2 tests on your computer to determine how well protected your registry is. Test 2 in particular simulates how a malicious file might act trying to stay active on your system.

I think some of the results may surprise. :)

Pilli
March 9th, 2005, 11:06 AM
Yep, Jason, it works; I don't know how you managed to close down the whole PC!
I tried it with RegDefend enabled and without. Without RD enabled, after reboot I was presented with the RegTest GUI, which could easily have been malware :(
Clicking the X in the RegTest GUI restored my desktop.

With RD enabled the PC booted normally after the test with no RegTest GUI, so I assume RD protected me?

Thanks. Pilli

Jason_R0
March 9th, 2005, 11:08 AM
Yes, RegDefend v1.150 protects against all attacks shown in this demonstration by default, no extra rules are needed. All you need to do is install RegDefend to be protected. :)

dog
March 9th, 2005, 11:39 AM
Hi Jason, ;)

I tried it also successfully ~thanks to RegDefend~ :)

Here's a couple of screen shots

Steve

dog
March 9th, 2005, 11:40 AM
and #2 (log file entries)

siliconman01
March 9th, 2005, 12:35 PM
Question on RegTest:

When I first start RegTest and BEFORE Test 1 or Test 2, I get an alert from RegDefend that RegTest wants to modify in the AutoStart area:

HKLM\Software\MS\Windows\CV\Run by adding 1regtest1. Am I supposed to Block this alert or Allow it?

I seem to be passing the 2 tests. However, I have to manually power down on Test 2. I think Process Guard is blocking something during test 2. The number of attacks goes up by 2. At any rate, RegTest does not shutdown the system. I have to power down. I get no RegTest windows, etc., when I power back up.

Pilli
March 9th, 2005, 12:56 PM
Hi, As far as I know you have to completely disable RD for it to show you that you can be compromised. RD now runs as a service and closing the gui does not stop protection so you have to exit it. With RD running you should always remain protected from the test.


Pilli

siliconman01
March 9th, 2005, 01:15 PM
Thanks for the comeback, Pilli.

I do understand the part about needing RegDefend active for my system to be protected during the RegTest run. I do not understand, however, whether I am supposed to permit or block the RegDefend alert PRIOR to the tests even starting....the one concerning 1RegTest1. ???

Pilli
March 9th, 2005, 01:48 PM
Hi. With RD running you would need to block the items that test 1 does, and you should see in the test list that the keys could not be modified.
Disabling RD, you will see that the test successfully made the changes.

What I find rather interesting is that neither RegRun or Giant show any alerts, so I assume all polling registry monitors can be compromised easily in this way. Quite an unnerving experience.

Pilli

siliconman01
March 9th, 2005, 03:41 PM
{QUOTE-> What I find rather interesting is that neither RegRun or Giant show any alerts, so I assume all polling registry monitors can be compromised easily in this way. Quite an unnerving experience <-QUOTE}

That's the BEAUTY of RegDefend and ProcessGuard. They are proactive instead of reactive. If only someone could come up with a spyware/virus/trojan/worm engine that is the same...trapping BEFORE they are installed...and not noticeably compromise one's system performance.

Bowserman
March 9th, 2005, 06:25 PM
{QUOTE-> If only someone could come up with a spyware/virus/trojan/worm engine that is the same...trapping BEFORE they are installed...and not noticeably compromise one's system performance. <-QUOTE}


Hi siliconman01 :).

You bring up a good point that I'll briefly expand upon:

The problem is that at the moment most anti-virus and anti-spyware programs (as far as I am aware) poll for changes to the registry, checking only every few seconds or so. Those few seconds can be a potential opening for malware to make modifications to the registry, and by the time that has happened many simply cannot fix it without the help of specialist tools and the guidance of spyware/malware experts (even then it may be too late with some of the really nasty stuff out there). We are lucky now though, in that we have RegDefend....which stops programs before they can access the registry. Not to mention RegTest, which enables us to see just how well it does :).


Regards,
Jade.
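Jade's point about the polling window, as an added simulation that is not part of this thread and is not RegDefend's, RegTest's or any other product's code: an in-memory stand-in for the registry, a reactive monitor that snapshots it every few ticks and diffs, and a proactive in-line hook that vetoes writes to a protected key before they land (the position a kernel filter driver occupies). The Run key path is the real one; the value name and data mirror the alert quoted later in the thread; the tick counts, class names and hook mechanism are assumptions made for the example.

```python
"""Why a polling registry monitor can miss an autostart change that an
in-line (interception) monitor cannot.

Added simulation for this thread; it is not RegDefend, RegTest or any
other product's code. The registry, both monitors and the 'malware'
are in-memory stand-ins (assumptions made for the example)."""

from dataclasses import dataclass, field

# Real autostart key; the value name and data mirror what the test writes
# according to an alert quoted later in the thread.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD = ("1regtest1", r"C:\possible_virus.exe")


@dataclass
class Registry:
    """Minimal stand-in: (key, value-name) -> data, plus in-line hooks."""
    values: dict = field(default_factory=dict)
    hooks: list = field(default_factory=list)  # callables (key, name, data) -> bool

    def set_value(self, key, name, data):
        # An interception hook sees the write *before* it lands and may veto it.
        if not all(hook(key, name, data) for hook in self.hooks):
            return False
        self.values[(key, name)] = data
        return True


class PollingMonitor:
    """Reactive: snapshots the registry every `interval` ticks and diffs."""

    def __init__(self, reg, interval):
        self.reg, self.interval = reg, interval
        self.snapshot = dict(reg.values)
        self.alerts = []

    def tick(self, t):
        if t % self.interval:
            return  # not a polling tick; anything written now is invisible
        for k, v in self.reg.values.items():
            if self.snapshot.get(k) != v:
                self.alerts.append((t, k, v))
        self.snapshot = dict(self.reg.values)


class InterceptingMonitor:
    """Proactive: registered in the write path, blocks protected keys synchronously."""

    def __init__(self, reg, protected_keys):
        self.protected = {k.lower() for k in protected_keys}
        self.blocked = []
        reg.hooks.append(self.on_write)

    def on_write(self, key, name, data):
        if key.lower() in self.protected:
            self.blocked.append((key, name, data))
            return False
        return True


def run_scenario(interval, attack_tick, reboot_tick, intercept):
    """Malware writes an autostart value at attack_tick and forces a reboot
    at reboot_tick. Returns (value_persisted, polling_alerts, intercept_blocks)."""
    reg = Registry()
    poller = PollingMonitor(reg, interval)
    guard = InterceptingMonitor(reg, [RUN_KEY]) if intercept else None
    for t in range(1, reboot_tick + 1):
        if t == attack_tick:
            reg.set_value(RUN_KEY, *PAYLOAD)
        poller.tick(t)
    persisted = (RUN_KEY, PAYLOAD[0]) in reg.values
    return persisted, len(poller.alerts), (len(guard.blocked) if guard else 0)


if __name__ == "__main__":
    # Poll every 5 ticks, write at tick 7, reboot at tick 9: change lands, no alert.
    print("polling, reboot before next poll :", run_scenario(5, 7, 9, False))
    # Same, but the reboot comes after the next poll: an alert, yet the value persisted.
    print("polling, reboot after next poll  :", run_scenario(5, 7, 12, False))
    # In-line hook: the write never lands, whatever the timing.
    print("intercepting hook                :", run_scenario(5, 7, 9, True))
```

The second polling case is the one worth noticing: even when the poller does fire, it only reports that the autostart entry already exists, which is exactly the "too late" situation described above. The hook returns the same result whatever interval or timing you pick, because it is consulted on the write itself rather than on a later look at the result.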

Jason_R0
March 9th, 2005, 09:45 PM
The two alerts you see before the test starts are only to "clean" the system of any left-over entries which may have occurred from previous tests. You should allow them, as they are simply deleting old entries if they exist. :)

siliconman01
March 10th, 2005, 02:01 AM
Thanks Jason, :)

I'd run it again, but if I have to "power" shutdown, it often causes the Quick Launch bar to be turned off. When I turn it back on, the icons (many) are reversed in order and I have to reorder them in the specific sequence I like.... ;D That's not a RegTest problem, btw.

cqdx11
March 10th, 2005, 12:19 PM
Hi !

I'm going to do some testing tonight, but when I tested RegTest this morning, test 1 was OK, but test 2 was a failure, even with RegDefend activated: a window on reboot said that my system could be compromised by malware.

I'll let you know if I find any software compatibility issues.

Before test 1, I got a prompt from RD; I blocked it.
On test 1 start, I blocked each modification from being made, all OK.
On test 2, an RD window pops up, but I can't do anything as it disappears quickly and the system is rebooted.

Jason_R0
March 10th, 2005, 09:11 PM
{QUOTE-> Hi !

I'm going to do some testing tonight, but when I tested RegTest this morning, test 1 was OK, but test 2 was a failure, even with RegDefend activated: a window on reboot said that my system could be compromised by malware.

I'll let you know if I find any software compatibility issues.

Before test 1, I got a prompt from RD; I blocked it.
On test 1 start, I blocked each modification from being made, all OK.
On test 2, an RD window pops up, but I can't do anything as it disappears quickly and the system is rebooted.

My system :
XP PRO SP2 with all updates
NOD32
LOOK'N'STOP
All Diamond CS progs
Adinf 32
Shadow user
Safety bar
Acronis True image
RegDefend
Spysweeper (on demand) <-QUOTE}

Are you running RegDefend v1.150 ?

bigc73542
March 10th, 2005, 09:19 PM
That is about the same scenario I experienced when I ran the test.

xp pro sp2
PG
Panda platinum 7
regdefend 1.150
spybot s/d
adaware
Ms antispyware
Win Patrol
a2
spywareblaster and guard

cqdx11
March 11th, 2005, 12:53 AM
Hi Jason,

Indeed, I'm using the registered version of RegDefend V1.150.

Bowserman
March 11th, 2005, 03:23 AM
Anyone who is having the problem of RegDefend failing the RegTest might like to try doing a COMPLETE uninstall of RegDefend. Here is what I do:


- Close/Exit RegDefend and copy your custom .ghst files to another location.

- Now go to Add or Remove Programs and uninstall RegDefend. When prompted to reboot choose YES.

- Once the computer has rebooted navigate to C:\Program Files (or whichever directory you installed to) and delete the RegDefend Folder IF it is in there.

- Open regedit now: START> RUN> type in regedit and click OK

- While in regedit do a search for regdefend and delete all entries found. If you have problems deleting the LEGACY_REGDEFEND keys, all you need to do is: right-click on it> select permissions> tick ALLOW next to Full Control> then Apply and OK it. You should now be able to delete them.

- Also do a search for regtest while in regedit and delete any entries you find in there.

- Reboot the computer.



Once all that is done then re-install RegDefend and see how it goes now :). As always, make a backup of your registry before doing anything in there.


Hope that helps.


Regards,
Jade.

Defenestration
March 11th, 2005, 08:16 AM
How come ALL RegDefend entries aren't removed when doing an uninstall ?

eg.

- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RegDefend_is1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REGDEFEND
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_REGDEFEND

ReGen
March 11th, 2005, 09:05 AM
I just had a bad experience with test 2.
With RD set to block, my PC was rebooted during the test. On attempting to ‘Log in’ I was immediately ‘Logged out’ again during which the PC hung. This happened on 3 attempts.
I then selected to ‘Boot with last known good settings’. Logged in OK this time, and after all that I was told I’d failed the test. Don’t think I’ll be trying that one again in a hurry! :-\

Jason_R0
March 11th, 2005, 10:02 AM
{QUOTE-> How come ALL RegDefend entries aren't removed when doing an uninstall ?

eg.

- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RegDefend_is1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REGDEFEND
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_REGDEFEND <-QUOTE}

Blame the legacy keys on Windows. The MUICache one is due to you searching for RegDefend in some Windows program (same with the ARPCache one, but I'm not so sure on that one; something to do with Inno Setup, the installer, I think...).

cqdx11
March 11th, 2005, 02:33 PM
Hi !

I made a fresh install of RegDefend, with Jade's uninstall procedure, but it was useless, still failing test n°2 ...

Bowserman
March 11th, 2005, 07:11 PM
{QUOTE-> Hi !

I made a fresh install of RegDefend, with Jade's uninstall procedure, but it was useless, still failing test n°2 ... <-QUOTE}


Strange indeed.

Just to double check, did you also remove any entries found in regedit for regtest? And when you first run RegTest, are you allowing that initial RD alert, as it is there to clean the system of any left-over entries from previous tests?


Regards,
Jade.

nameless
March 12th, 2005, 12:02 AM
Jason, if you ever grow tired of programming, there would appear to be a career for you in marketing.

dog
March 12th, 2005, 12:31 AM
{QUOTE-> Hi, Just tried the test and it Didn't work ? I got the alert box as in my screeny and that was it ! <-QUOTE}Just a guess here ... but seeing as Regdefend doesn't support 95/98/ME ... I'd guess neither does RegTest. You're running 98 right?

cqdx11
March 12th, 2005, 01:32 AM
Yes, Jade, I do remove all references to both RegDefend and RegTest.

Anyway, it shouldn't be a problem with leftover parts of a previous test, as it failed from the beginning.

I tested various scenarios, with allow, block and remember checkboxes on the initial alert, but as far as I know this hasn't changed anything about the test 2 failure.

ReGen
March 12th, 2005, 02:48 AM
I plucked up the courage to repeat test 2. The same thing happened as before –

Run the test 2 – Various things flash up on screen very quickly and RD informs me something has been blocked. The system shuts down.

The system boots up to the ‘Login page’. I log into my account. On logging in and before I actually see my desktop, an error box flashes up – something to do with failing to load explorer.dll. The system starts to log out (without me doing anything) and locks up requiring a hard reboot.

I login again and this time, windows automatically goes into the, ‘Windows is shutting down’ routine before I see my desktop.

The 3rd time I try to login, the RD Test screen appears and tells me I’ve failed the test. I then get logged in correctly. :-\

Windows XP Home. Athlon 64 3500+
NIS2005, SpySweeper 3.5, TH Guard, RegDefend.

cqdx11
March 12th, 2005, 12:59 PM
This afternoon, I decided to test something :

I formatted C:, installed Windows XP Pro SP2 French and installed RegDefend, nothing else, no resident progs, no tweaks.

... and test 2 was again a failure ...

System quickly rebooted after I hit test 2, I just saw an alert from RD, but too quickly to react.

On first reboot, I just saw my wallpaper; it hung a while and rebooted by itself.
On second reboot, the fatal "system can be compromised" showed up.

I was suspecting a software issue with my security apps, but it looks like it is more likely to be a hardware issue or an issue with XP on some systems.

Just let me know if I can be of any help trying to find out what's causing problems with regtest + regdefend.



Contact : < e-mail removed to prevent harvesting - puff-m-d >

Kegel
March 12th, 2005, 04:49 PM
{QUOTE-> Replaced dodgy Screeny ! <-QUOTE}

Just curious. Why would you be so interested in an obscure program like regdefend, be up to date on internet and computer security and STILL be running Windows 98?

muf
March 12th, 2005, 05:26 PM
{QUOTE-> Just curious. Why would you be so interested in an obscure program like regdefend, be up to date on internet and computer security and STILL be running Windows 98? <-QUOTE}

I think you may find that his interest is in the testing to see how his setup copes, and not in Regdefend itself.

Also, people who use Win 98 are most likely BETTER protected because most of the new malware only runs on Win XP. In a weird, perverse way it must be quite comforting to the Win 9x users to see all these nasties that don't support Win 9x. I mean if you were a virus writer, what OS would you be creating your new nasty on? The percentages say Win XP! Would you have the inclination to test it on Win 9x systems as well? Probably not.

muf

Kegel
March 12th, 2005, 05:54 PM
{QUOTE-> I think you may find that his interest is in the testing to see how his setup copes, and not in Regdefend itself.

Also, people who use Win 98 are most likely BETTER protected because most of the new malware only runs on Win XP. In a weird, perverse way it must be quite comforting to the Win 9x users to see all these nasties that don't support Win 9x. I mean if you were a virus writer, what OS would you be creating your new nasty on? The percentages say Win XP! Would you have the inclination to test it on Win 9x systems as well? Probably not.

muf <-QUOTE}


good point.

Jason_R0
March 12th, 2005, 09:51 PM
{QUOTE-> Replaced dodgy Screeny ! <-QUOTE}

At the moment RegTest doesn't support Windows 9x, but it will just take a small recompile and some other tweaks to make it work on Win9x. The way RegTest "works" will also work on Windows 9x just fine, so malware could target it the same way.

For the next version I will make sure it is tested/works on Win9x too. :)

Jason_R0
March 12th, 2005, 09:56 PM
Could you guys who have RegTest work even when RegDefend is enabled see if you have a key in your registry located here :-

(use regedit)
hkey_local_machine\system\currentcontrolset\services\1regtest

And if you do, delete the whole key and retry the test. Also make sure RegTest isn't on your allow list (program overrides), and that both of the default registry groups (Autostarts and Special Items) are enabled.

cqdx11
March 13th, 2005, 02:05 AM
I found the following "regtest" keys in my registry :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_1REGTEST
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_1REGTEST\0000

...deleted it.

RegTest is not on my RegDefend allow list.
The 2 default registry groups are protected.

Still failing test n°2

Jason_R0
March 13th, 2005, 02:57 AM
Can you explain what you see on Test 1 cqdx11?

cqdx11
March 13th, 2005, 04:04 AM
Yep,

Regtest.exe [1144] tried to modify the following registry VALUE with this data.
This registry item is in the AUTO STARTS Registry group.
Process : d:\to burn\regtest.exe
Registry key : HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Registry value : 1regtest1

Allow or Block

BLOCK

Click on Test1 introduction

Click on Start Test1

RegDefend pops up to tell me RegTest tried to modify the protected value and to set a value to possible virus.exe.
I block each attempt and modification fails.

HKEY_LOCAL_MACHINE\system\controlset001\control\session manager
hkey_current_user\software\microsoft\windows\currentversion\run
hkey_current_user\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run

ReGen
March 13th, 2005, 04:30 AM
{QUOTE-> Could you guys who have RegTest work even when RegDefend is enabled see if you have a key in your registry located here :-

(use regedit)
hkey_local_machine\system\currentcontrolset\services\1regtest

And if you do, delete the whole key, and retry the test. Also make sure RegTest isnt on your allow list (program overrides), and that both of the default registry groups (Autostarts and Special Items) are enabled. <-QUOTE}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1RegTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_1REGTEST\0000

I found the above reg entries. I couldn’t delete the Legacy ones for some unknown reason? I haven’t retried the test as yet.

Bowserman
March 13th, 2005, 04:51 AM
{QUOTE-> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1RegTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_1REGTEST\0000

I found the above reg entries. I couldn’t delete the Legacy ones for some unknown reason? I haven’t retried the test as yet. <-QUOTE}


Hi ReGen :).

In my instructions for complete uninstall I gave instructions how to remove those legacy entries. Have a read here (http://www.wilderssecurity.com/showpost.php?p=397206&postcount=18).

If you follow the instructions you should be able to delete them easily ;).


Regards,
Jade.

ReGen
March 13th, 2005, 05:07 AM
{QUOTE-> Hi ReGen :).

In my instructions for complete uninstall I gave instructions how to remove those legacy entries. Have a read here (http://www.wilderssecurity.com/showpost.php?p=397206&postcount=18).

If you follow the instructions you should be able to delete them easily ;).


Regards,
Jade. <-QUOTE}

Ahhhh! Missed that. Thanks Jade. :)

ReGen
March 13th, 2005, 06:12 AM
OK! Uninstalled RD cleared the Registry of everything to do with RD and RT. Reinstalled RD with the default settings. I Run RT. I block all the items in test 1. Pass! I run test 2 – and exactly the same thing happens as before. A couple of error boxes flash up on screen (no idea what they say), system reboots. 3 reboots later I get the system back, RD says test failed.
Even my Motherboard didn’t like it this time. Having detected windows not starting correctly, it automatically reduced the CPU timing down the way to play it safe. :P

docfleetwood
March 13th, 2005, 11:32 AM
I ran regtest with regdefend running and failed test 2. Then I realized I had regdefend version 1.10 rather than 1.15. I installed 1.15 and voila, test 2 failed - at least I assume it did since I didn't get a window upon restart. Although regdefend also did not give me any warnings that anything was happening or, in fact, did happen - even in the log.

My question to you, Jason, is what, apparently extremely important thing, did you discover between versions 1.10 and 1.15 that allows regdefend to pass?

Jason_R0
March 13th, 2005, 11:37 AM
{QUOTE-> I ran regtest with regdefend running and failed test 2. Then I realized I had regdefend version 1.10 rather than 1.15. I installed 1.15 and voila, test 2 failed - at least I assume it did since I didn't get a window upon restart. Although regdefend also did not give me any warnings that anything was happening or, in fact, did happen - even in the log.

My question to you, Jason, is what, apparently extremely important thing, did you discover between versions 1.10 and 1.15 that allows regdefend to pass? <-QUOTE}

The only thing was that the protection remains active whilst the GUI is not running. I thought it would be good in earlier versions if the protection was "disabled" when the GUI was shut down; obviously though, this isn't very secure. :)

So now if the GUI is shutdown and an "ASK USER" event occurs, it just blocks it instead of asking.

jimmytop
March 13th, 2005, 10:33 PM
Hi I'm having the same problem as everyone else where Regdefend fails Test 2 of Regtest. Using RD 1.15 trial.

I'm doing it on a microsoft virtual PC. I posted a separate thread here detailing my troubles, so refer to it if needed. But basically the behavior is identical as others describe here with the PC rebooting twice before finally coming up with the failure notification....

Jason, if you want to duplicate this using VPC, there is a trial version of VPC 2004 available from Microsoft.com.

Jason_R0
March 13th, 2005, 10:43 PM
I have uploaded a test build of RegTest.. can you guys who fail test 2 try it out and see if you fail it with this new build.

http://www.ghostsecurity.com/downloads/regtest_beta.zip

jimmytop
March 13th, 2005, 11:11 PM
I downloaded the beta, but it still fails test 2. This time, it doesn't reboot a second time though. It does the initial reboot after Test 2, goes all the way through the boot-up, and I get the "Your system can be compromised" message immediately. Clicking the top right X brings my desktop as normal.

I guess I would still suggest trying to test it yourself on VPC, that's probably your best bet for duplicating since that's where I'm seeing the trouble. If you do, don't forget to install the virtual machine services additions.

Besides, I would be more concerned about the vulnerability in Regdefend that causes it to fail Test 2 on certain machines, than I would about making a Regtest that doesn't exploit that vulnerability. Just my opinion ::)

Thanks for your help!!

Jason_R0
March 13th, 2005, 11:22 PM
{QUOTE-> I downloaded the beta, but it still fails test 2. This time, it doesn't reboot a second time though. It does the initial reboot after Test 2, goes all the way through the boot-up, and I get the "Your system can be compromised" message immediately. Clicking the top right X brings my desktop as normal.

I guess I would still suggest trying to test it yourself on VPC, that's probably your best bet for duplicating since that's where I'm seeing the trouble. If you do, don't forget to install the virtual machine services additions.

Besides, I would be more concerned about the vulnerability in Regdefend that causes it to fail Test 2 on certain machines, than I would about making a Regtest that doesn't exploit that vulnerability. Just my opinion ::)

Thanks for your help!! <-QUOTE}

The RegTest beta was to help pinpoint where RegDefend was failing on your machines... so maybe you shouldn't jump to conclusions there. :)

RegDefend has been tested on VPC and VMWARE with RegTest, and it works fine, as in it passes test 2 fine here.

Can you please delete all the old registry values as listed by Bowserman and then retry the test? The behaviour you are describing is a bit different than what should be happening.

cqdx11
March 14th, 2005, 12:39 AM
Same results as JimmyTop, it boots only once instead of twice.

(registry keys related to RegTest had been erased prior to the RegTest beta setup)

Jason_R0
March 14th, 2005, 01:00 AM
OK, I think I have found the issue.... when the GUI shuts down due to RegTest closing it, the driver allows the last item which is being "asked" instead of blocking it. On some machines, due to timing, there might not be any items waiting, and hence when closing down it won't allow any items and will still block the test fine.

Anyone interested in testing the new driver can email me at :- support@ghostsecurity.com
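The two driver behaviours Jason describes in this thread (with the GUI shut down, an "ask user" event is simply blocked; but a request that was already waiting for an answer when the GUI went away got allowed), as an added simulation that is not RegDefend's driver code and is not part of the original posts: a queue of writes awaiting a verdict, once with the defective fail-open default on GUI disconnect and once failing closed. The two key paths are the ones quoted in the thread; the queue, the verdict names and the `ImagePath` value name are assumptions made for the example.

```python
"""The fail-open defect described in the thread: a registry write waiting
for an 'ask user' verdict is allowed when the GUI goes away. Beside it,
the fail-closed behaviour a protection driver should have.

Added simulation for this thread; it is not RegDefend's driver code. The
queue, the verdict names and the value names are assumptions for the
example; the two key paths are the ones quoted in the thread."""

from collections import deque
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"      # parked in the queue until answered or the GUI disconnects


class DecisionQueue:
    """Driver-side queue of writes to protected keys awaiting a user verdict."""

    def __init__(self, fail_open):
        self.fail_open = fail_open       # True reproduces the defect
        self.pending = deque()
        self.gui_connected = True
        self.log = []                    # (path, value, final verdict)

    def request(self, path, value):
        if not self.gui_connected:
            # Nobody can answer: block rather than wave the write through.
            self.log.append((path, value, Verdict.BLOCK))
            return Verdict.BLOCK
        self.pending.append((path, value))
        return Verdict.ASK

    def answer(self, verdict):
        """User clicked Allow/Block for the oldest outstanding prompt."""
        path, value = self.pending.popleft()
        self.log.append((path, value, verdict))
        return verdict

    def gui_disconnect(self):
        """GUI process exits (the user closed it, or the test killed it).
        Every prompt still open is resolved with the default; the defect is
        a default of ALLOW."""
        self.gui_connected = False
        default = Verdict.ALLOW if self.fail_open else Verdict.BLOCK
        resolved = []
        while self.pending:
            path, value = self.pending.popleft()
            self.log.append((path, value, default))
            resolved.append(default)
        return resolved


SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\1RegTest"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def simulate_test2(fail_open):
    """Test-2-style sequence: provoke a prompt, terminate the GUI before it is
    answered, then write again. Returns the verdicts the writes received."""
    q = DecisionQueue(fail_open)
    verdicts = []
    q.request(SERVICE_KEY, "ImagePath")      # prompt appears (value name assumed)
    verdicts += q.gui_disconnect()           # GUI dies with the prompt still open
    verdicts.append(q.request(RUN_KEY, "1regtest1"))  # later write, GUI gone
    return [v.value for v in verdicts]


def simulate_user_blocks(fail_open):
    """Control case: the user answers Block before the GUI disappears, so the
    disconnect finds nothing pending and the defect never triggers."""
    q = DecisionQueue(fail_open)
    q.request(SERVICE_KEY, "ImagePath")
    first = q.answer(Verdict.BLOCK)
    late = q.gui_disconnect()
    return first.value, late


if __name__ == "__main__":
    print("defective driver :", simulate_test2(fail_open=True))
    print("fail-closed      :", simulate_test2(fail_open=False))
    print("user blocked     :", simulate_user_blocks(fail_open=True))
```

The control case is why the defect only showed on some machines: if the GUI disappeared with nothing left in the queue, there was nothing to allow, and the driver blocked the test as intended. The fix is to make the disconnect path resolve outstanding prompts the same way the no-GUI path already did, with a block.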

cqdx11
March 14th, 2005, 02:50 AM
Hi,

The new driver doesn't work for me.

Procedure :

RegDefend clean uninstall
close, remove, reboot, clean registry entries

RegTest clean remove
Cleaned registry entries

Reboot

Applied the modified driver
Rebooted twice

Test 2 :

it closes down the system quickly, without showing any alert window
it reboots two times
on the second reboot, the "compromised security" window appears.

Jason_R0
March 14th, 2005, 03:23 AM
{QUOTE-> Hi,

The new driver doesn't work for me.

Procedure :

RegDefend clean uninstall
close, remove, reboot, clean registry entries

RegTest clean remove
Cleaned registry entries

Reboot

Applied the modified driver
Rebooted twice

Test 2 :

it closes down the system quickly, without showing any alert window
it reboots two times
on the second reboot, the "compromised security" window appears. <-QUOTE}

Was this with the BETA regtest or the public release one? Have you tried both?

Jason_R0
March 14th, 2005, 05:21 AM
OK, one of my testers has managed to reproduce this error with my latest beta build, so we worked out what was causing it. In the driver a mapping was incorrect, which caused it to not pick up a certain registry item. It will be fixed in the next RegDefend (v1.200) release.

ReGen
March 14th, 2005, 08:17 AM
{QUOTE-> OK, one of my testers has managed to reproduce this error with my latest beta build, so we worked out what was causing it. In the driver a mapping was incorrect, which caused it to not pick up a certain registry item. It will be fixed in the next RegDefend (v1.200) release. <-QUOTE}

Good to hear Jason. :)

Just for your info:
Using the beta regdefend.sys and the beta RT.

Test 1 : Passed (Passed with GUI closed down)

Test 2 : PC rebooted after test, then rebooted once more. RT says test failed, system returned to normal. So using these beta files I was saved from a further reboot and had no lockups.

jimmytop
March 14th, 2005, 08:38 AM
{QUOTE-> The RegTest beta was to help pinpoint where RegDefend was failing on your machines... so maybe you shouldn't jump to conclusions there. :) <-QUOTE}

oops...sorry ;)

{QUOTE->
RegDefend has been tested on VPC and VMWARE with RegTest, and it works fine, as in it passes test 2 fine here.

Can you please delete all the old registry values as listed by Bowserman and then retry the test? The behaviour you are describing is a bit different than what should be happening. <-QUOTE}

I can try. However, the VM that I'm installing to is my base XP SP2 Pro installation. RegDefend has never been installed on it before. It has a few security apps such as Ad-Aware SE and Spybot S&D but has nothing loading at start-up (except the VM Additions service). It's handy this way because when I want to test something, I can install it on there and then when I'm done testing just click "Turn off and delete changes" and it goes back to the clean state.

But when I get home, I will first try seeing if any of those keys are there. Then I'll install Regdefend, and follow the uninstall procedure posted here, and reinstall it.

Edit: Since I've read thru the other posts, it sounds like you guys have things well in hand - so I'm not going to do anymore testing unless needed. But I am more than willing to do any testing. However, I am not a registered user. But if you need me to test anything just PM me.
Thanks again for all your help! I will try again when the new version is available.

shooter98
March 14th, 2005, 09:37 AM
I recently tested Prevx with RegTest and passed all tests except the 1st one. [HKLM\System\CurrentControlset\Control\Session Manager\Boot Execute] Is it dangerous that I failed the 1st test with Prevx? Or just a minor thing?

Then on the 2nd test, my computer just froze and would not reboot, but I couldn't do anything else either. So does that mean I failed test #2 or passed it with Prevx? Thx.

jimmytop
March 14th, 2005, 09:46 AM
{QUOTE-> I recently tested Prevx with RegTest and passed all tests except the 1st one. [HKLM\System\CurrentControlset\Control\Session Manager\Boot Execute] Is it dangerous that I failed the 1st test with Prevx? Or just a minor thing? <-QUOTE}

Same here with Prevx

{QUOTE-> Then on the 2nd test, my computer just froze and would not reboot, but I couldn't do anything else either. So does that mean I failed test #2 or passed it with Prevx? Thx. <-QUOTE}

Mine passed test 2 with Prevx - it made it all the way through the reboot though.

shooter98
March 14th, 2005, 10:07 AM
Hi Jimmytop

Are you using Prevx pay version, because I'm using the free version. If so, maybe that's why you passed test #2 and I didn't.

jimmytop
March 14th, 2005, 10:39 AM
Shooter, free version here also. Please PM me on this if you want to discuss, I don't want to hijack this thread anymore than we already have :P

Pilli
March 16th, 2005, 05:00 PM
As a matter of interest I have made a screenshot of Tiny V6 protected keys.

Pilli

Vikorr
May 22nd, 2005, 01:25 AM
Hello all

I'm running RD 1.3 (new to RD).

How do I tell if I passed test 2? (I ask because I uninstalled the trial version, then a few days later decided to buy it...and I see there's been problems with uninstalls).

After Regtest shuts down my comp, and it reboots....I didn't get any message saying pass or fail. I checked the logs of RD but there was nothing in them.

Bowserman
May 22nd, 2005, 04:00 AM
{QUOTE->

After Regtest shuts down my comp, and it reboots....I didn't get any message saying pass or fail. I checked the logs of RD but there was nothing in them. <-QUOTE}

Hi Vikorr,

The fact that you didn't get any message after the reboot means that you passed. Had you failed, you would have been presented with the notice in my attached screenshot :).

Regards,
Jade.

Robyn
May 22nd, 2005, 06:55 AM
I have just installed RegDefend but reading about the tests I am worried about using them ??? I am not sure what to expect and how to answer RD if it tells me about modifications due to the test :-[

I would be grateful if someone could advise as I don't want to run anything without knowing what it is going to do and how I should re-act to the test. Do I need the RD icon in my system tray or do I shut this down?
Apologies for all the questions :-[

Pilli
May 22nd, 2005, 07:52 AM
Hi Robyn. When you fire up RegTest you will have two alerts for it to run; allow them. Next, start test one and block any alerts; you will see the results in the RT window. Move to test two and you will not be able to do anything, as after a few seconds the test will reboot your machine. If after you reboot there is an RT pop-up (see Jade's screenshot above) saying your machine has been compromised, then the test has failed; if, however, your machine boots without the RT screen, then you have passed :)

HTH Pilli

Robyn
May 22nd, 2005, 07:56 AM
Thanks Pilli

Will gather my courage now to make sure my computer cannot be compromised. Thank you for explaining the order and the answers to me. Hopefully I can post back with a secure registry guard working for me.

Robyn
May 22nd, 2005, 08:13 AM
Back again - the first test was easy :) the second one was scary - I did see a quick flash of a debug error but it didn't stay on screen; the test kept on going and did re-boot my computer, but when I came back I did not see any screenshots, just the RD notice about my trial - nothing in the logs etc.

Apart from the little debug box which didn't do anything RD certainly seemed to protect me through the tests as I am back without any notices to scare me.

I am just running it at default settings until I learn more about other keys I should add - hopefully default are enough. I know it managed to shut my computer down but as I am back running, I think that means whatever was trying to change anything couldn't because RD was in place (hope so)

Rivalen
November 29th, 2005, 08:40 AM
DefenseWall HIPS 1.0 Beta passes Regtest.exe without any problems.

When I downloaded the test I considered it not to be trustworthy, so I put it in the sandbox as an untrusted app. From there I ran it and saw no problems.

Best Regards

billaku
January 8th, 2006, 02:38 PM
Test1 seemed to go fine.


Test 2
A bunch of windows popped up:
RegDefend, WinPatrol, ProcessGuard.

Before I could respond to all the popups, the system rebooted.

Did not get the http://www.wilderssecurity.com/showpost.php?p=465201&postcount=64 window.

But did not know what had happened with all the popups, being able to respond to some, but not others, before the reboot.

Was not able to make sense of the RegDefend log.
No entries earlier than ~11 hours prior??

So, since had created a WinXP System Restore point before all above, attempted to restore to that point.

Would not do so upon clicking on: Select A Restore Point | Next.
That window just stayed opened.

So, booted into Safe mode. Then able to do the desired restore.


Will not be trying this 'RegTest' without more complete instructions at top of this post or in regtest.txt or similar before start of the test.

bigc73542
January 8th, 2006, 06:01 PM
I was going to run the test but RegDefend and ProcessGuard were really popping up on it, so I just cancelled. If I am getting that many warnings before it really even runs, I feel fairly well alerted.

minnow
March 20th, 2006, 10:52 AM
I've looked for these .ghst files but CAN'T find them anywhere, and where do we move them to, like to a WordPad or Documents folder?

Also, I've tried to remove the program but it says "Program is running and can't be removed" and tells me to disable the Ghost-type program and try again.

{QUOTE-> Anyone who is having the problem of RegDefend failing the RegTest might like to try doing a COMPLETE uninstall of RegDefend. Here is what I do:


- Close/Exit RegDefend and copy your custom .ghst files to another location.

- Now go to Add or Remove Programs and uninstall RegDefend. When prompted to reboot choose YES.

- Once the computer has rebooted navigate to C:\Program Files (or whichever directory you installed to) and delete the RegDefend Folder IF it is in there.

- Open regedit now: START> RUN> type in regedit and click OK

- While in regedit do a search for regdefend and delete all entries found. If you have problems deleting the LEGACY_REGDEFEND keys, all you need to do is: right-click on it> select permissions> tick ALLOW next to Full Control> then Apply and OK it. You should now be able to delete them.

- Also do a search for regtest while in regedit and delete any entries you find in there.

- Reboot the computer.



Once all that is done then re-install RegDefend and see how it goes now :). As always, make a backup of your registry before doing anything in there.


Hope that helps.


Regards,
Jade. <-QUOTE}

minnow
April 13th, 2006, 09:36 AM
I've deleted the RegDefend folders,
so I went to the Add/Remove Programs list and have removed RegDefend. All that stuff I tried somehow closed it and allowed me to get rid of it.

arithona
May 4th, 2006, 01:21 AM
Thanks, I'll have a try...

aigle
May 4th, 2006, 07:31 PM
It is strange for me to see people trying the test issued by Ghost Security on the product from the same company. Do you expect that they will not succeed on the tests created by themselves? Or am I missing something?
Note: I don't mean to say that Ghost Security products are not good. I am just mentioning the fact that RegDefend surely can't fail on these tests, so there is no point in trying it over here.

vlk
March 17th, 2007, 06:54 PM
BTW... just noticed this little tool and tried it out... Unfortunately I have to say that I don't think the way it's working is correct, actually.

That is, for simple registry blockers the results will certainly be positive. However, for more sophisticated/powerful tools (redirectors/virtualizers) it says the test failed even though it has not!

Redirectors/virtualizers work in the way that they make the application believe that all the operations succeeded - but the underlying storage is left intact. When the application tries to read the data it has written, it gets them correctly - but these are in fact spoofed by the virtualizer.

It would be really helpful if your tool could handle this kind of sophisticated applications and correctly report that they're doing their job well. Otherwise, the results may be very confusing for the user.

Cheers
Vlk

EASTER.2010
March 17th, 2007, 07:54 PM
KIS6 passes all of this test. Other security-related wares like AS/ATs and even some HIPS didn't fare as well on at least #1.

aigle
March 17th, 2007, 09:51 PM
GW passes it (test one is virtualized, so it's a pass).
Test 2: that's wonderful to see via GW policy notifications, such a huge number of policy restrictions blocked by GW, and test 2 can't reboot the system - a total success for GW.

aigle
March 17th, 2007, 10:06 PM
{QUOTE-> BTW... just noticed this little tool and tried it out... Unfortunately I have to say that I don't think the way it's working is correct, actually.

That is, for simple registry blockers the results will certainly be positive. However, for more sophisticated/powerful tools (redirectors/virtualizers) it says the test failed even though it has not!

Redirectors/virtualizers work in the way that they make the application believe that all the operations succeeded - but the underlying storage is left intact. When the application tries to read the data it has written, it gets them correctly - but these are in fact spoofed by the virtualizer.

It would be really helpful if your tool could handle this kind of sophisticated applications and correctly report that they're doing their job well. Otherwise, the results may be very confusing for the user.

Cheers
Vlk <-QUOTE}
Hi, it is more than a PASS in my opinion, as the malware is fooled in a way that it thinks it has done its job. I don't see anything wrong in the test as long as you understand it.

vlk
March 18th, 2007, 04:36 AM
All I'm saying is that if there's a virtualizer in place, it's more than a PASS, but RegTest reports it as FAIL. Which is very confusing for the user (and all the "testers" out there who rely on RegTest's report).

Cheers
Vlk

lucas1985
March 18th, 2007, 02:30 PM
vlk,
I agree with you. However, people playing with these tests are aware of a lot of things :)
I don't see the average Norton/McAfee/Trend user playing with security demos/tests.

vlk
March 19th, 2007, 04:07 AM
I don't quite agree. The mere goal of the RegTest program is to test certain functionality and report the result of the test to the user.

Now it turns out that for certain classes of programs, the reported result is incorrect. How can the user then tell if that's because the program is really unable to shield against a registry attack - or rather because RegTest just can't see it?

Take e.g. this test here: http://www.techsupportalert.com/security_HIPS.htm
I'm sure the author RELIED on the results reported by RegTest, without really looking for a reason if an application failed.

Cheers
Vlk

lucas1985
March 19th, 2007, 02:56 PM
If I am going to do some public tests, I must know the inner workings of the products tested and the tools used for testing.

aigle
March 19th, 2007, 03:41 PM
{QUOTE-> Take e.g. this test here: http://www.techsupportalert.com/security_HIPS.htm
I'm sure the author RELIED on the results reported by RegTest, without really looking for a reason if an application failed.
<-QUOTE}

Why are you so sure? I don't think he is unaware of this simple fact.

Jason_R0
March 20th, 2007, 08:36 AM
{QUOTE-> BTW... just noticed this little tool and tried it out... Unfortunately I have to say that I don't think the way it's working is correct, actually.

That is, for simple registry blockers the results will certainly be positive. However, for more sophisticated/powerful tools (redirectors/virtualizers) it says the test failed even though it has not!

Redirectors/virtualizers work in the way that they make the application believe that all the operations succeeded - but the underlying storage is left intact. When the application tries to read the data it has written, it gets them correctly - but these are in fact spoofed by the virtualizer.

It would be really helpful if your tool could handle this kind of sophisticated applications and correctly report that they're doing their job well. Otherwise, the results may be very confusing for the user.

Cheers
Vlk <-QUOTE}

It isn't really my responsibility to ensure people who use RegTest know how it works, and how a HIPS works either. We see this kind of misreporting of software testing in many places. Most people who read RegDefend's forum know a lot more about how HIPS work than most of the reviewers out there.

There is no real way of knowing if you are under a "virtualizer", as you called it, or not, unless you specifically try to detect the presence of one. If you were at ring0 (like a driver) you could probably fool the "virtualizer" and get around its protection, which is why you need protection against driver installations. However, since most malware is ring3, I think RegTest serves the purpose of being a generic attack for registry defenders to test themselves against.