#76
BTW... just noticed this little tool and tried it out... Unfortunately I have to say that I don't think the way it's working is correct, actually.
That is, for simple registry blockers the results will certainly be positive. However, for more sophisticated/powerful tools (redirectors/virtualizers) it says the test failed even though it has not! Redirectors/virtualizers work in the way that they make the application believe that all the operations succeeded - but the underlying storage is left intact. When the application tries to read the data it has written, it gets them correctly - but these are in fact spoofed by the virtualizer.
It would be really helpful if your tool could handle this kind of sophisticated application and correctly report that they're doing their job well. Otherwise, the results may be very confusing for the user.
Cheers Vlk
#77
KIS6 passes all of this test. Other security related wares like AS/AT's and even some HIPS didn't fare as well on at least #1.
#78
|
||||
|
||||
|
GW passes it (Test one is virtualized, so it's a pass).
Test 2, that's wonderful to see via GW policy notifications, such a huge no. of policy restrictions blocked by GW and test 2 can't reboot the system, a total success of GW.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#79
|
||||
|
||||
|
Quote:
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#80
|
|||
|
|||
|
All I'm saying is that if there's a virtualizer in place, it's more than PASS but RegTest reports it as FAIL. Which is very confusing for the user (and all the "testers" out there who rely on RegTest's report).
Cheers Vlk
#81
|
||||
|
||||
|
vlk,
I agree with you. However, people playing with these tests are aware of a lot of things. I don't see the average Norton/McAfee/Trend user playing with security demos/tests.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder". "Perfect is the enemy of good enough". Voltaire.
#82
|
|||
|
|||
|
I don't quite agree. The mere goal of the RegTest program is to test certain functionality and report the result of the test to the user.
Now it turns out that for certain classes of programs, the reported result is incorrect. How then can the user tell if that's because the program is really unable to shield registry attack - or rather because RegTest just can't see it?
Take e.g. this test here: http://www.techsupportalert.com/security_HIPS.htm
I'm sure the author RELIED on the results reported by RegTest, without really looking for a reason if an application failed.
Cheers Vlk
#83
|
||||
|
||||
|
If I am going to do some public tests, I must know the inner workings of the products tested and the tools used for testing.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder". "Perfect is the enemy of good enough". Voltaire.
#84
|
||||
|
||||
|
Quote:
Why are you so sure? I don't think he is not aware of this simple fact.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#85
|
||||
|
||||
|
Quote:
It isn't really my responsibility to ensure people who use RegTest know how it works, and how a HIPS works either. We see this kind of misreporting of software testing in many places. Most people who read RegDefend's forum know a lot more about how HIPS work than most of the reviewers out there. There is no real way of knowing if you are under a "virtualizer" as you called it or not, unless you specifically try and detect the presence of them. If you were at ring0 (like a driver) you could probably fool the "virtualizer" and get around its protection, which is why you need protection against driver installations. However since most malware is ring3, I think RegTest serves the purpose of being a generic attack for registry defenders to test themselves against.
__________________
AppDefend - Protect your applications RegDefend - Protect your registry Ghost Security
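
Added example, not part of any post in this thread and not RegTest's code: a toy Python model of the disagreement above, showing why a write-then-read-back check run from inside the tested process reports a blocker as PASS but a virtualizer as FAIL, while a check of the underlying store reports both as PASS. The class names, the key path and the two verdict functions are assumptions made for illustration; the dictionaries stand in for the registry.

```python
"""Toy model (constructed): how a write-then-read-back test judges three protections."""

class Unprotected:
    """No protection: writes land in the real store."""
    def __init__(self):
        self.real = {}          # stands in for the registry as stored on disk
    def write(self, key, value):
        self.real[key] = value
        return True
    def read(self, key):
        return self.real.get(key)

class Blocker(Unprotected):
    """Simple blocker: the write is refused and the caller sees the failure."""
    def write(self, key, value):
        return False

class Virtualizer(Unprotected):
    """Redirector: reports success, keeps the value in an overlay, serves reads from it."""
    def __init__(self):
        super().__init__()
        self.overlay = {}       # per-process view; the real store is never touched
    def write(self, key, value):
        self.overlay[key] = value
        return True
    def read(self, key):
        return self.overlay.get(key, self.real.get(key))

KEY = r"HKLM\Software\Example\Run"  # constructed key path, for illustration only

def in_process_verdict(system):
    """Judge as the tested process sees it: write, then read the value back."""
    ok = system.write(KEY, "marker")
    return "FAIL" if ok and system.read(KEY) == "marker" else "PASS"

def out_of_band_verdict(system):
    """Judge from a vantage point outside the virtualized view: inspect the real store."""
    system.write(KEY, "marker")
    return "FAIL" if system.real.get(KEY) == "marker" else "PASS"

def compare():
    """Return {protection: (in-process verdict, out-of-band verdict)}."""
    systems = (Unprotected(), Blocker(), Virtualizer())
    return {type(s).__name__: (in_process_verdict(s), out_of_band_verdict(s)) for s in systems}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12} in-process={verdicts[0]}  out-of-band={verdicts[1]}")
```

The two verdicts differ only for the virtualizer, so a test report is more useful when it states which view the check was made from.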