RegDefend VS Hidden Keys

Hi,

On my first post about RegDefend, i've mentioned protection against hidden keys.
So i've tested RegDefend against this kind of methods used by rootkits for instance.

The test tool is RegHide by Sysinternals:

http://www.sysinternals.com/ntw2k/info/tips.shtml#registryhidden

RegHide creates a hidden key in the HKLM_Software group.

During the test, i've monitored all changes with InstallSpy (a monotoring free soft).

I've added the HKLM_Software group to the rules with different configurations:

*block,
*ask user .

Conclusion: RegDefend has a real and efficiency protection against hidden keys:

*RegHide was able to create the key (Systems Internals\Can't touch me):

-With the "ask user" rule, and "allow" answer to the RegDefend's pop up box .

*RegHide was not able to create the keys in all the others case:

-"block" rule,
-"ask user" rule and "block" answer to the pop up box.

To be objective, there's many monitoring softs (free or paid) which have not a real and efficiency prevetion protection of the registry (prevent=block, not only monitor and detect).

In this case, RegDefend, as RegRun, is an efficiency program which protects against advanced attacks .

But just some little remarks (or whishes) :

*Why RegDefend is not already pre-rules configured?

If Wilders members are well informed about computer's security, it's not the case of John Doe, Monsieur Dupont, our friends or family's members.
Three rules with different level (low, medium, high security) could be interesting for newbies and classicals users.

*For more security, hashes values to authenticate the registry could also be interesting.
MD5 is enough, SHA-1 can be more secure but also too slow and too long.




Regards

 

RegDefend pop up box:

 

About the RegHide pop up box:

 

And here the second RegHide Pop up:

 

Here the html report of InstallSpy with the "allow" answer to the RegDefend's pop up box:

 

Thanx Kareldjag for this indepth testing against hidden regkeys!!!

it seems that regdefend is doing what it is supposed to do, protect the registry.

 

Good tests, french mate

These tests should be added to RegTest IMHO, it shows the strength of RegDefend.

 

Great detailed testing Kareldjag ....nice one.

Regards,
Jade.

 

Nice job on the testing but I don't quite understand. You added the registry key to regdefend that you already knew the software was trying to 'infect' and then it detected it. I would certainly hope so. The problem is that typically a program trying to add a hidden registry item won't be kind enough to tell you where it is going to put it so perhaps regdefend could warn against any hidden keys being installed anywhere? Or are there good reasons for hidden registry keys?

 

The key being added contains a NULL character and the Win32 API's that most programs use treat the NULL as the "end of string"

Seeing as the key name actually contains the NULL then all programs that use the Win32 API's won't be able to touch it because they are truncating the name

Probably the most interesting part of the "demo" pictures is that it highlights the lack of information being shown in the popup boxes...

 

Yes kareldjag, thank you for that interesting test. Also, I think docfleetwood has an interesting point. Perhaps RD should have a global option to ask approval for (block??) the insertion of any key or value whose name contains a NULL (or any non-printable character?). I suspect such keys are frequently used for time-limited software trials, but it would be nice to know what untouchable remnants will be left behind. More importantly, I wouldn't want such a key/value to be inserted anywhere in the registry without some sense of a good reason for it.

 

Jason,
I'll second that request - it fits the bill of being generic and easy to monitor for the creation of such keys (and values)...

I'm still hoping that we will be able to represent NULL's when we are constructing patterns containing wildcards.... that way we can detect the existing ones if we are really keen

 

Hi,

Thanks for the Belgian/French/Aussie/American feedbacks.

*Docfleetwood

I think that many members on this forum have already add the HKLM\Software Group to their rules!
The problem is that RegDefend has only 2 specific rules by default (statup in particular).

If i run the test with default's rules, RegDefend will surely fail.

As i said in my post, it's not a problem for the ones who are well informed about malwares methods.
But the newbie or the classical user may not add this rule to his configuration.

That's why i've suggested diiferent level of rules by default available in RegDefend's options.

In all case, how could you see if RegDefend has or not the ability to block this key (Systems Internals\Can't touch me) if you don't add the HKLM\Software registry group to your rules?

*As it 's said on the Sysinternals link this kind of value name includes "0" character as a part of the name.
I've also monitored the API calls used by RegHide (see the images).

And as said Gottadoit, the RegDefend's pop up box doesn't show exactly the name of the key (the installSpy report too).
If we allow the installation of the hidden key, we will not be able to see it (or to touch it) with RegEdit or RegDatXP: the value name is really hidden!

Regards

 

API calls of RegHide.exe:

 

Other API details:

 

Does anyone know of a free registry editor that does allow you to see hidden keys?