RegTest Released - Test your protection

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Mar 9, 2005.

  1. vlk

    vlk AV Expert

    BTW... just noticed this little tool and tried it out... Unfortunately I have to say that I don't think the way it's working is correct, actually.

    That is, for simple registry blockers the results will certainly be positive. However, for more sophisticated/powerful tools (redirectors/virtualizers) it says the test failed even though it has not!

    Redirectors/virtualizers work in the way that they make the application believe that all the operations succeeded - but the underlying storage is left intact. When the application tries to read the data it has written, it gets them correctly - but these are in fact spoofed by the virtualizer.

    It would be really helpful if your tool could handle this kind of sophisticated applications and correctly report that they're doing their job well. Otherwise, the results may be very confusing for the user.

    Cheers
    Vlk
  2. EASTER.2010

    EASTER.2010 Guest

    KIS6 passes all this test. Other security related wares like AS/AT's and even some HIPS didn't fare as well on at least #1.
  3. aigle

    aigle Registered Member

    GW passes it (Test one is virtualized, so it's a pass).
    Test 2, that's wonderful to see via GW policy notifications, such a huge no. of policy restrictions blocked by GW and test 2 can't reboot the system, a total success of GW.
  4. aigle

    aigle Registered Member

    Hi, it is a more than PASS in my opinion as malware is fooled in a way that it has done its job. I don't see anything wrong in the test as long as you understand it.
  5. vlk

    vlk AV Expert

    All I'm saying is that if there's a virtualizer in place, it's more than PASS but RegTest reports it as FAIL. Which is very confusing for the user (and all the "testers" out there who rely on RegTest's report).

    Cheers
    Vlk
  6. lucas1985

    lucas1985 Retired Moderator

    vlk,
    I agree with you. However, people playing with these tests are aware of a lot of things :)
    I don't see the average Norton/McAfee/Trend user playing with security demos/tests.
  7. vlk

    vlk AV Expert

    I don't quite agree. The mere goal of the RegTest program is to test certain functionality and report the result of the test to the user.

    Now it turns out that for certain classes of programs, the reported result is incorrect. How can then the user tell if that's because the program is really unable to shield registry attack - or rather because RegTest just can't see it?

    Take e.g. this test here: http://www.techsupportalert.com/security_HIPS.htm
    I'm sure the author RELIED on the results reported by RegTest, without really looking for a reason if an application failed.

    Cheers
    Vlk
  8. lucas1985

    lucas1985 Retired Moderator

    If I am going to do some public tests, I must know the inner workings of the products tested and the tools used for testing.
  9. aigle

    aigle Registered Member

    Why are you so sure? I don't think he is not aware of this simple fact.
  10. Jason_R0

    Jason_R0 Developer

    It isn't really my responsibility to ensure people who use RegTest know how it works, and how a HIPS works either. We see this kind of misreporting of software testing in many places. Most people who read RegDefend's forum know a lot more about how HIPS work than most of the reviewers out there.

    There is no real way of knowing if you are under a "virtualizer" as you called it or not, unless you specifically try and detect the presence of them. If you were at ring0 (like a driver) you could probably fool the "virtualizer" and get around its protection, which is why you need protection against driver installations. However since most malware is ring3, I think RegTest serves the purpose of being a generic attack for registry defenders to test themselves against.
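
The disagreement in this thread, shown as an added example that is not part of any post and is not RegTest's or any product's code: a toy model of a blocker and a virtualizer, judged once from inside the guarded process and once against the backing store. It assumes the in-process tester decides by write status plus read-back; all class names, function names and the key are hypothetical.

```python
# Constructed model, not RegTest's or any product's code.
class Registry:
    """Stands in for the real backing store (the actual hive)."""
    def __init__(self):
        self.data = {}

class NoProtection:
    """View of the registry as seen by the process under test."""
    def __init__(self, real):
        self.real = real
    def write(self, key, value):
        self.real.data[key] = value
        return True
    def read(self, key):
        return self.real.data.get(key)

class Blocker(NoProtection):
    def write(self, key, value):
        return False                      # write is denied outright

class Virtualizer(NoProtection):
    def __init__(self, real):
        super().__init__(real)
        self.overlay = {}
    def write(self, key, value):
        self.overlay[key] = value         # reports success, real store untouched
        return True
    def read(self, key):
        return self.overlay.get(key, self.real.data.get(key))  # spoofed read-back

def in_process_verdict(view, real, key, value):
    """Assumed tester logic: judge by write status plus read-back."""
    return "FAIL" if view.write(key, value) and view.read(key) == value else "PASS"

def out_of_band_verdict(view, real, key, value):
    """Judge by the backing store, read from outside the guarded view."""
    view.write(key, value)
    return "FAIL" if real.data.get(key) == value else "PASS"

def compare(protection_cls):
    key, value = r"Software\Example\Run\demo", "constructed-marker"  # constructed
    verdicts = []
    for judge in (in_process_verdict, out_of_band_verdict):
        real = Registry()
        verdicts.append(judge(protection_cls(real), real, key, value))
    return tuple(verdicts)

if __name__ == "__main__":
    for cls in (NoProtection, Blocker, Virtualizer):
        print(f"{cls.__name__:13} in-process={compare(cls)[0]} out-of-band={compare(cls)[1]}")
```

Only the virtualizer row differs between the two columns, which is the case where a reviewer relying on the in-process verdict alone would record a failure for a product whose backing store was never modified.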