Tested against Scoundrel Simulator

Hi,

I tested it against Scoundrel Simulator which commits four registry changes commonly used in malicious softwares. (Well yes I know the test tool was made by a different vendor, but it seems to fit for the task anyway.) The default keyset of RegDefend only covers one out of these four changes. So the test ran as expected: one of the changes was blocked, and other 3 succeeded. I will also test it with the specific keys added to the protection list. [Edit: after adding the specific keys to the protected ones, RegDefend blocks the registry attacks of this test app.]
-hojtsy-

 

Hey there,

Do you by any chance know what registry keys were altered?

Will download the program and test it out.

Kind Regards
----

Found 1.. For stopping the modification of the Registry.....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Found another.. For stopping the loading of Control panels

HKEY_CURRENT_USER\Control Panel\don't load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load

And for Internet Options.....
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

 

So based on what you are finding, is there a recommendation for additional custom rules to help us DEFEND our boxes?

 

Thanks for testing hojtsy , if you could list the keys needed to be protected for this test program and any others I will add them to the next build of RegDefend.

 

Hi,

As it was discussed on some posts, registry monitoring is an impoertant function to increase the security.
I've done a little example of one of this utility and a tool to test it:
https://www.wilderssecurity.com/showpost.php?p=346815

Bur many of these tools (free or not) could be bypassed.
With Scoudrel Simulator for instance, only Spysweeper detects the "starpup user" entry, but not Tea-timer, RegDefend, Master your Windows or startup Inspector (RegDefend is the more rapid for the other test).


And Scoudrel Simulator is a basic test utility.
There's some methods used by rootkits in order to bypass some registry protections.

Consequently, Having RegDefend with monitoring and BLOKING features could be more interesting.
In fact, with this kind of blocking features, any new key could not be added without our permission (new soft, update etc...).


In any case, congratulation for RegDefend and good luck in your own business.

Regards

 

Jason,
I'm wondering now if you have seen hojtsy's impressive Registry Monitor comparison thread where there is a nice list of keys to monitor....
I had assumed that you already had or that someone would have told you by now

So just in case and at the risk of pointing out the obvious, the link is above

 

Yes I know of that thread, however some of the information as to why the specific keys are there is missing. I don't necessarily want to add rules for items which aren't that important and which may generate a lot of extra confirmations to the end-user, which is why a lot of them will need to undergo some testing.

 

As rodsoto already found the not-yet-covered keys abused by Scoundrel Simulator are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Control Panel\don't load
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
After configuring these keys, the registry attacks of Scoundler Simulator, and of the scoundlers it simulates, are blocked. During adding these keys I found that it is very tiresome to add many keys, please try to improve this part of the GUI (such as adding the key by name instead of browsing the tree).

Each key in that list has a link going to a report about a trojan abusing that specific key. That is the answer to the "why". Sorry but that is the most I can provide for now. I won't have the time to explain/research/document the usage/format/syntax/dangers of every one of those many keys. Especially considering that I am doing this for free. Even the presence of the list should provide a solid ground for further investigations, and after that your best friend is google. (Hmm makes me remember of the author of WinPatrol asking me some kind of tutorial for my key list. After I declined he didn't put any new one of those keys into WinPatrol.)

Users of MJ-RegWatcher already participated in the testing for the number of confirmations dialogs for that key list. Why not ask them? For me after proper configuration 95% of those keys generated zero warnings when I was not deliberately (re)configuring something.
-hojtsy-

 

I am one of those users and it hasn't caused me much pain, I do get quite a few alerts about services being created, but that is by choice

Seeing as RegDefend has groups it wouldn't be particularly hard to have a look at the MJRW different list sets ( light, default, medium, high, highest or custom ) and make your own set of groups that provides something similar

If the groups can be flagged to be enabled/disabled then you can deliver a product with the full list configured and make it easy to become more/less paranoid about what is being monitored

As far as being cautious about what is being added I understand where you are coming from but configuration (enable/disable groups) and operational flexibility (imp/exp key and app data) will allow you to satisfy the most picky of us to the ppl that want it to work out of the box and then let them learn and slowly enable more features (without necessarily needing to deal with the complexity)

My 3p

 

Great idea. I like it.

Rich