RegTest Released - Test your protection

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Mar 9, 2005.

  1. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Yes, Jade, I do remove all references to both regDefend and regTest.

    Anyway, it shouldn't be a problem with leftover parts of previous test, as it failed from the beginning.

    I tested various scenarios, with allow, blocking, remember checkboxes on initial alert, but as far as I know, this hasn't changed anything on the test 2 failure.
     
  2. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    I plucked up the courage to repeat test 2. The same thing happened as before –

    Run the test 2 – Various things flash up on screen very quickly and RD informs me something has been blocked. The system shuts down.

    The system boots up to the ‘Login page’. I log into my account. On logging in and before I actually see my desktop, an error box flashes up – something to do with failing to load explorer.dll. The system starts to log out (without me doing anything) and locks up requiring a hard reboot.

    I login again and this time, windows automatically goes into the, ‘Windows is shutting down’ routine before I see my desktop.

    The 3rd time I try to login, the RD Test screen appears and tells me I’ve failed the test. I then get logged in correctly. :doubt:

    Windows XP Home. Athlon 64 3500+
    NIS2005, SpySweeper 3.5, TH Guard, RegDefend.
     
  3. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    This afternoon, I decided to test something :

    I formatted c:, installed Windows XP Pro SP2 French and installed RegDefend, nothing else, no resident progs, no tweaks.

    ... and test 2 was again a failure ...

    System quickly rebooted after I hit test 2, I just saw an alert from RD, but too quickly to react.

    On first reboot, I just saw my wallpaper, it hung a while and rebooted by itself.
    On second reboot, the fatal "system can be compromised" showed up.

    I was suspecting a software issue with my security apps, but looks like it is more likely to be a hardware issue or issue with XP on some systems.

    Just let me know if I can be of any help trying to find out what's causing problems with regtest + regdefend.



    Contact : < e-mail removed to prevent harvesting - puff-m-d >
     
    Last edited by a moderator: Mar 12, 2005
  4. Kegel

    Kegel Registered Member

    Joined:
    Oct 28, 2003
    Posts:
    159
    Just curious. Why would you be so interested in an obscure program like regdefend, be up to date on internet and computer security and STILL be running Windows 98?
     
  5. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I think you may find that his interest is in the testing to see how his setup copes, and not in Regdefend itself.

    Also, people who use Win 98 are most likely BETTER protected because most of the new malware only runs on Win XP. In a weird, perverse way it must be quite comforting to the Win 9x users to see all these nasties that don't support Win 9x. I mean if you were a virus writer, what OS would you be creating your new nasty on? The percentages say Win XP! Would you have the inclination to test it on Win 9x systems as well? Probably not.

    muf
     
    Last edited: Mar 12, 2005
  6. Kegel

    Kegel Registered Member

    Joined:
    Oct 28, 2003
    Posts:
    159

    good point.
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    At the moment RegTest doesn't support Windows 9x, but it will just take a small recompile and some other tweaks to make it work on Win9x. The way RegTest "works" too will also work on Windows 9x just fine, so malware could target it the same way.

    For the next version I will make sure it is tested/works on Win9x too. :)
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Could you guys who have RegTest work even when RegDefend is enabled see if you have a key in your registry located here :-

    (use regedit)
    hkey_local_machine\system\currentcontrolset\services\1regtest

    And if you do, delete the whole key, and retry the test. Also make sure RegTest isn't on your allow list (program overrides), and that both of the default registry groups (Autostarts and Special Items) are enabled.
     
  9. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    I found the following "regtest" keys in my registry :

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_1REGTEST
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_1REGTEST\0000

    ...deleted it.

    RegTest is not on my RegDefend allow list.
    The 2 default register groups are protected.

    Still failing test n°2
     
    Last edited: Mar 13, 2005
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Can you explain what you see on Test 1 cqdx11?
     
  11. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Yep,

    Regtest.exe [1144] tried to modify the following registry VALUE with this data
    This registry item is in the AUTO STARTS Registry group
    Process : d:\to burn\regtest.exe
    Registry key : HKEY_LOCAL_MACHINE\software\microsoftwindows\currentversion\run
    registry value 1regtest1

    Allow or Block

    BLOCK

    Click on Test1 introduction

    Click on Start Test1

    Regdefend pops up to tell me Regtest tried to modify the protected value and to set a value to possible virus.exe.
    I block each attempt and modification fails.

    HKEY_LOCAL_MACHINE\system\controlset001\control\session manager
    hkey_current_user\software\microsoft\windows\currentversion\run
    hkey_current_user\software\microsoft\windows\currentversion\run
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
     
  12. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1RegTest
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_1REGTEST\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_1REGTEST\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_1REGTEST\0000

    I found the above reg entries. I couldn’t delete the Legacy ones for some unknown reason? I haven’t retried the test as yet.
     
  13. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Hi ReGen :).

    In my instructions for complete uninstall I gave instructions how to remove those legacy entries. Have a read here.

    If you follow the instructions you should be able to delete them easily ;).


    Regards,
    Jade.
     
  14. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    Ahhhh! Missed that. Thanks Jade. :)
     
  15. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    OK! Uninstalled RD, cleared the Registry of everything to do with RD and RT. Reinstalled RD with the default settings. I run RT. I block all the items in test 1. Pass! I run test 2 – and exactly the same thing happens as before. A couple of error boxes flash up on screen (no idea what they say), system reboots. 3 reboots later I get the system back, RD says test failed.
    Even my Motherboard didn’t like it this time. Having detected windows not starting correctly, it automatically reduced the CPU timing down the way to play it safe. :p
     
  16. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    I ran regtest with regdefend running and failed test 2. Then I realized I had regdefend version 1.10 rather than 1.15. I installed 1.15 and voila, test 2 failed - at least I assume it did since I didn't get a window upon restart. Although regdefend also did not give me any warnings that anything was happening or, in fact, did happen - even in the log.

    My question to you, Jason, is what, apparently extremely important thing, did you discover between versions 1.10 and 1.15 that allows regdefend to pass?
     
  17. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The only thing was that the protection remains active whilst the GUI is not running. I thought it would be good in earlier versions if the protection was "disabled" when the GUI was shutdown, obviously though this isn't very secure. :)

    So now if the GUI is shutdown and an "ASK USER" event occurs, it just blocks it instead of asking.
     
  18. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Hi I'm having the same problem as everyone else where Regdefend fails Test 2 of Regtest. Using RD 1.15 trial.

    I'm doing it on a microsoft virtual PC. I posted a separate thread here detailing my troubles, so refer to it if needed. But basically the behavior is identical as others describe here with the PC rebooting twice before finally coming up with the failure notification....

    Jason, if you want to duplicate this using VPC, there is a trial version of VPC 2004 available from Microsoft.com.
     
  19. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
  20. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    I downloaded the beta, but it still fails test 2. This time, it doesn't reboot a second time though. It does the initial reboot after Test 2, goes all the way through the boot-up, and I get the "Your system can be compromised" message immediately. Clicking the top right X brings my desktop as normal.

    I guess I would still suggest trying to test it yourself on VPC, that's probably your best bet for duplicating since that's where I'm seeing the trouble. If you do, don't forget to install the virtual machine services additions.

    Besides, I would be more concerned about the vulnerability in Regdefend that causes it to fail Test 2 on certain machines, than I would about making a Regtest that doesn't exploit that vulnerability. Just my opinion :rolleyes:

    Thanks for your help!!
     
  21. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The RegTest beta was to help pinpoint where RegDefend was failing on your machines... so maybe you shouldn't jump to conclusions there. :)

    RegDefend has been tested on VPC and VMWARE with RegTest, and it works fine, as in it passes test 2 fine here.

    Can you please delete all the old registry values as listed by Bowserman and then retry the test? The behaviour you are describing is a bit different than what should be happening.
     
  22. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Same results as JimmyTop, it boots only once instead of twice.

    (registry keys related to regtest have been erased prior to regtest beta setup)
     
    Last edited: Mar 14, 2005
  23. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Ok I think I have found the issue.... when the GUI shuts down due to RegTest closing it, the driver allows the last item which is being "asked" instead of blocking it. On some machines due to timing, there might not be any items waiting and hence when closing down it won't allow any items and still block the test fine.

    Anyone interested in testing the new driver can email me at :- support@ghostsecurity.com
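    As an added illustration (not RegDefend's own code), here is a small model of the two behaviours Jason describes in this post and in post 17: a write arriving while the GUI is down is blocked rather than asked, and an item already parked as "ask" when the GUI disconnects must also resolve to block; `fail_open` reproduces the bug where the last parked item was let through. The registry paths are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>

/* Verdict the filter driver returns for an intercepted registry write. */
typedef enum { VERDICT_ASK, VERDICT_ALLOW, VERDICT_BLOCK } verdict_t;

/* An intercepted write parked while the GUI asks the user. */
typedef struct { const char *key; verdict_t verdict; } pending_t;

#define MAX_PENDING 8
static pending_t pending[MAX_PENDING];
static size_t n_pending;
static bool gui_connected = true;

static void reset_state(void) { n_pending = 0; gui_connected = true; }

/* A write to a protected key arrives. With no GUI there is nobody to ask,
   so the only safe answer is BLOCK; otherwise park it as ASK. */
verdict_t intercept_write(const char *key) {
    if (!gui_connected) return VERDICT_BLOCK;
    if (n_pending == MAX_PENDING) return VERDICT_BLOCK;  /* queue full: still deny */
    pending[n_pending].key = key;
    pending[n_pending].verdict = VERDICT_ASK;
    n_pending++;
    return VERDICT_ASK;
}

/* GUI disconnects (closed, crashed or killed). Every parked ASK must be
   resolved. fail_open=true models the bug from the thread: the last item
   being asked is let through instead of blocked. */
void gui_disconnect(bool fail_open) {
    gui_connected = false;
    for (size_t i = 0; i < n_pending; i++) {
        if (pending[i].verdict != VERDICT_ASK) continue;
        bool last = (i + 1 == n_pending);
        pending[i].verdict = (fail_open && last) ? VERDICT_ALLOW : VERDICT_BLOCK;
    }
}

/* Number of parked writes that ended up allowed; a correct driver returns 0. */
size_t count_allowed(void) {
    size_t n = 0;
    for (size_t i = 0; i < n_pending; i++) n += (pending[i].verdict == VERDICT_ALLOW);
    return n;
}

/* Replay the Test 2 situation: two writes parked, then the GUI vanishes. */
size_t run_scenario(bool fail_open) {
    reset_state();
    intercept_write("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"); /* constructed */
    intercept_write("HKLM\\System\\CurrentControlSet\\Services\\sample-svc");  /* constructed */
    gui_disconnect(fail_open);
    return count_allowed();
}
```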
     
  24. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Hi,

    The new driver doesn't work for me.

    Procedure :

    RegDefend clean uninstall
    close, remove, reboot, clean registry entries

    RegTest clean remove
    Cleaned registry entries

    Reboot

    Applied the modified driver
    Rebooted twice

    Test 2 :

    it closes down system quickly, without showing any alert window
    it reboots two times
    on second reboot, the "compromised security" window appears.
     
  25. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Was this with the BETA regtest or the public release one? Have you tried both?
     