I just performed tests with Armadillo 4.x protected malware (Optix Lite 0.4). Code splicing + copy mem II + debug-blocker was enabled. Incidentally, I noticed that RegDefend did not block or show an alert when the Optix server registered itself (autostart entry). That's why Regrun's alert was triggered. I did not investigate this issue in more detail. Therefore, I am unable to rule out that RegDefend was not correctly configured. But someone may want to have a look.