RegdatXP

Discussion in 'other anti-malware software' started by WilliamP, Aug 28, 2004.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I was reading about RegdatXP being able to detect root kits. I was just wondering if anyone has used this software.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    I read somewhere out there that rootkits are not a threat to Windows as much as Linux or Unix.

    Since I just made this statement, there should be a flurry of replies! :D
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I don't know anything about that. All the information about root kits that I have seen is about Windows. Don't plan to get one but am interested in this program because it is claimed that it is about the only thing that can spot one.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Here's an article. Maybe it is a worry.

    Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."

    http://www.securityfocus.com/news/2879
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Does anybody have a link for the makers of RegdatXP?

    Thanks in Advance.
     
  6. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the link WilliamP.

    It looks like a registry analysis or checksum type comparison to compare a backed up registry with the current one.
    But I don't see how it could help detect a rootkit. I thought they can conceal themselves from the registry completely. If it compares the current registry to a backup, couldn't the rootkit make the backup registry look just like the current one to hide itself? You could counter that by storing the backup registry off computer, but then wouldn't the registry change and be different from the backup during normal everyday use?

    Maybe I am missing something. There wasn't a lot of info on the site. Do you have the article where it mentioned how it is used to detect rootkits?
     
  8. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I bought RegdatXP a short while ago and have only scratched the surface as far as what it can do. It is basically an offline registry toolkit (browser, editor, etc). I use it in conjunction with ERUNT registry backups, and compare the live registry to the last backup. Concerning rootkit detection, it will compare live registry keys to offline keys and look for hidden keys not normally visible in Regedit when the rootkit is loaded (see the settings dialogue below). The help file is somewhat vague about the methods used.

    Concerning Windows rootkits in general, I've only played with Hacker Defender on a test machine and it does work.

    Nick
     

    Attached Files:

  10. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Nick, do you have to have ERUNT to create a registry backup? I thought that RegdatXP made a backup.
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi nick s,

    So in order for RegdatXP to detect the hidden keys you have to have a clean registry backup? It cannot detect the hidden keys if you don't have a reg backup?
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    True, both do backups. I prefer ERUNT at the moment because it can restore the registry using a batch file from the Recovery Console.

    Nick
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    A clean backup is not necessary. The copy only has to be "offline" (meaning not under the influence of the rootkit).

    Nick
     
  14. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Nick!

    That is one cool program. :cool:
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  16. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Nick, what actually do you mean by offline?
     
  17. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Offline means not loaded by Windows, such as the copies in C:\System Volume Information, in C:\Windows\repair, or in ERUNT backups.

    Nick
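The comparison nick s describes in posts 9 and 17 (live registry versus a copy Windows has not loaded) can be shown with a small cross-view diff. The script below is an added illustration, not RegdatXP's code and not a reader of the real Windows registry: both inputs are constructed .reg-style exports embedded inline, and the key names HiddenSvc, HiddenEntry and NewApp are made up. It also addresses Devinco's question about everyday changes by reporting entries that exist only in the live view as ordinary churn rather than as a rootkit sign.

```python
"""Cross-view registry comparison: an added illustration of the method
described in the thread, not RegdatXP's code. A rootkit that filters
registry API calls can hide its keys from Regedit, but it cannot alter a
hive copy that Windows never loaded (System Volume Information, the repair
folder, an ERUNT backup). Diffing the two views exposes what is hidden.
Both inputs are constructed .reg-style text so the script runs anywhere."""
import re
from collections import OrderedDict

# Constructed sample: an export taken on the running system (through the
# rootkit's hooks). "NewApp" was added after the offline copy was made.
LIVE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NewApp"="C:\\Program Files\\NewApp\\newapp.exe"
"""

# Constructed sample: the same hives read from an offline copy. "HiddenSvc"
# and "HiddenEntry" are made-up names standing in for what a rootkit hides.
OFFLINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HiddenSvc]
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\hiddensvc.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HiddenEntry"="C:\\WINDOWS\\system32\\hidden.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, OrderedDict())
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def cross_view_diff(live, offline):
    """Classify differences between the live view and the offline copy.
    Present offline but absent live is the rootkit indicator, provided the
    offline copy is current (a stale backup also lists keys the user deleted
    legitimately). Present only live is ordinary churn since the copy."""
    result = {
        "hidden_keys": sorted(set(offline) - set(live)),
        "new_live_keys": sorted(set(live) - set(offline)),
        "hidden_values": [], "new_live_values": [], "changed": [],
    }
    for key in sorted(set(live) & set(offline)):
        for name, data in offline[key].items():
            if name not in live[key]:
                result["hidden_values"].append((key, name))
            elif live[key][name] != data:
                result["changed"].append((key, name, live[key][name], data))
        for name in live[key]:
            if name not in offline[key]:
                result["new_live_values"].append((key, name))
    return result


def main():
    diff = cross_view_diff(parse_reg_export(LIVE_EXPORT),
                           parse_reg_export(OFFLINE_EXPORT))
    for label in ("hidden_keys", "hidden_values", "changed",
                  "new_live_keys", "new_live_values"):
        print(label)
        for item in diff[label]:
            print("   ", item)


if __name__ == "__main__":
    main()
```

Run as-is it lists HiddenSvc under hidden_keys and HiddenEntry under hidden_values, while NewApp lands under new_live_values. Two caveats for anyone adapting the idea to real hives: Windows key and value names are case-insensitive, so a production comparison should normalise case before diffing, and the offline copy must be taken at roughly the same time as the live view (nick s's point that it need not be clean, only unloaded), otherwise every key deleted since the backup shows up as a false "hidden" hit.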
     
  18. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Thank you Nick for the information. Needless to say I don't plan to get a Root Kit. But these programs would be nice to have if you were unlucky enough to get one.
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    After seeing what a rootkit can do, I did not hesitate in buying Process Guard when it was released.

    Nick
     
  20. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I also have Process Guard. I feel that it is the most important security program that I have.
     
  21. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have already downloaded ERUNT and made a backup.
     