RegTest Released - Test your protection

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Mar 9, 2005.

  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    http://www.ghostsecurity.com/registrytest/

    This program, available at the above URL, will perform 2 tests on your computer to determine how well protected your registry is. Test 2 in particular simulates how a malicious file might act trying to stay active on your system.

    I think some of the results may surprise. :)
     
    Last edited by a moderator: Mar 17, 2007
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yep, Jason it works, don't know how you managed to close down the whole pc!
    I tried it with RegDefend enabled and without - Without RD enabled after reboot I was presented with the Regtest GUI which could easily have been malware :(
    Clicking the X in the regtest gui restored my desktop

    With RD enabled the PC booted normally after the test with no regtest GUI so I assume RD protected me ?

    Thanks. Pilli
     
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yes, RegDefend v1.150 protects against all attacks shown in this demonstration by default, no extra rules are needed. All you need to do is install RegDefend to be protected. :)
     
    Last edited: Mar 9, 2005
  4. dog

    dog Guest

    Hi Jason, ;)

    I tried it also successfully ~thanks to RegDefend~ :)

    Here's a couple of screen shots

    Steve
     


  5. dog

    dog Guest

    and #2 (log file entries)
     


  6. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Question on RegTest:

    When I first start RegTest and BEFORE Test 1 or Test 2, I get an alert from RegDefend that RegTest wants to modify in the AutoStart area:

    HKLM\Software\MS\Windows\CV\Run by adding 1regtest1. Am I supposed to Block this alert or Allow it?

    I seem to be passing the 2 tests. However, I have to manually power down on Test 2. I think Process Guard is blocking something during test 2. The number of attacks goes up by 2. At any rate, RegTest does not shutdown the system. I have to power down. I get no RegTest windows, etc., when I power back up.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, As far as I know you have to completely disable RD for it to show you that you can be compromised. RD now runs as a service and closing the gui does not stop protection so you have to exit it. With RD running you should always remain protected from the test.


    Pilli
     
  8. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Thanks for the comeback, Pilli.

    I do understand the part about needing RegDefend active for my system to be protected during the RegTest run. I do not understand, however, whether I am supposed to permit or block the RegDefend alert PRIOR to the tests even starting....the one concerning 1RegTest1. o_O
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi With RD running you would need to block the items that the test 1 does and you should see in the test list that the keys could not be modified.
    Disabling RD, you will see that the test successfully made the changes.

    What I find rather interesting is that neither RegRun or Giant show any alerts, so I assume all polling registry monitors can be compromised easily in this way. Quite an unnerving experience.

    Pilli
     
  10. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    That's the BEAUTY of RegDefend and ProcessGuard. They are proactive instead of reactive. If only someone could come up with a spyware/virus/trojan/worm engine that is the same...trapping BEFORE they are installed...and not noticeably compromise one's system performance.
     
    Last edited: Mar 10, 2005
  11. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Hi siliconman01 :).

    You bring up a good point that I'll briefly expand upon:

    The problem is that at the moment most Anti-virus and anti-spyware programs (as far as I am aware) poll for changes to the registry checking only every few seconds or so. Those few seconds can be a potential opening for malware to make modifications to the registry, and by the time that has happened many simply cannot fix without the help of specialist tools and the guidance of spyware/malware experts (even then it may be too late with some of the really nasty stuff out there). We are lucky now though, in that we have RegDefend....which stops programs before they can access the registry. Not to mention RegTest that enables us to see just how well it does :).


    Regards,
    Jade.
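The polling monitor Jade describes above, written out as an added example (this is not code from the thread, from RegTest or from Ghost Security). It snapshots the Run/RunOnce keys and diffs them every few seconds, which is exactly the design whose blind spot the thread is about: anything written and removed between two passes is never seen, and even a change that is seen is reported after the fact, not blocked. The key list and interval are assumptions; run it in an elevated PowerShell and stop it with Ctrl+C.

```powershell
# Added example: a minimal *polling* autostart monitor. Assumed key list and
# interval; not the RegDefend mechanism, which intercepts the write instead.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds that are not registry values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    # Returns a hashtable of "key\valuename" -> data for every Run/RunOnce entry.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    # Lists what was added, changed or removed between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    $events = @()
    foreach ($name in $After.Keys) {
        if (-not $Before.ContainsKey($name)) {
            $events += "ADDED   $name = $($After[$name])"
        } elseif ($Before[$name] -ne $After[$name]) {
            $events += "CHANGED $name : '$($Before[$name])' -> '$($After[$name])'"
        }
    }
    foreach ($name in $Before.Keys) {
        if (-not $After.ContainsKey($name)) {
            $events += "REMOVED $name (was $($Before[$name]))"
        }
    }
    return $events
}

# Polling loop. $IntervalSeconds is the blind spot: a value written and
# deleted inside one interval leaves nothing for this monitor to report.
$IntervalSeconds = 5
$previous = Get-AutostartSnapshot
Write-Host "Baseline: $($previous.Count) autostart entries. Polling every $IntervalSeconds s."
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-AutostartSnapshot
    foreach ($e in Compare-AutostartSnapshot -Before $previous -After $current) {
        Write-Host "$(Get-Date -Format s) $e"
    }
    $previous = $current
}
```

Shortening the interval narrows the window but never closes it, and it costs CPU on every pass; that is the trade-off a monitor that intercepts the registry write itself (as the thread says RegDefend does) avoids.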
     
  12. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The two alerts you see before the test starts are only there to "clean" the system of any left-over entries which may have occurred from previous tests. You should allow them, as they are simply deleting old entries if they exist. :)
     
  13. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Thanks Jason, :)

    I'd run it again, but if I have to "power" shutdown, it often causes the Quick Launch bar to be turned off. When I turn it back on, the icons (many) are reversed in order and I have to reorder them in a specific sequence I like.... :D That's not a RegTest problem, btw.
     
  14. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Hi !

    I'm going to make some testing tonight, but when I tested RegTest this morning, test 1 was ok , but test 2 was a failure, even with RegDefend activated, a window on reboot said that my system could be compromised by malware.

    I'll let you know if I found out some software compatibility issues.

    Before test 1, I got a prompt from RD , I block it
    On test 1 start, I block each modification from being made, all ok.
    On test 2, an RD window pops up, but I can't do anything as it disappears quickly and the system is rebooted.
     
    Last edited: Mar 11, 2005
  15. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Are you running RegDefend v1.150 ?
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    That is about the same scenario I experienced when I ran the test.

    xp pro sp2
    PG
    Panda platinum 7
    regdefend 1.150
    spybot s/d
    adaware
    Ms antispyware
    Win Patrol
    a2
    spywareblaster and guard
     
  17. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Hi Jason,

    Indeed, I'm using the registered version of RegDefend V1.150.
     
    Last edited: Mar 11, 2005
  18. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Anyone who is having the problem of RegDefend failing the RegTest might like to try doing a COMPLETE uninstall of RegDefend. Here is what I do:


    - Close/Exit RegDefend and copy your custom .ghst files to another location.

    - Now go to Add or Remove Programs and uninstall RegDefend. When prompted to reboot choose YES.

    - Once the computer has rebooted navigate to C:\Program Files (or whichever directory you installed to) and delete the RegDefend Folder IF it is in there.

    - Open regedit now: START> RUN> type in regedit and click OK

    - While in regedit do a search for regdefend and delete all entries found. If you have problems deleting the LEGACY_REGDEFEND keys, all you need to do is: right-click on it> select permissions> tick ALLOW next to Full Control> then Apply and OK it. You should now be able to delete them.

    - Also do a search for regtest while in regedit and delete any entries you find in there.

    - Reboot the computer.




    Once all that is done then re-install RegDefend and see how it goes now :). As always, make a backup of your registry before doing anything in there.


    Hope that helps.


    Regards,
    Jade.
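The manual regedit clean-up above, as a scripted added example (not from the thread or from Ghost Security; modern PowerShell, so it will not run on the Windows XP machines of 2005). It backs up the hives it will touch, lists every key or value whose name or data contains the search strings, and deletes only when -Remove is given, granting Full Control first so the LEGACY_* keys under Enum\Root can go, as Jade describes. The search roots, the pattern list and the backup location are assumptions; run it elevated and read the listing before adding -Remove.

```powershell
# Added example: scripted equivalent of "search regedit for regdefend/regtest
# and delete what you find". Assumed search roots and patterns.
param(
    [string[]]$Pattern = @('regdefend', 'regtest'),
    [switch]$Remove,
    [string]$BackupDir = "$env:TEMP\reg-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\Software')

function Backup-RegistryRoots {
    # "Make a backup of your registry before doing anything in there."
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($r in $Roots) {
        $native = $r -replace '^HK(LM|CU):\\', 'HK$1\'   # reg.exe wants HKLM\... form
        $file = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
        & reg.exe export $native $file /y | Out-Null
    }
    return $BackupDir
}

function Find-RegistryMatches {
    # Keys whose name matches, and values whose name or data matches, any needle.
    param([string[]]$Needles)
    $hits = @()
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($n in $Needles) {
                if ($key.PSChildName -match $n) {
                    $hits += [pscustomobject]@{ Kind = 'Key'; Path = $key.PSPath; Name = $key.PSChildName }
                    break
                }
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = [string]$key.GetValue($vn)
                foreach ($n in $Needles) {
                    if ($vn -match $n -or $data -match $n) {
                        $hits += [pscustomobject]@{ Kind = 'Value'; Path = $key.PSPath; Name = $vn }
                        break
                    }
                }
            }
        }
    }
    return $hits
}

function Grant-FullControl {
    # regedit > Permissions > Allow Full Control, for the current user.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Write-Host "Backups written to $(Backup-RegistryRoots)"
$found = Find-RegistryMatches -Needles $Pattern
$found | Format-Table Kind, Name, Path -AutoSize

if ($Remove) {
    # Values first, then keys deepest-first so parents are removed last.
    foreach ($m in $found | Where-Object Kind -eq 'Value') {
        Remove-ItemProperty -Path $m.Path -Name $m.Name -ErrorAction Continue
    }
    foreach ($m in $found | Where-Object Kind -eq 'Key' |
             Sort-Object -Property { $_.Path.Length } -Descending) {
        if (-not (Test-Path $m.Path)) { continue }
        try { Remove-Item -Path $m.Path -Recurse -Force -ErrorAction Stop }
        catch {
            Grant-FullControl -Path $m.Path
            Remove-Item -Path $m.Path -Recurse -Force
        }
    }
}
```

The -match test is a case-insensitive substring match, so a pattern as short as "regtest" will also list unrelated keys that happen to contain it (the MUICache and ARPCache hits mentioned later in the thread are examples of entries that are harmless to leave); that is why the script prints the list and only deletes on an explicit -Remove.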
     
  19. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    How come ALL RegDefend entries aren't removed when doing an uninstall ?

    eg.

    - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    - HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security
    - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RegDefend_is1
    - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REGDEFEND
    - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_REGDEFEND
     
  20. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    I just had a bad experience with test 2.
    With RD set to block, my PC was rebooted during the test. On attempting to ‘Log in’ I was immediately ‘Logged out’ again during which the PC hung. This happened on 3 attempts.
    I then selected to ‘Boot with last known good settings’. Logged in OK this time, and after all that I was told I’d failed the test. Don’t think I’ll be trying that one again in a hurry! :doubt:
     
  21. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Blame the legacy keys on Windows. The MUICache one is due to you searching for RegDefend in some Windows program (same with the ARPCache one, but I'm not so sure on that one, something to do with Inno Setup, the installer, I think...).
     
  22. cqdx11

    cqdx11 Registered Member

    Joined:
    Oct 13, 2004
    Posts:
    14
    Location:
    france
    Hi !

    I made a fresh install of RegDefend, with Jade's uninstall procedure, but it was useless, still failing test n°2 ...
     
  23. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Strange indeed.

    Just to double check, did you also remove any entries found in regedit for regtest? And when you first run RegTest, are you allowing that initial RD alert, as it is there to clean the system of any left-over entries from previous tests?


    Regards,
    Jade.
     
  24. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Jason, if you ever grow tired of programming, there would appear to be a career for you in marketing.
     
  25. dog

    dog Guest

    Just a guess here ... but seeing as Regdefend doesn't support 95/98/ME ... I'd guess neither does RegTest. You're running 98 right?