RegTester Test

Discussion in 'Ghost Security Suite (GSS)' started by Rmus, Nov 5, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I was interested in this test, and am confused by a couple of things.

    Test 1 states:

    "This test works by modifying several autostart values in the registry then quickly rewriting the original contents. This test will determine whether or not the registry protection you have is quick enough to catch the change. If it is not then the fact is your registry can be modified without you knowing."

    I'm not sure what this proves: no malware is going to do that.

    "Most registry programs simply poll/read the registry every few seconds which means they will never catch everything which is written."

    I set the Monitor program I have to scan at 15-second intervals, then manually made a quick Registry change between scans, and on the next scan, the change was flagged.

    I'm considering purchasing RegDefend because it certainly has deeper protection than other programs in other areas, but the above test #1 seems to me to be a bit misleading, unless I'm missing something.

    thanks for any clarification.


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    I don't understand, malware is going to do what? Write to the registry? Or are you being confused by the fact that the test writes to the registry and then rewrites the original contents back to the registry, thus effectively undoing the write?
    Yes, the change was flagged, after the change was made. I would venture you were given the choice of accepting the change or denying it, after which your monitoring program would then have basically deleted the change to the registry. But on a fast computer 15 seconds of time is a lot of time; any malware could/would be 2/3 steps past the registry write. What if the registry write was the last step before the malware rebooted your computer, and said write was to the ...\Run section? When your computer booted it would then run whatever the malware set, which could cause said malware to become more deeply entrenched on your computer. On a RegDefend (RD) protected machine, when a protected registry area is accessed you are notified immediately and given the option of whether to allow the write to continue or not. There is no going back afterward and undoing any registry changes.

    You have stated one of the advantages of RD over the other registry monitoring programs, deeper protection. Another advantage RD has is it is completely user configurable. By that I mean you the user can accept the default rules and not have much, if any thing, to worry about as far as something getting on your system and causing harm. Or you can add other registry keys/values to the protection and tighten things down to your liking.

    It is worth giving the 14 day trial a run on your system and seeing how you feel about it after a few days. Most here consider RD a must have security program; I know I will not connect to the Internet without it, but that is only my 2¢. I hope I have helped you understand what the test is pointing out about other registry monitors.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, that's what I meant, undoing the write.

    Can you list some known malware that reboots like this?

    Not here, since my C:\ (which includes the Registry) is locked down, and would revert to original state on a reboot.

    Yes, I understand that. I'm interested in setting up a Reg monitor of some type on a system for someone else, not for myself.

    Will consider that. Thanks for the clarification on the test.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. Haack

    Haack Guest

    Does it matter if there are or there isn't?

    You miss the point entirely.
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Rich,

    If you don't have registry interception (RegDefend) for this type of "malware event", then all the malware needs to do is create a thread, then constantly rewrite whatever it wants to the registry in this thread, whilst its main thread does its malware "thing".

    When the 15 seconds (or whatever the interval is) comes around and your monitoring program detects the change, what good will it do, considering that the malware will continue writing it? Your monitoring program also won't tell you which process is doing the writing, so that you can stop it.

    In this scenario, RegDefend would alert you to the fact that something was trying to change the registry (without allowing the change, unlike a monitoring program), allow you to terminate the THREAD or PROCESS performing the operation, and also tell you what the process is, for further investigation. :)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Jason,

    That clears things up!

    -rich
     