# Tip: Registry vulnerability test - Not for 95/98/ME



## lotuseclat79 (Sep 12, 2003)

Here.

-- Tom


----------



## JohnWill (Oct 19, 2002)

Looks like this is just an ad to help them sell their RegDefend product.


----------



## lotuseclat79 (Sep 12, 2003)

Hi John,

It could well be, but it always helps to know the limits of what you have! 

-- Tom


----------



## JohnWill (Oct 19, 2002)

Well, I'd suspect that most folks' registries are very vulnerable, and I'll bet that's what the "utility" will tell you.


----------



## lotuseclat79 (Sep 12, 2003)

I suspect you are right about that John! Still, wouldn't you want to know?

-- Tom


----------



## JohnWill (Oct 19, 2002)

Nope!  I love keeping my head in the sand.


----------



## new tech guy (Mar 27, 2006)

Would a program like SpywareBlaster count as registry defense? J/w guys.


----------



## JohnWill (Oct 19, 2002)

You'd think that Spywareblaster would count, but for this walking advertisement for their product, it's hard to know.  Try it and see...


----------



## new tech guy (Mar 27, 2006)

I know I see the blocklist in Internet Explorer's restricted list, it's in my Firefox restricted list, and there is a list in the registry, as I see Registry Mechanic go through it during scans. I will let you know.


----------



## new tech guy (Mar 27, 2006)

Well, I ran it and the system just failed miserably. It said it was able to do everything. However, I believe my system is safe without it, as SpywareBlaster stops the files from entering anything while still over the internet. No file, no infections. Just like the Roundup commercial: "no root, no weed, no problem." So far with my protection, I have not found anything with my antispyware scanner (which is AdAware). I agree that it is probably just a rolling ad.


----------



## lotuseclat79 (Sep 12, 2003)

Hi new tech guy,

I doubt that SpywareBlaster counts as registry defense, because registry defense means something other than what SpywareBlaster does. SpywareBlaster uses the registry to defend the computer against spyware/adware sites, but it itself is vulnerable to malware programs that, if they manage to get past your firewall and security programs such as AV or AT or HIPS, can write to the registry to implant their malware.

Try the following experiment: download and install the freeware research HIPS at Prevx here: http://www.prevx.com. Look for the Prevx1R link at the bottom of the webpage.

Then reboot and rerun the registry vulnerability test.

You can believe your system is safe without RegDefend, but SpywareBlaster cannot protect you from everything. Spyware is not the only thing our systems are vulnerable to.

Just one drive by malware can hide on your system. Most folks that use TSG or any other support forum really don't have a clue about security.

-- Tom


----------



## JohnWill (Oct 19, 2002)

Well, I've been running many systems here for a lot of years without RegDefend, and so far they've done quite well without its help.

Every security vendor hawking their wares has an angle, but if we were to believe the advertising hype of all of them, we'd have so many security applications loaded that we couldn't do anything else!


----------



## lotuseclat79 (Sep 12, 2003)

JohnWill said:


> Well, I've been running many systems here for a lot of years without RegDefend, and so far they've done quite well without its help.
> 
> Every security vendor hawking their wares has an angle, but if we were to believe the advertising hype of all of them, we'd have so many security applications loaded that we couldn't do anything else!


Hi John,

Yes, you are running other security software to protect your computers. I'm not hawking RegDefend, just the protection to the registry that is necessary to protect it by whatever means - HIPS, Process protection or whatever.

The point is that most folks don't run your setup, but whatever security tools they run, they should have a multi-layered security strategy in place. And one of the most vulnerable objects in a Windows system is its registry - not the brightest idea on the block, as it is tantamount to a global variable space, although some security settings can protect certain areas when the right protection is applied. Yeah, RegDefend can do that, but it's not necessarily hype.

Advertising hype is one thing on which we agree, but if you want to keep your head in the sand as you stated above, that's your choice my friend!

-- Tom

P.S. By 2008, 84% of malware will be delivered by rootkits - it's only 2% now, but projected to be 13% by end of 2006. What does that have to do with the registry - wouldn't you rather not find out?


----------



## JohnWill (Oct 19, 2002)

lotuseclat79 said:


> P.S. By 2008, 84% of malware will be delivered by rootkits - it's only 2% now, but projected to be 13% by end of 2006. What does that have to do with the registry - wouldn't you rather not find out?


True, but I remain unconvinced that RegDefend is the only way I'll be able to protect myself.


----------



## MNG0304 (Mar 3, 2006)

Perhaps Sysinternals has an adequate alternative HERE


----------



## lotuseclat79 (Sep 12, 2003)

JohnWill said:


> True, but I remain unconvinced that RegDefend is the only way I'll be able to protect myself.


Now John,

When have I ever said that RegDefend is the ONLY way to protect yourself?

I'm just pointing out that here is probably a good test, and if you run it you will find out if your security measures are weak or strong against the test.

What method someone decides to use to protect themselves is up to them, and there are other ways to protect the registry that I have mentioned, e.g. HIPS, which is how I do it.

-- Tom


----------



## lotuseclat79 (Sep 12, 2003)

MNG0304 said:


> Perhaps Sysinternals has an adequate alternative HERE


Hi MNG0304,

RootkitRevealer cannot protect the registry, but it can find rootkits - most, but not all. It's a constantly changing landscape out there, i.e. the malware authors vs. the security analysts.

The purpose of defending the registry, by whatever means, is to protect it from intrusion by malware. RootkitRevealer does not even protect against rootkits; it is only able to detect them after the fact.

Sysinternals does have a registry monitor program, RegMon, available here:
http://www.sysinternals.com/SystemInformationUtilities.html, but it is a real-time registry monitor, and I haven't tested its registry defense capabilities, if any, so it might be after-the-fact as well for all I know at this point in time without testing it.

-- Tom


----------



## MNG0304 (Mar 3, 2006)

Thanks for the clarification. Since I am not an IT professional I need such information before I attempt to help others here.


----------



## Rollin' Rog (Dec 9, 2000)

The tools at System Internals are analytic only -- very useful when used knowledgeably, but they are not defensive tools.

IMHO, and I'll keep repeating this whenever the subject comes up, most of these anti this and that applications prove to be more of a pain in the kazoo than they are worth -- sooner or later.

Unless you are hell bent on looking for trouble, all you need is a reasonably up-to-date Security patched XP SP2 install, a "safe" browser, freeware antivirus and common sense.


----------



## lotuseclat79 (Sep 12, 2003)

Hi Rollin' Rog,

For the most part I would agree with you, however, your point-of-view only applies to the "rational" minded, and ignores the otherwise irrational behavior of most of us when we displace our normal behavior unintentionally. And one needn't be hell bent on looking for trouble.

I'm not shilling RegDefend here, I'm just trying to cover all of the bases which for your model of behavior is fine and dandy - if only all of us folks would follow it all of the time, and there were no profit incentive for the bad guys to create ever nastier ways to take over our computers.

Covering all of the bases to me means understanding all of the vectors of attack and seeing that a method is put into place to effectively counter those instances where an attack could occur irrespective of what behavior may keep you safe otherwise.

Your model is a fine one to follow, but not everyone is capable of common sense when it is needed most to avoid an attack - even when you are well protected.

As an example, a good friend of mine was intruded up-front and personal when he noticed his router going bonkers - lights flashing abnormally. Lucky he was right there (Verizon DSL) to shut things down and save his computer. If he had taken a break and not been in front of his computer to respond to the attack, his computer would have had to be OS reinstalled - I am sure, to wipe the pest off of his system. He now also runs a software firewall in addition to his hardware firewall router.

Just goes to show that if an attacker is determined and expert enough, they can bypass almost at will just about any firewall and get onto your system - unless you are well protected. All the more reason to make sure your hardware and software is properly configured so no open holes exist.

Besides, signature-based AVs are not well-equipped to avert Zero-Day infections, but in combination with a good heuristic-based AV can possibly save the day - and just in case you haven't noticed lately, freeware AV does miserably against known threats. Visit http://www.av-comparatives.org to find out how the better AVs compare against one another.

-- Tom


----------



## JohnWill (Oct 19, 2002)

Gee Tom, given that statement you must think I'm one of those people that are incapable of exercising common sense when protecting my network.

Note: Just kidding.


----------



## lotuseclat79 (Sep 12, 2003)

Hi John,

Gee, you make it sound like you walked into my broadside! I'm not aiming at anyone in particular, just what I view as common misguided assumptions that stick in my craw!

It's not you or Rollin' Rog I am concerned about. I suspect you both can take care of your computers yourselves. It's the general background readers who use freeware AVs because someone at TSG swears by it and says it's good, without the experience of testing its limits or really knowing anything about either the reader's Internet behavior (using P2P or visiting dodgy websites - and then they wonder why they got infected) or their own lack of knowledge about the threats out there on the Internet (other than their own limited blinder viewpoint) vs. what little protection they really have. One false step, and kaboom, you see the results every day 24/7 in the Security forum - and it's only going to get worse.

-- Tom


----------



## new tech guy (Mar 27, 2006)

Hey Tom,
It's really great, the registry guard and all, but I look at the malware and the rest of my PC this way: if disaster's gonna strike, it's gonna strike whether I have protection or no protection. Sure, having the right tools can help, but I figure, though, how is my registry going to be infected if, along with SpywareBlaster, I have AdAware to scan for stuff? If that detects something and repeated scans do not remove it, that's when I go get the potent stuff to get rid of it. Because if SpywareBlaster is blocking the inlet for this stuff (the internet), there is no file to start an infection; if there is no file there cannot be an infected registry, as when the system sees the nasties coming towards it, it simply slams the front door on it. It's good, however, to have knowledgeable people like you here to teach us. And as Rog said, if I go on a paranoia streak protecting every possible inlet of my PC it would eventually make everyday tasks a royal pain to do, because then I would have all these blocks and guards and whatnot going off at once, just wasting resources and causing software conflicts doing everyday tasks like installing a program. I will try your test though.


----------



## lotuseclat79 (Sep 12, 2003)

AdAware just had a critical article written about it at the Security Focus website - it's not as good protection as you think it is - kinda like the Swiss cheese that is IE.

SpywareBlaster all by itself is no panacea. What makes you think it protects you against everything?

Your description of all alarms full-steam ahead was indeed paranoid! 

The purpose of having a tool is to do something proactive, and in the process you become more knowledgeable in its use and limitations. If it does not do the job you expect, you move on, and get a better tool.

-- Tom


----------



## new tech guy (Mar 27, 2006)

Well, there I was using an example with alarms and whatnot. But each to his own. I have been using the setup I previously stated for a while and it's just hard to move from something you understood well and trusted to something new. But, even though we have our protection, you also have to bear in mind that everything has a backdoor. Doesn't matter if it's a registry guard or a simple scan with AdAware. There's always a way around it. But each to his own opinion. I prefer AdAware and SpywareBlaster and CCleaner on my machine and you use some more sophisticated pro tools, but I find the KISS method works best all the time. That's why I use such a simple setup. It just comes down to a matter of personal preference.


----------



## JohnWill (Oct 19, 2002)

Well, my curiosity got the best of me, and I tried RegTest. As I suspected, the first test was successful at changing the registry contents. The second test ran, the computer threw up a whole bunch of error windows as it shut down, but it was happening too fast to read what kind of exception was happening. When the computer rebooted, it came up to a blank desktop and didn't boot any farther. I rebooted, same result.

I restored my backup image (that was made for just this possibility), deleted all traces of RegTest, and made a mental note to stay far away from that site.


----------



## Rollin' Rog (Dec 9, 2000)

I can certainly agree that there are situations where families are involved or folks don't have exclusive control over their systems and can benefit from a little extra defense. But they really ought to create profiles with limited privileges or even boot in one themselves.

For the careless and impulsive, booting with full Administrative rights, there is no defense. No antivirus, no firewall, no antispyware can protect them when they are inclined to say "yes" to an install prompt from an untrustworthy source.

Commercial programs are always one or two steps behind the malware specialists.

Check half the threads in the Security forum and see the latest AV and antispyware programs they already have when they come crying for help.


----------



## lotuseclat79 (Sep 12, 2003)

JohnWill said:


> Well, my curiosity got the best of me, and I tried RegTest. As I suspected, the first test was successful at changing the registry contents. The second test ran, the computer threw up a whole bunch of error windows as it shut down, but it was happening too fast to read what kind of exception was happening. When the computer rebooted, it came up to a blank desktop and didn't boot any farther. I rebooted, same result.
> 
> I restored my backup image (that was made for just this possibility), deleted all traces of RegTest, and made a mental note to stay far away from that site.


John,

I am truly sorry to hear that your computer had problems. Did you run the test from an Admin account privilege?

-- Tom


----------



## JohnWill (Oct 19, 2002)

I ran it from an admin account, though a reasonable test should crash the computer in any case. The fact that their test corrupts a previously working configuration doesn't inspire any confidence in their products.

Imagine if someone slightly less skeptical had done the same thing, only they didn't have a backup? It would obviously be a big problem! I remain totally unimpressed with the test and the company.


----------



## new tech guy (Mar 27, 2006)

John, my desktop crashed as well, but after a few moments everything just loaded normally, although I did run Registry Mechanic and found like 40 problems. But my system turned out fine.


----------



## JohnWill (Oct 19, 2002)

I left it for about 10 minutes, I figured it was toast after that.


----------



## new tech guy (Mar 27, 2006)

Ahh, might have been the better thing, cause mine came back but some settings were off. Like I had the Windows Media thing on that was turned off, and some other small things were messed up. I don't really trust that thing.


----------



## lotuseclat79 (Sep 12, 2003)

Hmm, thinking about John's awful experience, perhaps it should be recommended to back up the registry before running any registry tests? Sounds like a practical thing to do!

-- Tom


----------



## new tech guy (Mar 27, 2006)

Good thinking Lotus. I think this is a good backup setting. Not the best, but I would imagine it to get someone by. Along with System Restore, Registry Mechanic leaves registry backups. If I cannot go into the system and somehow get it running I will simply use a BartPE disc to boot the system and remotely restore the registry.


----------



## JohnWill (Oct 19, 2002)

I backed up the whole partition, and I'm glad I did. The best idea is to simply avoid the test...


----------



## new tech guy (Mar 27, 2006)

Also to my dismay, I launched Media Center to find somehow Musicmatch Media Center Edition got wiped off the face of Media Center; either that test or another thing I did in a test messed it up. I reinstalled it and I'm listening to it right now though.


----------



## lotuseclat79 (Sep 12, 2003)

The instructions for running the tests are to first back up the registry! Here they are:

Instructions:
1. Back up your registry. All precautions have been taken with this program, but registry protection programs may cause unknown effects.

2. Start all of your registry protection programs. Make sure the programs are set up to protect the autostart parts of the registry.

3. Two registry tests will be performed; the second one will require a reboot, so please make sure you can reboot before trying this test.

4. Click on the button in the bottom right corner to begin the tests.

Test 1 - This test works by modifying several autostart values in the registry then quickly rewriting the original contents. This test will determine whether or not the registry protection you have is quick enough to catch the change. If it is not then the fact is your registry can be modified without you knowing.

Most registry programs simply poll/read the registry every few seconds, which means they will never catch everything which is written. This can be abused by malware which simply keeps rewriting itself to the registry so that every time your machine starts up, the worm/virus/trojan will start also.

If your registry protection program is successful all registry items shown will not be able to be modified.

Test 2 - This test works by attempting to write itself to various autostart locations in the registry. It will then simulate a shutdown to show that it will appear the next time your machine starts. If the test fails to shutdown your computer, then manually shut it down to see the results for the next boot.

If this test is successful after the reboot you should receive various messages stating that this test indeed managed to start itself on the next reboot. If the test is successful you are vulnerable to being infected with something which will continually start itself on your system.

If your registry protection program detects the changes AFTER the registry tester starts then it has failed. If this test can get itself to start up again next boot, what is stopping malicious software doing the same thing?

I wonder if John's crash was a part of the test 2 shutdown that he mistook for a crash? I wonder what the test results were from the next boot in light of this? Maybe he doesn't run any registry protection programs to begin with? Perhaps the meaning of the test for John is that his computer is vulnerable to the kind of infection in the last sentence for test 2 - should malware get past his perimeter network defenses?

Overall, it's very clear that if no registry protection programs are being run by a user that runs these tests, their system will be vulnerable - that's what the tests are designed to discover!

Avoiding the test is like saying - it could never happen to me! 

-- Tom
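Step 1 of the instructions above says to back up the registry before running anything, and Test 2 is judged by what is sitting under the autostart keys after the reboot; the "settings were off" reports earlier in the thread are the same question. As an added example (not the test's own code and not from the RegDefend site), this Python script diffs two .reg exports of the Run keys taken before and after such a run; the two exports are constructed inline, and the value name ExampleAutostart and the path C:\Temp\example.exe are made-up values.

```python
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name: decoded value}


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(rhs: str) -> str:
    """Normalise the right-hand side of a name=value line to a comparable string."""
    if rhs == "-":
        return "<deleted>"                    # "name"=- removes the value on import
    if rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])           # REG_SZ
    if rhs.startswith("dword:"):
        return "dword:%d" % int(rhs[6:], 16)  # REG_DWORD is written as 8 hex digits
    return rhs                                # hex:, hex(2): ... kept verbatim


def parse_reg(text: str) -> RegTree:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into a tree.

    regedit/reg.exe write version 5.00 files as UTF-16LE with a BOM, so read
    them with open(path, encoding="utf-16") before passing the text in.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)    # join backslash-continued hex lines
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") \
                or line == "REGEDIT4":
            continue
        key = re.fullmatch(r"\[(-?)(.+)\]", line)
        if key:                               # [-KEY] means "delete this key"
            current = None if key.group(1) else key.group(2)
            if current is not None:
                tree.setdefault(current, {})
            continue
        value = re.fullmatch(r'(@|"((?:[^"\\]|\\.)*)")=(.*)', line)
        if current is None or not value:
            continue
        name = "(Default)" if value.group(1) == "@" else _unescape(value.group(2))
        tree[current][name] = _decode_value(value.group(3))
    return tree


def diff_autostart(before: str, after: str) -> List[Tuple[str, str, str, str]]:
    """Return (change, key, value name, detail) for every value that differs."""
    old, new = parse_reg(before), parse_reg(after)
    changes: List[Tuple[str, str, str, str]] = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes.append(("added", key, name, n[name]))
            elif name not in n:
                changes.append(("removed", key, name, o[name]))
            elif o[name] != n[name]:
                changes.append(("changed", key, name, f"{o[name]} -> {n[name]}"))
    return changes


# Constructed snapshots: "after" has lost one machine-wide Run entry and gained
# a per-user one (ExampleAutostart / C:\Temp\example.exe are made-up values).
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBlaster"="\"C:\\Program Files\\SpywareBlaster\\spywareblaster.exe\" /autostart"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBlaster"="\"C:\\Program Files\\SpywareBlaster\\spywareblaster.exe\" /autostart"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleAutostart"="C:\\Temp\\example.exe"
"""

if __name__ == "__main__":
    for change, key, name, detail in diff_autostart(BEFORE, AFTER):
        print(f"{change:8} {key}\\{name}: {detail}")
```

On a real machine the snapshots come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" before.reg` (and the same for the HKCU and RunOnce keys), which is also the backup step 1 asks for, since the file can be re-imported with regedit.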


----------



## JohnWill (Oct 19, 2002)

I'm somewhat amazed you're so "hard over" on this single stupid test. How did we ever manage to survive all these years without it?


----------



## lotuseclat79 (Sep 12, 2003)

Hi John,

From the slim information you provided about your experience, and the conclusion you reached, your observations about the experience do not lend themselves to being able to pinpoint the technical problem you experienced. Oh, right, wait a moment, it's Windows, and Windows has a registry - again, I'll say, a bad design idea for an OS built like Swiss cheese.

That said, I'm only "hard over" on assumptions we all make about how secure we feel we are - i.e. security is really a myth - ain't nothin secure in my book!

If your system was so survivable, then why did it fail the test? You haven't even stated if you run any registry defense programs - I suspect not - which is why when the wolf gets in the hen house, it's going to feast on your chickens - the registry being a prime target. Granted, your curiosity got the best of you and your better judgement which you employ all the time, and you decided to take the test - which bypasses your security model and serves up the hen house, hence my comment about a multi-layered security approach. Personally, I'm unsettled about the number of long-timers here on TSG that keep on recommending AVG over Avast! and don't consider a broader security model for protection. Sure AVG can save you money, but is that the most important thing that needs to be saved - I'd say it's data - and I know you agree with me on this point - just look at your splendid backup system and approach as part of your strategy. Would that everyone were as both handy and experienced as yourself.

In my view, your experience is no different than Mark Russinovich discovering the Sony rootkit on his computer - he did a dumb thing staying in Administrator account mode which made it easy for the rootkit to get into his system when he played the CD.

I'm only pointing out that "surviving all these years without it" is a general assumption that does not consider current threat models in the ever daily changing landscape of the fight against malware. Do you really think that your system has strong enough security?

Don't answer right away - think about it and project what the landscape will be next year when over 13% of malware will be delivered by rootkits, and the following year 84%.

-- Tom

P.S. That single stupid test is what may happen to any one of our systems unless we are prepared to stop it when the wolf gets into the hen house.


----------



## new tech guy (Mar 27, 2006)

Lotus,
I agree with your theory of the wolf and the hen house, but I kinda have a question and a statement at the same time. Well, here it goes: I do not think a bunch of registry entries being written by the internet can write a file. Because as far as I know you need some type of file to write the registry. And besides, if this is true, when it gets to a point where it becomes a file wouldn't any decent antivirus detect it? Because the reg thing would get into the registry and start making files (this is if my question about registries is true, as that is my question, which I may have answered in this reply); at this point the screamer box, aka the antivirus, should detect it and take action, thus crippling it, and if the user has half a brain cell they would come here and make sure it's gone, but if they know how to clean spyware they would clean it themselves, so eventually the sucker will be found. Most antiviruses have active monitors for things like that. So really I don't see the active protection necessary.


----------



## JohnWill (Oct 19, 2002)

Well, we can at least agree that nothing is secure, that's for sure. 

As for protection, I run AVG, Windows Defender, and ewido Pro. I run AdAware about once a week, and I also use SpywareBlaster, and update that about once a week. That's about all I have the patience for. 

I won't claim that it's the best defense possible, but I also know my environment, and the places I visit on the web. Since I'm not inclined to simply surf blindly and click on any link willy-nilly, I suspect that I'm not exposed to nearly the number of threats that some folks are.

My real final line of defense is, and will continue to be, multiple layers of backup. When the smoke settles, there isn't anything like having a complete copy of your valuable data in several extra places.

If half the people that are beating the drums for all these malware tools, were beating the drums for proper and effective backup the whole computing community would be far better off. It's not sexy, but it's vital to the health of your data. I might indeed fall victim to one of the latest "designer" malware strains, but it's unlikely to find all of the copies of my important files, so it'll only be a bump in the road in the greater scheme of things. There is such a thing as being "insurance poor". When the PITA factor of trying to defend against any possible new virus/malware strain becomes a major factor, IMO we're trying too hard and putting our resources in the wrong place.

Finally, backup protects you against another whole class of failures that all the virus scanners and malware shields in the world won't protect you against: software crashes and hardware failures. All the fancy malware/virus shields in the world won't protect you from a lightning strike or a simple hard disk failure. Just scan the forums and you'll see it's not an uncommon occurrence. How many "how do I get my data from a crashed hard disk" do you have to read to get the message?


----------



## new tech guy (Mar 27, 2006)

I learned that the hard way, John. I had my old desktop rig's HD die and thought my data was dead and gone, but lucked out when I linked the old C drive as a secondary to the new Seagate that was installed in its place and luckily was able to restore data. After that I always have a clone of my system using the utilities there. So when the spit hits the fan and destroys my data I'm not crying over my data loss, as I always have a second copy that I can load back into my norm drive using that provided software from the new drive. Don't have to reinstall Windows, maybe one or two updates since the last time I did one, and that's about it. System gone one minute, it's back about a half an hour later.


----------



## lotuseclat79 (Sep 12, 2003)

new tech guy said:


> Lotus,
> I agree with your theory of the wolf and the hen house, but I kinda have a question and a statement at the same time. Well, here it goes: I do not think a bunch of registry entries being written by the internet can write a file. Because as far as I know you need some type of file to write the registry. And besides, if this is true, when it gets to a point where it becomes a file wouldn't any decent antivirus detect it? Because the reg thing would get into the registry and start making files (this is if my question about registries is true, as that is my question, which I may have answered in this reply); at this point the screamer box, aka the antivirus, should detect it and take action, thus crippling it, and if the user has half a brain cell they would come here and make sure it's gone, but if they know how to clean spyware they would clean it themselves, so eventually the sucker will be found. Most antiviruses have active monitors for things like that. So really I don't see the active protection necessary.


Hi new tech guy,

Well, there is such a thing as hiding in plain sight, particularly with malware in memory that can inject itself into DLLs or processes. Then there are BIOS oriented rootkits and kernel oriented rootkits and video BIOS rootkits.

You do know about zero-day malware don't you? It happens when a new malware comes along for which no signature is available, so then the signature-based AVs are scrambling while the heuristic-based ones have at least a chance, or maybe not depending on the malware's cleverness at hiding and not being detected.

John's discipline and expertise keeps him out of trouble, as for myself, well, I just added SocketShield Beta to my security arsenal yesterday.

-- Tom


----------



## new tech guy (Mar 27, 2006)

I honestly never heard about zero-day malware. And you do have a point that even though the antivirus (in my case McAfee Security Center) can detect virus infections, when it comes to malware I am an open front door without protection. Because also consider the possibility that it does not come through the internet, rather a shady looking CD; I'm open to madness until the next time I run my scanner, at which point it may have already performed considerable damage to the computer. Whereas if I have a guard installed it will notice the attack right away and start yelling at me about it. Also most decent AV guards today have setups for both signature based AND heuristic, so most can check for both. Thanks for teaching me all this new information Tom and John. I am very happy to learn from both of you.


----------



## JohnWill (Oct 19, 2002)

I would think that any malware that comes on a CD would be "aged" enough to be known. I'd be more concerned about stuff over the Internet, that can be "hot off the presses" to you in minutes.


----------

