Tip: Registry vulnerability test - Not for 95/98/ME
JohnWill (Distinguished Member with 110,212 posts; Join Date: Oct 2002; Location: South Eastern PA, USA; Experience: Advanced age & experience)
28-Apr-2006, 08:36 PM #31
I left it for about 10 minutes; I figured it was toast after that.
new tech guy (Distinguished Member with 5,389 posts; Join Date: Mar 2006; Location: NJ; Experience: Intermediate)
28-Apr-2006, 09:36 PM #32
Ahh, might have been the better thing, cause mine came back but some settings were off. Like I had the Windows Media thing on that was turned off, and some other small things were messed up. I don't really trust that thing.
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
29-Apr-2006, 08:23 AM #33
Hmm, thinking about John's awful experience, perhaps it should be recommended to back up the registry before running any registry tests? Sounds like a practical thing to do!

-- Tom
new tech guy
29-Apr-2006, 11:34 AM #34
Good thinking, Lotus. I think this is a good backup setting. Not the best, but I would imagine it would get someone by. Along with System Restore, Registry Mechanic leaves registry backups. If I cannot go into the system and somehow get it running, I will simply use a BartPE disc to boot the system and remotely restore the registry.
__________________
-new tech guy
OH MY GOSH THEY KILLED KENNY!
JohnWill
29-Apr-2006, 12:17 PM #35
I backed up the whole partition, and I'm glad I did. The best idea is to simply avoid the test...
new tech guy
29-Apr-2006, 04:03 PM #36
Also, to my dismay, I launched Media Center to find that somehow Musicmatch Media Center Edition got wiped off the face of Media Center; either that test or another thing I did in a test messed it up. I reinstalled it and I'm listening to it right now though.
lotuseclat79
29-Apr-2006, 04:16 PM #37
The instructions for running the tests are to first back up the registry! Here they are:

Instructions:
1. Back up your registry. All precautions have been taken with this program, but registry protection programs may cause unknown effects.

2. Start all of your registry protection programs. Make sure the programs are set up to protect the autostart parts of the registry.

3. Two registry tests will be performed; the second one will require a reboot, so please make sure you can reboot before trying this test.

4. Click on the button in the bottom right corner to begin the tests.

Test 1 - This test works by modifying several autostart values in the registry, then quickly rewriting the original contents. This test will determine whether or not the registry protection you have is quick enough to catch the change. If it is not, then the fact is your registry can be modified without you knowing.

Most registry programs simply poll/read the registry every few seconds, which means they will never catch everything which is written. This can be abused by malware which simply keeps rewriting itself to the registry, so that every time your machine starts up, the worm/virus/trojan will start also.

If your registry protection program is successful, all registry items shown will not be able to be modified.

Test 2 - This test works by attempting to write itself to various autostart locations in the registry. It will then simulate a shutdown to show that it will appear the next time your machine starts. If the test fails to shut down your computer, then manually shut it down to see the results for the next boot.

If this test is successful, after the reboot you should receive various messages stating that this test indeed managed to start itself on the next reboot. If the test is successful, you are vulnerable to being infected with something which will continually start itself on your system.

If your registry protection program detects the changes AFTER the registry tester starts, then it has failed. If this test can get itself to start up again next boot, what is stopping malicious software doing the same thing?

I wonder if John's crash was a part of the Test 2 shutdown that he mistook for a crash? I wonder what the test results were from the next boot in light of this? Maybe he doesn't run any registry protection programs to begin with? Perhaps the meaning of the test for John is that his computer is vulnerable to the kind of infection in the last sentence for Test 2 - should malware get past his perimeter network defenses?

Overall, it's very clear that if no registry protection programs are being run by a user that runs these tests, their system will be vulnerable - that's what the tests are designed to discover!

Avoiding the test is like saying - it could never happen to me!

-- Tom
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
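A defender-side companion to the instructions quoted above (step 1, "back up your registry", and the "see the results for the next boot" check of Test 2), added here as an example; it is not part of the thread or of the test program. The PowerShell script below exports the common Run/RunOnce autostart keys with reg.exe as a restorable backup, saves a baseline of their values, and when run again after the test and reboot reports anything that was added, changed or removed. The key list, the backup directory and the function names are assumptions.

```powershell
# Added example, not from the thread: back up and baseline the common autostart keys,
# then diff them after the test/reboot to see what persisted. Key list is an assumption.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BackupDir    = Join-Path $env:USERPROFILE 'regtest-backup'   # assumed location
$BaselineFile = Join-Path $BackupDir 'autostart-baseline.xml'
# Read every value under each autostart key into a flat "key\name" -> data table.
function Get-AutostartSnapshot {
    $snap = @{}
    foreach ($path in $RunKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $snap["$path\$name"] = [string]$key.GetValue($name)
        }
    }
    return $snap
}
# Report additions, removals and changed data between two snapshots.
function Compare-AutostartSnapshot([hashtable]$Before, [hashtable]$After) {
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += "ADDED   $k = $($After[$k])"
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += "CHANGED $k : '$($Before[$k])' -> '$($After[$k])'"
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) { $changes += "REMOVED $k = $($Before[$k])" }
    }
    return $changes
}
if (-not (Test-Path $BaselineFile)) {
    # First run (before the test): export each key with reg.exe so it can be
    # put back with 'reg import', then save the baseline snapshot.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($path in $RunKeys) {
        $regPath = $path -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
        $file    = Join-Path $BackupDir (($regPath -replace '\\', '_') + '.reg')
        reg export $regPath $file /y | Out-Null
    }
    Get-AutostartSnapshot | Export-Clixml -Path $BaselineFile
    Write-Output "Baseline saved to $BaselineFile. Run the test, reboot, then run this script again."
} else {
    # Second run (after the reboot): anything listed here survived into the next boot.
    $diff = Compare-AutostartSnapshot (Import-Clixml -Path $BaselineFile) (Get-AutostartSnapshot)
    if ($diff.Count -eq 0) { Write-Output 'No autostart changes since baseline.' } else { $diff }
}
```

Because the comparison is made against a saved baseline rather than by polling, a value that was written and persisted across the reboot shows up regardless of how quickly the test wrote it; a write that was reverted before the reboot will not, which is exactly the gap Test 1 is about.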
JohnWill
29-Apr-2006, 06:30 PM #38
I'm somewhat amazed you're so "hard over" on this single stupid test. How did we ever manage to survive all these years without it?
lotuseclat79
29-Apr-2006, 09:28 PM #39
Hi John,

From the slim information you provided about your experience, and the conclusion you reached, your observations about the experience do not lend themselves to being able to pinpoint the technical problem you experienced. Oh, right, wait a moment, it's Windows, and Windows has a registry - again, I'll say, a bad design idea for an OS built like Swiss cheese.

That said, I'm only "hard over" on assumptions we all make about how secure we feel we are - i.e. security is really a myth - ain't nothin' secure in my book!

If your system was so survivable, then why did it fail the test? You haven't even stated if you run any registry defense programs - I suspect not - which is why, when the wolf gets in the hen house, it's going to feast on your chickens - the registry being a prime target. Granted, your curiosity got the best of you and your better judgement, which you employ all the time, and you decided to take the test - which bypasses your security model and serves up the hen house, hence my comment about a multi-layered security approach. Personally, I'm unsettled about the number of long-timers here on TSG that keep on recommending AVG over Avast! and don't consider a broader security model for protection. Sure, AVG can save you money, but is that the most important thing that needs to be saved? I'd say it's data - and I know you agree with me on this point - just look at your splendid backup system and approach as part of your strategy. Would that everyone were both as handy and experienced as yourself.

In my view, your experience is no different than Mark Russinovich discovering the Sony rootkit on his computer - he did a dumb thing staying in Administrator account mode, which made it easy for the rootkit to get into his system when he played the CD.

I'm only pointing out that "surviving all these years without it" is a general assumption that does not consider current threat models in the daily changing landscape of the fight against malware. Do you really think that your system has strong enough security?

Don't answer right away - think about it and project what the landscape will be next year when over 13% of malware will be delivered by rootkits, and the following year 84%.

-- Tom

P.S. That single stupid test is what may happen to any one of our systems unless we are prepared to stop it when the wolf gets into the hen house.
new tech guy
29-Apr-2006, 10:19 PM #40
Lotus,
I agree with your theory of the wolf and the hen house, but I kinda have a question and a statement at the same time. Well, here it goes: I do not think a bunch of registry entries being written by the internet can write a file, because as far as I know you need some type of file to write the registry. And besides, if this is true, when it gets to a point where it becomes a file, wouldn't any decent antivirus detect it? Because the reg thing would get into the registry and start making files (this is if my question about registries is true, as that is my question, which I may have answered in this reply); at this point the screamer box, aka the antivirus, should detect it and take action, thus crippling it, and if the user has half a brain cell they would come here and make sure it's gone, but if they know how to clean spyware they would clean it themselves, so eventually the sucker will be found. Most antiviruses have active monitors for things like that. So really I don't see the active protection as necessary.
JohnWill
29-Apr-2006, 10:35 PM #41
Well, we can at least agree that nothing is secure, that's for sure.

As for protection, I run AVG, Windows Defender, and ewido Pro. I run AdAware about once a week, and I also use SpywareBlaster, and update that about once a week. That's about all I have the patience for.

I won't claim that it's the best defense possible, but I also know my environment, and the places I visit on the web. Since I'm not inclined to simply surf blindly and click on any link willy-nilly, I suspect that I'm not exposed to nearly the number of threats that some folks are.

My real final line of defense is, and will continue to be, multiple layers of backup. When the smoke settles, there isn't anything like having a complete copy of your valuable data in several extra places.

If half the people that are beating the drums for all these malware tools were beating the drums for proper and effective backup, the whole computing community would be far better off. It's not sexy, but it's vital to the health of your data. I might indeed fall victim to one of the latest "designer" malware strains, but it's unlikely to find all of the copies of my important files, so it'll only be a bump in the road in the greater scheme of things. There is such a thing as being "insurance poor". When the PITA factor of trying to defend against any possible new virus/malware strain becomes a major factor, IMO we're trying too hard and putting our resources in the wrong place.

Finally, backup protects you against another whole class of failures that all the virus scanners and malware shields in the world won't protect you against: software crashes and hardware failures. All the fancy malware/virus shields in the world won't protect you from a lightning strike or a simple hard disk failure. Just scan the forums and you'll see it's not an uncommon occurrence. How many "how do I get my data from a crashed hard disk" do you have to read to get the message?
__________________
Remember: Data you don't have at least two copies of is data you don't care about.

Microsoft MVP - User Desktop Experience
new tech guy
29-Apr-2006, 11:00 PM #42
I learned that the hard way, John. Had my old desktop rig's HD die and thought my data was dead and gone, but lucked out when I linked the old C drive as a secondary to the new Seagate that was installed in its place and luckily was able to restore data. After that I always have a clone of my system using the utilities there. So when the spit hits the fan and destroys my data I'm not crying over my data loss, as I always have a second copy that I can load back into my norm drive using that provided software from the new drive. Don't have to reinstall Windows, maybe one or two updates since the last time I did one, and that's about it. System gone one minute, it's back about a half an hour later.
lotuseclat79
30-Apr-2006, 09:15 AM #43
Quote:
Originally Posted by new tech guy
Lotus,
I agree with your theory of the wolf and the hen house, but I kinda have a question and a statement at the same time. Well, here it goes: I do not think a bunch of registry entries being written by the internet can write a file, because as far as I know you need some type of file to write the registry. And besides, if this is true, when it gets to a point where it becomes a file, wouldn't any decent antivirus detect it? Because the reg thing would get into the registry and start making files (this is if my question about registries is true, as that is my question, which I may have answered in this reply); at this point the screamer box, aka the antivirus, should detect it and take action, thus crippling it, and if the user has half a brain cell they would come here and make sure it's gone, but if they know how to clean spyware they would clean it themselves, so eventually the sucker will be found. Most antiviruses have active monitors for things like that. So really I don't see the active protection as necessary.
Hi new tech guy,

Well, there is such a thing as hiding in plain sight, particularly with malware in memory that can inject itself into DLLs or processes. Then there are BIOS-oriented rootkits, kernel-oriented rootkits and video BIOS rootkits.

You do know about zero-day malware, don't you? It happens when new malware comes along for which no signature is available, so then the signature-based AVs are scrambling while the heuristic-based ones have at least a chance, or maybe not, depending on the malware's cleverness at hiding and not being detected.

John's discipline and expertise keep him out of trouble; as for myself, well, I just added SocketShield Beta to my security arsenal yesterday.

-- Tom
new tech guy
30-Apr-2006, 08:43 PM #44
I honestly never heard about zero-day malware. And you do have a point that even though the antivirus (in my case McAfee Security Center) can detect virus infections, when it comes to malware I am an open front door without protection. Because also consider the possibility that it does not come through the internet, rather a shady-looking CD; I'm open to madness until the next time I run my scanner, at which point it may have already performed considerable damage to the computer. Whereas if I have a guard installed, it will notice the attack right away and start yelling at me about it. Also, most decent AV guards today have setups for both signature-based AND heuristic, so most can check for both. Thanks for teaching me all this new information, Tom and John. I am very happy to learn from both of you.
JohnWill
01-May-2006, 09:53 AM #45
I would think that any malware that comes on a CD would be "aged" enough to be known. I'd be more concerned about stuff over the Internet, that can be "hot off the presses" to you in minutes.