4) Registry protection
-with Scoundrel Simulator (Run Keys): P1/P2 (4/5)
-with RegTest1: P1/P2
-with RegHide (hidden key called "can't touch me"): P1/P2
NB: Kav can prevent hidden key installation but is not able to detect an already installed hidden key (see rootkit tests for more details).
5) Message Hooks protection
-with Keyhook: P1/P2
-with ExecuteHook: P1/P2
-with keyboardhook: P1/P2
-with HookDump: the DLL injection into other processes is successfully blocked, so the logs stay empty: P1/P2
-with Keylog (simple keylogger coded in Visual Basic): F1/P2
NB: even if we stop the hooks, the keylogger can record what is typed.
6) Malware simulation with Hookdemo and DFK-Threat Simulator (Version 1)
a) Hookdemo: P1/P2
b) DFKThreat Simulator (first version): P1/P2
NB: the file can be terminated at the first malicious action, but we've allowed it to run in order to test the application activity analyzer.
The file can be terminated as soon as malicious behaviour is first detected, but we allowed it to run in order to test the reactions of the proactive module.
NB (nicM): if we block the first process detected by Kav, most of the executable components are not initialized at all (the spyware service, the rootkit, whose folder we can see, not hidden, etc.). The only process which remains running is swfactive.exe, as you can see in the 2nd picture; the red rectangle shows the end time of the processes:
Part 2: in the wild with malware