Could someone using Threatfire 3.5 confirm my test result?


Henk1956
June 4th, 2008, 04:08 PM
1. When I run AKLT.exe, select one of the keylogging methods and then type something in (for instance) notepad, I get a pop-up from Threatfire about keylogging activity. I then let TF just kill AKLT.exe.

2. Next I rename AKLT.exe to winlogon.exe, run it and select one of the keylogging methods. Now I can type something in notepad and AKLT is simply logging it without any pop-ups from ThreatFire.

Could somebody either confirm these results or tell me his results are different from mine?

trjam
June 4th, 2008, 04:35 PM
ENOUGH PEOPLE!!!:ouch:

Name me one software that doesn't have issues based on user, user setup, user intelligence. Ok, I bought Rollback today because it is the only way I can load all Sims games at one time with each in its own snapshot. So I did a little testing for about 4 hours today and uninstalled and reinstalled it quite a bit to test.

With Avira set to only scan not all files it was fairly quick making snapshots. With it set to scan all files, it slowed down considerably. With Eset, now using, it is still slow but only when taking a snapshot.
With Threatfire and Sandboxie, SUPERFAST. It seems the scanning of the AV plays an integral role in the speed of snapshots. So before you blame it on Rollback, take a look at your setup.

tbay2athome
June 4th, 2008, 04:36 PM
It's been a while since I did the same test as you and as I remember TF did not catch the majority of the exploits.

kencat
June 4th, 2008, 06:29 PM
{QUOTE-> 1. When I run AKLT.exe, select one of the keylogging methods and then type something in (for instance) notepad, I get a pop-up from Threatfire about keylogging activity. I then let TF just kill AKLT.exe.

2. Next I rename AKLT.exe to winlogon.exe, run it and select one of the keylogging methods. Now I can type something in notepad and AKLT is simply logging it without any pop-ups from ThreatFire.

Could somebody either confirm these results or tell me his results are different from mine? <-QUOTE}

What Protection Level were you using in the test? Also, if it was 3, what happens at 4 and/or 5? May be interesting.

1956 was a good year btw ;)

LoneWolf
June 4th, 2008, 06:43 PM
{QUOTE-> 1. When I run AKLT.exe, select one of the keylogging methods and then type something in (for instance) notepad, I get a pop-up from Threatfire about keylogging activity. I then let TF just kill AKLT.exe.

2. Next I rename AKLT.exe to winlogon.exe, run it and select one of the keylogging methods. Now I can type something in notepad and AKLT is simply logging it without any pop-ups from ThreatFire.

Could somebody either confirm these results or tell me his results are different from mine? <-QUOTE}


Personally I was never impressed with TF.
You could try GesWall or DefenseWall, both are excellent at blocking/stopping keyloggers.
GesWall has a free and paid version, DefenseWall has only a paid version but worth the money.


{QUOTE-> ENOUGH PEOPLE!!!:ouch:

Name me one software that doesn't have issues based on user, user setup, user intelligence. Ok, I bought Rollback today because it is the only way I can load all Sims games at one time with each in its own snapshot. So I did a little testing for about 4 hours today and uninstalled and reinstalled it quite a bit to test.

With Avira set to only scan not all files it was fairly quick making snapshots. With it set to scan all files, it slowed down considerably. With Eset, now using, it is still slow but only when taking a snapshot.
With Threatfire and Sandboxie, SUPERFAST. It seems the scanning of the AV plays an integral role in the speed of snapshots. So before you blame it on Rollback, take a look at your setup. <-QUOTE}


trjam,
Just a tip when making snapshots with Rollback Rx,
Create the snapshots using the tray icon, not Rollback's GUI. It's much faster.

Huupi
June 4th, 2008, 06:43 PM
{QUOTE-> ENOUGH PEOPLE!!!:ouch:

Name me one software that doesn't have issues based on user, user setup, user intelligence. Ok, I bought Rollback today because it is the only way I can load all Sims games at one time with each in its own snapshot. So I did a little testing for about 4 hours today and uninstalled and reinstalled it quite a bit to test.

With Avira set to only scan not all files it was fairly quick making snapshots. With it set to scan all files, it slowed down considerably. With Eset, now using, it is still slow but only when taking a snapshot.
With Threatfire and Sandboxie, SUPERFAST. It seems the scanning of the AV plays an integral role in the speed of snapshots. So before you blame it on Rollback, take a look at your setup. <-QUOTE}

Your quote apparently seems related to something completely different. Hey man wake up !! ;D

Henk1956
June 4th, 2008, 07:18 PM
Don't quite understand some replies (probably misposted).

The reason for this test is that I think the whitelist of ThreatFire consists only of executable file names.

This means that if I take a malicious application, in this case the keylogger AKLT.exe, and run it ThreatFire will produce pop-ups.

However, if I change the name of the malicious file (in my example AKLT.exe) into one on the whitelist of ThreatFire (like winlogon .exe) then it can do whatever it wants to do without any reaction from ThreatFire.

On my PC this seems to be the case (which would mean that the protection provided by ThreatFire can be easily circumvented, just by giving the malicious application a name which is on the whitelist).

I just would like to have a check made by someone else, to exclude that my result is caused by some conflict with other security software on my PC.

By the way, I run ThreatFire just as it is right after install.

Would appreciate it if someone could check this for me.

djohn
June 4th, 2008, 07:32 PM
{QUOTE-> Your quote apparently seems related to something completely different. Hey man wake up !! ;D <-QUOTE}
LMAO, let's give him a break, he is usually awake when he writes ;D

Trespasser
June 4th, 2008, 08:37 PM
It's been a long day for trjam. Let's give him a break. It was rather warm here in Southwest Virginia today...I'm sure it was much warmer in Charlotte. Maybe heat stroke? :P .

Later...

kencat
June 4th, 2008, 09:30 PM
Henk1956,

I tried renaming the aklt executable to winlogon.exe, but received an error message when trying to run it, so this test was not possible.

I'm running W2K and under a Limited User Account.

Where can one find the TF "whitelist"? I could try another name. I did rename it to kencat.exe, and this file behaved exactly as aklt.exe. I tested under Protection Level 5. At least TF hasn't been "padded" to just pass aklt.

I would hope that TF is smarter than relying just on a filename in a whitelist to allow it to do whatever it wants :-\

For what it's worth, only tests 1 and 2 out of the 6 I would consider a pass (TF alert given for keylogging detected). Test 3 Failed completely, no TF alert and aklt detected the keys. Test 4,5 and 6 were dubious, where TF issued an alert (this program is attempting to manipulate....another program...) but if the process is allowed to continue, the keys will subsequently be detected.

Sorry I couldn't confirm winlogon. Hopefully someone else will be able to.

Edit: is there a space in your winlogon .exe file name as in your post? maybe that's why it ran?

MrBrian
June 4th, 2008, 11:59 PM
Similar issue in this thread (http://www.pctools.com/forum/showthread.php?t=51010)

Kees1958
June 5th, 2008, 01:47 AM
{QUOTE-> This means that if I take a malicious application, in this case the keylogger AKLT.exe, and run it ThreatFire will produce pop-ups.

However, if I change the name of the malicious file (in my example AKLT.exe) into one on the whitelist of ThreatFire (like winlogon .exe) then it can do whatever it wants to do without any reaction from ThreatFire.

On my PC this seems to be the case (which would mean that the protection provided by ThreatFire can be easily circumvented, just by giving the malicious application a name which is on the whitelist).

I just would like to have a check made by someone else, to exclude that my result is caused by some conflict with other security software on my PC.

By the way, I run ThreatFire just as it is right after install.

Would appreciate it if someone could check this for me. <-QUOTE}

Henk,

I did not check but this could well be the case. TF allows YOU to change a name, when another executable changes the name of another executable TF will pop-up!

Therefore the programmers probably have optimised the code and assumed that the white list is always a clean and reliable reference (because other rules protect exe name change).

So yes when this protection fails, this is a weakness. Considering the strength of TF, I would not worry about it.


A lot of members are mentioning the CPU usage of TF. This was the reason for me to do some testing. And yes, compared to Mamutu, ThreatFire uses about 600% more CPU time! in a 1 hour internet session. Now comes the surprise, when I checked disk access, CPU performance and multi thread performance, it turned out that:
- disk access is as fast (of TF and Mamutu)
- multi thread performance of TF is about 8 percent FASTER!
- in CPU benchmarks TF scores a 11% BETTER/FASTER result


Regards Kees

bellgamin
June 5th, 2008, 04:15 AM
{QUOTE-> Similar issue in this thread (http://www.pctools.com/forum/showthread.php?t=51010) <-QUOTE}

The response of djames in that thread ("TF does not care about test apps") borders on the "we can't be fairly tested" alibis-of-old from Prevx, BOClean, etc.

No offense but -- if it cannot be tested, it cannot be trusted. At least, not in my book. :dry:

{QUOTE-> And Yes compared to Mamutu, ThreatFire uses about 600% more CPU time! in a 1 hour internet session. <-QUOTE}This could mean that (in 1 hour) Mamutu used 1 second of cpu whereas TF used 6 seconds. No big deal. I suggest you use absolute values rather than percentages in comparisons such as this. Just a thought -- no offense intended.

trjam
June 5th, 2008, 04:21 AM
Damn, time to join AA. That post was meant for the Rollback thread. I sincerely apologize to all in this one.:gack:

tbay2athome
June 5th, 2008, 10:14 AM
{QUOTE-> 1. When I run AKLT.exe, select one of the keylogging methods and then type something in (for instance) notepad, I get a pop-up from Threatfire about keylogging activity. I then let TF just kill AKLT.exe.

2. Next I rename AKLT.exe to winlogon.exe, run it and select one of the keylogging methods. Now I can type something in notepad and AKLT is simply logging it without any pop-ups from ThreatFire.

Could somebody either confirm these results or tell me his results are different from mine? <-QUOTE}

Tried this test with Mamutu 1.7. Didn't detect any of the keylogging attempts :-(

ErikAlbert
June 5th, 2008, 10:23 AM
{QUOTE-> Tried this test with Mamutu 1.7. Didn't detect any of the keylogging attempts :-( <-QUOTE}
Neither does ThreatFire, I've read a post, where ThreatFire failed to detect a keylogger.
Dangerous behavior blockers seem to have a problem to consider keylogging as dangerous behavior and keyloggers are one of the most dangerous malware around and they do their evil job immediately.

djohn
June 5th, 2008, 10:48 AM
{QUOTE-> Damn, time to join AA. That post was meant for the Rollback thread. I sincerely apologize to all in this one.:gack: <-QUOTE}
No apology needed, just one of those rare moments. It happens to the best of us.

Pedro
June 5th, 2008, 11:08 AM
Ok, one more time :P

1-AKLT.exe is not malicious. If TF flagged it, it would be a FP.
2-People not understanding this in full, test TF with AKLT.exe, TF "fails" and they report by email, forum, comment with other people etc.
3-TF adds detection so people can see it working. However, apparently, if you change the name, TF will analyse it normally, and since AKLT.exe is not malicious, it will fail.

However, the OP seems to be only testing the whitelist. I would just note one thing. This is not a whitelist application afaik, ie, it's not excluding the executable from analysis, it's including it in a FP's list pop-up show. :)

kwismer
June 5th, 2008, 11:12 AM
{QUOTE-> On my PC this seems to be the case (which would mean that the protection provided by ThreatFire can be easily circumvented, just by giving the malicious application a name which is on the whitelist). <-QUOTE}

that seems troubling - anyone who designs a whitelist based on filename has never considered how to attack a whitelist... ideally a whitelist should be based on some kind of hash of the program's contents rather than the filename... much harder to pretend to be a trusted program that way...

ErikAlbert
June 5th, 2008, 12:24 PM
{QUOTE-> that seems troubling - anyone who designs a whitelist based on filename has never considered how to attack a whitelist... ideally a whitelist should be based on some kind of hash of the program's contents rather than the filename... much harder to pretend to be a trusted program that way... <-QUOTE}
That's why I use AE with its quintuple verification of each whitelisted executable, including Delete/Copy Prevention and AE has a 100% detection rate, while ThreatFire is more a gamble, too vague.

Pedro
June 5th, 2008, 12:37 PM
{QUOTE-> that seems troubling - anyone who designs a whitelist based on filename has never considered how to attack a whitelist... ideally a whitelist should be based on some kind of hash of the program's contents rather than the filename... much harder to pretend to be a trusted program that way... <-QUOTE}
It's not a whitelist, unless i'm missing something.
Easy to test if it's a security risk. Get a malware sample that TF can detect and block. Rename it AKLT.exe, run it.

Escalader
June 5th, 2008, 12:52 PM
{QUOTE-> 1. When I run AKLT.exe, select one of the keylogging methods and then type something in (for instance) notepad, I get a pop-up from Threatfire about keylogging activity. I then let TF just kill AKLT.exe.

2. Next I rename AKLT.exe to winlogon.exe, run it and select one of the keylogging methods. Now I can type something in notepad and AKLT is simply logging it without any pop-ups from ThreatFire.

Could somebody either confirm these results or tell me his results are different from mine? <-QUOTE}

Used to have TF but moved away as it is of course a freebie and the adware now in all these free SW versions turns me right off. I would want to know if it is calling home.

I thought TF also used behavior monitoring to pick up baddies? So if that is right, the name change alone should not have "worked". :-\

If it is only white list based on file name it is worthless, the exe hash should be used at least to id the keylogger.

Strongly suggest you post your question on the PC Tools user forum or scan the FAQ there to get direct info.

Pedro
June 5th, 2008, 01:11 PM
It's obvious i'm talking to myself..

ErikAlbert
June 5th, 2008, 01:50 PM
{QUOTE-> It's obvious i'm talking to myself.. <-QUOTE}
;D I always have that feeling. Doesn't really matter to me as long my post counter increases. ;D

Henk1956
June 5th, 2008, 03:47 PM
Thanks for all responses and sorry for this late post (had to get some sleep and go to work).

kencat:
- winlogon.exe did not have a space in it (typo)
- The whitelist is probably in the Program Files\ThreatFire\TFWL.db4 file.
I can't read it, but know for sure that some essential windows executables will be certainly included in the list (among which winlogon.exe, smss.exe, ntoskrnl.exe, csrss.exe, userinit.exe, lsass.exe) to ensure windows will boot.

MrBrian:
- Thanks for the link you provided.
In the meantime I did another test not involving AKLT.exe with similar results. This strengthened my belief that indeed the whitelist just consists of executable names only. Any executable having such a name (being either the proper or a malicious exe) can do what it wants, without a beep from TF.

kees1958:
- TF allows YOU to change a name, when another executable changes the name of another executable TF will pop-up!
Thanks Kees, I did not know this. Will TF always notify me when this happens or does the application have to violate multiple rules?

Pedro:
- Yes, I only wanted to test the whitelist: Does TF only test for the names on the whitelist or does it test for more, like full path or MD5 checksum?
To test this I just needed an application that would trigger TF to produce pop-up warnings. AKLT was just one that was available. I did not want to test if TF fails/passes keylogging tests.

- You say "This is not a whitelist application afaik, ie, it's not excluding the executable from analysis, it's including it in a FP's list pop-up show".
Maybe TF is analysing each executable, but if it is on the whitelist it does not only stop pop-ups it also does not prevent any malicious activity. The result is the same as not analysing executables on the whitelist.

kwismer:
- I was also expecting TF to check the full path and/or MD5 checksum for executables on the whitelist, but this doesn't seem to be the case. I noticed that TF did not use the full path when I was trying to add an executable to the trusted list. To add the executable I used the browse button. In that case the full path is added to the trusted list which did not have the effect I expected (it seemed as if the trusted list was simply ignored by TF). However, if I just add the executables name to the trusted list (without path) it works like expected. This was the reason why I wanted to test if the whitelist was also containing only file names.

Escalader:
Already posted it at PC Tools (http://www.pctools.com/forum/showthread.php?t=51887) but moderator is only saying that they don't use filenames but a file's MD5 Hash. At the moment, I find this very hard to believe.
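As an added example (not ThreatFire's code, nor any poster's), this models the distinction kwismer and Henk1956 raise between a trust list keyed on file name, on full path, and on a content hash, using the thread's own scenario of a test program renamed to winlogon.exe. The two "executables" are constructed byte strings, and all function names are assumptions of this example.

```python
"""Filename-, path- and hash-keyed trust lists compared (added example).

Models the point raised in the thread: a trust list keyed on file names is
satisfied by simply renaming a file, a path-keyed list additionally requires
the file to sit in the trusted location, and a hash-keyed list is satisfied
only by the exact trusted contents. Everything here is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for executables; any bytes work for the hash check.
GENUINE_WINLOGON = b"MZ-constructed-genuine-winlogon-bytes"
TEST_PROGRAM = b"MZ-constructed-AKLT-like-test-program-bytes"


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_trust_lists(trusted_files):
    """Derive all three kinds of trust list from the same set of known-good files."""
    by_name = {p.name.lower() for p in trusted_files}
    by_path = {str(p.resolve()).lower() for p in trusted_files}
    by_hash = {sha256_of(p) for p in trusted_files}
    return by_name, by_path, by_hash


def trusted_by_name(path: Path, by_name) -> bool:
    return path.name.lower() in by_name


def trusted_by_path(path: Path, by_path) -> bool:
    return str(path.resolve()).lower() in by_path


def trusted_by_hash(path: Path, by_hash) -> bool:
    return sha256_of(path) in by_hash


def check_all(path: Path, by_name, by_path, by_hash) -> dict:
    return {
        "name": trusted_by_name(path, by_name),
        "path": trusted_by_path(path, by_path),
        "hash": trusted_by_hash(path, by_hash),
    }


def run_rename_test() -> dict:
    """Reproduce the thread's experiment against the three trust lists."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        system_dir = root / "system32"          # constructed trusted location
        system_dir.mkdir()
        genuine = system_dir / "winlogon.exe"
        genuine.write_bytes(GENUINE_WINLOGON)
        lists = build_trust_lists([genuine])

        results = {"genuine": check_all(genuine, *lists)}

        # Case from the thread: a test program renamed to a trusted name, but
        # sitting in its own directory rather than the trusted one.
        test_prog = root / "AKLT.exe"
        test_prog.write_bytes(TEST_PROGRAM)
        renamed = root / "winlogon.exe"
        test_prog.rename(renamed)
        results["renamed"] = check_all(renamed, *lists)

        # Model a file swapped in place at the trusted path: only the hash list
        # still distinguishes it from the genuine binary.
        genuine.write_bytes(TEST_PROGRAM)
        results["replaced"] = check_all(genuine, *lists)
        return results
```

The name-keyed list accepts the renamed file outright, the path-keyed list holds only while the trusted location is write-protected, and the hash-keyed list rejects both substitutions.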

Pedro
June 5th, 2008, 03:58 PM
Henk, it's not whitelisting afaik, not in this case. It seems logical.
You asked a question there, he answered. You should explain what you tried, ie, rename AKLT.exe.
From MrBrian's link:
{QUOTE-> The "Simple keylogger test" app is a test app, by a trusted company.
We have played with this quite a while ago in Cyberhawk days.

TF does not "care" about test apps. We sometimes have to make exceptions so that it does. We put this app in a "special" list so that people could see that we are aware of it, and/or test TF. The truth is that TF trusts this program.
We will change the way TF responds to this app however so that the "name" won't matter anymore. <-QUOTE}
You rename it, and TF acts as normal (this is a guess), and since AKLT is not malicious, nothing happens.

With TF, you have to test with malware.

Henk1956
June 5th, 2008, 04:08 PM
The AKLT thing does give too much confusion.

Will try to find a better way to test this and then post again.

Pedro
June 5th, 2008, 04:24 PM
Depending on your experience, this is more or less relevant:
I don't recommend you to install malware. I'm just saying that TF can't be tested with ordinary tests, expecting it to act on anything. It's built to detect and block/quarantine real malware.

Escalader
June 5th, 2008, 05:24 PM
{QUOTE-> ....

Escalader:
Already posted it at PC Tools (http://www.pctools.com/forum/showthread.php?t=51887) but moderator is only saying that they don't use filenames but a file's MD5 Hash. At the moment, I find this very hard to believe. <-QUOTE}

I read their answer to your post. Interesting.

If we assume for the moment that they do use the hash as their moderator says then where would that leave your test result? There must be another reason. Unless I missed it I don't think this question is over. Their moderator would have a few problems IF they don't use the hash.

Henk1956
June 5th, 2008, 05:35 PM
Escalader & Pedro,

Pedro, I think you are right considering MrBrian's link.
I did try some different things with custom rules and not involving AKLT.
Now behaviour is quite different and more as expected.
Only sometimes, after a change in the rules or trusted files, TF does not act according to these changes right away (but eventually it does).

I have to agree that testing TF is not that simple and it's probably best to test with real malware (but I don't have a VM so I am not going to do that myself).

Thanks for the help.

Henk

kencat
June 5th, 2008, 05:40 PM
Pedro,

but TF does alert you to keylogging activity for tests 1 and 2. And there is no recourse but to kill and quarantine aklt.exe because the alert keeps popping up if you try to allow it. This is for level 5. I renamed aklt to kencat and it behaved the same.
Test 3 Fails period.

Test 4, 5 , and 6 gives a TF alert like this:
But you can allow the action and then AKLT will capture the keystrokes.

So the test does seem valid since TF detects some but not all tests.

I can't confirm changing to winlogon as I get this when I doubleclick, so W2K seems to know what's going on ??:

If I'm doing something wrong let me know.

Pedro
June 5th, 2008, 05:53 PM
They add the "detection" of these tests so people see it "working".
Normally and without pressure (from people on forums for one), TF would not detect this. If it did, it's a false alarm, since this test doesn't really harm you.

TF is closer to AV's than HIPS on that regard, it's not to alert until it finds malware, with 90%+ guarantee it's not a false alarm.
(the percentage is just to make a point)
It's "this is malware", and not "this application is doing that, figure it out". :)

Only if some of the keylogging methods were by themselves indication of malware, like suppose no legitimate program used them, then it would be reasonable to flag it.
If not, and since legitimate programs will use some or all of these methods as well, TF has to take other things into consideration, before alerting the user "hey, this thing is a trojan, i suggest you quarantine it".

Just my opinion though.

aigle
June 5th, 2008, 06:53 PM
Hi Henk! You know what i suspect.

It will be just plain stupid to have a white list based upon names only without any checksum/ hash etc. We should not expect this from any vendor at all.

The reason I suspect may be as follows. TF is very poor against keyloggers. Now as people try POC keyloggers against TF so they might have added detection for some POCs like AKLT and this detection might be separate from whitelist, not involving a proper checksum/ hash etc.

Now best way to do that is take an actual malware. Rename to some legit essential windows executable like winlogon.exe and then execute. I am sure it will be detected. So many malware samples use names similar to windows own executables.

Henk1956
June 5th, 2008, 07:18 PM
Yes aigle, I already admitted that I did some poor testing and jumped to some early conclusions.

I now learned that TF can not be so easily tested as other security applications.

I have to live with that, since I don't want to take any risks by testing with real malware.

aigle
June 5th, 2008, 07:53 PM
May be i will test in that way if I got some time later. Not sure, depends upon time.

IceCube1010
June 5th, 2008, 07:55 PM
Threatfire is not that good against keyloggers. Threatfire is like the last security blanket in your setup. If it gets by your firewall, AV and sandbox, Hopefully, Threatfire will come to the rescue.

IceCube

Escalader
June 5th, 2008, 08:35 PM
{QUOTE-> .....

...... I renamed aklt to kencat and it behaved the same. <-QUOTE}

this seems to confirm that the TF moderator was correct and they do in fact use the hash.

kencat
June 5th, 2008, 09:59 PM
This might clinch it. I renamed aklt to mstask. Same result on test1 as before. Mstask.exe should be a trusted exe in TF, but TF detected the keylogging.
As an interesting aside note. On another old laptop I have TF and the PCTools firewall. Tests 4,5, and 6 are detected by the firewall with a nice description of the keylogging hook and blocking did stop aklt from detecting the keystrokes. Test 3 was still invisible to the PCTools suite.......but 5 out of 6 ain't bad :D

ErikAlbert
June 5th, 2008, 10:14 PM
What has the name of an object to do with its suspicious behavior ? Nothing.
If an object behaves itself suspicious, the name of the object doesn't matter, the name is only useful to identify the object. Isn't that logical ?
What I don't understand about TF is that it doesn't detect every keylogging, while keylogging is always a suspicious behavior and the same activity.

simmikie
June 6th, 2008, 02:03 AM
{QUOTE-> It's obvious i'm talking to myself.. <-QUOTE}

not completely. for what it's worth, i thought your explanation nailed it.


Mike