Through the Eyes of a Keylogger versus HIPS
aigle
March 12th, 2009, 05:40 AM
http://www.aplin.com.au/?page_id=531
It seems interesting. Tried it with CFP.
Keys logging -- CFP Passed
Logging of Applications launched and web sites visited --- CFP Failed
Clipboard logging ---- CFP failed
Screen capture ---- CFP PASSED
aigle
March 12th, 2009, 05:41 AM
GesWall
Keys logging -- GW Passed
Logging of Applications launched and web sites visited --- GW Failed
Clipboard logging ---- GW failed
Screen capture ---- GW Passed
Creer
March 12th, 2009, 06:34 AM
DefenseWall:
Keys logging -- Passed (informs about this event, but if you don't click the Terminate button then failed (keys will still be logged))
Logging of Applications launched and web sites visited --- Failed
Clipboard logging ---- Passed (DW informs about this event, and again you have to press the Terminate button on the notification to close the rogue application)
Screen capture ---- Passed
Online Armor (paid v.3.1.0.26):
Keys logging -- Passed
Logging of Applications launched and web sites visited --- Failed
Clipboard logging ---- Passed/Failed (OA only shows information that the running software will be able to record what you type - no information at all about clipboard logging)
Screen capture ---- Passed
aigle
March 12th, 2009, 07:25 AM
Thanks for adding this.
NoIos
March 12th, 2009, 07:48 AM
Thank you for the infos.
Creer
March 12th, 2009, 08:10 AM
You are welcome :)
BTW I sent this file to Jotti and 3 AVs found this file as malicious software:
F-Secure Anti-Virus Found Trojan.Win32.VB.kll
Kaspersky Anti-Virus Found Trojan.Win32.VB.kll
Sophos Antivirus Found Mal/VB-G
I wonder if that's an FP or not :D
chris1341
March 12th, 2009, 08:13 AM
Not exactly HIPS but Zemana is supposedly designed to prevent exactly these types of things.
Results:
Keys logging -- Passed
Logging of Applications launched and web sites visited --- Failed
Clipboard logging ---- Failed
Screen capture ---- Passed
Cheers
Dark Star 72
March 12th, 2009, 08:47 AM
Zemana Antilogger stops this, the one pop-up - blocked, cannot get it to run anymore, simply won't start:
aigle
March 12th, 2009, 09:07 AM
Allow it once and see if you get more alerts about clipboard and screen logging?
Dark Star 72
March 12th, 2009, 09:18 AM
-{ Quote: "Allow it once and see if you get more alerts about clipboard and screen logging?" }-
Will do in a little while when I have a spare minute.
MeFer
March 12th, 2009, 09:28 AM
1-OPFW
Pop-up for all but failed all also.
Keys logging Passed
Screen capture Failed
Clipboard logging Failed
2-ZEMANA
Pop-up for all but;
Keys logging Passed
Screen capture Passed
Clipboard logging Failed
chris1341
March 12th, 2009, 09:31 AM
I think it depends on settings. I had set it to
This I think lets the application launch but should alert on potentially harmful actions. Basically I wanted to see whether Zemana recognised the applications activities as 'potentially harmful'.
Got this which I blocked:
But the result is still this
Cheers
m00nbl00d
March 12th, 2009, 09:59 AM
Can any of you confirm if what I am experiencing corresponds to the reality of things or not.
I tested this, and after that, I noticed something odd with some keys of my keyboard.
I've noticed that now, every time I press ~~ ^^ ´´ ``, they appear twice. I'm not sure whether or not all of you have these same keys on your keyboard, because some languages may not have such accents, or all of them.
Can you tell me if you're also experiencing it?
Thanks
caspian
March 12th, 2009, 10:20 AM
I thought Zemana prevented clipboard logging. Are there any programs that do?
Dark Star 72
March 12th, 2009, 10:57 AM
-{ Quote: "Allow it once and see if you get more alerts about clipboard and screen logging?" }-
Allowed it once and it runs, allows everything. Also tried it with different settings in Zemana and it was blocked without any pop-up at all. Screenshot of settings below. PrevxEdge also blocked it. Needless to say DefenseWall blocks it with a Terminate option.
chris1341
March 12th, 2009, 12:55 PM
Yes, I see. It's these we have different, hence the different results.
I set it like this as I wanted to see how it performed on all 4 areas. Whereas I think on your settings if it recognises even 1 of the 4 it will permanently block the application.
cheers
Dark Star 72
March 12th, 2009, 01:11 PM
-{ Quote: "Yes, I see. It's these we have different, hence the different results.
I set it like this as I wanted to see how it performed on all 4 areas. Whereas I think on your settings if it recognises even 1 of the 4 it will permanently block the application.
cheers" }-
When I tested first time I had Zemana in default settings, it looks as though yours are in Expert Mode. I tried the 'Custom settings' the second time to see what would happen :)
Perhaps have a go in Expert settings tomorrow.
LoneWolf
March 12th, 2009, 02:00 PM
Tested with Malware Defender 2.1.0 beta.
Got an alert every time in all 4 tests.
Chose deny and kill process on each alert.
MD passed with flying colors. :thumb:
jmonge
March 12th, 2009, 02:12 PM
-{ Quote: "Tested with Malware Defender 2.1.0 beta.
Got an alert every time in all 4 tests.
Chose deny and kill process on each alert.
MD passed with flying colors. :thumb:" }-cool thanks buddy:thumb:
PROROOTECT
March 12th, 2009, 03:34 PM
m00nbl00d - I confirm they appear twice ; it is normal ...
chris1341
March 12th, 2009, 03:43 PM
-{ Quote: "Chose deny and kill process on each alert.
MD passed with flying colors. :thumb:" }-
Can anyone confirm? No doubt I've done something wrong but I did as LoneWolf and sure enough MD passed all. Used deny and kill but not create rule. I then ran the app again and chose the combined test. This is what I got. No pop ups from MD.
Rule looks like this
As I say I'm sure it's me and something to do with my original decisions, but some confirmation that others see MD passing would be nice.
Cheers
trjam
March 12th, 2009, 03:53 PM
Edge won't even let it run. Also disabled Edge and it still grabs it.
trjam
March 12th, 2009, 03:56 PM
Prevx disabled and still nabs it.
1000db
March 12th, 2009, 03:59 PM
I tried Netchina and EQSecure (default ruleset) and both would kill the app initially and then let it run after that. I didn't create any rules either.
Iam_me
March 12th, 2009, 04:02 PM
Are some in here crazy? Blocking the app from running does not mean a pass.. ::) ::)
Comodo passes then as well.. and so do most HIPS probably.
trjam
March 12th, 2009, 04:05 PM
Well, I is crazy, and would not catching it initially on install be the most favorable method for protection?
Iam_me
March 12th, 2009, 04:20 PM
-{ Quote: "Well, I is crazy, and would not catching it initially on install be the most favorable method for protection?" }-
I would not catch it either as Comodo does alarm a lot more.. Still I can see how Comodo does not fully pass as it doesn't give the precise alerts that are being asked for..
PrevX has added a signature for this by the look of the alert, is that a pass? No it's not.:wacko: :wacko: This test is supposed to test a technique and should NOT be treated as a virus.. Adding this file to the database is an easy and cheap way to fight this test.. The question remains would it catch this attack if this was modified a bit, making the signature unusable? We don't know since PrevX is relying on a signature in this case.. A good coder could probably make a "real" in the wild keylogger functioning in a similar manner undetected by this signature.. :wacko: :wacko:
Still if you catch the actual technique, the coder would have to find another way to keylog.
jmonge
March 12th, 2009, 04:29 PM
Prevx will catch them all with signature or in the wild when heuristics are on high:)
trjam
March 12th, 2009, 04:30 PM
to me it passes. Anything else is fluff. Any that catch it on install pass. Plain and simple.
Iam_me
March 12th, 2009, 04:50 PM
-{ Quote: "to me it passes. Anything else is fluff. Any that catch it on install pass. Plain and simple." }-
I disagree. If so all pass.. Comodo gives some alerts, blocking those and the app won't run or be able to do anything at all.. Wooho great pass, this is ridiculous..
Adding it to the CIS AV database would also be a pass?
If so all those matousec tests are really easy, an AV with no outbound or inbound filtering could pass them by labelling all of those tests as "potentially bad" or virus or whatever and become the best firewall against leaks.. give me a break.. Who are you trying to fool.. ::) ::)
It's the technique that matters when it comes to these kinds of tests.. A modified version would most likely get UD (undetected) past PrevX.. Adding a single definition is nothing and is NOT an all-round protection against anything. Adding a signature will prove good on paper but if a hacker does a similar application it won't provide decent protection against any attack, since the hacker changes some stuff, tests, bam undetected. If you catch the actual technique a similar program won't be able to fool your software.
wat0114
March 12th, 2009, 05:09 PM
-{ Quote: "Tested with Malware Defender 2.1.0 beta.
Got an alert every time in all 4 tests.
" }-
Hi LoneWolf, your second SS where "Create new process" alert on explorer.exe attempts to create target through-the-eyes-...... needs to be allowed otherwise the tests can't be run. This is just simple stopping of the executable but you have to assume allowing of the executable, even if only temporarily, because in reality this will be the intent.
After that you deny the "Low level keyboard access" as I've done with a permanent rule as seen in my SS's.
The way I see it - and this is unfortunate :( - this test absolutely annihilates MD 2.1.0 beta 1
MD does not alert on the first test - Fails
MD alerts with "Access keyboard in low level"; I deny permanently but screen captures still take place - Fails
Third test - Fails
Fourth test - Fails
Iam_me
March 12th, 2009, 05:11 PM
-{ Quote: "Hi LoneWolf, your second SS where "Create new process" alert on explorer.exe attempts to create target through-the-eyes-...... needs to be allowed otherwise the tests can't be run. This is just simple stopping of the executable but you have to assume allowing of the executable, even if only temporarily, because in reality this will be the intent." }-
Finally someone agreeing and understanding what those tests are made for.. :thumb: :thumb: Block execution is NOT a pass.. *yawn*
aigle
March 12th, 2009, 05:47 PM
-{ Quote: "Hi LoneWolf, your second SS where "Create new process" alert on explorer.exe attempts to create target through-the-eyes-...... needs to be allowed otherwise the tests can't be run. This is just simple stopping of the executable but you have to assume allowing of the executable, even if only temporarily, because in reality this will be the intent.
After that you deny the "Low level keyboard access" as I've done with a permanent rule as seen in my SS's.
The way I see it - and this is unfortunate :( - this test absolutely annihilates MD 2.1.0 beta 1
MD does not alert on the first test - Fails
MD alerts with "Access keyboard in low level"; I deny permanently but screen captures still take place - Fails
Third test - Fails
Fourth test - Fails" }-
Yes, this is the right way to test it against MD.
m00nbl00d
March 12th, 2009, 05:50 PM
-{ Quote: "m00nbl00d - I confirm they appear twice ; it is normal ..." }-
I appreciate your feedback, and was in fact just about to reply on this thread.
Such issue is not related with the keylogger test. I guess it was just a coincidence.
It's a bug in Opera 10 Alpha, latest build.
Thanks
tony62
March 12th, 2009, 06:13 PM
-{ Quote: "
MD does not alert on the first test - Fails" }-
MD passes keylogging for me. 'What Keyloggers see' is running as I type this and I have a permanent deny for 'Access keyboard in low level'.
-{ Quote: "
MD alerts with "Access keyboard in low level"; I deny permanently but screen captures still take place - Fails" }-
This is true, I get a prompt which then suspends TTEOAK, but regardless whether a permanent deny is in place it seems to capture anyway.
Edit: I also received a prompt for the first test.
wat0114
March 12th, 2009, 06:28 PM
-{ Quote: "MD passes keylogging for me. 'What Keyloggers see' is running as I type this and I have a permanent deny for 'Access keyboard in low level'.
" }-
Hi tony,
you mean the keylogger is not logging any keystrokes in test 1? I get the initial alert as seen in the SS from MD which I of course allow otherwise no tests can be run, but then the keylogger logs my keystrokes with no alerts from MD.
tony62
March 12th, 2009, 06:35 PM
-{ Quote: "
you mean the keylogger is not logging any keystrokes in test 1?" }-
That is correct. However it is capturing active window titlebar text.
-{ Quote: " I get the initial alert as seen in the SS from MD which I of course allow otherwise no tests can be run, but then the keylogger logs my keystrokes with no alerts from MD." }-
Yes of course I permit the test to take place and I still get prompted for 'Access keyboard in low level' on both test 1+2, although test 2 fails.
wat0114
March 12th, 2009, 06:44 PM
-{ Quote: "Yes of course I permit the test to take place and I still get prompted for 'Access keyboard in low level' on both test 1+2, although test 2 fails." }-
I see, I don't get the "Access keyboard low level" alert for test 1 ??? Only for test 2 but as in your case MD also fails.
tony62
March 12th, 2009, 06:49 PM
Only latest MD beta running on my system, no other security software:
wat0114
March 12th, 2009, 06:53 PM
I'm asking xiaolin (http://www.wilderssecurity.com/showpost.php?p=1422799&postcount=15) to take a look :)
LoneWolf
March 12th, 2009, 09:01 PM
-{ Quote: "Hi LoneWolf, your second SS where "Create new process" alert on explorer.exe attempts to create target through-the-eyes-...... needs to be allowed otherwise the tests can't be run. This is just simple stopping of the executable but you have to assume allowing of the executable, even if only temporarily, because in reality this will be the intent.
After that you deny the "Low level keyboard access" as I've done with a permanent rule as seen in my SS's.
The way I see it - and this is unfortunate :( - this test absolutely annihilates MD 2.1.0 beta 1
MD does not alert on the first test - Fails
MD alerts with "Access keyboard in low level"; I deny permanently but screen captures still take place - Fails
Third test - Fails
Fourth test - Fails" }-
Yes I did allow the first pop up from MD to let it execute and got an alert on all the tests which I simply chose deny and kill process.
Your testing took it further, I'll be waiting to hear what xiaolin has to say about this test.
s23
March 12th, 2009, 09:10 PM
I run with Mamutu and DriveSentry and the 2 fail at all tests. No alerts are displayed for mamutu. DriveSentry alert only for a write to the disk for a creation of a .tmp file before and after the test.
wat0114
March 12th, 2009, 09:22 PM
-{ Quote: "Yes I did allow the first pop up from MD to let it execute and got an alert on all the tests which I simply chose deny and kill process.
Your testing took it further, I'll be waiting to hear what xiaolin has to say about this test." }-
Fair enough LoneWolf, and xiaolin has confirmed MD's not yet ready to protect against this type of action:
-{ Quote: "MD can pass the first test only. There is no protection for screen/clipboard capturing yet." }-
fce
March 12th, 2009, 10:03 PM
KIS denied me to download the file....kill joy! ;D
Anybody try it using KIS2009 (OS: Vista)?
EASTER
March 12th, 2009, 10:26 PM
-{ Quote: "KIS denied me to download the file....kill joy! ;D
Anybody try it using KIS2009 (OS: Vista)?" }-
That's the easy way out.
This test is designed to run it, and then objectively observe the results of your security apps if they are capable of suspending it long enough to kill it, or simply strong enough to block all 3 attempts.
Nifty new test however, my congrats on another test app especially as to do with keylogging.
EASTER
chris1341
March 13th, 2009, 04:35 AM
-{ Quote: "KIS denied me to download the file....kill joy! ;D
Anybody try it using KIS2009 (OS: Vista)?" }-
I disabled anti-malware to facilitate the download. The application filtering then examines it as it is not listed good or bad. Unsurprisingly, as KIS flags it as a trojan, the application filtering puts it into untrusted. This stops it from running.
If you move it to Low Restricted or High Restricted KIS2009 on Vista 32 fails all the tests.
Depends how you look at it. You either think KIS nailed it early so no need to worry or like me you are a little disappointed that in Low or High restricted it did not generate an alert or other action.
Cheers
fce
March 13th, 2009, 06:03 AM
so KIS2009 automatically put it on to untrusted apps....is that the right way to pass this kind of test for KIS2009 or you need to put it on to High/Low restriction to see if KIS will pass the test?
btw, what's your KIS set up?
Iam_me
March 13th, 2009, 06:07 AM
SUSPENDING OR KILLING THE APPLICATION IS NOT A PASS..
If so a classical HIPS (still the strongest thing out there against anything) such as CIS passed ALL TESTS, as it is capable of stopping all applications from starting upon execution; it's "bullet proof" in that sense, nothing bad or unknown can run without popups..
ALL VIRUSES, TROJANS, MALWARE AND TESTS.. THERE IS NOT A SINGLE ONE OF THEM THAT YOU CAN'T SUSPEND WITH CIS..
A signature is absolutely not a pass.. And on top of that Kaspersky labels it the wrong way.
Are those 4 techniques caught is the question? Adding a single signature won't provide protection against the attack in those tests, just the test itself, which is harmless. Would it catch a real keylogger doing a similar thing is the question.. Relying on a signature means that yes, this harmless test won't run, but a similar app using the same attack would fool you. Catching the technique is much better and means that you are protected from the actual attack and no modified variant can fool you.
Iam_me
March 13th, 2009, 06:13 AM
Ofc don't get me wrong..
It's not a fail for Kaspersky, we don't know Kasp's results yet..
This is a HIPS Test.. And that is what are supposed to be tested..
Not the antivirus part.. :) :)
chris1341
March 13th, 2009, 07:05 AM
-{ Quote: "so KIS2009 automatically put it on to untrusted apps....is that the right way to pass this kind of test for KIS2009 or you need to put it on to High/Low restriction to see if KIS will pass the test?
btw, what's your KIS set up?" }-
Each to their own. I'm sure most would say the fact that the intentions of the programme were recognised by KIS and blocked at point of download, write and execution then even if these were bypassed subsequently made the app untrusted is a pass.
I'd just have been happier if a High Restricted programme was also prevented from logging key strokes/capturing screens etc. It would be interesting to see KIS results on XP where the HIPS features dig deeper.
The test is deliberately not designed for this but from the areas protected it is likely on High Restricted an alert would have been given had the application tried writing the data to a file or phoning home.
Settings are fairly standard except I select all of the pro-active defence categories and do not automatically trust signed applications.
Cheers
chris1341
March 13th, 2009, 07:16 AM
-{ Quote: "
A signature is absolutely not a pass.. And on top of that Kaspersky labels it the wrong way.
" }-
Agreed, that's why I avoided the signature based detection and tested against KIS HIPS capabilities.
KIS examined the app as it is not (or was not) on their white or black list and it made it untrusted. Not based on signature but by the apps likely activities. I deliberately moved the app to the other 2 standard KIS HIPS categories Low and High restricted to test them out. Both of which failed to prevent the apps activities.
Cheers
Iam_me
March 13th, 2009, 07:22 AM
Good, thats what I wanted to know.
You can't pass leaktests with an antivirus either, it doesn't have that functionality..
That's fighting the test and not the actual problem.
fce
March 13th, 2009, 08:46 AM
-{ Quote: "Agreed, that's why I avoided the signature based detection and tested against KIS HIPS capabilities.
KIS examined the app as it is not (or was not) on their white or black list and it made it untrusted. Not based on signature but by the apps likely activities. I deliberately moved the app to the other 2 standard KIS HIPS categories Low and High restricted to test them out. Both of which failed to prevent the apps activities.
Cheers" }-
Does it mean that KIS2009's built-in HIPS is weak against this kind of keylogger, and do you have recommended security software I should team up with KIS and Sandboxie to protect me against keyloggers?
Also, I don't know how the virtual keyboard of KIS will work against this kind of keylogger.
chris1341
March 13th, 2009, 09:39 AM
Getting a bit OT probably but this link might interest you. http://www.wilderssecurity.com/showthread.php?t=219377.
I thought Zemana would help but not so sure after these tests! Defensewall will alert but not stop until you choose to terminate I think. If you find anything else give a holler!
Cheers
LagerX
March 13th, 2009, 09:50 AM
AntiLogger 1.7.2.973 (Friday, March 13, 2009):
* Improved : Improved detection of autostart locations.
* Fixed : Fixed a bug that will result msconfig or regedit to not functioning properly.
* Fixed : A tray icon bug fixed.
* Fixed : Fixed a bug that will result AntiLogger to freeze in some situations.
* Fixed : Many small bugfixes and improvements.
Maybe someone can test this version of Zemana's AntiLogger?
Creer
March 13th, 2009, 09:56 AM
-{ Quote: "(...)
I thought Zemana would help but not so sure after these tests! Defensewall will alert but not stop until you choose to terminate I think. If you find anything else give a holler!
Cheers" }-
That is correct.
One person from another forum tested Privacy Keyboard on this test and he told that it passed every test with flying colors; can anyone confirm that?
Dark Star 72
March 13th, 2009, 11:11 AM
-{ Quote: "That is correct.
One person from another forum tested Privacy Keyboard on this test and he told that it passed every test with flying colors; can anyone confirm that?" }-
Just downloaded Privacy Keyboard and tried it,
Keyloggers - Fail
Screenlogger - Pass
Clipboard logger - Fail
trjam
March 13th, 2009, 11:17 AM
:thumb: AppGuard shut this one down too. Amazing.
Dark Star 72
March 13th, 2009, 11:56 AM
-{ Quote: "AntiLogger 1.7.2.973 (Friday, March 13, 2009):
* Improved : Improved detection of autostart locations.
* Fixed : Fixed a bug that will result msconfig or regedit to not functioning properly.
* Fixed : A tray icon bug fixed.
* Fixed : Fixed a bug that will result AntiLogger to freeze in some situations.
* Fixed : Many small bugfixes and improvements.
Maybe someone can test this version of Zemana's AntiLogger?" }-
Updated Zemana to new version, Disabled Zemana and downloaded the Eyes of a Keylogger test to my desktop. Enabled Zemana protection and ran first test "What the keyloggers see" Zemana pop-up blocked it and none of the other tests will run. This time Zemana is alerting when the tests are run, not on the download of the tests.
3x0gR13N
March 13th, 2009, 02:52 PM
KIS 2009 passes Keylogging and screenlogging, fails clipboard logging (doesn't have that functionality)
Keylogging is detected regardless of HIPS group, to pass screenlogging it should be placed in High restricted (or just modify Low restricted to prompt on such activities).
XP SP3 ;)
Creer
March 13th, 2009, 02:57 PM
-{ Quote: "Just downloaded Privacy Keyboard and tried it,
Keyloggers - Fail
Screenlogger - Pass
Clipboard logger - Fail" }-
Thanks Dark Star :thumb:
runoades
March 13th, 2009, 06:34 PM
Avira Premium results;
Keyloggers - Passed
Screenlogger - Passed
Clipboard logger - Passed
http://i44.tinypic.com/15ew8qq.jpg
Creer
March 13th, 2009, 06:51 PM
-{ Quote: "Avira Premium results;
Keyloggers - Passed
Screenlogger - Passed
Clipboard logger - Passed
http://i44.tinypic.com/15ew8qq.jpg" }-
Yes cool, but Avira do not have HIPS - only signatures.
s23
March 13th, 2009, 07:17 PM
Threatfire failed too (tested with default config). No alerts displayed. Please confirm, but it looks like BB at the moment does not offer the same security as a classical HIPS (at least HIPS like D+ don't block but alert about what's going on, right?)
Iam_me
March 13th, 2009, 07:33 PM
*darn* Can't you guys see what this truly is?
It's a test..
Passing the test by signature is called "fighting the test and not the real problem." You are NOT protected from the actual PROBLEM.. If this file gets modified it would easily bypass all those "signature" detection based stuff..
And blocking its execution is still not considered a pass either. There's no "wow" factor of that, CIS easily prevents this from running and so do all HIPS I suppose. The question is, would you be alerted if an application that you let run starts monitoring your keyboard?
PrevX so far - UNKNOWN
AppGuard - UNKNOWN
Avira Premium - FAIL, it's a HIPS test dammit.. :argh: :argh:
Understand that, if an AV detects it or not doesn't matter, you are still not protected from the attack that way. As this is just an example attack and a modified attack (file) using a similar technique would monitor your keystrokes without a problem until your AV vendor gets the sample, no doubts about it.. And that can take time, sometimes a keylogger is undetected for hours, other times weeks or more..
Iam_me
March 13th, 2009, 07:58 PM
-{ Quote: "Threatfire failed too(tested with default config.)No alerts displayed. Please confirm, but looks like BB at moment not offer the same security as a classical HIPS(at least HIPS like D+ don't block but alert about what's going on right?)" }-
Correct, classical HIPS is the strongest thing out there, saying something else is a lie.. A BB is not bad but a HIPS is stronger.. Much stronger.. And D+ can block this test from running, just set it to proactive security, doubt you even have to do that, but what the heck, and click no to the alerts. :wacko: ::) DIES. But that's not how you are supposed to do this test..
Due to its design a BB will never be as strong as a classical HIPS.. but that doesn't mean it will offer bad protection..
wat0114
March 13th, 2009, 08:28 PM
-{ Quote: "
Its a test..
Passing the test by signature is called "fighting the test and not the real problem." You are NOT protected from the actual PROBLEM.. If this file gets modified it would easily bypass all those "signature" detection based stuff.." }-
I support Iam_me's statements - well put I might add - on determining the effectiveness of the tested security products against this keylogger.
-{ Quote: "And blocking its execution is still not considered a pass either. There's no "wow" factor of that, CIS easily prevents this from running and so do all HIPS I suppose. The question is, would you be alerted if an application that you let run starts monitoring your keyboard?
" }-
It can be difficult to resist the feeling of satisfaction that arises upon seeing the security product alert on attempted execution of the test file (it's happened to me before), but as long as the test emulates the common situation where the downloaded file is intended without reserve to be launched by the user, then stopping its execution attempt is meaningless; only the behaviour of the file after it's launched and how effectively the security product detects and reports the subsequent behaviour, as well as the effectiveness of the user is at interpreting and responding to the warnings is what truly matters.
I would contend, however, that blocking a file's attempted execution if it's not expected is certainly a valid response under this circumstance.
s23
March 13th, 2009, 09:17 PM
@ Iam_me "...And D+ can block this test from running just set it to proactive security..." This is the first mode in which I did the test :) . And really the test can be easily blocked on the first execution. But it's like you say... this is not how the test needs to be executed...
But I have a doubt and if anyone here can explain it to me, please: When I run the test with D+, I run the test through Sandboxie and write and manipulate the clipboard in a notepad in the real system; if the clipboard for the systems (real and virtual) is the same (or they can communicate), is there no chance to use this to escape the virtual system? Or send anything to the real system? Sorry if this is a little offtopic or a dumb question.
EASTER
March 13th, 2009, 10:59 PM
Excuse me but I beg to differ on the suspend MODE, once an app (any one) is SUSPENDED, IT IS EFFECTIVELY STOPPED OR ABORTED from proceeding. That paralyzed program cannot send or infect no matter what once it's ABORTED.
But it is up to the user to delete it completely since it entered the system at the start.
EASTER
Coolio10
March 14th, 2009, 12:26 PM
-{ Quote: "KIS 2009 passes Keylogging and screenlogging, fails clipboard logging (doesn't have that functionality)
Keylogging is detected regardless of HIPS group, to pass screenlogging it should be placed in High restricted (or just modify Low restricted to prompt on such activities).
XP SP3 ;)
" }-
Still good. Most apps can't stop clipboard logging because it doesn't seem to be important. I doubt people copy and paste their credit card info.
fce
March 14th, 2009, 01:57 PM
-{ Quote: "Still good. Most apps can't stop clipboard logging because it doesn't seem to be important. I doubt people copy and paste their credit card info." }-
Sometimes I copy-paste my c/c
Coolio10
March 14th, 2009, 03:20 PM
-{ Quote: "Sometimes I copy-paste my c/c" }-
Aren't you scared someone will come to your computer and paste by accident? Happens to me sometimes since copy doesn't always work first time.
lu_chin
March 15th, 2009, 12:20 AM
I think screen logging will probably concern more about privacy than security as most passwords are hidden by circular dots when logging in at most https: sites. Rarely do I see actual password characters shown as they are typed.
EASTER
March 15th, 2009, 03:48 PM
Snoop Free seemed to block it, I say seemed because after clicking DENY I could still type in the box in #1 but #2 & #3 were effectively empty.
EASTER
jmonge
March 15th, 2009, 03:54 PM
SnooPFree still has some power ;)
Kees1958
March 15th, 2009, 04:09 PM
-{ Quote: "KIS 2009 passes Keylogging and screenlogging, fails clipboard logging (doesn't have that functionality)
Keylogging is detected regardless of HIPS group, to pass screenlogging it should be placed in High restricted (or just modify Low restricted to prompt on such activities).
XP SP3 ;)
" }-
What excellent descriptions KAV provides, even a fool would choose the correct options :thumb: :thumb: :thumb:
aigle
March 15th, 2009, 06:57 PM
Kees! Sure a fool can't. :)
EASTER
March 15th, 2009, 07:18 PM
-{ Quote: "SnooPFree still has some power ;)" }-
Indeed jmonge
I didn't expect those results but it done alright at least with this TEST, I'm sure there's others that would run past snoop's driver so it would be a nice find for snoopfree to update it again. It's a very simple app and requires no maintenance except to just let it go and respond when it's aroused to a potential no no.
subset
March 15th, 2009, 09:44 PM
-{ Quote: "
Keylogging is detected regardless of HIPS group,... " }- Keylogger detection was and still is a part of Proactive Defense, that's why KAV protects against Keyloggers even without Application Filtering module.
Cheers
3x0gR13N
March 16th, 2009, 12:18 PM
-{ Quote: "Keylogger detection was and still is a part of Proactive Defense, that's why KAV protects against Keyloggers even without Application Filtering module.
Cheers" }-
Also, KAV 2009 doesn't detect keyloggers which are using hook installation method. KIS does. :)
Less
March 18th, 2009, 12:46 AM
for twister av.....did not try further ....
vijayind
March 18th, 2009, 03:54 AM
-{ Quote: "Also, KAV 2009 doesn't detect keyloggers that use the hook installation method. KIS does. :)" }-
Note: KIS 09 has proactive protection only in XP, and not in Vista.
So if subnet ran KAV/KIS 09 on Vista, there would be no popups.
3x0gR13N
March 18th, 2009, 05:07 AM
-{ Quote: "Note: KIS 09 has full proactive protection only in XP. And limited in Vista.
" }-
Fix'd ;)
(when you say "proactive protection", keylogger detection isn't the only available proactive protection :))
DOSawaits
March 18th, 2009, 07:08 AM
These kinds of tests once again show that most (actually ALL) HIPS software is, uhm, well, kind of useless.
I bet the more experienced (malware) programmers still have a couple of thousand methods at hand to bypass any HIPS, no matter how many times it has been "upgraded"... And then we still haven't spoken of the techniques investigation agencies use... ::)
Also, for the noobs: you HAVE TO LET IT START! This tool is an example, but once some jerk adds this code to your beloved "Image Viewer v2.14.163.exe" and you want to have the latest and greatest of your beloved image viewer, you're screwed.
aigle
March 18th, 2009, 07:19 AM
-{ Quote: "These kinds of tests once again show that most (actually ALL) HIPS software is, uhm, well, kind of useless." }-
In fact the opposite is true. HIPS are very useful against most current malware.
However, they can be bypassed if malware is written with that intention by malware writers. However, as HIPS users are few, malware writers will not bother with all this.
vijayind
March 18th, 2009, 08:23 AM
-{ Quote: "Fix'd ;)
(when you say "proactive protection", keylogger detection isn't the only available proactive protection :))" }-
When? :o ... In beta?? I am running KIS09 on Vista right now and I don't see it detecting any loggers.
Also, in Vista the whole proactive subset is limited. I am sure you know this, since we have discussed the same many times. The Rules available in KIS 09 on Vista are hogwash, IMO. Hope that's about to change soon.
chris1341
March 18th, 2009, 09:38 AM
-{ Quote: "When? :o ... In beta?? I am running KIS09 on Vista right now and I don't see it detecting any loggers.
Also, in Vista the whole proactive subset is limited. I am sure you know this, since we have discussed the same many times. The Rules available in KIS 09 on Vista are hogwash, IMO. Hope that's about to change soon." }-
Agreed. As stated earlier in this thread, KIS09 (well, at least .506) fails all these tests on Vista 32, by way of example.
Also hoping for change soon, although I don't see it discussed anywhere. HIPS talk seems to be about whether manual allocation to groups is a good idea for 2010 rather than about enhancing what is protected.
Cheers
3x0gR13N
March 18th, 2009, 09:42 AM
-{ Quote: "When? :o ... In beta?? I am running KIS09 on Vista right now and I don't see it detecting any loggers.
Also, in Vista the whole proactive subset is limited. I am sure you know this, since we have discussed the same many times. The Rules available in KIS 09 on Vista are hogwash, IMO. Hope that's about to change soon." }-
Sorry, I misunderstood your post. I thought you were talking about proactive protection in general, not limited to keylogger detection (that's why I said "when you say "proactive protection", keylogger detection isn't the only available proactive protection"). :)
The beta is not yet out, so it's hard to say what will happen regarding Vista/W7 and HIPS. :)
Sorry for the confusion. :)
vijayind
March 19th, 2009, 12:23 AM
OK, 3x0gR13N... No damage done :thumb:
simisg
March 20th, 2009, 06:28 AM
ANTIVIR 9 DETECTS THIS SOFTWARE ON THE FLY WHEN YOU TRY TO DOWNLOAD... SPR/KEYLOGGER PROGRAM!!
Creer
March 20th, 2009, 06:31 AM
-{ Quote: "ANTIVIR 9 DETECTS THIS SOFTWARE ON THE FLY WHEN YOU TRY TO DOWNLOAD... SPR/KEYLOGGER PROGRAM!!" }-
Yes, but this is not HIPS; it is only a database AV signature.
simisg
March 20th, 2009, 06:33 AM
IT IS VERY INTELLIGENT GERMAN SOFTWARE... SMARTER THAN HIPS ;D
LoneWolf
March 20th, 2009, 06:36 AM
-{ Quote: "IT IS VERY INTELLIGENT GERMAN SOFTWARE... SMARTER THAN HIPS ;D" }-
It is an excellent AV, but it still only detected this from sigs.
Unlike a HIPS, whose detection would come from behavior.
simisg
March 20th, 2009, 06:43 AM
This is not true! Strong heuristics is behavior... based on signatures :P
simisg
March 20th, 2009, 06:47 AM
Never mind, it's better to detect everything without a question; that's genius. But in a perfect Windows world.
R3XNebular
March 20th, 2009, 06:49 AM
-{ Quote: "IT IS VERY INTELLIGENT GERMAN SOFTWARE... SMARTER THAN HIPS ;D" }-
Could you restrain yourself from using CAPS? IT IS VERY AGITATING!
Creer
March 20th, 2009, 06:50 AM
-{ Quote: "This is not true! Strong heuristics is behavior... based on signatures :P" }-
A few days ago, when aigle posted this thread, I tested this software on Avira and Avira didn't detect it. When I uploaded the file to Jotti, only 3 AVs found this file malicious:
http://www.wilderssecurity.com/showpost.php?p=1422422&postcount=6
Any questions?
EASTER
March 20th, 2009, 06:54 AM
-{ Quote: "This is not true! Strong heuristics is behavior... based on signatures :P" }-
Never thought of them that way, but it's a good point to make and not so far from the truth.
simisg
March 20th, 2009, 07:00 AM
Sorry for caps... Respect to all free software, my friends. Bye.
agentG
April 8th, 2009, 04:43 AM
Hi all,
My name is Neo - I wrote "Through the Eyes of a Keylogger".
After being on holidays for 3 weeks, it has just come to my attention that for at least some time, a version of "Through the Eyes of a Keylogger" available at my site was infected with a Trojan.
I have no idea how the trojan got there. The version I first uploaded earlier this year did not have a trojan. (I have checked my archived copy of it.)
In any case, I have deleted the infected version, and have re-uploaded the original, clean "Through the Eyes of a Keylogger" to the website. To be clear, if you (re)download "Through the Eyes of a Keylogger" from www.aplin.com.au you will get a clean version.
I have been working to protect people against malicious software - I'm embarrassed to find that my software was infected. I will now perform regular checks of the online program versions, and you will soon see checksums of my original files published on my site - for your protection.
...just wanted to clear any confusion about the purpose of the tool.
If (after downloading the version that's on the site now) your security software says that it is a key/screen logger, well, that's correct (it just doesn't save or send anything anywhere). But if your security software says it's a trojan...then don't use it. I sure didn't program a trojan into it! :)
By the way - if you have any improvement suggestions or questions on "Through the Eyes of a Keylogger" or Neo's SafeKeys, I'm happy to hear them.
Cheers. Neo.
Kees1958
April 8th, 2009, 04:52 AM
Neo,
Would you be so kind to tell which trojan it was, so people can check whether they were infected or not?
Thanks Kees
agentG
April 8th, 2009, 05:07 AM
-{ Quote: "Neo,
Would you be so kind to tell which trojan it was, so people can check whether they were infected or not?
Thanks Kees" }-
Hi Kees. My virus checker told me it was "Generic.dx".
BrendanK.
April 8th, 2009, 05:11 AM
Hmm. Can you send me the file (infected) through PM so I can analyze it further and see the modifications it makes.
Creer
April 8th, 2009, 05:19 AM
-{ Quote: "Hi Kees. My virus checker told me it was "Generic.dx"." }-
Here are the results when I uploaded this file to VT:
http://www.wilderssecurity.com/showpost.php?p=1422422&postcount=6
agentG
April 8th, 2009, 05:23 AM
-{ Quote: "Hmm. Can you send me the file (infected) through PM so I can analyze it further and see the modifications it makes." }-
I wish I could, but I deleted the infected file. (Now, I can't believe I did it.)
Sorry.
Creer
April 8th, 2009, 05:44 AM
-{ Quote: "I wish I could, but I deleted the infected file. (Now, I can't believe I did it.)
Sorry." }-
I have found this file on my second disk.
BrendanK.
April 8th, 2009, 07:14 AM
-{ Quote: "I have found this file on my second disk." }-
Send it to me please :)
BrendanK.
April 8th, 2009, 07:15 AM
Files on TE as well:
http://www.threatexpert.com/report.aspx?md5=ec9e11864cb294766fca5fccc5f17f9a
ronjor
April 8th, 2009, 09:08 AM
A reminder. This is not a malware trading forum.
BrendanK.
April 8th, 2009, 10:36 AM
-{ Quote: "A reminder. This is not a malware trading forum. " }-
Ron we are not trading. Simply trying to find out what malware has infected us (if it is malware), and how to get rid of it. :)
DOSawaits
April 8th, 2009, 11:01 AM
Something, deep inside me, is not surprised at all with this "incident" ......
BrendanK.
April 8th, 2009, 11:06 AM
Well 26 virus labs now have a sample and will be testing it :D I'll post my results in the morning.
Coolio10
April 8th, 2009, 03:43 PM
It's scary how only 3 AVs detected it. Proof that it doesn't matter what percentage an AV got on a test if it misses the one virus you're actually infected with (Avira).
Coolio10
April 8th, 2009, 03:45 PM
-{ Quote: "Hi all,
My name is Neo - I wrote "Through the Eyes of a Keylogger".
After being on holidays for 3 weeks, it has just come to my attention that for at least some time, a version of "Through the Eyes of a Keylogger" available at my site was infected with a Trojan.
I have no idea how the trojan got there. The version I first uploaded earlier this year did not have a trojan. (I have checked my archived copy of it.)
In any case, I have deleted the infected version, and have re-uploaded the original, clean "Through the Eyes of a Keylogger" to the website. To be clear, if you (re)download "Through the Eyes of a Keylogger" from www.aplin.com.au you will get a clean version.
I have been working to protect people against malicious software - I'm embarrassed to find that my software was infected. I will now perform regular checks of the online program versions, and you will soon see checksums of my original files published on my site - for your protection.
...just wanted to clear any confusion about the purpose of the tool.
If (after downloading the version that's on the site now) your security software says that it is a key/screen logger, well, that's correct (it just doesn't save or send anything anywhere). But if your security software says it's a trojan...then don't use it. I sure didn't program a trojan into it! :)
By the way - if you have any improvement suggestions or questions on "Through the Eyes of a Keylogger" or Neo's SafeKeys, I'm happy to hear them.
Cheers. Neo." }-
Hi Neo. I don't think you should be embarrassed. It would be embarrassing if you knew it contained a trojan and didn't tell us for fear of ruining your reputation. I think it allows us to trust you if you're not scared to tell us of a small mess-up.
Joeythedude
April 8th, 2009, 04:48 PM
+ 1
Tried test 1 vs KeyScrambler and it seems OK.
Joeythedude
April 8th, 2009, 05:08 PM
Could the test still be infected?
I downloaded it now and got this virus scan result:
http://www.virustotal.com/analisis/8574d4402e0625c87b6cc13148d0e06c
Checked it with ThreatFire, which has now hung.
agentG
April 8th, 2009, 06:24 PM
Hi all,
I'm at a loss as to why the replaced version is coming up in some checkers as a trojan.
In an attempt to get to the bottom of this, I have done the following:
I have released the next version, today (a bit premature as it doesn't have the full featureset yet, but having the next version is a good test).
You can download here: http://www.aplin.com.au/?page_id=443
Here is its MD5Sum: 22bf4c3e32e9555eb68ab617ec761dde
I have checked every line of code - there is NO trojan programmed here.
If people find that some checkers state that it has a trojan in this new program, I can only suggest two possibilities:
some virus checkers are giving false positives
my compiler is somehow inserting trojan code into the program?
(...perhaps others more versed in viruses/trojans can suggest other alternatives.)
To show that I'm serious about security; if I can't resolve this issue to my satisfaction, I will take down Through The Eyes of a Keylogger permanently.
Neo.
Coolio10
April 8th, 2009, 06:49 PM
-{ Quote: "Hi all,
I'm at a loss as to why the replaced version is coming up in some checkers as a trojan.
In an attempt to get to the bottom of this, I have done the following:
I have released the next version, today (a bit premature as it doesn't have the full featureset yet, but having the next version is a good test).
You can download here: http://www.aplin.com.au/?page_id=443
Here is its MD5Sum: 22bf4c3e32e9555eb68ab617ec761dde
I have checked every line of code - there is NO trojan programmed here.
If people find that some checkers state that it has a trojan in this new program, I can only suggest two possibilities:
some virus checkers are giving false positives
my compiler is somehow inserting trojan code into the program?
(...perhaps others more versed in viruses/trojans can suggest other alternatives.)
To show that I'm serious about security; if I can't resolve this issue to my satisfaction, I will take down Through The Eyes of a Keylogger permanently.
Neo." }-
I believe they are FPs. I am using KIS 09 right now and it still detects it, but Kaspersky has no information about it. I am guessing Kaspersky seems to be catching it based on filename or something, since it has no idea what the so-called virus even does.
See Kaspersky detection page: http://www.viruslist.com/en/search?VN=Trojan.Win32.VB.neo
EDIT: Tried with the new beta and it is reported clean by KIS 09.
Joeythedude
April 8th, 2009, 07:02 PM
I wouldn't mind the virus scans, but that TF hang worried me a little.
Anyhow, scanning away with MBAM, so hopefully nothing will be found.
Will try the new version with TF after that.
Joeythedude
April 8th, 2009, 07:09 PM
I just downloaded it again now.
When I sent it to VirusTotal it said it was this MD5 checksum:
03e787cab7f69a90a74b6fd1ee361ec4
which is also the result that this tool gives:
http://www.winmd5.com/
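Neo's plan to publish checksums of his original files, and the hash comparison Joeythedude performs above between VirusTotal and WinMD5, both come down to the same check: does the file you downloaded hash to the value the author published? The following is an added example, not code from the thread or from Neo's tool, of how a practitioner would automate that check against an md5sum/sha256sum-style manifest. The sample file contents and the filenames are constructed for illustration; the one MD5 value reused from the thread is the checksum Neo posted for his next version, attached here to an assumed filename simply to show the "file not present" path.

```python
"""Verify downloaded files against a checksum manifest (md5sum / sha256sum format).

Added example for illustration; it is not Neo's code. Sample bytes,
filenames and the manifest below are constructed inline so it runs offline.
"""
import hashlib
import hmac
import re

# One manifest line: "<hex digest><whitespace>[*]<filename>", as md5sum/sha256sum emit.
MANIFEST_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+\*?(.+?)\s*$")

# Digest length in hex characters -> hashlib algorithm name.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the given bytes with the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def algo_for_digest(digest: str) -> str:
    """Infer the hash algorithm from the digest length; reject unknown lengths."""
    algo = _ALGO_BY_HEX_LEN.get(len(digest))
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(digest)}: {digest!r}")
    return algo


def parse_manifest(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest, skipping blank and '#' comment lines."""
    entries: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify(manifest_text: str, files: dict[str, bytes]) -> dict[str, str]:
    """Return filename -> 'OK' | 'MISMATCH' | 'MISSING' for every manifest entry.

    `files` stands in for the downloaded files (name -> content) so the
    example needs no filesystem; a real tool would read each path instead.
    """
    results: dict[str, str] = {}
    for name, expected in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = file_digest(data, algo_for_digest(expected))
        # compare_digest avoids timing side channels; harmless here, good habit.
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one clean copy, one swapped copy, one file not downloaded."""
    clean = b"MZ\x90\x00constructed clean build of the demo tool"
    tampered = clean + b"\x00appended stand-in for an unwanted payload"
    manifest = "\n".join([
        "# sha256 lines derived from the constructed clean build above",
        f"{file_digest(clean)}  tteok_clean.exe",
        f"{file_digest(clean)}  tteok.exe",
        # MD5 posted by Neo for his next version; filename is an assumption.
        "22bf4c3e32e9555eb68ab617ec761dde  tteok_next.exe",
    ])
    downloads = {"tteok_clean.exe": clean, "tteok.exe": tampered}
    return verify(manifest, downloads)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Two caveats a practitioner would add. A checksum served from the same web server as the download only catches corruption or a partial compromise: whoever can swap the binary can usually swap the manifest too, so a hash published out of band, or better a detached signature over the file, is what actually proves provenance. And MD5 is collision-broken, so a manifest meant to detect deliberate tampering should carry SHA-256 values; the parser above accepts both only so that older MD5 manifests like the one in this thread can still be checked.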
BrendanK.
April 8th, 2009, 09:19 PM
Well, no lab has said it has a trojan; however, they say it is a privacy risk, watching keystrokes... Duhh. :-\
I wonder if they are just analyzing the surface or delving deeper?
Maybe it's just FP's?
Kees1958
April 9th, 2009, 04:50 AM
-{ Quote: "Well, no lab has said it has a trojan; however, they say it is a privacy risk, watching keystrokes... Duhh. :-\
I wonder if they are just analyzing the surface or delving deeper?
Maybe it's just FP's?" }-
No, I had a different piece of malware in C:\Windows\system32. The executable itself is listed as a general keystroke PUP or something (might be a general classification after this incident).
agentG
April 16th, 2009, 08:03 PM
Hi all,
Even though I first reported that Through the Eyes of a Keylogger was infected, I now believe that virus checkers are issuing false positives when scanning the program. I do not know why - this program does not save anything or send anything anywhere - it just presents info on the screen for you to see (information that is lost once you close the program). It does not do any malicious activity.
Even though I'm 100% sure that these are false positives, and that any malware activity is NOT associated with Through the Eyes, I have removed the utility from my site.
The tool was supposed to assist people to understand the dangers of keyloggers (and to help me to write better versions of Neo's SafeKeys to combat keyloggers). But I'd rather not have people misunderstand my intentions if they get false positives.
I'd like to thank the members of this forum in helping me investigate this issue.
Cheers,
Neo.
aigle
April 16th, 2009, 08:15 PM
No need to remove it when it's clean. You can just post a warning on the web site about possible detection by some AVs as malware, and it may even be true due to the very nature of the software.
agentG
April 16th, 2009, 10:21 PM
-{ Quote: "No need to remove it when it's clean. You can just post a warning on the web site about possible detection by some AVs as malware, and it may even be true due to the very nature of the software." }-
True, but I don't see too many non-tech users wanting to download and use a program that admits it may be blocked by virus checkers as malware.
...my main aim in publishing this tool was to show people what keyloggers are, what they can do, and how insidious they are. In short, to show non-technical people how they shouldn't just do their banking etc. on a public terminal when on holidays (without some form of protection, or knowing the risks).
I don't think that too many non-technical people would be prepared to run a program that admits to possible detection as malware (albeit incorrectly detected).
I'm quite happy to send program Through the Eyes of a Keylogger to anyone who would like it - just PM me.
dell boy
May 30th, 2009, 05:09 AM
Has anyone tried this on Firefox with KeyScrambler running? If so, what does it come out as? I would like to know that what I'm using is safe.
chris1341
May 30th, 2009, 05:18 AM
-{ Quote: "Has anyone tried this on Firefox with KeyScrambler running? If so, what does it come out as? I would like to know that what I'm using is safe." }-
Yeah, I did. The free version of KeyScrambler prevented keystroke logging on Firefox in this test at least (and most of AKLT also), but as you might expect it did not prevent screen capture or clipboard logging. Not sure about the paid version.
Cheers
zen_usuario
June 2nd, 2009, 08:21 PM
-{ Quote: "True, but I don't see too many non-tech users wanting to download and use a program that admits it may be blocked by virus checkers as malware.
...my main aim in publishing this tool was to show people what keyloggers are, what they can do, and how insidious they are. In short, to show non-technical people how they shouldn't just do their banking etc. on a public terminal when on holidays (without some form of protection, or knowing the risks).
I don't think that too many non-technical people would be prepared to run a program that admits to possible detection as malware (albeit incorrectly detected).
I'm quite happy to send program Through the Eyes of a Keylogger to anyone who would like it - just PM me." }-
Hi agentG,
But... it's still available for download from your main page under the other-languages page translation, and the application is the same English one. Why?
Thanks
agentG
June 2nd, 2009, 10:44 PM
-{ Quote: "Hi agentG,
But......It's still available for download from your main page under other languages page traduction, and the application is the same english. Why?
Thanks" }-
Hm... strange. Looks like the page is cached by the translation plugin (even though it is now deleted).
I have now removed the application from that directory, and have scheduled a re-caching of the pages over the next couple of days.
Thanks for letting me know, zen_usuario.
zen_usuario
June 6th, 2009, 04:24 AM
-{ Quote: "Hm... strange. Looks like the page is cached by the translation plugin (even though it is now deleted).
I have now removed the application from that directory, and have scheduled a re-caching of the pages over the next couple of days.
Thanks for letting me know, zen_usuario." }-
I'm glad to see I've helped you with this information.
Thanks to you :thumb: