Trusteer Rapport

Discussion in 'other anti-malware software' started by Frank the Perv, Feb 22, 2015.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Is Zemana easier to use, and does it do as good a job?
     
  2. GreenStreetHooligan

    GreenStreetHooligan Registered Member

    Joined:
    Feb 18, 2015
    Posts:
    12
    Tin-foil hat or not, I do not like the fact that it does not allow you to restrict uploading of files to IBM like almost all other security software does. I do not have much faith in the diagnosing abilities of IBM anyway. It's not going to be like Kaspersky that uncovered state sponsored malware from suspicious files that were submitted.

    If they cannot do so much as put in an option to NOT send personal files to IBM, I can do without their protection.
     
  3. 142395

    142395 Guest

    Though I like EMET's pinning feature, it can't be an alternative to cert checking. This feature just checks whether the presented cert belongs to a predefined root CA, so if a compromised cert (e.g. the CA was hacked) happens to belong to the same root CA, EMET won't warn.
    And some websites use different certs and root CAs for different subdomains, so in this case you have to assign more than one root CA for a specific site, as EMET rules are automatically applied to alternate names too. Actually most built-in rules have many root CAs assigned.

    Also manual checking has some subsidiary benefits. If you always do this you will be intimate with certs; you remember what certs your everyday sites use, and if they change cert you'll notice it. And there are grades in certs, e.g. in Verisign (Symantec) class 3 certs have a higher grade than lower classes and require entity verification behind the site (those grades are all different for each CA). So you can get some more info about the site you're connecting to.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    True, there are instances of subdomains using different certs, but I have found that to be the exception. I would also scrutinize any financial/e-commerce site that does so.

    Actually I agree with this and should always be done initially before the site is set up in EMET. Of course, people will have to train themselves on how to validate certificates.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I did a small test here: https://www.wilderssecurity.com/threads/security-tools-versus-ssl-hijackers-with-root-certs.373772/
    When you go to their site to download Trusteer, they offer different installers for each bank. Looking at my test results, my guess is that the installer contains a list of certificates used by the bank, or perhaps a config to download them, and uses that to detect MitM attacks. Any sites manually added don't have that protection or the possibility to communicate with the server software, so only the general browser protection is added (keylogging, screenlogging, browser injection etc.).
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There are two features that make Trusteer unique and why many banks want their customers to use it.

    The first is that Trusteer is designed to run on infected PCs. When the software detects malware it will automatically switch to armored browser mode. Contrast that to BitDefender's SafePay, which will abort if it detects any malware present.

    The second and more important feature is that the Trusteer-supported bank server, when sensing a connection from a Trusteer-enabled client, will initiate a secured tunnel between the client and server, thereby preventing any hijack attempts. Unless a third-party e-commerce site has the Trusteer software installed on its server, the secure tunnel feature will not be implemented.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    If IBM is really saying that, they are being irresponsible. You can never guarantee, to any worthwhile degree, that the browser session is not being spied on if the machine is known to be compromised. And if the compromise is at kernel level - which is harder to detect - all bets are off. This is how privilege-level-based security works, and no current desktop OS can avoid it.

    Perhaps Trusteer Rapport does do the job for a large portion of userspace malware, maybe even some kernel stuff. I don't really care. Encouraging people to do online banking on infected PCs, and to feel safe about it, is reckless and irresponsible, period.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    FYI - per Trusteer documentation. Although I do agree with your statements about conducting financial activities on an infected PC.

    Responding to a Forced Virtualized Browser Download Alert
    The following is an example of a forced Virtualized Browser download alert:
    http://www.trusteer.com/User-Guides/Rapport-User-Guide-3.5.1207/1503.png
    This alert may appear when you browse to a protected website. This alert indicates that Trusteer Rapport has detected a security risk on your computer and is preventing you from viewing the site in the regular browser. If you want to view the site, you must download and install Trusteer Rapport's Virtualized Browser. Trusteer Rapport's Virtualized Browser is an isolated browsing environment that provides an additional layer of protection.
    When you see this alert, choose one of these options:
    • Click Download Now. This downloads the installation file for Trusteer Rapport's Virtualized Browser. After you have downloaded and run this file, you will be able to browse again to the site and view it securely in the Virtualized Browser. It is recommended that you also contact Trusteer support (See Sending a User Problem Report) and tell us you received this alert. We will be able to guide you to take action to combat the security risk on your computer.
    • Click Click here to contact Trusteer Support. This opens the Report a Problem form in the Rapport Console. Use the form to tell Trusteer you received this alert. We will be able to guide you to take action to combat the security risk on your computer. See Sending a User Problem Report if you need help reporting the problem.
    • Click Close. This closes the alert and the website.
    For information about downloading and installing Trusteer Rapport's Virtualized Browser, see Using Trusteer Rapport's Virtualized Browser.
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Still rubbish. If the host OS is compromised, then the VM is not trustworthy either.

    Their FAQ is at least not too overweeningly optimistic. Although as far as protection against keylogging, that again depends on what layer the attacker is working in.
     
  10. Security software makers can't be an entry point or attack points, because they are there to protect :argh:
    1. Installs DLLs + SYS in AppData with User having write access
    2. Uses Visual Studio 2005 DLLs
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just saw this posting over at WindowsSecrets. Appears Trusteer has some auto certificate pinning capability akin to EMET's. Interesting...

    Quoted from WindowsSecrets, post #12 by Richardmj (New Lounger, 2015-02-26, 09:41):

    My answer is YES! I recently acquired a Lenovo PC. In accordance with my bank's instructions I use Trusteer to protect my online banking. However, every time I tried to connect, Trusteer gave an invalid certificate warning. I contacted Trusteer, whose support was excellent. They analysed the logs and found Superfish was getting in the way of the authentication. I had already run a number of scans etc., none of which identified/removed Superfish. Once I had followed removal instructions, online banking worked without warnings. I shall now complain to Lenovo for wasting my time.
     
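    As an added illustration (not code from this thread, from Microsoft or from Trusteer) of the EMET limitation 142395 describes above and of the Superfish interception in the quoted WindowsSecrets post: a Python sketch that compares root-CA pinning with pinning the site's own key. The certificates are constructed toy records, not real DER, and all names and keys are assumed.

```python
import hashlib

def cert(subject, issuer, spki):
    """Constructed toy certificate record (not real DER)."""
    return {"subject": subject, "issuer": issuer, "spki": spki}

def fingerprint(c):
    """SHA-256 of the public-key stand-in; the value a pin is taken of."""
    return hashlib.sha256(c["spki"]).hexdigest()

def root_of(chain):
    """Follow issuer links from the leaf (chain[0]) to the self-signed root."""
    by_subject = {c["subject"]: c for c in chain}
    cur, seen = chain[0], set()
    while cur["subject"] != cur["issuer"]:
        if cur["subject"] in seen:
            raise ValueError("issuer loop in chain")
        seen.add(cur["subject"])
        cur = by_subject[cur["issuer"]]
    return cur

def root_ca_pin_ok(chain, pinned_roots):
    """EMET-style rule: pass if the chain ends in one of the pinned roots."""
    return fingerprint(root_of(chain)) in pinned_roots

def leaf_pin_ok(chain, pinned_leaf):
    """Manual-check style: the site's own key must be the one you remember."""
    return fingerprint(chain[0]) == pinned_leaf

# Constructed scenario data (assumed names and keys).
ROOT = cert("Example Root CA", "Example Root CA", b"root-key")
INTER = cert("Example Intermediate", "Example Root CA", b"inter-key")
BANK = cert("bank.example", "Example Intermediate", b"bank-key-2015")
# Mis-issued cert for the same name that chains to the same root.
ROGUE = cert("bank.example", "Example Intermediate", b"attacker-key")
# Locally installed interception root (Superfish-style) re-signing the site.
SF_ROOT = cert("Superfish", "Superfish", b"superfish-key")
SF_LEAF = cert("bank.example", "Superfish", b"superfish-leaf-key")

PINNED_ROOTS = {fingerprint(ROOT)}   # a site may need several roots here
PINNED_LEAF = fingerprint(BANK)

LEGIT = [BANK, INTER, ROOT]
ROGUE_CHAIN = [ROGUE, INTER, ROOT]
SUPERFISH_CHAIN = [SF_LEAF, SF_ROOT]

def evaluate(chain):
    """Outcome of both policies for one presented chain."""
    return {"root_pin": root_ca_pin_ok(chain, PINNED_ROOTS),
            "leaf_pin": leaf_pin_ok(chain, PINNED_LEAF)}
```

    The rogue chain passes the root-CA rule but fails the leaf pin, which is exactly the gap 142395 points out; the Superfish chain fails both, which is what produced the warnings in the quoted post.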
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    So does Zemana AntiLogger, which claims to protect your root certs. :thumbd:
     
  13. 142395

    142395 Guest

    On my Win7 x64, Zemana Pro doesn't store its DLL or driver under user space. All I could find are log files, some DB, and user-defined rules. Well, maybe rules and DB should better be placed in protected space.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Can't vouch for the Pro version, but the free version did store stuff in AppInit_DLLs. Zemana's statement was that that was perfectly normal. That was when I uninstalled the software.
     
  15. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Does Trusteer alert/warn the user of a browser intrusion? I know Zemana free doesn't, so I use HMP.A along with it, and I've been doing the same with Trusteer since I can't find information stating whether it does or not...
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's a link to the user manual: https://www.trusteer.com/User-Guide...Rapport-User-Guide-3.5.1403/index.htm#434.htm

    I know you will get warnings on certificate issues. Also Trusteer has keylogger protection, so I don't know why you're using Zemana with it.
     
  17. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    MRG Effitas recently published a report comparing WSA to Trusteer Rapport

    https://www.mrg-effitas.com/webroot...rusteer-rapport-comparative-analysis-2015-q2/

    While it is 32 pages long it is well worth a careful read; the results are quite enlightening as it details Rapport's weaknesses. Some Wilders members do not have much time for MRG, but the results in this report are much the same as my (unscientific) findings when testing Rapport earlier this year.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    MRG are very credible
     
  19. haakon

    haakon Guest

    Just printed out that WSA/TR MRG report for reading while visiting the Throne Room. Results in previous MRG testing convinced me to at least give TR a whirl.

    I've been using it for several months, Windows 7 x64. While it doesn't work with my primary browser (Cyberfox 64 Portable), it does work with Haller's Chrome 64 Portable (stock except for ABP + Easy List/Privacy and Ghostery), so when I do my banking I use that. No slowdowns, no issues.

    I downloaded the one supporting my bank, but FWIW I've also set it up for three credit card banks.

    I was/am not wild about the default Automatic status of the Rapport Management Service; I changed that to Manual and keep it in a stopped state when not in use. Opening the Start menu items (RapportService.exe -userstart or -config) starts the service OK. Not unexpectedly, RapportService.exe -shutdown does not stop the service, so I built a little net stop batch file to do that. Some extra effort for the 30-45 minute sessions 3-4 times a month when needed. I see no reason why Rapport needs to run in any capacity otherwise.

    Since they have browser apps for Android and iOS, I'd like to see them release their "emergency" virtualized browser as a stand-alone install for Windows workstations.
     
  20. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Great - thanks for the info everyone!

    Sorry my post wasn't clear - 2 different PCs - 1) Zemana AL free + HMP.A and 2) TR + HMP.A... However, because TR only keyscrambles on protected sites and Zemana AL keyscrambles system-wide, the two could actually be used together if one wanted some functionality of both.

    That is a great report - very detailed - I'd like it even more if they'd included Zemana AL free/paid and Quarri MyPOQ in the tests. So here's my answer on page 30...

    "Trusteer Rapport only alerts users about financial malware when user interaction is needed (e.g. restart system). We believe this is a fundamental problem as malware needs to be deleted as soon as it (or its action) is detected. Without these alerts, users cannot take counter-measures (e.g. ask for professional
    help or download a new malware scanner), and the malware can cause more harm"

    So yes & no - I think I will keep HMP.A free installed with TR.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Wow! Thanks for posting the MRG test result link. As far as I am aware, this is the first detailed test of Trusteer Rapport in a very long time.

    In somewhat MRG fashion though, you really have to sift through a lot of "fluff" to get to the important stuff:

    5 Conclusion

    Based on the number of different tests done, it is hard to draw any conclusions about which vendor performed better. From an end-user perspective, the performance of Webroot SecureAnywhere was superior. From a financial site point of view, if it is in the partner site lists, it is a draw.


    The bottom line is TR was originally designed to protect banking web sites. Its full effectiveness is only achieved when its corresponding server software is installed. In this scenario, a secure tunnel is established between the client and the bank server. As such, any external MITM activity or interception is impossible. Also the server software is constantly monitoring the web session and will react to any malware activity from the client. So if your bank offers TR as an option, it would be the way to go if banking security is your primary concern.

    Now I have to go back and reread the MRG report for client performance issues with TR. That has always been the primary negative of this software.

    -EDIT- Looks like nothing has changed on TR's performance issues. Main reason I don't use it.

    Trusteer Rapport had a 425% performance impact on the load time of the browser.

    It is important to note here that at times during the test, the browser crashed where Trusteer Rapport was installed, while no simulator or malware was running on the system.
     
    Last edited: Jul 9, 2015
  22. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    If I understand this test correctly, the browser is launched + the protected site loaded. But we shouldn't care if TR increases browser launch time - it doesn't happen very often in a day - and the majority of sites are not protected... So a test I'd also like to see is the comparative load time of an 'unprotected' site (no browser launch time included). I haven't used TR much (it's on another user's PC) but I don't notice a slowdown in browsing speed - sample set of 1 :)

    Anyone have any thoughts on how the Quarri MyPOQ browser would do in these tests? I don't think I've ever seen a 'red' mark for it on an MRG test... I've been trying it out, but not sure it's worth the inconvenience of a separate browser.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    My use of the product a couple of years ago showed a very noticeable impact on all browsing activities using IE10 x64. Also, as I recollect, the performance degradation was gradual: initially after install it was OK, but as time went by things got noticeably worse. I even worked with Trusteer on the issue to no avail.
     
    Last edited: Jul 10, 2015
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It only works presently on IE11 and there are issues with that. Here's a link to discussion of product at MalwareTips: http://malwaretips.com/threads/quarri-mypoq-info-and-access-links.43225/
     
  25. haakon

    haakon Guest

    TR with Chrome on my 3rd gen i7 box is screaming fast on all browsing activities without issue. The 425% performance impact on the load time of the browser occurs with near instantaneousness.
     