Hello all,
I've built a list of leaktests which we are aware of for testing SafeOnline. If anyone is aware of any other leaktest, please let me know and I'll add it to the list, analyzing it and adding protection if necessary. The list is fairly comprehensive to cover a number of techniques, but in no way does it show every technique protected by SafeOnline - each of these keyloggers uses a slightly different approach but let me know if you'd like any validation on specific threats.
We've manually tested each of these leaktests on the full range of operating systems but if anyone wants us to replicate the test results, please let me know and I'll make a video demonstrating it.
To better explain the scope of testing SafeOnline, please take the following into account:
- SafeOnline will provide full protection on 32-bit operating systems. On 64-bit operating systems, SafeOnline relies on the layered protection of Prevx 3.0 for blocking known screen grabbers and clipboard stealers. This is because of fundamental architectural differences in 64-bit operating systems preventing modifications to the "shadow service descriptor table" because of PatchGuard. We are planning a workaround for this, but it will still have some reliance on the antimalware components.
- SafeOnline provides protection over credentials and browser instances. Once Prevx sees you are visiting a secured website (i.e. https://www.paypal.com) it will load protection onto that instance. Keystrokes typed into the browser will be protected, but not necessarily keystrokes entered into another program (like Notepad).
- Clipboard protection will prevent any untrusted program from seeing clipboard data. By default, every program is untrusted and Prevx has to manually add a program to be trusted.
- Using build 3.0.5.85 or earlier, a "Compatibility Mode" exists which causes Prevx to not load all of the screen grabber protection. This mode is triggered when configuring protection down from Maximum to High. If you've ever done this within your Prevx installation, it will not be reset by changing configuration back up to High. This is to allow us to persist the configuration past a reboot, but we've since reassessed this approach and will have it changed in the next build. However, currently you will need to uninstall/reboot/reinstall if you have changed configuration options like this.
- SafeOnline is partially incompatible with Zemana AntiLogger and both products cannot load screen protection at the same time.
- SafeOnline will only protect against credential-relevant threats, intentionally not bothering with webcam loggers or sound loggers.
We strongly recommend using real infections to test the protection of Prevx, but we do think that leaktests are a valuable way to test the protection. SafeOnline's protection is incremental to the rest of the protection provided by Prevx 3.0 and while it provides a significant layer on top of what Prevx 3.0 provides, it isn't a silver bullet. However, we have yet to find a leaktest or threat which bypasses SafeOnline when everything is fully configured on a compatible operating system. In the event that something would eventually get past SafeOnline, Prevx will be immediately aware of the threat and will block it using the Prevx 3.0 antimalware functionality.
Our current (partial) list of leaktests is:
- PASSED - Firewall Leaktester - AKLT - GetKeyState
- PASSED - Firewall Leaktester - AKLT - GetAsyncKeyState
- PASSED - Firewall Leaktester - AKLT - GetKeyboardState
- PASSED - Firewall Leaktester - AKLT - DirectX
- PASSED - Firewall Leaktester - AKLT - LowLevel Hook
- PASSED - Firewall Leaktester - AKLT - JournalRecord Hook
- PASSED - Firewall Leaktester - AKLT - GetRawInputData
- PASSED - Firewall Leaktester - AKLT - Screenshot 1
- PASSED - Firewall Leaktester - AKLT - Screenshot 2
- PASSED - Zemana - ScreenLogger Simulation Test
- PASSED - Zemana - ClipBoardLogger Simulation Test
- PASSED - Zemana - Keylogger Simulation Test
- PASSED - Zemana - SSL Logger Simulation Test
- OUT OF SCOPE - Zemana - WebcamLogger Simulation Test
- PASSED - Alpin Software - Through the Eyes of a Keylogger - Key logging
- PASSED - Alpin Software - Through the Eyes of a Keylogger - Screen Logging
- PASSED - Alpin Software - Through the Eyes of a Keylogger - Clipboard Logging
- PASSED - SpyShelter - AntiTest Keylogging
- PASSED - SpyShelter - AntiTest Screenshot
- PASSED - SpyShelter - AntiTest Clipboard monitoring
- OUT OF SCOPE - SpyShelter - AntiTest Webcam Capture
- OUT OF SCOPE - SpyShelter - AntiTest System protection
- OUT OF SCOPE - SpyShelter - AntiTest Sound record
- PASSED - Chpie - Rootkit.com - Global Specific I/O Address Space Trap Keylogger
- PASSED - Greg Hoglund - IDT-based Basic Keyboard Sniffer
- PASSED - Atif Aziz - IECache Viewer
- PASSED - NirSoft - IE Cookie Viewer
- PASSED - NirSoft - IE Password Viewer
- PASSED - NirSoft - Protected Storage PassView
- PASSED - NirSoft - PasswordFox
- PASSED - Pro Data Doctor - Password Recovery
- PASSED - Amecisco, Inc. - Invisible Keylogger Stealth 2.1
- PASSED - Security Xploded - RemoteDll
- PASSED - Keylack Software - Asterisk Password Viewer
- PASSED - Komodia - SSL sniffer
- PASSED - ram verma - LoginMgr (BHO)
- PASSED - YourBankHere Demo - PatchDemo Browser Hooking
- PASSED - YourBankHere Demo - OverlayWindow
- PASSED - Snadboy - Snadboy's Revelation v2 - Password Viewer
- PASSED - System Safety Ltd. - Keylogger 1 (GetKeyState)
- PASSED - System Safety Ltd. - Keylogger 2 (GetAsyncKeyState)
- PASSED - System Safety Ltd. - Keylogger 3 (Low Level Keyboard Hook)
- PASSED - System Safety Ltd. - Keylogger 4 (Journal Record Hook)
- PASSED - DiamondCS - KeyHook
- PASSED - Unknown - Keyboard Listener
Let me know if you find anything else we should test!