Anti Keylogger Test - how to protect against this?

Discussion in 'privacy problems' started by ChrisP, May 18, 2007.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Hi!

    Current DefenseWall betas have full anti-keylogging support: some methods are automatically blocked, some are notified about (they cannot be automatically blocked because some legitimate programs use them).
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    But ALL keyloggers, no matter what method they use, do CHANGE your hard disk somewhere. Am I right about this? :)
     
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, it may send it via the Internet without saving to the hard drive (the pagefile does not count as a file).
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    A very sneaky keylogger indeed, which is a problem in my boot-to-restore solution.

    Suppose I run regedit and go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
    and I change the value "0" into "1" (= Clear Page File Enabled)
    Then Exit Registry and Reboot.

    Then my boot-to-restore would clear the pagefile at shutdown and the keylogger would be gone.

    Is that a possible solution grand master Ilya ?

    PS: I noticed that the shutdown lasts a lot longer with cleaning the page file.
     
    Last edited: May 22, 2007
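A way to audit and apply the ClearPageFileAtShutdown setting from post #4 without opening regedit, as an added PowerShell example that is not from this thread, DefenseWall or FD-ISR; it assumes an elevated prompt and a -Enable switch of my own naming.

```powershell
# Added example (not from the thread): report whether pagefile.sys is wiped at
# shutdown, and optionally turn the setting on. Run from an elevated prompt;
# -Enable is a switch introduced for this example.
param([switch]$Enable)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Name    = 'ClearPageFileAtShutdown'

# Read the current value; a missing value behaves like 0 (pagefile not cleared).
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { $current = 0 }

if ($current -eq 1) {
    Write-Output "$Name is 1: pagefile.sys is wiped at shutdown (expect a slower shutdown)."
} else {
    Write-Output "$Name is ${current}: pagefile.sys is NOT wiped at shutdown."
}

if ($Enable -and $current -ne 1) {
    # REG_DWORD 1 = Clear Page File Enabled; takes effect on the next reboot.
    Set-ItemProperty -Path $KeyPath -Name $Name -Value 1 -Type DWord
    Write-Output "Set $Name to 1. Reboot for the change to take effect."
}
```

This only overwrites the pagefile at shutdown; as the later posts point out, a keylogger that forwards a memory buffer over the network between reboots never depends on it, so this is a hygiene step, not a detection.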
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Doesn't the pagefile automatically reset itself when you are using FD-ISR to freeze your snapshot?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Latest KAV7 also detects all three keylogging attempts by AKLT, as told by one user here.
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, I mean, a keylogger may save its data into a memory buffer (it could be pagefile-based if you have it enabled) and then send this buffer via the Internet to its owner, clear it and capture data again.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    AFAIK FDISR ignores the pagefile completely; it's not included in the copy/update, along with 3 other objects, but I don't remember them.
    Acadia knows all four and published them somewhere in the forum of FDISR.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't understand the last part (red in bold), does it mean I can't do anything about it?
    Does DefenseWall kill such sneaky keyloggers, or will DW kill them in the next version(s)?
     
  10. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    http://www.raxco.com/support/windows/fdisr/fdisr_faqs.cfm
    1. pagefile file
    2. hibernate file
    3. *.tmp
    4. System Restore data
    Mike
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I might be wrong, but that doesn't solve anything. Excluding files doesn't clean them; they are just not included in the snapshot, that's all.
     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    What o_O I was only answering your question... "but I don't remember them."

    "Acadia, Mike, & Erik knows all four and published them somewhere in the forum of FDISR." :D :D

    Mike
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes you are right. You answered my question and thanks for that.
    I was too occupied with these POSSIBLE nasty keyloggers on my pagefile.
    My apologies. :oops:
     
    Last edited: May 23, 2007
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I mean that there is no need for a keylogger to save its data into a file: it may store it in a memory buffer, send it via the Internet and, once the data is sent, use the same buffer for new data captured.

    Well, DefenseWall stops traditional keyloggers from working properly; as for advanced keyloggers, DW will notify you about them (v2.0) but won't stop them, as some legitimate applications (the original ICQ client, for instance) use those techniques to get keystrokes.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. But now I do this:
    1. I clean the pagefile.sys at shutdown, which I didn't before.
    2. And my RAM is normally clean when I reboot.
    3. If there is something changed on my hard disk, that will also be removed during reboot.
    So the keylogger in my RAM and/or my pagefile.sys is completely gone after reboot.
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Keylogger in pagefile.sys? :eek: You must have missed my point. It is just a swap file, nothing more. It could be used by the system to store some memory data, but it can't store structured information like an executable file. In fact, the keylogger will be gone after a reboot with FD-ISR, but between reboots you need an extra defense layer (anti-keylogger, anti-screen-capturer, protection of sensitive files from being hijacked).
     
  17. EASTER.2010

    EASTER.2010 Guest

    Does that also include some rootkit or hider which might have circumvented the system and installed a keylogger that sends info based on a set time/date?

    I'm of the mind that DefenseWall and even HIPS programs pretty well squelch those attempts. Also, what about an exploited web page that uses iframes or another method to rapidly bombard the protection app until it either closes with an error, thus allowing entry for the intruder, or fails completely?

    Thanks.
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This does not include sophisticated tech on ultra low level.
     
  19. controler

    controler Guest

    <snip>

    Yes, I see there is at least one keylogger at that site that no anti-malware detects. One of the programs is BoClean.

    edited to remove quote of keylogger spam - Detox
     
    Last edited by a moderator: Jun 25, 2007
  20. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    1 post spamming keyloggers for sale removed. Really now... :rolleyes:
     
  21. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Not to go OT, but I have heard of keylogging programs available to buyers who want to track where their spouse goes online or to track children's PC access. A few privacy issues involved, of course. :shifty:
     
  22. controler

    controler Guest

    Detox

    I only replied to a poster and you removed his post, making it look like I am spamming? Not cool. Besides, when did you start removing links to malware again, which some programs do not remove or detect? If you would like to take this Pri, be my guest.


    con
     
  23. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Well, gotta agree. Posters link to programs they suggest all the time. ALL the time. What made your post any different? It's not like you have 5 total posts fercrissakes, you have over 3,000!!!!!!!
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    You guys have misunderstood. The main post that Detox actioned was "removed entirely" because it was indeed made by a "brand new member" with a total of "1 post" (not even 5), who joined just to post that spam to this thread. (It was spam because it was to a commercial website that sells all kinds of keyloggers. Therefore "spam" not "malware", although live malware links also get removed here.)

    Detox removed the spam post, as is appropriate here at Wilders. Unfortunately, controler quoted the spam post, so obviously the quote had to be edited out of his post; otherwise the spammer would still have his post showing.

    It's unfortunate that you quoted the spam post controler, but, just because a member quotes a spam posting does not mean that we're going to leave the spam in a thread. If we did that, the spammers would win and get their spam to stay on the forum.
     
  25. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I understand now. I was mistaken as well. Thanks LowWatermark!
     