Wilders Security Forums  

  #26  
Old October 17th, 2012, 08:55 AM
pegas's Avatar
pegas pegas is online now
Frequent Poster
 
Join Date: May 2008
Location: Czech Republic
Posts: 631
Default Re: Keylogger

Quote:
Originally Posted by Triple Helix
Could be I just Tested Opera, IE9 32bit & 64bit and Firefox and they all passed my testing as I use US English I even tried Canadian French keyboard input and it worked fine. Attachment 235101

TH
I also tried another two test files (ClipBoard and Webcam logger) and WSA succeeded. I had a WSA prompt for both files. So only Keylogger is where WSA failed in my case.
__________________
Sony VAIO SR19VN, Windows Vista Business 32 SP2 fully patched, Intel Core DUO P8400 2,26 GHz, 4GB RAM, ATI Radeon
with always latest stable release of Opera, Ad Muncher, CCleaner and Webroot SecureAnywhere.
  #27  
Old October 17th, 2012, 09:11 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by pegas
I also tried another two test files (ClipBoard and Webcam logger) and WSA succeeded. I had a WSA prompt for both files. So only Keylogger is where WSA failed in my case.

Hey this is the new pop-up window that IBK was talking about here in the recent test that needed user interaction: http://www.wilderssecurity.com/showp...4&postcount=51 and what Joe was mentioning: http://www.wilderssecurity.com/showp...2&postcount=14 Cool

TH

[Attached image: 17-10-2012 9-02-30 AM.png]
__________________
Triple Helix - Microsoft® MVP Consumer Security 2012/14

VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)

Webroot® SecureAnywhere™ Complete 2013 Closed Beta Tester v8.0.2.145 - VoodooShield 1.08 - Windows 7 Ultimate 64bit and all Windows OS's from XP to Win 8 on VM's.

Last edited by Triple Helix : October 17th, 2012 at 09:17 AM.
  #28  
Old October 17th, 2012, 09:15 AM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,618
Default Re: Keylogger

WSA needs to be able to do this automatically if you choose so.
__________________
Webroot SecureAnywhere
  #29  
Old October 17th, 2012, 09:20 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by trjam
WSA needs to be able to do this automatically if you choose so.

But that's why WSA got such a High score in that test:

Blocked 88.2%
User dependent 11.2%
Compromised 0.6%

TH
  #30  
Old October 17th, 2012, 09:21 AM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,618
Default Re: Keylogger

I understand but it is the kid factor. You should be able to tick a setting so if this pops up, it chooses to block it automatically.
  #31  
Old October 17th, 2012, 09:27 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by trjam
I understand but it is the kid factor. You should be able to tick a setting so if this pops up, it chooses to block it automatically.

We had that same discussion about WSA's Firewall and the Auto Allow: if a person tries to block a known good file such as svchost.exe it could break their PC. I'm sure Joe will chime in!

TH
  #32  
Old October 17th, 2012, 09:34 AM
BoerenkoolMetWorst BoerenkoolMetWorst is offline
Very Frequent Poster
 
Join Date: Dec 2009
Location: Outer space
Posts: 2,053
Default Re: Keylogger

Quote:
Originally Posted by Triple Helix
Hey this is the new pop-up window that IBK was talking about here in the recent test that needed user interaction: http://www.wilderssecurity.com/showp...4&postcount=51 and what Joe was mentioning: http://www.wilderssecurity.com/showp...2&postcount=14 Cool

TH

Attachment 235105
Are you sure? This one only pops up if you have the "warn before blocking.." option ticked in Identity Shield settings. Besides, even if you block it, the malware would still run on your system, so WSA doesn't pass the test, so I think IBK is talking about another popup.
  #33  
Old October 17th, 2012, 09:38 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by BoerenkoolMetWorst
Are you sure? This one only pops up if you have the "warn before blocking.." option ticked in Identity Shield settings. Besides, even if you block it, the malware would still run on your system, so WSA doesn't pass the test, so I think IBK is talking about another popup.

That could be true as I did ask Joe for a snapshot of the window that IBK mentioned and he couldn't supply me one at the time.

TH
  #34  
Old October 17th, 2012, 09:47 AM
pegas's Avatar
pegas pegas is online now
Frequent Poster
 
Join Date: May 2008
Location: Czech Republic
Posts: 631
Default Re: Keylogger

Quote:
Originally Posted by Triple Helix
That could be true as I did ask Joe for a snapshot of the window and he couldn't supply me one at the time.

TH
TH can you check something for me?

I have blocked the ClipBoard and Webcam logger test files and then deleted both files from the Protected Applications list. Now I am trying to test both files again but they are blocked even though I deleted them from the Protected Applications list. It looks like WSA remembers the action even for already deleted files. I thought that if a file is deleted from the list and I run this file again, I would get a new prompt.

Can you confirm such behaviour?
  #35  
Old October 17th, 2012, 09:55 AM
puff-m-d's Avatar
puff-m-d puff-m-d is offline
Massive Poster
 
Join Date: Feb 2002
Location: North Carolina, USA
Posts: 3,636
Default Re: Keylogger

Go to System Tools > System Control > Control Active Processes... If you block something under Protected Applications it adds the process to Control Active Processes as being blocked too. It might be that you need to delete them there. It may be under PC Security > Quarantine > Detection Configuration also as the process is added there also so would need deleting. I am not sure of this but one of these could very well be your problem...
__________________
Best regards,
Kent

AX64 Time Machine - Travel in Time
Current Version 1.1.0.996

Last edited by puff-m-d : October 17th, 2012 at 10:01 AM.
  #36  
Old October 17th, 2012, 10:08 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

I didn't block anything and it only shows in Active processes when running and it's under Monitored and I tried a second time and no pop-up and for me there is nothing under Detection Configuration so I scanned the files and:

[u] c:\users\daniel\downloads\clipboardlogger.exe [MD5: ACF401027A26261C79EE0A622CB505AC] [Flags: 000A0000.12871]
[X] c:\users\daniel\downloads\keyboard.exe [MD5: 4015B96AD426FBC02F88E22E3CB850CB] [Flags: 00080810.11812]
[X] c:\users\daniel\downloads\webcamlogger.exe [MD5: 6026649E74B52F81576494F9C082DAC0] [Flags: 00080010.12870]


Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 3 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 4 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 5 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 7 (12870)
Wed 17-10-2012 09:43:53.0048 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 8 (12870)
Wed 17-10-2012 09:43:53.0048 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 6 (12870)
Wed 17-10-2012 09:56:23.0960 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 3 (12871)
Wed 17-10-2012 09:56:23.0960 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 4 (12871)
Wed 17-10-2012 09:56:23.0960 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 5 (12871)
Wed 17-10-2012 09:56:23.0960 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 7 (12871)
Wed 17-10-2012 09:56:23.0975 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 8 (12871)
Wed 17-10-2012 09:56:23.0975 Monitoring process C:\Users\Daniel\Downloads\ClipBoardLogger.exe [ACF401027A26261C79EE0A622CB505AC]. Type: 6 (12871)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 3 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 4 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 5 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 7 (11812)
Wed 17-10-2012 09:58:00.0680 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 8 (11812)
__________________
Triple Helix - Microsoft® MVP Consumer Security 2012/14

VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)

Webroot® SecureAnywhere™ Complete 2013 Closed Beta Tester v8.0.2.145 - VoodooShield 1.08 - Windows 7 Ultimate 64bit and all Windows OS's from XP to Win 8 on VM's.
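The log lines in the post above can be grouped per file to compare which monitoring types were logged for each sample. This is an added example, not part of the thread or of Webroot's tooling; the line formats are inferred from the excerpt, and the status markers, Flags and Type values are treated as opaque.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in the post above (Keyboard.exe and
# WebcamLogger.exe only). The status markers, Flags and Type numbers are not
# explained on this page, so the code treats them as opaque values.
SAMPLE_LOG = r"""
[X] c:\users\daniel\downloads\keyboard.exe [MD5: 4015B96AD426FBC02F88E22E3CB850CB] [Flags: 00080810.11812]
[X] c:\users\daniel\downloads\webcamlogger.exe [MD5: 6026649E74B52F81576494F9C082DAC0] [Flags: 00080010.12870]
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 3 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 4 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 5 (12870)
Wed 17-10-2012 09:43:53.0017 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 7 (12870)
Wed 17-10-2012 09:43:53.0048 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 8 (12870)
Wed 17-10-2012 09:43:53.0048 Monitoring process C:\Users\Daniel\Downloads\WebcamLogger.exe [6026649E74B52F81576494F9C082DAC0]. Type: 6 (12870)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 3 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 4 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 5 (11812)
Wed 17-10-2012 09:58:00.0664 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 7 (11812)
Wed 17-10-2012 09:58:00.0680 Monitoring process C:\Users\Daniel\Downloads\Keyboard.exe [4015B96AD426FBC02F88E22E3CB850CB]. Type: 8 (11812)
"""

# Scan result line: [status] path [MD5: ...] [Flags: ...]
SCAN_RE = re.compile(
    r"^\[(?P<status>.)\] (?P<path>.+?) \[MD5: (?P<md5>[0-9A-F]{32})\] "
    r"\[Flags: (?P<flags>[0-9A-F.]+)\]$")
# Monitoring event line: weekday date time "Monitoring process" path [md5]. Type: n (id)
MONITOR_RE = re.compile(
    r"^\w{3} \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{4} Monitoring process "
    r"(?P<path>.+?) \[(?P<md5>[0-9A-F]{32})\]\. Type: (?P<type>\d+) \(\d+\)$")


def parse(log_text):
    """Group scan result lines and monitoring events by file MD5."""
    files = defaultdict(lambda: {"status": None, "flags": None, "types": []})
    for line in map(str.strip, log_text.splitlines()):
        scan = SCAN_RE.match(line)
        mon = MONITOR_RE.match(line)
        if scan:
            files[scan["md5"]].update(status=scan["status"], flags=scan["flags"])
        elif mon:
            files[mon["md5"]]["types"].append(int(mon["type"]))
    return dict(files)


def missing_types(files):
    """Per file, the monitor types logged for some other file but not this one."""
    seen = set().union(*(rec["types"] for rec in files.values()))
    return {md5: sorted(seen - set(rec["types"])) for md5, rec in files.items()}


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for md5, gaps in missing_types(parsed).items():
        rec = parsed[md5]
        print(md5, rec["status"], rec["flags"], rec["types"], "missing:", gaps)
```

On the excerpt, Keyboard.exe shows no Type 6 entry while WebcamLogger.exe does; the page does not say whether that reflects product behaviour or only where the pasted log ended.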
  #37  
Old October 17th, 2012, 10:08 AM
pegas's Avatar
pegas pegas is online now
Frequent Poster
 
Join Date: May 2008
Location: Czech Republic
Posts: 631
Default Re: Keylogger

Quote:
Originally Posted by puff-m-d
Go to System Tools > System Control > Control Active Processes... If you block something under Protected Applications it adds the process to Control Active Processes as being blocked too. It might be that you need to delete them there. It may be under PC Security > Quarantine > Detection Configuration also as the process is added there also so would need deleting. I am not sure of this but one of these could very well be your problem...
Thx puff.

If you run the file it appears within the active processes with status Monitor, but you cannot delete this process, you can only terminate it. As for the Detection Configuration, the file is not listed here when it runs.
  #38  
Old October 17th, 2012, 10:15 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by pegas
Thx puff.

If you run the file it appears within the active processes with status Monitor, but you cannot delete this process, you can only terminate it. As for the Detection Configuration, the file is not listed here when it runs.

That's true as the files don't install and just run in the users area so termination is the only option. But you can add them to Detection Configuration.

TH

[Attached image: 17-10-2012 10-17-22 AM.png]

Last edited by Triple Helix : October 17th, 2012 at 10:21 AM.
  #39  
Old October 17th, 2012, 10:15 AM
puff-m-d's Avatar
puff-m-d puff-m-d is offline
Massive Poster
 
Join Date: Feb 2002
Location: North Carolina, USA
Posts: 3,636
Default Re: Keylogger

Do you have the following box checked under Settings?
Attached Images
 
  #40  
Old October 17th, 2012, 10:17 AM
puff-m-d's Avatar
puff-m-d puff-m-d is offline
Massive Poster
 
Join Date: Feb 2002
Location: North Carolina, USA
Posts: 3,636
Default Re: Keylogger

Quote:
Originally Posted by trjam
WSA needs to be able to do this automatically if you choose so.
Check my above post. This may be what you are looking for... By default it is unchecked.
  #41  
Old October 17th, 2012, 10:22 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Quote:
Originally Posted by puff-m-d
Do you have the following box checked under Settings?

I have it checked.

TH
  #42  
Old October 17th, 2012, 10:27 AM
puff-m-d's Avatar
puff-m-d puff-m-d is offline
Massive Poster
 
Join Date: Feb 2002
Location: North Carolina, USA
Posts: 3,636
Default Re: Keylogger

What it sounds like then is the files are not blacklisted yet as they are being monitored. I do not believe you will get the pop-up on any monitored file, you only will if the file has been blacklisted.
  #43  
Old October 17th, 2012, 10:33 AM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

Since I have now Blocked under Detection Configuration when I try to Execute I get this pop-up.

TH

[Attached image: 17-10-2012 10-30-10 AM.png]
  #44  
Old October 17th, 2012, 10:35 AM
puff-m-d's Avatar
puff-m-d puff-m-d is offline
Massive Poster
 
Join Date: Feb 2002
Location: North Carolina, USA
Posts: 3,636
Default Re: Keylogger

Cool ... That proves it!
  #45  
Old October 17th, 2012, 10:37 AM
pegas's Avatar
pegas pegas is online now
Frequent Poster
 
Join Date: May 2008
Location: Czech Republic
Posts: 631
Default Re: Keylogger

Quote:
Originally Posted by Triple Helix
That's true as the files don't install and just run in the users area so termination is the only option. But you can add them to Detection Configuration.

TH

Attachment 235109
Yes, you can add them. However, it changes nothing as regards WSA prompts. You can have files added with any status but you won't get a WSA warning.
  #46  
Old October 17th, 2012, 11:11 AM
PrevxHelp's Avatar
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,582
Default Re: Keylogger

Quote:
Originally Posted by trjam
I understand but it is the kid factor. You should be able to tick a setting so if this pops up, it chooses to block it automatically.

It does, by default.
  #47  
Old October 17th, 2012, 11:44 AM
WebrootPartner WebrootPartner is offline
Infrequent Poster
 
Join Date: Oct 2012
Location: Hungary
Posts: 1
Default Re: Keylogger

Hello,

We have just done a keylogger test with ID Shield and found it is not protecting at all; all keystrokes are logged by the test keylogger that is actually being monitored by WSA (not Allow).

Further investigation showed us that it has to be related to some kind of keyboard driver issue, because if you e.g. install 2 keyboards, HU and EN, and you happen to select EN to be the active keyboard, the keylogger still logs the HU keyboard characters on that key.
See screenshot:

[Attached image: WSA-ID-shield-not-working.png]
http://www.filedropper.com/wsa-id-shield-not-working

So this bug might affect all non-EN keyboard users, which is rather very sad.
How can it happen with such a promoted feature in WSA?
It is a serious bug - I actually remember that in November 2011 this function worked pretty good, I personally did several demos with it successfully in NOV-DEC 2011, but it does not work at all now.


I also reported this bug to the team representing Webroot at Infosec London this April.

Please fix this bug as soon as possible!

Br,
Gyozo
  #48  
Old October 17th, 2012, 12:30 PM
szaki2 szaki2 is offline
Infrequent Poster
 
Join Date: Apr 2012
Location: Hungary
Posts: 20
Default Re: Keylogger

Yes, Hungarian Windows.
I tried with Windows XP and the Business version of WSA, and the padlock and Identity Shield do not work.

Last edited by szaki2 : October 17th, 2012 at 12:36 PM.
  #49  
Old October 17th, 2012, 12:52 PM
Triple Helix's Avatar
Triple Helix Triple Helix is offline
Prevx Forum Helper
 
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,611
Default Re: Keylogger

With these Simulators and real Keyloggers, the Identity Shield only protects Browsers when on HTTPS sites by default, and you can set HTTP to Max to get the Padlock on the Tray Icon for all websites. It doesn't protect other applications; only if it's a true Keylogger will WSA detect it as malware and remove it. Please read the Online Help File for more info: https://detail.webrootanywhere.com/a...ity_Protection

Thanks,

TH

Last edited by Triple Helix : October 17th, 2012 at 01:01 PM. Reason: correction
  #50  
Old October 17th, 2012, 01:31 PM
PrevxHelp's Avatar
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,582
Default Re: Keylogger

Quote:
Originally Posted by WebrootPartner
Hello,

We have just done a keylogger test with ID Shield and found it is not protecting at all; all keystrokes are logged by the test keylogger that is actually being monitored by WSA (not Allow).

Further investigation showed us that it has to be related to some kind of keyboard driver issue, because if you e.g. install 2 keyboards, HU and EN, and you happen to select EN to be the active keyboard, the keylogger still logs the HU keyboard characters on that key.
See screenshot:

So this bug might affect all non-EN keyboard users, which is rather very sad.
How can it happen with such a promoted feature in WSA?
It is a serious bug - I actually remember that in November 2011 this function worked pretty good, I personally did several demos with it successfully in NOV-DEC 2011, but it does not work at all now.


I also reported this bug to the team representing Webroot at Infosec London this April.

Please fix this bug as soon as possible!

Br,
Gyozo

Could you let me know if this is just on other characters or on alphanumeric characters? We will generally let non-alphanumeric characters through as the OS handles them differently to where they can't be hidden safely without impacting the entry of some keystrokes.
 

All times are GMT -4. The time now is 05:19 AM.

