Try your anti-keylogger protection

[aigle]

I tried some interesting POCs from here:

http://www.zemana.com/list/list.asp?ktgr_id=413

My observations:

CFP

Key Logger Simulation Test - - - - - PASS
Screen-Logger Simulation Test - - - PASS
Webcam Logger Simulation Test - - PASS
Clipboard Logger Simulation Test - - FAIL
SSL Logger Simulation Test - - - - - POC not Available so far

EQSecure

Key Logger Simulation Test - - - - - PASS
Screen-Logger Simulation Test - - - FAIL
Webcam Logger Simulation Test - - FAIL
Clipboard Logger Simulation Test - - FAIL
SSL Logger Simulation Test - - - - - POC not Available so far

GesWall

Key Logger Simulation Test - - - - - PASS
Screen-Logger Simulation Test - - - FAIL
Webcam Logger Simulation Test - - PASS
Clipboard Logger Simulation Test - - FAIL
SSL Logger Simulation Test - - - - - POC not Available so far

SafeSpace

Key Logger Simulation Test - - - - - PASS
Screen-Logger Simulation Test - - - PASS
Webcam Logger Simulation Test - - PASS
Clipboard Logger Simulation Test - - PASS
SSL Logger Simulation Test - - - - - POC not Available so far


OA Free Run Safer

All FAIL

ThretFire

All FAIL ( Solcroft! I know what u will say and I understand and agree with you to some extent, though not fully).

Have fun!!

Anyone can try:

ProSecurity
DefenceWall
SSM
SBIE

Thanks

Edit: I have edited the reults, there were some wrong copy/ paste before.

[lucas1985]

Quote:

Originally Posted by aigle

OA Free Run Safer

All FAIL

LUA's kicking some ass

[subset]

Hi,

"You can repeat the same test by installing Zemana Antilogger into your system."
Anti Logger License Purchasing: 1 user License 39.50 USD
"Zemana AntiLogger, with its proactive protection method provides you real time , powerful protection."

Has anyone tested Zemana AntiLogger against a real keylogger?
Or does it just pass their own tests?

Cheers

[aigle]

http://www.wilderssecurity.com/showp...2&postcount=64

[farmerlee]

Keyscrambler passes the keylogger simulation test.

[CogitoErgoSum]

Under Vista 32 SP1:

DefenseWall v2.30

Key-Logger Simulation Test - Pass(*Note: Detected and gave me the option to terminate this test on the spot via the pop-up notification.)
Screen-Logger Simulation Test - Pass(*Note: Blocked silently.)
WebCam-Logger Simulation Test - Tentative Pass(*Note: Although, I do not have a webcam, I ran this test anyway and observed in DW's log that all attempts to make changes to the registry were blocked silently.)
Clipboard-Logger Simulation Test - ?(*Note: Does not appear to work when run as "untrusted". I will have to get Ilya to look at this particular test.)




Peace & Gratitude,

CogitoErgoSum

[aigle]

Quote:

Originally Posted by CogitoErgoSum

WebCam-Logger Simulation Test - Tentative Pass(*Note: Although, I do not have a webcam, I ran this test anyway and observed in DW's log that all attempts to make changes to the registry were blocked silently.)

It will be best to have this test done with a web cam I think. The only way to know.

Thanks for the reults.

[solcroft]

Quote:

Originally Posted by aigle

Solcroft! I know what u will say and I understand and agree with you to some extent, though not fully.

Actually, no I won't. You know the facts, and I'm beginning to sound like a broken record anyway.

I test with real malware. POCs are to behavior blockers what the EICAR test file is to antivirus software: just a weak replacement used by sissies who feel the need to trick themselves into thinking they're doing any meaningful tests. But I'm sure you already know that.

[Huupi]

Simple as that,most all reputable antimalwares are smarter the n the users of these fakes. LOL

[Ilya Rabinovich]

Quote:

Originally Posted by CogitoErgoSum

Clipboard-Logger Simulation Test - ?

Had no problems with it.

As about webcam- I still didn't made my mind if need to implement it. The reason is following: there are too many software nowadays (ICQ and other popular IM software, Skype and other VoIP clients) that are using webcam. Not sure if I need alert on each of it as it is impossible to automatically block it out. Also, in future, more and more software will be using webcams in order to improve its functionality. So- I'm in doubts about this point. Is it really about security?

[zopzop]

Quote:

Originally Posted by lucas1985

LUA's kicking some ass

SRP for the win!!!!!1111

[GES/POR]

Can anyone test Bufferzone,Prevx and Sandboxie please.

[Franklin]

With the keylogger test press alt+1, alt+2, alt+3 using the num pad on the right side of the keyboard for the numbers.

You should get ☺, ☻, and ♥ yet the keylogger shows 1, 2 and 3.

What does this mean? Don't know, just posting as a quirk that may fool some keyloggers maybe.

Sandboxie doesn't stop keylogging but they can't send that data out over the net when SB is configured for only your browser to connect out.
Alt Key Codes

[bellgamin]

Why exclude SSM & ProSecurity?

P.S. I have the same attitude toward sandboxes as does my cat.

[Franklin]

Quote:

Originally Posted by bellgamin

P.S. I have the same attitude toward sandboxes as does my cat.

Smart cat ya got there knowing where all the crap ends up.

[solcroft]

Quote:

Originally Posted by Franklin

Sandboxie doesn't stop keylogging but they can't send that data out over the net when SB is configured for only your browser to connect out.

A common misconception. Sandboxie cannot stop keyloggers from manipulating your browser process and use it to connect out.

[Huupi]

Quote:

Originally Posted by solcroft

A common misconception. Sandboxie cannot stop keyloggers from manipulating your browser process and use it to connect out.

Solcroft, Should i ditch Sandboxie because of this,or should i trust Tsuk who is actually saying that no data can escape,if configured right ?

Can you explain a bit how this can happen ?

AFAIK if the keylogger rename itself to akin like your browser,SBIE is aware of this and denies connection.

But maybe there other ways to lure SBIE in allowing connections.i dont know.

So angry waiting to teach us.

edit : none of my security fires up if i click keylogger exe,smart enough to distinguish !

[solcroft]

Quote:

Originally Posted by Huupi

Solcroft, Should i ditch Sandboxie because of this,or should i trust Tsuk who is actually saying that no data can escape,if configured right ?

All I'm saying that your claim was inaccurate. And now that you know that, what you choose to do with that knowledge is your own business.

But right now, I'm trying very hard not to laugh. Oh wow, something's not absolutely flawlessly perfect, it needs to be ditched. You believed it was impenetrable just because some stranger over the Internet said so, and now you're asking another stranger if you need to ditch it. Seriously: grow up.

Quote:

Originally Posted by Huupi

Can you explain a bit how this can happen ?

Like I said, run the leaktests and see for yourself. I did it some while ago, but WB3 was one of those that broke past Sandboxie IIRC. So all a keylogger would need to do is to use the same connection techniques as the leaktests do, and there you go.

[arran]

Quote:

Originally Posted by solcroft

A common misconception. Sandboxie cannot stop keyloggers from manipulating your browser process and use it to connect out.

are you saying that keyloggers inside the sandbox can take over your browser and use the browser to connect out?

wouldn't a good hips prevent a key logger from taking over your browser ?

[solcroft]

Quote:

Originally Posted by arran

are you saying that keyloggers inside the sandbox can take over your browser and use the browser to connect out?

Yes.

Quote:

Originally Posted by arran

wouldn't a good hips prevent a key logger from taking over your browser ?

No, the HIPS won't do that. It will, however, give the smart user an opportunity to stop that from happening.

[arran]

hmm well the only ways I can think of to stop keyloogers inside sandboxie.

1. use mvps hosts file and hopefully the keyloggers server is on mvps hosts file
filter list.

2. allways clean out sandboxie before go to log into your online bank or any other login place.

3. hopefully your hips will give you a popup warning to block the keylogger from taking over your browser.

Edit Actually you should be able to configure your hips to monitor your browser
inside sandboxie.

any one know of any other ways??

[aigle]

Quote:

Originally Posted by Franklin

Sandboxie doesn't stop keylogging but they can't send that data out over the net when SB is configured for only your browser to connect out.
[/url]

It might not be so straight forward. I guess that data can be sent just by loading a dll into ur browser. SBIE will not complain at all. Just a guess, I may be wrong though.

[Stijnson]

How are keyloggers typically 'installed' on ones system? Is there one specific method or do they come in all sizes and manners?
How can one protect his system (apart from the usual AV/AS software)? Browser plugins perhaps?

[Franklin]

Obscure methods exist to by bypass most security apps and a keylogger would have to authored specifically to bypass a configured Sandboxie to stop as such employing a parent/child process.

If anyone has a poc would you be able to post it over at Sandboxie's forum so it can be looked at?

You can only help one of the best ever security apps get better.

[controler]

Hello

A while back I did some tests with commercial key loggers. Some of you may remember.
Back then you could download all new versions for free trial use. Now the makers got smart and some of them do not give a free trial. This way at least if the AV's are going to catch them, someone will have to pay for it.
My test simply comprised of downloading the newest version and running them through Virus Total. The interesting part is only a hand full of AV' were adding them. The reasons may have been legal issues, I don't know.
I am sure most still added for ITW key loggers, I never tested that.
But of course the most common way for these to get installed is if someone has access to your computer such as an IT person, spouse, yo mama or dad ect.

Can you people tell me if HIPS have become easy to use for the home user?