Through the Eyes of a Keylogger versus HIPS

Discussion in 'other anti-malware software' started by aigle, Mar 12, 2009.

  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, I am crazy, and would not catching it initially on install be the most favorable method for protection?
     
  2. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    I would not catch it either, as Comodo does alarm a lot more. Still, I can see how Comodo does not fully pass, as it doesn't give the precise alerts that are being asked for.

    PrevX has added a signature for this by the look of the alert; is that a pass? No, it's not. o_O o_O This test is supposed to test a technique and should NOT be treated as a virus. Adding this file to the database is an easy and cheap way to fight this test. The question remains: would it catch this attack if it was modified a bit, making the signature unusable? We don't know, since PrevX is relying on a signature in this case. A good coder could probably make a "real" in-the-wild keylogger functioning in a similar manner, undetected by this signature. o_O o_O

    Still, if you catch the actual technique, the coder would have to find another way to keylog.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    PrevX will catch them all, with a signature or in the wild, when heuristics are on high :)
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    To me it passes. Anything else is fluff. Any that catch it on install pass. Plain and simple.
     
  5. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89

    I disagree. If so, all pass. Comodo gives some alerts blocking those and the app won't run or be able to do anything at all. Woohoo, great pass. This is ridiculous.

    Adding it to the CIS AV database would also be a pass?

    If so, all those Matousec tests are really easy; an AV with no outbound or inbound filtering could pass them by labelling all of those tests as "potentially bad" or virus or whatever and become the best firewall against leaks. Give me a break. Who are you trying to fool? :rolleyes: :rolleyes:

    It's the technique that matters when it comes to these kinds of tests. A modified version would most likely get UD (undetected) past PrevX. Adding a single definition is nothing and is NOT an all-round protection against anything. Adding a signature will prove good on paper, but if a hacker does a similar application it won't provide decent protection against any attack, since the hacker changes some stuff and, bam, undetected. If you catch the actual technique, a similar program won't be able to fool your software.
     
  6. wat0114

    wat0114 Guest

    Hi LoneWolf, your second SS, where the "Create new process" alert on explorer.exe attempting to create the target through-the-eyes-...... needs to be allowed, otherwise the tests can't be run. This is just simple stopping of the executable, but you have to assume allowing of the executable, even if only temporarily, because in reality this will be the intent.

    After that you deny the "Low level keyboard access", as I've done with a permanent rule, as seen in my SS's.

    The way I see it - and this is unfortunate :( - this test absolutely annihilates MD 2.1.0 beta 1.

    MD does not alert on the first test - Fails

    MD alerts with "Access keyboard in low level"; I deny permanently but screen captures still take place - Fails

    Third test - Fails

    Fourth test - Fails
     

    Last edited by a moderator: Mar 12, 2009
  7. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    Finally someone agreeing with and understanding what those tests are made for. :thumb: :thumb: Blocking execution is NOT a pass. *yawn*
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, this is the right way to test it against MD.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I appreciate your feedback, and was in fact just about to reply on this thread.

    Such an issue is not related to the keylogger test. I guess it was just a coincidence.

    It's a bug in Opera 10 Alpha, latest build.


    Thanks
     
  10. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    MD passes keylogging for me. 'What Keyloggers see' is running as I type this and I have a permanent deny for 'Access keyboard in low level'.
    This is true, I get a prompt which then suspends TTEOAK, but regardless of whether a permanent deny is in place it seems to capture anyway.

    Edit: I also received a prompt for the first test.
     
  11. wat0114

    wat0114 Guest

    Hi tony,

    You mean the keylogger is not logging any keystrokes in test 1? I get the initial alert, as seen in the SS from MD, which I of course allow, otherwise no tests can be run, but then the keylogger logs my keystrokes with no alerts from MD.
     

  12. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    That is correct. However it is capturing active window titlebar text.
    Yes of course I permit the test to take place and I still get prompted for 'Access keyboard in low level' on both test 1+2, although test 2 fails.
     
  13. wat0114

    wat0114 Guest

    I see, I don't get the "Access keyboard low level" alert for test 1. o_O Only for test 2, but as in your case MD also fails.
     
  14. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Only latest MD beta running on my system, no other security software:
     

  15. wat0114

    wat0114 Guest

  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Yes, I did allow the first pop-up from MD to let it execute, and got an alert on all the tests, which I simply chose to deny and kill the process.
    Your testing took it further; I'll be waiting to hear what xiaolin has to say about this test.
     
  17. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I run with Mamutu and DriveSentry, and the two fail all the tests. No alerts are displayed by Mamutu. DriveSentry alerts only for a write to the disk for the creation of a .tmp file before and after the test.
     
    Last edited: Mar 12, 2009
  18. wat0114

    wat0114 Guest

    Fair enough, LoneWolf, and xiaolin has confirmed MD's not yet ready to protect against this type of action:

     
  19. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    KIS wouldn't let me download the file.... killjoy! :D

    Has anybody tried it using KIS2009 (OS: Vista)?
     

  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's the easy way out.

    This test is designed to be run, and then you objectively observe the results of your security apps: whether they are capable of suspending it long enough to kill it, or simply strong enough to block all 3 attempts.

    Nifty new test, however; my congrats on another test app, especially one to do with keylogging.

    EASTER
     
  21. chris1341

    chris1341 Guest

    I disabled anti-malware to facilitate the download. The application filtering then examines it, as it is not listed as good or bad. Unsurprisingly, as KIS flags it as a trojan, the application filtering puts it into Untrusted. This stops it from running.

    If you move it to Low Restricted or High Restricted KIS2009 on Vista 32 fails all the tests.

    Depends how you look at it. You either think KIS nailed it early so no need to worry or like me you are a little disappointed that in Low or High restricted it did not generate an alert or other action.

    Cheers
     
  22. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    So KIS2009 automatically put it into untrusted apps.... Is that the right way to pass this kind of test for KIS2009, or do you need to put it into High/Low Restricted to see if KIS will pass the test?

    btw, what's your KIS set up?
     
  23. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    SUSPENDING OR KILLING THE APPLICATION IS NOT A PASS..
    If so, a classical HIPS (still the strongest thing out there against anything) such as CIS passed ALL TESTS, as it is capable of stopping all applications from starting upon execution; it's "bullet proof" in that sense, nothing bad or unknown can run without popups.

    ALL VIRUSES, TROJANS, MALWARE AND TESTS.. THERE IS NOT A SINGLE ONE OF THEM THAT YOU CAN'T SUSPEND WITH CIS..

    A signature is absolutely not a pass. And on top of that, Kaspersky labels it the wrong way.

    Are those 4 techniques caught? That is the question. Adding a single signature won't provide protection against the attack in those tests, just the test itself, which is harmless. Would it catch a real keylogger doing a similar thing? That is the question. Relying on a signature means that, yes, this harmless test won't run, but a similar app using the same attack would fool you. Catching the technique is much better and means that you are protected from the actual attack and no modified variant can fool you.
     
  24. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    Of course, don't get me wrong..

    It's not a fail for Kaspersky; we don't know Kaspersky's results yet..

    This is a HIPS test.. And that is what is supposed to be tested..

    Not the antivirus part.. :) :)
     
  25. chris1341

    chris1341 Guest

    Each to their own. I'm sure most would say the fact that the intentions of the programme were recognised by KIS and blocked at the point of download, write and execution, and then, even if these were bypassed, it subsequently made the app untrusted, is a pass.

    I'd just have been happier if a High Restricted programme was also prevented from logging keystrokes/capturing screens etc. It would be interesting to see KIS results on XP, where the HIPS features dig deeper.

    The test is deliberately not designed for this, but from the areas protected it is likely that on High Restricted an alert would have been given had the application tried writing the data to a file or phoning home.

    Settings are fairly standard except I select all of the pro-active defence categories and do not automatically trust signed applications.

    Cheers
     