keyboard & mouse input locker test :D

Well it was posted in the comodo forum but i haven't got a chance to test comodo yet because i am on my sisters computer. But oa free fails without even a popup.

WARNING: If your firewall fails then your mouse and keyboard will be disabled. The only way to restore it is to push the power button so your computer will shutdown normally.

The poster showed EQsecure can pass the test.

You need to register at the comodo forums for the download to show in the post.

http://forums.comodo.com/help_for_v3/cfp_v3014273_did_not_pass_the_test-t16851.0.html

Have Fun!

 

Re: Another Interesting keylogger test!

Hello,

From what I can see while testing this executable, it is not a keylogger. Instead, it blocks mouse and keyboard input from the user, which by itself is nothing hard to do since there is publicily available Windows API to do just that (BlockInput () http://msdn2.microsoft.com/en-us/library/ms646290.aspx)

I do not see the point of this "test tool", apart of showing that a program can block mouse and keyboard ? If so, I can build a small executable to open your CDROM drive

If I did miss something about this program, please tell me.

Regards,
gkweb.

 

Re: Another Interesting keylogger test!

Sorry for the weird title .

Is there a way to block it though?

 

Re: Another Interesting keylogger test!

Hello,

You should rename your topic, this tool is a keyboard & mouse input locker, not a keylogger. But you do what you want I'm not a moderator

To answer your question, I am not a developper of security software, therefore I have no clear idea of consequences of doing that, but it is doable yes. Just watch the calls to this specific function, and you catch the potential malware.

However I wonder if a real malware would block keyboard and mouse input. The user is likely to reboot his computer, it is the opposite of being stealth. Moreover, if inputs are blocked, you have nothing to keylogg, it would seems weird to want to lock inputs. But if protection against this can be added easily without any drawback, as this function is never called usually, then why not.

We will see that will be Comodo's answer about that.

Regards,
gkweb.

 

Re: Another Interesting keylogger test!

I've never heard that serious malware would used this technique.

 

Re: Another Interesting keylogger test!

Any mod want to change the title?

~Title changed....Bubba~

 

Re: Another Interesting keylogger test!

The testing paranoia continues. Though it's reassuring to see there are still people who take the time to analyze the significance of such tests instead of blindly freaking out whenever their pet security software fails.

 

Attention Houston, i have a problem. I too use EQS 3.4 but i wasn't alerted to anything after initially allowing explorer to execute TEST.exe. Am i missing a rule someplace? He! I had to reboot to flush from memory. Reminds me of those Windows 98 exploit viruses that used to wreak all sorts of weird displays like suddenly opening the Run box and such.

 

U need v 3.41.

 

I thought i had version 3.41, wheres the details because PROPERTIES, VERSION only shows me this: 2007.8.1.19

 

LOL! The only usefulness that I can see in this is if some hacker of gaming would wanna mess with their opponents, or just simply annoy a user while they trying to do work on their machine>

 

See this.

 

Well with the table i keep it would be just like me to have totally missed that version and instead been using the .rar one, i've re-found the .exe link for 3.41 so i'll retest with it and see what goes.

Thank You aigle for your courtesy.

If by chance you can upload the authentic 3.41 version someplace it would be appreciated along with some ENGLISH interpretation files. I got 2 different 3.41 versions, one is 1.80 and the other is 1.89. When i run the TEST.exe to let explorer open it theres no information above the notify box like was in the screenshot at COMODO and this concerns me. Even after issuing a DENY, the screen & mouse still lock up, so something is not right here.

Wish they would just settle on a single ENGLISH release with all the additionals required and make it easier to pinpoint the version best suited as up-to-date.

 

So much for that test. It blocked the mouse and normal keyboard usage, but CTRL+ALT+DEL still works, letting you terminate the process and get right back to normal.

About the only possible use I see for malware using that idea is if it also blanked the desktop to prevent the user from seeing some specific activity. A little desktop locking app I use for 98 does something like that, allowing only one key combo to function, which brings up a password box. At least it disables CTRL+ALT+DEL.
Rick

 

EQSecure 3.41 (Authentic) does indeed have provisions that disable TEST.EXE as reported. I tested it myself and works.

Still anxious to see if this is just a teaser release for the rest of the developed world or if they will move ahead with more improvements.

I've taken a real fancy to EQS since discovering it has ABSOLUTE script blocking shielding to go along with everything else that it's able to protect.

Very Stable App!

 

I guess it's using BlockInput in an infinite loop

BlockInput can be using for example to avoid "unwanted" user input when a malware is using click simulations to change firewall mode to Allow all.

 

Does it work by extension like Script Defender/Sentry, or as Wormguard which can also block embedded scripts in docs etc? (see here)

 

Good question. In my experience with EQS so far, it's script blocking/alerting trumps both Script Defender & Sentry.

I'm going over that topic again and try to draw out some better comparisons as well as address the absolutes regarding embedded scripts.

Reason being most users no matter which other security programs they protect themselves with, against those SandboxIE or other like apps serve as a containment against them.