keyboard & mouse input locker test :D

Discussion in 'other anti-malware software' started by Coolio10, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Well it was posted in the Comodo forum but I haven't got a chance to test Comodo yet because I am on my sister's computer. But OA free fails without even a popup.

    WARNING: If your firewall fails then your mouse and keyboard will be disabled. The only way to restore it is to push the power button so your computer will shut down normally.

    The poster showed EQsecure can pass the test.

    You need to register at the Comodo forums for the download to show in the post.

    http://forums.comodo.com/help_for_v3/cfp_v3014273_did_not_pass_the_test-t16851.0.html

    Have Fun!
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Re: Another Interesting keylogger test! :D

    Hello,

    From what I can see while testing this executable, it is not a keylogger. Instead, it blocks mouse and keyboard input from the user, which by itself is nothing hard to do since there is a publicly available Windows API to do just that (BlockInput(), http://msdn2.microsoft.com/en-us/library/ms646290.aspx).

    I do not see the point of this "test tool", apart from showing that a program can block mouse and keyboard? If so, I can build a small executable to open your CDROM drive :)

    If I did miss something about this program, please tell me.

    Regards,
    gkweb.
     
  3. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Re: Another Interesting keylogger test! :D

    Sorry for the weird title :D.

    Is there a way to block it though?
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Re: Another Interesting keylogger test! :D

    Hello,

    You should rename your topic, this tool is a keyboard & mouse input locker, not a keylogger. But you do what you want, I'm not a moderator :)

    To answer your question, I am not a developer of security software, therefore I have no clear idea of the consequences of doing that, but it is doable, yes. Just watch the calls to this specific function, and you catch the potential malware.

    However I wonder if a real malware would block keyboard and mouse input. The user is likely to reboot his computer, it is the opposite of being stealthy. Moreover, if inputs are blocked, you have nothing to keylog, it would seem weird to want to lock inputs. But if protection against this can be added easily without any drawback, as this function is never called usually, then why not.

    We will see what will be Comodo's answer about that.

    Regards,
    gkweb.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: Another Interesting keylogger test! :D

    I've never heard that serious malware would use this technique.
     
  6. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Re: Another Interesting keylogger test! :D

    Any mod want to change the title?

    ~Title changed....Bubba~
     
    Last edited by a moderator: Dec 9, 2007
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: Another Interesting keylogger test! :D

    The testing paranoia continues. Though it's reassuring to see there are still people who take the time to analyze the significance of such tests instead of blindly freaking out whenever their pet security software fails.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,255
    Location:
    U.S.A. (South)
    Attention Houston, I have a problem. I too use EQS 3.4 but I wasn't alerted to anything after initially allowing explorer to execute TEST.exe. Am I missing a rule someplace? He! I had to reboot to flush from memory. Reminds me of those Windows 98 exploit viruses that used to wreak all sorts of weird displays like suddenly opening the Run box and such.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    U need v 3.41.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,255
    Location:
    U.S.A. (South)
    I thought I had version 3.41, where's the details because PROPERTIES, VERSION only shows me this: 2007.8.1.19 o_O
     
  11. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    LOL! The only usefulness that I can see in this is if some hacker of gaming would wanna mess with their opponents, or just simply annoy a user while they're trying to do work on their machine :D
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    See this.
     

    Attached Files:

  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,255
    Location:
    U.S.A. (South)
    Well with the table I keep it would be just like me to have totally missed that version and instead been using the .rar one, I've re-found the .exe link for 3.41 so I'll retest with it and see what goes.

    Thank You aigle for your courtesy.

    If by chance you can upload the authentic 3.41 version someplace it would be appreciated along with some ENGLISH interpretation files. I got 2 different 3.41 versions, one is 1.80 and the other is 1.89. When I run the TEST.exe to let explorer open it there's no information above the notify box like was in the screenshot at COMODO and this concerns me. Even after issuing a DENY, the screen & mouse still lock up, so something is not right here.

    Wish they would just settle on a single ENGLISH release with all the additionals required and make it easier to pinpoint the version best suited as up-to-date.
     
    Last edited: Dec 9, 2007
  14. herbalist

    herbalist Guest

    So much for that test. It blocked the mouse and normal keyboard usage, but CTRL+ALT+DEL still works, letting you terminate the process and get right back to normal.

    About the only possible use I see for malware using that idea is if it also blanked the desktop to prevent the user from seeing some specific activity. A little desktop locking app I use for 98 does something like that, allowing only one key combo to function, which brings up a password box. At least it disables CTRL+ALT+DEL.
    Rick
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,255
    Location:
    U.S.A. (South)
    EQSecure 3.41 (Authentic) does indeed have provisions that disable TEST.EXE as reported. I tested it myself and works.

    Still anxious to see if this is just a teaser release for the rest of the developed world or if they will move ahead with more improvements.

    I've taken a real fancy to EQS since discovering it has ABSOLUTE script blocking shielding to go along with everything else that it's able to protect.

    Very Stable App!
     
  16. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    313
    Location:
    Uruguay
    I guess it's using BlockInput in an infinite loop.

    BlockInput can be used, for example, to avoid "unwanted" user input when a malware is using click simulations to change firewall mode to Allow all.
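
Added example, not part of any post in this thread: a sketch of the "watch the calls to this specific function" idea from gkweb's reply, extended to the loop pattern guessed at just above. It runs over a constructed API trace in a hypothetical "time pid image call" format; the thresholds and the function name find_input_lockers are assumptions.

```python
import re
from collections import defaultdict

# Constructed API-trace lines in a hypothetical "time pid image call" format.
SAMPLE_TRACE = """\
10.000 1204 TEST.exe BlockInput(TRUE)
10.050 1204 TEST.exe BlockInput(TRUE)
10.100 1204 TEST.exe BlockInput(TRUE)
12.000 2210 setup.exe BlockInput(TRUE)
12.400 2210 setup.exe BlockInput(FALSE)
15.100 1204 TEST.exe BlockInput(TRUE)
"""

LINE = re.compile(r"^(\d+\.\d+) (\d+) (\S+) BlockInput\((TRUE|FALSE)\)$")


def find_input_lockers(trace, max_hold=2.0, max_repeats=3):
    """Map pid -> reason for processes that keep input blocked.

    max_hold and max_repeats are illustrative thresholds, not vendor values.
    """
    held = {}                    # pid -> (time of first unreleased TRUE, image)
    repeats = defaultdict(int)   # pid -> consecutive TRUE calls without FALSE
    flagged = {}
    last_time = 0.0
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # ignore lines that are not BlockInput events
        t, pid, image, arg = float(m[1]), int(m[2]), m[3], m[4]
        last_time = t
        if arg == "FALSE":       # the caller released input itself
            held.pop(pid, None)
            repeats[pid] = 0
            continue
        held.setdefault(pid, (t, image))
        repeats[pid] += 1
        if repeats[pid] >= max_repeats:   # re-asserting the block in a loop
            flagged[pid] = f"{image}: {repeats[pid]} BlockInput(TRUE) calls, no release"
    for pid, (since, image) in held.items():
        if pid not in flagged and last_time - since > max_hold:
            flagged[pid] = f"{image}: input held {last_time - since:.1f}s"
    return flagged


if __name__ == "__main__":
    for pid, reason in find_input_lockers(SAMPLE_TRACE).items():
        print(pid, reason)
```

The process that blocks and then releases input within the hold window is not flagged, which is the drawback check gkweb asks about: a rule keyed on the call alone would alert on it too.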
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,499
    Does it work by extension like Script Defender/Sentry, or as Wormguard which can also block embedded scripts in docs etc? (see here)
     
    Last edited: Dec 21, 2007
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,255
    Location:
    U.S.A. (South)
    Good question. In my experience with EQS so far, its script blocking/alerting trumps both Script Defender & Sentry.

    I'm going over that topic again and try to draw out some better comparisons as well as address the absolutes regarding embedded scripts.

    Reason being most users no matter which other security programs they protect themselves with, against those SandboxIE or other like apps serve as a containment against them.
     