keyboard & mouse input locker test :D

Discussion in 'other anti-malware software' started by Coolio10, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. Coolio10
    Coolio10 Registered Member

    Well, it was posted in the Comodo forum, but I haven't had a chance to test Comodo yet because I am on my sister's computer. But OA Free fails without even a popup.

    WARNING: If your firewall fails then your mouse and keyboard will be disabled. The only way to restore it is to push the power button so your computer will shut down normally.

    The poster showed EQsecure can pass the test.

    You need to register at the Comodo forums for the download to show in the post.

    http://forums.comodo.com/help_for_v3/cfp_v3014273_did_not_pass_the_test-t16851.0.html

    Have Fun!
  2. gkweb
    gkweb Expert Firewall Tester

    Re: Another Interesting keylogger test! :D

    Hello,

    From what I can see while testing this executable, it is not a keylogger. Instead, it blocks mouse and keyboard input from the user, which by itself is nothing hard to do since there is a publicly available Windows API to do just that (BlockInput(), http://msdn2.microsoft.com/en-us/library/ms646290.aspx).

    I do not see the point of this "test tool", apart from showing that a program can block mouse and keyboard? If so, I can build a small executable to open your CDROM drive :)

    If I did miss something about this program, please tell me.

    Regards,
    gkweb.
  3. Coolio10
    Coolio10 Registered Member

    Re: Another Interesting keylogger test! :D

    Sorry for the weird title :D.

    Is there a way to block it though?
  4. gkweb
    gkweb Expert Firewall Tester

    Re: Another Interesting keylogger test! :D

    Hello,

    You should rename your topic, this tool is a keyboard & mouse input locker, not a keylogger. But you do what you want, I'm not a moderator :)

    To answer your question, I am not a developer of security software, therefore I have no clear idea of the consequences of doing that, but it is doable, yes. Just watch the calls to this specific function, and you catch the potential malware.

    However, I wonder if a real malware would block keyboard and mouse input. The user is likely to reboot his computer, it is the opposite of being stealthy. Moreover, if inputs are blocked, you have nothing to keylog, it would seem weird to want to lock inputs. But if protection against this can be added easily without any drawback, as this function is never called usually, then why not.

    We will see what will be Comodo's answer about that.

    Regards,
    gkweb.
  5. Ilya Rabinovich
    Ilya Rabinovich Developer

    Re: Another Interesting keylogger test! :D

    I've never heard that serious malware would use this technique.
  6. Coolio10
    Coolio10 Registered Member

    Re: Another Interesting keylogger test! :D

    Any mod want to change the title?

    ~Title changed....Bubba~
    Last edited by a moderator: Dec 9, 2007
  7. solcroft
    solcroft Registered Member

    Re: Another Interesting keylogger test! :D

    The testing paranoia continues. Though it's reassuring to see there are still people who take the time to analyze the significance of such tests instead of blindly freaking out whenever their pet security software fails.
  8. EASTER
    EASTER Registered Member

    Attention Houston, I have a problem. I too use EQS 3.4 but I wasn't alerted to anything after initially allowing explorer to execute TEST.exe. Am I missing a rule someplace? He! I had to reboot to flush from memory. Reminds me of those Windows 98 exploit viruses that used to wreak all sorts of weird displays like suddenly opening the Run box and such.
  9. aigle
    aigle Registered Member

    U need v 3.41.
  10. EASTER
    EASTER Registered Member

    I thought I had version 3.41. Where's the details? Because PROPERTIES, VERSION only shows me this: 2007.8.1.19 o_O
  11. yankinNcrankin
    yankinNcrankin Registered Member

    LOL! The only usefulness that I can see in this is if some hacker of gaming would wanna mess with their opponents, or just simply annoy a user while they're trying to do work on their machine :D
  12. aigle
    aigle Registered Member

    See this.

  13. EASTER
    EASTER Registered Member

    Well, with the table I keep it would be just like me to have totally missed that version and instead been using the .rar one. I've re-found the .exe link for 3.41 so I'll retest with it and see what goes.

    Thank You aigle for your courtesy.

    If by chance you can upload the authentic 3.41 version someplace it would be appreciated, along with some ENGLISH interpretation files. I got 2 different 3.41 versions, one is 1.80 and the other is 1.89. When I run the TEST.exe to let explorer open it there's no information above the notify box like was in the screenshot at COMODO and this concerns me. Even after issuing a DENY, the screen & mouse still lock up, so something is not right here.

    Wish they would just settle on a single ENGLISH release with all the additionals required and make it easier to pinpoint the version best suited as up-to-date.
    Last edited: Dec 9, 2007
  14. herbalist
    herbalist Guest

    So much for that test. It blocked the mouse and normal keyboard usage, but CTRL+ALT+DEL still works, letting you terminate the process and get right back to normal.

    About the only possible use I see for malware using that idea is if it also blanked the desktop to prevent the user from seeing some specific activity. A little desktop locking app I use for 98 does something like that, allowing only one key combo to function, which brings up a password box. At least it disables CTRL+ALT+DEL.
    Rick
  15. EASTER
    EASTER Registered Member

    EQSecure 3.41 (Authentic) does indeed have provisions that disable TEST.EXE as reported. I tested it myself and it works.

    Still anxious to see if this is just a teaser release for the rest of the developed world or if they will move ahead with more improvements.

    I've taken a real fancy to EQS since discovering it has ABSOLUTE script blocking shielding to go along with everything else that it's able to protect.

    Very Stable App!
  16. ggf31416
    ggf31416 Registered Member

    I guess it's using BlockInput in an infinite loop.

    BlockInput can be used, for example, to avoid "unwanted" user input when a malware is using click simulations to change firewall mode to Allow all.
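
Added example, not part of any post in this thread: detection logic over an API-call trace that acts on the "watch the calls to this function" suggestion and on the BlockInput-in-a-loop and click-simulation scenarios raised above. The trace layout, PIDs, thresholds and every process name except TEST.exe are constructed assumptions; BlockInput, SendInput, mouse_event and keybd_event are the real Win32 functions.

```python
from collections import defaultdict

# Constructed trace: (seconds, pid, image, api, argument). The record layout is
# an assumption; real API monitors and HIPS products use their own formats.
SAMPLE_TRACE = [
    (0.0, 412, "installer.exe", "BlockInput", "TRUE"),   # brief, released: benign
    (1.5, 412, "installer.exe", "BlockInput", "FALSE"),
    (2.0, 977, "TEST.exe", "BlockInput", "TRUE"),        # re-blocking in a loop
    (2.1, 977, "TEST.exe", "BlockInput", "TRUE"),
    (2.2, 977, "TEST.exe", "BlockInput", "TRUE"),
    (2.3, 977, "TEST.exe", "BlockInput", "TRUE"),
    (3.0, 1300, "clicker.exe", "BlockInput", "TRUE"),    # simulated click while
    (3.2, 1300, "clicker.exe", "SendInput", "MOUSE"),    # the user is locked out
    (3.4, 1300, "clicker.exe", "BlockInput", "FALSE"),
]

# Win32 calls that inject simulated keyboard or mouse events.
SYNTHETIC_INPUT_APIS = {"SendInput", "mouse_event", "keybd_event"}


def find_input_lock_abuse(trace, repeat_threshold=3, max_hold_seconds=5.0):
    """Return {pid: set of reasons} for processes whose BlockInput use looks abusive."""
    blocked_since = {}          # pid -> time of the first unreleased BlockInput(TRUE)
    repeats = defaultdict(int)  # pid -> BlockInput(TRUE) calls since the last release
    findings = defaultdict(set)
    last_time = 0.0
    for ts, pid, _image, api, arg in sorted(trace):
        last_time = ts
        if api == "BlockInput" and arg == "TRUE":
            blocked_since.setdefault(pid, ts)
            repeats[pid] += 1
            if repeats[pid] >= repeat_threshold:
                findings[pid].add("repeated-block")
        elif api == "BlockInput" and arg == "FALSE":
            blocked_since.pop(pid, None)
            repeats[pid] = 0
        elif api in SYNTHETIC_INPUT_APIS and pid in blocked_since:
            findings[pid].add("synthetic-input-while-blocked")
    # A block still held at the end of the trace for longer than the limit.
    for pid, start in blocked_since.items():
        if last_time - start > max_hold_seconds:
            findings[pid].add("never-released")
    return dict(findings)
```

On the constructed trace the short, released block by installer.exe is not flagged, which matters because legitimate setup and remote-support tools also call BlockInput briefly.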
  17. Pedro
    Pedro Registered Member

    Does it work by extension like Script Defender/Sentry, or as Wormguard which can also block embedded scripts in docs etc? (see here)
    Last edited: Dec 21, 2007
  18. EASTER
    EASTER Registered Member

    Good question. In my experience with EQS so far, its script blocking/alerting trumps both Script Defender & Sentry.

    I'm going over that topic again and will try to draw out some better comparisons as well as address the absolutes regarding embedded scripts.

    Reason being most users no matter which other security programs they protect themselves with, against those SandboxIE or other like apps serve as a containment against them.