MRG Effitas Antilogger & Browser Security Test

Discussion in 'other anti-malware software' started by Scoobs72, Aug 19, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. So, it doesn't only protect the bank's website.

    But, I believe that it should protect every https website, by default. Just in case, because one never knows what websites users access.

    Considering that, like TonyW mentioned, most average users will leave applications at default settings, if a user downloads Trusteer believing it will protect credentials entered in the bank website, without understanding that the bank must be a partner to be protected by default, then by default it doesn't protect the user.

    Prevx SafeOnline protects every https website. The user doesn't have to change settings for that.

    Rapport will only protect those websites that come protected by default. But, by default it doesn't protect every https website. We need to manually add them, as you mentioned.

    And, one could argue that users should be aware of that, but as the thread I pointed shows, someone wasn't aware... I wonder how many more people aren't aware, and they simply download because they see mentions to it in some blog, which the author isn't capable of actually explaining how the application actually works? It happens a lot.

    So, if Trusteer enters the test... then Sandboxie should too... with proper settings. :D

    We can't simply decide to test one of the protected (by default) websites. Users can enter confidential info in any https website, and they should all be guarded by default. ;)
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I'm one of those who always read TFM so it's no problem with me, but I agree with you, https should all be protected in Trusteer by default.

    You can't expect Joe/Jane Average to spend time learning how their security apps work. :blink:
     
    Last edited: Aug 25, 2011
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I am amazed some people are putting so much weight into a 32-bit banking test when most of us are on x64 already.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Has there been a poll to determine that?
    I wonder if it isn't the other way around?
     
  5. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Don't assume any such thing. In case you're wondering, there's a ton of companies that are using 32-bit systems, and most people I personally know still are using 32-bit systems, including myself. Matter of fact, when I get a custom PC built, it will also be 32-bit.
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    lol, I believe most still use XP, some are probably using Win 95, or Win 98.

    Edit: I'm wrong https://www.wilderssecurity.com/showthread.php?t=281664
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I couldn't agree more. People keep talking about the average Joe, but the truth is one either has an interest in security or couldn't care less (in which case when they are affluent Joes they delegate the security of their computer to a technical subordinate).

    These tests are done with security-minded people as readers, and therefore default settings are meaningless.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I liked my Vista64 a lot when I had it for more than a year. I like Vista32 a lot because I can't find some specific drivers for the 64-bit system, and I don't see why I should upgrade my other 3 notebooks to Win7 from XP when they are working perfectly. I can believe that most new computers in the States and Sweden are now sold with a 64-bit system, but in Asia, for example, 32-bit rules, as a lot of third-party software written in Japanese, Korean, Chinese etc. is compatible with 32-bit systems only.
     
  9. guest

    guest Guest

    The users are aware: there is a big icon that is gray when it is not working and green when it is working; in fact, during the installation they explain this to the users. With just 2 clicks you can add a product to be protected.

    Also there are 2 or 3 settings to tweak, because some of the protection by default is only active for the partner websites and not for the ones added manually. For example, screen capture: this would also be an inconvenience, because the program will alert you if you try to capture the screen on any https website, so it would be annoying; the same happens with Prevx and Ctrl+Alt+Del and the screen capture.

    I think that the problem is that the customers of Trusteer Rapport are the partner banks and not the users, so they focus the product on those banks. Anyway, by changing a few settings and manually protecting the sites you want, you can get the same protection.

    Anyway, I think like you: it should protect any https website by default, but maybe it needs many resources to do all this because of some virtualization or whatever. You can request it here: http://www.trusteer.com/product-feedback (I did it)
     
    Last edited by a moderator: Aug 25, 2011
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Agreed.

    In Sweden (and probably the whole of western Europe), stores don't deliver computers with 32-bit systems anymore. Windows 7 is used by more personal computers than XP. Therefore, it makes no sense to me that MRG only conduct a 32-bit test and not test on the x64 platform as well.
     
  11. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    And that's OK.

    Though I can say - your test is interesting, it has no external validity.
    In-house simulators, which only exist in laboratories, don't say much about real-world relevance. Even if you say "they are constructed to act like real banking-malware" - it remains a question of belief or not.

    Cynical and critical people can say:
    - The simulator is specially constructed to let certain products look bad.
    - Or, why should something be blocked that doesn't exist in the real world? (ok - the "it behaves like real.." could be an argument - but where is the proof?)

    Has the simulator a digital signature again? If yes - which?
     
  12. guest

    guest Guest

    @Sveta

    Is there any malware in the world able to do what your simulator does, or any malware using the same techniques?
    Can you share the MD5?
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you read the thread I mentioned a few posts back, you'll see someone was not aware of what needed to be done.

    I'm not arguing that people should be aware. They should. Reality is a bit different, though. :argh:

    But, as Osaban mentioned...

    This is 100% true. So, with that in mind... I can't possibly understand the exclusion of Sandboxie from such tests.

    My relatives don't chase this kind of stuff (these antimalware tests). They don't even know about them. I like to consider them the average Joes/Janes.

    If it weren't for me, they wouldn't know things like Prevx SafeOnline, etc.

    When it comes to antimalware apps, they know names like AVG or avast!. And, that's it.
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    When I ordered my Dell desktop in May 2010 I couldn't get a 32 bit.
     
  15. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    lol..good for you. way to go buddy:thumb:
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'm late to this, but another nice test from MRG. Good to see the bar being set higher for these banking malware tests and hopefully those vendors that failed will improve their products to provide additional protection.
     
  17. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    But the cynical question remains: For what should they "provide additional protection"? For in-house simulators - and/or for real threats??
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Of course, for real malware ;)
     
  19. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Well, the way I have always read MRG's description of their simulator is that it is exactly that - it simulates exactly the same actions that real malware performs. The reason for using a simulator in these tests would be exactly the same reason anybody uses a simulator in testing other software solutions - predictability, repeatability and confidence in the results because the coding of the simulator is fully understood.

    I have never taken the use of the word simulator as a replacement for "proof of concept", which is what some may be trying to imply here. The fact that some software passes and blocks the simulator and others don't suggests that several anti-logger vendors have coded to block these sorts of attacks. So since they block them, would it not be reasonable to conclude that the 'simulator' is simulating something which several vendors perceived as a valid attack vector, but which several others haven't addressed?
     
  20. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Hi SLE,

    Whilst we are not disclosing details about the simulator at the moment, I can confirm that it uses the same attack method as several types of ITW malware and therefore is a valid representation of a threat.

    You will notice that Quaresso, Rapport and Zemana already protect against this attack – this will not have been an accident, but by design – to protect against malware using this method.

    Regards,
    Sveta
     
  21. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    It's only one possibility, see my post 86 ;) It remains a question of "believe it or not, we don't give details, but we say..." But I won't go into a discussion circle yet and won't talk everything bad. So atm (sig!) I accept Sveta's statement:
    Ok. But a little info;)? Is it digitally signed again...?
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    For sure, a little bit more information would be nice. For example, what are the key differences between this version of the simulator and the previous? We know that no vendors, even those that failed, complained (at least publicly) about the previous version of the simulator so we can sort of take it as read that the methodology was valid. What has changed in this version? Is it basically the same as the previous simulator but with a modified attack vector? Or are there substantial differences which should lead us to view this as a completely separate test, rather than a minor evolution of the previous?
     
  23. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    I'm not sure if vendors ever got the simulator. IMO they get only real samples from MRG, simulators were in-house.
    Beside that: Not complaining is no argument for validity. MRG is atm no big testing organisation where vendors must look close and take care. MRG tests have not so much publicity and so not much influence on products' image.
    Btw.: can't open the zipfile with the report on MRG site. If anyone is able, PM with repack would be nice.
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    If I recall correctly, Comodo got the simulator (unintentionally), but did not raise issue with it on the basis of what it did. Prevx also fixed the fail it had in the June 2011 test (i.e. "test is valid, we failed, we'll fix it"). Prior to that Spyshelter argued strongly against their 'fail' rating, but like the others did not raise issue with the simulator itself.

    The ongoing lack of complaints from the vendors about the simulator persuades me that the test is valid. It's not just this test, it's the June 2011 test, the June 2010 test, and the April 2010 test. IMO, you'd expect by now that after 4 tests at least one vendor would have raised issue with the simulator approach if there were indeed issues with it.
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    In the Prevx forum, BoerenkoolMetWorst said Chris of MRG says:
     