Passing AKLT

As far as keyloggers go,
is there something out there that passes all 5 of the AKLT ?
http://www.firewallleaktester.com/aklt.htm
Just wondering.
Should DW protect from these ?

 

geswall passes everything except the second screen capture one. gentlesecurity is aware of this and they don't feel the method used in the second screen capture test is a security threat.

edit

safespace beta (which i'm trialing) passed all except the direct x test.the makers are aware of this fact and they said the final release of safespace would pass it.

 

Not should- it already protects from all the 5 methods if untrusted. Just download and check out by yourself!

 

Hmmmmm. Then why am I getting these results ?
Am I doing something wrong ?
Screenshots of my results from AKLT.
Run as untrusted.
I don't get it, DW protects from this right ?
TOP LEFT ONE IS THE FIRST TEST MY MOUSE RAN OVER THE BOX AND THE DISCRIPION FOR THE TEST CHANGED , SAME GOES FOR THE SECOND ONE....

The only one I see DW passing is the third AK test with DirectX.

 

This is the second screen capture test.
The first one failed too, captured.
But to big to put a screenshot.

 

Have you seen the notification window on both of events?

Sorry, what is captured?

I have a feeling that something is wrong with defensewall_serv.exe launch. Are standard (hook-based) keyloggers failed to get keystrokes?

 

From DW?
Just one alert from DW on the directX keyloggger.
First two tests it recorded my keystrokes(from pics in previous post)

My screen. If took a pic of what was on my monitor at the time.

Maybe something wrong with my copy off DW
I have 2.04 installed.(trial)

Should this be in my DW folder ? Do not see it there.

Is there a safe one I can test ?

 

In fact, 2.05 is the most recent. Try to check it out.

No, it is in %windows directory%\system32 folder.

For example, with this one (methods 3 and 4):
http://dl1.syssafety.com/download/keylogger.exe?pid=140
I'll try to find some GUI-based if you need.

 

Just tried to update to 2.05 thru the program and got this message.
Guess i'll try to uninstall and install new 2.05.

 

I knew it!!!! Something is wrong with my service, that is why you had those horrible results!

OK, download and install 2.05 right from my site. Then check for AKLT screenshots results. In case it is still leaky- mail me to support [at] softsphere [dot] com and I'll send you service executable with debug output to the file. I really don't like the situation you have and I must understand why it happens.

Installing 2.05- don't forget to switch off your security suite (at least, their behavioral parts)- they could interferer with setup program.

 

DW 2.04 uninstalled. Will install 2.05 now.
Thanks for the help.

 

Still the same with 2.05 as was with 2.04

 

Screenshot here failed again.

 

After trying this myself, the first 2 tests, the alarm notification box pops up as in LoneWolfs test.
The same for the 3rd test, only it also opens my web browser and goes to the http://www.firewallleaktester.com web page.

Test 4 and 5 are passed ok.

 

Hello LoneWolf,

I decided to give this test a try. The first three tests(GetKeyState, GetAsyncKeyState and DirectX) triggered DefenseWall notifications as expected. After each and every attempted keylogging intrusion in the first three tests, I clicked upon the "terminate" option in the DW notification. The fourth test(Screenshot 1) launched mspaint.exe which was empty. I don't know if this is considered a pass or a fail. The fifth test(Screenshot 2) supposedly created a screenshot .jpg of my desktop which was to be shown in my default web browser(Opera). After allowing my firewall(LnS) to allow Opera to display this .jpg, all I got was a blacked out window. I don't know if this is considered a pass or a fail. I am inclined to believe that it is a pass. Ilya, please confirm that I performed the tests correctly.


Peace & Love,

CogitoErgoSum

 

One other thing i would like to know.

Should defensewall be disabled before downloading AKLT, and then re-enabled of course before testing AKLT.

My reason for asking is that Defensewall will run AKLT as untrusted if DW is enabled when downloading, therefore maybe giving a false result from the test, and if it is then run as trusted then Defensewall fails all tests.

 

Cognito, it is right the way DW should protect you from screenshot hijack- AKLT can't get any information from trusted windows and, thus, show only a bacjground. JUts run AKLT as trusted and compare all the screen capture results with AKLT untrusted ones.

 

Thanks Ilya, i have now performed another test running as untrusted.

Test1, 2 and 3 all failed.
The notification box popped up, i clicked terminate, but as you can see from my screenshots they all failed.

Test 4 and 5 both passed.

Running as untrusted all 5 tests fail.

 

Hello Ilya,

Thanks for the confirmation.


Peace & Love,

CogitoErgoSum

 

Hello LoneWolf,

Before performing another test of AKLT against DefenseWall v2.05, please check that you have the dwall_service.dll installed which is located in c:\windows\system32. Maybe RegProt and/or WinPatrol Plus prevented the proper installation of DW?


Peace & Love,

CogitoErgoSum

 

Tony, I know about this bug- I was not really accurate with driver's improvement, "Termination" button will works with the next version of DefenseWall.

As about "failed" tests- you see, I can't just block those keystrokes input methods as they are wildly used by many legitimate software. For example, ICQ v5 is using GetActiveKeyState methods, QuickTime- same thing, many games are using DirectX keylogging. I just can't simply block those methods out!

 

Thanks for the reply and explanation Ilya.

Could i ask one more question, when the notification box pops up, it is only for a few seconds.
If i dont click terminate, then does DefenseWall automatically terminate the application/process etc as the notification box disappears.

 

1. Not a "few seconds", but 15 seconds. It is described into technical documentation.

2. No, no automatical termination as, this case, DW thinks that is is a legitimate activity. One more time- it is just a notification windows if it is impossible to decide in automatic regime if this behavior legitimate or not. Those activity are: GetKeyState, GetAsyncKeyState and DirectX keylogging plus clipboard date access (this technique is used by all the download managers that need to be set as untristed). So, this case I need use anomaly detection technique.