PG 3.0 and Anti-keylogger 5.3

Hi,

I have a problem with PG 3.0 since I download the new version of Anti-keylogger (5.3). The problem is that at every start up PG ask me what to do with a file call (15d0b36a-795a-b40c-a20febef3c30).exe (it is related to Anti-keylogger). So every time I put a hook in the box call "always perform this action" and press permit but for some reason PG doesn't seem to remember and ask me at every start up. So what is the problem and what can I do to resolve it

The application is Anti-Keylogger 5.3.

Thank you,
Atomas31

 

Hi Atomas, Could it be that this file is regularly updated by anti-keylogger by say a daily update? If so it is Process Guards checksumming capability that is picking up the changed status. ie. the new MD5 hash checksum. Or could it be a device within the program that changes the .exe as part of it's own defence system.

I would have thought that an emailt to their product support would be the quickest route for an answer.

Just Guessing. Pilli.

 

also, make sure that the pop-ups your getting feature exactly the same filename (I for one would have to note it down to be sure it's the same next time.)
Then, it would be interesting to know how that filename appears in your PG's security list (i.e. what name, what path, what last action etc.)

Andreas

 

Hi Pilli and Andreas,

OK! This morning I have checked wich filename PG 3.0 where asking me about and it appears it is a different one? the files are located in : c:\documents and settings\ (my full name).(my first name).000\Application Data\

Any idea what is it and yes, I suspect it is probably a way for Anti-keylogger to protect himself (kind of changing is starting key at every startup so it can be recognize at startup by virus and then shut down. (this is a suppposition)! But is there a way I can tell PG to permit any files generate and associate with this program

Thank you for your help,
Atomas31

 

possibly it is a monitoring program, intended to monitor anti-keylogger's main program - when this latter one is attacked, the monitoring one can alert and restart it. (TrojanHunter's Guard once worked like that). For it to work, it must take some measures to insure that it's not being attacked simultaneously - and using a different name on each launch is one of the common attempts for this. Of course, this means you have on each session a "new" program launching, and will be asked to acknowledge and allow it every time.
You should definitely consult your anti-keylogger's docs and maybe contact the developers to find out if that is the case, and if there's something more that this thingy is doing. If not, the most elegant way would be to simply dis-able that self-protection in the anti-keylogger. But again, it depends on your anti-keylogger and its developer whether or not this is possible.

If that is not an option, you're in a bad situation - so first check it out and let's worry about alternatives only if necessary.

Andreas

 

Hi Andreas,

Here's the reply from the support team of Anti-Keylogger :

So my question is :
Is there a way I can tell process guard to always allow files affiliate with Anti-keylogger to start at start up?

Thank you for your help,
Atomas31

 

Hi Atomas, Currently there is no way of turning this off though this is being discussed at DCS.
If you can switch it off Anti-keylogger then I would so so as Process Guards protection is far stronger.

HTH Pilli

 

Hi Pilli,

I also thing that Process Guard is protecting Anti-keylogger better than this new feature in Anti-Keylogger! But the problem,is that the support team seems to tell me that this feature can not be disable This is way I was wondering if there was a way to go around the problem with PG 3.0 beta 2?

By the way, what is being discuss in DCS If it is concerning security program that has that kind of feature (run each time with a random name), what do you thing would be the results of their discussions? Do you think they will come with an answer to this problem?

Thank you,
Atomas31

 

Atomas, Yes the idea, I think, would be to have a list of trusted apps that should not be scanned for checksumming though I have no idea how that would work

EDIT: It was the protection list and install drivers /services that was being discussed sorry.

Pilli

 

Thanks Pilli, I think that would be a great idea to add a list of trusted apps that wouldn't be scan for checksumming!!!

Maybe you should add this to the wish list

Atomas31

 

Hi Peter2150,

The idea is not to disable the scanning checksum for all product but only for specific product that have some protection of their own, protection that make PG ask for permit every time we start them!

Atomas31

 

Peter you are correct it would create a weakness in the defence and Process Guard does stop many keyloggers, any such tool would have to be very carefully used, so maybe as an advanced option for those that have the knowledge.

In fact the more I think about the less I like the idea but you could add something like that to the protection list, a sort of exclusion list, which I know you would like for cases such as AOL.

I'll trust DCS on that one as I know their first consideration will be system security and that of Process Guard.

Cheers. Pilli

 

nah.
what app would you add to exclude from checksumming? You can't tell because it's a different name each time. It would be the other way round: you have a legitimate exe but you only know it's checksum, not its name. Thus, you'd have to have a list of checksums and when an unknown app starts its checksum has to be compared against this whitelist - and only if no match is found, the user is asked to ack/deny. But to be honest, I don't think this is a feasible option - not so much for security issues that could be argued to arise (any app with a checksum conincidentally already on the list would be allowed, even if the checksum came from another app), but more so because of the resource useage and the additional complication.

Although Pilli may have other insight into what's actually being discussed at DCS, I could imagine that another approach would be more attractive - possible even more difficult to implement, but then providing additional ways of handling things: If PG would be able to make its decisions based on which application is launching the "unknown" app. It would not only be interesting to know the "parent" of running processes, but it would also help in certain hard to decide cases. And, so I would assume, this would apply to your case as well, since there is probably a fixed something that is launching the "always new and unknown" copy of your keylogger. (Windows must have a fixed go-to-guy to start the whole thing.)

As it stands, PG has no way of knowing if an unknown app is "affiliated" with a legitimate program. And you will have to either decline from using checksumming/execution protection (protection of programs against modification and termination would still be in place - except for that anti-keylogger thingy which you cannot include in your protection list for it always has a different name), or you will have to continue acknowledgeing the launch of that thingy every time (select allow once in order not to clutter your security list).

Both options are not soo nice, but workable. Best would be if you could talk Anti-keyloggers developers into making this possible to be disabled -- or hear what DCS can do about it and is willing to invest (in short-term) into further PG features. Or you can ask Anti-keylogger developers to get in touch with DCS and suggest them a way of knowing the affiliation. (But then you'd probably still need DCS to add a new feature to PG.)

HTH
Andreas

Edit: Missed a few postings from when I started writing this posting. I hope it does make sense as it is, nonetheless.

 

Yep, Andreas it would be useless to have an exclusion list based on the checksumming given the protection system applied by the Anti laylogger's developers.
NIS and ZA have a way of disabling their guards which then allows PG to protect themand for them to run correctly under PG, Anti-keylogger could probably implement a similar switch.
I imagine this type of name changing would also cause other sandbox type programs to hiccup as well with a request to allow the program to run.

BTW it was the protection list possible exclusions like "allow this x process to install one driver" that I was thinking of that DCS was discussing not the security list, my fuddled brain again

Pilli

 

Peter Neat Don't let those few extra keystrokes wear your digits out

 

Hi everyone

The newest version of Anti-Keylogger is 6.0 now. They have added back an options button with few choices.

Since DCS won't allow PG on more then one computer at a time. Say your laptop and desktop I am forced to use other software on my other computer. Since I have a lifetime LIC for Anti-Keylogger, I will use it.
I use that along with HackerIliminators Process Guard although I don't know all it's protection uses. It does a good enough job for files, registry and processes.
http://www.anti-keyloggers.com/

I really like their Library at Anti-Keyloggers. Some great reading material.

Bruce

 

Hi Controller, You can buy ProcessGuard unlimited home license for just $10 more i.e. $39.95. http://www.diamondcs.com.au/processguard/index.php?page=purchase
ProcessGuard does not require regular definition updates to stop keyloggers like some other software. Not knocking anybody but personally I prefer it that way

Cheers. Pilli