This Keylogger Defeats Zemana And Comodo D+

Discussion in 'other anti-malware software' started by markedmanner, Feb 2, 2011.

Thread Status:
Not open for further replies.
  1. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Just found this very very simple keylogger that logs your keystrokes and saves them in a log file and I did not get a single warning from Zemana or Comodo D+ that this was logging what I type. You can download it here: http://16s.us/16k/

    Have yet to test it against SpyShelter; I assume it will be the same result. I know this logger is very simple, but I would hope that something would have notified me that it was logging what I type and even the active window it is being typed in.
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    I'll give it a try.

    Update:
    Keylogger warning by OA Premium.
    Even after allowing the file but NOT trusting.

    I think that it got through D+ because you trusted the file, which should not be :D
    Or your Sandbox rights were too high (I usually set it at BLOCK)

    BTW guys, the file is clean according to VT and EAM
     
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,955
    Location:
    Boston, MA
    Comodo did block it under "Untrusted" setting. Sandbox also automatically caught it. D+ has it blocked under the log.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    Nice report, I couldn't believe it got through D+ :rolleyes:
    I'm not saying it's bulletproof, but it's as close as it can get being a Classical HIPS :thumb:
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,578
    I didn't download the file due to lack of information such as source, who created it, etc. In any case, what settings do you have for Comodo D+?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    @ markedmanner

    Not sure what your settings are, but it gets blocked here :D Did you allow it?

    [Screenshots: pg16.gif, 16.gif]

    Not a peep from Prevx PSOL though? :(

    By the way, thanks for reminding me about this :thumb: I saw it when DL'ing TCHunt but got distracted, so forgot about it :D
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    He set the sandbox settings to a more limited mode (Untrusted) :)

    I guess he did allow it.
    BTW, PrevX SOL doesn't work like other keylogging programs, which are essentially a HIPS. PrevX SOL protects browser activities and against keylogging (such as data theft, fake sites, account details, where the data is being sent, etc.)
    Hence the name PrevX SafeOnline

    Other products are advertised as Anti Loggers ;)
     
    Last edited: Feb 2, 2011
  8. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Defense+ failed here but NAV 2011 got her :thumb:
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    @ Noob

    Hi, PSOL scanned it in the cloud after I allowed it, so it'll be interesting to see what they say in my Prevx thread about it!

    Thanks ;)
     
  10. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,955
    Location:
    Boston, MA
    I have the execution control set for untrusted. I also have run installers outside sandbox and run trusted software both ticked off.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,955
    Location:
    Boston, MA
    JimboW, what setting do you have D+ on?
    It caught it for me.
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    There are lots of flaws in the default settings of D+, especially the sandbox level.
    You should tweak it a bit and I'm pretty sure it will block it ;)

    You're welcome mate *Hugs*
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    847
    Location:
    Paris
    I think that the original poster was running Zemana in default mode. I always tick the Expert mode box in Security Settings; this will alert to any keylogging attempt. I believe the default setting will allow commercial programs that are signed (or at least it allows 16K).
     
  14. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Safe mode but I have sandbox off.
     
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    You should tweak your D+ settings for better protection (You might get a bit more pop ups in the beginning) :)
     
  16. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Spyshelter nailed it:)
     
  17. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Yup, SpyShelter definitely caught it :ninja:
     
  18. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    Norton said WS.Reputation.1.
    You cannot rely on that. Norton doesn't know anything about this file. The only thing it knows is that it hasn't been used by community members, therefore it is unsafe.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    CIS with default settings will obviously not intercept it. On maximum paranoid settings, it does intercept. GesWall also stops it.
     

    Attached file: k.JPG
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    On default settings, CIS will trust it as it's digitally signed.
     

    Attached file: k2.JPG
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    Hi, I just wonder from where Zemana picked TCHunt? o_O
     

    Attached file: 16.gif
  22. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    209
    Yes but it automatically blocked/quarantined the download which is what I would expect. That's good enough for me.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,405
    Location:
    Outer space
    Just tried this in a VM with Zemana and the latest ThreatFire. Not a beep from Zemana either, while Zemana is in expert mode. ThreatFire (set to level 4) only gave a warning after it had already captured a few keystrokes.
     
  24. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    473
    Location:
    Europa
    Tested with SpyShelter on W7 x64, no problem, keylogger blocked.

    rules.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,830
    Location:
    Saudi Arabia/ Pakistan
    Maybe the reason is that it's signed. See Zemana settings and turn off trusting signed executables.
     