Zemana Antilogger works HOW exactly?

Discussion in 'other anti-malware software' started by Gullible Jones, Jun 30, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @FOXP2 - ROFL, and thanks I guess. I don't know anything about CastleCops.

    Yeah, you want to watch out for that; it's the sort of thing that can eventually turn around and bite you (as many a Mac user has discovered).
     
  2. controler

    controler Guest

    Yes, that and Bullguard plus Malwarebytes :)
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks. It would be surprising to me if they only blocked code injection, since all HIPS can do that. :)

    EDIT: Did you check it with Process Explorer (lower pane - View DLLs)?
     
    Last edited: Jul 11, 2014
  4. controler

    controler Guest

    Rasheed

    What exactly are you wanting to see with Process Explorer?
    I have looked at the DLLs of IE. Are you looking for a specific DLL?
    The only one I see unsigned is by Sendori, which I find strange since Malwarebytes was flagging that as adware at one time but not anymore, and neither does Bullguard. C:\Windows\System32\plsapp64.dll
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ controler

    I'm looking for a .dll file that's related to Zemana, inside browsers like IE, Firefox, Chrome and Opera. If it's not injecting code into browsers, then the anti SSL-logger protection is not really that advanced. :)
     
  6. controler

    controler Guest

    Ok I do not see any DLLs tied to Zemana using Process Explorer. Just Bullguard and Malwarebytes antiexploit. Unless they are hidden from Process Explorer?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks. So perhaps Gullible Jones is right, I think Zemana is simply trying to stop unknown apps from hijacking the browser, by preventing code injection. All HIPS can do that, but Zemana probably uses a white-list to stop it from breaking legitimate apps. The reason I asked about this is because some tools like MBAE and Trusteer actually inject code into apps in order to monitor them from the "inside". :)
     
  8. controler

    controler Guest

    The only thing I see in Process Explorer related to Zemana is this, under System. One .sys file.

    C:\Windows\system32\drivers\AntiLog64.sys
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    A quick update:

    I have asked the Zemana support team a few technical questions, and after weeks still no reply, even though they told me numerous times they would get back to me. Very unprofessional, what a joke. :thumbd:
     
  10. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Zemana AntiLogger FREE *does* inject a .dll into browsers (like IE), as can be seen via Process Explorer...
    the .dll name is
    KeyCrypt32.dll (for a 32-bit process)
    KeyCrypt64.dll (for a 64-bit process)

    Note: When you update Zemana, it adds a parenthetical numerical suffix to the file name, so you may see something like
    KeyCrypt32(4).dll
     
  11. controler

    controler Guest

    Ky331

    You need to tell me how to see that in PE. I have looked and cannot find anything other than what I posted for IE. The only thing I see is a Crypt64 dll by MS.
     
  12. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Easiest way would be to use Process Explorer by Sysinternals/MS: right click on the program you launched and then check the Threads tab. It should show up near the top as it constantly cycles through the keycrypt(x).dll when it is loaded... e.g. notepad, internet explorer, firefox, chrome. If it's not loading in the threads, something may be wrong with your install. I found that installing the free version inside a sub directory (I'm not on Win 8 x64) of the regular paid version resulted in the free version claiming it was always loaded and protecting my keystrokes, but the dll was actually never loading. I sent a report to them but never received any more word aside from the default email robot response. Obviously I've installed it in a separate folder since and it now loads properly, but it does point to a huge flaw in its self-detection IMO.
     
    Last edited: Sep 1, 2014
  13. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    I'm using PE 16.01
    Under VIEW, I have checked SHOW LOWER PANE
    and under Lower Pane View, I have checked DLLs.
    Select/Highlight the browser (or other program/process) you're interested in.
    If you sort the DLLs by NAME you should find KeyCrypt... alternatively if you sort by COMPANY, you can look under Zemana (probably at the very bottom of the list).
     
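    A scripted way to do the same check the posts above describe by hand (Process Explorer's DLL pane, sorted by name or by company, looking for the KeyCrypt module and for anything unsigned). This is an added example, not code from the thread or from Zemana; the browser process names, the KeyCrypt name fragment, and the assumption that it runs elevated from a PowerShell of the same bitness as the target process are mine.

```powershell
# Added example: enumerate the DLLs loaded into running browser processes and
# surface the ones a reviewer would look at, mirroring the Process Explorer
# lower-pane checks from the thread.
# Assumptions: run as Administrator; a 64-bit shell cannot always read the
# module list of a 32-bit process, so match the shell to the target.
param(
    [string[]]$ProcessNames = @('iexplore', 'firefox', 'chrome', 'opera'),
    [string]$NamePattern = 'KeyCrypt'   # module name fragment mentioned in the thread
)

$results = foreach ($name in $ProcessNames) {
    foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        # .Modules throws on cross-bitness access; skip such processes rather than abort
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process   = "$($proc.ProcessName) ($($proc.Id))"
                Module    = $m.ModuleName
                Path      = $m.FileName
                Company   = $m.FileVersionInfo.CompanyName
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                SignedBy  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# 1) Modules whose name matches the pattern; the -like wildcard also catches the
#    renamed copies the thread mentions, such as KeyCrypt32(4).dll after an update
$results | Where-Object { $_.Module -like "*$NamePattern*" } |
    Format-Table Process, Module, Company, Signature, SignedBy -AutoSize

# 2) Everything that is not validly signed, grouped by process, so an unexpected
#    module (the plsapp64.dll case above) stands out from the Microsoft-signed bulk
$results | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Process, Module |
    Format-Table Process, Module, Path, Company, Signature -AutoSize

# 3) Company-name summary, the equivalent of sorting the DLL pane by COMPANY
$results | Group-Object Company | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it once with the browser started normally and once after (re)installing the product; a module that the product reports as active but that never appears in section 1 is the situation syrinx describes.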
  14. controler

    controler Guest

    Ok. Using ver 16.03. I have no option with right click to select Threads.
    Like before, I select View. I select View Lower Pane. I try both Show DLLs and I try Threads, and on this Win 8.1 64-bit machine I see no such files.

    However, if I am installing a program, I do get a warning from Zemana for injections.
     
  15. controler

    controler Guest

    Looking at the Zemana logs on my machine, the only two things I see listed for activity are ProcessCreate and Code Injector.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks but I was only interested in the Pro version, because it also claims to protect against banking trojans.
    AFAIK, the only way to be really proactive is to inject code into the browser to monitor memory modification. :)
     
  17. controler

    controler Guest

    I am sorry, but I have the paid version, and I think that is the Pro version you refer to?
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    On the paid version what is 'system defense' and is that solely related to loggers or is that an attempt to break out of the box and do more?
     
  19. FOXP2

    FOXP2 Guest

  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States