New keylogger tests from Zemana

Discussion in 'other anti-malware software' started by aigle, Aug 21, 2008.

Thread Status:
Not open for further replies.
  1. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Kaspersky virtual keyboard not intercepted by zemana keylogger (pic1) ;)
    Kaspersky passed ScreenLogger (pic2) ;)

    23.8.png

    screenshot.png
     
    Last edited: Aug 23, 2008
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Zemana is in a so-called "Forced whitelist", so even if you move it to Low/High restricted, PDM/HIPS will auto-allow suspicious actions for that application.
    Please check your Application Filtering/PDM reports for Zemana and you'll see that the keylogging method is intercepted (but not blocked due to the forced whitelist).
    If any other application used the keylogging technique utilized by Zemana, you'd receive a prompt where you could decide to Block/Allow. :)
     
  3. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    I see what you mean, thanks :), but what about "commercial" keyloggers? Have you tried some of those?
    keylogger.png
     
    Last edited: Aug 23, 2008
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Only one, and keylogging was intercepted... :)
    But this is going off topic. ;)
     
  5. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So this way malware can be whitelisted also?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm...... you failed to understand these tests. No use of testing signature-based applications with these tests (except for some file heuristics testing).
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So KAV intercepts all tests successfully?
     
  9. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    no

    unless you will tweak "application filtering"
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, at least it intercepts all when applications are marked as restricted. Am I right?

    No other HIPS is able to do so.
     
  11. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    low restricted....not high restricted or untrusted
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That does not matter. After all, it has the ability to intercept all activities. No other application has this ability so far.
     
  13. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    I don't know which way to get to the page KIS Rule Applications to tweak security settings like you showed. Mine is running KIS 2009 build 454.
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    The developers are the ones creating the "forced whitelist", so no, I don't think malware will/can be whitelisted... ;)
    As I said:
    :)
     
  15. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    See pic:

    rights modification.png

    Ok, Umnik, a betatester on the Kaspersky forum, has successfully removed the digital signature from the Zemana keylogger; now the keylogger is placed in the Low Restricted group and successfully tagged as a keylogger by KAV/KIS (see pic:)

    Zemana keylogger.png

    No, it cannot intercept clipboard logging and I didn't test the webcam logger. I suggest you try KIS 2009; it is a very interesting application with an innovative way in which the HIPS functions...
     
    Last edited: Aug 24, 2008
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    When I tried Outpost, I could not get Outpost to pass the Keylogger test. Is it because I chose automatic rule creation when installing Outpost?
     
  17. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I tried testing the Webcam logger with KIS but every time I pressed the start button the application crashed..
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just downloaded OA 177. It passes key, screen and web loggers quite smart. No crashes, no FPs and no logging. Popup appears right after you press "Start" button.
     
    Attached Files: 7.gif (21.8 KB), 8.gif (22.1 KB), 9.gif (21.8 KB)
  19. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi,

    thank you alex for info. I wonder when OA v3 will finish beta tests.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's nice. :thumb:
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is an unresolved problem with MS. I do not understand the details, but to successfully register FW and AV in the Vista security center you need to have a special agreement with MS, and also there is something special about code signing which should be done using cross-certificates from MS which were not updated for a long time. For now this is the only showstopper as far as I understand.
     
    Last edited: Aug 29, 2008
  22. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Hi Einsturzende,
    I too don't see any such option in the rights section. I am running KIS 2009 build 454 on Vista SP1 32-bit.

    KIS-rule.jpg

    --- EDIT ---

    I manually moved the Zemana tests from the Trusted to the Low Restricted group. But KIS 2009 still failed in all tests. o_O
     
    Last edited: Aug 29, 2008
  23. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Not all options are available on Vista, AFAIK.
    Moving the application to specific groups has no effect on keylogger detection, the PDM component is the one detecting the keyloggers (some types, hook installation is covered by HIPS), the only thing affecting whether the PDM will alert you is the "Do not notify..." option in the PDM settings (related to digitally signed apps)... and the "forced whitelist" thing. :)
     
  24. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Aaah.... Crap !! :( So will KIS 2009 MP1 fix this ?
    Ok, I didn't understand that fully !! o_O
    So are you saying that by changing PDM settings and the forced whitelist option/settings, I can make the test to fail ?
    If yes, could you guide me to where I can change this forced whitelist option and PDM notification. Thanks :thumb:
     
  25. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Dunno, it depends on whether MS will allow access to the Vista kernel/API... so, yeah, up to MS again :p :D
    You can instead try the Zemana keylog test without the digital signature, which KIS detects as a keylogger without any modifications to the settings (the "forced whitelist" is then bypassed: no digital signature, the .exe is changed => not in the whitelist anymore). (You can find the modified Zemana keylogger in the Beta section of the KL forums; I'm not sure if it's permitted to upload modified applications here... Einsturzende already showed the results a few posts above.)
    The "forced whitelist" cannot be modified/altered AFAIK, that's why it's called "forced" :D
    The PDM option to notify you for suspicious behavior of digitally signed apps is in System security>PDM settings>uncheck "Do not notify about detection..." at the bottom.
     
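The interaction the last few posts describe (a vendor-maintained "forced whitelist" that auto-allows the signed test tool in any application group, a stripped or altered binary that no longer matches it, and the "Do not notify about detection..." option for signed apps) can be modelled in a few lines. This is an added illustration written for this thread, not Zemana's or Kaspersky's code: the whitelist is assumed to be keyed by the hash of the exact file bytes, and the "signature" is a constructed hash trailer standing in for a real Authenticode check.

```python
import hashlib
from dataclasses import dataclass

# --- Constructed stand-in for code signing ----------------------------------
# A real product verifies an Authenticode/PKI signature. Here a "signature" is
# just the SHA-256 of the body appended after a marker, which is enough to
# show that any change to the bytes invalidates it. (Illustration only.)
SIG_MARKER = b"::SIG::"


def sign(body: bytes) -> bytes:
    """Append the constructed signature trailer to a file body."""
    return body + SIG_MARKER + hashlib.sha256(body).digest()


def strip_signature(data: bytes) -> bytes:
    """Remove the trailer, as the posts describe doing to the test tool."""
    return data.rsplit(SIG_MARKER, 1)[0]


def is_validly_signed(data: bytes) -> bool:
    """True only if the trailer is present and still matches the body."""
    if SIG_MARKER not in data:
        return False
    body, sig = data.rsplit(SIG_MARKER, 1)
    return sig == hashlib.sha256(body).digest()


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample files ------------------------------------------------
SIGNED_TEST_TOOL = sign(b"MZ constructed keylogger-test tool body")
UNSIGNED_TEST_TOOL = strip_signature(SIGNED_TEST_TOOL)
# One byte changed after signing: hash differs and the signature no longer verifies.
TAMPERED_TEST_TOOL = SIGNED_TEST_TOOL.replace(b"body", b"bodY", 1)
SIGNED_OTHER_APP = sign(b"MZ constructed, signed, not on the vendor list")

# Vendor-maintained list of known tools, keyed by the hash of the exact bytes.
# It is "forced": the user cannot edit it and group membership does not override it.
FORCED_WHITELIST = {file_hash(SIGNED_TEST_TOOL)}


@dataclass
class Sample:
    data: bytes
    group: str = "trusted"   # trusted / low_restricted / high_restricted / untrusted


def pdm_decision(sample: Sample, notify_signed: bool = True) -> str:
    """
    Outcome for a process whose behaviour has been recognised as keylogging.
      'auto_allow'   - on the forced whitelist: logged, never prompted, in any group
      'silent_allow' - validly signed and alerts for signed apps are turned off
      'alert'        - reported to the user (unsigned, tampered, or notify on)
    """
    if file_hash(sample.data) in FORCED_WHITELIST:
        return "auto_allow"          # the application group is deliberately not consulted
    if is_validly_signed(sample.data) and not notify_signed:
        return "silent_allow"        # "Do not notify about detection..." in effect
    return "alert"


if __name__ == "__main__":
    for label, sample in [
        ("signed tool, trusted group", Sample(SIGNED_TEST_TOOL)),
        ("signed tool, low restricted", Sample(SIGNED_TEST_TOOL, "low_restricted")),
        ("signature stripped", Sample(UNSIGNED_TEST_TOOL, "low_restricted")),
        ("one byte altered", Sample(TAMPERED_TEST_TOOL)),
        ("other signed app", Sample(SIGNED_OTHER_APP)),
    ]:
        print(f"{label:30} -> {pdm_decision(sample)}")
    print(f"{'other signed app, notify off':30} -> "
          f"{pdm_decision(Sample(SIGNED_OTHER_APP), notify_signed=False)}")
```

The model makes the thread's two observations explicit: moving the tool between groups changes nothing while its hash is on the forced list, and the only user-controlled knob that suppresses an alert is the signed-app notification setting, which never applies to an unsigned or altered file.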