Try your anti-keylogger protection

Discussion in 'other anti-malware software' started by aigle, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Hi,

    This Zemana AntiLogger tool looks interesting, has anyone already checked it out? Is it only an AK tool or is it a full blown HIPS?
     
  2. fax

    fax Registered Member

    ZA ForceField Beta :)

    Key Logger Simulation Test - - - - - PASS
    Screen-Logger Simulation Test - - - PASS
    Webcam Logger Simulation Test - - not applicable
    Clipboard Logger Simulation Test - - FAIL

    Fax
     
  3. aigle

    aigle Registered Member

    No, and they will not.
     
  4. bellgamin

    bellgamin Registered Member

    Of the ones I have used, here is how I would rank their ease of use:

    Easy to use
    Threatfire
    Prevx

    Medium
    OnlineArmor
    ProSecurity

    Complex
    System Safety Monitor
    Comodo Defence+
     
  5. wraithdu

    wraithdu Registered Member

    Regarding discussion of Sandboxie, could someone please configure it as I've outlined here -
    http://www.sandboxie.com/phpbb/viewtopic.php?p=20121#20121
    and retest? I think results should be very good.

    Granted, this sandbox setup is not ideal for everyday activity, but for safe browsing, it's close to as good as it gets (IMO).
     
  6. EASTER

    EASTER Registered Member

    Thanks wraithdu:

    It looks really good, so I'll try this out myself. I've been following discussions over there, although not yet signed up as a member, but a lot of very useful exchanges with real solutions have been evident.
     
  7. Franklin

    Franklin Registered Member

    After using wraithdu's SB ini settings nothing will run in the sandbox except FF and for a test I added wmplayer.exe which ran as well.

    Tried the delete volume test, keyboard.exe and all the leaktests at Matousec's, with every test unable to run.

    Nice bit of work wraithdu :thumb:
     
  8. ErikAlbert

    ErikAlbert Registered Member

    I would like to have an answer on that too. If these keyloggers are nothing but installed registries and/or files, I remove them during reboot.

    They try to scare me with malware like killdisk and robodog also. After a while I noticed they are nothing but installed .exe files; I kill all these with Anti-Executable.
     
  9. solcroft

    solcroft Registered Member

    Execution prevention. Nice thinking!
     
  10. TerryWood

    TerryWood Registered Member

    wraithdu

    Your proposal to block anything from executing: how does this apply if you have separate sandboxes set up for each browser, mail client and wmp? I ask this question because under global settings I note you have Firefox.exe as the only browser specified.

    Thanks for your help

    Terry
     
  11. Stijnson

    Stijnson Registered Member

    @Wraithdu: You say to put this

    in the sandbox.

    Where do I do this exactly?
     
  12. MikeNAS

    MikeNAS Registered Member

    Configuration - Edit Configuration - Paste that line in the box settings, not global.

    EDIT: Example...

    [GlobalSettings]

    ProcessGroup=<restricted>,k-meleon.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

    [DefaultBox]

    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,*

    Only listed programs can run and connect to internet.
     
    Last edited: Apr 4, 2008
  13. wraithdu

    wraithdu Registered Member

    You can set up as many process groups as you want. So create a process group for each sandbox you have and define the programs you want to allow to run in that sandbox. Then under each sandbox section, use the corresponding process group.

    Ex -

    [GlobalSettings]
    ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted2>,wmp.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted3>,thunderbird.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

    (sandbox headings)
    [Firefox]
    ClosedFilePath=!<restricted1>,*

    [WMP]
    ClosedFilePath=!<restricted2>,*

    [Thunderbird]
    ClosedFilePath=!<restricted3>,*

    @MikeNAS
    You can use either (or both) of the ClosedFilePath and ClosedIpcPath settings, as each individually will also have the same effect.
     
  14. Stijnson

    Stijnson Registered Member

    Thanks, that's very helpful (again :D)
     
  15. MikeNAS

    MikeNAS Registered Member

    I have always used that ClosedIpcPath=!<restricted>,* only, but I'm gonna test that ClosedFilePath=!<restricted>,* too and try to compare those. Are they exactly the same? Of course I use ClosedFilePath to block internet connections.

    ClosedFilePath=!<restricted>,\Device\RawIp
    ClosedFilePath=!<restricted>,\Device\Ip*
    ClosedFilePath=!<restricted>,\Device\Tcp*
    ClosedFilePath=!<restricted>,\Device\Afd*
     
  16. TerryWood

    TerryWood Registered Member

    Hi Wraithdu

    That was great thanks

    Couple of points.

    1) Supposing each sandbox is already set up to allow only a named browser/application to connect to the internet, how do the new config additions as per your post relate to these? i.e. Do I need to delete the settings that name a browser/application for each sandbox before I add the new settings?

    2) I very rarely use IE7 except where Firefox and/or Opera don't work. So how would you configure IE7? You mentioned something about including SandboxieCrypto.exe. Can you explain in detail?

    Thank you very much

    Terry
     
  17. Stijnson

    Stijnson Registered Member

    In your example that would only mean K-Meleon, right?
     
  18. MikeNAS

    MikeNAS Registered Member

    K-Meleon yeah.

    EDIT:

    This blocks internet connections:

    ClosedFilePath=!<restricted>,\Device\RawIp
    ClosedFilePath=!<restricted>,\Device\Ip*
    ClosedFilePath=!<restricted>,\Device\Tcp*
    ClosedFilePath=!<restricted>,\Device\Afd*

    This blocks other programs:

    ClosedFilePath=!<restricted>,* or/and ClosedIpcPath=!<restricted>,* <- Not sure if those are exactly same.
     
  19. wraithdu

    wraithdu Registered Member

    ClosedFilePath and ClosedIpcPath are different, but in this context they produce the same result - an application crash. There's no harm in using both settings together.
     
    Last edited: Apr 4, 2008
  20. wraithdu

    wraithdu Registered Member

    The internet restricting ClosedFilePath settings are a subset of *, so if you're using the same process group, then the internet settings are redundant. An app can't connect to the internet if it can't run!

    SandboxieCrypto.exe is the only difference, add it to the process group with IE7 in it. SandboxieCrypto.exe is another Sandboxie helper process (like the others listed), but I've only seen it used by IE.
     
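    Putting the process-group setup from posts 12, 13 and 20 into a checkable form: an added Python linter, not from the thread and not part of Sandboxie, that parses an ini fragment laid out the way those posts show it and flags a group missing the helper processes (Start.exe, SandboxieDcomLaunch.exe, SandboxieRpcSs.exe), an IE group missing SandboxieCrypto.exe, a box with no `!<group>,*` rule, and \Device rules that `*` already makes redundant. The sample config is constructed, and the parsing rules are assumptions drawn from the posts rather than Sandboxie's own parser.

```python
# Helper processes Sandboxie starts inside every box (per the thread); IE also needs SandboxieCrypto.exe.
HELPERS = {"start.exe", "sandboxiedcomlaunch.exe", "sandboxierpcss.exe"}
IE_HELPER = "sandboxiecrypto.exe"
# Constructed sample, not from the thread: [IE]'s group lacks SandboxieCrypto.exe and
# repeats a device rule that * already covers; [Music] has no !<group>,* rule at all.
SAMPLE = r"""
[GlobalSettings]
ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
ProcessGroup=<restricted2>,iexplore.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
[Firefox]
ClosedFilePath=!<restricted1>,*
[IE]
ClosedFilePath=!<restricted2>,*
ClosedFilePath=!<restricted2>,\Device\Tcp*
[Music]
ClosedFilePath=!<restricted1>,\Device\Afd*
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}; repeated keys such as ProcessGroup are kept in order."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def lint(text):
    """Return (section, message) findings; a Closed*Path=!<group>,<path> rule closes <path> to everything NOT in <group>."""
    sections, groups, findings = parse_ini(text), {}, []
    for key, value in sections.get("GlobalSettings", []):
        if key == "ProcessGroup":           # ProcessGroup=<name>,prog1.exe,prog2.exe,...
            name, _, members = value.partition(",")
            groups[name] = {m.strip().lower() for m in members.split(",") if m.strip()}
    for name, members in groups.items():
        needed = HELPERS | ({IE_HELPER} if "iexplore.exe" in members else set())
        if needed - members:
            findings.append(("GlobalSettings", f"{name} lacks {sorted(needed - members)}"))
    for box in sections.keys() - {"GlobalSettings"}:
        refs = [(k,) + v[1:].partition(",")[::2] for k, v in sections[box]
                if k in ("ClosedFilePath", "ClosedIpcPath") and v.startswith("!<")]
        closed_all = {g for _, g, p in refs if p == "*"}
        if not closed_all:
            findings.append((box, "no !<group>,* rule, so any program can run in this box"))
        findings += [(box, f"{k}=!{g},{p} is redundant, {g} is already closed with *")
                     for k, g, p in refs if p != "*" and g in closed_all]
    return findings
```

Running lint(SAMPLE) reports three findings (the IE group, the redundant IE device rule, and the unrestricted Music box) and nothing for the correctly configured Firefox box.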
  21. Franklin

    Franklin Registered Member

    Yep I was thinking they may be redundant but they still could be handy if wmplayer is allowed/forced to run sandboxed with those settings stopping it from phoning home.
     
  22. TerryWood

    TerryWood Registered Member

    Hi Wraithdu

    To be absolutely clear, these are the settings I refer to, as below:

    ClosedFilePath=!iexplore.exe,\Device\Afd*
    ClosedFilePath=!iexplore.exe,\Device\Tcp
    ClosedFilePath=!iexplore.exe,\Device\Udp
    ClosedFilePath=!iexplore.exe,\Device\RawIp

    Each sandbox contains these four settings: one for IE7, one for Firefox, etc. There is nothing in the global settings.

    It is the above settings I am asking about, in terms of whether they are redundant if I use your GlobalSettings ProcessGroup. Sorry to be pedantic, I just want to be sure.

    Thanks

    Terry
     
  23. Wordward

    Wordward Former Poster

    I would include Mamutu with TF and Prevx.
     
  24. controler

    controler Guest

    Does anyone know if any of these PoCs are in the wild at this time?

    aigle posted:

    http://www.zemana.com/list/list.asp?ktgr_id=413

    I have also tried most of these HIPS. I have not tried Prevx or Online Armour for some years now and both had a ton of pop ups back then.

    If all you do is visit security forums, check e-mail (not clicking on everything) and browse normal sites, you usually don't need any protection. I haven't had any for a few months now. I even went to some porn sites just to see LOL

    I do use Firefox with NoScript though. I guess this would be one of the best suggestions for a home user. I see a lot more home users using Firefox all the time, but not a lot of them know about NoScript.

    I would hope most home users know how to use Google, so if they do suspect something they can find a thread on the subject, whether it be here or another forum.
     
  25. MikeNAS

    MikeNAS Registered Member
