Try your anti-keylogger protection

Discussion in 'other anti-malware software' started by aigle, Apr 1, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Hi,

    This Zemana AntiLogger tool looks interesting, has anyone already checked it out? Is it only an AK tool or is it a full blown HIPS?
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    ZA ForceField Beta :)

    Key Logger Simulation Test - - - - - PASS
    Screen-Logger Simulation Test - - - PASS
    Webcam Logger Simulation Test - - not applicable
    Clipboard Logger Simulation Test - - FAIL

    Fax
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No, and they will not.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Of the ones I have used, here is how I would rank their ease of use:

    Easy to use
    Threatfire
    Prevx

    Medium
    OnlineArmor
    ProSecurity

    Complex
    System Safety Monitor
    Comodo Defence+
     
  5. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    Regarding discussion of Sandboxie, could someone please configure it as I've outlined here -
    http://www.sandboxie.com/phpbb/viewtopic.php?p=20121#20121
    and retest? I think results should be very good.

    Granted, this sandbox setup is not ideal for everyday activity, but for safe browsing, it's close to as good as it gets (IMO).
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks wraithdu:

    It looks really good so I'll try this out myself. I've been following discussions over there, although not yet signed up as a member, but a lot of very useful exchanges with real solutions have been evident.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    After using wraithdu's SB ini settings nothing will run in the sandbox except FF and for a test I added wmplayer.exe which ran as well.

    Tried the delete volume test, keyboard.exe and all the leaktests at Matousec's, with every test unable to run.

    Nice bit of work wraithdu :thumb:
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I would like to have an answer on that too. If these keyloggers are nothing but installed registry entries and/or files, I remove them during reboot.

    They try to scare me with malware like killdisk and robodog also. After a while I noticed they are nothing but installed .exe files; I kill all these with Anti-Executable.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Execution prevention. Nice thinking!
     
  10. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    wraithdu

    Your proposal is to block anything from executing. How does this apply if you have separate sandboxes set up for each browser, mail client and WMP? I ask this question because under global settings I note you have Firefox.exe as the only browser specified.

    Thanks for your help

    Terry
     
  11. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    @Wraithdu: You say to put this

    in the sandbox.

    Where do I do this exactly?
     
  12. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Configuration - Edit Configuration - Paste that line in the box settings, not global.

    EDIT: Example...

    [GlobalSettings]

    ProcessGroup=<restricted>,k-meleon.exe,sandboxiedcomlaunch.exe,sandboxierpcss.exe,start.exe

    [DefaultBox]

    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,*

    Only listed programs can run and connect to the internet.
     
    Last edited: Apr 4, 2008
  13. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    You can set up as many process groups as you want. So create a process group for each sandbox you have and define the programs you want to allow to run in that sandbox. Then under each sandbox section, use the corresponding process group.

    Ex -

    [GlobalSettings]
    ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted2>,wmp.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
    ProcessGroup=<restricted3>,thunderbird.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

    (sandbox headings)
    [Firefox]
    ClosedFilePath=!<restricted1>,*

    [WMP]
    ClosedFilePath=!<restricted2>,*

    [Thunderbird]
    ClosedFilePath=!<restricted3>,*

    @MikeNAS
    You can use either (or both) of the ClosedFilePath and ClosedIpcPath settings, as each individually will also have the same effect.
     
  14. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks, that's very helpful (again :D)
     
  15. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I have always used ClosedIpcPath=!<restricted>,* only, but I'm gonna test ClosedFilePath=!<restricted>,* too and try to compare them. Are they exactly the same? Of course I use ClosedFilePath to block internet connections.

    ClosedFilePath=!<restricted>,\Device\RawIp
    ClosedFilePath=!<restricted>,\Device\Ip*
    ClosedFilePath=!<restricted>,\Device\Tcp*
    ClosedFilePath=!<restricted>,\Device\Afd*
     
  16. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Wraithdu

    That was great thanks

    Couple of points.

    1) Supposing each sandbox is already set up to allow only a named browser/application to connect to the internet, how do the new config additions as per your post relate to these? I.e. do I need to delete the settings that name a browser/application for each sandbox before I add the new settings?

    2) I very rarely use IE7 except where Firefox and/or Opera don't work. So how would you configure IE7? You mentioned something about including SandboxieCrypto.exe. Can you explain in detail?

    Thank you very much

    Terry
     
  17. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    In your example that would only mean K-Meleon, right?
     
  18. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    K-Meleon yeah.

    EDIT:

    This blocks internet connections:

    ClosedFilePath=!<restricted>,\Device\RawIp
    ClosedFilePath=!<restricted>,\Device\Ip*
    ClosedFilePath=!<restricted>,\Device\Tcp*
    ClosedFilePath=!<restricted>,\Device\Afd*

    This blocks other programs:

    ClosedFilePath=!<restricted>,* and/or ClosedIpcPath=!<restricted>,* <- Not sure if those are exactly the same.
     
  19. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    ClosedFilePath and ClosedIpcPath are different, but in this context they produce the same result - an application crash. There's no harm in using both settings together.
     
    Last edited: Apr 4, 2008
  20. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    The internet restricting ClosedFilePath settings are a subset of *, so if you're using the same process group, then the internet settings are redundant. An app can't connect to the internet if it can't run!

    SandboxieCrypto.exe is the only difference, add it to the process group with IE7 in it. SandboxieCrypto.exe is another Sandboxie helper process (like the others listed), but I've only seen it used by IE.
     
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep I was thinking they may be redundant but they still could be handy if wmplayer is allowed/forced to run sandboxed with those settings stopping it from phoning home.
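
    The rules discussed in posts 12, 13, 15, 18, 20 and 21 (ProcessGroup allowlists, `!<group>,*` closing everything to unlisted programs, the `\Device\*` lines closing the network, and the question of when the network lines are redundant) can be checked with a small model. The following is an added example, not code from the thread or from Sandboxie itself: it parses a constructed Sandboxie.ini fragment (box names `[Firefox]` and `[WMP]`, the `wmplayer.exe` network rules and the extra `\Device\Tcp*` line are assumptions for the demonstration), resolves the process groups, and answers "can this program run in this box?" and "is this path closed to it?". The "can run" test approximates Sandboxie's behaviour by asking whether the program's own image path or its RPC endpoint is closed; the exact paths used for that are constructed, not Sandboxie internals.

```python
import fnmatch
from typing import Dict, List, Set, Tuple

# section name -> [(key, value), ...] in file order; repeated keys are kept
Config = Dict[str, List[Tuple[str, str]]]

# Constructed Sandboxie.ini fragment built from the lines posted in the thread.
# The box names, the wmplayer.exe rules and the extra Tcp line are assumptions
# made for this example, not anyone's real configuration.
SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe
ProcessGroup=<restricted2>,wmplayer.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

[Firefox]
ClosedFilePath=!<restricted1>,*
ClosedIpcPath=!<restricted1>,*
ClosedFilePath=!<restricted1>,\Device\Tcp*

[WMP]
ClosedFilePath=!<restricted2>,*
ClosedIpcPath=!<restricted2>,*
ClosedFilePath=wmplayer.exe,\Device\Afd*
ClosedFilePath=wmplayer.exe,\Device\Tcp*
ClosedFilePath=wmplayer.exe,\Device\Ip*
ClosedFilePath=wmplayer.exe,\Device\RawIp
"""


def parse_sandboxie_ini(text: str) -> Config:
    """Parse [Section] headers and key=value lines, keeping repeated keys in order.

    configparser is unsuitable here: ProcessGroup= and Closed*Path= repeat
    within one section and would be collapsed or rejected.
    """
    cfg: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, [])
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[section].append((key.strip(), value.strip()))
    return cfg


def process_groups(cfg: Config) -> Dict[str, Set[str]]:
    """ProcessGroup=<name>,prog1,prog2 ... from [GlobalSettings]; names compared case-insensitively."""
    groups: Dict[str, Set[str]] = {}
    for key, value in cfg.get("GlobalSettings", []):
        if key == "ProcessGroup":
            name, _, members = value.partition(",")
            groups.setdefault(name.strip().lower(), set()).update(
                m.strip().lower() for m in members.split(",") if m.strip())
    return groups


def _split_rule(value: str) -> Tuple[str, str]:
    """'selector,pattern' -> (selector, pattern); a bare 'pattern' applies to every program."""
    selector, sep, pattern = value.partition(",")
    if not sep:
        return "", value.strip().lower()
    return selector.strip().lower(), pattern.strip().lower()


def selector_matches(selector: str, program: str, groups: Dict[str, Set[str]]) -> bool:
    """'' = all programs, 'x.exe' = that program, '<g>' = group members, '!...' = everyone except."""
    program = program.lower()
    if selector == "":
        return True
    negate = selector.startswith("!")
    target = selector[1:] if negate else selector
    if target.startswith("<") and target.endswith(">"):
        hit = program in groups.get(target, set())
    else:
        hit = program == target
    return hit != negate


def is_closed(cfg: Config, box: str, program: str, path: str, key: str = "ClosedFilePath") -> bool:
    """True if any ClosedFilePath/ClosedIpcPath line of `box` denies `path` to `program`."""
    groups = process_groups(cfg)
    for k, value in cfg.get(box, []):
        if k != key:
            continue
        selector, pattern = _split_rule(value)
        # Sandboxie patterns use '*' as a wildcard; fnmatch treats backslashes literally.
        if selector_matches(selector, program, groups) and fnmatch.fnmatchcase(path.lower(), pattern):
            return True
    return False


# Modelling assumption (constructed paths, not Sandboxie internals): a program
# cannot start if its own image file or its RPC endpoint is closed to it.
IMAGE_PATH = r"C:\Program Files\App\{}"
RPC_PATH = r"\RPC Control\epmapper"


def can_run(cfg: Config, box: str, program: str) -> bool:
    return not (is_closed(cfg, box, program, IMAGE_PATH.format(program), "ClosedFilePath")
                or is_closed(cfg, box, program, RPC_PATH, "ClosedIpcPath"))


def redundant_rules(cfg: Config, box: str, key: str = "ClosedFilePath") -> List[str]:
    """Lines subsumed by a '*' line with the same selector (wraithdu's point in post 20).

    A rule with a different selector, e.g. 'wmplayer.exe,\\Device\\Afd*' next to
    '!<restricted2>,*', is NOT redundant: it restricts a program the group still lets run.
    """
    rules = [(v, *_split_rule(v)) for k, v in cfg.get(box, []) if k == key]
    catch_all = {sel for _, sel, pat in rules if pat == "*"}
    return [v for v, sel, pat in rules if pat != "*" and sel in catch_all]


CFG = parse_sandboxie_ini(SAMPLE_INI)

if __name__ == "__main__":
    for box, prog in [("Firefox", "firefox.exe"), ("Firefox", "keyboard.exe"),
                      ("WMP", "wmplayer.exe"), ("WMP", "firefox.exe")]:
        net = is_closed(CFG, box, prog, r"\Device\Afd")
        print(f"[{box}] {prog:14} run={can_run(CFG, box, prog)!s:5} network_closed={net}")
    for box in ("Firefox", "WMP"):
        print(f"[{box}] redundant: {redundant_rules(CFG, box)}")
```

    Run it directly to get a table: keyboard.exe (Franklin's test) cannot start in `[Firefox]` because `!<restricted1>,*` closes every path to programs outside the group, so the `\Device\Tcp*` line with the same selector adds nothing and is reported as redundant. In `[WMP]`, wmplayer.exe is allowed to run but the `wmplayer.exe,\Device\*` lines still close the network to it, which is Franklin's non-redundant case.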
     
  22. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi Wraithdu

    To be absolutely clear, these are the settings I refer to, as below:

    ClosedFilePath=!iexplore.exe,\Device\Afd*
    ClosedFilePath=!iexplore.exe,\Device\Tcp
    ClosedFilePath=!iexplore.exe,\Device\Udp
    ClosedFilePath=!iexplore.exe,\Device\RawIp

    Each sandbox contains these four settings, one for IE7, one for Firefox etc. There is nothing in the global settings.

    It is the above settings I am asking about, in terms of whether they are redundant if I use your GlobalSettings ProcessGroup. Sorry to be pedantic, I just want to be sure.

    Thanks

    Terry
     
  23. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I would include Mamutu with TF and Prevx.
     
  24. controler

    controler Guest

    Does anyone know if any of these POC's are in the wild at this time?

    aigle posted:

    http://www.zemana.com/list/list.asp?ktgr_id=413

    I have also tried most of these HIPS. I have not tried Prevx or Online Armor for some years now, and both had a ton of pop-ups back then.

    If all you do is visit security forums, check e-mail (not clicking on everything) and browse normal sites, you usually don't need any protection. I haven't had any for a few months now. I even went to some porn sites just to see, LOL.

    I do use Firefox with NoScript though. I guess this would be one of the best suggestions for a home user. I see a lot more home users using Firefox all the time, but not a lot of them know about NoScript.

    I would hope most home users know how to use Google, so if they do suspect something they can find a thread on the subject, whether it be here or another forum.
     
  25. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND