AntiKeylogger + Lots more App discovery

Discussion in 'other anti-malware software' started by StevieO, Oct 2, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Trusteer Rapport

    Discovered this completely by accident whilst searching for something else.


    http://www.trusteer.com/technology


    First of all you fill in an online form, then you can download the initial file.

    1.png

    This then downloads the main installer.

    2.png

    I chose not to send data

    3.png

    4.png

    More to follow -
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Please be aware that i'm only presenting all this as an App for TESTING purposes. I myself will be testing it with various things to see how it measures up.

    More -

    A compatability test then starts

    5.png

    6.png

    install comp.png

    rap user.png

    More to follow -
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More -

    This is the config panel

    dash1.png

    dash2.png

    Security policy panel, which i had to paste together, hence it doesn't look as i would have wished ! Lots of nice options in here.

    secpol.png

    Another panel highlights some potential security problems. I had already set SSDP to manual in Services, but it picked up the fact that i should disable it altogether, which i did. I purposely havn't updated Flash, and i'm still tinkering with the HOSTS. So spot on for alerting to these.

    ssdp.png

    More to follow -
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More -

    I tested it on a number of www's including HTTP and also HTTPS ones like Hotmail and a few banks. I found that NatWest appears to be a partner, so it automatically leaps into action.

    bank.png

    I had previously blocked IP's in the dashboard !

    nat2.png

    Other www's such as CitiBank and Hotmail arn't partners, so no alert.

    citi.png

    You can add protection to any www you choose, but the free version only lets you have 3. I think it's 3 extra on top of the partner ones ?

    $.png


    They seem to be associated in some way with - http://www.dnsstuff.com - which is fine with me.

    I realise some of their claims are quite broad, and others have tested it in the past and found that it's not perfect, what is. Some links from last year, and earlier on this year, have shown that under a particular circumstance keylogging took place. I'm not sure whether this was on previous versions ?

    Having said that i think it's worth testing, but at this stage i havn't amassed enough data etc to 100% recommend it.

    All in all, so far, it seems very comprehensive. Uncluttered easy to read GUI/panels etc, and fairly straightforward to set up and configure etc.

    You might like to try it, test it and post your results too.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    very interesting application;)
     
  6. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    424
    Location:
    UK
    Thanks for all this info. I assume that this will not run in conjunction with Keyscrambler?
     
  7. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    I have been using Keyscrambler and Snoop Free Privacy Shield for 2 years
    and Trusteer for 12 months, all at the same time, same machine - NO problems whatsoever.

    As StevieO shows re. Trusteer Free, as soon as one uses it to guard 3 financial institutions it won't guard a 4th one, but does tell you that's your lot,
    unless you upgrade to the Pro-edition.
     
  8. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    424
    Location:
    UK
    Thanks for that, I'm also running SnoopFree. I will take look at this new app'
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Well i've made some initial tests, and it's Excellent news.

    Using AKLT.exe

    This has a mixture of seven safe KL + two Screen Capture tests.

    Anti-Keylogger Leak Tester courtesy of Guillaume Kaddouch of - www.firewallleaktester.com - fame, but not fortune, who's www is still up, but no longer active. Go there and see why !!!

    It is available from here though - http://www.softpedia.com/progDownload/Anti-KeyLogger-Tester-Download-107459.html

    Hotmail SSL login panel was used for the test, which i had included in Trusteer Rapport to protect against KL's etc.

    alt1.png

    alt2.png

    alt3.png

    alt4.png

    alt5.png

    More to follow -
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More -

    alt6.png

    alt7.png

    AKLT-SS 1 HM.png

    AKLT-SS 2 HM.png

    More to follow -
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More -


    Zemana tests - keyboard.exe - ScreenLogger.exe - ClipBoardLogger.exe

    Zemana -- KL.png

    Zemana - -SC.png

    Zemana - -Clip.png

    So with these tests it successfully passed ALL 8 attempts at Keylogging and 3 Screen Captures, and only failed on the Copy/Paste = 11/12

    Naturally as Anti Screen Capture was enabled, i was prevented from taking the above screenies by TR. So after the successful tests i had to disable TR and then take them.

    Keylogging + Screen Capture prevention with the above tests works as advertised. And of course it has all the other potentially useful things going for it, shown above in my previous screenies, of which i could confirm positively on the things i noted.


    More to follow -
     
  12. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More -

    What i did find was that whilst TR was enabled/running, my mouse response seemed to be slightly more sluggish ? Also on checking via Task Manager it was consuming between 20% - 24% CPU ?

    ZA cpu.png

    ZA Rap Log.png

    Looking at my FW logs i saw repeated outbound attempts, even though i had disabled Updates and Send Errors etc in the Dashboard, and blocked outbounds for it ?

    Conclusion -

    I can't fault it's Keylogging and Screen Capture blocking abilities. The above CPU usage, mouse, and outbounds are a concern. For free it's very good, but only allows 3 extra www's of your choice to be protected.

    For now i'm going to keep it and experiment further.
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Huwge

    Pleasure, and let us know your impressions etc.

    MICRO


    I'm surprised you're able to run TR + KS + SF all together without any of them falling over each other, fighting to intercept/block etc ! But as you've been using this combo for 12 months without any noticeable problems, that's good.

    Just to clarify, it's not only financial institutions it helps protect, but ANY 3 www's you choose to add, HTTP and/or HTTPS. The paid has unlimited www's.
     
  14. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Interesting indeed. Good work, StevieO
     
  15. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Only bit of an item of interest with mine when all three were running was the very strange to me fact that AKLT was somehow able to take a screenshot
    on one of it's *tests* using *MSPaint.exe* and place it it AKLT's folder - I needed to remove the available copies of Paint, but didn't ever use it so it was no loss.

    You are quite correct re. TR's Outbound UDP's Stevie., I had to block all access both ways TCP/UDP via my FW.
    With interest rates now about to begin their ascent I am a bit concerned
    because I have so many accounts and TR only covers three, while I switch
    accounts quickly to whoever offers the best rates at any given time.
    Probably have to think about upgrading TR but I am scared of all the Moths
    if I have to go in my pocket.
     
  16. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think an austrialan bank uses some similar software , it provides it to its customers free of charge.
     
  17. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    424
    Location:
    UK
    Excellent testing, thanks for the efforts.

    As you said, it is a concern with the outbound attempts and the CPu usage. Wonder if someone from the company will pick up on this thread and comment !
     
  18. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    You may be thinking of OSD's, HSBC and Rabobank offer them free to their customers and I use both but have not heard of a TR
    type of offer.
     
  19. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Keyboard_Commando

    Thanx

    Joeythedude

    Yes TR is also provided free by some banks etc.

    Huwge

    Thanx. I hope someone from TR can respond, i might email them and then hopefully we'll get some answers. They won't be dissapointed with the Anti test results though !

    MICRO

    I can't explain why paint was able to do that on your PC, especially with all 3, but on mine i was safe !

    It's not the Moths you need to worry about it's the holes the've eaten away and allowed your $ to escape lol.

    *************

    A funny thing happened today. Booted up with all cookies/cache etc cleaned as usual, went straight to Hotmail to log in, and got this ZA prompt -

    LSA.png

    I had received just a few in the last couple of days, and wondered why i was getting them. I thought it might be connected with TR, as i hadn't ever had one before. I can confirm it was TR doing that.

    Not sure why TR is trying to gain outbound access via LSA shell ? Whatever that is ?

    The only reason i've been experiencing the extra CPU usage, is due to TR attempting to call out via several methods. As soon as i shut TR down the activity ceases.

    Actually, yes i will email them as i'd like to know what's occurring and why.
     
  20. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,443
    Location:
    U.S.A.
    FYI. Details on LSA Shell Export-Version from bleepingcomputer.com. Do scan your computer as soon as possible.
     
  21. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    JRViejo

    Hi, Thanx for the heads up.

    I did some Googling, and there were lots of mixed reports about it. Anyway i narrowed them down, and this is just one example.


    search lsa.png

    Same file size, and dates are OK.

    As a precaution i had it scanned - http://www.virustotal.com/analisis/...668f8c4aad0d139f362635efb30482b4ed-1254768070 ~ Note - inclusion of this VirusTotal link is not an alteration of the stated Policy. This was to address a specific diagnostic question and was approved prior to the post appearing. In the typical AM rush, communication of that approval was mishandled by me, hence the original removal and now reappearance of this link - Blue ~

    Result: 0/41 (0.00%)

    VT shows File size: 13312 bytes which is identical to one of my shown sizes. The difference appears to be between Size and Size on Disk !

    I have Avira and Prevx running full time, and they havn't noticed anything connected with this.

    Just out of curiosity i did an online scan at ESET -

    e1.png

    Yes it found 367 nasties lol, but i had more than that which it didn't find. Also quite a lot of FP's too ? All the detects were in various Rootkit/Malware etc folders that i've collected for some time, so no real threats.

    I have to say that i felt all along it was the genuine file, but never does any harm to check. So Thanx for your concern and info !

    Now if only i could establish why TR was trying to use LSA Shell Export-Version
     
    Last edited by a moderator: Oct 6, 2009
  22. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,443
    Location:
    U.S.A.
    StevieO, glad to hear that the scan was negative. Perhaps emailing Trusteer might give you the answer you are seeking, if you have not done so already.

    PS. Had no choice but to remove your VT link, as per policy.

    JR
     
  23. Trusteer

    Trusteer Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    5
    Hello from Trusteer...

    First - thanks for the comprehensive review. We would like to clarify the two issues brought up in the post above:

    1. The CPU consumption issue - the process that consumes CPU here is not Rapport. It is vsmon.exe - which is part of ZoneAlarm.

    2. The outbound connections established by Rapport's processes are requests for configuration updates, health signals, etc. - this is a perfectly normal and by design behavior of Rapport.

    Again - thanks for your analysis. We'll be happy to address any additional/follow-up questions here or through our support mailbox.

    The Trusteer team.
     
  24. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Trusteer

    Hi and Thanx for dropping by and responding to my email, that was quick !

    Pleasure on the review/test.

    Could you please respond comprehensively in turn to these points -


    1. The CPU consumption issue -

    * Yes i know it's vsmon.exe = ZA but the high CPU activity is Entirely due to TR's almost constant barrage of trying to phone home.

    * How can i prevent all the phone home attempts = high CPU/ZA activity ?

    * Why was TR is trying to gain outbound access via LSA shell ?


    2. The outbound connections by TR, configuration updates, health signals, etc. -

    * As i mentioned, i have disabled Updates and Send Errors etc in the Dashboard, so why is TR still trying to phone home ?

    * What exactly are these configuration updates, health signals, etc ?

    * If i didn't block the phone home attempts in ZA, how frequently would connections occur. Every few minutes, hourly, daily ?

    TIA
     
  25. Trusteer

    Trusteer Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    5
    Regarding the high CPU consumption of ZoneAlarm in the presence of Rapport - we tried to reproduce this in the lab, using the latest ZoneAlarm and the Rapport version you have, but so far we have not seen the phenomenon you described. On the other hand, we did find many references in the Internet to ZoneAlarm high CPU consumption, having nothing to do with Rapport.

    Regarding LSA - Rapport doesn't use LSA to connect to the Internet.

    Regarding the phone home attempts you see - as I mentioned, these are configuration requests (the subscribed businesses can control various aspects of the security policy enforced by Rapport on their sites through the configuration). They are issued several times a day. Note that if a configuration request fails, Rapport will retry every 15 minutes. It is impossible to turn off configuration updates.

    Hope this clarifies your findings.

    Best,
    The Trusteer team.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.