AVZ Antiviral Toolkit vs. various keyloggers

Discussion in 'other anti-malware software' started by MrBrian, Jul 9, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AVZ Antiviral Toolkit (avz4.zip) has heuristic detection of keyloggers by using neural networks. Also, AVZ Antiviral Toolkit can detect rootkits. It would be great to see how well AVZ Antiviral Toolkit detects various keyloggers.

    Here is the proposed methodology for those of you who want to test this program against a given keylogger:
    1. Download and unzip avz4.zip. No installation is necessary.
    2. Run the program.
    3. Leave all settings at defaults.
    4. Click the 'Start' button and wait until it's finished.
    5. Look at File->View suspicious objects list. If any of the keylogger's objects appear in this list, then we count this as a successful detection, and otherwise failure.

    I tested Elite Keylogger v4.1 Build 149 trial vs. AVZ Antiviral Toolkit v4.30. The suspicious objects list showed driver ntmtlf2k.sys with the description 'kernel-mode hook', so AVZ Antiviral Toolkit v4.30 was successful in detection of this particular keylogger :). Furthermore, the log showed that this particular driver hooks only functions associated with keystrokes.

    If some of you wish to test other keyloggers, please post the results here!
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Did you try it against the Zemana webcam logger test? And if you did, how was it?
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I didn't. Even though this is not a keylogger (right?), you could still try to see if AVZ Antiviral Toolkit finds it.
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    It is a keylogger leak test from Zemana.
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The entries below are flagged in red (suspicious), but it is quite easy to ascertain that they belong to Returnil and WinPatrol.

    Function NtCreateSection (4B) intercepted (819D7703->8020348A), hook C:\Windows\system32\Drivers\RVFsSec.sys
    Function NtLoadDriver (A5) intercepted (81998384->802036B4), hook C:\Windows\system32\Drivers\RVFsSec.sys

    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL --> Suspicion for Keylogger or Trojan DLL
    C:\Program Files\BillP Studios\WinPatrol\PATROLPRO.DLL>>> Behavioural analysis
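    Turning AVZ's "Function ... intercepted ..., hook ..." lines into a per-driver triage list, as an added example that is not from this thread or from AVZ itself: the first two sample lines are Franklin's, the third line and its CONSTRUCTED_example.sys driver are constructed, and the Returnil ownership of RVFsSec.sys is taken from Franklin's identification above.

```python
import re
from collections import defaultdict
# AVZ prints one intercepted kernel function per line, in the form quoted in this
# thread: "Function <name> (<idx>) intercepted (<orig>-><hooked>), hook <driver>".
HOOK_RE = re.compile(
    r"Function (?P<func>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hooked>[0-9A-Fa-f]+)\), hook (?P<module>.+?)\s*$"
)

# Constructed sample: Franklin's two RVFsSec.sys lines plus one made-up line for a
# driver nobody has identified yet (CONSTRUCTED_example.sys is a placeholder name).
SAMPLE_LOG = r"""
Function NtCreateSection (4B) intercepted (819D7703->8020348A), hook C:\Windows\system32\Drivers\RVFsSec.sys
Function NtLoadDriver (A5) intercepted (81998384->802036B4), hook C:\Windows\system32\Drivers\RVFsSec.sys
Function NtReadFile (B7) intercepted (81A0C0DE->F9E01234), hook C:\Windows\system32\Drivers\CONSTRUCTED_example.sys
"""

def parse_hooks(log_text):
    """Extract every hook line into a dict; other log lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "function": m.group("func"),
                "index": int(m.group("idx"), 16),  # SSDT slot, hex in the log
                "original": int(m.group("orig"), 16),
                "hooked": int(m.group("hooked"), 16),
                "module": m.group("module"),
            })
    return hooks

def hooks_by_module(hooks):
    """Group hooked function names under the driver that installed them."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)

def triage(hooks, known_benign):
    """One row per hooking driver: (path, functions, verdict). known_benign maps a
    lower-case driver file name to the product verified to own it; others get review."""
    rows = []
    for module, funcs in hooks_by_module(hooks).items():
        owner = known_benign.get(module.rsplit("\\", 1)[-1].lower())
        rows.append((module, funcs, f"known: {owner}" if owner else "review: unverified kernel-mode hook"))
    return rows

# Ownership as identified in Franklin's post; extend as more drivers are verified.
KNOWN_BENIGN = {"rvfssec.sys": "Returnil"}
```

Run `triage(parse_hooks(log), KNOWN_BENIGN)` over a saved AVZ log to get the red hook entries grouped by driver, with anything not yet attributed to a known product left marked for review.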

     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    The PATROLPRO.DLL is for sure WinPatrol Pro.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Imagine if you get a false positive and it is a Windows file o_O, and that goes for all the antivirus/antispyware scanners out there. We probably recognize it is a false positive alert, but what about mom :doubt:? She may click delete or quarantine. The same goes for software firewalls: mom clicks yes and gets a blue screen.
     