Could someone using Threatfire 3.5 confirm my test result?

Discussion in 'other anti-malware software' started by Henk1956, Jun 4, 2008.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Henk, it's not whitelisting afaik, not in this case. It seems logical.
    You asked a question there, he answered. You should explain what you tried, ie, rename AKLT.exe .
    From MrBrian's link:
    You rename it, and TF acts as normal (this is a guess), and since AKLT is not malicious, nothing happens.

    With TF, you have to test with malware.
     
  2. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    The AKLT thing does give too much confusion.

    Will try to find a better way to test this and then post again.
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Depending on your experience, this is more or less relevant:
    I don't recommend you install malware. I'm just saying that TF can't be tested with ordinary tests, expecting it to act on anything. It's built to detect and block/quarantine real malware.
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I read their answer to your post. Interesting.

    If we assume for the moment that they do use the hash as their moderator says then where would that leave your test result? There must be another reason. Unless I missed it I don't think this question is over. Their moderator would have a few problems IF they don't use the hash.
     
  5. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Escalader & Pedro,

    Pedro, I think you are right considering MrBrian's link.
    I did try some different things with custom rules and not involving AKLT.
    Now behaviour is quite different and more as expected.
    Only sometimes, after a change in the rules or trusted files, TF does not act according to these changes right away (but eventually it does).

    I have to agree that testing TF is not that simple and it's probably best to test with real malware (but I don't have a VM so I am not going to do that myself).

    Thanks for the help.

    Henk
     
  6. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Pedro,

    but TF does alert you to keylogging activity for tests 1 and 2. And there is no recourse but to kill and quarantine aklt.exe because the alert keeps popping up if you try to allow it. This is for level 5. I renamed aklt to kencat and it behaved the same.

    test1FLT_TF.jpg

    Test 3 Fails period.

    Tests 4, 5, and 6 give a TF alert like this:

    Test4AKLT_TF.jpg

    But you can allow the action and then AKLT will capture the keystrokes.

    So the test does seem valid since TF detects some but not all tests.

    I can't confirm changing to winlogon as I get this when I double-click, so W2K seems to know what's going on??:
    winlogonerror.jpg

    If I'm doing something wrong let me know.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    They add the "detection" of these tests so people see it "working".
    Normally and without pressure (from people on forums for one), TF would not detect this. If it did, it's a false alarm, since this test doesn't really harm you.

    TF is closer to AVs than HIPS in that regard; it's not to alert until it finds malware, with 90%+ guarantee it's not a false alarm.
    (the percentage is just to make a point)
    It's "this is malware", and not "this application is doing that, figure it out". :)

    Only if some of the keylogging methods were by themselves indication of malware, like suppose no legitimate program used them, then it would be reasonable to flag it.
    If not, and since legitimate programs will use some or all of these methods as well, TF has to take other things into consideration, before alerting the user "hey, this thing is a trojan, i suggest you quarantine it".

    Just my opinion though.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Henk! You know what I suspect.

    It will be just plain stupid to have a whitelist based upon names only without any checksum/hash etc. We should not expect this from any vendor at all.

    The reason I suspect may be as follows. TF is very poor against keyloggers. Now as people try POC keyloggers against TF, they might have added detection for some POCs like AKLT, and this detection might be separate from the whitelist, not involving a proper checksum/hash etc.

    Now the best way to do that is take an actual malware. Rename it to some legit essential Windows executable like winlogon.exe and then execute. I am sure it will be detected. So many malware samples use names similar to Windows' own executables.
     
    Last edited: Jun 5, 2008
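The distinction aigle and Escalader are arguing about (a trusted-files list keyed by file name versus one keyed by a checksum/hash) can be shown directly. The following is an added illustration, not ThreatFire's code; it builds two constructed stand-in files in a temp directory and assumes SHA-256 as the hash, which the thread does not specify.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest of the file's bytes; renaming or moving the file does not change it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameWhitelist:
    """Trusts anything whose base name matches an enrolled file (the weak design)."""
    def __init__(self, paths):
        self.names = {os.path.basename(p).lower() for p in paths}

    def is_trusted(self, path):
        return os.path.basename(path).lower() in self.names


class HashWhitelist:
    """Trusts a file only if its digest matches an enrolled file (what a vendor should do)."""
    def __init__(self, paths):
        self.digests = {sha256_of(p) for p in paths}

    def is_trusted(self, path):
        return sha256_of(path) in self.digests


def demo():
    """Constructed scenario: an enrolled 'winlogon.exe' and a different program given that name."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "winlogon.exe")
    with open(trusted, "wb") as f:
        f.write(b"MZ constructed stand-in for the real system binary")
    other = os.path.join(d, "aklt.exe")
    with open(other, "wb") as f:
        f.write(b"MZ constructed stand-in for a keylogger test program")
    by_name, by_hash = NameWhitelist([trusted]), HashWhitelist([trusted])
    renamed = os.path.join(d, "sub", "winlogon.exe")  # same bytes as aklt.exe, trusted name
    os.makedirs(os.path.dirname(renamed))
    shutil.copy(other, renamed)
    result = {"name_trusts_renamed": by_name.is_trusted(renamed),
              "hash_trusts_renamed": by_hash.is_trusted(renamed),
              "hash_trusts_original": by_hash.is_trusted(trusted)}
    shutil.rmtree(d)
    return result
```

A name-keyed list grants trust to the renamed file; a hash-keyed list does not, while still trusting the genuine enrolled binary.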
  9. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Yes aigle, I already admitted that I did some poor testing and jumped to some early conclusions.

    I now learned that TF cannot be so easily tested as other security applications.

    I have to live with that, since I don't want to take any risks by testing with real malware.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Maybe I will test in that way if I get some time later. Not sure, depends upon time.
     
  11. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Threatfire is not that good against keyloggers. Threatfire is like the last security blanket in your setup. If it gets by your firewall, AV and sandbox, hopefully Threatfire will come to the rescue.

    IceCube
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    This seems to confirm that the TF moderator was correct and they do in fact use the hash.
     
  13. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    This might clinch it. I renamed aklt to mstask. Same result on test1 as before. Mstask.exe should be a trusted exe in TF, but TF detected the keylogging.

    test1mstask.jpg

    As an interesting aside. On another old laptop I have TF and the PCTools firewall. Tests 4, 5, and 6 are detected by the firewall with a nice description of the keylogging hook, and blocking did stop aklt from detecting the keystrokes. Test 3 was still invisible to the PCTools suite... but 5 out of 6 ain't bad :D
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What has the name of an object to do with its suspicious behavior? Nothing.
    If an object behaves suspiciously, the name of the object doesn't matter; the name is only useful to identify the object. Isn't that logical?
    What I don't understand about TF is that it doesn't detect every keylogging, while keylogging is always a suspicious behavior and the same activity.
     
    Last edited: Jun 5, 2008
  15. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Not completely. For what it's worth, I thought your explanation nailed it.


    Mike
     