EQSECURITY FAILS AKLT (Anti Key Logger Test)

Discussion in 'other anti-malware software' started by TerryWood, Jul 11, 2008.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

Just set up EQSecure with Alcyon's 20/06/2008 ruleset.

    Tried the AKLT test (I think it was produced by Comodo). It fails the last test, Screenshot 2. Has anyone else had this?

    Would you have expected Alcyon's rules to have prevented it? (There were no pop-ups offering allow or block for this Screenshot 2 test.)

    I must say I am disappointed.

    Any other views?

    Thanks

    Terry
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Last edited: Jul 11, 2008
  3. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Yes, I use EQS 3.41 and I know it doesn't pass all AKLT tests. In fact, I thought it failed more than just the last test, but I could be wrong. I always have a second program to ensure I'm fully protected. It's a pity it doesn't pass, but I don't think anybody is going to do anything about it.

    The ruleset will not affect the keylogger protection at all. It is something built-in to EQS.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Rubbish, EQSecure does block it. This is the pop-up warning I get when I press Screenshot 2.
     

    Attached Files:

  5. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have re-tested EQS 3.41 and found that:
    1. EQS fails GetKeyboardState
    2. EQS fails GetRawInputData
    3. And yes, fails Screenshot 2
    All others OK.

    With regard to Screenshot 2, I got exactly the same pop up as you but the screenshot AKLT_screenshot.jpg was still on the desktop.
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Hammerman,
    If you are using DefenseWall as your sig suggests, then you need not worry as DefenseWall protects against all in that test.
     
  7. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

    I can confirm again that in my test EQSecure appeared to pass all tests except Screenshot 2. I can also confirm what hammerman says, in that it appears to pass the test BUT the screenshot is NOT blocked.

    So why are we getting these different results?

    Terry
     
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I'm surprised EQS passes all other tests. I get failures for GetKeyboardState and GetRawInputData as well as Screenshot 2 (see images). It looks to me that the AKLT_screenshot.jpg file is created before the EQS pop-up appears. I think the pop-up is a response to an AKLT request to display the image.

    Perhaps arran should not be so quick to rubbish peoples findings.
     

    Attached Files:

  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not sure about screenshot protection, but I'm sure EQS does intercept all key-logging methods (1 to 5) of AKLT. If you are getting different results, it might be a conflict on your system with some other security software.
     
    Last edited: Jul 12, 2008
  10. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    There is a command line in the screenshot saving; try to block it, then see if anything is in that image. Maybe it is empty (no screen taken)...
     
    Last edited: Jul 12, 2008
  11. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    The jpeg file contains an image of the desktop - it is not empty. The test has failed.

    When I press Screenshot 2, I get the following message and the AKLT_screenshot.jpg file is generated at the same time. When I press OK, the EQS pop-up appears in response to the attempt to display the image. The pop-up appears too late because the screenshot has already been taken.
     

    Attached Files:

    • eqs.JPG
      eqs.JPG
      File size:
      40.6 KB
      Views:
      433
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Odd results for sure.

    The EQS (4.0 Beta) w/Alcyon's Rules does indeed block all of this keylog test flat out for me. XP Pro SP2. No letters show up, in fact, after the first block for the next 3 I believe; I hit STOP, then proceed to the next test, but on the final 2 the screenshots do seem to have been taken and likely have, but I can use EQS to manually BLOCK them, or you could use Alcyon's Folder Block rule he made a while back to block the desktop, My Documents, etc.

    In the finjan.vbs I use the blacklist to BLOCK both the desktop & My Documents from any access and that test is stopped cold, period.

    Back on the AKLT, on one of the screenshots you should notice mspaint is launched to show it took the screenshot, which can be blocked, but I see the concern that any screens are made at all.

    I'll have a peer into this myself today because that kind of bugged me too.

    EASTER
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I have uninstalled all security software except Avira and Returnil to avoid possible conflicts. Same result. EQS fails GetKeyboardState, GetRawInputData and Screenshot 2.

    I'm using AKLT 3.0. I always close and restart the program between each individual test. I have a text file open all the time using Notepad. After I start each individual test, I enter the text characters in Notepad.

    If this is how everybody else is using AKLT and they find that EQS passes all tests, then I'm at a loss.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hmmm

    I also tested using AKLT 3 and EQS blocks ALL keylog tests, but be advised that on some, like DirectX and a couple of others, EQS alerted and required a manual BLOCK, and that was the end of that.

    My config is XP Pro SP2. Also I am using not 3.41 but the 4.0 beta that was posted some time ago, and I made copies of it in case it got lost in this ton of apps I keep on hand.

    Dunno why you're being bypassed, but I suggest you make sure you have at least Alcyon's very first (2) rules, one showing a date of 20 and the other 26. I do believe I'm using the first (20) and I get a full refusal on AKLT with the slight exception of the screenshots, which also require a manual BLOCK, but I'm looking to make a rule in the blacklist (Alcyon could come up with it in a flash) to BLOCK "all" screenshots of this AKLT.

    EASTER
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just a wild guess, are you sure you are not typing within the window of the AKLT test utility?

    To be sure, launch Notepad every time, click in it and make sure it's away from the window of the AKLT utility. Just a guess, as I understand you are typing away from it.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    What aigle says is correct.

    The problem with Windows sometimes is FOCUS; make sure by using the pointer to click inside the AKLT test boxes first to acquire full focus or action, then proceed to tap your keyboard letters.
    I do this because windows has an uncanny knack at times at diverting focus to another window if opened and can ignore the one you're trying to work with or test.

    EASTER
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not inside, rather outside of AKLT window.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)

    Thanks, I have always been under the impression that to grab window focus sometimes the pointer and click must take place "ON" the window that is out of focus at the time.

    Still, regardless, I get good blocking results either way, but that pesky screenshot test always makes it through somehow, and I'm going to see if either I or Alcyon can track this registry or file item down to prevent it.

    EASTER
     
  19. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    That was how I thought the test should be carried out. The focus must be in another window and I am making sure that I type into Notepad away from AKLT window.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Now it's weird. I can say only this: I never got these results on my system. Did you do it in Shadow mode of Returnil?
     
  21. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    I confirm that my latest ruleset (v06202008) and v3.41 fail with GetKeyboardState, GetRawInputData and Screenshot 2. Right now, I have no idea how to deal with the first two. I'll need to investigate, but I doubt that something can be done with v3.41 due to some limitations. v4b2 should pass them.

    Screenshot 2 is another story and somewhat of a PITA to fix. Using my rules, if a real-world malware puts the files in Windows, System32 (~90% or even more of the patterns malwares adopt) or many other targeted folders, you're safe.

    I presume that the only way to make sure that real malwares don't write screenshots in wacky places in your system drive or somewhere else is to globally monitor .jpg and/or other related pic extensions using the write file operation (prompt and block) in file protection settings in a special way. Read operation (p&b) could be used too, btw. In fact, you need to whitelist all your installed photo-editing software, explorer, IE, paint and probably others (allow read & write for .jpg, etc.) using the medium priority section (fps/application rules), followed by a group of rules similar to:

    GroupName
    Process= * (all actions to ignore & logs = no)
    └->File = ?:\*.jpg + all other pic ext. (create file = prompt & block, log=yes & all others actions to ignore & log=no)

    If i find something easier, i'll let you know.
     
    Last edited: Jul 13, 2008
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Check EQS and see if yours uses (like mine) the 112 size driver. I do know it changed from 3.41 to 4.0 beta in size with improvements.

    AKLT is stopped dead, all except those pesky screenshots; I'm still looking for the MS executable or registry entry to block it entirely.

    If anyone finds it pls post your results.

    I'm getting close though thanks to Google. I would prefer (if possible) just to toggle the Print Screen feature since it doesn't pose any near or immediate threat to me. But i would feel better knowing those last 2 tests are blocked entirely.

    EASTER
     
    Last edited: Jul 13, 2008
  23. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

    As the originator of this thread I have been literally enthralled at the commentary.

    As a novice I would not expect to create impact, but when a number of Wilders worthy posters start getting differing results, apparently unexplainable at the moment, then, despite all the postulations about how good EQSecure is, with or without Alcyon's ruleset, one wonders just how good it is (EQSecure).

    Just in case anyone gets the wrong idea, I criticise no one, this thread is helping me enormously in software evaluation.

    Thank you and keep the commentary flowing for the benefit of all.

    Terry
     
  24. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Screenshot 2 uses the BitBlt function in library ..\system32\gdi32.dll to take the screenshot. I tried to stop AKLT.exe loading this library using EQS. I got a log entry stating that gdi32.dll had been blocked from loading, but when I check with 'What's Running', AKLT.exe has still loaded gdi32.dll. Therefore the screenshot is still taken.

    This seems to mean that the EQS rule for blocking the loading of library gdi32.dll has been bypassed somehow.

    When I block loading of all libraries, AKLT does not even start. I do not use the Load Library File protection normally. Perhaps I should.

    Does Comodo or any other program pass the Screenshot 2 test? If it did, I would be interested to see the pop-up.
     
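Added example, written for this page and not taken from AKLT, EQSecure or any poster: the BitBlt capture path hammerman describes above, split into three separately observable steps (the gdi32.dll BitBlt copy, the JPEG write, and the mspaint launch that shows the image), so that a HIPS can be tested for *which* step it actually prompts on rather than whether a prompt appears at all. It assumes a Windows host with .NET's System.Drawing available; the output file name, the 10-second pause and the use of mspaint as the viewer are choices made here, not AKLT's behaviour.

```powershell
# Added example (not AKLT's or EQSecure's code). Reproduces a GDI screen grab via
# gdi32.dll!BitBlt in three stages so you can see which stage a HIPS intercepts.
# Assumptions: Windows, .NET System.Drawing present; paths/timings chosen here.

Add-Type -AssemblyName System.Drawing

# Minimal P/Invoke surface for the capture path (user32.dll / gdi32.dll).
Add-Type -Namespace Demo -Name Gdi -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetDesktopWindow();
[DllImport("user32.dll")] public static extern IntPtr GetDC(IntPtr hWnd);
[DllImport("user32.dll")] public static extern int ReleaseDC(IntPtr hWnd, IntPtr hDC);
[DllImport("user32.dll")] public static extern int GetSystemMetrics(int nIndex);
[DllImport("gdi32.dll")] public static extern IntPtr CreateCompatibleDC(IntPtr hdc);
[DllImport("gdi32.dll")] public static extern IntPtr CreateCompatibleBitmap(IntPtr hdc, int nWidth, int nHeight);
[DllImport("gdi32.dll")] public static extern IntPtr SelectObject(IntPtr hdc, IntPtr hgdiobj);
[DllImport("gdi32.dll")] public static extern bool BitBlt(IntPtr hdcDest, int nXDest, int nYDest, int nWidth, int nHeight, IntPtr hdcSrc, int nXSrc, int nYSrc, uint dwRop);
[DllImport("gdi32.dll")] public static extern bool DeleteObject(IntPtr hObject);
[DllImport("gdi32.dll")] public static extern bool DeleteDC(IntPtr hdc);
'@

$SRCCOPY     = 0x00CC0020   # raster op: straight copy of the source
$SM_CXSCREEN = 0            # GetSystemMetrics index: primary screen width
$SM_CYSCREEN = 1            # GetSystemMetrics index: primary screen height

function Invoke-BitBltCapture {
    param([string]$Path)
    $w     = [Demo.Gdi]::GetSystemMetrics($SM_CXSCREEN)
    $h     = [Demo.Gdi]::GetSystemMetrics($SM_CYSCREEN)
    $hwnd  = [Demo.Gdi]::GetDesktopWindow()
    $srcDC = [Demo.Gdi]::GetDC($hwnd)
    $memDC = [Demo.Gdi]::CreateCompatibleDC($srcDC)
    $hBmp  = [Demo.Gdi]::CreateCompatibleBitmap($srcDC, $w, $h)
    $old   = [Demo.Gdi]::SelectObject($memDC, $hBmp)

    # Stage 1: the screen copy itself. This is the call a HIPS must hook to
    # stop the capture; nothing has touched the disk yet.
    $ok = [Demo.Gdi]::BitBlt($memDC, 0, 0, $w, $h, $srcDC, 0, 0, $SRCCOPY)
    [void][Demo.Gdi]::SelectObject($memDC, $old)

    if ($ok) {
        # Stage 2: write the pixels out as JPEG (the file AKLT leaves on the desktop).
        $img = [System.Drawing.Image]::FromHbitmap($hBmp)
        $img.Save($Path, [System.Drawing.Imaging.ImageFormat]::Jpeg)
        $img.Dispose()
    }

    [void][Demo.Gdi]::DeleteObject($hBmp)
    [void][Demo.Gdi]::DeleteDC($memDC)
    [void][Demo.Gdi]::ReleaseDC($hwnd, $srcDC)
    return $ok
}

$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'bitblt_test.jpg'
$t0  = Get-Date
$captured = Invoke-BitBltCapture -Path $out
"BitBlt returned $captured; file exists: $(Test-Path $out); elapsed $((Get-Date) - $t0)"
Write-Host "Stages 1-2 done. Note whether any HIPS prompt appeared BEFORE this line."
Start-Sleep -Seconds 10

# Stage 3: hand the image to a viewer, the way AKLT launches mspaint. If the
# first prompt you see belongs to this stage, the capture itself was not intercepted.
Start-Process mspaint.exe -ArgumentList "`"$out`""
```

Run it with the HIPS active and a ruleset loaded. If `file exists: True` is printed and no prompt has appeared by then, the product is reacting to the viewer launch (stage 3) and not to the BitBlt copy or the JPEG write, which is the ordering hammerman reports; a product that genuinely blocks the test should prompt before that line is printed, and the file should be absent.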
  25. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Defensewall vs Screenshot 2 test.

    2008-07-17_004556.png

    DefenseWall's Log.............

    2008-07-17_005216.png
     