EQSECURITY FAILS AKLT (Anti Key Logger Test)

Hi All

Just Set up EQSecure with Alcyons 20/06/2008 ruleset

Tried the AKLT test (think it was produced by Comodo) It fails the last test Screenshot 2. Has anyone else had this?

Would you have expected Alcyons rules to have prevented it. (There were no pop ups offering allow or block for this Screenshot 2 test)

I must say I am disappointed.

Any other views?

Thanks

Terry

 

AKLT was created here:
http://www.firewallleaktester.com/

 

Yes, I use EQS 3.41 and I know it doesn't pass all AKLT tests. In fact, I thought it failed more than just the last test but could be wrong. I always have a second program to ensure I'm full protected. It's a pity it doesn't pass but I don't think anybody is going to do anything about it.

The ruleset will not affect the keylogger protection at all. It is something built-in to EQS.

 

Rubbish EQ secure does block it. this is the pop up warning I get when I press screen shot2.

 

I have re-tested EQS 3.41 and found that
1. EQS fails getKeyboardState
2. EQS fails GetRawInputData
and yes 3. Fails Screenshot2
All others OK

With regard to Screenshot 2, I got exactly the same pop up as you but the screenshot AKLT_screenshot.jpg was still on the desktop.

 

Hammerman,
If you are using DefenseWall as your sig suggests, then you need not worry as DefenseWall protects against all in that test.

 

Hi All

I can confirm again that in my test EQSecure appeared to pass all tests except the screenshot two. I can also cofirm what hammerman says in that it appears to pass the test BUT the screenshot is NOT blocked.

So why are we getting these different results?

Terry

 

I'm surprised EQS passes all other tests. I get failures for GetKeyboardSate and GetrawInputdata aswell as Screenshot 2 (see images). It looks to me that the ALKT_Screenshot.jpg file is created before the EQS pop-up appears. I think the pop-up is a response to an AKLT request to display the image.

Perhaps arran should not be so quick to rubbish peoples findings.

 

Not sure about screenshot protection but sure EQS does intercept all key logging methods( 1 to 5) of AKLT. If u r getting different results, it might be a conflict on ur system, with some other security software.

 

There is command line in screenshot saving, try to block it, then see if anything is in that image, maybe it is empty (no screen taken)...

 

The jpeg file contains an image of the desktop - it is not empty. The test has failed.

When I press Screenshot 2, I get the following message and the AKLT_screenshot.jpg file is generated at the same time. When I press OK, the EQS pop-up appears in response to the attempt to display the image. The pop-up appears too late because the screenshot has already been taken.

 

Odd results for sure.

The EQS (4.0 Beta) w/Alcyon's Rules does indeed block all of this keylog test flat out for me. XP Pro SP2. No letters show up in fact after the first block for the next 3 i believe, i hit STOP, then proceed to the next test, but on the final 2 the screenshots do seem to been taken and likely have, but i can use EQS to manually BLOCK them or you could use Alcyon's Folder Block rule he made awhile back to block the desktop, My Documents, etc.

In the finjan.vbs i use the blacklist to BLOCK both the desktop & My Documents from any access and that test is stopped cold period.

Back on the AKLT, one of the screenshots you should notice mspaint is launched to show it took the screenshot which can be blocked but i see the concern that any screens are made at all.

I'll have a peer into this myself today because that kind of bugged me too.

EASTER

 

I have uninstalled all security software except Avira and Returnil to avoid possible conflicts. Same result. EQS fails GetKeyboardState, GetRawInputData and Screenshot 2.

I'm using AKLT 3.0. I always close and restart the program between each individual test. I have a text file open all the time using Notepad. After I start each individual test, I enter the text characters in Notepad.

If this is how everybody else is using AKLT and they find that EQS passes all tests, then I'm at a loss.

 

Hmmm

I also tested using AKLT 3 and EQS blocks ALL keylog tests but be advised on some like directX and a couple others EQS alerted and required manual BLOCK, and that was the end of that.

My config is XP Pro SP2. Also i am using not 3.41 but the 4.0 beta that was posted some time ago and made copies of it in case it got lost in this ton of apps i keep on hand.

Dunno why you're being bypassed but i suggest you make sure you have at least Alcyon's very first (2) rules, one showing a date of 20 and the other 26, i do believe i'm using the first (20) and i get a full refusal on AKLT with the slight exception of the screenshots which also require manual BLOCK but i'm looking to make a rule in the blacklist (Alcyon could come up with it in a flash), to BLOCK "all" screenshots of this AKLT.

EASTER

 

Just a wild guess, are u sure you are not typing within the window of AKLT test utility?

To be usre launch notepad every time, click in it and make sure it,s away from window of AKLT utility. Just a guess as I understand u are typing away from it.

 

What aigle says is correct.

Problem with windows sometimes is FOCUS, make sure by using the pointer to click inside the AKLT Test boxes first to acquire full focus or action, then proceed to tap your keyboard letters.
I do this because windows has an uncanny knack at times at diverting focus to another window if opened and can ignore the one you're trying to work with or test.

EASTER

 

Not inside, rather outside of AKLT window.

 

Thanks, i always been under the impression to grab window focus sometimes the pointer an click must take place "ON" the window out-of-focus at the time.

Still, regardless, i get good blocking results either way, but that pesty screenshot test always makes it thru somehow and i'm going to seee if either myself or Alcyon can track this registry or file item down to prevent it.

EASTER

 

That was how I thought the test should be carried out. The focus must be in another window and I am making sure that I type into Notepad away from AKLT window.

 

Now it,s weired. I can say only this. I never got these results on my system. Did u do it in Shadow mode of Returnil?

 

I confirm that my latest ruleset ( v06202008 ) and v3.41 fails with getKeyboardState, GetRawInputData and ScreenShot2. Right now, i have no ideas on how to deal with the first two. I'll need to investigate but i doubt that something can be done with v3.41 due to some limitations. v4b2 should pass them.

Screenshot2 is another story and somewhat a pita to fix. Using my rules, if a real world malware put the files in Windows, System32 (~90% or even more of the malwares adopted patterns) or many other targeted folders, you're safe.

I presume that the only way to make sure that real mawares don't write screenshots in wacky places in your system drive or somewhere else is to globally monitor .jpg and/or other related pic extensions using the write file operation (prompt and block) in file protection settings a special way. Read operation (p&b) could be used too, btw. In fact, you need to whitelist all your installed photo editing softwares, explorer, IE, paint and probably others (allow read & write for .jpg, etc.) using the medium priority section (fps/application rules) followed by a group of rules similar to:

GroupName
Process= * (all actions to ignore & logs = no)
└->File = ?:\*.jpg + all other pic ext. (create file = prompt & block, log=yes & all others actions to ignore & log=no)

If i find something easier, i'll let you know.

 

Check EQS and see if yours uses (like mine) the 112 size driver. I do know it changed from 3.41 to 4.0 beta in size with improvements.

AKLT is stopped dead all except those pesty screenshots i'm still looking for the MS executable or registry entry to block it entirely.

If anyone finds it pls post your results.

I'm getting close though thanks to Google. I would prefer (if possible) just to toggle the Print Screen feature since it doesn't pose any near or immediate threat to me. But i would feel better knowing those last 2 tests are blocked entirely.

EASTER

 

Hi All

As the originator of this thread I have been literally enthralled at the commentary.

As a novice I would not expect to create impact, but when a number of Wilders worthy posters start getting differing results, apparently unnexplainable at the moment. Then, despite all the postulations about how good EQSecure is, with or without Alcyons Ruleset, one wonders just how good it is (EQSecure).

Just in case anyone gets the wrong idea, I criticise no one, this thread is helping me enormously in software evaluation.

Thank you and keep the commentary flowing for the benefit of all.

Terry

 

The Screenshot 2 uses the BitBlt function in library ..\system32\gdi32.dll to take the screenshot. I tried to stop AKLT.exe loading this library using EQS. I got a log entry stating that gdi32.dll had been blocked from loading but when I check with 'Whats Running', AKLT.exe has still loaded gdi32.dll. Therefore the screenshot is still taken.

This seems to mean that the EQS rule for blocking the loading of library gdi32.dll has been bypassed somehow.

When I block loading of all libraries, AKLT does not even start. I do not use the Load Library File protection normally. Perhaps I should.

Does Comodo or any other program pass the Screenshot 2 test? If it did, I would be interested to see the pop-up.

 

Defensewall vs Screenshot 2 test.



DefenseWall's Log.............