good antilogger?

Discussion in 'other anti-malware software' started by zagmarfish, Feb 27, 2017.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,742

    The other day I noticed a lot of svchost connections when I had the browser open and was not getting a Windows update. I did block svchost with a third-party FW while watching the connections. Even though svchost showed blocked, it kept trying new IP address connections. Then, while leaving it blocked, I tried to open some of my browsers, and they did all open, but without svchost allowed there was no internet connection.
    And so when you say svchost and the browser are not blocked, do you mean by Windows Firewall?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,562
    Location:
    The Netherlands
    Yes, or by a third-party firewall. You cannot block these processes from outbound access, at least not fully. That's why I always monitor svchost.exe for suspicious outbound connections. I do block explorer.exe from outbound access; for some reason it does sometimes try to connect out.

    Monitoring the browser is a lot harder of course, because you can't know which connections are legit or not. The only thing you can do is install anti-tracking extensions, but that does not stop the browser and extensions from spying on you. So it comes down to trust.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    3,565
    Location:
    U.S.A.
    DNS resolution is performed by svchost.exe.

    In Win 10, svchost.exe is used for everything "under the sun." Difficult if not impossible to monitor outbound connections from it.
     
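The monitoring itman and Rasheed187 describe is only practical if you can tell which service is behind a given svchost.exe connection. The following is an added example, not code from the thread or from any product mentioned in it: it joins the live TCP/UDP endpoint tables to the service-to-PID mapping so each svchost connection is reported with the service(s) hosted in that process, and flags remote ports outside the usual 53/80/443/123 set. The "expected" port list is an assumption for illustration; it assumes Windows 8 or later (NetTCPIP cmdlets) and an elevated prompt.

```powershell
# Added example (not from the thread): attribute live svchost.exe endpoints to
# the Windows service(s) hosted in each svchost process. Run elevated so that
# OwningProcess is populated for every process.

# Build PID -> hosted service names. Shared svchost processes host several
# services; on Windows 10 with enough RAM most services get their own process,
# which makes this attribution much more precise.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
    $svcByPid[$_.ProcessId] += $_.Name
}

$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object Id)

# TCP connections owned by any svchost.exe, minus listeners and loopback noise.
$tcp = Get-NetTCPConnection -OwningProcess $svchostPids -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and
                   $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
    ForEach-Object {
        [pscustomobject]@{
            Proto      = 'TCP'
            Pid        = $_.OwningProcess
            Services   = ($svcByPid[$_.OwningProcess] -join ',')
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State
        }
    }

# UDP endpoints (DNS from Dnscache, DHCP, NTP, ...) have no remote side in the
# endpoint table, so report the local port to make 53/67/68/123 usage visible.
$udp = Get-NetUDPEndpoint -OwningProcess $svchostPids -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Proto      = 'UDP'
            Pid        = $_.OwningProcess
            Services   = ($svcByPid[$_.OwningProcess] -join ',')
            RemoteAddr = '-'
            RemotePort = $_.LocalPort   # local port; UDP keeps no connection state
            State      = '-'
        }
    }

$all = @($tcp) + @($udp)
$all | Sort-Object Pid, Proto | Format-Table -AutoSize

# Assumed "expected" ports for a home machine. Anything else, or a svchost
# process hosting a service name you don't recognise, deserves a closer look.
$expectedPorts = 53, 67, 68, 80, 123, 443
$suspect = $all | Where-Object { $_.Proto -eq 'TCP' -and $_.RemotePort -notin $expectedPorts }
if ($suspect) {
    Write-Host "svchost TCP connections outside the expected port set:"
    $suspect | Format-Table -AutoSize
}
```

The same PID-to-service mapping is what `tasklist /svc` prints; the script just joins it to the endpoint tables so you do not have to cross-reference by hand. Because DNS is done by the Dnscache service inside svchost, a blanket block on svchost.exe (as in the first post) silently takes the browsers down with it, which this listing makes obvious.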
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,815
    Location:
    when i can counter-troll
    Only a few ports on svchost have to be allowed, so at least you will reduce the "unwanted" outbound connections.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,742
    Rasheed
    I use Adguard for the anti-tracking part. Not the extension but rather the paid desktop version.

    itman
    For sure. I was just goofing around because of too much time. I only blocked svchost.exe at the time.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,742
    Not to get too off topic, but take a look at my screenshot: a million Skype connections and I have never used Skype o_O
     


  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,326
  8. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,540
    By default Skypehost.exe is running in the background even if you don't use Skype. You can disable it:
     
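The post above says Skypehost.exe can be disabled but the steps did not survive extraction, so here is an added example (not the poster's method, not code from the thread) showing how to find out what is actually running and which Store package owns it, since the package name differs between Windows builds and, as boredog notes, an Office-bundled Skype is a different animal. Removal is left as a commented line so the script is safe to run as a check first.

```powershell
# Added example (not from the thread): locate a running SkypeHost.exe, resolve
# the Appx (Store) package that owns it, and show the removal command.
# Package names are resolved at runtime rather than hard-coded because they
# differ between Windows 10 builds.

$proc = Get-Process -Name SkypeHost -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) {
    Write-Host "SkypeHost.exe is not running right now."
    return
}

$exe = $proc.Path
Write-Host "SkypeHost.exe (PID $($proc.Id)) running from: $exe"

# Match the executable's location against the install locations of the
# packages registered for the current user.
$pkg = Get-AppxPackage | Where-Object {
    $_.InstallLocation -and
    $exe.StartsWith($_.InstallLocation, [System.StringComparison]::OrdinalIgnoreCase)
} | Select-Object -First 1

if ($pkg) {
    Write-Host "Owned by Store package: $($pkg.PackageFullName)"
    Write-Host "To remove it for this user (re-installable from the Store), run:"
    Write-Host "  Remove-AppxPackage -Package '$($pkg.PackageFullName)'"
    # Remove-AppxPackage -Package $pkg.PackageFullName
} else {
    Write-Host "Not a Store package (for example an Office/desktop Skype install);"
    Write-Host "use that product's own uninstaller instead."
}

# Stop the running instance either way so the connections go away now.
Stop-Process -Id $proc.Id -Force
Write-Host "Stopped PID $($proc.Id). Re-check your firewall's connection list."
```

If the process comes back at next logon even after the package is gone, whatever started it is not the Store app, which is the Office case boredog mentions.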
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,742
    Actually, today is the first time I saw its connections. Thanks, I will disable that bugger.
    I think this version came with Office that I got when I was still working, and so it might be different.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,065
    Location:
    Paris
    Rasheed- It is a simple concept and intuitively obvious. That's why I wonder why many feel comfortable using Windows Firewall (without any of the onerous tweaks) as WF at default has Zero Outbound protection.

    But again, I wonder at many things...
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,742
    CS, yes, Windows does have outbound control, but I chose to use third-party software to control it, unless you want to get deep into the Windows Firewall.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    3,608
    Location:
    Among the gum trees
    If you are worried about outbound connections doesn't that mean your machine is already compromised?

    If you can't trust the programs you install, then why install them?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    3,565
    Location:
    U.S.A.
    Yes, svchost.exe really only requires, for the most part, ports 53/67/68 UDP and 80/443 TCP for outbound connections. The problem is that allowing all services those connections is insecure. So multiple outbound svchost.exe firewall rules have to be created, one for each requesting service. And the user has to have the smarts to know what is a legit service versus a malware one.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,815
    Location:
    when i can counter-troll
    Because if you are a home user, using only your home network, being careful about what you allow on your system, and not letting RATs or keyloggers be active on your system, you won't need much "outbound control".

    Exact.

    Exact, not an easy task for beginners, sure. I just use WF with advanced settings (all outbound connections in all profiles blocked), then disabled a whole batch of rules, manually created some for my needed apps, etc.
     
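itman's point (one outbound rule per service hosted in svchost.exe, not one for svchost.exe as a whole) and Umbra's setup (WF with all outbound blocked in every profile, then hand-made rules for what is needed) are the same procedure. The script below is an added example, not either poster's configuration: it sets default-deny outbound, creates per-service svchost rules with the port list from the thread, and turns on drop logging so a missing rule shows up in the log instead of as silent breakage. Which services to allow is an assumption for illustration (Dnscache, Dhcp, W32Time, wuauserv, CryptSvc); the "disable the built-in rules" step is left commented because it also disables the Core Networking rules. Run elevated.

```powershell
# Added example (not from the thread): default-deny outbound in Windows Firewall
# plus per-service svchost.exe allow rules. The service list below is an
# assumed minimal set for a home machine; adjust it to what your box needs.

$svchost = "%SystemRoot%\System32\svchost.exe"
$group   = "Custom svchost outbound"   # tag so these rules are easy to list/remove later

# 1. Block everything outbound by default, in all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Optional, as Umbra describes: disable the built-in outbound allow rules so
#    only your own count. Review them first, because this also disables the
#    "Core Networking" rules (DHCP, ICMPv6, ...) that you may want to keep.
# Get-NetFirewallRule -Direction Outbound -Enabled True |
#     Where-Object { $_.Group -ne $group -and $_.DisplayGroup -ne 'Core Networking' } |
#     Disable-NetFirewallRule

# 3. One rule per service. -Service restricts the rule to traffic from that
#    service inside svchost.exe, which is what makes the rule narrower than
#    "svchost.exe may talk to port 443".
#    Note: the DHCP client sends FROM local 68 TO remote 67, so the remote
#    port to allow is 67.
$allow = @(
    @{ Service = 'Dnscache'; Proto = 'UDP'; Ports = 53;      Note = 'DNS client' },
    @{ Service = 'Dnscache'; Proto = 'TCP'; Ports = 53;      Note = 'DNS over TCP (large answers)' },
    @{ Service = 'Dhcp';     Proto = 'UDP'; Ports = 67;      Note = 'DHCP client' },
    @{ Service = 'W32Time';  Proto = 'UDP'; Ports = 123;     Note = 'time sync' },
    @{ Service = 'wuauserv'; Proto = 'TCP'; Ports = 80, 443; Note = 'Windows Update' },
    @{ Service = 'CryptSvc'; Proto = 'TCP'; Ports = 80, 443; Note = 'certificate/CRL fetch' }
)

foreach ($r in $allow) {
    $name = "svchost out: $($r.Service) $($r.Proto)/$($r.Ports -join ',')"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }  # idempotent
    New-NetFirewallRule -DisplayName $name -Group $group -Description $r.Note `
        -Direction Outbound -Action Allow -Profile Any `
        -Program $svchost -Service $r.Service `
        -Protocol $r.Proto -RemotePort $r.Ports | Out-Null
}

# 4. Log dropped packets so a service you forgot shows up in the log.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# Verify: print each rule with the service and port filter actually applied.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $svc = $_ | Get-NetFirewallServiceFilter
    $prt = $_ | Get-NetFirewallPortFilter
    "{0,-40} service={1,-9} {2}/{3}" -f $_.DisplayName, $svc.Service, $prt.Protocol, ($prt.RemotePort -join ',')
}
```

To undo everything the script did: `Get-NetFirewallRule -Group "Custom svchost outbound" | Remove-NetFirewallRule` and `Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow`. Keep in mind Rasheed187's caveat later in the thread: rules like these do nothing against malware that injects into an already-allowed process, which is a HIPS problem, not a firewall one.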
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,562
    Location:
    The Netherlands
    I don't see what's wrong with the Windows Firewall; like I said, you have to use a HIPS to protect against firewall bypassing methods. This means don't allow apps to inject code into network-enabled processes, and don't allow apps to install drivers for no good reason. BTW, is it possible for you to test SpyShelter against popular banking trojans?
     
  16. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    9
    Location:
    europe
    Oh my god, I forgot about this thread.

    Well thank you to everyone participating.
    I've been busy with something lately but I'll have a look at your answers asap.

    Thank you.
     
  17. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    964
    Location:
    USA, MICHIGAN
    Good luck, poster; most of the topics here are off-topic, not a whole lot of good information.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    3,565
    Location:
    U.S.A.
    It doesn't have any intrusion detection system(IDS), so you're not protected against any of the threats shown in the below screen shot. Nor does it have any botnet protection.
    Eset_IDS.png
     
  19. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    9
    Location:
    europe
    Yes indeed.
    I didn't think such a trivial question could generate so much debates and arguments. :argh:
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,815
    Location:
    when i can counter-troll
    Not its purpose anyway. WF is just a basic FW meant to block inbound connections only, and it is enough for most users. About botnets, it is not the job of a FW to protect against them. If you are part of a botnet, it means you are compromised by a RAT, so your security setup has failed already.

    If you need an IPS/IDS, then you have to add a third-party FW. I don't think MS will add those kinds of features to its FW (I wish they would ^^).
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,540
    Location:
    Poland - Cracow
    It reminds me of a similar question that appears on the forum from time to time: "if you want/need an (optional) anti-logger/HIPS/anti-exe... or whatever you mean... doesn't that mean your machine is already compromised/infected?" What is the sense of discussing if everything comes down to such a question?
    Should I be compromised if I want to control what wants to go out from my system? Why don't you consider that someone wants to reduce the amount of leaking data as well... why should I agree that some apps want to call and speak with their servers? May I have quite "clean" network traffic, or are you for the idea that everything could send/receive data without our knowledge or control?
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    3,608
    Location:
    Among the gum trees
    If you're worried about such things then I suggest you're using the wrong Operating System and / or have the wrong programs installed.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    3,608
    Location:
    Among the gum trees
    @ichito , Don't get me wrong, it's your machine. I use O&O Shutup10 to reduce Windows 10 telemetry but I'm not obsessed by it, if I was I wouldn't be using Windows. All that said, we're going a bit off topic now about @zagmarfish 's recommendation for a good anti-keylogger, no?
     
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,540
    Location:
    Poland - Cracow
    I think you are trying to ridicule my words... it's your matter, but looking at your security setup one month ago I think you felt more worried than happy.
    https://www.wilderssecurity.com/thr...etup-these-days.111264/page-1538#post-2651568
    Cheers.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    3,608
    Location:
    Among the gum trees
    Again, off topic. :rolleyes:

    I'm not in the slightest ridiculing you, and my set up is for the fun and enjoyment of security software, not for fear of infection.

    If you wish to continue this discussion feel free to send me a PM because I will not continue to take this thread any further off topic.

    Cheers.