Keylogger question

Discussion in 'ProcessGuard' started by Mart, Nov 30, 2004.

Thread Status:
Not open for further replies.
  1. Mart

    Mart Guest

    I have recently installed and purchased ProcessGuard 3.05. I'm also running F-Prot antivirus and ZoneAlarm Pro. Firefox is the browser. Because I have an online bank account and do quite a bit of online shopping, the nastiest thing I can imagine getting onto the computer is a keylogger. I'm pretty careful and may never get one but you never know...

    Am I protected enough against this threat using ProcessGuard and the other programs I have, or would I be well advised to get a dedicated keylogger detector in addition to them? I've been looking at Keylogger Killer and Security Task Manager. Would installing either of these be a case of overkill?

    With thanks

    Mart
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Process Guard will prevent almost any keylogger from being able to create the hooks it needs to obtain your keypresses while ZoneAlarm will alert you to any attempts by a keylogger trojan to send data over the Internet so I would suggest that you are quite well protected as long as you keep a careful eye over what they report.

    The only real keylogger threat that is not covered is that of a hardware keylogger - but someone would need physical access to your computer to install this. See the Internet Cafe Computer and Passwords, etc. thread for a more detailed discussion.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It would be wise NOT to use Internet Explorer, due to the amount of attacks it comes under and the risks. By default you can install BHOs - browser plugins to "improve" the browser. However, often these are spyware or bank keyloggers. If you do use IE, why not do what I do - set up the BHOs I know and trust, then disable BHO installations.

    Internet Explorer TOOLS > Internet Options > Advanced. Untick this option:

    "Allow third-party browser extensions"

    Already installed BHOs are still installed and working, but new ones cannot be added without you specifically turning this option on before installing them. It's a bit of a hassle, but considering the number of malicious BHOs, it's worth it :)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Another way to help keep nasties out of IE is a couple of utilities. One is the free BHODemon, which keeps track of the Browser Helper Objects and sounds an alert if anything relating to them changes. Another utility, not free but inexpensive, is PopupCop by Edensoft. Aside from popups, it blocks ActiveX stuff unless you allow it, blocks scripts, and also makes it easy to get out of some of the trap loops in some websites. I use IE exclusively and with these utilities and F-Prot realtime scanning I've never had a problem.
     
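    The two posts above describe the same two controls: Gavin's "turn off third-party browser extensions" switch, and the BHODemon idea of watching the BHO list for changes. The script below is an added example (not code from either poster, nor from DiamondCS or BHODemon) that does both from PowerShell: it enumerates the registered BHOs with the DLL each one resolves to and its Authenticode status, compares them against a saved baseline, and writes the registry value behind the "Allow third-party browser extensions" checkbox. The baseline path `C:\bho-baseline.json` is an assumption chosen for the example; the registry keys are the standard BHO and IE locations on 32-bit and 64-bit Windows.

```powershell
# Added example: audit Browser Helper Objects and disable third-party extensions in IE.
# Assumptions: run as the interactive user whose IE settings you want to change;
# $baselinePath is a hypothetical location picked for this example.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # A BHO is only a CLSID; the DLL that IE will actually load is the
            # InprocServer32 default value of that CLSID, so resolve and audit that.
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            $dll = [Environment]::ExpandEnvironmentVariables("$dll")
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Signature = "$sig" }
        }
    }
}

# --- BHODemon-style change detection: first run saves a baseline, later runs diff it.
$baselinePath = 'C:\bho-baseline.json'   # hypothetical path for this example
$current = @(Get-RegisteredBho)

if (-not (Test-Path $baselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content $baselinePath
    Write-Host "Baseline written with $($current.Count) BHO(s)."
    $current | Format-Table -AutoSize
} else {
    $baseline = @(Get-Content $baselinePath -Raw | ConvertFrom-Json)
    foreach ($b in $current) {
        if ($b.Clsid -notin $baseline.Clsid) {
            Write-Warning "NEW BHO: $($b.Clsid) -> $($b.Dll) (signature: $($b.Signature))"
        } elseif (($baseline | Where-Object Clsid -eq $b.Clsid).Dll -ne $b.Dll) {
            # Same CLSID but a different DLL is the quieter way to hijack an existing BHO.
            Write-Warning "CHANGED BHO: $($b.Clsid) now loads $($b.Dll)"
        }
    }
    foreach ($old in $baseline) {
        if ($old.Clsid -notin $current.Clsid) { Write-Host "Removed BHO: $($old.Clsid)" }
    }
}

# --- Gavin's setting: Tools > Internet Options > Advanced > "Allow third-party
# browser extensions" is stored as a REG_SZ "yes"/"no" under HKCU. Existing BHOs
# stay registered; IE simply stops loading third-party extensions on its next start.
$mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (-not (Test-Path $mainKey)) { New-Item $mainKey -Force | Out-Null }
Set-ItemProperty -Path $mainKey -Name 'Enable Browser Extensions' -Value 'no' -Type String
Write-Host ('Enable Browser Extensions = ' + (Get-ItemProperty $mainKey).'Enable Browser Extensions')
```

    Run it once to record the baseline, then again after any install to see what changed. The DLL-path comparison matters more than the CLSID list alone: a "known good" CLSID pointing at a new DLL in a temp directory is exactly the case Gavin is warning about. The extensions switch is per-user (HKCU), so repeat it for each account that uses IE.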
  5. Mart

    Mart Guest

    Thanks everyone. I don't use Internet Explorer. I've been a Firefox convert since version 0.4. IE only gets used occasionally for pages that won't display properly in Firefox. I have got Spybot's SD Helper active in Internet Explorer for those rare pages, so I hope that protects me?

    Can ProcessGuard protect a user against saying 'OK to run' in the case of a keylogger? I've heard of a program called PCAudit, a keylogging test that attempts to bypass firewalls posing as a legitimate program. A user might mistakenly give firewall access permissions to a trojan such as PCAudit simulates. Would ProcessGuard say 'Sorry mate, too dangerous to run this' (or words to that effect) and stop it dead?

    I hope that with care I'd never get such a trojan. You actually have to install the test on purpose and let it try to do its stuff. I'd be a bit worried about doing that anyway if it's going to try and get info out past the firewall.
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Mart,
    that's the good thing about PG. It is two protection layers in itself.
    First, it will ask for your confirmation to allow "justdownloaded.exe" to run. But even if you allow that, justdownloaded will not be allowed to install global hooks, drivers or services etc. unless you explicitly configure ProcessGuard to allow that. (But you will not get a message "too dangerous to be allowed to run", justdownloaded.exe will just fail to perform these actions. And you can see in PG's log what has happened.)
    I am not a keylogger expert, so I'm not perfectly sure if these protection aspects (modification/injection of your running higher-privileged software, hooks/services/drivers installs) cover all the bases a keylogger might use as an attack vector, but what is covered is covered for good.

    HTH,
    Andreas
     
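    Andreas1's point is that ProcessGuard lets a downloaded executable run but denies it the global hook, driver or service install it needs, and that the attempt shows up in PG's log. For a machine without PG, or to audit what did get through, the script below is an added example (not code from the thread or from DiamondCS) that pulls the same class of event from Windows itself: the System log's Service Control Manager event 7045, "A service was installed in the system", which is written for every new user-mode service and kernel-mode driver. It assumes Windows Vista or later, where `Get-WinEvent` exists (the thread's Windows XP does not have it), and resolves each image path to its on-disk file and Authenticode status.

```powershell
# Added example: list services and kernel drivers installed in the last N days
# from Service Control Manager event 7045, with the image's signature status.
# Assumption: Windows Vista+ (Get-WinEvent); run elevated to read the System log fully.

function Get-RecentServiceInstall {
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # The structured fields live in the event XML: ServiceName, ImagePath,
        # ServiceType ("kernel mode driver" / "user mode service"), StartType, AccountName.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # ImagePath may carry a \??\ prefix, quotes or arguments; reduce it to the file.
        $img = "$($d['ImagePath'])" -replace '^\\\?\?\\', ''
        if ($img -match '^"([^"]+)"') { $img = $Matches[1] }
        elseif ($img -match '^(\S+\.(exe|sys|dll))') { $img = $Matches[1] }
        if ($img -and -not [IO.Path]::IsPathRooted($img)) {
            # Drivers are often registered as "system32\drivers\x.sys", relative to the Windows dir.
            $img = Join-Path $env:SystemRoot $img
        }
        $img = [Environment]::ExpandEnvironmentVariables($img)

        $sig = if ($img -and (Test-Path $img)) { (Get-AuthenticodeSignature $img).Status } else { 'FileMissing' }

        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Name      = $d['ServiceName']
            Type      = $d['ServiceType']
            Start     = $d['StartType']
            Image     = $img
            Signature = "$sig"
            By        = $d['AccountName']
        }
    }
}

# Usage: anything unsigned, missing from disk, or a kernel driver you do not recognise
# deserves the same suspicion PG would have applied before letting it install.
Get-RecentServiceInstall -Days 30 |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Type -match 'kernel' } |
    Sort-Object Time -Descending |
    Format-Table Time, Name, Type, Start, Signature, Image -AutoSize
```

    This only sees installs that went through the Service Control Manager, which is the path PG's driver/service rule covers; a user-mode global hook (`SetWindowsHookEx`) leaves no 7045 entry, so that part of Andreas1's list still needs a hook blocker such as PG or a hook detector such as the Keylogger Killer mentioned later in the thread.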
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Of course. Very smart. It's hard to believe that despite repeated warnings from nearly everyone who is anyone in computing, including CERT(!), there are actually regulars on this security site(!!!!) who still use IE as posts above show. What will it take? There are certain things about IE's browser engine that make it vulnerable in and of itself. No amount of security tools can make IE as safe as Firefox without a single security tool running!
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Unfortunately there are some programs that use IE as an integral part of their structure. One example is Intuit's QuickBooks. Won't run without IE. Since I can't/won't give up QuickBooks, I use IE and lock it down. Had some nasties try, but so far they haven't got past the defenses.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    As far as I understand, products such as Keylogger Killer will warn you that programs are using Global Hooks (some programs such as Quicken require global hooks) but will not actually prevent a program from acquiring these hooks. PG is better in that it will proactively prevent the hooks from being acquired unless permission is granted. This is one of the reasons I installed a licensed (as opposed to the free) copy of PG 3.0.

    Rich
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Me too Rich, the exact same reason. ProcessGuard is just a good tool, plain and simple.

     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The major danger in IE is allowing SCRIPTS to run, which I will never do. Every vulnerability I can think of that can be used by a site needs scripting to work. Some sites require scripting and these undergo a close examination before even thinking of allowing Firefox to run said script ;) It's easy in most cases: load the site without scripting, then view the source. VBScript and JavaScript are viewable, or downloadable in the case of .js.

    IE should only really get the go ahead on trusted sites. If you disable scripting and ActiveX, you can secure IE a lot better than you might think :)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd agree with this but with one caveat. Disabling active content with IE can only be done via security zone settings and there have been exploits that bypassed these (see Microsoft Internet Explorer Security Zone and Internet Explorer Security Zone Bypass and Address Bar Spoofing Vulnerability for examples). As such, using third party software (like a firewall or web filter) to disable scripting should be considered for those choosing to use IE. However most of these cannot filter HTTPS sites - only Proxomitron appears to be able to do this as detailed in The dangers of HTTPS thread.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You can do a lot more to secure I.E. than some people seem to think. I use it exclusively and I have not been infected yet - despite visiting some pretty dodgy sites! Reconfiguring the settings on the Advanced tab helps, so too does a FW, like ZAP, with restrictions on scripting. Another thing I do is I have maximum safety settings on ALL Web Zones (including the 'Safe' Zone), that gets over some of what is referred to above. When I'm at sites I'm comfortable with, I put the Internet Zone settings to default and allow cookies - but only if it is necessary for these sites to display properly.

    What is the point of investing good money in things like PG and your AV, AT etc, if there is going to be no risk at all? All browsers carry some risk, but I'm content to use I.E. until I come a cropper - but even then, if PG saves my bacon it might not matter so much anyway!
     
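    Gavin (disable scripting and ActiveX in IE), Paranoid2000 (the zone settings are the only place to do that, and there have been zone-bypass bugs) and TopperID (maximum settings on every zone, then relax one zone for sites you trust) are all describing the same registry keys. The script below is an added example, not code from any of the posters or from Microsoft, that applies that policy from PowerShell: it sets the scripting and ActiveX actions to Disable in every zone from Local intranet to Restricted sites, places one hostname in the Trusted sites zone, and gives that zone scripting back while leaving ActiveX off. The zone numbers and action IDs are Microsoft's documented values for the `Internet Settings\Zones` key; the hostname `bank.example` is a hypothetical domain for the example.

```powershell
# Added example: lock down IE security zones via the registry, then re-allow
# scripting for one trusted site. Assumption: run as the user whose IE is being
# configured (the settings are under HKCU); 'bank.example' is a placeholder host.

$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneName = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Action IDs as they appear in the Zones\<n> key; value 0 = Enable, 1 = Prompt, 3 = Disable.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
}
$Enable = 0; $Prompt = 1; $Disable = 3

function Set-ZoneAction([int]$Zone, [string]$Action, [int]$Value) {
    $k = Join-Path $zonesKey $Zone
    if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name $Action -Value $Value -Type DWord
}

function Show-ZoneActions([int]$Zone) {
    $p = Get-ItemProperty (Join-Path $zonesKey $Zone) -ErrorAction SilentlyContinue
    "--- Zone $Zone ($($zoneName[$Zone]))"
    foreach ($a in $actions.Keys) {
        $v = if ($p) { $p.$a } else { $null }
        $state = switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unset($v)" } }
        '  {0,-62} {1}' -f $actions[$a], $state
    }
}

# TopperID's approach: maximum safety in every zone, including the ones that are
# normally trusted. Zone 0 (Local Machine) is left alone; changing it breaks local HTML help.
foreach ($z in 1..4) {
    foreach ($a in $actions.Keys) { Set-ZoneAction $z $a $Disable }
}

# Put one site in Trusted sites (zone 2). The ZoneMap entry is per protocol, so
# only https:// for that host lands in the zone; plain http:// stays in Internet.
$site = 'bank.example'   # hypothetical host for this example
$dom  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$site"
New-Item $dom -Force | Out-Null
Set-ItemProperty -Path $dom -Name 'https' -Value 2 -Type DWord

# Trusted sites gets scripting back (Gavin's "close examination" having been done);
# ActiveX stays disabled there because a script-only site has no reason to need it.
Set-ZoneAction 2 '1400' $Enable

Show-ZoneActions 3
Show-ZoneActions 2
```

    Paranoid2000's caveat applies unchanged: these values are the same ones the Internet Options dialog writes, so any exploit that gets a page evaluated in the wrong zone walks straight past them. Treat the zone table as the first filter and keep something outside IE (PG for the hook, firewall for the outbound connection, a filtering proxy for the script) behind it.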
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    I agree that IE can really be made pretty safe. I have scripting and ActiveX turned on, but I also have an excellent watchdog sniffing for unwanted applications of them.

    Pete
     