MRG Effitas Antilogger & Browser Security Test

Discussion in 'other anti-malware software' started by Scoobs72, Aug 19, 2011.

Thread Status:
Not open for further replies.
  1. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Hi Page.

    Keyscrambler is marketed as a product which secures the browser and protects users against financial malware (they specifically state this – see here for example http://www.qfxsoftware.com/press.htm) and as such it is valid to include them in the test.

    They state on their homepage “75% of malicious code infections have keystroke logging (keylogging) capability….. That's why you need KeyScrambler, to stay one step ahead of the bad guys.” – If they are not talking about financial malware here, what are they talking about?

    Regards,
    Sveta
     
    Last edited: Aug 24, 2011
  2. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Thanks raiden that helped.

    MRG doesn't provide MD5s and does not share testing tools with the vendors. If I remember correctly they are not even a certified testing organization, so I wouldn't stress myself over their results. Just my two cents :D :argh:
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I didn't see that info written anywhere, so you must have info from the tester?
    Also, the way I see it, the MRG Crimeware Simulator must be downloaded to the desktop and then executed, and if KeyScrambler isn't going to step up, then Sandboxie will not let it run and/or a HIPS will light up. I understand that the simulator must be installed and executed in order to conduct the test, but all I'm saying is that on some systems, it wouldn't even get that far.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hi Sveta

    That makes sense to me, definitely.
    But I was responding to a poster who said KS failed obviously because it is not written to protect against this type of malware. In other words, I wanted to know what was so obvious about it.
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I totally agree! An x64 banking test would be very nice! Most of the Win 7 users are on x64 (90%?), so I don't understand why MRG would conduct tests on a 32-bit version of Windows 7. It makes no sense.
     
  6. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    This is 100% incorrect; I believe there are at least 5-6 vendor representatives on these forums that can verify that we DO share samples with them.

    Also, about certifications: we invented this type of testing, so how can somebody else certify us for something we started?

    AMTSO, for example, prohibits the creation of malware or simulators – which would not go down well with banks etc. who want us to test their security in a way that models how real criminals attack.

    If you are concerned about our credibility, you will be able to see a dedicated TV program featuring our work; it's made by one of the biggest TV networks in the world.

    Regards,
    Sveta
     
    Last edited: Aug 24, 2011
  7. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I am not sure which vendors you are talking about, but the samples are not shared with SpyShelter, which is included in your tests. :doubt:
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    There is merit to their stand, as I suppose there is some value in your coding (in that it is possible to help plug some holes that others have yet to discover). I hope your statement to test or model like real criminals is a mere figure of speech / marketing talk.
     
  9. Sveta MRG

    Sveta MRG Registered Member

    Joined:
    Aug 16, 2009
    Posts:
    209
    Exactly right, Cudni. After all, we are here to help vendors, banks, organizations etc. to improve their security; to do this we need to perform "tomorrow's" tests today.

    Regards,
    Sveta
     
  10. guest

    guest Guest

    1) This is how Zeus and modern banking malware work, and this simulator tries to do the same.

    2) Sandboxie is bypassed by this simulator and by modern banking malware; this is why it is not tested. Maybe Sveta can explain why.
    SS is a HIPS, one of the best, and it has failed.
    It seems that somehow the simulator avoids the execution control programs.
    But Sveta can answer all this much better.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I haven't read the test results yet, but where is it shown - whatever the source - that Sandboxie has been bypassed by this simulator or ZeuS, SpyEye, etc?

    A) Unless there's some bug in Sandboxie, that someone is aware of, or unintentionally bypassed, then Start/Run and Internet Access restrictions should take care of it.

    B) The other possibility would be for this keylogger to be placed inside the browser's own process, via an exploit exploiting a bug in the browser or in a plugin. This would mean that the keylogger would never touch the hard disk, which in turn Sandboxie couldn't do anything about.

    Otherwise, I don't see how Sandboxie would be bypassed.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  13. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Defensewall passed :) thanks for testing:thumb:
     
  15. guest

    guest Guest

    I found the source about Sandboxie where it's supposed that it will be bypassed. I hope that Sveta can provide us some technical details.

    http://forums.malwareresearchgroup.com/viewtopic.php?f=29&t=582&p=2130&hilit=sandboxie#p2130

     
  16. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I think there is a large gulf or chasm between "it's supposed that it will be bypassed" and "the author does not present it as a solution against FM."

    No disrespect intended but no conclusion can be drawn from this whatsoever in the absence of testing.

    There are lots of potential threats that the author of Sandboxie states it was not designed for and which it still is very effective protection against (especially when one is familiar with the various settings and restrictions).
     
  17. guest

    guest Guest

    If the simulator is launched outside the sandbox, or even inside it if there are no restrictions, and is able to capture the Internet traffic, how is Sandboxie going to avoid that? Does Sandboxie also protect the traffic?

    From the Sandboxie developer:

    ssj100
    You can read all the details here: http://www.sandboxie.com/phpbb/viewtopic.php?t=7764&sid=03b28859a64b91ce0f5bb9e2c1ea9b86
     
    Last edited by a moderator: Aug 24, 2011
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Can you possibly give more info about this? Which channel etc.? Thanks.
     
  19. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thanks for the additional info (which I hadn't previously seen), guest. :thumb:

    As I suspected, Sandboxie will pass if one takes advantage of its various (and pretty straightforward) configuration settings. I understand that in its "default" mode it may not pass.

    My only concern is that it would pass if properly configured and now I feel confident that it will do so (as I have my sandboxes set up to be quite restrictive).

    Again, I appreciate your pointing me to the other threads.
     
  20. guest

    guest Guest

    You are welcome. Anyway, take into account that if the malware runs outside Sandboxie, or if the computer is already infected, there is nothing to do to avoid it.
     
  21. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Yes that's understood, of course. :thumb:
     
  22. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Kudos to Trusteer and Quaresso, who silently blocked the bad stuff.
    They are also available for 32/64 bits.

    I think those two are the only ones from the bunch who passed the tests that are also 64-bit compatible. :thumb:

    Thanks for the test, Sveta! :)
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I never really understood this default fetish thing. If we really want default, then by all means don't test any security solutions besides Windows Defender and UAC, considering the operating system where the tests are performed is Windows 7 Ultimate Service Pack 1 32 bit.

    From the moment we install security software, that is not part of the operating system, in my book we're no longer on default mode, but rather on fine tuning mode.

    The way I see it, tests should be performed by applying the most effective settings, and then see which security software is more effective and better protects the users, and preferably silent.

    Shouldn't tests be conducted that way? So that users can know which solution will protect them in a more effective and silent way?

    If we really want this default thing, then shouldn't Trusteer Rapport be out of the test? I believe I've read* that it only protects the website of the bank, by default. If the bank is a partner, that is.

    * https://www.wilderssecurity.com/showpost.php?&p=1896466&postcount=39

    In the MRG Effitas Antilogger & Browser Security Test, it appears that the PayPal website was the one picked to test this.

    Is PayPal protected by default? Or does Trusteer protect regardless of the website being added? Or do new versions have more websites protected by default?

    Thanks
     
  24. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    PayPal is one of the over 100 sites that are protected by default.
    You can manually add any https site to your list.
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    In an ideal world I'd agree, but most software comes with its settings at the default level, and the average Joe is going to, in most cases, leave it at that. Perhaps there should be two sets of tests, one using default settings and the other at the maximum level possible.
     