New keylogger tests from Zemana

Discussion in 'other anti-malware software' started by aigle, Aug 21, 2008.

Thread Status:
Not open for further replies.
  1. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Kaspersky virtual keyboard not intercepted by zemana keylogger (pic1) ;)
    Kaspersky passed ScreenLogger (pic2) ;)

    23.8.png

    screenshot.png
     
    Last edited: Aug 23, 2008
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    Zemana is in a so called "Forced whitelist", so even if you move it to Low/High restricted, PDM/HIPS will auto-allow suspicious actions for that application.
    Please check your Application Filtering/PDM reports for Zemana and you'll see that the keylogging method is intercepted (but not blocked due to forced whielist).
    If any other application used the keylogging technique utilized by Zemana, you'd receive a prompt where you could decide to Block/Allow. :)
     
  3. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    I see what you mean, thanks :), but what with "commercial" keyloggers? Are you tried some of those?
    keylogger.png
     
    Last edited: Aug 23, 2008
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    Only one, and keylogging was intercepted... :)
    But this is going off topic. ;)
     
  5. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    So this way malware can be whitelisted also?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    Hmmm...... u failed to undersatnd these tests. No use of testing signature based applications with these tests( except for some file heuristics testing).
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    So KAV intercepts all tests succesfully?
     
  9. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    no

    unless you will tweak "application filtering"
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    Ok, atleast it intercepts all when applications are marked as restricted. Am I true?

    No other HIPS is able to do so.
     
  11. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    low restricted....not high restricted or untrusted
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    That does not matter. After all it has the ability to intercept all activities. No other applications has this ability so far.
     
  13. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    I dont know which way to get to the page KIS Rule Applications to tweak security settings like you showed. Mine is running Kis2009 build454.
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    The developers are the ones creating the "forced whitelist", so no, I don't think malware will/can be whitelisted... ;)
    As I said:
    :)
     
  15. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    See pic:

    rights modification.png

    Ok, Umnik betatester on Kaspersky forum has successfully removed digital signature from zamana keylogger, now keylogger is placed in low restricted group and successfully tagged as keylogger by KAV/KIS (see pic:)

    Zemana keylogger.png

    No it can not intercept clipboard logging and I didnt test webcamlogger, I suggest you to try KIS 2009 it is very interesting application with innovative way in which HIPS functions...
     
    Last edited: Aug 24, 2008
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    When I tried Outpost, I could not get Outpost to pass the Keylogger test. Is it because I chose automatic rule creation when installing Outpost?
     
  17. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I tried testing the Webcam logger with KIS but every time I pressed the start button the application crashed..
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Just downloaded OA 177. It passes key, screen and web loggers quite smart. No crashes, no FPs and no logging. Popup appears right after you press "Start" button.
     

    Attached Files:

    • 7.gif
      7.gif
      File size:
      21.8 KB
      Views:
      782
    • 8.gif
      8.gif
      File size:
      22.1 KB
      Views:
      670
    • 9.gif
      9.gif
      File size:
      21.8 KB
      Views:
      668
  19. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi,

    thank you alex for info. I wonder when OA v3 will finish beta tests.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    That,s nice. :thumb:
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is an unresolved problem with MS. I do not understand the details, but to succesfully register FW and AV in Vista security center you need to have special agreement with MS and also there is something special about code signing which should be done using crosscertificates from MS which were not updated for a long time. For now this is the only showstopper as far as I understand.
     
    Last edited: Aug 29, 2008
  22. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Hi Einsturzende,
    I too don't see any such option in the rights section. I am running KIS 2009 buil 454 on Vista SP1 32-bit.

    KIS-rule.jpg

    --- EDIT ---

    I moved manually Zemana tests from Trusted to Low Restricted group. But still KIS 2009 failed in all tests. o_O
     
    Last edited: Aug 29, 2008
  23. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    Not all options are available on Vista, AFAIK.
    Moving the application to specific groups has no effect on keylogger detection, the PDM component is the one detecting the keyloggers (some types, hook installation is covered by HIPS), the only thing affecting whether the PDM will alert you is the "Do not notify..." option in the PDM settings (related to digitally signed apps)... and the "forced whitelist" thing. :)
     
  24. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Aaah.... Crap !! :( So will KIS 2009 MP1 fix this ?
    Ok, I didn't understand that fully !! o_O
    So are you saying that by changing PDM settings and the forced whitelist option/settings, I can make the test to fail ?
    If yes, could you guide me to where I can change this forced whitelist option and PDM notification. Thanks :thumb:
     
  25. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    792
    Dunno, it depends on whether MS will allow access to the Vista kernel/API... so, yeah, up to MS again :p :D
    You can instead try the Zemana keylog test without the digital signature, which KIS detects as a keylogger without any modifications to the settings (the "forced whitelst" is then bypassed: no digital signature, the .exe is changed=> not in the whitelist anymore).(you can find the modified Zemana keylogger in the Beta section of KL forums, I'm not sure if it's permitted to upload modified applications here... Einsturzende already showed the results a few posts above)
    The "forced whitelist" cannot be modified/altered AFAIK, that's why it's called "forced" :D
    The PDM option to notify you for suspicious behavior of digitally signed apps is in System security>PDM settings>uncheck "Do not notify about detection..." at the bottom.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.