Passing AKLT

Discussion in 'other anti-malware software' started by LoneWolf, Sep 11, 2007.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Last edited: Sep 11, 2007
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    GeSWall passes everything except the second screen capture test. GentleSecurity is aware of this, and they don't feel the method used in the second screen capture test is a security threat.

    edit

    SafeSpace beta (which I'm trialing) passed all except the DirectX test. The makers are aware of this fact, and they said the final release of SafeSpace would pass it.
    Last edited: Sep 11, 2007
  3. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Not "should": it already protects from all 5 methods if run untrusted. Just download it and check it out yourself!
  4. LoneWolf

    Hmmmmm. Then why am I getting these results?
    Am I doing something wrong?
    Screenshots of my results from AKLT.
    Run as untrusted.
    I don't get it, DW protects from this, right?
    The top left one is the first test; my mouse ran over the box and the description for the test changed. Same goes for the second one....

    The only one I see DW passing is the third AK test with DirectX.

    Attached Files:

    Last edited: Sep 12, 2007
  5. LoneWolf
    This is the second screen capture test.
    The first one failed too, captured.
    But too big to put in a screenshot.
    o_O o_O o_O

    Attached Files:

  6. Ilya Rabinovich
    Have you seen the notification window on both of those events?

    Sorry, what is captured?

    I have a feeling that something is wrong with the defensewall_serv.exe launch. Do standard (hook-based) keyloggers fail to get keystrokes?
  7. LoneWolf
    From DW?
    Just one alert from DW on the DirectX keylogger.
    First two tests it recorded my keystrokes (from pics in previous post).

    My screen. I took a pic of what was on my monitor at the time.

    Maybe something wrong with my copy of DW o_O
    I have 2.04 installed (trial).

    Should this be in my DW folder? I do not see it there.

    Is there a safe one I can test?
    Last edited: Sep 13, 2007
  8. Ilya Rabinovich
    In fact, 2.05 is the most recent. Try to check it out.

    No, it is in the %windows directory%\system32 folder.

    For example, with this one (methods 3 and 4):
    http://dl1.syssafety.com/download/keylogger.exe?pid=140
    I'll try to find a GUI-based one if you need it.
  9. LoneWolf
    Just tried to update to 2.05 through the program and got this message.
    Guess I'll try to uninstall and install the new 2.05.

    Attached Files:

    • DW.png (109.2 KB)
  10. Ilya Rabinovich
    I knew it!!!! Something is wrong with my service, that is why you had those horrible results!

    OK, download and install 2.05 right from my site. Then check the AKLT screenshot results. In case it is still leaky, mail me at support [at] softsphere [dot] com and I'll send you a service executable with debug output to a file. I really don't like the situation you have and I must understand why it happens.

    When installing 2.05, don't forget to switch off your security suite (at least its behavioral parts); it could interfere with the setup program.
  11. LoneWolf

    DW 2.04 uninstalled. Will install 2.05 now. :thumb:
    Thanks for the help. :D
     
  12. LoneWolf
    Still the same with 2.05 as it was with 2.04.

    Attached Files:

  13. LoneWolf
    Screenshot here failed again. :(
     

    Attached Files:

  14. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    721
    Location:
    Cumbria, England
    After trying this myself, on the first 2 tests the alarm notification box pops up as in LoneWolf's test.
    The same for the 3rd test, only it also opens my web browser and goes to the http://www.firewallleaktester.com web page.

    Tests 4 and 5 are passed OK.
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello LoneWolf,

    I decided to give this test a try. The first three tests (GetKeyState, GetAsyncKeyState and DirectX) triggered DefenseWall notifications as expected. After each and every attempted keylogging intrusion in the first three tests, I clicked the "terminate" option in the DW notification. The fourth test (Screenshot 1) launched mspaint.exe, which was empty. I don't know if this is considered a pass or a fail. The fifth test (Screenshot 2) supposedly created a screenshot .jpg of my desktop which was to be shown in my default web browser (Opera). After allowing my firewall (LnS) to let Opera display this .jpg, all I got was a blacked out window. I don't know if this is considered a pass or a fail. I am inclined to believe that it is a pass. Ilya, please confirm that I performed the tests correctly.


    Peace & Love,

    CogitoErgoSum
     
  16. Tony
    One other thing I would like to know.

    Should DefenseWall be disabled before downloading AKLT, and then re-enabled of course before testing AKLT?

    My reason for asking is that DefenseWall will run AKLT as untrusted if DW is enabled when downloading, therefore maybe giving a false result from the test, and if it is then run as trusted then DefenseWall fails all tests.
  17. Ilya Rabinovich
    Cogito, it is right; that is the way DW should protect you from screenshot hijacking. AKLT can't get any information from trusted windows and, thus, shows only a background. Just run AKLT as trusted and compare all the screen capture results with the AKLT untrusted ones.
  18. Tony
    Thanks Ilya, I have now performed another test running as untrusted.

    Tests 1, 2 and 3 all failed.
    The notification box popped up, I clicked terminate, but as you can see from my screenshots they all failed.

    Tests 4 and 5 both passed.

    Running as untrusted all 5 tests fail.

    Attached Files:

  19. CogitoErgoSum
    Hello Ilya,

    Thanks for the confirmation.


    Peace & Love,

    CogitoErgoSum
     
  20. CogitoErgoSum
    Hello LoneWolf,

    Before performing another test of AKLT against DefenseWall v2.05, please check that you have the dwall_service.dll installed which is located in c:\windows\system32. Maybe RegProt and/or WinPatrol Plus prevented the proper installation of DW?


    Peace & Love,

    CogitoErgoSum
     
  21. Ilya Rabinovich
    Tony, I know about this bug. I was not really accurate with the driver's improvement; the "Termination" button will work in the next version of DefenseWall.

    As for the "failed" tests: you see, I can't just block those keystroke input methods, as they are widely used by much legitimate software. For example, ICQ v5 is using GetActiveKeyState methods, QuickTime the same thing, and many games are using DirectX keylogging. I just can't simply block those methods out!
  22. Tony
    Thanks for the reply and explanation Ilya.

    Could I ask one more question? When the notification box pops up, it is only for a few seconds.
    If I don't click terminate, then does DefenseWall automatically terminate the application/process etc. as the notification box disappears?
  23. Ilya Rabinovich
    1. Not a "few seconds", but 15 seconds. It is described in the technical documentation.

    2. No, no automatic termination, as in this case DW thinks that it is a legitimate activity. One more time: it is just a notification window, shown when it is impossible to decide automatically whether this behavior is legitimate or not. Those activities are: GetKeyState, GetAsyncKeyState and DirectX keylogging, plus clipboard data access (this technique is used by all the download managers, which need to be set as untrusted). So, in this case I need to use an anomaly detection technique.
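Added example, not code from DefenseWall, AKLT or anyone in this thread: a small Python model of the trade-off Ilya describes in his last two posts. Polling APIs such as GetKeyState, GetAsyncKeyState and DirectInput are legitimate for games and IM clients, so a monitor cannot block them outright and can only score the usage pattern and raise a notification. The telemetry below is constructed, and the features (how many distinct keys a process polls, how much of its polling happens while it is not the foreground window, how fast each key is re-polled) and the thresholds are assumptions for illustration, not DefenseWall's actual rules.

```python
from dataclasses import dataclass, field


@dataclass
class PollEvent:
    """One observed keyboard-state poll (constructed telemetry, not a real capture)."""
    ts_ms: int        # timestamp in milliseconds
    pid: int          # calling process
    api: str          # "GetKeyState", "GetAsyncKeyState" or "DirectInput"
    vkey: int         # virtual-key code that was polled
    foreground: bool  # did the caller own the foreground window at the time?


@dataclass
class PollSummary:
    """Per-process aggregate of polling behaviour over the observation window."""
    pid: int
    first_ms: int
    last_ms: int = 0
    calls: int = 0
    background_calls: int = 0
    keys: set = field(default_factory=set)

    @property
    def span_ms(self) -> int:
        return max(self.last_ms - self.first_ms, 1)

    @property
    def per_key_rate_hz(self) -> float:
        # How often each individual key is re-polled: a sweep of the whole
        # keyboard at 200 Hz looks very different from a game reading WASD at 60 Hz.
        return self.calls / max(len(self.keys), 1) * 1000.0 / self.span_ms

    @property
    def background_fraction(self) -> float:
        return self.background_calls / self.calls if self.calls else 0.0


def summarize(events):
    """Fold a stream of PollEvents into one PollSummary per process."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts_ms):
        s = by_pid.get(ev.pid)
        if s is None:
            s = by_pid[ev.pid] = PollSummary(pid=ev.pid, first_ms=ev.ts_ms)
        s.calls += 1
        s.last_ms = ev.ts_ms
        s.keys.add(ev.vkey)
        if not ev.foreground:
            s.background_calls += 1
    return by_pid


# Assumed thresholds for this toy scorer (not DefenseWall's).
SWEEP_KEYS = 40          # polling this many distinct keys looks like a keyboard sweep
BACKGROUND_LIMIT = 0.5   # majority of polls made while not the foreground window
FAST_PER_KEY_HZ = 100.0  # each key re-polled faster than this
NOTIFY_SCORE = 2         # weighted score at which a notification is raised


def classify(summaries):
    """Return {pid: (verdict, reasons)}; 'notify' mirrors a notify-only response, never a block."""
    verdicts = {}
    for pid, s in summaries.items():
        findings = []
        if len(s.keys) >= SWEEP_KEYS:
            findings.append((2, f"polls {len(s.keys)} distinct keys"))
        if s.background_fraction > BACKGROUND_LIMIT:
            findings.append((1, f"{s.background_fraction:.0%} of polls while not foreground"))
        if s.per_key_rate_hz > FAST_PER_KEY_HZ:
            findings.append((1, f"{s.per_key_rate_hz:.0f} Hz per key"))
        score = sum(weight for weight, _ in findings)
        verdicts[pid] = ("notify" if score >= NOTIFY_SCORE else "ok",
                         [msg for _, msg in findings])
    return verdicts


def build_sample_events():
    """Constructed one-second telemetry for four hypothetical processes."""
    events = []
    wasd = [0x57, 0x41, 0x53, 0x44, 0x20]
    for frame in range(60):                 # pid 100: game in the foreground at 60 fps
        for vk in wasd:
            events.append(PollEvent(frame * 16, 100, "DirectInput", vk, True))
    for frame in range(60):                 # pid 101: same game, alt-tabbed away
        for vk in wasd:
            events.append(PollEvent(frame * 16, 101, "DirectInput", vk, False))
    for tick in range(10):                  # pid 300: IM client checking Shift/Ctrl on a timer
        for vk in (0x10, 0x11):
            events.append(PollEvent(tick * 100, 300, "GetKeyState", vk, True))
    for tick in range(200):                 # pid 200: sweeps every key every 5 ms from the background
        for vk in range(0x08, 0xFF):
            events.append(PollEvent(tick * 5, 200, "GetAsyncKeyState", vk, False))
    return events


if __name__ == "__main__":
    for pid, (verdict, reasons) in sorted(classify(summarize(build_sample_events())).items()):
        print(pid, verdict, "; ".join(reasons) or "nothing unusual")
```

Only the sweeping background process reaches the notify score; the alt-tabbed game scores one point for polling in the background, which is exactly the kind of single signal that cannot justify blocking on its own. Any real deployment would tune these features and weights against the software the user actually runs.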
     