PG 3.0 and Anti-keylogger 5.3

Discussion in 'ProcessGuard' started by Atomas31, Oct 2, 2004.

Thread Status:
Not open for further replies.
  1. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi,

I have a problem with PG 3.0 since I downloaded the new version of Anti-keylogger (5.3). The problem is that at every start up PG asks me what to do with a file called (15d0b36a-795a-b40c-a20febef3c30).exe (it is related to Anti-keylogger). So every time I put a tick in the box called "always perform this action" and press Permit, but for some reason PG doesn't seem to remember and asks me at every start up. So what is the problem and what can I do to resolve it?

    The application is Anti-Keylogger 5.3.

    Thank you,
    Atomas31
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Atomas, Could it be that this file is regularly updated by anti-keylogger by, say, a daily update? If so it is Process Guard's checksumming capability that is picking up the changed status, i.e. the new MD5 hash checksum. Or could it be a device within the program that changes the .exe as part of its own defence system?

    I would have thought that an email to their product support would be the quickest route for an answer.

    Just Guessing. Pilli.
     
  3. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
Also, make sure that the pop-ups you're getting feature exactly the same filename (I for one would have to note it down to be sure it's the same next time.)
    Then, it would be interesting to know how that filename appears in your PG's security list (i.e. what name, what path, what last action etc.)

    Andreas
     
  4. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Pilli and Andreas,

OK! This morning I checked which filename PG 3.0 was asking me about and it appears it is a different one. The files are located in: c:\documents and settings\(my full name).(my first name).000\Application Data\

    Any idea what it is? And yes, I suspect it is probably a way for Anti-keylogger to protect itself (kind of changing its starting key at every startup so it can be recognized at startup by a virus and then shut down; this is a supposition)! But is there a way I can tell PG to permit any files generated and associated with this program?

    Thank you for your help,
    Atomas31
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
Possibly it is a monitoring program, intended to monitor anti-keylogger's main program: when this latter one is attacked, the monitoring one can alert and restart it. (TrojanHunter's Guard once worked like that.) For it to work, it must take some measures to ensure that it's not being attacked simultaneously, and using a different name on each launch is one of the common attempts for this. Of course, this means you have on each session a "new" program launching, and will be asked to acknowledge and allow it every time.
    You should definitely consult your anti-keylogger's docs and maybe contact the developers to find out if that is the case, and if there's something more that this thingy is doing. If not, the most elegant way would be to simply disable that self-protection in the anti-keylogger. But again, it depends on your anti-keylogger and its developer whether or not this is possible.

    If that is not an option, you're in a bad situation - so first check it out and let's worry about alternatives only if necessary.

    Andreas
     
  6. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Andreas,

    Here's the reply from the support team of Anti-Keylogger :

    So my question is :
    Is there a way I can tell process guard to always allow files affiliate with Anti-keylogger to start at start up?

    Thank you for your help,
    Atomas31
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Atomas, Currently there is no way of turning this off, though this is being discussed at DCS.
    If you can switch it off in Anti-keylogger then I would do so, as Process Guard's protection is far stronger.

    HTH Pilli
     
  8. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Pilli,

I also think that Process Guard is protecting Anti-keylogger better than this new feature in Anti-Keylogger! But the problem is that the support team seems to tell me that this feature cannot be disabled. This is why I was wondering if there was a way to go around the problem with PG 3.0 beta 2?

    By the way, what is being discussed at DCS? If it is concerning security programs that have that kind of feature (run each time with a random name), what do you think would be the results of their discussions? Do you think they will come up with an answer to this problem?

    Thank you,
    Atomas31
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Atomas, Yes the idea, I think, would be to have a list of trusted apps that should not be scanned for checksumming though I have no idea how that would work :)

    EDIT: It was the protection list and install drivers /services that was being discussed sorry.

    Pilli
     
    Last edited: Oct 4, 2004
  10. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
Thanks Pilli, I think that would be a great idea to add a list of trusted apps that wouldn't be scanned for checksumming!!!

    Maybe you should add this to the wish list :)

    Atomas31
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Maybe I am missing something, but if you are going to run Process Guard why ever run an anti-keylogger program. Process Guard should protect you from that along with everything else it does.

Also, to me the idea of a protected list that is checksum scanned sounds like it could open some doors that aren't good.

    Let's say you set PG so it doesn't checksum scan. I as a malware author easily find out that the anti-Keylogger exe changes its key and PG would bother stopping it. SO...... what do I name my mischief making program? Yep, and now it is on your system and runs and bingo, no PG checksumming and it runs. Hmmm.
     
  12. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Peter2150,

The idea is not to disable checksum scanning for all products but only for specific products that have some protection of their own, protection that makes PG ask for permission every time we start them!

    Atomas31
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Peter, you are correct, it would create a weakness in the defence, and Process Guard does stop many keyloggers; any such tool would have to be very carefully used, so maybe as an advanced option for those that have the knowledge.

    In fact the more I think about it, the less I like the idea, but you could add something like that to the protection list, a sort of exclusion list, which I know you would like for cases such as AOL.

    I'll trust DCS on that one as I know their first consideration will be system security and that of Process Guard.

    Cheers. Pilli
     
  14. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
Nah.
    What app would you add to exclude from checksumming? You can't tell because it's a different name each time. It would be the other way round: you have a legitimate exe but you only know its checksum, not its name. Thus, you'd have to have a list of checksums, and when an unknown app starts its checksum has to be compared against this whitelist, and only if no match is found is the user asked to ack/deny. But to be honest, I don't think this is a feasible option, not so much for security issues that could be argued to arise (any app with a checksum coincidentally already on the list would be allowed, even if the checksum came from another app), but more so because of the resource usage and the additional complication.

    Although Pilli may have other insight into what's actually being discussed at DCS, I could imagine that another approach would be more attractive, possibly even more difficult to implement, but then providing additional ways of handling things: if PG were able to make its decisions based on which application is launching the "unknown" app. It would not only be interesting to know the "parent" of running processes, but it would also help in certain hard to decide cases. And, so I would assume, this would apply to your case as well, since there is probably a fixed something that is launching the "always new and unknown" copy of your keylogger. (Windows must have a fixed go-to-guy to start the whole thing.)

    As it stands, PG has no way of knowing if an unknown app is "affiliated" with a legitimate program. And you will have to either decline to use checksumming/execution protection (protection of programs against modification and termination would still be in place, except for that anti-keylogger thingy which you cannot include in your protection list, for it always has a different name), or you will have to continue acknowledging the launch of that thingy every time (select allow once in order not to clutter your security list).

    Both options are not so nice, but workable. Best would be if you could talk Anti-keylogger's developers into making this possible to disable, or hear what DCS can do about it and is willing to invest (in the short term) into further PG features. Or you can ask Anti-keylogger's developers to get in touch with DCS and suggest them a way of knowing the affiliation. (But then you'd probably still need DCS to add a new feature to PG.)

    HTH
    Andreas

    Edit: Missed a few postings from when I started writing this posting. I hope it does make sense as it is, nonetheless.
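To make concrete the three policies Andreas contrasts above (allowing by recorded name, a checksum whitelist, and deciding by the launching parent), here is an added Python model that is not part of the thread or of ProcessGuard. The image bytes, the second random filename, the main program's path and the "renamed copy dropped elsewhere" case are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEvent:
    path: str       # image path as the OS reports it at launch
    content: bytes  # image bytes (constructed stand-in for reading the file)
    parent: str     # image path of the process that requested the launch


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide_by_name(ev: LaunchEvent, allowed_paths: set) -> str:
    # What "always perform this action" records: the path seen last time.
    return "allow" if ev.path.lower() in {p.lower() for p in allowed_paths} else "ask"


def decide_by_hash(ev: LaunchEvent, allowed_hashes: set) -> str:
    # Checksum whitelist: the name is irrelevant, only the content counts.
    return "allow" if sha256(ev.content) in allowed_hashes else "ask"


def decide_by_parent(ev: LaunchEvent, trusted_parents: set) -> str:
    # Parent-based rule: trust launches requested by a known, fixed image.
    return "allow" if ev.parent.lower() in {p.lower() for p in trusted_parents} else "ask"


# Constructed sample data (hypothetical paths, not taken from any real install).
HELPER_IMAGE = b"MZ constructed helper image bytes, identical every session"
APPDATA = r"C:\Documents and Settings\user\Application Data"
MAIN_EXE = r"C:\Program Files\Anti-Keylogger\akl.exe"   # assumed parent path

session1 = LaunchEvent(APPDATA + r"\(15d0b36a-795a-b40c-a20febef3c30).exe", HELPER_IMAGE, MAIN_EXE)
session2 = LaunchEvent(APPDATA + r"\(0c4e21aa-constructed-second-name).exe", HELPER_IMAGE, MAIN_EXE)
# Caveat raised in the post: the same bytes under another name, started by something else.
renamed_copy = LaunchEvent(r"C:\Temp\update.exe", HELPER_IMAGE, r"C:\Temp\dropper.exe")


def simulate() -> dict:
    """Return each policy's verdicts for session1, session2 and the renamed copy."""
    events = (session1, session2, renamed_copy)
    name_list = {session1.path}            # only the first random name was ever recorded
    hash_list = {sha256(HELPER_IMAGE)}
    parents = {MAIN_EXE}
    return {
        "name": [decide_by_name(e, name_list) for e in events],
        "hash": [decide_by_hash(e, hash_list) for e in events],
        "parent": [decide_by_parent(e, parents) for e in events],
    }
```

The name policy re-prompts on every new random name, the hash policy silences the prompt but also waves through the renamed copy, and the parent policy distinguishes the two launch origins.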
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Yep, Andreas, it would be useless to have an exclusion list based on the checksumming given the protection system applied by the Anti-keylogger's developers.
    NIS and ZA have a way of disabling their guards which then allows PG to protect them and for them to run correctly under PG; Anti-keylogger could probably implement a similar switch.
    I imagine this type of name changing would also cause other sandbox type programs to hiccup as well with a request to allow the program to run.

BTW, it was the protection list, possible exclusions like "allow this x process to install one driver", that I was thinking of that DCS was discussing, not the security list; my fuddled brain again :)

    Pilli
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Hi Pilli

I have an interim fix for AOL on the services.exe needing to install services/drivers. I leave it unchecked, so if I forget, AOL gets blocked; I then go and check the box on services.exe, start the log on process, and then immediately uncheck the box. Works, and I am protected. High tech, eh?
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peter Neat :) Don't let those few extra keystrokes wear your digits out :D
     
  18. controler

    controler Guest

    Hi everyone

The newest version of Anti-Keylogger is 6.0 now. They have added back an options button with a few choices.

    Since DCS won't allow PG on more than one computer at a time, say your laptop and desktop, I am forced to use other software on my other computer. Since I have a lifetime licence for Anti-Keylogger, I will use it.
    I use that along with HackerEliminator's Process Guard, although I don't know all its protection uses. It does a good enough job for files, registry and processes.
    http://www.anti-keyloggers.com/

    I really like their Library at Anti-Keyloggers. Some great reading material.

    Bruce
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Controller, You can buy ProcessGuard unlimited home license for just $10 more i.e. $39.95. http://www.diamondcs.com.au/processguard/index.php?page=purchase
    ProcessGuard does not require regular definition updates to stop keyloggers like some other software. Not knocking anybody but personally I prefer it that way :)

    Cheers. Pilli
     