Prevx vs new SpyShelter TestTool

Discussion in 'Prevx Releases' started by shadek, Sep 29, 2010.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I just tested the new keylogger from SpyShelter. Prevx detected it as malicious of course! :thumb: However, this post is about 'being' infected and how much Prevx protects me against the new generation of malware.

    I allowed it (once) and ran it hoping Prevx would also protect me even if "infected". I go to my bank (HTTPS setting at max), enter a random ID, and boom! All was registered in the keylogger. They could easily steal my information if the keylogger actually was malware.

    Furthermore, even though the settings are at max, the SpyShelter application could take screenshots from my bank page (https). It could also access my clipboard data in the https-protected environment. My system has been totally compromised. Prevx SO has become a sitting duck with this on my computer. I am very curious how they bypassed all of Prevx' areas of protection. Was it that I allowed it to run once (?) or actually a legit new way to gather my data?

    Just letting you guys know there is a really nasty piece of new generation key logger out. Hope Prevx will answer to these new threat-techniques soon as we can expect them to occur in the wild sooner or later! I'll provide screenshot for proof. The SpyShelter Security TestTool can be downloaded at their site.
     


    Last edited: Sep 29, 2010
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I guess the reason is, You Allowed it !

    Not really, due to the above.
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I tried it.... I let it RUN!!! Prevx Passed all tests except all the System Protection and Screenshot tests.

    Keylog (Passed)
    Webcam (Passed)
    Clipboard (Passed)
    SYSTEM PROTECTION test (All tests failed)
    Screenshot tests (All tests failed but...)


    You had to make Spyshelter TestTool the main window to click the screenshot button... thus Prevx does not intercept screenshots since you have to make the browser the main window for Prevx to block the screenshot. :)
     
    Last edited: Sep 29, 2010
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    CloneRanger, I allowed it once, only. I can see why the printscreen protection did not work since Firefox wasn't highlighted when it was made by the TestTool... but the keylogger really got through the defense. Good thing is that the TestTool was detected naturally. So it's not like I was in danger... but I can't help myself from thinking _what if_?
     
    Last edited: Sep 29, 2010
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    What version of SafeOnline are you running? :doubt:
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Latest RC 3.0.5.206.
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I tried it.... I let it RUN!!! Prevx Passed all tests except all the System Protection and Screenshot tests.


    Prevx SafeOnline latest stable build. v.3.0.5.199 Settings: MAXIMUM
    TestTool: Running as Admin
    Browsers: Running as Admin

    Prevx Detected the tool (but I let it run and infect me)

    Browser: Opera
    • Keylog (Passed)
    • Webcam (N/A) (I don't have a webcam LOL)
    • Clipboard (Passed)
    • SYSTEM PROTECTION test (All tests failed)
    • Screenshot tests (All tests failed but...)


    Browser: Internet Explorer
    • Keylog (Failed)
    • Webcam (N/A) (I don't have a webcam LOL)
    • Clipboard (Passed)
    • SYSTEM PROTECTION test (All tests failed)
    • Screenshot tests (All tests failed but...)

    Browser: SRWare Iron
    • Keylog (Failed)
    • Webcam (N/A) (I don't have a webcam LOL)
    • Clipboard (Passed)
    • SYSTEM PROTECTION test (All tests failed)
    • Screenshot tests (All tests failed but...)

    You had to make Spyshelter TestTool the main window to click the screenshot button... thus Prevx does not intercept screenshots since you have to make the browser the main window for Prevx to block the screenshot. (not really a fail for me but still. as long as it can take screenshot even a tiny corner of my browser I consider it a fail)

     
    Last edited: Sep 29, 2010
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah, it seems browser dependent. I'm using Firefox and Prevx fails to protect me. Some browsers are more vulnerable than others it seems; which makes me wonder, what browser to use to get maximum protection from Prevx?
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    looks like Prevx works best under Opera no? :D
     
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    The more I read, the more I realize that the 'allow once' option used can't be the culprit behind this, as different browsers are affected in different ways. Some browsers are left vulnerable to the TestTool while others are not. I hope Joe comes riding in and saying it's due to the users' allowance, but I doubt it.
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    btw I'm using latest stable build. v.3.0.5.199
     
  12. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I can't test the stable version as one of my games crashes then. .206 works a lot better for me. :)
     
    Last edited: Sep 29, 2010
  13. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    I have Prevx Sol, max settings. Do I need KeyScrambler?

    Does Prevx encrypt keystrokes on sites www, http, etc?
     
  14. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Normally, Prevx SO is enough for protecting you on the web. It has provided an excellent protection against keyloggers so far. This is the first time I've actually experienced Prevx not preventing keylogging. SpyShelter claims they have a new way of recording the key strokes, so I think that must be it. However, we need more information from Joe before we make any conclusions of whether or not Prevx has finally been beaten by a keylogging tool. It could very well be that I clicked 'allow once' that leaves me unprotected. I am very sure Prevx will look into this and _IF_ there's a problem, they'll add protection as soon as they can.

    But most importantly, Prevx _does_ detect the TestTool as malware, so no errors there! The keylogger only has a chance to record my strokes because I let it! I did it to test the protection of Prevx SO when being infected. And that's where things become weird, as you're standing with your trousers down and find out you're not as protected as you thought you were. :) But Joe will enlighten us as soon as his day at work begins. :)
     
    Last edited: Sep 29, 2010
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    Quite a few posts here so I'll try to clear up everything :)

    - SafeOnline will fully protect against SpyShelter tests including the screen grabber tests (except for the system protection) provided you are on Maximum protection
    - Different browsers shouldn't be affected as protection is applied beneath the browser itself. However some keyboards/languages could potentially cause protection to function differently and also it's possible that other security software can cause incompatibilities that require SafeOnline to somewhat "step out of the way" in certain cases
    - Protection is primarily applied when the browser tab is "green" so you'll either have to be under a pre-configured domain or a licensed SafeOnline with an HTTPS website
    - Not all keys are always protected (this is because of incompatibilities with foreign keys - you'll want to try alphabetic keys to really test the protection properly)
    - Because of PatchGuard, some protection (screen grabber/clipboard grabber) cannot be loaded on x64 (and if any product says it can, it is lying to you :))
    - Clicking 'Allow' will let it through quite a few areas of the Prevx protection as it then defines it as trusted within the local database

    Hope that answers the questions - let me know if this clarifies anything. I've tested SpyShelter's leaktest again and we do indeed block each of the tests except for the sound grabbing (?) and system "protection" as only an overly annoying HIPS would find the system protection :)
     
  16. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'm having problems on my end and I'm a bit confused. It does not explain why it does not pass the tests for me and a few others. Why? I'm very curious. I assume you had to 'Allow once' as well like me and Konata Izumi and we can't get Prevx to pass the tests. Is there any way I can verify that 'SafeOnline' protects me when testing SpyShelter's test? __I disabled Prevx and started the SS-test and then enabled Prevx again. Thus avoiding trusting the SS-test__ (!!), and I get the same result as before. I'm not protected against this keylogger, at least not by the looks of it.
     


    Last edited: Sep 29, 2010
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The keylogger results that you're seeing are unusual - could you let me know what language your keyboard is in and if you have any other security software installed? I mentioned it in the previous post but SafeOnline has to use different keyboard protection for some languages which could possibly explain some of the issues.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Edit - one note: where did you type the test text into? SafeOnline will only protect keystrokes entered into the browser itself.
     
  19. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'm typing it into Firefox. I'm currently using Swedish layout on my keyboard. I have no other security software installed (there goes my policy against revealing my entire security setup :p). I'll provide another screenshot where you can see all 'evidence'. :) Note that I did the whole procedure again when starting the application so it's not set to 'Trust Always' or 'Trust Once'. I also restarted Firefox in order to let SafeOnline module start fresh and updated before testing.
     


  20. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Zemana could block all tests in the SpyShelter tool
     
  21. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Please stay on topic. This has nothing to do with Zemana and, not to sound rude, I couldn't care less about the protection it provides.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for the update :thumb: I've checked through our protection and it looks like because of the non-ASCII characters in Swedish, we're detecting an incompatibility and turning off some of the keylogger protection.

    To verify this, could you try changing to an English layout and see if that allows the protection to function properly? Over time, we've had quite a few users with stray keyboard issues caused from foreign language layouts and it looks like we're a bit biased to English/Latin-based languages.
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'll switch to English layout at once and do some testing. :)

    EDIT: I did some testing and it does not seem to help. Konata Izumi suggested there might be differences between different browsers. Should I test with i.e. IE 9?
     


    Last edited: Sep 29, 2010
  24. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    I also have a problem with the SpyShelter test tool. The Test Tool captures keystrokes. I swapped the language to English. It did not help. I normally use Polish language and Firefox 3.6.10
     
  25. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Just to complement ... I tested it with the Czech keyboard, SafeOnline on max. and result is as Joe has obtained, i.e. SafeOnline protects against SpyShelter.
     