tds 3 and keylogger detection

Discussion in 'Trojan Defence Suite' started by the mul, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I would like your opinion on how good TDS is at keylogger detection. I have heard that it detects a lot of them, but do you think this is enough, or does it warrant another programme as a backup for keylogger detection?
    Most people nowadays have a backup AV programme, so do we need an extra keylogger detection programme as well?

    your help is most appreciated

    The Mul
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Until someone does a truly comprehensive test on ProcessGuard to see if it's going to fulfill the role of a resident, "catch-them-all" anti-keylogger app, I totally suggest and recommend a dedicated anti-keylogging app IF you're really concerned (for whatever reason) about the possibility of being key-logged.

    The top three are:

    SpyCop "Home" edition: http://spycop.com/products.htm (The one I use - and, IMO, the best).

    Anti-Keylogger SOHO Edition: http://www.anti-keyloggers.com/

    WhosWatchingMe: http://www.trapware.com/index.html

    That's just my opinion, of course. Pete
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mul, PG will stop most keyloggers.
    TDS3 finds many - Check Help - Primary list.
    To add another layer just run AdAware or Spybot.
     
  4. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks pilli for your reply, and also thanks to spy1.
    I have Spybot, and also Ad-Aware, so I will stick with this at the moment. As you said, Pilli, PG stops most keyloggers and that is good enough for me.


    Have a nice day
    the mul
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just let's all promise to send anything suspicious to submit@diamondcs.com.au so there is less and less chance anything is missed at all. Gavin doesn't mind having many doubles, better than missing one which could get on the loose harming somebody at all!
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Pilli - I hate to say it, but that claim is so totally unsupported as to be useless. There hasn't been a single broad-based, definitive test of PG's ability to detect keyloggers at all.

    Until there is, I stand by what I posted above. Pete
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK


    Agreed, there have been no definitive tests of keyloggers with PG or any other programme as far as I am aware, but by its very nature it can stop many if not all keyloggers that use the SetWindowsHookEx method, and it can do this without the need for daily updates; prevention is better than cure IMO. This is demonstrated here:
    http://www.diamondcs.com.au/processguard/index.php?page=attack-keystroke-loggers

    As to being next to useless I disagree. :) All part of a layered protection approach.
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Process Guard has the ability to stop nearly all software keyloggers. It can block the main one which is SetWindowsHookEx() always. Finally a lot of newer keyloggers these days are becoming driver based and PG can also stop these.

    Not to mention that without these major key logging abilities at their disposal, keyloggers would have to turn to reading process memory and other such "process" methods, which PG can also block.

    Of course, PG does not "detect" keyloggers already installed and it couldn't stop a keylogger driver which was already installed. But without a pro-active solution which PG is I doubt you would be able to stop as much as it can.

    -Jason-
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pete, your stance is a very safe one - when it comes to a new program it's always best to test capabilities rather than just take the developer's word for it, and indeed Process Guard certainly is a fairly new program, and nobody has ever done a thorough test of its protection against keyloggers so you're right to be cautious, BUT ... I can tell you that:
    - it has worked against every keylogger we've tested it against
    - virtually all keyloggers use the same technique, which is blocked by Process Guard
    - it has a 'global' protection effect which is why it can effectively block every keylogger
    - there are a couple of new, very advanced driver-based keyloggers (quite difficult to develop), but even these are blocked by Process Guard's driver-blocking capability
    - Proof-of-concept can be downloaded here - it's a harmless, simple demo program which captures keystrokes and displays the last key pressed. With Process Guard's protection in place, it cannot capture your keystrokes.

    So although your cautious "wait until it's tested against every keylogger" approach is a safe one, I don't think there's any need for such concern - you can't decrease your security level by using it, and it IS already proven that it does block ALL keyloggers that use the keyboard message interception method of keylogging (the method used by every keylogging trojan we've ever seen).

    But you say that you shouldn't rely on Process Guard because it hasn't yet been tested against hundreds of keyloggers ... but, the anti-keylog programs you've mentioned also haven't been tested ... :)
    They've been around longer than Process Guard, but that doesn't mean much, and actually I think you'll find if you do your own testing that Process Guard's anti-keylog protection is stronger than all of them combined - but please don't take my word for it, test for yourself. :)

    Cheers,
    Wayne
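    The posts above turn on one observable fact about the "keyboard message interception method": a global WH_KEYBOARD hook installed with SetWindowsHookEx(…, dwThreadId = 0) has to live in a DLL, and Windows maps that DLL into every process on the desktop that receives keyboard messages. That gives a practitioner a way to look for a hook-based keylogger that was installed before a blocker like Process Guard went in. The script below is an added example written for this page, not code from the thread, from DiamondCS or from any of the products mentioned. It parses a module inventory in the shape of `tasklist /m /fo csv` output and flags any module, outside a small baseline of Windows system DLLs, that is loaded into most of the processes that have USER32 mapped. The sample inventory, the name `kbhook.dll` and the baseline set are all constructed for the example. Two caveats the code comments repeat: low-level hooks (WH_KEYBOARD_LL) run in the installing thread and inject no DLL, so this heuristic does not see them, and it says nothing about the driver-based keyloggers discussed above.

```python
"""Flag candidate global-hook DLLs from a `tasklist /m /fo csv` dump.

A global WH_KEYBOARD hook installed via SetWindowsHookEx(..., dwThreadId=0)
must live in a DLL, and Windows maps that DLL into every process on the
desktop that receives keyboard messages. A DLL present in almost every GUI
process that is not a well-known system module is therefore worth a look.

Not covered: WH_KEYBOARD_LL hooks run in the installing thread and inject
nothing, and kernel-driver keyloggers never appear as a user-mode module.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of `tasklist /m /fo csv` output.
# Everything except the well-known Windows DLL names is made up; kbhook.dll
# plays the role of a hook DLL that a keylogger has pushed into every process.
SAMPLE_TASKLIST = '''"Image Name","PID","Modules"
"explorer.exe","1234","ntdll.dll,KERNEL32.DLL,USER32.dll,GDI32.dll,kbhook.dll"
"notepad.exe","2210","ntdll.dll,KERNEL32.DLL,USER32.dll,GDI32.dll,kbhook.dll"
"firefox.exe","2788","ntdll.dll,KERNEL32.DLL,USER32.dll,xul.dll,kbhook.dll"
"svchost.exe","804","ntdll.dll,KERNEL32.DLL,RPCRT4.dll"
"cmd.exe","3120","ntdll.dll,KERNEL32.DLL,USER32.dll,kbhook.dll"
"winword.exe","3344","ntdll.dll,KERNEL32.DLL,USER32.dll,mso.dll,kbhook.dll"
'''

# Illustrative baseline of modules every process is expected to carry.
# A real deployment should build this from a known-clean machine of the
# same Windows build rather than trust this short list.
BASELINE = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "rpcrt4.dll"}


def parse_tasklist(text):
    """Return {module_name_lower: set(pids)} from tasklist CSV text.

    tasklist prints "N/A" in the Modules column when it cannot read a
    process (e.g. protected or other-session processes); skip those.
    """
    loaded = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        pid = int(row["PID"])
        for mod in row["Modules"].split(","):
            mod = mod.strip().lower()
            if mod and mod != "n/a":
                loaded[mod].add(pid)
    return loaded


def candidate_hook_dlls(text, min_share=0.5):
    """List (module, share, pids) for non-baseline modules loaded into at
    least min_share of the processes that have user32.dll mapped.

    Only processes with USER32 can own a message loop, so those are the
    ones a global WH_KEYBOARD hook DLL gets injected into; measuring the
    share against that set keeps console-only services from diluting it.
    """
    loaded = parse_tasklist(text)
    gui_pids = loaded.get("user32.dll", set())
    if not gui_pids:
        return []
    hits = []
    for mod, pids in loaded.items():
        if mod in BASELINE:
            continue
        share = len(pids & gui_pids) / len(gui_pids)
        if share >= min_share:
            hits.append((mod, share, sorted(pids)))
    hits.sort(key=lambda h: -h[1])  # most widespread first
    return hits


if __name__ == "__main__":
    # Real use: tasklist /m /fo csv > modules.csv, then feed that file here.
    for mod, share, pids in candidate_hook_dlls(SAMPLE_TASKLIST):
        print(f"{mod}: in {share:.0%} of GUI processes, pids {pids}")
```

    A hit is a lead, not a verdict: the next step is to check the flagged DLL's path, signer and on-disk timestamp, and to see which process owns the thread that installed the hook. Since an already-running hook is exactly the case Process Guard does not retroactively catch, this is the kind of check to run once before a reboot with PG in place, and the module count drops to zero for WH_KEYBOARD_LL and driver-based loggers no matter what they are doing.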
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Look, I'm not saying that people shouldn't have ProcessGuard - I think everyone on Earth should have ProcessGuard, actually! And I mean that!

    I'm probably even more excited and enthusiastic about its "real-time detection" capabilities in regard to keyloggers than YOU are (do you have any idea how much time gets spent here - at seventeen minutes a pop, with everything else shut down - over the course of weeks, months and years - simply doing FULL scans for keyloggers?).

    BUT the fact remains - ProcessGuard will not detect a pre-existing keylogger that already is hidden, active and driver-driven on someone's computer.

    Now, the alternative strategy here is (of course) to be using the anti-crapware app, the anti-trojan app, the AV and the firewall of your choice for "surface" detection of the more common keyloggers - but if you're actually suspecting the presence of a keylogger for any reason - or you simply want to make absolutely sure (within reason) that you don't have any type of a keylogger whatsoever on your computer before you go to relying totally on PG for detection, then at the very least, one needs to install, update (if applicable) and run a full, in-depth scan with a dedicated, top-of-the-line anti-keylogger program - even if it's only long enough to take advantage of whatever trial-period that program offers, just for safety's sake.

    And BTW, since we all agree that "layered defenses" are the way to go, it certainly wouldn't hurt to purchase whatever anti-keylogger specific program we finally decide upon, now would it? :D

    Is this clear enough now? Pete
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    My apologies Pete if I came across the wrong way, I was just trying to help clarify things :)

    Process Guard was never designed as a 'keylog detector', although when it blocks keyloggers (at the time they obtain a hook), Process Guard's window will show the offending program. :)

    Process Guard loads very early - typically a lot earlier than any keyloggers, so you're correct in that if you've just installed Process Guard then it won't alert to any programs that already have hooks, but as soon as you reboot, Process Guard should load straight away and even if a keylogger is set to start automatically, Process Guard should've started before it, so its request for a hook should be blocked by Process Guard. :)

    But here's something you might find rather curious Pete! - Process Guard (as you know) was never designed as protection against keyloggers - that's just one of the inadvertent protections it offers as kind of a welcome side-effect from one of its main protections, but the end result is actually more effective against keyloggers than any other anti-keylogger program I've ever seen - I encourage you to try this for yourself :)

    Cheers,
    Wayne
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    No apologies needed, Wayne (accepted on principle, of course) - I'm thrilled flat to death with PG and not shy about letting people know about it.

    Since I installed ProcessGuard,I have never felt this safe on the Internet before - and I thank DCS for that. Pete
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pete, you also have already TDS in your anti-keylogger toolkit, I've been told top notch and lots of keyloggers added to its detection, so don't forget to use it also for that goal. If you find any "suspicious" detection, please submit it - submit@diamondcs.com.au is waiting for it.

    Rootkits same story i guess?
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Jooske - Correct - same story.

    The majority of people (myself included, at one time) don't have a clue as to what a rootkit is or can do - much less whether they're being affected/infected by one or not.

    Since I'm relatively (99.99999...%) sure I didn't have one on here prior to getting and installing PG, I no longer feel like I have to worry about ever being affected/infected by one now that I do have PG on here.

    It's amazing what one little (properly-designed, state-of-the-art, benchmark of protection) program can do for one's peace of mind, isn't it?

    Of course, I'm well-aware of the dangers that could be presented by something totally new - but that's the nature of the game.

    And I've been given every reason to expect (given their performance so far) DiamondCS to be on top of those future threats, as well.

    (Basically, on the whole, Pete is a very happy camper! <g>). Pete
     