ThreatFire Detecting A Keylogger

Discussion in 'other anti-malware software' started by Hermescomputers, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi bunch!

    My installed TF picked up a program I use to monitor processor core temperature as logging keystrokes....

    It has never happened before, and it flagged the behavior several times while I was playing GRAW 1 this morning...
    However, the program has to have a rule set created initially for TF to allow it to run because of the way it extracts data from the processor cores. But the message in those instances is never specific. This time it was... very specific, as in key logging.

    I allowed it and tried to put a scope on its executable to see if it would transmit, but my scope failed for some reason. VirusTotal came back clean, as did all my other security applications. I am curious what would have triggered its payload (in this case key logging), and if it even is a key logger.

    For those interested in digging into this one here it is:
    The Program is CoreTemp
    http://www.thecoolest.zerobrains.com/CoreTemp/

    Here is a pic of the report
     


  2. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    I haven't used either program, but is it possible that CoreTemp uses "hot keys" and that is what ThreatFire is picking up?
     
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well, I guess it would be possible if it did. However, this is an incredibly simple program that reads the processor core temperature sensors integrated into the CPUs themselves instead of the motherboard's under-socket thermal diode...

    Besides, I have used both programs together for quite some time and it has never triggered an alarm except during program load-out.

    Here is a pic of CoreTemp for your info:
     


  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    ThreatFire (formerly Cyberhawk) appears to be still exhibiting the same concerns the final Cyberhawk version was dealing with at Novatix.
    I suspect the developers ratcheted up the sensitivity in one or more of its drivers to pick up the slightest activity, and what you're experiencing is no real surprise, although setting it as allowed should end that notify alert. But there will likely be others, depending on whether even a legit good program, maybe even a screenshot proggy, reads the screen; ThreatFire may just jump up on those too.
    I still say they have the sensitivity set a tad bit too high in it.
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?

    Well... I'm using SnagIt screen capture as well and it has never had a glitch with it... Besides, I am constantly experimenting with all sorts of tools and programs and this is my first FP with it, if that is what it is...
     
  6. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    I used to have the old Cyberhawk version of this software; I had it installed for a few months, and gradually it started to alert me to all sorts of programs logging keystrokes. For example, out of the blue one day it started alerting me to "msn messenger is logging keystrokes", then a few days later it was "Avast! antivirus is logging keystrokes", and over time there were several others. It just seemed to gradually turn on my system (these were not newly installed programs). I got rid of it in the end.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hello tradetime

    Yeah, I experienced the exact same decline. At some very early versions it was extremely formidable and was a nice complement to another security app named SSM for me, but then it started alerting out of the blue on later versions on everything from Explorer to Notepad of all things, and those FPs became much too numerous.

    Who knows?
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Cyberhawk's old keylogging rules were nothing but trouble. That being said, the newer versions have fine-tuned this rule considerably and more or less solved the problem. If the old keylogging rule was the only thing that discouraged you from using Cyberhawk, then I'd say the new ThreatFire should pose no problems for you.

    EASTER, enough is enough. You have been attacking TF ever since it was released just because, as you put it yourself, it was bought by PC Tools. I challenge you to state your security setup and provide me with some screenshots of the said FPs, because as far as I can tell, for some mysterious reason you appear to be the only one suffering from them, and if you can't prove that you really do suffer from these inexplicable, irreproducible maladies, then it's not polite to claim that you do.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Solcroft, Easter

    Being a happy CyberHawk Pro user with my own custom rules, I immediately posted the how-to (make custom rules) when ThreatFire free had the same capabilities as CyberHawk Pro.

    Having a lot of additional registry and file protection custom rules (and some trojan downloader protection), I really cannot say ThreatFire is an FP shooter. In fact I can recall only one FP.

    I think PowerShadow, EQSecure, ThreatFire free and Online Armor free are really good apps in their class, which beat many paid programs in effectiveness and usability even without considering that they are free.

    Regards Kees
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    In my experience, when you want to monitor for all sorts of key logging, you will surely get some alerts about legit applications monitoring keystrokes.

    The more aggressive the monitoring, the more alerts you get.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I would be more than happy to, but it's not going to be anytime soon, I'm afraid.
    But when I do free up some time I will reload ThreatFire again and snap some screenshots of this behavior. If it works for you and you're satisfied with the results, then all the better for your confidence, right?

    And yes, PC Tools is the last place I would have traded my creations to. Sorry, but it is a matter of personal preference, and they just don't fit into my scheme of reliable protections.

    I still fancy CyberHawk and also still keep those early releases. One of these days I'll sort them out according to release dates and the like and filter through which perform best and those that showed marked limitations from previous releases.

    But that's another project for another time, and that time is at a premium on this end for the foreseeable future right now.
     
  12. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Why am I not surprised? I guess a prerequisite of being an "INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER" is to make vague, airy claims without being able to back them up.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    That's a pretty unfair assumption, LUSHER, given the fact that my workload is such lately that I can't always fit time in right away when someone makes a demand where I would have to drop everything ATM and turn my attention completely away to something which really is not going to make any difference anyhow.

    I'm just stating the facts from the past weeks I tried ThreatFire. Contrary to what's been suggested, although I don't favor PC Tools, I just so happen to WANT to offer a perfect report on TF since it is taken from the specs of CyberHawk internally, which I have always applauded for being a very nice behavioral blocker in the past. PC Tools has nothing whatsoever to do with my disappointment in TF; it's the same old issue of raising some FPs that mirror exactly what I experienced before in the final CyberHawk versions. I still hold to the belief, until proven otherwise, that within those (4) drivers lurk the issues experienced and reported by not just me but others as well, as evident in this topic.
     
  14. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Unfair? Maybe.

    But I'm holding you to a higher standard (not very high, mind you) as someone claiming to be an "INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER".

    Sure, the average poster can make general anecdotal observations on their experiences without expecting to be taken that seriously, but I expect something more from someone claiming your expertise level.... given your bold signature.....

    If you are not going to hold yourself to higher standards, it might be better to drop your signature to avoid misleading people...

    And I would add that I'm not saying this because of only one incident...
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    You're very welcome to your opinions, even when they are so far off the mark.

    What you're really getting at is offering proof of the FP issue that still exists in the ThreatFire that I installed and ran over a course of time. Mind you, the FP issue really is minor in scope IMO, but indeed present and an annoyance nonetheless; at least that's what it was doing repeatedly when alerting on Explorer time and time again. The same happened with the last versions of CyberHawk, but more pronounced in those compared to ThreatFire.

    And standards have nothing to do with the simple observations noticed about it.

    As I said before, if time permits, I'll reload it and run a day-long session again where, should it reoccur, I'll screenshot it along with details for some to comment on or offer a solution against.
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Er... well, it's me again!

    I got another "brand new" keylogger detection. This time a different app. (On a brand new, freshly loaded copy of XP Pro x32 w/SP2.)

    So here it is this time, again while I was playing a game, this time GRAW 2. The pop-up came up in the background with a warning about my UPS monitoring software logging keystrokes...
     


    Last edited: Oct 26, 2007
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    For those interested in the application itself, here is whatever info I gathered up in my analysis:
    A scope is keeping track of Internet transactions related to this process, just in case.
    It is to be noted that neither BOClean nor NOD32 detected this as a key logger. Also, a scan at virustotal.com came up negative across 30 or so AVs...

    Additional information
    File PowerMonitor.exe
    File size: 450560 bytes
    MD5: 3eaeaf8941d757e0ad9d5306f7c2eada
    SHA1: 1a1b6c1c3477d55b066dce2e1870d659bc03801a

    PowerMonitor.exe with its associated server & services.
     


    Last edited: Oct 26, 2007
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Just for good measure!
    Here is the scan result for the possible key logger:
     


  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If you've been using the file all this while with no problems, then chances are that it's an FP.

    I notice the second FP was on a program with similar functions as the first. Looks like the keylogger rule is still misinterpreting certain types of programs as malicious.
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I'm pretty sure it's an FP... But what nags me is that both came up during a game of GRAW 1 & 2. I wonder what is stimulating these FPs, if that is what they are, during these types of activity, i.e. during gaming sessions.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I would not bother about a keylogging alert from TF about legit software on my system.

    As far as I know, TF only detects two keylogging methods:

    GetKeyState
    GetAsyncKeyState

    Any software which detects these two methods produces some false alarms about legit software. I have experienced it with NeoavaGuard and EQSecure.

    Not sure why they did not add common keyboard hook (WH_KEYBOARD_LL) type keylogging detection? It must be easier to implement, with few false positives. Very poor keylogging detection by TF indeed.
     
  22. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Again!

    I have another client who went into a panic over a possible false positive...
    So here it is:

    The key logger alert was triggered while the user was typing the password into his Yahoo email account. (By AVG Antivirus?)
    I scanned the file via VirusTotal.com and it came up negative for infections. I certainly hope this is an FP, due to its implications.
    This is peculiar as to its timing. The executable is located in the appropriate directory...


    File avgw.exe received on 10.29.2007 13:21:17 (CET) (@Virustotal.com)
    Additional information
    File size: 219136 bytes
    MD5: b331ef4c7437f5093d703340678469eb
    SHA1: f5aadab9c25a117347215406e85e1ad416c7a3b6
     


    Last edited: Oct 29, 2007
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You will get it off and on, I am sure. I have yet to see an application which detects GetKeyState and GetAsyncKeyState type keylogging and does not give alerts about legit applications.

    The answer is very simple. If you trust the application, allow it. If the application is unknown, deny it.

    Arrhh... the new TF has no Deny button. They replaced it with Quarantine, a very unwise decision for a behavior blocker in my opinion.
    What if some day it alerts somehow about a suspicious action by explorer.exe and quarantines it?

    I have long since posted on their forums to give three options: Allow, Deny and Quarantine, but so far they seem not to be interested.
    Deny can be used by users for known applications and Quarantine for unknown applications.

    Let me say, I just noticed a weakness of TF compared to classical HIPS: there you can just deny a specific action of an application (e.g. stop the keyboard hook of your messenger) while allowing it to run otherwise, but in TF you can only allow it to run with all its actions or deny its execution altogether. Not having a Deny option has made the situation worse!

    I think at least in the case of a keylogger alert there should be an option to just deny the keylogging action. Whether it's easy to implement or not is another story.
     
    Last edited: Oct 29, 2007
  24. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello aigle,

    Yep, I'm with you on this; the Deny button would be a charming addition to this great tool.

    Those keyloggers are hard to detect... My only concern in this alert is the uncanny timing of it. The guy was actually typing his password on a site while trying to collect his email; he called me at 7:00am to report it. Kinda scary actually for him, and I can understand it quite nicely myself...

    I can't wait for those guys to fix this. It's getting a bit annoying on my end... I realize the solution is simple, just allow applications that are legit, but the Joe Average users out there have no frigging idea what that might be, even on a good day!!!

    Those tools have to work, no excuses!
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    For average users, it can be a scary alert, I agree. If I were in their place, I would just add detection of keyboard hooking by default (still absent in TF) and keep the other types of keylogging detection as optional in advanced settings.

    Many months back, I suggested that they add an option for trusted applications, so that you can just add your security software in this category, but I think they did not feel the necessity for this option.
     