Through the Eyes of a Keylogger versus HIPS

Discussion in 'other anti-malware software' started by aigle, Mar 12, 2009.

Thread Status:
Not open for further replies.
  1. chris1341

    chris1341 Guest

    Agreed, that's why I avoided the signature based detection and tested against KIS HIPS capabilities.

    KIS examined the app as it is not (or was not) on their white or black list and it made it untrusted. Not based on signature but by the app's likely activities. I deliberately moved the app to the other 2 standard KIS HIPS categories, Low and High restricted, to test them out. Both of which failed to prevent the app's activities.

    Cheers
     
  2. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    Good, that's what I wanted to know.

    You can't pass leaktests with an antivirus either; it doesn't have that functionality..
    That's fighting the test and not the actual problem.
     
  3. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    Does it mean that KIS2009's built-in HIPS is weak against this kind of keylogger, and do you have recommended security software I should team up with KIS and Sandboxie to protect me against keyloggers?

    Also, I don't know how the virtual keyboard of KIS will work against this kind of keylogger.
     
  4. chris1341

    chris1341 Guest

    Getting a bit OT probably but this link might interest you. https://www.wilderssecurity.com/showthread.php?t=219377.

    I thought Zemana would help but not so sure after these tests! Defensewall will alert but not stop until you choose to terminate I think. If you find anything else give a holler!

    Cheers
     
  5. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    AntiLogger 1.7.2.973 (Friday, March 13, 2009):

    * Improved : Improved detection of autostart locations.
    * Fixed : Fixed a bug that will result msconfig or regedit to not functioning properly.
    * Fixed : A tray icon bug fixed.
    * Fixed : Fixed a bug that will result AntiLogger to freeze in some situations.
    * Fixed : Many small bugfixes and improvements.

    Maybe someone can test this version of Zemana's AntiLogger?
     
  6. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    That is correct.
    One person from another forum tested Privacy Keyboard on this test and he told that it passed every test with flying colors; can anyone confirm that?
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Just downloaded Privacy Keyboard and tried it,
    Keyloggers - Fail
    Screenlogger - Pass
    Clipboard logger - Fail
     


  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    :thumb: AppGuard shut this one down too. Amazing.
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Updated Zemana to the new version, disabled Zemana and downloaded the Eyes of a Keylogger test to my desktop. Enabled Zemana protection and ran the first test, "What the keyloggers see"; a Zemana pop-up blocked it and none of the other tests will run. This time Zemana is alerting when the tests are run, not on the download of the tests.
     


  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    KIS 2009 passes keylogging and screenlogging, fails clipboard logging (doesn't have that functionality).
    Keylogging is detected regardless of HIPS group; to pass screenlogging it should be placed in High restricted (or just modify Low restricted to prompt on such activities).
    XP SP3 ;)
     
  11. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Thanks Dark Star :thumb:
     
  12. runoades

    runoades Guest

  13. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Yes cool, but Avira does not have HIPS - only signatures.
     
  14. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    ThreatFire failed too (tested with default config). No alerts displayed. Please confirm, but it looks like a BB at the moment does not offer the same security as a classical HIPS (at least HIPS like D+ don't block but alert about what's going on, right?)
     
  15. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    *darn* Can't you guys see what this truly is?

    It's a test..

    Passing the test by signature is called "fighting the test and not the real problem." You are NOT protected from the actual PROBLEM.. If this file gets modified it would easily bypass all that "signature" detection based stuff..

    And blocking its execution is still not considered a pass either. There's no "wow" factor to that; CIS easily prevents this from running and so do all HIPS I suppose. The question is, would you be alerted if an application that you let run starts monitoring your keyboard?

    PrevX so far - UNKNOWN
    AppGuard - UNKNOWN
    Avira Premium - FAIL, it's a HIPS test dammit.. :argh: :argh:

    Understand that, whether an AV detects it or not doesn't matter, you are still not protected from the attack that way. As this is just an example attack and a modified attack (file) using a similar technique would monitor your keystrokes without a problem until your AV vendor gets the sample, no doubts about it.. And that can take time, sometimes a keylogger is undetected for hours, other times weeks or more..
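An added illustration of the distinction Iam_me draws above, written for this thread and not taken from any product discussed here: a signature check is a hash lookup that a one-byte change to the file defeats, while a behaviour check looks at what the launched process actually does. The Win32 API names in the rule table are real calls that keyboard, screen and clipboard capture commonly rely on; the event-log format, the sample bytes, the thresholds and the trace are constructed for this example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed stand-in for the test binary and a copy with one byte appended.
# The appended byte changes the hash but (in a real binary) nothing about what it does.
SAMPLE = b"through-the-eyes-of-a-keylogger-test"
MODIFIED_SAMPLE = SAMPLE + b"\x00"

# Constructed signature database: SHA-256 -> detection name.
SIGNATURE_DB: Dict[str, str] = {
    hashlib.sha256(SAMPLE).hexdigest(): "Test.Keylogger",
}


@dataclass(frozen=True)
class ApiEvent:
    """One API call as a HIPS or behaviour blocker might record it (constructed format)."""
    pid: int
    api: str
    detail: str = ""


# Behaviour rules: Win32 API name, predicate on the recorded detail, category.
# The API names are real; the rule table and event format are this example's own.
Rule = Tuple[str, Callable[[str], bool], str]
RULES: List[Rule] = [
    ("SetWindowsHookEx", lambda d: d in {"WH_KEYBOARD", "WH_KEYBOARD_LL"}, "keylogging"),
    ("RegisterRawInputDevices", lambda d: "keyboard" in d, "keylogging"),
    ("GetAsyncKeyState", lambda d: True, "keylogging"),
    ("BitBlt", lambda d: d == "src=screen", "screenlogging"),
    ("PrintWindow", lambda d: True, "screenlogging"),
    ("AddClipboardFormatListener", lambda d: True, "clipboard logging"),
    ("SetClipboardViewer", lambda d: True, "clipboard logging"),
    ("GetClipboardData", lambda d: True, "clipboard logging"),
]

# Some calls are benign in isolation (a hotkey check, a single paste) and only
# become suspicious when repeated; flag them after this many calls per process.
REPEAT_THRESHOLD: Dict[str, int] = {"GetAsyncKeyState": 50, "GetClipboardData": 20}


def signature_verdict(binary: bytes) -> Optional[str]:
    """Signature check: a hash lookup, defeated by any change to the file."""
    return SIGNATURE_DB.get(hashlib.sha256(binary).hexdigest())


def behaviour_verdict(events: List[ApiEvent]) -> Dict[int, Set[str]]:
    """Behaviour check: categories of monitoring observed per pid after launch."""
    calls: Counter = Counter()
    found: Dict[int, Set[str]] = {}
    for ev in events:
        for api, matches, category in RULES:
            if ev.api != api or not matches(ev.detail):
                continue
            calls[(ev.pid, api)] += 1
            if calls[(ev.pid, api)] < REPEAT_THRESHOLD.get(api, 1):
                continue  # below the repeat threshold: not yet suspicious
            found.setdefault(ev.pid, set()).add(category)
    return found


# Constructed trace: pid 4242 is the launched test; 1000 is a text editor that pastes
# once and checks a hotkey a few times; 2000 polls key state continuously.
TRACE: List[ApiEvent] = (
    [
        ApiEvent(4242, "SetWindowsHookEx", "WH_KEYBOARD_LL"),
        ApiEvent(4242, "BitBlt", "src=screen"),
        ApiEvent(4242, "AddClipboardFormatListener"),
        ApiEvent(1000, "GetClipboardData"),
    ]
    + [ApiEvent(1000, "GetAsyncKeyState", "VK_F5")] * 3
    + [ApiEvent(2000, "GetAsyncKeyState", "VK_A")] * 60
)


def compare() -> Dict[str, object]:
    """Run both checks on the original and the modified sample with the same trace."""
    return {
        "signature_original": signature_verdict(SAMPLE),
        "signature_modified": signature_verdict(MODIFIED_SAMPLE),
        "behaviour": behaviour_verdict(TRACE),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The signature side names the original sample and says nothing about the modified copy, while the behaviour side flags the launched test for all three categories and also catches the process that only polls key state, without flagging the editor's single paste. The repeat thresholds are the kind of tuning that decides whether clipboard reads get alerted on at all, which is where several products in this thread fall down.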
     
  16. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89

    Correct. Classical HIPS is the strongest thing out there; saying something else is a lie.. A BB is not bad but a HIPS is stronger.. Much stronger.. And D+ can block this test from running, just set it to proactive security, doubt you even have to do that, but what the heck, and click no to the alerts. o_O :rolleyes: DIES. But that's not how you are supposed to do this test..

    Due to its design a BB will never be as strong as a classical HIPS.. but that doesn't mean it will offer bad protection..
     
    Last edited: Mar 13, 2009
  17. wat0114

    wat0114 Guest

    I support Iam_me's statements - well put I might add - on determining the effectiveness of the tested security products against this keylogger.

    It can be difficult to resist the feeling of satisfaction that arises upon seeing the security product alert on attempted execution of the test file (it's happened to me before), but as long as the test emulates the common situation where the downloaded file is intended without reserve to be launched by the user, then stopping its execution attempt is meaningless; only the behaviour of the file after it's launched, how effectively the security product detects and reports the subsequent behaviour, and how effective the user is at interpreting and responding to the warnings is what truly matters.

    I would contend, however, that blocking a file's attempted execution if it's not expected is certainly a valid response under this circumstance.
     
    Last edited by a moderator: Mar 13, 2009
  18. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    @ Iam_me "...And D+ can block this test from running just set it to proactive security..." This is the first mode that I do the test in :) . And really the test can be easily blocked on the first execution. But it is like you say... this is not how the test needs to be executed...

    But I have a doubt, and if anyone here can explain it to me, please: When I run the test with D+, I run the test through Sandboxie and write and manipulate the clipboard in a Notepad in the real system; if the clipboards for the systems (real and virtual) are the same (or can communicate), is there no chance to use this to escape the virtual system? Or send anything to the real system? Sorry if this is a little off topic or a dumb question.
     
    Last edited: Mar 13, 2009
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Excuse me but I beg to differ on the suspend MODE, once an app (any one) is SUSPENDED, IT IS EFFECTIVELY STOPPED OR ABORTED from proceeding. That paralyzed program cannot send or infect no matter what once it's ABORTED.

    But it is up to the user to delete it completely since it entered the system at the start.

    EASTER
     
  20. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Still good. Most apps can't stop clipboard logging because it doesn't seem to be important. I doubt people copy and paste their credit card info.
     
  21. fce

    fce Registered Member

    Joined:
    May 20, 2007
    Posts:
    758
    Sometimes I copy and paste my c/c.
     
  22. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Aren't you scared someone will come to your computer and paste by accident? Happens to me sometimes since copy doesn't always work first time.
     
  23. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I think screen logging will probably concern more about privacy than security as most passwords are hidden by circular dots when logging in at most https: sites. Rarely do I see actual password characters shown as they are typed.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Snoop Free seemed to block it, I say seemed because after clicking DENY I could still type in the box in #1 but #2 & #3 were effectively empty.

    EASTER
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    SnooPFree still has some power ;)
     