Zemana AntiLogger and SpyShelter Premium tested

Discussion in 'other anti-malware software' started by genieautravail, Sep 17, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    So this is like infecting the computer with malware before testing an AV, absurd.
    In a normal world the computer is password protected so you can't install the program. Anyway the modifications that you have allowed will create rules in Spyshelter, so simply deleting them will solve everything.
    You may think that you have proceeded with the right methodology but it's absurd, biased and is misleading the people who read it, like you can easily see in your website comments.
     
  2. raymondcc

    raymondcc Registered Member

    Joined:
    Jul 8, 2010
    Posts:
    11
    If you only want to know about the protection result, just refer to the "Install" column and you'll be happy to see that SpyShelter blocked 12 out of 12 tested malware.

    The other tests are just supplementary.

    I've only stated the sentence below on the article:
    "As you can see from the test results above, none of them are perfect in detecting every attack method but SpyShelter and Zemana came close."

    I said "attack method". Nothing about SpyShelter or Zemana being unable to block the malware. You just interpreted it wrongly.
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    You can disagree with how the test is done but you can't say it's biased.

    As raymondcc says, if the app alerted of the installation and blocked it you can consider this a 'PASS' and everyone is happy. I think that if he had highlighted this aspect in the chart no one would have complained about the test here.

    For the second part, to test if the app detects logging activity of an installed program, I think that you should get a clear alert about something serious being modified in your system, not just a simple change in the registry that every program does. An alert about a hook or about the malware adding itself to the startup list would be enough to give a 'PASS' for me.
     
  4. raymondcc

    raymondcc Registered Member

    Joined:
    Jul 8, 2010
    Posts:
    11
    You can interpret the result table according to 2 different situations.

    1. Protection (Refer to the Install column)
    If you already have the antikeyloggers installed, probably all you need to refer to is the install column which shows that the anti keyloggers detected the installation of keyloggers.

    2. Detection. (Refer to keystrokes, screen, clipboard and audio column)
    If a malware is already present on a system, the antivirus cannot detect it and you have no idea that you're being monitored, you can depend on the antikeylogger to detect the logging actions that are remotely turned on by the controller.

    When a system is already infected and the autostartup has been added before the installation of antikeylogger, the antikeylogger is not capable of determining if the autostartup value is malicious or not. This is when you'll have to depend on the detection modules to tell you that a process might be suspicious due to logging activity.
     
  5. guest

    guest Guest

    The popups that you allowed during installation allowed the different components, services installed to be allowed later by spyshelter during the test.
    Your methodology is completely wrong, what you should have done is to install the spy software, then install and test Spyshelter, Zemana...

    I was talking about malware as an example.
     
  6. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    He says that he didn't allow anything:
     
  7. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    @raymondcc

    Your friendly ex-mod here. Remember me?

    Anyway, just wanted to say a few things. I understand what you intend to test but the methodology you've used is not exactly suitable for HIPS-like antikeyloggers.

    Proper methodology is to test them on a system which is clean and that the protection is not disabled during installation of the keyloggers. You're supposed to test if they:
    a) alerted the user of the beginning execution process of the keyloggers
    b) alerted the user of any subsequent suspicious behavior right after the prior execution. If they do, it's counted as a pass for each behavior alerted.

    When you chose to disable the antikeyloggers and allowed the keyloggers to be installed, you've invalidated the methodology I mentioned above. This is why guest and some other members here disagreed with your tests.

    What you've tested was whether the antikeylogger protection modules still work on a system that already has a keylogger installed. Problem lies in the way you've presented your results. My suggestion is to revise/update the article and make 2 charts separating the results from your methodology and from the one I mentioned earlier on. Be sure to make it known how the 2 tests differ.
     
  8. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    @raymondcc

    I like your test Ray, but I agree that you should separate results (make 2 tables: protection & detection)

    @everyone

    I don't understand why you are defending these apps, because they have detection capabilities and if they have them then testers should test them, right?
     
    Last edited: Sep 23, 2013
  9. guest

    guest Guest


    The methodology is questionable because some of those spy softwares use the installation to establish hooks, so they don't need to change anything special when they start to capture. The problem is that I don't think that there would be any anti spy software in the world able to block this using this methodology, and probably nobody would be able to code any software able to do it.
     
  10. raymondcc

    raymondcc Registered Member

    Joined:
    Jul 8, 2010
    Posts:
    11
    I've spent a bit more time in re-testing some of the keyloggers with SpyShelter and Zemana using the suggested methodology, which is install the spyware first and then only the antikeyloggers. Here are my findings:

    1. I infected my test system with Bozok RAT that auto startup with Windows and then installed SpyShelter. SpyShelter did not detect Bozok RAT's presence until I activated keylogging or other logging actions.

    2. I infected my system with Advanced Keylogger/Elite Keylogger that auto startup with Windows and then installed SpyShelter. SpyShelter's System Protection (HIPS) detected both Advanced Keylogger and Elite Keylogger because it was hooking onto explorer.exe.

    I didn't find any difference in the test results for detecting keystrokes, screen, clipboard and webcam capture when malware is installed first and then antikeylogger, compared to the original methodology of installing antikeylogger first, disabled the protection, then followed by installing the malware and reactivating the protection.

    However, with the suggested methodology of installing keylogger first then antikeylogger, there is an "additional data" that can be included which is detecting active malware with SpyShelter's System Protection. This will only work if the malware/keylogger hooks onto the system's legitimate process to hide itself. However for trojan RAT such as Bozok that runs as an independent process, SpyShelter's System Protection will not find anything suspicious.

    I will update the article to include an interpretation of the result table rather than letting the readers guess what it is all about and misinterpret it. So there's nothing wrong with the test results if it was explained properly and will be more complete if I add the additional detection data by SpyShelter.
     
  11. guest

    guest Guest

    @raymondcc thanks a lot for your effort
     
  12. raymondcc

    raymondcc Registered Member

    Joined:
    Jul 8, 2010
    Posts:
    11
    I thank you all for your constructive criticism to make the article and test more complete.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    raymondcc:thumb: :thumb:
     