Zemana Keylogger Test & Prevx 3.0?

Just running Zemana Keylogger to test my defences (NIS2010 & Prevx 3.0). http://download.zemana.com/Products/Simulations/keyboard.exe

Am i supposed to be able to write in the keylogger without getting a warning of some sort from either NIS or Prevx?

 

SafeOnline will protect keystrokes typed into a secured web browser (i.e. one that's on an HTTPS website). Could you try going to https://www.paypal.com with SafeOnline enabled and see the results? The keylogger should think that no keystrokes even exist

 

Yup, works on https. Thanks for this reminder, i completely forgot how this protection works.

 

I'm not sure if this is a problem. The logger screen test by the same company is not blocked :-(

 

It will be provided you are on an HTTPS website with protection on Maximum. If not, could you let me know what operating system you're using and if you have any other security software installed (namely Zemana Antilogger itself, which causes Prevx to enter into "Compatibility Mode" and lower protection to High).

Thanks!

 

Hi,

i use Win7 64bit, 8GB RAM. Tested with Firefox, IE and Chrome. HTTPS on max in SafeOnline (Vers. 3.0.5.187), tested on paypal. The another security software installed are emsisoft Antimalware.

 

Now I myself am probably come up with the cause. After the start of the Screen Logger Prevx reported an infection. I have allowed the program (for once). This program will probably also be allowed to bypass the SafeOnline protection, right?

 

No that's not correct. You do need to allowing the program to run in Prevx. However, the SafeOnline component should still prevent screen logging.

I just tested it and its working for me.

 

That's the cause Because of PatchGuard, not all of the Prevx screengrabber protection can be loaded. However, you're still protected against the other techniques which SafeOnline blocks (which admittedly are far more threatening than a screengrabber )

 

Hi Joe,

and what says MSFT about this case?

Why there is no API for this, in order that third party software can work with PatchGuard on Win7 64bit?

regards,

iNsuRRecTiON

 

Because wouldn't that mean malware could use the API as well? I'm not very into this sort of stuff, but wouldn't it be theoretically possible?

 

Joe,
I am running PSO 3.0.5.187 and Zemana Antilogger together and SafeOnline protection is shown as Maximum for HTTPS websites - see screenshot.
Has Prevx entered into "Compatibility Mode" and lowered protection to High even though it still shows Maximum in the UI?
Or is my set up unique

 

It will have disabled the specific protection that it incompatible with Zemana. We've contacted them and are working on getting the two products to work together, but because they both try to protect the screen, it will cause some issues However, there are other aspects of screen grabber protection that will still function (ones more likely used by malicious screen grabbers) as Prevx covers them but Zemana doesn't at this point.

I do suspect this is part of the reason, but more so, Microsoft has limited access into some areas of the kernel for improved stability. The changes are overall very beneficial, but they do require some different approaches by security software developers. Personally, I'm a big proponent of Microsoft's changes even though they do require more work on our end. By including digital signature verification and implementing PatchGuard, they provide, out-of-the-box, much more security than many security solutions even have in their entire product set. Granted, they aren't perfect and like anything else can be circumvented, but it is a significant step in the right direction

Prevx 4's SafeOnline will include additional protection for screengrabbers on 64bit but it won't be quite as strong as on 32bit, although it should at least bridge the gap (and frankly, if someone was to spend the effort to get around it on 64bit, they should be doing something more nefarious than taking screenshots... and anything more advanced in an information stealing trojan will be blocked by SafeOnline )

 

Thanks for the answer!

 

Hi,

I don't think so, that can prevented with digital signatures and so on.

MSFT is already providing API's to access the kernel with PatchGuard on x64, but not what is required to fix those outstanding problems.

Symantec and others, already using these APIs, which they have requested from MSFT..

See also here: http://www.sandboxie.com/index.php?NotesAbout64BitEdition

And here: http://web.archive.org/web/20080325114949/www.sandboxie.com/index.php?WindowsVista64