Author Topic: Some keylogging methods are not detected with ThreatFire (V3.0.14 - .21 X32)  (Read 29614 times)

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Some types of keylogging are no longer detected by v3.0.18.309 on Windows XP SP2.  All 7 keylogging methods from AKLT (http://www.firewallleaktester.com/aklt.htm) were detected in older CFP versions - such as v3.0.14.276 - but with v3.0.18.309 some of the methods are no longer detected.

Since I was testing this in a virtual machine, perhaps somebody can try to replicate these results on a physical machine, just to make sure it wasn't an issue with virtual machines only or an interaction with new software I have installed recently.

Version: v3.0.18.309
CPU: 32 bit
OS: Win XP SP2
Other security programs running: NOD32, ThreatFire
Defense+ Security Level: Paranoid Mode
Firewall Security Level: Custom Policy Mode
« Last Edit: March 29, 2008, 08:33:23 AM by MrBrian »

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #1 on: February 27, 2008, 12:17:55 AM »
Everything is fine here (comodo detected and stopped all keyloging and screenshoting tries) on "physical" machine (non virtual):
Version: v3.0.18.309
CPU: 32 bit
OS: Win XP SP2 Pro
Defense+ Security Level: Train with Safe Mode
Other security programs: Kaspersky IS (without FW and Proactive Defense-behavior blocker components), Comodo Memory Firewall.
Tested aklt v.3 with focus (while typing) on notepad, see screenies of warnings beneath...


[attachment deleted by admin]
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #2 on: February 27, 2008, 01:25:10 AM »
Thanks for the feedback salmonela :)

I looked at your screenshots.  I could not tell if, for every one of the AKLT tests, you actually did receive an alert for low-level keyboard access or global hook (for keylogging tests) or an alert for reading the screen directly (for the screen reading tests).  Some of your screenshots showed other types of alerts, which don't matter for the purposes of this type of testing.  Do you remember if you received the proper alert for each of the tests, salmonela?
« Last Edit: February 27, 2008, 01:33:59 AM by MrBrian »

Offline vignesh

  • Comodo Member
  • **
  • Posts: 44
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #3 on: February 27, 2008, 02:05:39 AM »
Hi,
    I see that only the test 'screenshot2' failed.. but the tests you were mentioned are pass.
Please verify the attached snapshots.

CFP:3.0.18.309
OS:Win XP SP2 x32
Defense+:Train with safe
Firewall:Train with safe


[attachment deleted by admin]
« Last Edit: February 27, 2008, 03:36:07 AM by hiddenstar »
Regards,
Vicky.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #4 on: February 27, 2008, 04:39:42 AM »
I see that only the test 'screenshot2' failed.. but the tests you were mentioned are pass.
Please verify the attached snapshots.

Thanks hiddenstar :)

Just to make sure, I tested this again inside a virtual machine.  Same results as I got before.  I also have the latest version of ThreatFire installed in the VMware v5.5.5 virtual machine.  Perhaps it's failing due to interaction with ThreatFire.  Or maybe it's because the test was done inside a virtual machine.  Has anybody else done the AKLT tests with v3.0.18.309?

Offline salmonela

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 637
  • COMODO Volunteer DEModerator
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #5 on: February 27, 2008, 10:33:51 AM »
Ok, 2nd screenie popped up on execution of AKLT and all two screenshoting attempts from AKLT failed.
screenie 4 affect "GetKeyState", "GetAsyncKeyState", "GetKeyboardState" and "GetRawInputData"
screenie 5,6 blocked "DirectX" from keyloging
screen 7 blocked "LowLewel Hook" and "JournalRecord Hook"

Note: retested again, method by method (tested one method, closed AKLT, open AKLT, tested second method...) and also while pop up windows (warnings) from CFP stays unanswered on screen...
All AKLT tests are passed by CFP
« Last Edit: February 27, 2008, 10:35:57 AM by salmonela »
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Some keylogging methods are not detected anymore (V3.0.18 X32)
« Reply #6 on: February 27, 2008, 11:51:13 AM »
I tested this issue inside a virtual machine with v3.0.14.276, and got the same results, namely some AKLT keylogging tests gave no appropriate alert.  Then I uninstalled ThreatFire in the virtual machine and rebooted.  All of the keylogging tests in AKLT then triggered appropriate alerts in CFP.

I then tested on my physical machine with v3.0.14.276 and ThreatFire v3.0.14.16.  Again, some of the AKLT keylogging tests failed, namely GetKeyState, GetAsyncKeyState, and GetRawInputData.  ThreatFire also did not warn of keylogging during any of these 3 tests.  The other four tests - GetKeyboardState, DirectX, LowLevel Hook, and JournalRecord Hook - triggered appropriate alerts in CFP.

Thus, it seems that there is an interaction issue between Comodo Firewall and ThreatFire that prevents some keylogging methods from being detected.  There is a thread at ThreatFire forum about this issue - http://www.pctools.com/forum/showthread.php?t=50792.
« Last Edit: February 27, 2008, 12:32:09 PM by MrBrian »

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
I don't know much about TF but it looks like a HIPS thus conflict is inevitable. I guess you should use CFP firewall only to install TF.
« Last Edit: February 27, 2008, 06:06:55 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
I don't know much about TF but it looks like a HIPS thus conflict is inevitable. I guess you should use CFP firewall only to install TF.

I do realize that both are HIPS products but there are good reasons to use both instead of just one.  This is the only issue I've seen so far in the week or so that I've had ThreatFire installed.  I'm hoping it can be fixed by one of the vendors.  If not, then perhaps the installer for CFP should warn about the issue if ThreatFire is already installed.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
I do realize that both are HIPS products but there are good reasons to use both instead of just one.  This is the only issue I've seen so far in the week or so that I've had ThreatFire installed.  I'm hoping it can be fixed by one of the vendors.  If not, then perhaps the installer for CFP should warn about the issue if ThreatFire is already installed.

Ok. understood.

if you disable keyboard in Advanced\D+ settings\Monitor settings Does TF catch keyloggers?
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Ok. understood.

if you disable keyboard in Advanced\D+ settings\Monitor settings Does TF catch keyloggers?

No - not in physical machine.  In virtual machine, if I recall correctly, ThreatFire catches keyloggers without changing this setting.
« Last Edit: February 28, 2008, 02:17:15 AM by MrBrian »

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
No - not in physical machine.  In virtual machine, if I recall correctly, ThreatFire catches keyloggers without changing this setting.

You never mentioned this before. So did you actually tested this too?
Does TF has a setting like CFP that allow to disable a protection monitor?
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Does TF has a setting like CFP that allow to disable a protection monitor?

No

You never mentioned this before. So did you actually tested this too?

Yes.  Comodo Firewall behaves the same in VMware virtual machine as with physical machine in regards to the AKLT keylogging tests when ThreatFire is installed.  But in a virtual machine with Comodo Firewall 3 installed, ThreatFire catches a subset of the AKLT keylogging tests, while in a physical machine ThreatFire catches none of them, if I recall correctly.  Your results of course may vary....



Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Yes.  Comodo Firewall behaves the same in VMware virtual machine as with physical machine in regards to the AKLT keylogging tests when ThreatFire is installed.  But in a virtual machine with Comodo Firewall 3 installed, ThreatFire catches a subset of the AKLT keylogging tests, while in a physical machine ThreatFire catches none of them, if I recall correctly.  Your results of course may vary....

Yep I understood your test case but I proposed a variation,
that is if you disable keyboard in Advanced\D+ settings\Monitor settings  CFP will not catch those keylogging leaktests but it should enable TF to catch them in physical machine
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Yep I understood your test case but I proposed a variation,
that is if you disable keyboard in Advanced\D+ settings\Monitor settings  CFP will not catch those keylogging leaktests but it should enable TF to catch them in physical machine

Sorry if my previous answer of "No - not in physical machine" was unclear.  I meant that I did try this variation in the physical machine, but it made no difference in ThreatFire's ability to catch keyloggers.  Thanks for the good suggestion though.

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek