Some keylogging methods are not detected with ThreatFire (V3.0.14 - .21 X32)

[Guest]

[MrBrian]

Some types of keylogging are no longer detected by v3.0.18.309 on Windows XP SP2.  All 7 keylogging methods from AKLT (http://www.firewallleaktester.com/aklt.htm) were detected in older CFP versions - such as v3.0.14.276 - but with v3.0.18.309 some of the methods are no longer detected.

Since I was testing this in a virtual machine, perhaps somebody can try to replicate these results on a physical machine, just to make sure it wasn't an issue with virtual machines only or an interaction with new software I have installed recently.

Version: v3.0.18.309
CPU: 32 bit
OS: Win XP SP2
Other security programs running: NOD32, ThreatFire
Defense+ Security Level: Paranoid Mode
Firewall Security Level: Custom Policy Mode

[salmonela]

Everything is fine here (comodo detected and stopped all keyloging and screenshoting tries) on "physical" machine (non virtual):
Version: v3.0.18.309
CPU: 32 bit
OS: Win XP SP2 Pro
Defense+ Security Level: Train with Safe Mode
Other security programs: Kaspersky IS (without FW and Proactive Defense-behavior blocker components), Comodo Memory Firewall.
Tested aklt v.3 with focus (while typing) on notepad, see screenies of warnings beneath...

[MrBrian]

Thanks for the feedback salmonela

I looked at your screenshots.  I could not tell if, for every one of the AKLT tests, you actually did receive an alert for low-level keyboard access or global hook (for keylogging tests) or an alert for reading the screen directly (for the screen reading tests).  Some of your screenshots showed other types of alerts, which don't matter for the purposes of this type of testing.  Do you remember if you received the proper alert for each of the tests, salmonela?

[vignesh]

Hi,
    I see that only the test 'screenshot2' failed.. but the tests you were mentioned are pass.
Please verify the attached snapshots.

CFP:3.0.18.309
OS:Win XP SP2 x32
Defense+:Train with safe
Firewall:Train with safe

[MrBrian]

I see that only the test 'screenshot2' failed.. but the tests you were mentioned are pass.
Please verify the attached snapshots.

Thanks hiddenstar

Just to make sure, I tested this again inside a virtual machine.  Same results as I got before.  I also have the latest version of ThreatFire installed in the VMware v5.5.5 virtual machine.  Perhaps it's failing due to interaction with ThreatFire.  Or maybe it's because the test was done inside a virtual machine.  Has anybody else done the AKLT tests with v3.0.18.309?

[salmonela]

Ok, 2nd screenie popped up on execution of AKLT and all two screenshoting attempts from AKLT failed.
screenie 4 affect "GetKeyState", "GetAsyncKeyState", "GetKeyboardState" and "GetRawInputData"
screenie 5,6 blocked "DirectX" from keyloging
screen 7 blocked "LowLewel Hook" and "JournalRecord Hook"

Note: retested again, method by method (tested one method, closed AKLT, open AKLT, tested second method...) and also while pop up windows (warnings) from CFP stays unanswered on screen...
All AKLT tests are passed by CFP

[MrBrian]

I tested this issue inside a virtual machine with v3.0.14.276, and got the same results, namely some AKLT keylogging tests gave no appropriate alert.  Then I uninstalled ThreatFire in the virtual machine and rebooted.  All of the keylogging tests in AKLT then triggered appropriate alerts in CFP.

I then tested on my physical machine with v3.0.14.276 and ThreatFire v3.0.14.16.  Again, some of the AKLT keylogging tests failed, namely GetKeyState, GetAsyncKeyState, and GetRawInputData.  ThreatFire also did not warn of keylogging during any of these 3 tests.  The other four tests - GetKeyboardState, DirectX, LowLevel Hook, and JournalRecord Hook - triggered appropriate alerts in CFP.

Thus, it seems that there is an interaction issue between Comodo Firewall and ThreatFire that prevents some keylogging methods from being detected.  There is a thread at ThreatFire forum about this issue - http://www.pctools.com/forum/showthread.php?t=50792.

[gibran]

I don't know much about TF but it looks like a HIPS thus conflict is inevitable. I guess you should use CFP firewall only to install TF.

[MrBrian]

I don't know much about TF but it looks like a HIPS thus conflict is inevitable. I guess you should use CFP firewall only to install TF.

I do realize that both are HIPS products but there are good reasons to use both instead of just one.  This is the only issue I've seen so far in the week or so that I've had ThreatFire installed.  I'm hoping it can be fixed by one of the vendors.  If not, then perhaps the installer for CFP should warn about the issue if ThreatFire is already installed.

[gibran]

I do realize that both are HIPS products but there are good reasons to use both instead of just one.  This is the only issue I've seen so far in the week or so that I've had ThreatFire installed.  I'm hoping it can be fixed by one of the vendors.  If not, then perhaps the installer for CFP should warn about the issue if ThreatFire is already installed.

Ok. understood.

if you disable keyboard in Advanced\D+ settings\Monitor settings Does TF catch keyloggers?

[MrBrian]

Ok. understood.

if you disable keyboard in Advanced\D+ settings\Monitor settings Does TF catch keyloggers?

No - not in physical machine.  In virtual machine, if I recall correctly, ThreatFire catches keyloggers without changing this setting.

[gibran]

No - not in physical machine.  In virtual machine, if I recall correctly, ThreatFire catches keyloggers without changing this setting.

You never mentioned this before. So did you actually tested this too?
Does TF has a setting like CFP that allow to disable a protection monitor?

[MrBrian]

Does TF has a setting like CFP that allow to disable a protection monitor?

No

You never mentioned this before. So did you actually tested this too?

Yes.  Comodo Firewall behaves the same in VMware virtual machine as with physical machine in regards to the AKLT keylogging tests when ThreatFire is installed.  But in a virtual machine with Comodo Firewall 3 installed, ThreatFire catches a subset of the AKLT keylogging tests, while in a physical machine ThreatFire catches none of them, if I recall correctly.  Your results of course may vary....

[gibran]

Yes.  Comodo Firewall behaves the same in VMware virtual machine as with physical machine in regards to the AKLT keylogging tests when ThreatFire is installed.  But in a virtual machine with Comodo Firewall 3 installed, ThreatFire catches a subset of the AKLT keylogging tests, while in a physical machine ThreatFire catches none of them, if I recall correctly.  Your results of course may vary....

Yep I understood your test case but I proposed a variation,
that is if you disable keyboard in Advanced\D+ settings\Monitor settings  CFP will not catch those keylogging leaktests but it should enable TF to catch them in physical machine

[MrBrian]

Yep I understood your test case but I proposed a variation,
that is if you disable keyboard in Advanced\D+ settings\Monitor settings  CFP will not catch those keylogging leaktests but it should enable TF to catch them in physical machine

Sorry if my previous answer of "No - not in physical machine" was unclear.  I meant that I did try this variation in the physical machine, but it made no difference in ThreatFire's ability to catch keyloggers.  Thanks for the good suggestion though.

[Tags:]