CFP fails Clipboard Logger Simulation Test

[Guest]

[aigle]

http://www.zemana.com/list/list.asp?ktgr_id=426

More detrails here:

http://www.wilderssecurity.com/showthread.php?t=204941

Can the interception for this behavior be added in some future version?

Thanks

[salmonela]

Yes, great test.
Another challenge to Comodo crew.
There is also more tests on that site, one particular will be very interested to Comodo (SSL Logger Simulation)

Screeny of CFP failure:

[aigle]

Hi thanks for that.

BTW u did not tried so far my malware sample where CFP is not able to detect memory modification.

[egemen]

http://www.zemana.com/list/list.asp?ktgr_id=426

More detrails here:

http://www.wilderssecurity.com/showthread.php?t=204941

Can the interception for this behavior be added in some future version?

Thanks

Yep. It seems CFP misses to catch clipboard callbacks. We will be introducing the defense against this with the upcoming versions. No worries.

the other tests should be ok.

[aigle]

Thanks for this.

[salmonela]

Yep. It seems CFP misses to catch clipboard callbacks. We will be introducing the defense against this with the upcoming versions. No worries.

the other tests should be ok.

It seems nothing yet for this new 3.0.22.349 build?

[salmonela]

BUMP
Upcoming version will detect clipboard logger test?

[aigle]

They promised to add it but seems so far it,s not done.

[Goose18]

*bump*     

Yep. It seems CFP misses to catch clipboard callbacks. We will be introducing the defense against this with the upcoming versions. No worries.

the other tests should be ok.

Any news on on fixing this in a future version? 

[aigle]

Hmmmm.... I am still waiting. I did not bump as I was waiting for next version.

[fOrTy_7]

CFP version 3.5.50676.393 still doesn't pass this Clipboard-Logger Simulation Test  .

[aigle]

Yes, I can confirm.

[hippocrates]

Does anyone know how to configure the latest CIS Beta such that it can detect Zemana keylogger and screen logger?

I failed all the tests with CIS, even on paranoid mode.  Thanks a lot.

[Yuriy]

I failed all the tests with CIS, even on paranoid mode.  Thanks a lot.

For me CF 3.5 passes these two tests (Defense+ shows relevant alerts and if we block these activities, all is ok). Settings are chosen during installation: proactive defense. After installation of CF relevant Defense+ settings are not changed. Defense+ is in safe mode.

Check if settings "keyboard" and "computer monitor" are checked (are on) under gui-defense+ -advanced-defense+ settings-monitor settings. Make sure relative Zemana's executables (keylogger and screen logger) are not listed under gui-defense+ -my own safe files. Delete appropriate rules for these executables from Computer security policy of Defense+.
Now Defense+ should catch them if set to Safe or Paranoid modes. 

[hippocrates]

For me CF 3.5 passes these two tests (Defense+ shows relevant alerts and if we block these activities, all is ok). Settings are chosen during installation: proactive defense. After installation of CF relevant Defense+ settings are not changed. Defense+ is in safe mode.

Check if settings "keyboard" and "computer monitor" are checked (are on) under gui-defense+ -advanced-defense+ settings-monitor settings. Make sure relative Zemana's executables (keylogger and screen logger) are not listed under gui-defense+ -my own safe files. Delete appropriate rules for these executables from Computer security policy of Defense+.
Now Defense+ should catch them if set to Safe or Paranoid modes. 

Wow, it worked! Thanks a lot.

It seems that the 'Computer monitor' and 'keyboard' are not selected by default under the normal installation of CIS.  In fact under 'Monitor Settings', most of the objects are not selected to be monitored.  It's unlike a normal installation of CFP 3.0 where all the options are ticked.

One thing that I had noticed soon after enabling keyboard monitor was Firefox 3.0.1 asked for permission to access to the keyboard.  At first I thought it was because I was typing this reply.  However, after I blocked it (just to experiment with it), I found that I can still type into this message box, right now!  If this is not the case, why on earth is Firefox trying to monitor my keystrokes?

Going back to the keylogger issue, should we suggest to Comodo to enable keyboard, monitor, and probably disk monitors by default in CIS?  Under current default settings, Defense+ is vulnerable against key- and screen-loggers.

And how about other activities to monitor?  Is it wise to leave them unticked too?

------------------

NEWLY ADDED: Now Firefox tried to monitor my screen, what is going on?

[Tags:]