about the keylogger and the screen logger

pikusek · November 19, 2011, 3:26am

I know this and therefore I use the alerts with the option “More options” (I call it “long-alert”). I have more control over the programs. I know - a lot of clicking, but I can afford to allow files such as “MSCTF.dll” or “dwmapi.dll” to run without damage to the system (provided the sandbox is off). With the option “Fewer options” (I call it “short alert”), I have already decided on “MSCTF.dll”.
But I noticed another interesting thing. If I have enabled sandbox and how I adjust the level of “untrusted” (505.png), I can “to take” the screen (tested program “Security Test Tool 1.4” (503.png) and “Zemana ScreenLogger Simulation Test v1.0.0.33” (500.png)), but the keylogger is no chance to intercept the keyboard (502.png) .

[attachment deleted by admin]

mouse1 · November 19, 2011, 9:22am

This is I think a reflection of this design feature: here.

pikusek · November 19, 2011, 2:15pm

Exactly.

It is blocks, if the sandbox is disabled. Show an additional alerts. D+ in “Safe Mode” (photos 528,533, 530, 531 and 532).

If the sandbox is enabled, then all is not blocked (“Partially Limited” - photos 534 to 537. “Untrusted” - the same behavior whithout alert from photo 534).

[attachment deleted by admin]

miloszcz · November 19, 2011, 7:54pm

To sum up:

Partially limited cannot block loggers,
Defense+ CAN block loggers,
Restrictions level above partially limited can block loggers.

grahamcopley · November 22, 2011, 5:13pm

a256886572008 - This seems like a major flaw in CIS, which should not occur with the default install settings.

Comodo should issue an urgent fix for this - so (as requested by mouse1) could you please create a bug report for this ASAP?

a256886572008 · November 23, 2011, 2:12am

https://forums.comodo.com/format-verified-issue-reports-cis/partially-limited-policy-cannot-block-some-keyloggers-and-screengrabbers-t78638.0.html

loveboy_lion · November 26, 2011, 2:53am

even 5.9 fails in partially limited

mouse1 · November 26, 2011, 10:07am

I assume what you have is a pre-release build, maybe even a pre-Beta, loveboy, not the final release version? May be worth making that clear so as not to confuse…

Best wishes

Mouse

loveboy_lion · November 26, 2011, 10:26am

I may not have 5.9 stable but it works fine anyways 5.9 stable version will be out by the end of this month

mouse1 · November 26, 2011, 11:08am

Maybe…Maybe not.

malwarekiller · May 31, 2013, 4:22pm

Is keylogging protection now in CIS 6 sandbox when it is in partially limited?

as I dont see it here: Comodo Preset Configurations, Firewall Security | Comodo Internet Security v6.2

a256886572008 · May 31, 2013, 4:42pm

2013-05-05 13:33:45 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Sandboxed As Partially Limited
2013-05-05 13:33:48 C:\WINDOWS\system32\net1.exe Sandboxed As Partially Limited

2013-05-05 13:33:48 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited

2013-05-05 13:33:56 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Modify File \Device\NamedPipe\atsvc

2013-05-05 13:33:56 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Modify Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39B1D41D

2013-05-05 13:33:56 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Modify File C:\WINDOWS\39B1D41D\svchsot.exe

2013-05-05 13:33:56 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Access Memory C:\WINDOWS\explorer.exe

2013-05-05 13:35:45 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Direct Keyboard Access

2013-05-05 13:35:53 C:\Documents and Settings\All Users\Application Data\Shared Space\3813343\30.exe Modify File C:\WINDOWS\system32\39B1D41D.key