CIS fail passed keylogger test

ruiky · July 22, 2010, 4:41am

The test.exe is a keylogger test tool and CIS fail passed although d+ prompt text.exe want to access the keyboard and I click “block”.

CIS 4.1…920

[attachment deleted by admin]

burebista · July 22, 2010, 4:47am

Yes indeed. :o
And automatically sanboxed works too without any warnings.
XP SP3 x32, Proactive, AV stateful, FW/D+ Safe Mode, Sandbox enabled/disabled.

Sammo · July 22, 2010, 4:41pm

CIS passes the test on my computer. Once I click 'block" it can not be accessed. I get the following error:
“Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.”

ruiky · July 22, 2010, 11:24pm

are you sure you allow the test.exe to run?

harsha_mic · July 23, 2010, 12:06am

Yes, i can confirm. Test.exe could manage to capture the keystrokes despite of “block” selected for keyboard access alert.

Scenario 1:
→ CIS Proactive Mode + Sandbox Enabled
Result: Not a single alert. Test.exe manages to capture the keystroke successfully.

Scenario 2:
→ CIS Proactive Mode + Sandbox Disabled
2 Alerts
1st Alert (Execution alert) → Clicked “Allow” button
2nd Alert (Keyboard Access alert) → Clicked “Block”
Result: Test.exe manages to capture the keystroke successfully.

Scenario 3:
→ Browser protected with Prevx Safe Online
Result: Passed. Test.exe could not able to capture keystrokes
→ Prevx Safeonline disabled.
Result: Test.exe manages to capture the keystroke successfully.

My System Config - Win 7 64 bit

Could any of the mods confirm the same. And so, devs can take a look.

Thanks,
Harsha.

Sammo · July 23, 2010, 12:14am

I did not allow it to run. If I allow it and then block it when it tries to access the keystrokes CIS will fail to stop the test file. I recommend SpyShelter free. I used it and it kills the test dead - http://www.spyshelter.com >:-D

ruiky · July 23, 2010, 2:49am

It just doesn’t make sense if you did not allow test.exe to run.

Sammo · July 23, 2010, 3:03am

I actually tested it and allowed test.exe to run. I then told CIS to prevent test.exe from accessing keyboard strokes and it was able to do so, thus CIS fails this test. This is why I also use SpyShelter which will not fail the test.

ruiky · July 23, 2010, 3:06am

looks like SpyShelter is good, I hope comodo can block it as soon as possible

Chiron494 · July 23, 2010, 6:08am

Yep, I can confirm that Comodo fails it, even with the sandbox disabled and in proactive mode. Of course I had to allow it to run itself, but still it shouldn’t fail after I specifically deny it access to the keyboard.

AeoniAn · July 23, 2010, 5:33pm

this is happening since v3… nothing new.

I really don’t know why this thread isn’t at BUG REPORTS…

(but seems it doesn’t matter, see how many bugs were announced… I guess they are only messing with v5 now, and we have to wait to see if all 2009-2010 bugs are going to be solved in 2011 - this one (kb+cam+scr) is serious, but that script-bug are the worse.

STILL, CIS IS a very very good piece of costless sw that really do protect you. Not quite close to perfection, but… wait… till v21 at 2020 and see!!!

harsha_mic · July 23, 2010, 10:51pm

can any of the mods confirm whether this issue exists in v5 or not. If it exists, then devs can take a look and try to fix it before a public beta…

andrewuaic · July 24, 2010, 12:49pm

you have a problem with your cis install harsha_mic, happened to me too, sandbox stopped working. reinstall cis and redo the test. you will see the keylogger will be blocked.

Citizen_K · July 24, 2010, 3:17pm

I just tested it in the 2011 version and it does not get blocked.

I was testing with Proactive/Paranoid with both sandbox enabled and disabled. When automatically sandboxed it gets run partially limited and fails.

When running with automatic sandboxing disabled I do get a D+ alert and when I tell to block the direct keyboard access is still fails.

Running the program manually sandboxed it fails with all settings.

I am on Win 7 x86.

Szadout · July 24, 2010, 7:18pm

God bless KeyScrambler

Sammo · July 24, 2010, 8:05pm

KeyScrambler didn’t work for me. SpyShelter does, though.

Szadout · July 24, 2010, 8:22pm

both (Keyscrambler and SpyShelter) are working correctly, pity that both in full-featured versions are payable

BoredNow · July 25, 2010, 4:09am

Can I jump in here with a question?
A few months ago I installed a program (Mp3 cutter1.01) from Cnet.com…it cuts and trims Mp3s

The other day I began using Comodo CIS and it warned me that it (the Mp3 cutter) wanted to make changes…blah blah…and I just figured that I had been using it for a few months with no issues so I allowed it to run.

I’ve since done numerous scans with MWB … Hit man pro …Threatfire with no problems.

Then I did a Zemana test for keyloggers and CIS caught it, but the warning sounded familiar, so I checked the log and the flags were similar to Mp3 cutter!!?
Namely…

Install hook …windows/system32/dwmapi.dll
direct keyboard access

the only difference was that the Zemana keylogger test wanted to …access Com Interface

Why would a Mp3 cutter want to access the keyboard directly?

Do you think I have an invisible keylogger inside my Mp3 cutter?
Can it take screen caps?
Ah the paranoia!!

stuartm · July 25, 2010, 9:47am

Avira lets this test run yet stops spyshelters. If you disable sandbox,use parental control and clear trusted vendors list nothing runs unless its got a comodo digital certificate. Does white listing work? Not if you get your hands on a digital certificate it doesn’t.

lordraiden · July 25, 2010, 4:23pm

Comodo failing in a test is not new:
https://forums.comodo.com/news-announcements-feedback-cis/comodo-41-still-fails-with-spyshelter-leaktests-t55558.0.html