While Matousec’s Security Software Testing Suite is designed for 32-bit Windows XP, some of the tests work also on 64-bit Windows 7. I gave them a try and got some troubling results:
Level 4 keylog1 - Failed and CIS didn’t prompt for keyboard access
Level 5 keylog2 - Failed and no prompt
Level 5 breakout1 - Failed (While in console the test reports it passed, IE does browse to the Matousec site and receives the failure message.)
Level 6 ddetest - Passed actually, but only if IE is disallowed to execute its own image iexplore.exe - which IE requires allowing at least once. No alert about Window Message which I assume there should have been.
Level 6 firehole - Failed and no prompt
Level 7 keylog5 - Failed and no prompt
So it seems keyboard logging is possible and the firewall can be bypassed by taking control of a browser.
Settings used: New installation with Maximum Proactive configuration, Sandbox disabled, Defense+ in Safe Mode and tests repeated in Paranoid Mode, signed applications not trusted. CIS version 4.1.150349.920.
So, bugs or limitations on 64-bit platform? Developers, any comment?
If somebody will bear with me and explain to me, as for dummies, how the heck I can use that suite, I’ll happily test those bypassed tests. The weekend has started here and I’m bored to death. ;D
Before you laugh at me, I’ve downloaded that suite and run the exe’s from the folders, but a brief cmd window appears and disappears. :o
Quote “SSTS is designed for Windows XP Service Pack 3 with Internet Explorer 8. Various tests may be compatible with other Windows versions and browsers too, but the functionality is not guaranteed there.”
The tests that do work and CIS fails to catch are what matter. They leave observable evidence, not hiding behind a gui that only gives a fail/pass result for each or clean up after themselves including repairing anything they may break. (The particular tests mentioned shouldn’t be damaging but some in the test suite can be.)
You won’t be able to use the test suite to create a full evaluation a la Matousec for Windows 7 64-bit but that’s not the point here. We don’t usually get a chance to ask for a “Windows 7 Ready” sticker from malware either.
Warning: This software is used for testing of security products and should never be used on production machines. Using this software may damage or erase your data. This software is provided “as is” and without warranty of any kind. More information about each test can be found in its source code file and in the shared source code files of the whole suite.
By using SSTS you agree with its licence that is included in the archive in licence.txt.
SSTS is designed for Windows XP Service Pack 3 with Internet Explorer 8. Various tests may be compatible with other Windows versions and browsers too, but the functionality is not guaranteed there.
It would be interesting to get Dave Matousec’s opinion about these tests being used on Win 7 x64, but then maybe he’s already expressed his opinion on the validity of these tests in this excerpt from his website.
Some of them cannot run or work properly because they attempt to load 32-bit drivers or use other too platform specific methods, others can. On 32-bit XP and Win 7, CIS can successfully intercept those methods of DLL hooking, DDE, window messaging and keylogging so something’s amiss. I think that much is valid.
Yes, Microsoft made it harder for both parties; their PatchGuard and other new restrictions on 64-bit are a new way to turn for both malware writers and security software vendors…
I personally don’t think these hooks pose “high risk” to your system if you know a little bit on how to stay secure. For a program to key-log, it first has to get installed on your system, so there should have been alerts already on other parts of the program to prevent that.