Getting key logged with a sandboxed keylogging tester. And in Virtual Kiosk

Zemana key log tester. I right-clicked on it and said run in sandbox and it key logged me. Then I went into virtual kiosk and ran it and tried a normal keyboard and it logged it; see screenshots. Attached is the tester. See attachments. The virtual keyboard was not logged. This was cool.

I ran the keylogger test on my desktop sandboxed, then went into the virtual kiosk to see if it could log the keyboard while being sandboxed outside the kiosk. It could not log this way. This is with a PS/2 keyboard, which saves a USB port!

I edited the layout with capitals, spaces and basic paragraph structure for a better read. Eric


I remember seeing somewhere a screenshot showing that Partially Limited isn’t enough to stop keyloggers, and the sandbox needs to be set to either limited or restricted or higher to stop the keylogs.

But the part about the kiosk should not happen, and I see that as a flaw.

Does the same thing happen when connecting the keyboard to a USB port?

That’s with the sandbox set to untrusted, not partially limited. Let me get a USB keyboard and see what it does.
Yes, it logs the USB keyboard as well, running it as untrusted. And it logs the USB if I run the test in the virtual kiosk as well, USB or PS/2, inside or outside the virtual kiosk. Attached now is virtual kiosk screenshot with USB keyboard.


I have reproduced this on W8 x64 with proactive, HIPS off and fully virtual enabled.

Edit: When run outside of kiosk it fails to log keystrokes from inside kiosk
When run in kiosk it fails to log keystrokes outside of kiosk

Right. But if logging outside the kiosk and running in sandbox, it logs USB and PS/2 keyboards.
And when running it in the virtual kiosk it logs USB and PS/2 keyboards.
But I didn’t know it logged when fully virtualized as well…ouch…
And the virtual keyboard it does not log at least.
:o

I’m not certain this information is current but in the thread here: https://forums.comodo.com/bug-reports-cis/d-not-blocking-properly-certain-key-loggers-when-isolating-their-prosses-v6-t91304.0.html
mouse1 says

And

But then

So I’m a little bit confused whether that is what is happening or not, you could go look through the thread yourselves to get a better view of what was being discussed and hopefully mouse1 could perhaps comment on this and note whether it’s right or wrong or undecided. 88)

PS. I was the one who added bold and color etc.

What we have been told is that foreground processes can screenshot and (I think) keylog, background ones cannot. The intent is to create screenshot and keylogging rules which keep you safe without alerts and without preventing genuine programs running. Not easy.

It’s interpreting the first statement which is difficult. If foreground means ‘continuously with focus’ it seems trivial. So maybe it does not mean that. Maybe it means ‘has focus at some stage’ or ‘has been clicked on at some stage’. Maybe it means ‘is in front at some stage’. Maybe it means ‘has a window’ - if so how big? That’s what we are trying to work out.

Difficult to know what’s a bug and what’s not unless we do.

I have raised a query in the mod’s Board. Hopefully a dev will post here or there to clarify.

Very sorry for the confusion

Best wishes

Mouse

OK treating it as a potential bug for the moment, seems like one to me.

Dr Haze or anyone else, could I have a bug report re this exploit in fully virtual please as well?

Many thanks in anticipation

Mouse

Ok I can file the report if need be…
at work right now so will be later this evening
Thanks

That’s much appreciated, thanks.

Mike

This is not a bug guys:

Here is what is expected from CIS 6:

1 - If a keylogger is running inside Kiosk, it should not be able to log any keys while you use the computer outside the kiosk or vice versa.
2 - If a keylogger is running in sandbox in users’ desktop, SOME background keyloggers will be blocked, SOME will not be. This depends on the technique used.
3 - Static HIPS should detect any keylogging attempt whether it is background or foreground (i.e. if an app is not sandboxed and not safe and HIPS is enabled).

Just to be clear about something. Regardless of whether the keyloggers are blocked or not, the user will always receive a firewall alert before any of the logged information could be transmitted. Is this true for keyloggers, regardless of whether fully virtualized or Behavioral Blocked?

Thanks.

Yes. Firewall works independently. It will show alerts (if alerts are enabled).

Thank you.

This is an important issue that can easily be misunderstood
Thanks for response and clarification :-TU

Thanks for your response which is much appreciated.

[edit:] Could you please define what you mean by foreground and background. Does foreground=window with focus while you are typing? That is the one you are typing into?

So this implies that if it’s running in the Kiosk it’s allowed to keylog in the Kiosk? In the Kiosk, in default config, outbound firewall connections are allowed by default. So there’s a risk here?

2 - If a keylogger is running in sandbox in users' desktop, SOME background keyloggers will be blocked, SOME will not be. This depends on the technique used.
I struggle with the idea of a foreground keylogger. Would that not be a fake app?

Just out of interest, why are only some background loggers trapped?

3 - Static HIPS should detect any keylogging attempt whether it is background or foreground (i.e. if an app is not sandboxed and not safe and HIPS is enabled).
Would it be possible to enable static HIPS in Kiosk, for those who wanted it? Even by registry key?

Best wishes

Mouse

Background logging is an improvement over 5.x, which doesn’t block any keylogging at all. So when we AUTOMATICALLY block something, we have to make sure that it is reasonable.

In kiosk or not, firewall is going to show you alerts if you want it to show.

Thanks very much for this info.

I added a line by edit, sorry to confuse, but could you clarify this?

[edit:] Could you please define what you mean by foreground and background. Does foreground=window with focus while you are typing? That is the one you are typing into?

Yes. That’s what it means. It doesn’t mean it is visible. It must be active.