Zemana keylogs fully virtualized in & outside the Virtual Kiosk [M256]

A. CIS6 2674 Zemana Key Logger Successfuly Logs keystrokes when Sandboxed as Untrusted. Also Logs keystroke when run in the virtual kiosk.It does NOT log the virtual keyboard in the Virtual Kiosk
This happens with USB and PS2 Keyboards.

  1. What you did:Went to http://www.zemana.com/SecurityTests.aspx and download their keylogging tester and ran it as untrusted/sandbox and in the virtual kiosk
  2. What actually happened or you actually saw: Perfect keylogging
  3. What you expected to happen or see:No keyboard stokes from a PS/2 or a USB keyboard being logged while I type
  4. How you tried to fix it & what happened: No. After hearing from another forum member it does it even when fully virtualized i stopped there
  5. If its a software compatibility problem have you tried the compatibility fixes (link in format)?:no
  6. Details & exact version of any software (execpt CIS) involved (with download link unless malware):
    Avast!7.0.1474 Free Av version, Superantispyware 5.6.1014
  7. Whether you can make the problem happen again, and if so exact steps to make it happen:Right click on the key sim test with your sandbox settings as untrusted and say run in comodo sand box
  8. Any other information (eg your guess regarding the cause, with reasons):Maybe Comodo Can encrypt PS/2USB keybords and while their at it encrypt the virtual keyboard in the virtual kiosk

B. Files appended. (Please zip unless screenshots).Screenshot, Killswitch Log, And Diagnostc, and keylogger test program
0. A diagnostics report file (Click ‘?’ in top right of main GUI) Required for all issues):

  1. Screenshots of the 6.0 Killswitch Process Tab (see Advanced tasks ~ Watch Activity) or 5.x Active process list. If accessible, required for all issues:
  2. Screenshots illustrating the bug:included
  3. Screenshots of related CIS event logs:doesn’t give an alert
  4. A CIS config report or file.included
  5. Crash or freeze dump file:N/A
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version.

C. Your set-up

  1. CIS version, AV database version & configuration used: 6.0.2708 Proactive
  2. a) Have you updated (without uninstall) from a previous version of CIS:NO
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:YES
  3. a) Have you imported a config from a previous version of CIS:NO
    b) if so, have U tried a standard config (without losing settings - if not please do)?:N/A
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):Firewall Settings, ticked block fragmented IP Traffic, ticked enable anti-ARP spoofing. Enabled Stealth Ports,do protocol analysis, Filter loopback traffic, filter Ipv6 traffic
  5. Defense+, Sandbox, Firewall & AV security levels: Hips=Safe, Sandbox/BB= untrusted, Firewall = SAFE, CAV = Not Installed.
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 8 x64,UAC Off, Administrator level account
  7. Other security and utility software currently installed: Superantispyware 5.6.1014, Avast!7.0.1474 Free version
  8. Other security software previously installed at any time since Windows was last installed:NONE
  9. Virtual machine used (Please do NOT use Virtual box):NONE
    *issue occurs on two different PC’S both running Windows 8 x64 pro, UAC OFff, Administrator accounts

[attachment deleted by admin]

Cross reference to thread in which this was discussed:

Note The Paid For Zemana AnitLogger cannot protect it self from this test either.
Inother words it fails it’s own test. read this thread.

After Egemens replies (see linked topic). Here’s what I propose.

  1. This forum’s declared scope is to document user ‘issues’ not just things that meet the technical definition of bugs. Behavior (or lack of it) that poses significant problems for users given the overall design intent of CIS. Vulnerability to some forms of keylogging is a problem, and CIS intends to block keyloggers where it can without usability problems, AFAIK.
  2. Egemen has said he does not regard this as a bug - paraphrasing it’s a compromise between security and usability, the best they can do given current technology. So I feel it’s an intermediate case. A design limitation they’d like to fix if they knew how.
  3. I will therefore forward this (and leave the prior report on file), marking it’s ‘enhancement or bug’ status on the tracker as ‘debatable’.

You may wish to note this as a wish list item as well.

Hope that’s acceptable to all.

Best wishes


Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again


It’s reassuring knowing a logger cannot phone home without say so (if FW alerts are on)
I think that the ability to create separate rules for the kiosk/sandboxed apps would be a nice addition to CIS
ie turn HIPS and high FW alerts on in VK and sandboxed apps
Thanks for helping clarify this issue mouse :-TU

Hi Dr Haze.

Just wanted to check if this was fixed for you in 2801:

I tested this by running it in the FV Sandbox. After opening it I opened up a non-virtualized instance of Comodo Dragon. What I found was that even if I made Dragon full screen and typed into the URL bar, the keys were logged by the keylog test run in the FV sandbox.

By the way, this issue is probably very similar to the one I raise here, although as it’s a different tester it’s probably best to leave them separate. I’m just posting it for the devs benefit.

Thus, this is still not fixed with CIS version 6.1.276867.2813.

Tracker updated, thanks

This is still not fixed with CIS version 6.2.282872.2847.

I have received feedback from the devs that apparently this is by design. Foreground screen access is allowed in partially limited or fully virtualized.

Thus, I will move this to Resolved.

Actually, after additional discussions, this has been re-opened. I’ll now move this back to format verified.

Thank you.

Upon further review, Comodo has classified this as a possible enhancement.

I have thus moved this to the Wishlist.