Zemana Screenlogger

I have set Defence+ to “Paranoid”, and I also have disabled “My Own Safe Files list”. So now I should have no whitelists in use except for what I create myself. I just got that confirmed in this thread:
https://forums.comodo.com/defense-sandbox-help-cis/how-to-disable-the-comodo-safelist-t59650.0.html

Any new file executing on my system should now provoke a pop-up, right?

Now I’ve tried the Zemana Screenlogger on my 64 bit Windows 7.
http://www.zemana.com/screenlogger_test.aspx

NO pop-up! Zemana Screenlogger is able to run and CIS is NOT giving me any pop-up.

Any comments? Anything we can do to troubleshoot this issue?

Seven x64, Proactive mode, FW and D+ in Safe mode, Sandbox enabled.
I receive a D+ warning followed by automatic sandboxing, and no matter how I respond to the D+ alert, when I press Start on Zemana nothing happens.


For me it’s sandboxed and then I get the global hook warning. I blocked it and it couldn’t get any screenshots.

Thank you very much for your feedback. I have now reinstalled CIS and tried to run Zemana Screenlogger again. With the default settings it was blocked. But now I have changed Defence+ back to “Paranoid” and again I get no pop-up when running Zemana Screenlogger (let me know if you need a screenshot to believe me, because I admit this seems strange). Changing back to the default “Safe mode” does not change this behavior.

Furthermore, I have noticed that I also did not get any pop-up for Notepad, Firefox and a few other programs. It doesn’t really make sense, since I disabled all whitelisting, and I DID get lots of pop-ups for other applications after I reinstalled CIS.

Could I get you to try the Zemana Screenlogger using Paranoid mode, and then switch back to Safe mode and try again?

I deleted the rules for it from Computer Security Policy and then changed from Proactive Security to Paranoid Mode for Defense+.

It is sandboxed and I still get the hook alert. It is the same as in Proactive Security.

I now once again delete the rules made for it from Computer Security Policy and then change Defense+ back to Safe Mode.

I run it again and I get exactly the same results.

I assume that the problem for you is leftover rules in your Computer Security Policy. Check that out and see if that solves your problem. I’m not sure why that would be a problem, but I believe it’s probably the only thing we did differently.

Also, I went from Safe Mode to Paranoid mode and passed without any pop-ups, except that it was sandboxed. Switching back and forth makes no difference. It can’t record my screen and I don’t have to answer any alerts. I’m not sure what yours is doing unless you allowed it and accidentally told it to remember your decision.

Thank you very much for your help, Chiron, I really appreciate it.

I have checked the Computer Security Policy but not found anything that looks unusual or like I should have accidentally allowed Zemana Screenlogger. Also, just as an example, Firefox is not listed but is still running fine and without any pop-ups.

I do have Zemana Screenlogger in “My pending files”, but I would not expect that it should then just be allowed. Nevertheless, it still runs without me getting any pop-up.

By the way, it seems that my issue is similar to this:
https://forums.comodo.com/defense-sandbox-help-cis/defense-doesnt-alert-enough-t59503.0.html

And this:
https://forums.comodo.com/defense-sandbox-help-cis/defense-not-working-t59645.0.html

I’ve done some further testing on a couple of virtual PCs running Windows Vista and 7 (both 32 and 64 bit). Even though I just got a pop-up when I wanted to open Notepad, I could still run Zemana Screenlogger. It was blocked by the sandbox this time, but still no pop-up from Defence+.

It is about the same on the other virtual PCs. Generally no pop-up, even with Defence+ at maximum security and all whitelists off. And this was done on a completely different host PC, so it does not seem like a hardware issue specific to my home PC.

And here is something interesting: I just tested PC Tools Firewall Plus the same way on a virtual Windows XP 32-bit. I disabled all whitelists and STILL Zemana Screenlogger ran without problems.

I have even tried to remove EVERYTHING in “Computer Security Policy” on my CIS. Obviously the pop-ups started immediately and I had to allow a lot of applications. The first thing I ran myself however was Zemana Screenlogger. It was stopped by the sandbox, but STILL no pop-up asking me to allow or deny.

Paranoid mode has this description:

  • Computer security policy is applied.
  • Every action that is not listed in the policy is alerted to the user.

Yet I’m still getting NO pop-up for Zemana Screenlogger on several different operating systems. On my own physical PC it’s not even caught in the sandbox.

Seems to me like all this should NOT be happening. How can we troubleshoot this further? It might be a bug in CIS, so I suggest we examine it further, and I’m ready to assist if needed.

Have you tried this on your actual computer yet? It seems like you’re only testing it in a virtual environment. This could change the way that CIS reacts.

As this application isn’t dangerous can you try it on a real computer and let us know what the results are?

Blocked on a “real” Windows SP3 Pro (32-bit) with CIS v3 (hence no sandbox), set to Proactive, firewall Custom, Defense+ Paranoid with everything checked, normal image execution, no trusted software.

If I block and remember, a new rule is automatically created for ScreenLogger, blocking the screen protection item.

Chiron, yes, it was on my actual physical PC that I first experienced this issue. I have since been able to reproduce the issue on several virtual PCs. On the virtual PCs the Zemana Screenlogger is caught in the CIS sandbox, but I still don’t get any pop-up to allow or deny. On my physical PC it is not even caught in the sandbox, it just runs.

Puzzle partly solved. I have contacted Zemana and they don’t seem to mind me quoting them. So this is their reply:

First, we thank you for contacting Zemana technical support.

As we understand from your post on the Comodo forums, you are using a 64-bit OS.

Currently it is not possible to stop screen logging or similar activities without patching the kernel (SSDT), which is protected by KPP (Kernel Patch Protection, informally known as PatchGuard). This is because Microsoft extended the core of the operating system kernel in the x64 editions of Windows with KPP in such a way that self-checks are routinely performed to detect tampering. Comodo must make changes to the kernel to implement proactive protection for screen logging activity. These changes are detected by PatchGuard as tampering, so the system will crash (BSOD) soon after the changes are detected.

There is only one way to hack KPP, but Comodo will never do it, nor will we; that’s why we are not releasing a 64-bit version of AntiLogger yet. We are trying to implement our protection with Microsoft-documented interfaces, but currently it’s very difficult to implement certain behaviors.

Please feel free to contact us if you have any further questions or suggestions.
If you need to reply to this email, please include all previous messages for reference!

Best Regards,
Zemana Customer Support Department
Zemana Ltd.

So apparently this is probably a limitation of all application firewalls running on a 64-bit platform. But is it something to be concerned about? Could it be used to circumvent an application firewall and compromise a system? Any opinions about that?

Here’s a post on x64 issues:

https://forums.comodo.com/empty-t54248.0.html

But I ran the test on my computer. This is a Windows 7 x64. ???

I really can’t explain that. I’m here because I hope someone smarter than me can explain this stuff.
By the way, I have now been able to reproduce the issue on another Windows 7 64-bit machine. The Zemana Screenlogger simply runs: it is not caught in the sandbox, it does not trigger any pop-up, and all Defence+ settings are at max security with no whitelists in action.

I guess application firewalls simply have their limitations and can’t stop all programs from running. An interesting question is whether this can be used to circumvent an application firewall and compromise a system. I have asked Zemana about it and this is their reply:

Yes, unfortunately it’s possible if the malware is a “zero day” one. It’s not until your AV software updates its virus fingerprints, and you then take that update, that your AV would know what to look for.

What do you guys think? Can CIS be circumvented by sufficiently advanced malware?

Well, all software is vulnerable; if you look hard enough you can find ways.
But it should not be that you don’t get any alert.

Can you test with Comodo Leak Test?

And see what turns up?

Thank you Ronny. I ran the test and scored 200 of the 340 points. Is that normal?

You may want to know that I did not receive a single pop-up. Should I?

Yes, something is wrong, unless all settings are in Learning mode or disabled, that is…
Can you try a clean install and leave things default (or maybe disable the sandbox) and try again?

I have uninstalled CIS, rebooted, installed CIS again, and rebooted. So I now have default settings, and yet I get more points in the test: 220 this time.
During the test I got a single pop-up about “accessing the internet” or something like that. I blocked it.

Is this normal or should CIS give a better score than 220?

I have also just tried Zemana Screenlogger again. Now I get a pop-up and it is also caught in the sandbox.

Win 7/32
CIS 4.1 screenlogger.exe sandboxed and contained.

CIS 5 beta screenlogger sandboxed and NOT contained, captured screen, no alert.

Then I found screenlogger.exe in the Defense+ events as “scanned online found safe”.
Please advise.

Update: since Zemana made it onto the Trusted Vendor List, screenlogger is white-listed also, hence the failed test. Kind of renders the test useless.