Trusteer Rapport - Opinions?

Discussion in 'other anti-malware software' started by speedtouch, Feb 10, 2010.

Thread Status:
Not open for further replies.
  1. speedtouch Registered Member

    Have just downloaded Trusteer Rapport from Natwest and found some of its features interesting. It encrypts keyboard strokes at kernel level just like KeyScrambler but also does a lot more. It blocks all access to information in your browser so that malware cannot read it. It also protects your browser from unknown toolbars and add-ons/extensions by isolating them from the browser. And finally it protects against phishing, pharming and DNS type attacks.

    Here's some info:

    http://www.trusteer.com/product/technology
    http://www.trusteer.com/presentation-how-it-works

    This got me thinking because I've been using Geswall which is not compatible with it. It has made me realise that while programs like Geswall, Defensewall and Comodo Firewall etc. do a good job of protecting your system, are they really so good at protecting your browser? Geswall or Defensewall will let an executable or virus run, for instance, because the executable/virus would be untrusted if it came in through your browser. Can that executable/virus potentially read info in your browser not just through keylogging but also by directly reading fields or accessing the browser's internal storage? If so these solutions are not very good at protecting private information in the browser. Is something like Rapport essential then? What are your views?
    Last edited: Feb 10, 2010
  2. 1000db Registered Member

    DW and GW both will stop keyloggers while protecting the browser. The methods that keyloggers use to capture your keystrokes are actually denied by both of these programs as long as the keylogger is run isolated/untrusted. I've used GW on my home computer for quite a while and DW on hundreds of computers at work. None of those computers have been infected when DW or GW was functioning. I'm not familiar with Trusteer so I can't give you an opinion but I do know that if you are using Defensewall (maybe combined with a good traditional AV) you really don't need anything else.
  3. speedtouch Registered Member

    I know these programs have some keylogger protection, but what about directly reading information in the browser either from the fields or the browser's internal storage? As far as I know both Defensewall and Geswall will allow this because any malware would be untrusted and have access to other untrusted resources. Or am I wrong? Would malware have to access an interface by a method that would be blocked? This is what I really want to know.

    Also what about malware in add-ons etc. Take a look at this report:

    http://www.theregister.co.uk/2010/02/05/malicious_firefox_extensions/
    Last edited: Feb 10, 2010
  4. 1000db Registered Member

    Yes, as far as I know malware would have to use methods that are restricted by both DW & GW. I don't know of any malware that reads the data in the specific fields as opposed to capturing it from your keystrokes (I'm not saying it doesn't exist, I honestly don't know). Another method malware can use is screen logging which again both of these apps prevent. As for your question about add-ons; I don't know. I'll let other members comment on that.
  5. funkydude Registered Member

    Well, I personally think it's a good piece of software. Especially if you get the free version from your bank.

    When I tried it, I didn't find a need for it, but that's just me. I reckon it would be great for the casual computer user.
  6. Ilya Rabinovich Developer

    Revert sandbox solutions are ineffective against driver-level malware.
  7. speedtouch Registered Member

    Could you please elaborate a little Ilya? How does malware actually read data from a browser other than through keyloggers? I'm interested in the technical aspects. Can JavaScript read data or must it be an executable that somehow connects to the browser? Does DefenseWall protect the browser's internal data store?
  8. bellgamin Very Frequent Poster

    Aigle informed me that DW "...can't stop some keylogging behaviors like getkeystate etc, though will notify you."

    Can someone please translate this comment to doofus-level English? :doubt:
  9. CloneRanger Registered Member

    Think there was a thread on Trusteer Rapport a few months back.

    @bellgamin

    Yes, he means apps that revert a system to a previous state, do not prevent against active infections/keylogging etc.
  10. MICRO Registered Member

    Several months ago StevieO did a review of Trusteer and I installed it too. Seemed to be a good security App. but had a major drawback for me, it calls home *several times a DAY*. One of their people replied in this link below, 'Trusteer', but I was less than happy with his input and so uninstalled the App. which was a PITA and needed a bit of work to accomplish.

    StevieO asked if they would consider such and such but the reply was a bit dismissive and so that was the end of TR.

    http://www.wilderssecurity.com/showthread.php?t=254757&highlight=TRUSTEER RAPPORT
  11. 1000db Registered Member

    I thought DW had no way to distinguish if the getKeyState was initiated from a legitimate source that's why DW displays a message. I may be wrong.
  12. bellgamin Very Frequent Poster

    "Revert to previous state" WILL obviate infections if the "previous state" was itself uninfected.

    I agree that "revert to previous state" won't protect against keyloggers. However, if your firewall protects against "unauthorized" outgoing connections, then prudent use of that capability will effectively geld keyloggers from transmitting any data.

    IMO, the critical question is: Does DW BLOCK an app's attempt to getkeystate during the interim period (however long that might be) until the user replies to DW's alert pop-up?
    Last edited: Feb 10, 2010
  13. Ilya Rabinovich Developer

    All is simple: malware sitting in the kernel may read keystrokes directly via KeyboardClassXX object IRP_MJ_READ hooking, and even lower, by using 0x60/0x61 port reading, and get screenshots by using EngXXX kernel-level functions.

    So, the only way to stop it is to implement protection against driver installation.

    Yes, it does prevent it.
  14. Ilya Rabinovich Developer

    DefenseWall can't block it because some legitimate apps are using it (ICQ, for instance). But the notifications are quite fast. BTW, it's a bit off-topic here. :D
  15. Dark Star 72 Registered Member

    Ilya,
    Just to be sure we understand this - just what do you class as "Revert Solution Sandboxes".
    Is it just the software that works in the way that Rapport and the SafeOnline component of Prevx does or do you mean/include such as Returnil, Shadow Defender and Deep Freeze?
  16. lordraiden Registered Member

    There is a free version for home users.

    Does anyone know any web site where I can test Trusteer?
  17. jmonge Registered Member

  18. Ilya Rabinovich Developer

    There are two types (generally) of sandboxes: direct sandboxes (we isolate the OS from potentially dangerous applications) and revert sandboxes (we isolate certain applications from the OS and the rest of the apps). So, as you can see here, it is impossible to isolate certain processes from the kernel of the OS; it's a totally technical, non-improvable issue.
  19. jfd15 Registered Member

    Authentium has a similar program they call "Safe Central". I tried the beta test on it and it was interesting... seemed to have a few bugs still though.
  20. Rasheed187 Registered Member

    Yeah, that's a drawback for me too, I hate apps that are phoning home. It does look like a cool tool though. I've read that trojans are capable of bypassing the two-factor authentication method by simply redirecting people to a fake banking site (man-in-the-middle attack); a tool like Trusteer would be able to prevent this.
  21. Kees1958 Registered Member

    I like it a lot.

    I use IE8 only for on-line banking, with some hardening IE8 registry tweaks (running LUA + SRP on XP Pro):

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
    "NoChangeDefaultSearchProvider"=dword:00000001
    "NoSearchBox"=dword:00000001

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    "Advanced"=dword:00000001
    "Autoconfig"=dword:00000001
    "Cache"=dword:00000001
    "Certificates"=dword:00000001
    "Connection Settings"=dword:00000001
    "HomePage"=dword:00000001
    "Profiles"=dword:00000001
    "Proxy"=dword:00000001

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000003

    I have also taken away add value, add subkey and delete rights with REGEDIT from those three HKCU keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

    With Trusteer Rapport I have added the banking sites and am using this setup (see pic). Works great (protects the IE process, prevents screen prints/capture and encrypts keys :thumb: ), with much less phoning home. Before I do on-line banking I clear the cache/history, and when I am finished I do the same.

    For daily browsing I use Iron with new tab behavior, IE-tab, Adsweep, Flash block and WOT. Enjoying the chrome sandbox and speed


    Last edited: Mar 9, 2010
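An added audit script for the hardening described in the post above (it is not from the post, from Trusteer or from Microsoft): it checks that each policy value listed there is set to the stated DWORD, and reports whether the current user still holds the "add value", "add subkey" or "delete" rights that the post removes from the three HKCU keys. Key and value names are the post's; the script layout and the mapping of those rights to SetValue/CreateSubKey/Delete are my assumptions.

```powershell
# Constructed audit: compare the IE8 policy values from the post against the live registry.
$expected = @{
  'HKCU:\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions' = @{
    NoChangeDefaultSearchProvider = 1; NoSearchBox = 1 }
  'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' = @{
    Advanced = 1; Autoconfig = 1; Cache = 1; Certificates = 1
    'Connection Settings' = 1; HomePage = 1; Profiles = 1; Proxy = 1 }
  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' = @{
    '1806' = 3 }   # Internet zone, URL action 1806 (launching unsafe files); 3 = Disable
}

foreach ($key in $expected.Keys) {
  foreach ($name in $expected[$key].Keys) {
    $want = $expected[$key][$name]
    # Get-ItemProperty returns $null for a missing key or value; treat both as MISSING.
    $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $have) { 'MISSING' }
             elseif ($have -eq $want) { 'OK' }
             else { "WRONG($have)" }
    '{0,-10} {1}\{2} = {3}' -f $state, $key, $name, $want
  }
}

# Lockdown check for the three keys whose add/delete rights were removed with REGEDIT.
# Assumption: "add value" = SetValue, "add subkey" = CreateSubKey, "delete" = Delete.
# Only ACEs granted directly to the current account are inspected, not group-derived ones.
$locked = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
  'HKCU:\Software\Microsoft\Internet Explorer')
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($key in $locked) {
  $acl   = Get-Acl -Path $key
  $mine  = $acl.Access | Where-Object {
             $_.IdentityReference.Value -eq $me -and $_.AccessControlType -eq 'Allow' }
  $rights = ($mine | ForEach-Object { $_.RegistryRights.ToString() }) -join ', '
  # FullControl and WriteKey both include the write rights the post wants removed.
  $writable = $rights -match 'SetValue|CreateSubKey|Delete|FullControl|WriteKey'
  $state = if ($writable) { 'WRITABLE' } else { 'LOCKED' }
  '{0,-10} {1} [{2}]' -f $state, $key, $rights
}
```

Run it in the same user account that does the banking; a WRITABLE result means a process running as that user could still add or remove zone and ZoneMap entries, which is what the ACL change is meant to stop.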
  22. Kees1958 Registered Member

    You have to add the websites to protect. Just try a print screen when on a protected website. Trusteer also hooks the keyboard with 'Rapportservice.exe', so I guess it works :). There are a few settings which you establish through your browser (phishing, certificate validation); other settings are not needed when using Hex web practices (clear history + temp + cache before banking and afterwards). The default policy settings of the free version need attention (see previous post).
    Last edited: Mar 9, 2010
  23. pling_man Registered Member

    I found that Trusteer Rapport didn't protect against some of the keylogging methods in the AKLT tester. Also it doesn't protect against screen capture using BitBlt (only the keyboard Print Screen key method).

    I am using PrevX SafeOnline which offers more protection than Rapport and passes all of the AKLT tests (plus some more). It's not free though.
  24. Kees1958 Registered Member

    The typical scenario in which one would add Trusteer Rapport is that of an uninfected machine. So this will make some of the AKLT tests irrelevant. Also I would assume sanity of the user, that he/she will shut the browser down, start it and clean history and then go into banking mode, with the same procedure reversed when finished.

    On Windows 7 / Vista x64 (kernel patch protection), objects of a lower privilege are not allowed to change higher objects. IE8 runs with Low rights (and the consecutive Chrome tabs also run Low; the first instance runs with Medium rights and acts as the functional monitoring program). So side-by-side injection of the browser by an object of the same rights (Low, meaning you can't do a lot to be honest). Trusteer Rapport protects the browser process from modification by other processes (it does NOT protect against Low integrity services, but there are no or few services running with Low rights), so in practice it will add a lot of security to a simple Win7 + AV setup (for these types of user SBIE x64 might be too complicated and DefenseWall does not have an x64 version).

    Regards Kees
  25. pling_man Registered Member

    I don't agree. If a "young" trojan gets by your other defences on your machine and uses one of the keylogging methods that Trusteer Rapport fails to protect against, then it can log your key presses to steal login details etc.

    AKLT is just a test program. It lets you test your defences against 7 different ways of logging your keyboard entries. With Rapport, only 4 of these are protected. With PrevX SafeOnline, they are all protected.