EQSECURITY FAILS AKLT (Anti Key Logger Test)

hammerman · Jul 17, 2008

Thanks LoneWolf.

Do you get the message (post #11) that the screenshot has been saved successfully? Has the .jpg file been created when you look in the folder in which AKLT is located?

LoneWolf · Jul 17, 2008

hammerman said:

Thanks LoneWolf.

Do you get the message (post #11) that the screenshot has been saved successfully? Has the .jpg file been created when you look in the folder in which AKLT is located?
Click to expand...

Yes to both questions.
But the JPEG image is still only a black screen, nothing recorded.

EASTER · Jul 17, 2008

hammerman said:

The Screenshot 2 uses the BitBlt function in library ..\system32\gdi32.dll to take the screenshot. I tried to stop AKLT.exe loading this library using EQS. I got a log entry stating that gdi32.dll had been blocked from loading but when I check with 'Whats Running', AKLT.exe has still loaded gdi32.dll. Therefore the screenshot is still taken.

This seems to mean that the EQS rule for blocking the loading of library gdi32.dll has been bypassed somehow.

When I block loading of all libraries, AKLT does not even start. I do not use the Load Library File protection normally. Perhaps I should.

Does Comodo or any other program pass the Screenshot 2 test? If it did, I would be interested to see the pop-up.
Click to expand...

Thanks hammerman for nailing down the exact item and indeed it escapes EQS. Another reason why it would be nice to see this and some other improvements/preventions added to form and complete a final version 4.

Since i'm a english only literate, it behooves me to just be content with what is untill or unless we are greeted one day with a final 4 that also addresses this little quirk too.

EASTER

aigle · Jul 17, 2008

hammerman said:

I have re-tested EQS 3.41 and found that
1. EQS fails getKeyboardState
2. EQS fails GetRawInputData
Click to expand...

Same finding on my system. Did not test screen shots protection.

TerryWood · Jul 17, 2008

Hi all

Can this be put right by additional rules? (I'm thinking here of Alcyons)

Terry

aigle · Jul 17, 2008

I don,t think so.

Alcyon · Jul 17, 2008

For EQS v3.41, there's nothing to do about GetKeyboardState and GetRawInputData but for the screenshot2 poc, like i've said earlier, you can whitelist all default win xp apps and your installed third-party applications dealing with jpg (plus the other formats) followed by a "prompt and block" rule for the same extensions in the application rules section of file protection settings. I'll probably post an example soon.

EASTER · Jul 18, 2008

I would hope the beta 4.0 link was still good but by now i'm not so sure, but once again, it absolutely STOPS/BLOCKS aklt 3.0 keylog test "all of them" above the 2 screenshots that are evasive although i been able to block the first one, the second one gets taken regardless.

I also stand corrected on EQS 3.41 driver which is a chief componant of this HIPS. The 75Kb refers to old 3.40 and 3.41's driver(s) is larger, i been able to find from my own past downloads, EQS driver measures, of 107, 110, 111, and the current 112 that i been using for quite awhile and Alcyon's 3.41 RulesSets seem to work fine with it.

This tells me active improvements were implimented into this particular componant as well as some dll's which defintely have to do with the sandbox feature, but i don't bother with that feature hardly at all.

EASTER

Log in or Sign up

EQSECURITY FAILS AKLT (Anti Key Logger Test)

hammerman Registered Member

LoneWolf Registered Member

EASTER Registered Member

aigle Registered Member

TerryWood Registered Member

aigle Registered Member

Alcyon Registered Member

EASTER Registered Member

Log in or Sign up

EQSECURITY FAILS AKLT (Anti Key Logger Test)

hammerman Registered Member

LoneWolf Registered Member

EASTER Registered Member

aigle Registered Member

TerryWood Registered Member

aigle Registered Member

Alcyon Registered Member

EASTER Registered Member

Useful Searches