Solved

Identity Shield not working

  • 23 November 2013
  • 31 replies
  • 162 views

Userlevel 7
  • Community Leader
  • 314 replies
I have been testing Webroot's Identity Shield and multiple times it does not stop the screen grabing attack. It is sucsesfull at blocking most (most, but not all) keystrokes from being logged, however, when using a screen capture program Webroot does not block or even notify that an application is attempting to take screenshots. I have tried uninstalling and reinstalling Webroot multiple times but I get the same results. Please advise.
 
Shran
icon

Best answer by JoeJ 25 November 2013, 23:04

View original

31 replies

Userlevel 7
Badge +56
Hi Shran,
 
Webroot does block all known and unknown keyloggers I assume your using some testing software as some of them have to be used in the foreground so that makes the Browser Window behind so not protected as you can see if the little yellow padlock on the tray Icon to be protected! 


 
Please see here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/WSA-scores-100-in-MRG-Efitas-tests/m-p/54082/highlight/true#M2670
 
Also WSA does not block known good screen capture tools like Snagit, HoverSnap and even windows own Snipping Tool but you can block them if you feel it's necessary but will protect you from Malicious Screen Grabbers.
 
Also read here from the Online Helpfile: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C6_IDProtection/CH6a_ManagingID.htm
 


 
HTH,
 
Daniel 😉
Userlevel 7
Hi Daniel,

Thanks for your response. I am using a keylogger that runs in the background, not the foreground. I made sure that they lock icon was over the Webroot icon as I was typing and it was the whole time. To be a little more specific about not all keystrokes being blocked, I mean I would go to my email (I have an address I use for testing) or Facebook and type in login information, and when I reviewed the keystroke log it would look like this "f E dax [Capslock] h . da" etc. All of those are keystrokes that I actually typed so I know it wasn't just my real keystrokes being scrambled. That's what I mean about most but not all being blocked. No, that is not enough for a keylogger user to be able to actually get any useful information, but I thought I should mention it. As for the screencapture, I was using an "Unknown" file, and I verified it was unknown by using Webroot's system control. I had it set to grab a screenshot every 60 seconds, also running silently in the background. Webroot allowed the screenshots even though it was an unknown file, and I verified that the padlock was on the Webroot icon in testing this as well. Interestingly though, Webroot did block the screenshots in one test case installation, but not in any of the others using the same program.

Thanks,

Shran
Userlevel 7
Badge +6
Well...this isn't good..
Userlevel 7
@
 
Yes, I hate to be the bearer of bad news as the saying goes, and I really do love Webroot, so, Daniel, and all other's reading this, please do not think I don't like Webroot because of this; I really do like Webroot alot, but I just wanted to point this out. For all I know it could be a problem with my own computer.
 
Still have faith in Webroot!
 
Shran
Userlevel 7
Badge +56
@ So is it a Testing keylogger that WSA is not detecting as it could be Whitelisted as a testing tool can you tell us more info of what your using or is it an actual Malicious keylogger? Then it would help to better answer you're question.
 
Thanks,
 
Daniel
Userlevel 7
Hi Daniel,

As far as I know, it is not a "remote keylogger", meaning that it won't actually send my keystrokes off like a real piece of spyware, its more like a "spy tool" that you would put on your computer to see what people are doing on your own computer, but, it is not one of the reputable ones like "Net Nanny", it is one of those kind of shady ones that's like "free see what people are typing" if you know what I mean, so I don't think it's whitelisted either, for that reason and because I would type something like "StarTrek_DaxFan-1985" and the keylogger would pick up "S _ n 1 8". So, most of the password (that is not a real password by the way :P) was blocked, if it was whitelisted wouldn't it have picked up everything? I could be wrong though, please correct me if I am 🙂. As for the screen capture, what's interesting about that is that I tested it again last night, and for the most part, most screenshots were blocked, but after a reboot, all my Webroot settings were defaulted (not really related to the original topic but thought I should mention it) and the program was again able to grab screenshots, even though Webroot said in its Identity Protection settings that the file was set to "block". I'm thinking that perhaps it is Norton interfering? I know Webroot plays nice, but that doesn't mean Norton isn't being a butt-head 😛.
Userlevel 7
Badge +56
1. Right Click on the Webroot Tray Icon and Save a Scan Log and look for the program that your using to see if it is marked good as a [g] will be in front of the line or lines if another let me know what is says and even post the lines.
 
2. Setting going back to default have you set up your My Webroot Online Console? If not please do so if you have go in there and click on your PC and make sure it's set for User Configuration and if it is already set to that set to something else and save then go back and put it under User Configuration and wait 20 to 30 minutes and do a scan then set it up the way you like it Save then reboot to see if the settings stick this time.
 
HTH,
 
Daniel ;)
 

Userlevel 7
1. Right Click on the Webroot Tray Icon and Save a Scan Log and look for the program that your using to see if it is marked good as a [g] will be in front of the line or lines if another let me know what is says and even post the lines.
 
2. Setting going back to default have you set up your My Webroot Online Console? If not please do so if you have go in there and click on your PC and make sure it's set for User Configuration and if it is already set to that set to something else and save then go back and put it under User Configuration and wait 20 to 30 minutes and do a scan then set it up the way you like it Save then reboot to see if the settings stick this time.
 
HTH,
 
Daniel ;)
 

Userlevel 7
Badge +56
You're very welcome and thanks for the nice comment and we want it to be this way most of us are Volunteers and we help the Webroot Staff we get guidance from them and also I have been using Prevx since 2004 and Webroot Acquired them in Nov 2010 and they even made it better with more tools and options so some of us know it quite well from the Prevx days! We are a great bunch of Members and Staff Members it's great and you will not fine that also from any AV Support Forum!
 
Hey I see that your running Active Malware [b] and have some Unknowns [u] you can send them the lines via a Support Ticket and they will get those fixed up even if they FP's!
 
Cheers,
 
Daniel

Userlevel 7
Hey Daniel,

Those [b] and [u] files are just the monitoring files that I am using to test the ID shield. I am using them on a completely separate hard drive that I use for testing so it isn't my "main" system and I purposefully put those files there to test the ID shield so I don't need to send a help ticket 🙂 Thank you for the suggestion though, I just wipe this hard drive since it is only 100 GB when I'm done with testing 🙂 I've tested a lot of stuff on this hard drive as its isolated from my main system, Avast betas, Norton, Bitdefender, etc. and now Webroot :)

Shran
Userlevel 7
Badge +56
Well you have some Acronis files as unknown so that must be a new update! LOL
 
acronis rueimagehome
 
Daniel
Userlevel 7
Yes, those are pretty recent, it's actually the "WD Edition" not the full version, since I can use the WD version for free because I bought a WD external hard drive. :P

Do you have any idea why the program might be taking screenshots still? It's listed as bad and unknown so it must not be whitelisted. All shields are turned on, keylogger protection still works (I view the keylogger logs and it doesn't pick up anything useful), but that [b] program is still able to pick up screenshots.
Edit: here is what the keystroke log looks like after I typed that message:
y e i o  -Caps Lock-  -Caps Lock-  v      '   -Back-   i s -Back-  -Back-   -Back- ,  h { -Caps Lock-  -Caps Lock-  -Back-  -Back- [ -Caps Lock- ]  -Caps Lock-  -Back- . -Back-  -Back-  -Back-  -Back-  -Back-  -Back-  -Back- r   b  k p s. -Enter-
 -Caps Lock-  -Caps Lock-  -Back-  -Back-  -Back- :  s   eo g s    -Caps Lock-  -Caps Lock-  e a e: -Enter-
 
Nothing that could really be used by a spyware user, but every once in a while it picks up a letter here and there.
Shran
Userlevel 7
Badge +56
What Browser are you using and is it 32bit or 64bit and version number? Supported Browsers are IE, Firefox, Chrome 32bit.
 
Here's a small video on the 2012 version but basically the same have a look: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202#.UpKL8-LZG_o
 
Also note that WSA protects both HTTPS & HTTP by default now!
 
Daniel
Userlevel 7
I am using Firefox x86 version 25.0.1.
I also added the explorer.exe process to Webroot's Identity Shield so that it protects not just the browsers but pretty much everything since explorer.exe is almost always running :P

Shran
Userlevel 7
Badge +56
You like sticking your tongue out allot eh!  OK 

This is David's favorite. 😃
Userlevel 7
LOL, that's a good one.

Userlevel 7
He flashes it at me with great regularity 🙂
Userlevel 7
Badge +56
Yeppers my Buddy in crime! :D
 
Daniel
Userlevel 7
@ wrote:
Yeppers my Buddy in crime! :D
 
Daniel
 
 

Userlevel 7
Badge +56
I should say my Brother in Crime!

Userlevel 7
Yup!
 
Good teamwork, and we have a lot of fun doing it 🙂
Userlevel 7
Badge +56
Yes no need to be Trolls.


 
Daniel
Userlevel 7
Hey Daniel,

I removed the "explorer.exe" process from the Identity Shield protected processes, as it kept glitching up, meaning it would not protect explorer.exe even when it was the only thing running (I didn't get the padlock) after a reboot. Now, it seems to be working better against the screengrabbers when I have my browsers open. Do you think it's possible that having "explorer.exe" protected was causing some interfearence with protecting the browsers?

Shran
Userlevel 7
Badge +56
I'm not sure but as you found it to be an issue and maybe someone from the Webroot Staff will chime in @ @ I just have my Browsers in the ID Shield I feel for me not to add anything else.
 
Daniel 😉
Userlevel 5
I suggest not configuring system applications like explorer.exe as protected applications - it will definitely cause odd system behavior as it will prevent other components of the system from communicating with Explorer. There is a considerable amount of logic in place to allow legitimate screen capturing but block malicious use of screen data. I've tested it here on Windows 7 x64 and XP 32bit right now and it is working properly, so I suspect the testing tools are not simulating malware accurately.
 
Control keys like capslock, backspace, shift, etc. will be allowed through as if they are blocked, the OS loses context. As for random keystrokes coming through, this could be due to if the foreground window loses focus or isn't being actively typed into.
 
In any event, screen grabbers and keyloggers are almost irrelevant these days when it comes to real malware. Threats are using much more advanced techniques which is what WSA focuses on protecting: man in the browser attacks, memory injection, system call hooking, and a myriad of other approaches. They tend to not use the obvious ones like screen capture/keylogging because they generate too much data and are too easy to detect as malicious behaviors. WSA excels at blocking the most advanced techniques and has been doing so for years without any threats bypassing it.

Reply