Solved

Identity Shield not working

  • 23 November 2013
  • 31 replies
I have been testing Webroot's Identity Shield and multiple times it does not stop the screen grabbing attack. It is successful at blocking most (most, but not all) keystrokes from being logged; however, when using a screen capture program Webroot does not block or even notify that an application is attempting to take screenshots. I have tried uninstalling and reinstalling Webroot multiple times but I get the same results. Please advise.
 
Shran

Best answer by JoeJ 25 November 2013, 23:04



Userlevel 7
Thank you all for your assistance. I bought WSA today and now I have a full year's subscription instead of a trial :D
 
Shran
Userlevel 5
@ wrote:
@ Thank you! Also, while you're here, I have a burning question I've never been able to figure out:
 
Can you describe the changes in Windows 8/8.1 that have reduced the ability for keyloggers and other scrapers to function correctly, while also limiting the ability of protection products to hook in as deeply to protect it? This is a claim from a competitor as to why their product features are not as extensive on Win8.
There haven't been any limitations we've encountered. The only relevant difference would be any 64bit platform having PatchGuard which blocks certain types of kernel changes, but this isn't unique to Win8. The primary AV-relevant change in Win8 is the fact that Microsoft are now requiring any firewall developer to use the built-in firewall APIs.
Userlevel 7
Badge
@ Thank you! Also, while you're here, I have a burning question I've never been able to figure out:
 
Can you describe the changes in Windows 8/8.1 that have reduced the ability for keyloggers and other scrapers to function correctly, while also limiting the ability of protection products to hook in as deeply to protect it? This is a claim from a competitor as to why their product features are not as extensive on Win8.
Userlevel 5
@ wrote:
Hi @ 
How would you describe WSA's whole-system anti-logging capabilities as compared to a product that doesn't focus on browsers specifically?
 
Information stealing threats are primarily focused on browsers today, although you can add additional applications to be protected as wanted (like Excel, Word, Notepad, etc.) However, most of WSA's kernel-level anti-logging is application agnostic so you're already receiving a sizable amount of protection silently over all applications against advanced information stealing threats.
Userlevel 7
Badge
Hi @ 
How would you describe WSA's whole-system anti-logging capabilities as compared to a product that doesn't focus on browsers specifically?
Userlevel 7
Badge +56
Thanks Joe for the great info I will bookmark for future reference!
 
Cheers,
 
Daniel 😉
Userlevel 5
I suggest not configuring system applications like explorer.exe as protected applications - it will definitely cause odd system behavior as it will prevent other components of the system from communicating with Explorer. There is a considerable amount of logic in place to allow legitimate screen capturing but block malicious use of screen data. I've tested it here on Windows 7 x64 and XP 32bit right now and it is working properly, so I suspect the testing tools are not simulating malware accurately.
 
Control keys like Caps Lock, Backspace, Shift, etc. will be allowed through because, if they are blocked, the OS loses context. As for random keystrokes coming through, this could be due to the foreground window losing focus or not being actively typed into.
 
In any event, screen grabbers and keyloggers are almost irrelevant these days when it comes to real malware. Threats are using much more advanced techniques which is what WSA focuses on protecting: man in the browser attacks, memory injection, system call hooking, and a myriad of other approaches. They tend to not use the obvious ones like screen capture/keylogging because they generate too much data and are too easy to detect as malicious behaviors. WSA excels at blocking the most advanced techniques and has been doing so for years without any threats bypassing it.
Userlevel 7
Badge +56
I'm not sure, but as you found it to be an issue, maybe someone from the Webroot Staff will chime in @ @. I just have my browsers in the ID Shield; I feel there is no need for me to add anything else.
 
Daniel 😉
Userlevel 7
Hey Daniel,

I removed the "explorer.exe" process from the Identity Shield protected processes, as it kept glitching up, meaning it would not protect explorer.exe even when it was the only thing running (I didn't get the padlock) after a reboot. Now, it seems to be working better against the screengrabbers when I have my browsers open. Do you think it's possible that having "explorer.exe" protected was causing some interference with protecting the browsers?

Shran
Userlevel 7
Badge +56
Yes no need to be Trolls.


 
Daniel
Userlevel 7
Yup!
 
Good teamwork, and we have a lot of fun doing it 🙂
Userlevel 7
Badge +56
I should say my Brother in Crime!

Userlevel 7
@ wrote:
Yeppers my Buddy in crime! :D
 
Daniel
 
 

Userlevel 7
Badge +56
Yeppers my Buddy in crime! :D
 
Daniel
Userlevel 7
He flashes it at me with great regularity 🙂
Userlevel 7
LOL, that's a good one.

Userlevel 7
Badge +56
You like sticking your tongue out a lot, eh! OK

This is David's favorite. 😃
Userlevel 7
I am using Firefox x86 version 25.0.1.
I also added the explorer.exe process to Webroot's Identity Shield so that it protects not just the browsers but pretty much everything since explorer.exe is almost always running :P

Shran
Userlevel 7
Badge +56
What browser are you using, is it 32-bit or 64-bit, and which version number? Supported browsers are IE, Firefox, Chrome 32-bit.
 
Here's a small video on the 2012 version, but it's basically the same; have a look: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202#.UpKL8-LZG_o
 
Also note that WSA protects both HTTPS & HTTP by default now!
 
Daniel
Userlevel 7
Yes, those are pretty recent, it's actually the "WD Edition" not the full version, since I can use the WD version for free because I bought a WD external hard drive. :P

Do you have any idea why the program might be taking screenshots still? It's listed as bad and unknown so it must not be whitelisted. All shields are turned on, keylogger protection still works (I view the keylogger logs and it doesn't pick up anything useful), but that [b] program is still able to pick up screenshots.
Edit: here is what the keystroke log looks like after I typed that message:
y e i o  -Caps Lock-  -Caps Lock-  v      '   -Back-   i s -Back-  -Back-   -Back- ,  h { -Caps Lock-  -Caps Lock-  -Back-  -Back- [ -Caps Lock- ]  -Caps Lock-  -Back- . -Back-  -Back-  -Back-  -Back-  -Back-  -Back-  -Back- r   b  k p s. -Enter-
 -Caps Lock-  -Caps Lock-  -Back-  -Back-  -Back- :  s   eo g s    -Caps Lock-  -Caps Lock-  e a e: -Enter-
 
Nothing that could really be used by a spyware user, but every once in a while it picks up a letter here and there.
Shran
Userlevel 7
Badge +56
Well you have some Acronis files as unknown so that must be a new update! LOL
 
acronis rueimagehome
 
Daniel
Userlevel 7
Hey Daniel,

Those [b] and [u] files are just the monitoring files that I am using to test the ID shield. I am using them on a completely separate hard drive that I use for testing, so it isn't my "main" system, and I purposefully put those files there to test the ID shield, so I don't need to send a help ticket 🙂 Thank you for the suggestion though; I just wipe this hard drive, since it is only 100 GB, when I'm done with testing 🙂 I've tested a lot of stuff on this hard drive as it's isolated from my main system: Avast betas, Norton, Bitdefender, etc. and now Webroot :)

Shran
Userlevel 7
Badge +56
You're very welcome, and thanks for the nice comment. We want it to be this way: most of us are Volunteers and we help the Webroot Staff, and we get guidance from them. Also, I have been using Prevx since 2004; Webroot acquired them in Nov 2010 and they even made it better with more tools and options, so some of us know it quite well from the Prevx days! We are a great bunch of Members and Staff Members, it's great, and you will not find that on any other AV Support Forum!
 
Hey, I see that you're running Active Malware [b] and have some Unknowns [u]. You can send them the lines via a Support Ticket and they will get those fixed up, even if they're FP's!
 
Cheers,
 
Daniel

Userlevel 7
Badge +56
1. Right click on the Webroot Tray Icon and Save a Scan Log, then look for the program that you're using to see if it is marked good; a [g] will be in front of the line or lines. If it is another marker, let me know what it says and even post the lines.
 
2. Settings going back to default: have you set up your My Webroot Online Console? If not, please do so. If you have, go in there, click on your PC and make sure it's set for User Configuration. If it is already set to that, set it to something else and save, then go back and put it under User Configuration, wait 20 to 30 minutes and do a scan, then set it up the way you like it, Save, then reboot to see if the settings stick this time.
 
HTH,
 
Daniel ;)
 
