Solved

Concern regarding Webroot SecureAnywhere Keylogger protection.

  • 30 January 2015
  • 13 replies
  • 990 views

Userlevel 2
I tested webroot's secureanywhere keylogger and screengrabber protection using the Anti-Keylogger Tester (ALKT v3.0) which has 7 different methods to test for capturing keystrokes, and 2 different methods for screen grabs.
 
So far, webroot secureanywhere complete failed to protect 3 out of the 9 total methods. The failures are listed below.
 
For the keyboard Lowlevel hook test - webroot failed to protect against keystrokes. Every single keystroke was intercepted.
For the keyboard GetRawInputData test - some letters in words are being intercepted.
 
For the screengrab screenshot 1 test (pushes a "print screen" keystroke) - a screen grab was successfully obtained.
 
Questions:
1. Is webroot aware of these fails? 
2. What are the implications of these failures in a real-world scenario?
3. Can Webroot please address this? If not addressable, why?
 
Thanks in advance.
 
icon

Best answer by DanP 4 February 2015, 22:39

View original

13 replies

Userlevel 7
Badge +52
Hello
Please read:
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/If-I-have-WRSA-do-I-need-an-anti-keylogger/m-p/113920#M6934
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/If-I-have-WRSA-do-I-need-an-anti-keylogger/m-p/113934#M6937
 

 
 
Userlevel 7
Badge +35
 
Hello,
 
I just had a quick look at this, and one of the first things I did was click on the hyperlink at the bottom of the Anti-Keylogger Tester. Here's what popped up:
 


 
I have no further comments.
 
-Dan
 
Userlevel 7
Badge +56
And I get a Web Block!
 
Daniel
 

Userlevel 2
This is where i got the tool from.
 
http://www.snapfiles.com/get/antikeyloggertester.html
 
 
Userlevel 7
Badge +56
Well still these Keylogging tools don't show the true strength of WSA see here from MRG Testing:  https://community.webroot.com/t5/Announcements-and-Release-Notes/Nice-Report-Webroot/m-p/134917 and Here: https://community.webroot.com/t5/Announcements-and-Release-Notes/WSA-performance-in-MRG-Effitas-360-Assessment-amp-Certification/m-p/164205
 
Thanks,
 
Daniel 😉
Userlevel 2
Thanks for the links Daniel.
 
I don't doubt that webroot is awesome. I use it myself.
 
As a consumer, I would just like to understand technically how webroot would protect me against the scenarios I highlighted in the test results above.
 
 BTW,  I don't know why this has been listed as "Solved."
 
DanP, the fact that you weren't able to get to the tool doesn't indicate that this has been solved, nor do I find the no further comment remark assuring from a Webroot threat researcher.
 
 
Userlevel 7
Badge +56
Just like I said these testing tools are useless IMO this is not the first time for this type of discussion and Real World Testing is where it's at and if there was a hole Webroot would patch it up as they are always updating all the Shields all the time see this thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Identity-shield-fails-MitB-simulators/td-p/15958 and here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Identity-Shield-not-working/m-p/69399/highlight/true#M3975 and someone asking if they need a Anti-Keylogger with WSA: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/If-I-have-WRSA-do-I-need-an-anti-keylogger/m-p/113348
 
Thanks,
 
Daniel ;)
Userlevel 7
@ wrote:
Just like I said these testing tools are useless IMO this is not the first time for this type of discussion and Real World Testing is where it's at and if there was a hole Webroot would patch it up as they are always updating all the Shields all the time see this thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Identity-shield-fails-MitB-simulators/td-p/15958 and here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Identity-Shield-not-working/m-p/69399/highlight/true#M3975 and someone asking if they need a Anti-Keylogger with WSA: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/If-I-have-WRSA-do-I-need-an-anti-keylogger/m-p/113348
 
Thanks,
 
Daniel ;)
Amen to all of that, Daniel...completely agree.  
 
For my spin on this...if I may?...there are certain things that one should take on trust/the professionals word for, and that IMHO is very definitively the case when it comes to the efficiency of an antimalware app.  Yes, we 'consumers' can test certain aspects, and we do via the beta channel, but that is more down to the usability aspects of the product than the 'hardcore' defensive features...unless one is indulging in private malware testing...the discussion of which is a nono here in the Community...as we all know and agree with...:D
 
Baldrick
Userlevel 7
Badge +35
I was able to download the tool - the screenshot I posted was the result of clicking the hyperlink in the GUI looking for more information on the app and what I got was a redirect to a tech support scam page and pop-up. I thought that behavior said enough about the app since a security app should not include hyperlinks that redirect to such content.
 
As far as failing the tests is concerned, the app is from 2009 and being a tool rather than a malicious keylogger the file was whitelisted some time ago, which was likely why it was able to capture some keystrokes using certain methods. Print Screen is a legitimate fuction used by numerous legitimate apps so we would not consider allowing Print Screen a failure.
 
Our performance in real-world scenarios using techniques that are currently used can be seen in the tests conducted by MRG that TripleHelix posted links to.
 
-Dan
Userlevel 2
@  - Thanks for the clarification.
 
This was the answer I was looking for. Given the fact that this keylogger was whitelisted, it functioned as it was designed to and captured oartially what it was supposed.  I can accept that.  Zemana also has an keylogger tester - is that white listed too?
 
A few follow up questions
 
- What would happen if a keylogger is NOT whitelisted? 
 
- Is there a way to override the whitelisting of a key logger to actively block it ? Perhaps deeper than the IdentityShield App Protection? This keylogger was automatically set to block - assuming because it made it into the whitelist - but still managed to capture certain functions. Could I in theory manually set an application to block more?
 
- Does webroot publish a whitelist of apps for review?
 
 
Userlevel 2
@ 
 
While there are certain things that one should "trust the professional's word," there is the concept of "trust, but verify" which most security professionals worth their salt will understand.
 
Professionals still gladly provide information to we "consumers" so that we the consumers can make informed decisions and informed opinions on topics the professionals claim expertise on.
 
Userlevel 7
Badge +35
@ wrote:
@  - Thanks for the clarification.
 
This was the answer I was looking for. Given the fact that this keylogger was whitelisted, it functioned as it was designed to and captured oartially what it was supposed.  I can accept that.  Zemana also has an keylogger tester - is that white listed too?
 
A few follow up questions
 
- What would happen if a keylogger is NOT whitelisted? 
 
- Is there a way to override the whitelisting of a key logger to actively block it ? Perhaps deeper than the IdentityShield App Protection? This keylogger was automatically set to block - assuming because it made it into the whitelist - but still managed to capture certain functions. Could I in theory manually set an application to block more?
 
- Does webroot publish a whitelist of apps for review?
 
 
The Zemena test app is whitelisted as well, yes. 
 
With the exception of a few enterprise-class system monitor apps that include keylogging functionality, keyloggers should be blocked. If an unknown keylogger were to get installed, the Identity Shield will block it from capturing data using a number of methods. The most important funtion of the Identity Shield is protecting data entered into web forms from being captured - this is one of the more common ways that malware attempts to steal your credit card or banking information. 
 
If a malicious keylogger is whitelisted, you can block it completely the Control Active Processes functionality in the System Control tab under the Utilities menu. I would also suggest creating a support ticket and reporting it to us to get it blocked.
 
We do not publish a list of whitelisted apps. As I mentioned earlier there are very few applications with keylogging functionality that would be whitelisted.
 
-Dan
 
 
Userlevel 2
@ Thanks for the details DanP. 
 
 
@ @ @  - thanks for your contribution.
 

Reply