blues

Firefox Question


I know that many legitimate programs are identified as key or screen loggers by OA so that we are aware of potential issues and have the opportunity to deny this activity if we choose.

 

I can remember Firefox being identified in the past as a "keylogger" but since about a week or so back I now see it also identified as a "screen logger" as well.

I don't recall seeing this previously.

 

Has something changed with Firefox or is OA now identifying a characteristic of Firefox that was there all along but not alerted to?

 

Would just like to ensure that this isn't indicative of any potential breach of security especially when I log into a financial institution via "Banking Mode" (and utilize Sandboxie to enhance security).

 

Thanks in advance.   I continue to be hugely impressed by the tandem of  OA & EAM.


May I ask what version of Firefox you are using, and if you remember when you had installed that version of Firefox?


Hi Arthur...

19.0.2    Installed right after it was announced as far as I know.

(I also recently upgraded to the latest beta of Sandboxie as well. Not sure if that could have some hand in this.)


I've noticed that quite a few of the apps I run have this 'screen logger' warning.  I was wondering what it is that OA spots that makes it think that an app is doing this?   I'm guessing that it's use of some set / family of screen control features (ie an API or subset) which can be used in a program to do a bunch of things one/some of which might be logging. 

 

I'm hoping that the problem is that when programmers write apps they often use general libraries of program code; such a library might offer a set of functions or procedures to do various things, none of which are logging, but all of which use the same underlying OS API as a logger might use, and perhaps OA is unable to tell if logging is actually taking place.  Some clues would be useful.... eg links to MSDN pages where such things are described. 


@blues,

 

I experienced the same, during the manual upgrade (via GUI) of one of the recent versions of FF - I don't remember which one exactly, but I'm sure it wasn't any of the 19.xx.

 

For some reason, OA didn't trust the new components of FF automatically and asked me what to do during the upgrade process - actually 3 or 4  pop-ups. The same happened shortly after with Thunderbird as well.

Perhaps it was just a temporary problem (server side related) with the online look-up (see the "Contact Anti-Malware Network in realtime" option in Programs/Options).

 

Cheers,

N.

 

--------------------

Win XP Pro SP3
Avast! Free AV 8.0.1483
Online Armor Free 6.0.0.1736


I noticed this morning that when I had the keylogger permission blocked for Thunderbird that I could not check for updates by going to "help", "about Thunderbird", "Check for Updates".

When it was re-enabled I was able to do so.

I deleted the OA keylogger permissions for Firefox last night so we'll see when it next resurfaces.   As I recall, "Plug-in Container" asked for the permission about a week or so back while trying to run a video.  If I didn't give it permission it wouldn't run.  I don't recall the other specific instances where within Firefox.exe itself the permission was requested or needed.

Hopefully one of the Emsisoft folks can tell us more and whether there are any concerns on our end.


Hopefully one of the Emsisoft folks can tell us more and whether there are any concerns on our end.

I doubt there is any reason to be concerned. There are many legitimate programs that function in such a way that Online Armor will detect as a "screen logger" or a "key logger". To know more than that, we will need Debug Logs.

To get Debug Logs, please open Online Armor, go to Options in the menu on the left, click the little check box to enable debug mode, restart your computer, and then try reproducing your problem with Firefox and these warnings. After that, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs), upload it to a website such as DepositFiles/BayFiles/etc (which one you use is up to you), and then copy and paste the link to download the file into a reply (or you can send it to me in a Private Message if you don't want the link posted publicly on the forums). Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.


Thanks, Arthur.  I'm not too concerned, more curious.  With Sandboxie, any changes would be deleted once the program is closed in any case.

 

I suppose I was more concerned about the possibility of a malware initiating the screen or key logging though I'm pretty sure OA or EAM would pick up any attempt at code injection etc.

I'm not going to bother with debug logs at this juncture but do appreciate the info for future reference.


By the way, as with Thunderbird, I found that if I blocked Firefox within the keylogger menu of OA and then went within Firefox to "Help", "About Firefox", "Check For Updates" it would not work.

 

However, if I went back and "allowed" the Firefox entry within OA's keylogger menu, then all was copacetic.

 

Looks like Firefox and Thunderbird require these permissions to function properly.  

 

From here on I'll just let OA, EAM & Sandboxie do their respective jobs to protect both Firefox and Thunderbird as well as the overall system from any intruders.


... If I went back and "allowed" the Firefox entry within OA's keylogger menu, then all was copacetic.

 

Looks like Firefox and Thunderbird require these permissions to function properly.

Their updater must do something that triggers the keylogger protection in Online Armor.


...  Which API functions is OA looking at?

I'll have to apologize, as we will not be able to answer that question. We just don't want to reveal too much about the internal workings of Online Armor. ;)


I understand.  But the fact remains that quite a few programs I have seem to use features, hopefully innocently, which look to OA as if they might not be innocent.  I'd quite like to pursue with the programmers of those programs the idea that perhaps they should change what they're doing.  It's going to be hard to do that if I can't tell them which API functions are the problem areas.


The issue is that a HIPS does not make decisions automatically, unless rules are explicitly created for that application. Online Armor does use methods to reduce the number of notifications you will receive, and each notification will have an option to remember your decision (and many times even to add the application as Trusted).


I'll have to apologize, as we will not be able to answer that question. We just don't want to reveal too much about the internal workings of Online Armor. ;)

 

Not much gets by the crack security staff at Emsisoft... ;)
