bocl Posted October 25, 2010

Hi,
I wanted to test MAMUTU's anti-keylogger protection and I installed Ardamax Keylogger 3.5.3. I did not get any reaction from MAMUTU's anti-keylogger protection (I got an alarm that a program wants to start with Windows and I allowed ONLY that behaviour). Ardamax Keylogger 3.5.3 is installed on my PC and is logging everything, still no reaction from Mamutu. Any comments?
Thanks,
Claudiu
bocl Posted October 27, 2010

Hi,
I would really appreciate an answer from any of the developers / moderators! "Keylogger related behavior" is mentioned in the list of behaviors MAMUTU is supposed to monitor, yet my Ardamax Keylogger 3.5.3 is installed on my PC, is logging everything and MAMUTU doesn't react at all.
Thanks,
Claudiu
Guest postcard Posted October 27, 2010

Try updating your definitions.
bocl Posted October 27, 2010

> Try updating your definitions.

Hi,
MAMUTU is supposed to be "behavior based" and not "definition based". There is a white list but I doubt that Ardamax Keylogger 3.5.3 is on that list.
Thanks,
Claudiu
Lynx Posted October 27, 2010

Hi Claudiu,
Your post was overlooked at first; I hope that the developers will reply, but while you were waiting you could search for the “keylogger” keyword & find many discussions about the matter in this & the old forum, which could give you some if not all answers. For example, this one. Please read the referenced thread from the old forum as well, where there are some answers by the developers: http://forum.emsisoft.com/Default.aspx?g=posts&t=4050
As far as I know, this particular keylogger is recognized by EAM's signatures (onAccess/onExecution): Ardamax Keylogger, or even the earlier version Keylogger 2.8.
As for the Behavioral Blocker – it may not be recognized even in its so-called ”hidden mode”, because it is not precisely “windowless”; not installed invisibly; there could be several other factors; etc. Again … the developers may add to that.
Cheers!
BrendanK. Posted November 1, 2010

A few questions:
Is the process hidden from Task Manager or by any other means?
Is it hiding its files?
Is it creating, sending or storing log files of what it is recording?
Is it hiding these log files?
bocl Posted November 1, 2010

> A few questions:
> Is the process hidden from Task Manager or by any other means?
> Is it hiding its files?
> Is it creating, sending or storing log files of what it is recording?
> Is it hiding these log files?

Hi,
From the Ardamax website:
"Invisible mode makes it absolutely invisible to anyone. Ardamax Keylogger is not visible in the task bar, system tray, Windows 2000/XP/2003/Vista/Windows 7 Task Manager, process viewers (Process Explorer, WinTasks etc.), Start Menu and Windows Startup list."
"Email log delivery - keylogger can send you recorded logs through e-mail delivery at set times - perfect for remote monitoring!"
Claudiu
BrendanK. Posted November 2, 2010

Are those enabled though? Here is an alert from Mamutu with a live keylogger, which is trying to install invisibly.

Warning received:
Emsisoft Mamutu - Version 3.0 Behavior Blocker log
Date PID Source Event Behavior/Infection
11/2/2010 9:10:50 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.Spyware
11/2/2010 9:10:23 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation
11/2/2010 9:10:14 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.CodeInjector
11/2/2010 9:09:55 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User
11/2/2010 9:09:22 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.AutorunCreation
11/2/2010 9:09:16 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation
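As an added example (not part of the thread and not Emsisoft's own code), a small Python parser for the Behavior Blocker log format shown in the post above. It groups the behavior tags per executable and lists the programs that were allowed every time yet still accumulated a hidden-install / autorun / code-injection / spyware chain, which is the kind of alert sequence a reviewer should look at again rather than trusting a single "Allow" click. The sample rows are constructed from the posted log, and the "Blocked by User" event form is an assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Behavior Blocker log posted above
# (columns: Date, PID, Source, Event, Behavior/Infection; the last column may be empty).
SAMPLE_LOG = [
    r"11/2/2010 9:10:50 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.Spyware",
    r"11/2/2010 9:10:23 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation",
    r"11/2/2010 9:10:14 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.CodeInjector",
    r"11/2/2010 9:09:55 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User",
    r"11/2/2010 9:09:22 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.AutorunCreation",
    r"11/2/2010 9:09:16 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation",
]

# Lazy 'source' lets the executable path contain spaces; the 'Blocked by User' form is an assumption.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<pid>\d+)\s+"
    r"(?P<source>.+?)\s+(?P<event>(?:Allowed|Blocked) by User)"
    r"(?:\s+(?P<behavior>Behavior\.\w+))?\s*$"
)

# Behaviors that together look like a covert installer planting a monitoring component.
INSTALL_CHAIN = {"Behavior.HiddenInstallation", "Behavior.AutorunCreation",
                 "Behavior.CodeInjector", "Behavior.Spyware"}

def parse_log(lines):
    """Parse log rows into dicts sorted oldest first; rows that do not match are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["date"], "%m/%d/%Y %I:%M:%S %p")
            e["pid"] = int(e["pid"])
            entries.append(e)
    return sorted(entries, key=lambda e: e["time"])

def allowed_despite_chain(entries, min_hits=3):
    """Executables the user allowed every time that still hit >= min_hits chain behaviors,
    mapped to the sorted list of those behaviors."""
    per_source = {}
    for e in entries:
        rec = per_source.setdefault(e["source"], {"kinds": set(), "all_allowed": True})
        if e["behavior"]:
            rec["kinds"].add(e["behavior"])
        rec["all_allowed"] &= e["event"].startswith("Allowed")
    return {src: sorted(r["kinds"] & INSTALL_CHAIN)
            for src, r in per_source.items()
            if r["all_allowed"] and len(r["kinds"] & INSTALL_CHAIN) >= min_hits}
```

Note that the posted log is newest-first; parse_log reorders it oldest-first so the sequence of alerts on a single executable reads in the order the user actually clicked through them.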
bocl Posted November 17, 2010

Hi,
I recently received from BrendanK. (Thanks!) a few screenshots proving that Mamutu is able to detect keyloggers. Let's take a look:
The application is: Microsoft Extractor.exe. For the average user it seems to be a legitimate application from Microsoft. Not a lot of info on the internet...
The explanation: "...Mamutu detected a possible malicious behaviour....If you know what the program is ...then click Allow". At this point the Average Joe is still confused. So now Mamutu is giving a suggestion what to do: ALLOW!!!!!!! Yet, the default selection is "Block".
So, what do you think "The Average Joe" will do with the program named: Microsoft Extractor.exe????
Thanks,
Claudiu
Christian Mairoll Posted November 17, 2010

Which wording would you suggest instead? The problem is that behavior blocking can never give a 100% sure decision if a program is good or bad. If it could, we could simply auto-confirm all the alert windows. Behavior blocking always needs some brain of the person sitting in front of the screen, thinking about things like: Where is that program from? Can I trust it? etc.
We try to reduce the number of non-needed alerts to an absolute minimum, but especially for keyloggers it's very hard to give a really good estimation if the vendor is not on our list of known good ones.
bocl Posted November 17, 2010

> We try to reduce the number of non-needed alerts to an absolute minimum, but especially for keyloggers it's very hard to give a really good estimation if the vendor is not on our list of known good ones.

Hi Christian,
From a previous answer of yours: "You're right, signature based virus scanners will catch almost 99.9% of all viruses, but it needs only ONE missed malware item to steal your data, or business secrets, or clear your bank account, or..."
So, with this confusing approach from Mamutu ("Mamutu detected a possible malicious behaviour....If you know what the program is then click Allow" / suggestion what to do: ALLOW / default selection is "Block"), how soon do you think "the average Joe" will ALLOW that "ONE missed malware item to steal your data, or business secrets, or clear your bank account"??
If the vendor is not on your list of known good ones, why is Mamutu's suggestion "ALLOW" then?
Thanks,
Claudiu
Christian Mairoll Posted November 17, 2010

Mamutu does not 'suggest' to allow it. It just describes how to handle the alert. It describes two possible scenarios:
1. You know the program, then click allow.
2. You don't know the program, then click block.
That's all. The description block does not specifically recommend any action, it just describes both options.
bocl Posted November 17, 2010

> Mamutu does not 'suggest' to allow it. It just describes how to handle the alert. It describes two possible scenarios:
> 1. You know the program, then click allow.
> 2. You don't know the program, then click block.
> That's all. The description block does not specifically recommend any action, it just describes both options.

Well, look at the screenshot again; it clearly says: Suggestion: Allow (I circled it in red).
BrendanK. Posted November 19, 2010

Hi Bocl,
The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block.
We will continually try to improve our product to allow the user to make the best decision possible, and feedback such as this is very valuable for us. So, with this information, we will try and improve the suggestions made to the user.
bocl Posted November 19, 2010

> Hi Bocl,
> The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block.
> We will continually try to improve our product to allow the user to make the best decision possible, and feedback such as this is very valuable for us. So, with this information, we will try and improve the suggestions made to the user.

Hi,
I am happy to hear that. With a huge white list / black list and a real Community feature, Mamutu could be the best behavior-based malware blocking on the market.
Thanks,
Claudiu
Hachi' Posted November 22, 2010

> [...] The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block. [...]

Hi Brendan,
as you can see in bocl's and your screenshots, you disabled the Anti-Malware Community feature. EAM suggests "Allow", even for a red-risk alert. If you enable the Anti-Malware Community feature, EAM will suggest "Not Available" (for a threat which does not exist in the database, etc...). You can see this in this video for example: Mamutu YouTube Review
I think this is inconsistent (and maybe a bug?) behavior. I think the rating and the resulting suggestion should be the same for a (red-)risk threat with the Anti-Malware Community feature disabled and with the Anti-Malware Community feature enabled but without a meaningful statement. What do you think?
BrendanK. Posted November 25, 2010

> Hi Brendan,
> as you can see in bocl's and your screenshots, you disabled the Anti-Malware Community feature. EAM suggests "Allow", even for a red-risk alert. If you enable the Anti-Malware Community feature, EAM will suggest "Not Available" (for a threat which does not exist in the database, etc...). You can see this in this video for example: Mamutu YouTube Review
> I think this is inconsistent (and maybe a bug?) behavior. I think the rating and the resulting suggestion should be the same for a (red-)risk threat with the Anti-Malware Community feature disabled and with the Anti-Malware Community feature enabled but without a meaningful statement. What do you think?

I can see what you are trying to say. Yes, it could be conflicting to users. I will pass it on to the developers so they can have a look and change it where necessary to make it more understandable for the user.