bocl

Mamutu for "Average Joe"


Hi,

I wanted to test MAMUTU's antikeylogger protection and I installed Ardamax Keylogger 3.5.3.

I did not get any reaction from MAMUTU's antikeylogger protection (I got an alarm that a program wants to start with Windows and I allowed ONLY that behaviour).

Ardamax Keylogger 3.5.3 is installed on my PC and is logging everything; still no reaction from Mamutu.

Any comments?

Thanks,

Claudiu


Hi,

I would really appreciate an answer from any of the developers / moderators!

"Keylogger related behavior" is mentioned in the list of behaviors MAMUTU is supposed to monitor, yet my Ardamax Keylogger 3.5.3 is installed on my PC, is logging everything and MAMUTU doesn't react at all.

Thanks,

Claudiu


Try updating your definitions.

Hi,

MAMUTU is supposed to be "behavior based" and not "definition based". There is a white list but I doubt that Ardamax Keylogger 3.5.3 is on that list.

Thanks,

Claudiu


Hi Claudiu,

Your post was overlooked.

1st, I hope that the developers will reply, but while you are waiting you could search for the “keylogger” keyword & find many discussions about the matter in this & the old forum, which could give you some if not all answers.

For example, this one

Please read the referenced thread from the old forum as well, where there are some answers by the developers: http://forum.emsisoft.com/Default.aspx?g=posts&t=4050

As far as I know, this particular keylogger is recognized by EAM's signatures (onAccess/onExecution):

Ardamax Keylogger or even the earlier version, Keylogger 2.8.

As for the Behavioral Blocker – it may not be recognized even in its so-called “hidden mode”, because it is not precisely “windowless”; not installed invisibly; there could be several other factors; etc.

Again … the developers may add to that.

Cheers!


Few questions:

Is the process hidden from Task Manager or by any other means?

Is it hiding its files?

Is it creating, sending or storing log files of what it is recording?

Is it hiding these log files?


Few questions:

Is the process hidden from Task Manager or by any other means?

Is it hiding its files?

Is it creating, sending or storing log files of what it is recording?

Is it hiding these log files?

Hi,

From Ardamax website:

"Invisible mode makes it absolutely invisible to anyone. Ardamax Keylogger is not visible in the task bar, system tray, Windows 2000/XP/2003/Vista/Windows 7 Task Manager, process viewers (Process Explorer, WinTasks etc.), Start Menu and Windows Startup list."

"Email log delivery - keylogger can send you recorded logs through e-mail delivery at set times - perfect for remote monitoring!"

Claudiu


Are those enabled though?

Here is an alert from Mamutu with a live keylogger, which is trying to install invisibly.

Warning received:

Emsisoft Mamutu - Version 3.0

Behavior Blocker log

Date                  PID   Source                                                           Event            Behavior/Infection

11/2/2010 9:10:50 PM  644   C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User  Behavior.Spyware
11/2/2010 9:10:23 PM  644   C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User  Behavior.HiddenInstallation
11/2/2010 9:10:14 PM  1376  C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User  Behavior.CodeInjector
11/2/2010 9:09:55 PM  1376  C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User
11/2/2010 9:09:22 PM  1376  C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User  Behavior.AutorunCreation
11/2/2010 9:09:16 PM  1376  C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE  Allowed by User  Behavior.HiddenInstallation
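The log above is worth reading as a whole rather than alert by alert: one executable triggered hidden installation, autorun creation, code injection and spyware behaviour within a minute and a half, and the user clicked Allow each time. As an added example (not Emsisoft's code or a Mamutu feature), the Python below parses lines in the column layout shown, puts them in chronological order, and summarises per executable which flagged behaviours were waved through, so a reviewer can spot exactly the "Average Joe allowed everything" pattern the thread describes. The sample log is constructed from the posted rows; the "Blocked by User" event string and the notepad row are assumptions added for contrast.

```python
"""Summarise what a user allowed in a Mamutu-style Behavior Blocker log.

Added example, not Emsisoft code. Column layout follows the log posted in the
thread: Date PID Source Event Behavior/Infection. The "Blocked by User" event
string and the NOTEPAD.EXE row below are assumptions made up for contrast.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

LOG_DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# The source path may contain spaces, so it is matched lazily and terminated by
# the known event strings; the behaviour column is absent on some rows.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<source>.+?)\s+"
    r"(?P<event>Allowed by User|Blocked by User)"
    r"(?:\s+(?P<behavior>Behavior\.\S+))?\s*$"
)

# Constructed sample modelled on the log in the thread (newest row first).
SAMPLE_LOG = r"""
Emsisoft Mamutu - Version 3.0
Behavior Blocker log
Date PID Source Event Behavior/Infection
11/2/2010 9:10:50 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.Spyware
11/2/2010 9:10:23 PM 644 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation
11/2/2010 9:10:14 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.CodeInjector
11/2/2010 9:09:55 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User
11/2/2010 9:09:22 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.AutorunCreation
11/2/2010 9:09:16 PM 1376 C:\DOCUMENTS AND SETTINGS\BRYCE\DESKTOP\MICROSOFT EXTRACTOR.EXE Allowed by User Behavior.HiddenInstallation
11/2/2010 9:15:03 PM 2020 C:\WINDOWS\SYSTEM32\NOTEPAD.EXE Blocked by User Behavior.AutorunCreation
"""


@dataclass
class LogEvent:
    when: datetime
    pid: int
    source: str
    event: str
    behavior: Optional[str]


@dataclass
class SourceSummary:
    pids: Set[int] = field(default_factory=set)
    allowed: Set[str] = field(default_factory=set)      # behaviours the user let through
    blocked: Set[str] = field(default_factory=set)      # behaviours the user stopped
    allowed_unlabelled: int = 0                          # "Allowed" rows with no behaviour column


def parse_log(text: str) -> List[LogEvent]:
    """Return the log's events oldest-first; banner and header lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LogEvent(
            when=datetime.strptime(m["date"], LOG_DATE_FMT),
            pid=int(m["pid"]),
            source=m["source"],
            event=m["event"],
            behavior=m["behavior"],
        ))
    return sorted(events, key=lambda e: e.when)


def summarize(events: List[LogEvent]) -> Dict[str, SourceSummary]:
    """Fold the per-alert rows into one record per executable path."""
    summary: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for e in events:
        s = summary[e.source]
        s.pids.add(e.pid)
        if e.event == "Allowed by User":
            if e.behavior is None:
                s.allowed_unlabelled += 1
            else:
                s.allowed.add(e.behavior)
        elif e.behavior is not None:
            s.blocked.add(e.behavior)
    return dict(summary)


def review_allowed(events: List[LogEvent], min_behaviors: int = 2):
    """Executables for which the user allowed at least min_behaviors distinct
    flagged behaviours; these decisions deserve a second look."""
    return sorted(
        (src, sorted(s.allowed))
        for src, s in summarize(events).items()
        if len(s.allowed) >= min_behaviors
    )


if __name__ == "__main__":
    for src, behaviors in review_allowed(parse_log(SAMPLE_LOG)):
        print(f"{src}: user allowed {', '.join(behaviors)}")
```

Running it prints the single executable from the posted log together with the four behaviours that were allowed; the notepad row is constructed to show that a blocked alert does not count towards the review threshold.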


Hi,

I recently received from BrendaK (Thanks!) a few screenshots proving that Mamutu is able to detect keyloggers.

Let's take a look:

The application is Microsoft Extractor.exe. For an average user it seems to be a legitimate application from Microsoft. Not a lot of info on the internet...

The explanation: "...Mamutu detected a possible malicious behaviour.... If you know what the program is ... then click Allow". At this point the Average Joe is still confused.

So now Mamutu is giving a suggestion what to do: ALLOW!!!!!!!

Yet, the default selection is "Block".

So, what do you think "The Average Joe" will do with the program named Microsoft Extractor.exe????

Thanks,

Claudiu


Which wording would you suggest instead?

Problem is that behavior blocking can never give a 100% sure decision if a program is good or bad. If it could, we could simply auto-confirm all the alert windows. ;)

Behavior blocking always needs some brain of the person sitting in front of the screen. Thinking about things like: Where is that program from? Can I trust it? etc.

We try to reduce the number of non-needed alerts to an absolute minimum, but especially for keyloggers it's very hard to give a really good estimation if the vendor is not on our list of known good ones.


We try to reduce the number of non-needed alerts to an absolute minimum, but especially for keyloggers it's very hard to give a really good estimation if the vendor is not on our list of known good ones.

Hi Cristian,

From a previous answer of yours:

"You're right, signature based virus scanners will catch almost 99.9% of all viruses, but it needs only ONE missed malware item to steal your data, or business secrets, or clear your bank account, or..."

So, with this confusing approach from Mamutu ("Mamutu detected a possible malicious behaviour.... If you know what the program is then click Allow" / suggestion what to do: ALLOW / default selection is "Block"), how soon do you think "the average Joe" will ALLOW that "ONE missed malware item to steal your data, or business secrets, or clear your bank account"??

If the vendor is not on your list of known good ones, why is Mamutu's suggestion "ALLOW" then?

Thanks,

Claudiu


Mamutu does not 'suggest' to allow it. It just describes how to handle the alert. It describes two possible scenarios:

1. You know the program, then click allow.

2. You don't know the program, then click block.

That's all. The description block does not specifically recommend any action, it just describes both options.


Mamutu does not 'suggest' to allow it. It just describes how to handle the alert. It describes two possible scenarios:

1. You know the program, then click allow.

2. You don't know the program, then click block.

That's all. The description block does not specifically recommend any action, it just describes both options.

Well, look at the screenshot again; it clearly says:

Suggestion: Allow (I circled it in red)


Hi Bocl,

The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block ;)

We will continually try to improve our product to allow the user to make the best decision possible and feedback such as this is very valuable for us. So, with this information, we will try and improve the suggestions made to the user. :)


Hi Bocl,

The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block ;)

We will continually try to improve our product to allow the user to make the best decision possible and feedback such as this is very valuable for us. So, with this information, we will try and improve the suggestions made to the user. :)

Hi,

I am happy to hear that. With a huge white list / black list and a real Community feature, Mamutu could be the best behavior-based malware blocker on the market.

Thanks,

Claudiu


[...]

The problem with relying on the behavior of programs is that many malicious programs use similar installation methods to valid programs, and vice-versa. So, yes, the suggestion does say allow, but that is because many valid programs install services invisibly, so as to not annoy the user. However, the default choice is block ;)

[...]

Hi Brendan,

as you can see on bocl's and your screenshots, you disabled the Anti-Malware Community feature. EAM suggests "Allow", even for a red-risk alert.

If you enable the Anti-Malware Community feature, EAM will suggest "Not Available" (for a threat which does not exist in the database, etc...). You can see this in this video for example: Mamutu YouTube Review

I think this is inconsistent (and maybe a bug?) behavior. I think the rating and the resulting suggestion should be the same for a (red-)risk threat with the Anti-Malware Community feature disabled and with the Anti-Malware Community feature enabled but without a meaningful statement. What do you think?


Hi Brendan,

as you can see on bocl's and your screenshots, you disabled the Anti-Malware Community feature. EAM suggests "Allow", even for a red-risk alert.

If you enable the Anti-Malware Community feature, EAM will suggest "Not Available" (for a threat which does not exist in the database, etc...). You can see this in this video for example: Mamutu YouTube Review

I think this is inconsistent (and maybe a bug?) behavior. I think the rating and the resulting suggestion should be the same for a (red-)risk threat with the Anti-Malware Community feature disabled and with the Anti-Malware Community feature enabled but without a meaningful statement. What do you think?

I can see what you are trying to say :) Yes, it could be conflicting to users. I will pass it on to the developers so they can have a look and change it where necessary to make it more understandable for the user.

