Loganton4386

Keyloggers not detected by MBAM

28 posts in this topic

Hi, I was wondering if MBAM detects all of the keyloggers on this site, since it doesn't detect the installers for them, and I don't want to try and install a keylogger on my PC. I was going to send the installers via sample submit, but there are like 20 on the site. Here's the website, and let me know if they will be added to MBAM's detection list, or if they are already on it.

hxxp://www.spyarsenal.com/download.html

Greetings :)

I'm not sure if MBAM detects them or not, but in the future when posting links to something that may be questionable or considered by some to be malware please mung the links using a format such as hxxp instead of http so that they are not active.

Also, just for reference, even if MBAM doesn't detect them, any antivirus with behavioral detections and/or HIPS should be able to detect any kind of keylogger.

Thanks :)

I'm not sure if MBAM detects them or not

Here is nosirrah on that topic:

A lot of loggers we find get listed as spyware. These are pure malware loggers that have no legit version or function.

Commercial keyloggers are something we have been thinking about, but there are big issues as most of the time they are installed for a legit reason. I almost never see commercial keyloggers in the wild used by malware.

HTH

Read what Bill Pytlovany of WinPatrol fame has to say about keyloggers

Scott did his homework on the functionality of keyloggers but neglected to understand how often these programs are used for malicious intent. In my own research, I spent a great deal of time listening to the folks at NNEDV (National Network to End Domestic Violence). If Scott had talked with anyone who deals with domestic violence he would understand just how horrible and dangerous these programs are. Their primary customers are not parents.

http://billpstudios.blogspot.com/2008/10/shame-on-windows-secrets-newsletter.html

I have used WinPatrol for about the same time as Malwarebytes as a Layered Defence approach to system security, in that no individual security application can provide 100% protection from the prolific malware writers that are on the Internet today.

The features of the FREE vs PLUS versions are here:

http://www.winpatrol.com/compare.html

Read what Bill Pytlovany of WinPatrol fame has to say about keyloggers

I'm 100% with Bill Pytlovany on this...

If Scott had talked with anyone who deals with domestic violence he would understand just how horrible and dangerous these programs are. Their primary customers are not parents.

I think I'll look a little closer at WinPatrol. ;)

I even have a WinPatrol USB Flash Wristband that I put my applications on to take with me when I go to help someone when they ask me for help with their system. They usually are amazed when I run Malwarebytes and it removes the infection, and then I show them how to order it after showing the benefits of its resident protection.

I think the primary concern for companies like Malwarebytes' that opt not to detect commercial keyloggers is the primary user of keyloggers: corporations. They use them to legally monitor computer use by their employees. I'm not saying the scenario described by Bill doesn't occur, I'm sure it does, but I will guarantee that more licenses (including volume licenses) for commercial keyloggers have been sold to businesses than angry abusive husbands.

Again, that's why I leave it to my AV/HIPS etc (like WinPatrol). KAV catches them all, not necessarily by name, but it identifies that they're capturing user input. It does the same for every game I load the first time I run it ;) .

I think the primary concern for companies like Malwarebytes' that opt not to detect commercial keyloggers is the primary user of keyloggers: corporations. They use them to legally monitor computer use by their employees. I'm not saying the scenario described by Bill doesn't occur, I'm sure it does, but I will guarantee that more licenses (including volume licenses) for commercial keyloggers have been sold to businesses than angry abusive husbands.

So the corporation puts the monitoring program on the MBAM ignore list and that takes care of that. No?

No, I believe (but cannot confirm since I'm not a developer for Malwarebytes') that they simply choose not to detect any commercial keyloggers whatsoever due to the fact that many of MBAM's license holders are corporations with corporate licenses. It would be detrimental to a large segment of Malwarebytes' customers to add such detections.

No, I believe (but cannot confirm since I'm not a developer for Malwarebytes') that they simply choose not to detect any commercial keyloggers whatsoever due to the fact that many of MBAM's license holders are corporations with corporate licenses. It would be detrimental to a large segment of Malwarebytes' customers to add such detections.

Please explain why what I said (the corporation puts the monitoring program on the MBAM ignore list and that takes care of that) would not be the simple solution to corporations not wanting their monitoring software detected by MBAM?

It's the same thing a home user would do if he or she wanted to install a commercial keylogger on their computer and run MBAM at the same time. They'd put the commercial keylogger on MBAM's ignore list.

That pretty much eliminates the big concern.

What about these AVs and HIPS you're talking about that you trust to catch the keylogger? They all have corporate customers, don't they? What do you think they do about detecting commercial keyloggers and keeping their corporate clients happy? I'd say it is exclusion lists and ignore lists put in place by the IT guy.

The trouble is, as MBAM works now, anyone could remove a detection from MBAM's ignore list and even having it listed there means it's been detected before, which would also show up in the Protection Logs, thus tipping off the employee in question to the use of a keylogger, something the company may not want. They are legally allowed to install keyloggers on their own machines without telling their employees about it.

Kaspersky doesn't do whitelisting for corporate keyloggers, they list them as a possibly unwanted program (PUP), but many AV vendors do whitelist these apps and don't detect them at all.

They are legally allowed to install keyloggers on their own machines without telling their employees about it.

Never in question here by me.

The trouble is, as MBAM works now, anyone could remove a detection from MBAM's ignore list and even having it listed there means it's been detected before, which would also show up in the Protection Logs, thus tipping off the employee in question to the use of a keylogger, something the company may not want.

I am not an IT professional, but it strikes me as odd that non-admin user employees in a company have the ability to see security program logs and configurations. I don't even believe that is how it works.

Anyway, like you, I use a layered approach to security, so I will rely on other programs besides MBAM to detect commercial keyloggers.

Take care, exile360 ;)

I am not an IT professional, but it strikes me as odd that non-admin user employees in a company have the ability to see security program logs and configurations. I don't even believe that is how it works.

Any user can execute mbam.exe (the scanner) and it will list the items in the Ignore List tab with a single click. This may be altered in the future, but currently that's how it works.

Just a few other thoughts for you, mynorgeek :)

I don't think you should have commercial keyloggers anyway on your system, unless you bought it used, share it with someone else, or have let others use it before. And it certainly doesn't sound as though you'd ever install any yourself.

;)

Also, please use the "add reply" button at the bottom of the page when replying.

Thanks :)

Also, please use the "add reply" button at the bottom of the page when replying. Thanks ;)

Hello mountaintree16,

Would you please tell me why you've asked me to do that? What is wrong with using the Reply button? Thanks.

I don't think you should have commercial keyloggers anyway on your system, unless you bought it used, share it with someone else, or have let others use it before. And it certainly doesn't sound as though you'd ever install any yourself.

Oh, as for this, one can never be too sure. But mainly I am concerned about all MBAM users, not just myself. And that would then include many who might have a commercial keylogger. :)

@ Mynorgeek

Sure.

Because it's unnecessary to quote everyone all the time, and it makes the forum easier to read :)

Oh, okay. That's understandable, about the keylogger concerns. However, there is pretty much zilch chance of a commercial keylogger actually being used by malware ;)

Sure. Because it's unnecessary to quote everyone all the time, and it makes the forum easier to read :)

Two things. I don't quote everyone all the time, and I think it makes the forum easier to read when quotes are used. So we see it differently. In addition, sometimes the person you've responded to edits their post, but the quote shows the original text. They can't edit the quote, can they?

Oh, okay. That's understandable, about the keylogger concerns. However, there is pretty much zilch chance of a commercial keylogger actually being used by malware ;)

Whether or not it is used by malware isn't my concern. When it is actually used by the person who put it there is. :)

@ mynorgeek

True, but if you take a peek around, most admins and many mods and others ask people to please not quote unless absolutely necessary ;) Plus with longer posts sometimes it can be annoying to have all that quoteage.

True, but, if you can't trust the computer that you are using, why enter personal information, passwords etc... into it to begin with? That way, no need to be leery of keyloggers :)

True, but if you take a peek around, most admins and many mods and others ask people to please not quote unless absolutely necessary ;) Plus with longer posts sometimes it can be annoying to have all that quoteage.

We're covering the same old ground. You find it annoying, I find it easier and quite succinct. I believe I'll stick to this way of doing it at the risk of annoying you too much.

True, but, if you can't trust the computer that you are using, why enter personal information, passwords etc... into it to begin with? That way, no need to be leery of keyloggers :)

Just a few moments ago I noted that I am concerned about all MBAM users, not just myself. Remember?

Yes, I do remember ;)

My advice goes to others as well - commercial keyloggers basically have zilch chance of being used by malware and if they don't trust a machine, they shouldn't enter personal information into it. (Checking personal email at work/public computer, banking at work/public computer, etc..., just as an example).

My advice goes to others as well - commercial keyloggers basically have zilch chance of being used by malware and if they don't trust a machine, they shouldn't enter personal information into it. (Checking personal email at work/public computer, banking at work/public computer, etc..., just as an example).

Not very good advice, I'm afraid. Again, commercial keyloggers being used by malware is not the issue. It's the person who installed the keylogger who is the threat. As for, "if they don't trust a machine, they shouldn't enter personal information into it", that makes no sense to me. Of course we don't trust our machines. That's why we install security programs. Once installed, the trust level increases. But if the security program does not protect against all threats... and you can't tell me one that does... then your trust is not well founded, is it? So we all are going to trust our computers as much as we can, and enter sensitive data, but we're always going to want the best protection from our installed apps.

Have a nice evening/morning/day, mountaintree16. ;)

I think you just summed it up yourself mynorgeek ;) :

Again, commercial keyloggers being used by malware is not the issue. It's the person who installed the keylogger who is the threat.

Malwarebytes' Anti-Malware is designed to detect and protect users from malicious software, not legitimate software being used in an illegitimate way by malicious users. That's the line. It may at times be a fine one, but I don't see too much gray area with regards to keyloggers. If it is legitimate and not used by internet threats in the form of malware (malicious software) then it should not be detected by MBAM.

I 100% agree with and back up what Exile just posted to you above my post here.

That being said, I think we must agree to disagree on this subject, and I'm sure we can agree on that ;)

You have a nice day as well, mynorgeek :)

Another such example would be tools like Avenger, created by one of Malwarebytes' own developers, Swandog46. It has actually been used in the past by the Banker Trojan in order to disable security tools, modify system files and do other malicious things. They use it because it is so powerful, although its intended purpose is for the use of forum helpers in removing malware from systems in online help forums. Malwarebytes' should not detect Avenger.exe as malware simply because it can be used maliciously, even if there are cases where it indeed is. Instead, they should simply focus on the Banker Trojan itself (which is what they did when it happened) and leave Swandog46's tool whitelisted as safe since its primary purpose is a helpful one.

Believe it or not, the same is true of commercial keyloggers. They are created and sold for a legitimate purpose, not illegal tracking of users without their consent, and there's no way for MBAM to know the difference in the "intent" of the user who installed it.

Malwarebytes' Anti-Malware is designed to detect and protect users from malicious software, not legitimate software being used in an illegitimate way by malicious users. That's the line. It may at times be a fine one, but I don't see too much gray area with regards to keyloggers. If it is legitimate and not used by internet threats in the form of malware (malicious software) then it should not be detected by MBAM.

To be clear, all malicious software has a human behind it who is attempting to benefit from its installation in some way. "Legitimate" keyloggers are used at times by people who have bad intentions. They can cause untold harm. Having a great program like MBAM identify these commercial keyloggers as PUPs would be ideal, in my opinion. And the enterprise version of MBAM can be written differently, to satisfy the corporations who wish to anonymously monitor employee activity.
