I have been testing Webroot's Identity Shield and multiple times it does not stop the screen grabbing attack. It is successful at blocking most (most, but not all) keystrokes from being logged, however, when using a screen capture program Webroot does not block or even notify that an application is attempting to take screenshots. I have tried uninstalling and reinstalling Webroot multiple times but I get the same results. Please advise.
Shran
Hi Shran,
Webroot does block all known and unknown keyloggers. I assume you're using some testing software, as some of them have to be used in the foreground, so that makes the Browser Window behind so not protected, as you can see if the little yellow padlock on the tray Icon to be protected!
Please see here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/WSA-scores-100-in-MRG-Efitas-tests/m-p/54082/highlight/true#M2670
Also WSA does not block known good screen capture tools like Snagit, HoverSnap and even Windows' own Snipping Tool, but you can block them if you feel it's necessary, but will protect you from Malicious Screen Grabbers.
Also read here from the Online Helpfile: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C6_IDProtection/CH6a_ManagingID.htm
HTH,
Daniel 😉
Hi Daniel,
Thanks for your response. I am using a keylogger that runs in the background, not the foreground. I made sure that the lock icon was over the Webroot icon as I was typing and it was the whole time. To be a little more specific about not all keystrokes being blocked, I mean I would go to my email (I have an address I use for testing) or Facebook and type in login information, and when I reviewed the keystroke log it would look like this "f E dax [Capslock] h . da" etc. All of those are keystrokes that I actually typed so I know it wasn't just my real keystrokes being scrambled. That's what I mean about most but not all being blocked. No, that is not enough for a keylogger user to be able to actually get any useful information, but I thought I should mention it. As for the screen capture, I was using an "Unknown" file, and I verified it was unknown by using Webroot's system control. I had it set to grab a screenshot every 60 seconds, also running silently in the background. Webroot allowed the screenshots even though it was an unknown file, and I verified that the padlock was on the Webroot icon in testing this as well. Interestingly though, Webroot did block the screenshots in one test case installation, but not in any of the others using the same program.
Thanks,
Shran
Well...this isn't good..
Yes, I hate to be the bearer of bad news as the saying goes, and I really do love Webroot, so, Daniel, and all others reading this, please do not think I don't like Webroot because of this; I really do like Webroot a lot, but I just wanted to point this out. For all I know it could be a problem with my own computer.
Still have faith in Webroot!
Shran
Thanks,
Daniel
Hi Daniel,
As far as I know, it is not a "remote keylogger", meaning that it won't actually send my keystrokes off like a real piece of spyware, it's more like a "spy tool" that you would put on your computer to see what people are doing on your own computer, but, it is not one of the reputable ones like "Net Nanny", it is one of those kind of shady ones that's like "free see what people are typing" if you know what I mean, so I don't think it's whitelisted either, for that reason and because I would type something like "StarTrek_DaxFan-1985" and the keylogger would pick up "S _ n 1 8". So, most of the password (that is not a real password by the way :P) was blocked, if it was whitelisted wouldn't it have picked up everything? I could be wrong though, please correct me if I am 🙂. As for the screen capture, what's interesting about that is that I tested it again last night, and for the most part, most screenshots were blocked, but after a reboot, all my Webroot settings were defaulted (not really related to the original topic but thought I should mention it) and the program was again able to grab screenshots, even though Webroot said in its Identity Protection settings that the file was set to "block". I'm thinking that perhaps it is Norton interfering? I know Webroot plays nice, but that doesn't mean Norton isn't being a butt-head 😛.
1. Right Click on the Webroot Tray Icon and Save a Scan Log and look for the program that you're using to see if it is marked good, as a [g] will be in front of the line or lines. If another, let me know what it says and even post the lines.
2. Settings going back to default: have you set up your My Webroot Online Console? If not, please do so. If you have, go in there and click on your PC and make sure it's set for User Configuration, and if it is already set to that, set it to something else and save, then go back and put it under User Configuration and wait 20 to 30 minutes and do a scan, then set it up the way you like it, Save, then reboot to see if the settings stick this time.
HTH,
Daniel ;)
You're very welcome and thanks for the nice comment, and we want it to be this way. Most of us are Volunteers and we help the Webroot Staff; we get guidance from them, and also I have been using Prevx since 2004 and Webroot Acquired them in Nov 2010 and they even made it better with more tools and options, so some of us know it quite well from the Prevx days! We are a great bunch of Members and Staff Members, it's great, and you will not find that also from any AV Support Forum!
Hey, I see that you're running Active Malware [b] and have some Unknowns [u]. You can send them the lines via a Support Ticket and they will get those fixed up even if they're FPs!
Cheers,
Daniel
Hey Daniel,
Those [b] and [u] files are just the monitoring files that I am using to test the ID shield. I am using them on a completely separate hard drive that I use for testing so it isn't my "main" system and I purposefully put those files there to test the ID shield so I don't need to send a help ticket 🙂 Thank you for the suggestion though, I just wipe this hard drive since it is only 100 GB when I'm done with testing 🙂 I've tested a lot of stuff on this hard drive as it's isolated from my main system, Avast betas, Norton, Bitdefender, etc. and now Webroot :)
Shran
Well you have some Acronis files as unknown so that must be a new update! LOL
Daniel
Yes, those are pretty recent, it's actually the "WD Edition" not the full version, since I can use the WD version for free because I bought a WD external hard drive. :P
Do you have any idea why the program might be taking screenshots still? It's listed as bad and unknown so it must not be whitelisted. All shields are turned on, keylogger protection still works (I view the keylogger logs and it doesn't pick up anything useful), but that [b] program is still able to pick up screenshots.
Edit: here is what the keystroke log looks like after I typed that message:
y e i o -Caps Lock- -Caps Lock- v ' -Back- i s -Back- -Back- -Back- , h { -Caps Lock- -Caps Lock- -Back- -Back- [ -Caps Lock- ] -Caps Lock- -Back- . -Back- -Back- -Back- -Back- -Back- -Back- -Back- r b k p s. -Enter-
-Caps Lock- -Caps Lock- -Back- -Back- -Back- : s eo g s -Caps Lock- -Caps Lock- e a e: -Enter-
Nothing that could really be used by a spyware user, but every once in a while it picks up a letter here and there.
Shran
What Browser are you using and is it 32bit or 64bit and version number? Supported Browsers are IE, Firefox, Chrome 32bit.
Here's a small video on the 2012 version but basically the same have a look: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202#.UpKL8-LZG_o
Also note that WSA protects both HTTPS & HTTP by default now!
Daniel
I am using Firefox x86 version 25.0.1.
I also added the explorer.exe process to Webroot's Identity Shield so that it protects not just the browsers but pretty much everything since explorer.exe is almost always running :P
Shran
He flashes it at me with great regularity 🙂
Yeppers my Buddy in crime! :D
Daniel
Yup!
Good teamwork, and we have a lot of fun doing it 🙂
Hey Daniel,
I removed the "explorer.exe" process from the Identity Shield protected processes, as it kept glitching up, meaning it would not protect explorer.exe even when it was the only thing running (I didn't get the padlock) after a reboot. Now, it seems to be working better against the screengrabbers when I have my browsers open. Do you think it's possible that having "explorer.exe" protected was causing some interference with protecting the browsers?
Shran
I'm not sure, but as you found it to be an issue, maybe someone from the Webroot Staff will chime in. I just have my Browsers in the ID Shield; I feel for me not to add anything else.
Daniel 😉
I suggest not configuring system applications like explorer.exe as protected applications - it will definitely cause odd system behavior as it will prevent other components of the system from communicating with Explorer. There is a considerable amount of logic in place to allow legitimate screen capturing but block malicious use of screen data. I've tested it here on Windows 7 x64 and XP 32bit right now and it is working properly, so I suspect the testing tools are not simulating malware accurately.
Control keys like capslock, backspace, shift, etc. will be allowed through, as if they are blocked, the OS loses context. As for random keystrokes coming through, this could be due to if the foreground window loses focus or isn't being actively typed into.
In any event, screen grabbers and keyloggers are almost irrelevant these days when it comes to real malware. Threats are using much more advanced techniques which is what WSA focuses on protecting: man in the browser attacks, memory injection, system call hooking, and a myriad of other approaches. They tend to not use the obvious ones like screen capture/keylogging because they generate too much data and are too easy to detect as malicious behaviors. WSA excels at blocking the most advanced techniques and has been doing so for years without any threats bypassing it.
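For anyone repeating this kind of shield test, the following added example (not code from any poster or from Webroot) scores a test keylogger's capture against the string that was actually typed, separating the control keys that are expected to pass through from leaked printable characters. The control-token spellings are taken from the logs quoted in this thread; the function names are hypothetical.

```python
import re

# Control-key tokens as they appear in the logs quoted in this thread.
CONTROL = re.compile(r"-(?:Caps Lock|Back|Enter)-|\[Capslock\]")
TOKEN = re.compile(CONTROL.pattern + r"|\S")

def split_log(log):
    """Return (control tokens, leaked printable characters) from a capture."""
    controls, printable = [], []
    for tok in TOKEN.findall(log):
        (controls if CONTROL.fullmatch(tok) else printable).append(tok)
    return controls, "".join(printable)

def align(leaked, typed):
    """Greedy in-order match of leaked chars inside typed; None if impossible."""
    positions, start = [], 0
    for ch in leaked:
        idx = typed.find(ch, start)
        if idx < 0:
            return None
        positions.append(idx)
        start = idx + 1
    return positions

def longest_run(positions):
    """Longest stretch of adjacent typed positions that leaked together."""
    best = cur = 0
    prev = None
    for p in positions:
        cur = cur + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, cur), p
    return best

def leak_report(typed, log):
    controls, leaked = split_log(log)
    pos = align(leaked, typed)
    return {
        "controls": len(controls),      # expected to pass through
        "leaked": leaked,               # printable characters that got out
        "consistent": pos is not None,  # False suggests scrambling or a wrong reference
        "ratio": len(leaked) / max(len(typed), 1) if pos is not None else None,
        "longest_run": longest_run(pos) if pos else 0,
    }

# Sample values quoted from the thread (test password and what was captured).
SAMPLE_TYPED = "StarTrek_DaxFan-1985"
SAMPLE_LOG = "S _ n 1 8"

if __name__ == "__main__":
    print(leak_report(SAMPLE_TYPED, SAMPLE_LOG))
```

A low ratio with a longest run of 1 means only isolated characters escaped; a long contiguous run would be the result worth reporting to support.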