BillDietrich

Does Malwarebytes report all keyloggers ?


Including the ones in some HP trackpad drivers, I think ?  MWB should report all keyloggers as PUPs.  If the user knows they're using a keylogger for work purposes or something, they can ignore the report.


I too, am curious. <_< I recently had a keyboard whose driver was "allegedly" reporting back to a server, which turned out to be (in my opinion) ;) standard diagnostic information. It would be awfully convenient to see when a local program wishes to communicate out, unusually. For example, a driver. Despite how reputable supposed destination server or protocol.


Some keyloggers are not "Potentially Unwanted" as they can be installed by administrators on machines they manage, so we don't want to report "all of them". I'm doing some research around the HP keyloggers to see if we detect them or not, I'll follow up when I have more details.


In the USA, it is legal for an employer to install software such as key-logging software on the company furnished automated data processing equipment (aka ADPE). No employee using employer provided systems should have any expectation of privacy. It also may be legal, albeit with many questions on its application, for a parent to install said software on a dependent child's computer.

However it is illegal to install said software on a rival, boyfriend/girlfriend or other non-family relationship where there is not a parent/guardian relationship.

It is also illegal for a Rental company to install such software as noted in a case against Aaron's and others settled by the FTC.

Aaron's Rent-To-Own Chain Settles FTC Charges That it Enabled Computer Spying by Franchisees

Edited by David H. Lipman
Spelling, Grammar and Clarification


Just talked with our researchers, and we don't flag the HP driver as a PUP as it wasn't something malicious. It was simply a driver that got released with debug printing on. The proper solution there is to update the driver to a newer version.


Every case cited here qualifies as POTENTIALLY unwanted.  Report it to the user, and let them decide if this keylogger is legal, authorized by their work IT, not malicious, just a debug driver that got released accidentally, etc.  Report ALL of them to the user.


I would like the option of removing the 'legal employer keyloggers' in the options panel. Just because it's legal doesn't mean it's good. The employer should disclose this anyways not to remove these keyloggers, and leave them on the computer as mandatory.

What's the hold up?

On 12/14/2017 at 2:56 AM, BillDietrich said:

Including the ones in some HP trackpad drivers, I think ?  MWB should report all keyloggers as PUPs.  If the user knows they're using a keylogger for work purposes or something, they can ignore the report.

Thank you for starting this topic. Lots of people care about this more than you think.

Edited by biomembrain

On 12/23/2017 at 7:36 PM, dcollins said:

Just talked with our researchers, and we don't flag the HP driver as a PUP as it wasn't something malicious. It was simply a driver that got released with debug printing on. The proper solution there is to update the driver to a newer version.

I would like all keyloggers you know to show up in our quarantine in 2018. That's plain ridiculous. At least as a PuP... give a warning message that it may violate company policy to remove the keylogger. There's many ways of solving these issues. 


I'd prefer all keyloggers be detected as a threat/security risk (not even just PUP) on the grounds that even a legit keylogger, or in the case of the HP issue, an 'accidental' keylogger may at any time be exploited by the bad guys for malicious purposes, and in fact there have been many times in the past where legit keyloggers (commercial keylogging software) have been used by malware for this purpose.  An antimalware application should report all threats, regardless of their intended purpose, even if that purpose is supposedly legal/legitimate or benign because what a keylogger does by its very design and nature is a risk to security and privacy for the system and the user no matter who installed it on the system or why.

For scenarios where the IT admin of a business has installed the keylogger, they would likely be the ones who installed Malwarebytes as well so it would be up to them to have already configured their exclusions appropriately to have Malwarebytes ignore any threats/non-default/potentially insecure settings (keyloggers, PUMs etc.), not for Malwarebytes to assume that it might be legitimate use of a keylogger.

Always err on the side of security and privacy, at least that's how I believe it should be.  Let the administrator of the installed Malwarebytes product make the determination of what is 'safe' or benign and what should be detected; do not make assumptions based on specific scenarios or circumstances which might or might not apply to any given situation or user.

At least that's my opinion anyway.

10 hours ago, exile360 said:

I'd prefer all keyloggers be detected as a threat/security risk (not even just PUP) on the grounds that even a legit keylogger, or in the case of the HP issue, an 'accidental' keylogger may at any time be exploited by the bad guys for malicious purposes, and in fact there have been many times in the past where legit keyloggers (commercial keylogging software) have been used by malware for this purpose.  An antimalware application should report all threats, regardless of their intended purpose, even if that purpose is supposedly legal/legitimate or benign because what a keylogger does by its very design and nature is a risk to security and privacy for the system and the user no matter who installed it on the system or why.

For scenarios where the IT admin of a business has installed the keylogger, they would likely be the ones who installed Malwarebytes as well so it would be up to them to have already configured their exclusions appropriately to have Malwarebytes ignore any threats/non-default/potentially insecure settings (keyloggers, PUMs etc.), not for Malwarebytes to assume that it might be legitimate use of a keylogger.

Always err on the side of security and privacy, at least that's how I believe it should be.  Let the administrator of the installed Malwarebytes product make the determination of what is 'safe' or benign and what should be detected; do not make assumptions based on specific scenarios or circumstances which might or might not apply to any given situation or user.

At least that's my opinion anyway.

I agree with you exile360!

It looks like you really know what you are talking about. I also think that these 'legit keyloggers' can be used by malware too to use this as 'face mask' to cover up the blackhat persona. 


I actually see why Malwarebytes doesn't want Keystroke Encryption. They purposely allow 'acceptable keyloggers' to remain wild on your device.

dcollins: 'Some keyloggers are not "Potentially Unwanted" as they can be installed by administrators on machines they manage, so we don't want to report "all of them". I'm doing some research around the HP keyloggers to see if we detect them or not, I'll follow up when I have more details.'

I hope no journalists that have certain secrets use this program. The whole structure of the concept of Keyloggers in Malwarebytes is foul.

Edited by biomembrain


You might as well figure that ANY med-lg place you work at is logging something, be it internet, screenshots, how much you use a certain program, etc.

Of course they should have this set in their MWB exclusions so the average user never gets notified.

On the other hand, the HOME version may want to flag more of these to the user.


I only wished that every Malwarebytes staff member cares about this issue about 'allowable keyloggers.'

This very topic questions the very integrity and trust we can give Malwarebytes as an Anti-Malware provider. 

I am still using Malwarebytes and I am waiting for them to give a good response to this issue. My goodness. 

 

(๑◕︵◕๑)

 

 

On 1/15/2018 at 8:30 AM, biomembrain said:

I hope no journalists that have certain secrets use this program.

They get their news from Twitter nowadays. No secrets there.

33 minutes ago, biomembrain said:

I only wished that every Malwarebytes staff member cares about this issue about 'allowable keyloggers.'

This very topic questions the very integrity and trust we can give Malwarebytes as an Anti-Malware provider. 

I am still using Malwarebytes and I am waiting for them to give a good response to this issue. My goodness. 

 

(๑◕︵◕๑)

 

 

Our response has not changed from what was stated earlier in this thread. At this time, we have no plans to change our stance on how we identify keyloggers. If they are malicious, or part of a malicious package, they will be called out as such but legitimate software that functions as a keylogger won't be called out.


Please take into account exile360's reply on this topic with the ranking of (exile - 17,355 posts). He or she seems very knowledgeable about these topics.

At least we have this for open discussion. I really don't agree with Malwarebytes' current stance right now, and I hope that Marcin Kleczynski sees this thread. I really admired his TED talk and made a nice topic about him on these forums.

I see great importance of this topic to keep continuing on.


Actually Samuel ( exile360 ) is a former Malwarebytes employee.  But not as a Malware Researcher.  I was also a Malwarebytes employee but I was a Malware Researcher.

Keyloggers are in a class of software that is greyware and it is not a black-and-white case.  Malwarebytes' stance is appropriate.

Everyone has their "opinions" on greyware and HackTools.

33 minutes ago, dcollins said:

legitimate software that functions as a keylogger won't be called out

Only the user can make a judgement about whether a keylogger on their system is "legitimate".  If a keylogger commonly used in many call-centers is present on my computer, but I do not work in a call-center and this is my home computer, the keylogger is not "legitimate".


It may be greyware, but if you think about it, it is an unnecessary, possible 'trojan horse.'

Why would the average home user want a possible trojan horse on their computer when they don't need it? If businesses are using this, what's the point of Malwarebytes' business suite of products? I guess that Malwarebytes endpoint protection is not as good as the home edition?

Why do we want a possible trojan horse? This is such a big vulnerability to exploit. Did you hear about HP laptops that have hidden keyloggers? Does Malwarebytes report this as safe, or is it just a successful trojan horse that HP is only patching and no one else is?

HP laptops found to have hidden keylogger

http://www.bbc.com/news/technology-42309371

 

Wow.


I'll follow up with our researchers on that specific issue. However if it's the issue I think it is, we can't remove that "keylogger", because it's the actual keyboard driver. So if we removed it, your keyboard would just stop working entirely until you reinstalled that driver. Which is obviously not ideal.

I'm not saying we won't ever detect more keyloggers, just that right now, we don't specifically target all of them. What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

45 minutes ago, dcollins said:

I'll follow up with our researchers on that specific issue. However if it's the issue I think it is, we can't remove that "keylogger", because it's the actual keyboard driver. So if we removed it, your keyboard would just stop working entirely until you reinstalled that driver. Which is obviously not ideal.

I'm not saying we won't ever detect more keyloggers, just that right now, we don't specifically target all of them. What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

Thank you dcollins. That is a good point that you can't and shouldn't remove the keyboard driver, but maybe Malwarebytes can point out that driver has a vulnerability and tell you the directions of how to fix it... hmm. 

Thanks for clarifying that you still want to detect the dropped keyloggers, and Malwarebytes really cares about those. It is nice that the Malwarebytes team is now following up on that specific issue. 

Thanks for listening to us :) 

3 hours ago, dcollins said:

What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

So, if a user is just using Malwarebytes for occasional scans, not using real-time protection, MB gives them no protection ?  A malware could execute, install a keylogger, then delete the installation/malware package, and later scans with MB would never report the existence of the keylogger ?  This seems wrong.

On 1/19/2018 at 1:56 PM, Porthos said:

They get their news from Twitter nowadays. No secrets there.

Truth. 

"xxxxxxxxxxxx destroys xxxxxxxx with one, clap back, annihilating tweet..."

Edited by Cleatus

On 1/19/2018 at 11:35 PM, BillDietrich said:

So, if a user is just using Malwarebytes for occasional scans, not using real-time protection, MB gives them no protection ?  A malware could execute, install a keylogger, then delete the installation/malware package, and later scans with MB would never report the existence of the keylogger ?  This seems wrong.

Our remediation technology doesn't just target the infection that's on your machine, it looks for files that were put in place by the infection as well, so we should be able to remove keyloggers that were put in place from an infection after the fact.
