Does Malwarebytes report all keyloggers ?

[BillDietrich]

Including the ones in some HP trackpad drivers, I think ?  MWB should report all keyloggers as PUPs.  If the user knows they're using a keylogger for work purposes or something, they can ignore the report.

[mrnr1]

I too, am curious.  I recently had a keyboard who's driver was "allegedly"  reporting back to a server, which turned out to be (in my opinion)  standard diagnostic information. It would be awfully convenient to see when a local program  wishes to communicate out, unusually. For example, a driver.  Despite how reputable supposed destination server or protocol.  

[dcollins]

Some keyloggers are not "Potentially Unwanted" as they can be installed by administrators on machines they manage, so we don't want to report "all of them". I'm doing some research around the HP keyloggers to see if we detect them or not, I'll follow up when I have more details.

[David H. Lipman]

In the USA, it is legal for an employer to install software such as key-logging software on the company furnished automated data processing equipment ( aka; ADPE ).  No employee using employer provided systems should have any expectation of privacy.  It also may be legal, albeit with many questions on its application, for a parent to install said software on a dependent child's computer.

However it is illegal to install said software on a rival, boyfriend/girlfriend or other non-family relationship where there is not a parent/guardian relationship.

It is also illegal for a Rental company to install such software as noted in a case again Aarons and other settled by the FTC.

Aaron's Rent-To-Own Chain Settles FTC Charges That it Enabled Computer Spying by Franchisees

 

 

 

Edited December 24, 2017 by David H. Lipman
Spelling, Grammar and Clarification

[dcollins]

Just talked with our researchers, and we don't flag the HP driver as a PUP as it wasn't something malicious. It was simply a driver that got released with debug printing on. The proper solution there is to update the driver to a newer version.

[BillDietrich]

Every case cited here qualifies as POTENTIALLY unwanted.  Report it to the user, and let them decide if this keylogger is legal, authorized by their work IT, not malicious, just a debug driver that got released accidentally, etc.  Report ALL of them to the user.

[biomembrain]

I would like the option of removing the 'legal employer keyloggers' in the options panel. Just because it's legal doesn't mean it's good. The employer should disclose this anyways not to remove these keyloggers, and leave them on the computer as mandatory.

What's the hold up?

[biomembrain]

On 12/14/2017 at 2:56 AM, BillDietrich said:

Including the ones in some HP trackpad drivers, I think ?  MWB should report all keyloggers as PUPs.  If the user knows they're using a keylogger for work purposes or something, they can ignore the report.

Thank you for starting this topic. Lots of people care about this more than you think.

Edited December 31, 2017 by biomembrain

[biomembrain]

On 12/23/2017 at 7:36 PM, dcollins said:

Just talked with our researchers, and we don't flag the HP driver as a PUP as it wasn't something malicious. It was simply a driver that got released with debug printing on. The proper solution there is to update the driver to a newer version.

I would like all keyloggers you know to show up in our quarantine in 2018. That's plain ridiculous. At least as a PuP... give a warning message that it may violate company policy to remove the keylogger. There's many ways of solving these issues. 

[exile360]

I'd prefer all keyloggers be detected as a threat/security risk (not even just PUP) on the grounds that even a legit keylogger, or in the case of the HP issue, an 'accidental' keylogger may at any time be exploited by the bad guys for malicious purposes, and in fact there have been many times in the past where legit keyloggers (commercial keylogging sofware) has been used by malware for this purpose.  An antimalware application should report all threats, regardless of their intended purpose, even if that purpose is supposedly legal/legitimate or benign because what a keylogger does by its very design and nature is a risk to security and privacy for the system and the user no matter who installed it on the system or why.

For scenarios where the IT admin of a business has installed the keylogger, they would likely be the ones who installed Malwarebytes as well so it would be up to them to have already configured their exclusions appropriately to have Malwarebytes ignore any threats/non-default/potentially insecure settings (keyloggers, PUMs etc.), not for Malwarebytes to assume that it might be legitimate use of a keylogger.

Always err on the side of security and privacy, at least that's how I believe it should be.  Let the administrator of the installed Malwarebytes product make the determination of what is 'safe' or benign and what should be detected; do not make assumptions based on specific scenarios or circumstances which might or might not apply to any given situation or user.

At least that's my opinion anyway.

[biomembrain]

10 hours ago, exile360 said:

I'd prefer all keyloggers be detected as a threat/security risk (not even just PUP) on the grounds that even a legit keylogger, or in the case of the HP issue, an 'accidental' keylogger may at any time be exploited by the bad guys for malicious purposes, and in fact there have been many times in the past where legit keyloggers (commercial keylogging sofware) has been used by malware for this purpose.  An antimalware application should report all threats, regardless of their intended purpose, even if that purpose is supposedly legal/legitimate or benign because what a keylogger does by its very design and nature is a risk to security and privacy for the system and the user no matter who installed it on the system or why.

For scenarios where the IT admin of a business has installed the keylogger, they would likely be the ones who installed Malwarebytes as well so it would be up to them to have already configured their exclusions appropriately to have Malwarebytes ignore any threats/non-default/potentially insecure settings (keyloggers, PUMs etc.), not for Malwarebytes to assume that it might be legitimate use of a keylogger.

Always err on the side of security and privacy, at least that's how I believe it should be.  Let the administrator of the installed Malwarebytes product make the determination of what is 'safe' or benign and what should be detected; do not make assumptions based on specific scenarios or circumstances which might or might not apply to any given situation or user.

At least that's my opinion anyway.

I agree with you exile360!

It looks like you really know what you are talking about. I also think that these 'legit keyloggers' can be used by malware too to use this as 'face mask' to cover up the blackhat persona. 

[biomembrain]

I actually see why Malwarebytes doesn't want Keystroke Encryption. They purposely allow 'acceptable keyloggers' to remain wild on your device.

dcollins: 'Some keyloggers are not "Potentially Unwanted" as they can be installed by administrators on machines they manage, so we don't want to report "all of them". I'm doing some research around the HP keyloggers to see if we detect them or not, I'll follow up when I have more details."

I hope no journalists that have certain secrets use this program. The whole structure of the concept of Keyloggers in Malwarebytes is foul.

Edited January 15, 2018 by biomembrain

[Cleatus]

you might as well figure that ANY med-lg place you work at is logging something.  be it  internet, screen shots, how much you use a certain program, etc.

Of course they should have this set in their MWB exclusions so the average user never gets notified.

on the other hand, the HOME version may want to flag more of these to the user.

[biomembrain]

I only wished that the every Malwarebytes staff member cares about this issue about 'allowable keyloggers.' 

This very topic questions the very integrity and trust we can give Malwarebytes as an Anti-Malware provider. 

I am still using Malwarebytes and I am waiting for them to give a good response to this issue. My goodness. 

 

(๑◕︵◕๑)

 

 

[Porthos]

On 1/15/2018 at 8:30 AM, biomembrain said:

I hope no journalists that have certain secrets use this program.

Thet get their news from Twitter nowadays.  No secrets there. 

[dcollins]

33 minutes ago, biomembrain said:

I only wished that the every Malwarebytes staff member cares about this issue about 'allowable keyloggers.' 

This very topic questions the very integrity and trust we can give Malwarebytes as an Anti-Malware provider. 

I am still using Malwarebytes and I am waiting for them to give a good response to this issue. My goodness. 

 

(๑◕︵◕๑)

 

 

Our response has not changed from what was stated earlier in this thread. At this time, we have no plans to change our stance on how we identify keyloggers. If they are malicious, or part of a malicious package, they will be called out as such but legitimate software that functions as a keylogger won't be called out.

[biomembrain]

Please take in account exile360's reply on this topic with the ranking of (exile - 17,355 posts). He / or she seems very knowledgeable of these topics.

At least we have this for open discussion. I really don't agree with Malwarebytes current stance right now, and I hope that Marcin Kleczynski sees this thread. I really admired his Ted talk and made a nice topic about him on these forums.

I see great importance of this topic to keep continuing on.

[David H. Lipman]

Actually Samuel ( exile360 ) is a former Malwarebytes employee.  But not as a Malware Researcher.  I was also a Malwarebytes employee but I was a Malware Researcher.

Keyloggers are in a class of software that is greyware and it is not a Black and white case.  Malwarebytes stance is appropriate.

Everyone has their "opinions" on greyware and HackTools.

[BillDietrich]

33 minutes ago, dcollins said:

legitimate software that functions as a keylogger won't be called out

Only the user can make a judgement about whether a keylogger on their system is "legitimate".  If a keylogger commonly used in many call-centers is present on my computer, but I do not work in a call-center and this is my home computer, the keylogger is not "legitimate".

[biomembrain]

It maybe Greyware but if you think about it, it is an unnecessary possible, 'trojan horse.'

Why would the average home user want a possible trojan horse on their computer when they don't need it? If businesses are using this, what's the point of Malwarebytes business suite of products. I guess that Malwarebytes endpoint protection is not as good as the home edition? 

Why do we want a possible trojan horse. This is such a big vulnerability to exploit. Did you hear about HP laptops that have hidden keyloggers. Does Malwarebytes report this as safe, or is it just a successful trojan horse that HP is only patching and no one else is? 

HP laptops found to have hidden keylogger

http://www.bbc.com/news/technology-42309371

 

Wow.

[dcollins]

I'll follow up with our researchers on that specific issue. However if it's the issue I think it is, we can't remove that "keylogger", because it's the actual keyboard driver. So if we removed it, your keyboard would just stop working entirely until you reinstalled that driver. Which is obviously not ideal.

I'm not saying we won't ever detect more keyloggers, just that right now, we don't specifically target all of them. What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

[biomembrain]

45 minutes ago, dcollins said:

I'll follow up with our researchers on that specific issue. However if it's the issue I think it is, we can't remove that "keylogger", because it's the actual keyboard driver. So if we removed it, your keyboard would just stop working entirely until you reinstalled that driver. Which is obviously not ideal.

I'm not saying we won't ever detect more keyloggers, just that right now, we don't specifically target all of them. What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

Thank you dcollins. That is a good point that you can't and shouldn't remove the keyboard driver, but maybe Malwarebytes can point out that driver has a vulnerability and tell you the directions of how to fix it... hmm. 

Thanks for clarifying that you still want to detect the dropped keyloggers, and Malwarebytes really cares about those. It is nice that the Malwarebytes team is now following up on that specific issue. 

Thanks for listening to us  

[BillDietrich]

3 hours ago, dcollins said:

What we do target is the malware that would drop the keylogger on your machine and prevent the malware from doing that in the first place.

So, if a user is just using Malwarebytes for occasional scans, not using real-time protection, MB gives them no protection ?  A malware could execute, install a keylogger, then delete the installation/malware package, and later scans with MB would never report the existence of the keylogger ?  This seems wrong.

[Cleatus]

On ‎1‎/‎19‎/‎2018 at 1:56 PM, Porthos said:

Thet get their news from Twitter nowadays.  No secrets there. 

Truth. 

"xxxxxxxxxxxx destroys xxxxxxxx with one, clap back, annihilating tweet..."

Edited January 23, 2018 by Cleatus

[dcollins]

On 1/19/2018 at 11:35 PM, BillDietrich said:

So, if a user is just using Malwarebytes for occasional scans, not using real-time protection, MB gives them no protection ?  A malware could execute, install a keylogger, then delete the installation/malware package, and later scans with MB would never report the existence of the keylogger ?  This seems wrong.

Our remediation technology doesn't just target the infection that's on your machine, it looks for files that were put in place by the infection as well, so we should be able to removed keyloggers that were put in place from an infection after the fact.