GeSWall Blocks Martin’s Undetectable Keylogger

06/15/06 Posted by geswall

Martin’s Keylogger is a passive keylogger or, more precisely, a key listener.
It polls the keyboard state in a loop and records whichever keys are pressed at the moment of each poll. While this keylogger may not recognize a letter’s case and misses keys that are pressed too fast, it doesn’t interact with other system components and doesn’t load DLLs or drivers. This makes Martin’s keylogger usually undetectable by solutions aimed at keylogger prevention.

GeSWall’s access control policy prevents isolated applications from obtaining the keyboard state. Therefore, isolated applications cannot poll the state of pressed letters, digits and special symbols, while they can still receive the non-critical information required for their functionality, such as Ctrl, Alt, arrows and mouse clicks.

Note: Martin’s Keylogger does not require administrative privileges and can log the keys pressed in the current session of any user, even a restricted one.

GeSWall Personal Edition 2.3 is out

06/14/06 Posted by geswall

Link: http://www.gentlesecurity.com/download.html

The new version is more stable and faster. It has an improved application rules engine for better performance, extended logging, and enhanced support for Microsoft Office Outlook, Word, Excel and PowerPoint. GeSWall now blocks silent passive keyloggers, e.g. Martin’s keylogger.

Additionally, this version fixes various GeSWall Management Console bugs and introduces the GeSWall context button. The button gives easier access to GeSWall options such as restarting an application as non-isolated and customizing the look of an isolated window.

I set the ‘Do not ask again’ check box. How do I start applications as non-isolated?

06/01/06 Posted by geswall

There are two options. First, you may restart the chosen isolated application as non-isolated from the caption context menu.

Note: a restart is required because an isolated application cannot simply be switched to the non-isolated state without a security breach.

Second, you can enable the pop-up dialogs again with the following steps:
1) Open GeSWall Console from the Programs\GeSWall\GeSWall Console menu of the Start button.
2) Go to the "Applications" folder.
3) Select the application for which you have disabled the pop-up.
4) Right-click it and choose the Properties menu item.
5) Set "Security Level" from "Trusted, auto-isolation" to "Trusted" and press OK.

GeSWall Stops Trojan.KillXP

05/30/06 Posted by geswall

Trojan.KillXP stops and deletes Internet Connection Firewall, Windows Automatic Update, System Restore and some other services. GeSWall stops this attack by preventing access to the Service Control Manager.

GeSWall access control log entries:
xpkiller.exe DENY access to SERVICE OBJECT\SharedAccess (SystemObject)
xpkiller.exe READONLY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\ALG (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\wuauserv (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\srservice (SystemObject)

Note: Trojan.KillXP poses no threat when run on behalf of a non-administrative user account.

GeSWall Blocks Trojan.KillDisk

05/25/06 Posted by geswall

Link: http://wilderssecurity.com/showpost.php?p=755854&postcount=23

Trojan.KillDisk is a dangerous trojan that badly damages the disk content. GeSWall’s access control policy stops it by denying low-level write access to the disk.

GeSWall access control log entries:
Test.exe REDIRECT access to \Device\Harddisk0\DR0 (File)

Note: Trojan.KillDisk poses no threat when run on behalf of a non-administrative user account.
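
The following Python is an added example, not part of the original posts or of GeSWall. It parses access control log entries in the layout shown in the two listings above (a layout inferred from those samples) and flags a process that was denied on several service objects or blocked from a raw disk device. The function names and the `service_threshold` value are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the two posts above; the field layout is inferred
# from these samples, not from GeSWall documentation.
SAMPLE_LOG = r"""
xpkiller.exe DENY access to SERVICE OBJECT\SharedAccess (SystemObject)
xpkiller.exe READONLY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\ALG (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\wuauserv (SystemObject)
xpkiller.exe DENY access to SERVICE OBJECT\srservice (SystemObject)
Test.exe REDIRECT access to \Device\Harddisk0\DR0 (File)
"""

ENTRY = re.compile(
    r"^(?P<process>\S+)\s+(?P<verdict>[A-Z]+)\s+access to\s+"
    r"(?P<target>.+?)\s+\((?P<kind>\w+)\)\s*$"
)
SERVICE = re.compile(r"^SERVICE OBJECT\\(?P<name>.+)$")
RAW_DISK = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$", re.IGNORECASE)

def parse(log_text):
    """Yield one dict per well-formed entry; skip lines that do not match."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def triage(log_text, service_threshold=3):
    """Map process name -> list of findings worth an analyst's attention."""
    denied_services = defaultdict(set)
    findings = defaultdict(list)
    for e in parse(log_text):
        svc = SERVICE.match(e["target"])
        if svc and e["verdict"] == "DENY":
            denied_services[e["process"]].add(svc.group("name"))
        elif e["verdict"] in ("DENY", "REDIRECT") and RAW_DISK.match(e["target"]):
            findings[e["process"]].append("raw-disk access: " + e["target"])
    # One denied service may be noise; several distinct ones is a pattern.
    for proc, names in denied_services.items():
        if len(names) >= service_threshold:
            findings[proc].append(
                "denied on %d services: %s" % (len(names), ", ".join(sorted(names))))
    return dict(findings)

if __name__ == "__main__":
    for proc, notes in triage(SAMPLE_LOG).items():
        print(proc, "->", "; ".join(notes))
```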
