Testing AntiKeyloggers with Real Keyloggers
To find the best anti-keylogger software and to determine the effectiveness of Zemana AntiLogger, SpyShelter Premium and DataGuard AntiKeylogger, we tested them against 12 different malware samples (7 commercial keyloggers and 5 remote access trojans) that are capable of logging keystrokes and the clipboard, taking screenshots, activating the webcam and capturing audio through a microphone.
- Invisible Keylogger Stealth
- Elite Keylogger
- REFOG Keylogger
- All in One Keylogger
- Revealer Keylogger Pro 2.0.8
- Advanced Keylogger 18.104.22.168
- Award Keylogger Pro 3.3
- Bozok 1.4
- DarkComet 5.3
- CyberGate Excel 22.214.171.124
- Lost Door 8.0.1
- NetWire 1.4c
Zemana AntiLogger and SpyShelter Premium were tested on Windows 8 Pro 32-bit, while DataGuard AntiKeylogger was tested on Windows 7 Ultimate 32-bit because it does not support Windows 8. All Windows installations were fully updated at the time of testing.
In the interest of getting the fairest and most accurate results, we used disk imaging to restore Windows to the same state after each test. This rules out conflicts between samples and guarantees that each protection module is tested in exactly the same Windows environment. For example, Zemana was installed and the keystroke test was performed for Invisible Keylogger Stealth; the system was then reset and Zemana installed again for the Invisible Keylogger Stealth install test, and so on…
Test Notes for Zemana AntiLogger
1. Zemana seems to have a serious bug where all modules must be enabled for the protection to be active. For example, if Anti-ScreenLogger is enabled but Anti-KeyLogger is disabled, the attacker can still capture your screen; once Anti-KeyLogger is turned on as well, Zemana detects the screen capture. The same thing happened when only System Defense was enabled and the rest of the protection modules were disabled: the keylogger was able to install without Zemana detecting any injection. So if you’re using Zemana AntiLogger, make sure that all protection modules are enabled.
2. Some people claim that Zemana AntiLogger doesn’t work on 64-bit (x64) Windows. We were curious to find out whether this is true, so we activated keystroke logging from Revealer Keylogger Pro on Windows 7 Ultimate 64-bit, and Zemana AntiLogger instantly blocked the action and displayed its security alert popup.
3. Other than the behavior-based protection, Zemana AntiLogger offers an additional layer called IntelliGuard Cloud, which checks the files you are about to run against Zemana’s servers to determine whether they are safe and automatically blocks known malicious files.
Test Notes for SpyShelter Premium
1. SpyShelter’s alert window hung a few times when detecting suspicious logging activity.
2. SpyShelter’s System Protection (HIPS) is very sensitive, notifying you of any activity with an alert popup. This is because the “High security level” option is selected by default to offer better protection, rather than the medium security level, which produces fewer alerts.
3. There is an option in Settings to allow or prevent SpyShelter from being terminated via Task Manager. Although it was not possible to terminate SpyShelter’s process from Task Manager after unchecking the checkbox, we were still able to kill the process using a third-party process management tool, Process Explorer.
Test Notes for DataGuard AntiKeylogger
1. DataGuard AntiKeylogger was last updated in March 2011 and does not work on Windows 8. Even the links to purchase a license via Plimus are unavailable.
2. When DataGuard detects malicious activity such as keystroke logging, it automatically adds the process to the “Auto-detected modules” list, which blocks the other monitored logging activities for that process. However, if the program is digitally signed, the activity is allowed. Certificate checking can be disabled in the program’s Advanced Options.
3. DataGuard adds Explorer.exe to Auto-detected modules, causing Windows Explorer to crash.
The table below shows the detection result for each logging behavior from all 12 keylogger programs. A red “NO” means that the logging behavior was not detected, while a blue “YES” means that it was detected by the anti-keylogger.
* Unable to Test. Zemana kept on detecting injection.
** YES (Even without Install & Startup)
As you can see from the test results above, none of them is perfect at detecting every attack method, but SpyShelter and Zemana came close.
We found that it’s possible to evade detection by these anti-keyloggers by not automatically adding the keylogger itself to Windows startup and by making sure that the malware does not activate an offline keylogger. This allows the attacker to gain one-time access, disable or tamper with any running security software, and then manually add a startup entry for the malware. During that time, the attacker can also download files from your hard drive with the file manager found in most remote access tools. This is when you will need file encryption to keep your important files safe.
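The evasion described above ends with the attacker adding a startup entry by hand after the security software has been disabled. A defensive counterpart is to keep a baseline of the autostart locations and diff it on a schedule. The script below is an added example, not part of the original article or of any of the reviewed products: it parses the text output of Windows’ `reg query` command for the Run keys (the two snapshots embedded in it are constructed samples), reports entries that were added, changed or removed since the baseline, and flags commands that launch from temporary or public directories. The path hints and the sample entry names are assumptions chosen for illustration.

```python
"""Baseline-and-diff check for Windows Run-key autostart entries.

Added example (not from the original article). Collect real snapshots with:
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and feed the saved text to audit(). The snapshots below are constructed.
"""
import re
from dataclasses import dataclass

# One value line of `reg query` output looks like:  <name>  REG_xx  <data>
# (columns separated by runs of spaces; the key name has no indentation).
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Heuristic only (assumption): launch paths under these directories are
# unusual for legitimate autostart entries and deserve a closer look.
SUSPICIOUS_PATH_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\$recycle.bin\\")

HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline snapshot taken right after a clean install.
BASELINE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Constructed later snapshot: one entry was added by hand, pointing into Temp.
CURRENT_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsUpdate    REG_SZ    "C:\Users\alice\AppData\Local\Temp\updater.exe" -silent
"""


@dataclass(frozen=True)
class Finding:
    location: str   # registry key the entry lives under
    name: str       # value name of the autostart entry
    command: str    # command line that would run at logon
    kind: str       # "added", "changed" or "removed" relative to the baseline


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    entries = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            current_key = line.strip()
            entries.setdefault(current_key, {})
            continue
        match = VALUE_LINE.match(line)     # indented line: a value under the key
        if match and current_key is not None:
            entries[current_key][match["name"]] = match["data"].strip()
    return entries


def diff_autostart(baseline, current):
    """Compare two parsed snapshots and list every entry that differs."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                findings.append(Finding(key, name, new[name], "added"))
            elif name not in new:
                findings.append(Finding(key, name, old[name], "removed"))
            elif old[name] != new[name]:
                findings.append(Finding(key, name, new[name], "changed"))
    return findings


def is_suspicious(finding):
    """Flag new or altered entries whose command launches from an odd location."""
    command = finding.command.lower()
    return finding.kind != "removed" and any(h in command for h in SUSPICIOUS_PATH_HINTS)


def audit(baseline_text, current_text):
    """Parse both snapshots and return the list of differences."""
    return diff_autostart(parse_reg_query(baseline_text), parse_reg_query(current_text))


if __name__ == "__main__":
    for f in audit(BASELINE_REG_QUERY, CURRENT_REG_QUERY):
        tag = "SUSPICIOUS" if is_suspicious(f) else "review"
        print(f"[{tag}] {f.kind:8} {f.location}\\{f.name} -> {f.command}")
```

Run against a real pair of saved `reg query` outputs, the script turns a manually added persistence entry into a visible diff regardless of whether the anti-keylogger was running at the time. The path heuristic is deliberately narrow; an entry that is flagged only as "review" still deserves a look at the binary it points to, since a signed or well-named file is no guarantee of legitimacy (compare the DataGuard note above about signed programs being allowed).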