Keylogger Test Results - Symantec We Have A Problem

Having responded to a thread poster's issues with a suspected keylogger, I thought I would test out NIS 2011's keylogger blocking capability myself. I also downloaded and installed Zemana's product for comparison.

Next I downloaded AKLT and renamed it. I didn't want to be responded to again that, since Norton's Insight allowed the download, its leaktest results would be allowed.

I fired up the renamed AKLT and tested what Zemana would catch. Zemana stopped AKLT dead in its tracks. It wouldn't even allow the program tests to start. Impressive indeed.

Next, I disabled Zemana and started the NIS 2011 tests with the renamed AKLT program. Guess what? It failed every test: the 6 keylogger tests plus the two screen capture tests.

BTW - I did use the correct methodology here. I minimized AKLT and opened IE8 for each test, thereby giving separate window focus, and proceeded to enter data in my browser's search bar.

Based on this test, I would have to say NIS 2011 doesn't protect you at all against keyloggers.

As SendOfJive says, it's not a malicious program. It's a testing tool.

Do you think that an AV should detect every single tool?

And how could you draw a conclusion that NIS does not protect you because it does not block a tool from running?

If you upload the file to VirusTotal you will see that 70% of the AV products do not detect it as a problem.

6 out of 43 detect it as a "leaktest" and 6 detect it as either a "suspicious" file or a false positive.

Out of all the AVs testing this file, do you feel that 70% of them are wrong?

Dave

Edit: here is the test result.

http://www.virustotal.com/file-scan/report.html?id=fdbb91d383615b64e6abaf327d1ec5567f3289657197faacbc57ced90f975b7f-1299074867

SendofJive,

Yes, turning off Automatic Program Control and turning on Advanced Events Monitoring allowed NIS 2011 to catch it. However, Automatic mode is the normal method to run NIS, is it not? I am not convinced that Auto mode allowed the renamed AKLT to execute because it considered it a "safe" application.

Also going through my settings in Advanced Events Monitoring gave me something else to worry about. I saw that code injection was allowed there for csrss.exe?

Hi donziehm,

Various firewall tests, including leak tests, are allowed through when Automatic Program Control is enabled. They are basically demonstrations with no actual malicious content and so, yes, they are permitted. This is why you need to use Advanced Events Monitoring for testing purposes. Note that programs that are known to be threats, or that otherwise appear to be engaged in malicious activity, are blocked by Automatic Program Control. The fact that this mode recognizes tests and does not respond to them is not indicative of how the firewall reacts when dealing with the real thing.

Kind of like the Devil saying, "Believe me son, I will take care of you."