The title I gave this really represents just one example of a broader question about Automatic Program Control (APC).
APC is turned on by default. The help files talk about things you can do if you turn off APC, because that in turn allows Advanced Events Monitoring (AEM) to be configured for various items including Key Logger Monitor, Program Launch, Code Injection and six other elements. But from the writeup it's not clear whether this means that certain kinds of detection (with keylogging being one of high interest to me) are completely inactive when APC is turned on...or whether such protections are still there, but without user customization options and interaction requirements (e.g., response to alerts) that would be there when APC is turned off.
I assumed that, say, threats like malicious (or possibly malicious) keylogging would probably still be detected and removed by NIS even with the default setting of APC turned on (and thus AEM turned off). So I searched through the forum archive for threads about keyloggers. Judging from the self-described level of expertise in threads where users cited a keylogger detection (with at least one case where there was specific reference to APC & AEM), I doubt many of these people had turned off APC. This seemed to validate my assumption that it is NOT necessary to turn off APC and be bombarded with alerts to receive at least some level of automatic protection from, say, keylogging.
But just as I thought I had this issue put to bed, I ran across this 10-3-2008 comment from Dieselman743 in the thread "Is ThreatFire Compatible with NIS 2009?" ( http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=10484&view=by_date_ascending&page=2 ):
"Norton is set at a default setting for newbies and click happy people. Anyone who wants full control of what your firewall is doing should select it to off. Also when it's off all the other options such as keylogging are active."
After reading that, the question is back. This comment makes it sound as if NIS will not attempt to detect keyloggers unless the user turns off APC. Is this correct? And does the answer perhaps differ between realtime and on-demand-scan for some of the protections?
EDITED primarily for some instances where I reversed "Off" and "On" when talking about APC. But it should have been clear from the context, anyway.