Windows 7 Forums
Windows 7: GuardedID

26 Sep 2009   #1
TOF

Microsoft Windows 7 Professional X64
GuardedID

Anyone try out this software yet? I like the fact that it works well with most desktop applications and browsers. It even works with Roboform when typing the master password. I know that Roboform has a virtual keyboard, but with this application you can just use a regular keyboard and your password is encrypted. I just got it and it seems to work very well. Anyone else tried it?

GuardedID® – Next Generation Security - Keylogger Protection, Keystroke Encryption, Anti Keylogger

26 Sep 2009   #2
H2SO4

Win7x64

It must be good! Armand Assante says "I wouldn't use my computer without GuardedID", and he's doing Blue Steel while he says it.

First, I don't work for that company, its competitors, or anybody in that industry. Hence, my comments will be free from commercial bias, if not free from personal prejudice. I've never used the product, and up until 90sec ago I'd never heard of it either.

Having said that, in my opinion the product is far more marketing than substance. This is based on their architecture diagram: http://www.guardedid.com/images/GID_Graphic_r2.gif

As presented, the operation of the product can be summarised as replacement of the standard keyboard driver with an alternative which communicates with an in-app plug-in via a secure 128-bit SSL channel. Good enough. No malware is going to bother doing on-the-fly brute force crypto attacks to compromise that secure link.

What they don't mention is that just as they've replaced the keyboard driver and/or "layered" themselves above or below it in the keyboard hierarchy, so too can any malicious driver that finds itself on the system do the same to the GuardedID driver. In kernel-mode, all drivers are equal in terms of privilege. Each of them can implant itself in such a way as to inspect info being passed to or from any other driver. Hence, assuming an infected machine (why else use the product?), it is relatively trivial for the malware driver to simply go through this decision:

IF ( GuardedID detected ) THEN { layer myself underneath it }

The malware driver gets each stroke first, records it, then dutifully passes it on to the GuardedID driver so the (by now utterly pointless) work of spending processor cycles on keystroke encryption and decryption can commence.

Up at the application layer, their driver's encrypted messages are received and processed by the driver's counterpart component whose job is decryption. Should any malware manage to infiltrate the (say) browser process, it can simply wait until after the keystroke is decrypted to grab it in plain text.

Some of their other marketing "heifer dust" comments are downright misleading too:

- "Eliminates time-consuming hard disk or memory scans." No, it does nothing of the sort, given it does not replace anti-virus software or make it redundant.

- "Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.

- "CryptoColor - visually displays all browser encrypted fields." It cannot do that, for the simple reason that it really has no idea what happened to the data within the browser process after it was decrypted, or underneath its driver.

The fundamental problem is that they're aiming to fight against malware which is already on the machine and running with administrative privileges - as a driver no less. From a security theory standpoint, that's a nonsense.

Still, it's relatively cheap, and if you don't mind sacrificing a bit of performance (for its SSL tunnel), it'll probably make the box a little more secure against some forms of malware which are not aware of its presence. It is certainly not the security panacea touted by the marketing department.
26 Sep 2009   #3
TOF

Microsoft Windows 7 Professional X64

The product is endorsed and used with Trend Micro Internet Security Pro 2010. They have a free "standard" version that can be upgraded to a fully featured version with a subscription. I chose to get it through the Strikeforce website though because they offer two licences for one key for only a few more bucks. Trend Micro's offer is only good for one computer.

The "white page" as they call it will dispel some of your ideas about the product. http://www.guardedid.com/pdf/Guarded...e%20paper4.pdf

The idea around this product is to create a secure separate path so that key loggers cannot capture any text that can compromise security. The software self monitors itself for unauthorized changes as well. The product doesn't attempt to detect key loggers. It leaves that to the security software to do. Security software can't remove a keylogger until it is discovered so GuardID prevents the key logger from being successful in the mean time.
26 Sep 2009   #4
H2SO4

Win7x64

I'm happy that you're happy with your purchase.

Quote: Originally Posted by TOF

The "white page" as they call it will dispel some of your ideas about the product. http://www.guardedid.com/pdf/Guarded...e%20paper4.pdf

The idea around this product is to create a secure separate path so that key loggers cannot capture any text that can compromise security. The software self monitors itself for unauthorized changes as well. The product doesn't attempt to detect key loggers. It leaves that to the security software to do. Security software can't remove a keylogger until it is discovered so GuardID prevents the key logger from being successful in the mean time.

A keylogger which was GuardedID-aware wouldn't need to crack the SSL tunnel, nor would it need to somehow modify the GuardedID modules. It would simply insert itself below or above the new tunnel, and thus grab the keystrokes in clear text.

This falls into a particular class of "wishful thinking" security software which aims to do battle with malware that is already on the machine with full admin rights. Sometimes it'll work, and sometimes it won't - mostly against newer malware which is aware of the obstacle and knows how to avoid it. Hence, it's a small improvement on no keylogger protection at all, but it's not nearly as good as focusing all efforts on staying malware-free in the first place.

Once a box has been pwned, all bets are off. A full nuke+reinstall is the only way to be sure that no backdoors have been left behind. You're a braver person than I if you'd contemplate accessing your internet banking site, confident in the knowledge that GuardedID will manage to defeat that malware driver down in kernel-mode.

Happy slightly-more-secure-but-slower computing.
26 Sep 2009   #5
TOF

Microsoft Windows 7 Professional X64

Not all computers are laced with malware. However, Strikeforce claims that no key logger can get personal info with their technology, so a compromised computer is guarded against key loggers at the kernel level. This software is being sold in an enterprise package for deployment into corporate facilities such as banks and the government as well, so it must be an effective tool when it comes down to identity theft.

Here is another interesting read that I found from GuardedID. It is the top 10 secrets that hackers don't want you to know: http://www.sftnj.com/products/pdf/toptensc.pdf
26 Sep 2009   #6
TOF

Microsoft Windows 7 Professional X64

Quote: Originally Posted by H2SO4

- "Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.

It seems that they are already aware of this and have it covered, as they say: "GuardedID constantly monitors the keyboard device driver stack to detect un-trusted drivers (which could potentially be keyloggers). If an un-trusted driver is discovered, GuardedID warns the user by showing the "Unknown Driver Warning" dialog. The name of the suspect driver is displayed in the dialog. The GuardedID state indicator will turn orange instead of green to indicate warning. Details are logged into the event log which can be viewed." So not only does GuardedID monitor the keyboard device driver stack, but it monitors itself as well as a defense.
26 Sep 2009   #7
TOF

Microsoft Windows 7 Professional X64

Here is a link to Trend Micro Freebies where anyone can try the standard version out.

Trend Micro Free Tool Center
26 Sep 2009   #8
H2SO4

Win7x64

Quote: Originally Posted by TOF

Quote: Originally Posted by H2SO4

- "Protects against 'NEW' and 'EXISTING' keyloggers." No, as per the rant above, a GuardedID-aware keylogger would make mincemeat of it.

It seems that they are already aware of this and have it covered, as they say: "GuardedID constantly monitors the keyboard device driver stack to detect un-trusted drivers (which could potentially be keyloggers). If an un-trusted driver is discovered, GuardedID warns the user by showing the "Unknown Driver Warning" dialog. The name of the suspect driver is displayed in the dialog. The GuardedID state indicator will turn orange instead of green to indicate warning. Details are logged into the event log which can be viewed." So not only does GuardedID monitor the keyboard device driver stack, but it monitors itself as well as a defense.

Thanks for an interesting discussion.

So GuardedID (GID from now on) "constantly monitors the keyboard device driver stack to detect un-trusted drivers"? Do you believe that statement is compatible with this previous one: "Eliminates time-consuming hard disk or memory scans"?

Also, how effective do you think GID's "monitoring" is going to be, given it has no regularly-updated definitions database? It might be effective against known keyloggers the day it's released, but what about a week later? How will it detect a new, GID-aware keylogger driver which was made after GID with full knowledge of how GID "monitors"?

How will it detect user-mode malware which grabs the keystrokes after they've been decrypted?

I'm not questioning the integrity of their SSL tunnel. No malware author in their right mind is going to try to attack that "secure pipe" between the kernel-mode and user-mode GID components. What they'll do is to simply bypass it, "Maginot Line" style. Once you're aware of a static and immutable obstacle, you can go around it.

Without intending to sound cynical, just because something is being "sold in an enterprise package for deployment into corporate facilities" doesn't necessarily mean it's effective.
26 Sep 2009   #9
Mercurial

Windows 7 32bit RTM

lawl @ this
26 Sep 2009   #10
TOF

Microsoft Windows 7 Professional X64

Why would it need to be updated on a regular basis? It's a patented encrypted tunnel from the keyboard to the application. The software doesn't need to update any definition list because all it has to do is check and see if the drivers are signed by Microsoft or not. If it's not signed, it will send out a warning.

I read an old review from 2007 from an editor who stated that it didn't protect information on the clipboard, so I don't know if that has changed since. But what security software is 100%? This software together with a good security suite will go a long way.
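The two posts above (#6 and #10) describe the product monitoring the keyboard driver stack and warning about drivers that are not signed by a trusted party. As an added example, not code from this thread, GuardedID or StrikeForce, here is a defender-side script that does that check by hand on a Windows box: it lists the keyboard class upper/lower filter drivers (the layers an extra filter driver registers in), resolves each one's image file and reports its Authenticode status and signer, then lists the per-device keyboard drivers Plug and Play knows about. It assumes Windows with PowerShell 3.0 or later in an elevated session; the registry paths, class GUID and cmdlets are the standard ones.

```powershell
# Added example (not code from the thread, GuardedID or StrikeForce): enumerate the
# keyboard class filter-driver stack and report each driver image's Authenticode status
# and signer, plus the per-device keyboard drivers Plug and Play reports.
# Assumes Windows, PowerShell 3.0+ and an elevated session.
$KeyboardClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ServicesKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a driver service's ImagePath value into an absolute file path.
function Resolve-DriverImage {
    param([string]$ServiceName)
    $svc  = Get-ItemProperty -Path (Join-Path $ServicesKey $ServiceName) -ErrorAction SilentlyContinue
    $path = if ($svc -and $svc.ImagePath) { [string]$svc.ImagePath } else { "System32\drivers\$ServiceName.sys" }
    $path = $path -replace '^\\\?\?\\', ''                           # strip a "\??\" prefix
    $path = $path -replace '^\\?SystemRoot\\', "$env:SystemRoot\"    # "\SystemRoot\System32\..."
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }  # "System32\..."
    return $path
}

# One row per class-level upper/lower filter driver with its signature status and signer.
function Get-KeyboardFilterReport {
    $class  = Get-ItemProperty -Path $KeyboardClassKey
    $layers = @()
    foreach ($n in @($class.UpperFilters)) { if ($n) { $layers += @{ Layer = 'UpperFilter'; Service = $n } } }
    foreach ($n in @($class.LowerFilters)) { if ($n) { $layers += @{ Layer = 'LowerFilter'; Service = $n } } }
    foreach ($l in $layers) {
        $image  = Resolve-DriverImage $l.Service
        $sig    = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'FileNotFound' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{ Layer = $l.Layer; Service = $l.Service; Image = $image; Status = $status; Signer = $signer }
    }
}

# Per-device keyboard drivers (function drivers such as i8042prt or kbdhid) with PnP's own signer info.
function Get-KeyboardDeviceDrivers {
    Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceClass -eq 'KEYBOARD' } |
        Select-Object DeviceName, DriverProviderName, IsSigned, Signer, InfName
}

Get-KeyboardFilterReport  | Format-Table -AutoSize
Get-KeyboardDeviceDrivers | Format-Table -AutoSize
# A filter whose Status is not 'Valid', or whose Signer you do not recognise, deserves a look.
# A clean list only covers drivers that registered here; it says nothing about code that
# hooks the stack without a registry entry, or about user-mode hooks after decryption.
```

The caveat in the last comment is the point H2SO4 makes in post #8: a registry walk and signature check catch drivers that register normally, which is exactly what a stack-aware keylogger would avoid doing.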