Protection against keylogging
Keylogging makes it possible for a hacker to capture all of a user’s keystrokes in order to steal passwords, confidential data, etc. These are targeted applications.
SES Evolution prevents foreground applications from sending their keystrokes to other applications. However, it can receive its own keystrokes.
For more global protection against any use of the SetWindowsHookEx API, enable protection against application hooking instead. For more information, refer to Protection against various threats and Configuring threat protection.
EXAMPLE
You can use this protection to block keylogging on web browsers, password managers, and the Windows file explorer. Allow them only for legitimate applications such as virtualization and remote control tools.
An application identifier must be created beforehand for every application to be protected and for every application allowed to log keystrokes. For more information, refer to the section Creating application identifiers.
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the Application > Keylogging tab.
- If you are in read-only mode, click on Edit in the upper banner.
- Click on Add a rule (Keylogging).
A new row appears. - Click on in the application ID area and select the application(s) to protect.
Add Internet Explorer, Windows Explorer and password manager for example. - In the Status field in the Default behavior area, choose what you want the protection rule to do:
- Allow to allow the action by default,
- Block to block the action by default,
- Block and kill to block the action by default, and shut down the process that launched the action.
- Block, kill and quarantine to block the action by default, kill the process that triggered the action, and quarantine suspicious files. For more information, see the section Managing file quarantine.
- Click on + Add a specific behavior and choose the application(s) that you want to allow.
Add applications that legitimately log keystrokes, e.g., remote control tools, and in the Status, select Allow so that the protection will allow these applications.
- In the upper banner in the rule, you can:
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies. - Indicate whether the rule must generate a context when it is applied. By default, if a rule generates Emergency or Alert logs, it will generate a context, but you can disable this feature.
- Select the log settings that this rule will send.
- Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
- Enter a description to explain what this rule aims to achieve.
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.