Spydex.com

Jan 7th, 2009, 12:51am
Spydex, Inc. Forum > Spydex Software > Advanced Anti Keylogger (Moderator: Eric)
Topic: AAK w/ RAID Disc Configs + Norton Ghost (Read 993 times)
Brian
Spydex, Inc. Forum Newbie
Posts: 2
AAK w/ RAID Disc Configs + Norton Ghost
« on: Aug 31st, 2006, 9:11pm »

Hello:
 
Has anyone tried the AAK product under an IDE RAID1 configuration?
 
I am trying to install AAK (trial version) under MS/XP Pro SP2 on a computer that is configured with a Promise Technology FastTrak TX4000 IDE RAID1 setup using four 250 GB drives configured as two mirrored arrays, and I've run into several install problems that others with similar configurations should review before attempting the install.
 
 
Here's my situation -- maybe someone can advise.
 
After installing the software and a reboot late last night, as the OS was loading the various drivers, AAK began to automatically identify various drivers that monitor keyboard activities (such as Logitech's iTouch).  Its behavior indicated that it was in high security mode, and in this mode there didn't seem to be a way to bypass / defer its automatic classification of the questionable drivers that AAK encountered.  Therefore, I decided to reboot mid-install and attempt to switch to Custom Security Mode so as to be able to provide direction to AAK's driver classifications.  I strongly recommend that AAK be modified so that it starts up in Custom Security Mode during the initial install, or at least that an option flag be available to set this mode during invocation.
 
I was able to switch to Custom Security Mode successfully (although it was a real trick trying to bring up the login screen and enter my way-too-long master password with AAK all the while attempting to classify newly discovered drivers....), and in this mode I was able to reclassify the drivers that AAK had previously restricted as well as to provide guidance to AAK's alerts on how a newly discovered driver should be classified.  Everything was going great until it asked about an "unknown kernel driver" -- which I instructed AAK to exclude.
 
My mistake!  I guess I had been at the computer for too long and wasn't thinking straight.  My recommendation to others is to initially classify all drivers / files that AAK discovers to be questionable as OK, and then to review the list and reclassify the files that one cannot specifically identify.
 
At that point AAK informed me that the system required a reboot (because the file was a kernel-level file).  A reboot began, and the Promise RAID BIOS driver then notified me that the primary array was in CRITICAL status.  A review of the array status indicated that drive 1 of array 1 was no longer part of the array.
 
At this point my choices are to:
1) proceed with the OS boot using the drive 2 mirror of drive 1 in array 1.
2) rebuild drive 1 from the drive 2 mirror.
 
I've decided to rebuild.  It should take about 2 hours.  It should be interesting to see the state of the OS.
 
So I am VERY interested in what exactly happened to the kernel-level file when AAK was instructed to prohibit it.  Was the file deleted? Moved?  A status bit changed?
 
Am I correct in thinking that AAK's prohibit works only at the file level rather than at the sector or cluster level?  That AAK doesn't mess with the Master Boot Record (MBR) or other disc-level attributes?
 
 
Here are some additional questions:
 
Assuming that I am able to successfully install AAK, would AAK allow me to clone the drive using Norton Ghost?  I clone my RAID arrays to a set of spare drives as an additional data backup source.  Norton Ghost can be run as either a Windows app or as a DOS app.  I would think that AAK shouldn't prevent Norton Ghost from working, but since these types of programs work at a low level, I thought I'd bring the question up for discussion.
 
Thanks,
-Brian-
Brian
Spydex, Inc. Forum Newbie
Posts: 2
Re: AAK w/ RAID Disc Configs + Norton Ghost
« Reply #1 on: Aug 31st, 2006, 11:19pm »

Hi Everyone:
 
Status update:
 
The rebuild worked, and I was able to invoke AAK and configure all alerts to accept.  I'm actually surprised that it did boot -- I was expecting that the changes applied to the primary drive would have been immediately copied to the mirrored drive.
 
Now on to the analysis of the questionable drivers.  I am concerned about the unknown kernel module issue -- is it really an artifact of the Promise RAID, or is it something else?  I am particularly worried, for I began this adventure with a spyware scan that indicated that my system was being keylogged.  I've run PCTools Spyware Doctor and it found the trojan "Ikitek Key Logger" plus some other less nasty invasions.  Might this kernel file have been influenced by, or be a remaining part of, one of my nasties?
 
Without knowing more about what happens to a file or to the system when a user selects "Prohibit", I can't say what might have happened.  All I know is that after AAK informed me that I needed to reboot, and I rebooted, the primary drive wouldn't boot and was recognized as bad by the RAID BIOS boot driver.  It could be the case that the kernel file is actually malware, and that when the kernel file was "Prohibited", the malware trashed the drive somehow (it doesn't take much) before exiting.
 
Is detailed technical support available?  I can send Spydex the reports from Spyware Doctor + snapshots of all the currently running processes and all the things that the system auto loads using some tools from SysInternals.
 
Unfortunately, AAK doesn't tell me where this unknown kernel module is located, or what its name is, or anything!  Very hard to debug.  Can you guys help?
 
Here's another little issue that I've found while working with your product:  I have AAK in OFF mode with the GUI dialog box displayed and the preference options set & saved so that security protection is disabled and set to stay disabled upon reboot.  I invoke an XML editor, oXygen (www.oxygenxml.com), which seems to perform key mapping (one can specify key shortcuts, for example), and AAK alerts me that this program is questionable and (as I am in the Custom mode) offers for me to Allow or Prohibit.  I was under the impression that AAK was truly "off" when OFF mode was selected, but this does not seem to be the case; rather, AAK is reviewing in real time any new file invocations.  Thoughts?
 
Thanks,
-Brian-
Eric
Spydex, Inc. Forum Moderator
Spydex, Inc. Forum Senior Member
Posts: 263
Re: AAK w/ RAID Disc Configs + Norton Ghost
« Reply #2 on: Sep 1st, 2006, 5:36am »

on Aug 31st, 2006, 11:19pm, Brian wrote:
Is detailed technical support available?  I can send Spydex the reports from Spyware Doctor + snapshots of all the currently running processes and all the things that the system auto loads using some tools from SysInternals.

 
Yes, sure you can email all available info to <support@spydex.com> for our examination.
 
 
About your unknown kernel driver:
--------------------------------
To examine this driver we need some info about installed drivers of other applications on your computer so can you do the following:
 
1) Download the special utility below and unpack it to a temporary folder. You should get three files: aakahl.sys, aakinfo.exe and start.bat.
 
http://www.anti-keylogger.net/aak_export/aak-info.zip
 
2) Run the start.bat file within your temporary folder.
 
3) The utility will generate an aakinfo.txt file in which all installed drivers are listed.
 
4) Email us this aakinfo.txt file (as attachment) for our examination.
 
 
About alert from disabled AAK:
-----------------------------
That is definitely a program error. We will fix this error in the next program versions.
 
Thank you very much for the feedback.
« Last Edit: Sep 1st, 2006, 5:37am by Eric »

Eric Nilsson
Spydex Inc.
Security Software Developer
---------------------------
http://www.spydex.com
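The driver inventory Eric's utility produces can also be built by hand, which helps with Brian's complaint that AAK does not say where the unknown kernel module lives. The PowerShell script below is an added example, not the Spydex aak-info utility or any Spydex code: it walks the Services registry hive, keeps only kernel and file-system drivers, resolves each image to a file on disk and reports its Authenticode signature status, so an unnamed driver can be matched to a path and checked before deciding whether to prohibit it. It assumes a current Windows PowerShell and only reads the registry; it changes nothing.

```powershell
# Added example (not the Spydex aak-info utility): inventory installed kernel
# and file-system drivers from the Services hive, resolve each driver image to
# a path and report its Authenticode signature status.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot = $env:SystemRoot

function Resolve-DriverPath {
    param([string]$ImagePath, [string]$Name)
    # ImagePath may be absent (default is System32\drivers\<name>.sys),
    # relative to the Windows directory, or prefixed with \??\ or \SystemRoot\.
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return Join-Path $sysRoot "System32\drivers\$Name.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

$report = foreach ($key in Get-ChildItem $svcRoot) {
    $props = Get-ItemProperty -Path $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; Win32 services are skipped.
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
    $path = Resolve-DriverPath $props.ImagePath $key.PSChildName
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'FileMissing' }
    [PSCustomObject]@{
        Service   = $key.PSChildName
        Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Path      = $path
        Signature = $sig
    }
}

# Save the full list (the equivalent of aakinfo.txt) and show the entries that
# deserve a closer look first: unsigned, invalid or missing images, then by
# start type, since boot- and system-start drivers load earliest.
$out = Join-Path $env:TEMP 'driver-inventory.csv'
$report | Export-Csv -NoTypeInformation -Path $out
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Start, Service | Format-Table -AutoSize
"Full inventory written to $out"
```

An entry whose image file is missing or whose signature is not Valid is the natural first candidate for the "unknown kernel driver" the product flagged, and the Path column is what to compare against the Promise RAID driver before prohibiting anything.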