Keylogger detection

Posted on 2010-01-02
Last Modified: 2012-06-22
I'm now implementing full system encryption (Truecrypt) on all of my workstations and laptops.  All of this security is worthless if an adversary slips a hardware keylogger into my network.  Since the operating system registers key events they must be traceable.  Hardware key logging devices can connect to both PCI or USB plugs.  How do I block such an attack?
Question by: Phil5780

    Expert Comment

    Some ideas to consider - I haven't used them myself, but I hope they will give you an idea of options available.
    1) If possible, disable installation of drivers on the PCs. This will block most hardware and low-level software keyloggers. This also disables USB drives and such as well, so just be aware of that.
    2) In a TPM environment, it may be possible to block unknown hardware. Similar to #1, but at a more hardware level block.
    3) Ensure antivirus and anti-malware software is installed and fully updated on all PCs.
    4) This URL has some information on tools that help detect keyloggers:

    Expert Comment

    A hardware key logger is difficult to detect in software. If they do show up in device manager on the computer, they will appear as fairly generic hardware such as a USB hub. Some hardware key loggers do not require drivers to be installed on the computer at all - they are self-contained units which store the data on on-board memory. Of course the attacker would need to come back and retrieve the device later to view the logs.

    A visual inspection of the computer is the only reasonable way to prevent it. A hardware key logger will be a fairly obvious piece of hardware inline between the keyboard and the computer.

    Author Comment

    I've seen keyloggers that sit on a PCI or PCI-Mini slot.  Since any new piece of hardware is detectable in the device manager, it is detectable.  Is there a software solution that blocks or alerts to the presence of 'unapproved' hardware?

    Accepted Solution

    This might be useful to you then:

    Managing Hardware Restrictions via Group Policies

    I just don't think it's a 100% fool-proof solution, since it still wouldn't stop keyloggers that just sit inline with a PS/2 keyboard and sniff the keyboard signal.
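A detection-side complement to the Group Policy restriction discussed above, added here as an example and not taken from this thread or from Experts Exchange: it snapshots the Plug and Play devices present on an inspected machine and later flags any device instance that was not in that baseline. It assumes Windows 8.1 or later with the PnpDevice module (Get-PnpDevice); the baseline path and the script parameter name are my own choices.

```powershell
param([switch]$SetBaseline)

# Hypothetical location; put it somewhere ordinary users cannot overwrite.
$BaselinePath = 'C:\ProgramData\HwBaseline\pnp-baseline.json'

function Get-PresentDevices {
    # Only devices currently attached; InstanceId identifies one physical device instance.
    Get-PnpDevice -PresentOnly | Select-Object InstanceId, Class, FriendlyName, Status
}

function Save-Baseline {
    param([string]$Path = $BaselinePath)
    # Take the baseline once, right after the machine has been physically inspected.
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Get-PresentDevices | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-ToBaseline {
    param([string]$Path = $BaselinePath)
    if (-not (Test-Path -Path $Path)) {
        throw "No baseline at $Path; run this script with -SetBaseline first."
    }
    $known = @{}
    foreach ($d in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) {
        $known[$d.InstanceId] = $true
    }
    # Anything present now but absent from the baseline is "unapproved" hardware.
    Get-PresentDevices | Where-Object { -not $known.ContainsKey($_.InstanceId) }
}

if ($SetBaseline) {
    Save-Baseline
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Scheduled check: list every new device and call out the classes a USB keylogger or
# rogue hub would enrol under. An inline PS/2 sniffer never appears here at all.
$new = @(Compare-ToBaseline)
if ($new.Count -gt 0) {
    $suspect = @($new | Where-Object { $_.Class -in @('Keyboard', 'HIDClass', 'USB') })
    Write-Warning ("{0} device(s) not in baseline, {1} in Keyboard/HIDClass/USB classes" -f $new.Count, $suspect.Count)
    $new | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or endpoint agent can raise an alert on it.
    exit 1
}
```

Run it once with -SetBaseline on each machine after inspection, then schedule the plain run; a change of keyboard or docking station will show up as a legitimate difference, so re-baseline after approved hardware changes.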

    Author Closing Comment

    Good information provided but still does not offer a great solution.
