Keylogging Trusteer's Rapport

Let's get some perspective on this first: no security product is 100% secure and just because there may be an obscure way round a product doesn't mean you shouldn't use it and that it won't protect you against a lot of attacks. How secure is your Anti-Virus (AV) product? Certainly not 100%, so we need layers of security. Rapport is another layer of security and could help protect your machine.

I have said in my previous post about this issue how well Trusteer dealt with me. So, now to the method of keylogging Trusteer. It's quite simple really, but requires a special setup. Rapport hooks onto the keyboard driver to prevent keylogging. However, if you invoke the remote desktop feature in Windows then a different keyboard driver is invoked, which Rapport cannot hook onto. So, if you're using a remote desktop connection into your machine then Rapport will not be giving you the full protection (it still has other layers of protection that work in this scenario).

Is this such a special case that you don't need to worry about it? Well, not necessarily. There is a plethora of remote access software available, and users are increasingly using it to reach their machines at home or at work. There is also another technology that can be leveraged to cause the same effect whilst the user is sitting at the actual machine. Microsoft have introduced RemoteApps to the Windows desktop environment so that legacy applications appear to run seamlessly on Windows 7. This is done via Virtual PC running another OS, together with the RAIL QFE update, which allows applications on a desktop machine to be exposed as RemoteApps. However, the same technique can be used to look back at the machine and expose the web browser as a RemoteApp, which the user would not notice; the browser's keystrokes then travel the remote desktop input path that Rapport cannot hook.

As I say, it's a special case and not one a user would normally encounter, but it is possible. There are other issues with Trusteer as well, such as being able to capture the screen of protected websites and information leakage, as highlighted in earlier posts on this blog. It doesn't mean you shouldn't use Rapport, though; just know and trust the machine that you're using. Basically, don't ever connect to any secure site or service from an untrusted machine, no matter what's installed on it.
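As an added, defender-side example (not code from the original post or from Trusteer), the PowerShell below audits the two conditions the post describes: whether the current logon is a remote desktop session, in which case keystrokes arrive via the remote desktop input path, and whether this host publishes applications as RemoteApps, including a web browser. The registry locations are the standard Terminal Server keys on Windows; the function names and the browser list are my own.

```powershell
# Added example: audit whether keystrokes on this machine are travelling the
# remote desktop input path, and whether this host publishes RemoteApps.

function Test-RemoteSession {
    # SESSIONNAME is "Console" for a local logon and "RDP-Tcp#N" for an RDP logon.
    $name = $env:SESSIONNAME
    if ($name -and $name -like 'RDP-*') { return $true }
    # Second opinion from the Win32 SM_REMOTESESSION metric, via WinForms.
    try {
        Add-Type -AssemblyName System.Windows.Forms
        return [bool][System.Windows.Forms.SystemInformation]::TerminalServerSession
    } catch { return $false }
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    return [bool]($ts -and $ts.fDenyTSConnections -eq 0)
}

function Get-RemoteAppExposure {
    # TSAppAllowList holds the RemoteApp publishing list for this host.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'
    $result = [ordered]@{ AllowAnyApp = $false; PublishedApps = @() }
    if (-not (Test-Path $base)) { return [pscustomobject]$result }

    # fDisabledAllowList = 1 lets any program be launched as a RemoteApp.
    $flag = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).fDisabledAllowList
    $result.AllowAnyApp = ($flag -eq 1)

    $apps = Join-Path $base 'Applications'
    if (Test-Path $apps) {
        $result.PublishedApps = @(Get-ChildItem $apps | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Name = $_.PSChildName; Path = [string]$p.Path }
        })
    }
    return [pscustomobject]$result
}

# --- report ---------------------------------------------------------------
$remote   = Test-RemoteSession
$exposure = Get-RemoteAppExposure
# Browser executables to flag; extend this list for other browsers.
$browsers = @($exposure.PublishedApps | Where-Object {
    $_.Path -match '\\(iexplore|firefox|chrome)\.exe$'
})

"Remote (RDP) session       : $remote"
"RDP enabled on this host   : $(Test-RdpEnabled)"
"RemoteApp allow-any-app    : $($exposure.AllowAnyApp)"
"Published RemoteApps       : $($exposure.PublishedApps.Count)"
if ($exposure.AllowAnyApp) {
    "WARNING: any program on this host can be started as a RemoteApp."
}
if ($browsers.Count -gt 0) {
    "WARNING: a browser is published as a RemoteApp: $($browsers.Path -join ', ')"
}
if ($remote) {
    "WARNING: keyboard input arrives via the remote desktop driver; driver-level keystroke protection does not apply to this session."
}
```

Run it in the session you intend to do banking from. A local logon with no published RemoteApps and RDP disabled is the configuration in which the driver-level protection the post describes is actually in play; any warning line means the keystrokes are taking a path the post says Rapport does not cover.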


  1. Stumbled across your site today doing a little research on this product because every time I log in to do my banking (HSBC) I am nagged to install Trusteer. (BTW: I must say your site is excellent!) I have an observation: Is it just me… or is Trusteer Rapport not just a form of Trojan itself??? We are being "asked" (how long until it is mandatory?) by our banks to install a piece of software with Admin privileges on our computers that will track our keystrokes, passwords and login details in order to "ensure" that we only access approved banking websites and get warnings about reusing our passwords and other "unsafe" practices... emmm kay! Thanks for that! Now how do I know, when I read articles like this one, that Trusteer is not logging my keystrokes, tracking my surfing behaviour and copying my passwords into their own database somewhere? Just because they assure me that they don't???

     From what I can tell, if I install Trusteer Rapport with the recommended settings and options (i.e. accept the defaults as most of us will), have I just handed over my machine and personal information to yet another entity? Isn't this the very thing that these Security Organisations should be trying to stop? Also, I assume the Trusteer application includes the facility to automatically update itself; the default settings that a user agrees to at installation time probably even include an agreement to permit this without prompting (sorry, I haven't had time to read the fine print to check)? Even if Trusteer don't currently retain password information or keystrokes and leave them on the PC as claimed, what would stop Trusteer from sending down an update at any future time that captures all this information and more! Once they have attained market saturation and have their product installed on 100,000,000 UK and US PCs… that is just too much control / risk to hand over to one company, especially one from a country with some dubious political practices (passports) of late. Somebody please tell me I am being overly paranoid!??!

  2. @Anonymous thanks for your support and comment. I can reassure you that Rapport doesn’t log your keystrokes and send them back to Trusteer (although I admit that it would be possible, but not in Trusteer’s interest). The keystroke mapping is only valid within a single page, any refresh or other navigation will remove the mapping from memory and start again. I have looked at this product quite a lot and no product can be 100% secure, but are you sure that you don’t have a Trojan keylogger on your machine? Remember that AV products can miss these polymorphic Trojans. Again, it could form a layer in your security arsenal. I wouldn’t necessarily write it off now (the product has changed a lot since my first posts on it), but use it knowing its limitations as with all security products.

  3. Good Screen monitoring software will help you to log and trace all your computer's activities and IP address even though you are away from your computer.
