kbfilter.sys

  • Question
  • Updated 2 years ago
We have Trend Micro Maximum Security installed and it doesn't indicate there are any problems when scanning.
Is the kbfilter.sys file supposed to be in the root folder (C:) of the PC? I saw the following post, which makes me suspicious of it being located in the root folder and NOT just the Windows system folder: http://www.file.net/process/kbfilter.sys.html
snyounger

Posted 2 years ago

TM_JimL, Employee
TM keystroke encryption is there to encrypt your password whenever you attempt to log in with your credentials on your online accounts, primarily to prevent keyloggers. Its location should be in the "C:\Windows\System32\drivers" folder; otherwise, it could possibly be a malicious file pretending to be a filter driver.
snyounger
Why doesn't this show up as a threat on my machine when I scan with Trend Micro?
snyounger
It appears to have an install batch file that has the following instructions:
rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 c:\kbfilter.inf
sc start kbfilter

Does this appear to be the same as the keyboard filter install file used for Trend Micro?

There is also a text file named kbfilter that contains the following:
;;;;;; kbfilter
;;;
;;;
;;; Copyright (c) 2006, Trend Micro Inc.
;;;

[Version]
signature   = "$Windows NT$"
Class = "Keystroke protection" ;This is determined by the work this filter driver does
ClassGuid = {278848e5-fb3d-45ec-9517-821a82da58ce} ;This value is determined by the Class
Provider = %trend%
DriverVer=04/18/2013,2.0.0.1045
CatalogFile     = kbfilter.cat                                  ; A CatalogFile entry is required for a WHQL signature.
                                                                ; The actual catalog file will be provided by WHQL.  The
                                                                ; catalog file for this sample is not provided for use.
[Manufacturer]
%trend%=Trend Micro,NTamd64

[Trend]

[Trend.NTamd64]

[DestinationDirs]
DefaultDestDir         = 12
kbfilter.DriverFiles   = 12 ;%windir%\system32\drivers

[SourceDisksNames]
1 = %Disk1%

[SourceDisksFiles]
kbfilter.sys = 1

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc          = %kbfilterServiceDesc%
CopyFiles           = kbfilter.DriverFiles

[DefaultInstall.Services]
AddService          = %kbfilterServiceName%,,kbfilter.Service
;AddReg              = kbfilter.AddRegistry

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles   = kbfilter.DriverFiles
;DelReg     = kbfilter.DelRegistry

[DefaultUninstall.Services]
DelService = kbfilter,0x200 ; Flag to stop the service before it is deleted

;
; Services Section
;

[kbfilter.Service]
DisplayName      = %kbfilterServiceName%
Description      = %kbfilterServiceDesc%
ServiceBinary    = %12%\kbfilter.sys ;%windir%\system32\drivers\kbfilter.sys
ServiceType      = 1    ;SERVICE_KERNEL_DRIVER
StartType        = 3    ;SERVICE_ON_DEMAND
ErrorControl     = 1    ;SERVICE_ERROR_NORMAL
Dependencies     = 
LoadOrderGroup   = "Extended Base"
;AddReg = kbfilter.AddRegistry

;
; Registry Modifications
;

[kbfilter.AddRegistry]
HKLM,%kbfilterRegistry%\Parameters,%kbfilterDebugFlags%,0x00000000 ,0


[kbfilter.DelRegistry]
HKLM,%kbfilterRegistry%\Parameters,%kbfilterDebugFlags%

;
; Copy Files
;

[kbfilter.DriverFiles]
kbfilter.sys

;;
;; String Section
;;

[Strings]
trend            = "Trend Micro Inc."
kbfilterServiceDesc  = "Trend Micro Keystroke Protection Driver"
kbfilterServiceName  = "kbfilter"
kbfilterRegistry     = "system\currentcontrolset\services\kbfilter"
kbfilterDebugFlags   = "DebugLogFlags"
Disk1                = "Trend Micro Kernel Driver Source Media"
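The check TM_JimL describes (the driver belongs in C:\Windows\System32\drivers, and a copy anywhere else deserves suspicion) and the INF posted above can be turned into a concrete test. The PowerShell below is an added example, not code from this thread, from Trend Micro or from the file.net page. It reads the loose INF to learn which service and binary it would install, resolves the ImagePath of the service that is actually registered, and then compares hash, location and Authenticode status of the loose C:\kbfilter.sys against the installed copy. The paths C:\kbfilter.inf and C:\kbfilter.sys and the service name kbfilter are assumptions taken from the thread; adjust them if your files sit elsewhere.

```powershell
# Added example (not code from the thread, Trend Micro, or the file.net page).
# Assumptions: the loose files sit where the thread says (C:\kbfilter.inf,
# C:\kbfilter.sys) and the installed service is named 'kbfilter' as in the INF.
param(
    [string]$LooseInf    = 'C:\kbfilter.inf',
    [string]$LooseSys    = 'C:\kbfilter.sys',
    [string]$ServiceName = 'kbfilter'
)

function Read-InfSections {
    # Minimal INF reader: section name -> lines, with ';' comments removed.
    param([string]$Path)
    $sections = [ordered]@{}
    $current  = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -replace ';.*$', '').Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @()
        } elseif ($current) {
            $sections[$current] += $line
        }
    }
    return $sections
}

function Get-InfValue {
    # First 'Key = value' in a section, or $null if absent.
    param($Sections, [string]$Section, [string]$Key)
    $pattern = "^\s*$([regex]::Escape($Key))\s*="
    $line = @($Sections[$Section]) | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line -split '=', 2)[1].Trim()
}

function Expand-InfStrings {
    # Resolve %token% from [Strings]; %12% is the DIRID for %windir%\system32\drivers.
    param($Sections, [string]$Value)
    $Value = $Value -replace '%12%', "$env:SystemRoot\System32\drivers"
    foreach ($m in [regex]::Matches($Value, '%([^%]+)%')) {
        $s = Get-InfValue $Sections 'Strings' $m.Groups[1].Value
        if ($null -ne $s) { $Value = $Value.Replace($m.Value, $s.Trim('"')) }
    }
    return $Value
}

function Test-DriverFile {
    # Location, hash and Authenticode status of one candidate driver binary.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        InDrivers = $Path -like "$env:SystemRoot\System32\drivers\*"
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# 1. What does the loose INF say it installs?
if (-not (Test-Path -LiteralPath $LooseInf)) { throw "INF not found: $LooseInf" }
$inf        = Read-InfSections -Path $LooseInf
$parts      = (Get-InfValue $inf 'DefaultInstall.Services' 'AddService') -split ','
$infService = Expand-InfStrings $inf $parts[0].Trim()        # e.g. kbfilter
$svcSection = $parts[-1].Trim()                              # e.g. kbfilter.Service
$infBinary  = Expand-InfStrings $inf (Get-InfValue $inf $svcSection 'ServiceBinary')
"INF registers service '$infService' with binary '$infBinary' (StartType $(Get-InfValue $inf $svcSection 'StartType'))"

# 2. What is actually registered? Driver ImagePath values are often relative
#    or prefixed with \??\ or \SystemRoot\, so normalise before comparing.
$installed = $null
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path -LiteralPath $regKey) {
    $img = (Get-ItemProperty -LiteralPath $regKey).ImagePath
    $img = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
    $installed = $img
    "Registry service '$ServiceName' ImagePath resolves to '$installed'"
} else {
    "No service '$ServiceName' is registered; the loose files were never installed here"
}

# 3. Compare the loose copy with the installed one.
$loose = Test-DriverFile -Path $LooseSys
$live  = if ($installed) { Test-DriverFile -Path $installed } else { $null }
$loose, $live | Where-Object { $_ } | Format-List
if ($live -and $loose.Exists -and $live.Exists) {
    if ($loose.SHA256 -eq $live.SHA256) {
        "Loose copy is byte-identical to the installed driver: likely leftover install media."
    } elseif ($installed -ne $infBinary) {
        "Installed ImagePath does not match the INF's ServiceBinary: check which binary really loads."
    } else {
        "Loose copy differs from the installed driver: do not trust it until signature and hash check out."
    }
}
```

Two caveats when reading the output. A byte-identical loose copy is what you would expect if an installer left its source media behind: the INF's [SourceDisksFiles] and [DestinationDirs] sections copy kbfilter.sys from the source location into directory 12 (%windir%\system32\drivers), so a leftover in C:\ proves nothing by itself; a differing copy, or an ImagePath that points outside the drivers folder, is what should worry you. Second, the INF declares CatalogFile = kbfilter.cat, meaning the driver may be signed through a catalog rather than an embedded signature; Get-AuthenticodeSignature can then report NotSigned for a legitimate file, so treat the hash comparison as the primary evidence and confirm the catalog separately (for example with signtool verify /kp /v from the Windows SDK) before concluding anything from SigStatus alone.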
TM_JimL, Employee
You may try to use our other Trend Micro Anti-Malware Tools:

Threats are not detected or cleaned by Trend Micro Security

These programs are more aggressive and would be more likely to detect the malware in almost any location.