> Compiled and ran the code and immediately Bitdefender blocked the program and put up a "Keylogger detected" message.
Which is quite problematic because it was a false positive. You knew and wanted that program to log key presses.
That's the trouble with aggressive heuristics. Users are going to have a program that translates keyboard layouts by hooking the key presses. Or software that comes with some fancy input device.
Then the antivirus says it's a keylogger even though they know it isn't and the user is taught to expect good rather than bad things when they press "allow" against a something-is-wrong prompt.
I wouldn't call it a false positive, since it was definitely logging keys. I view it more like a sudo prompt.
From my experience there are very few legit reasons for intercepting keys, and the use cases you mentioned are better solved by implementing a device driver (which would be signed by MS).
Allowing non-elevated code to install system hooks also enlarges the attack surface, since now a malware piece can just infect your keyboard layout translator for getting keyboard access.
Me, I would like an Intent/Permission mechanism on Windows, where certain actions like keylogging or accessing other processes' memory require explicit white-listing (like on Android/iOS). Currently some actions do require a certain privilege, but that privilege is granted per-user, not per-app, so it doesn't help that much.
> From my experience there are very few legit reasons for intercepting keys, and the use cases you mentioned are better solved by implementing a device driver (which would be signed by MS).
That's assuming you have control over what third parties who write the software have done, and needing to go through the expensive bureaucratic process to get a driver signed is a major reason why they wouldn't do it that way if there was any alternative.
> Allowing non-elevated code to install system hooks also enlarges the attack surface, since now a malware piece can just infect your keyboard layout translator for getting keyboard access.
But now you're not talking about antivirus anymore. Installing things is expected to require privileges. There is a huge difference between a password prompt that says "authenticate if you want to install" and a red alert that says "malware detected and blocked, override may cause fire and mayhem."
Which is especially problematic when it's done by third party antivirus because it means the vendor of whatever software is being misdetected as malware probably didn't encounter that in their testing.
> Me, I would like an Intent/Permission mechanism on Windows, where certain actions like keylogging or accessing other processes' memory require explicit white-listing (like on Android/iOS). Currently some actions do require a certain privilege, but that privilege is granted per-user, not per-app, so it doesn't help that much.
Fundamentally non-technical people don't understand what they're authorizing. It doesn't matter how granular the choices you provide are if the person in front of the button doesn't understand the implications.
You have to be able to trust the software you run, which implies trusting the people who made it. And people keep trying to solve that problem centrally when it isn't a central problem. Microsoft can't tell you if you can trust your brother, or the girl you met at the computer club. They can't tell you if you can trust Lenovo or Sourceforge. Microsoft certainly can't tell you if you can trust Microsoft. You have to decide, or decide who to trust to decide for you. And if you aren't going to decide for yourself then the person you trust to decide can't be Apple or Microsoft, it needs to be someone you personally actually trust, because central gatekeepers can't be trusted not to act against your interest when it's in theirs.
That's not problematic at all. If I want the thing to run, I'll whitelist it and move on. Constant false positives would probably be a bad thing, sure, but any user advanced enough to be installing a keylogger deliberately is probably advanced enough to know the difference.
The alternative is that we don't see when a keylogger is being installed non-deliberately, and that would be worse IMO.