Keeper Forcefield

Keeper Forcefield: Endpoint Protection for Sensitive Data

Overview

Keeper Forcefield is an advanced endpoint security product for Windows that protects sensitive applications and processes from unauthorized access. It is specifically designed to defend against threats such as memory scraping and credential harvesting from malicious software installed via phishing or other attacks.

Forcefield integrates directly with the Keeper Desktop application and operates silently in the background to ensure data protection without impacting performance or usability.

A standalone .msi installer is also available for usage without the Keeper Desktop application.

Installing Forcefield

Option 1: Installing Keeper Forcefield via Keeper Desktop

After installation:

• Navigate to Settings > Security in Keeper Desktop

• From the Forcefield screen, select "Activate Service".

Once enabled, Forcefield will install and immediately begin protecting your device. The system tray shows that Forcefield is activated.

To check for updates to the Forcefield service, right-click the icon and select "Check for Update".

The Keeper Desktop application will detect if Forcefield is running and display the status.

Option 2: Standalone Installation

The installation of the standalone version of Keeper Forcefield is available through an MSI installer at the below URL:

Business customers can install the MSI on end-user machines using your preferred deployment method, whether it’s Intune, an RMM tool, or Group Policy. Each solution supports silent installation of MSI packages and can push the software to your target devices automatically. Just follow your standard process for deploying software across your environment.

How Forcefield Works

On Windows, applications running under the same user account can access each other’s memory, creating a vulnerability that attackers often use to extract sensitive information like passwords and session data. Keeper Forcefield blocks this type of memory access at the kernel level, stopping even low-privilege malware from spying on protected applications while maintaining a seamless user experience.

• Kernel-Level Protection: Installs a lightweight driver that monitors and restricts memory access to protected applications.

• Selective Memory Restriction: Blocks unauthorized processes from reading memory of protected applications.

• Smart Process Validation: Only untrusted processes are blocked. Trusted system processes function normally.

• Seamless Integration: Works silently in the background without disrupting user experience.

Applications Protected by Forcefield

Forcefield is built to protect designated applications by verifying their process name, file name, and code signature. The following applications are secured using this validation approach:

Keeper Applications:

• keeperpasswordmanager.exe

• keeper-ksm.exe

• keeper-commander.exe

• keeper-gateway-service.exe

• KeeperBridgeClient.exe

• KeeperBridgeSvc.exe

• chat.UWP.exe

• keeperimport.exe

Web Browsers:

• chrome.exe

• msedge.exe

• firefox.exe

• brave.exe

• opera.exe

• vivaldi.exe

Key Benefits

• Enhanced Security: Prevents memory scraping and credential theft.

• Lightweight: Minimal impact on system performance.

• User Controlled: Toggle on/off from Keeper Desktop.

• Broad Compatibility: Supports Windows 10 and above.

Updates

Auto and Manual Updates

• Forcefield checks for updates 10 seconds after the client starts and every 24 hours.

• The update source is determined by %userprofile%\.keeper\forcefield.ini:

  • stable: https://download.keepersecurity.com/forcefield/version.txt

Update Installation

If an update is found, the system tray icon will indicate availability. Users must approve the update. Upon confirmation, Forcefield will download and launch the MSI installer.

• Install silently (admin required):

  Copy

  msiexec.exe /i keeperforcefield.msi /quiet

• Uninstall silently (admin required):

  Copy

  msiexec.exe /x keeperforcefield.msi /quiet

Update Verification

• MSI packages are code-signed with Keeper's EV certificate.

• The updater verifies the signature before launching.

How to Verify It’s Running

Run the following command:

sc.exe query keeperforcefield

If the state is RUNNING, Forcefield is active.

Quick Testing

To verify protection:

1. Open Task Manager.

2. Right-click on a protected process.

3. Choose Create memory dump file.

4. The .dmp file should be 0 bytes if blocked.

Component Overview

• Driver: %systemroot%\system32\drivers\keeperforcefield.sys

• Client: %programfiles%\Keeper Forcefield\keeperforcefield.exe

The client handles updates and communicates with the driver.

Network Requirements

Outbound HTTPS access is required to the following:

• https://download.keepersecurity.com/forcefield/

Update Control

• Updates are user-invoked from the system tray.

• Admins can manage updates using remote software distribution tools (e.g. RMM).

• Admins can test updates before rollout.

Silent Installation / Uninstallation

Install:

msiexec.exe /i keeperforcefield.msi /quiet

Uninstall:

msiexec.exe /x keeperforcefield.msi /quiet

To log installation or uninstallation:

msiexec.exe /i keeperforcefield.msi /quiet /l*v install.log

Troubleshooting

If an error occurs:

• Check for dump files in C:\Windows\Minidump

• If missing:

  • Crash dumps may be disabled

  • Power loss or insufficient permissions could be the cause

• Provide the .dmp file to Keeper support for analysis via windbg.exe

Known Issues

May 20, 2025:

• There are some known installation scenarios where the Keeper Desktop application is unable to query for Forcefield status. Forcefield is still running so the issue is purely visual. This is being addressed in our next Keeper Desktop release.

• Forcefield is embedded in the Keeper Desktop application available from the Keeper Security website. The Microsoft Store version is still under review.