Any good free trojan cleaners/detectors out there?
Slovak
March 9th, 2004, 08:24 AM
?
notageek
March 9th, 2004, 09:18 AM
I'll run down the free ATs I know of.
1. Ewido. Never tried it. Might be good. They claim to have over 30,000 dynamic signatures. Here's the link http://www.ewido.net/en/
2. a2. It's still under development. I haven't really tried this either. Here's the link http://www.emsisoft.com/en/software/free/
These are the signature counts from a2:
Trojans: 19620
Dialer: 3129
Worms: 1524
Viruses: 0
Spyware: 9
There's another one, but it's not worth mentioning. It's slow and unreliable. HTH
Comp01
March 10th, 2004, 01:35 AM
Well, a2 free is probably the best one (I use it) in my opinion; some protection is better than none. Plus, a2 free ver 2.0 is supposedly coming out later on, which will include a background guard.
peter.ewido
March 10th, 2004, 06:18 AM
@Comp01: have you ever tried ewido? i guess not :(
notageek
March 10th, 2004, 09:05 AM
Well, if Ewido has over 30,000 dynamic signatures and a2 has only 24,282 signatures, it looks like Ewido might have the upper hand. But I'm not sure if Ewido has over 30,000 signatures.
tobias
March 10th, 2004, 11:02 AM
yes, ewido has over 30k signatures.... BUT:
you cannot just compare two scanners by the number of signatures!
what about the quality of the signatures? or the unpacking engine?
ShotgunGirl
March 10th, 2004, 11:36 AM
Tobias, certainly agree with your assessment of the need for quality. Have you tested the two products? If so, please share your comparison results: unpacking, engine speed, etc.
The gist of your statement leads one to believe that ewido is lacking compared to A2?
My question is not biased, since neither product is on my machines. Thanks
tobias
March 10th, 2004, 11:40 AM
-{ Quote: "
that ewido is lacking compared to A2?...
neither product is on my machines.
" }-
i see that...
what is better...checksum or fuzzy signatures? generic unpacking or nothing?
-{ Quote: "
The jest of your statement leads one
" }-
then i must say that i developed the engine for ewido security suite ;) and then read again
chameleon0
March 10th, 2004, 11:47 AM
@tobias
You know and I know that a2 (v.1) is currently no match for ewido security suite. But the average user does not. Isn't it interesting what marketing can do?
I am wondering why ess has never been tested by a major German magazine like pcwelt or computerbild. Is it difficult to get tested by them?
Moreover, I am wondering whether you have ever considered writing an article about signature quality/scan engine technology/static & dynamic unpacking for Virus Bulletin magazine or the like? I'm sure such an article would be pretty interesting.
ShotgunGirl
March 10th, 2004, 12:14 PM
Tobias, thanks for your response. And my compliments for helping bring a freeware scanner to the community. It is sorely needed.
Since you answered my question with a question, which is no answer at all, please understand that in no way was a debate trying to be launched... mine was a sincere question. My use of Trojan Hunter and TDS meets my needs.
Will wish you the very best in the future... and leave this subject alone. Had downloaded ewido before seeing your response and erased it without testing the product after seeing your response. It may become the very best, but I'll never use it.
tobias
March 10th, 2004, 12:39 PM
-{ Quote: "
Since you answered my question with a question which is no answer at all.
" }-
sorry, these questions were meant as rhetorical questions:
if you want to have facts:
it's a fact that unpacking is necessary
it's a fact that signatures are better than checksums
it's a fact that fuzzy signatures are better than normal signatures
more facts:
ewido has unpacking and fuzzy signatures
TDS has text signatures but no file unpacking (but memory scan)
a² has no unpacking and most detection is done by checksums
trojan hunter has checksums and no real file unpacking (only some upx)
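To make the ranking in tobias's list concrete (checksum, then plain signature, then fuzzy signature, and unpacking before any of them), here is an added example written for this thread; it is not code from any of the scanners discussed. It builds a toy file scanner that runs all three detection methods over a constructed byte string that stands in for a trojan server binary, then over variants of it that a detection engineer would use to test robustness: the same build with a different configured port, the same file with trailing padding, and the file wrapped by a toy packer (zlib stands in for a real runtime packer). Every byte string, name and port number in it is constructed for the example.

```python
"""
Added example for this thread, not code from ewido, a2, TDS or Trojan Hunter:
a toy file scanner comparing checksum, plain signature and fuzzy signature
detection, and showing why a file has to be unpacked before any of them can
match. All byte strings below are constructed placeholders, not real malware.
"""
import hashlib
import zlib

# Constructed stand-in for a trojan server executable (just bytes, not real code).
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"RoachServer v1.0 listening on port 31337"
    + b"\x00" * 16 + b"\xde\xad\xbe\xef"
)

# 1) Checksum: one hash over the entire file. Any byte change anywhere breaks it.
CHECKSUM_SIG = hashlib.sha256(ORIGINAL).hexdigest()

# 2) Normal signature: an exact byte sequence taken from the file.
PLAIN_SIG = b"listening on port 31337"

# 3) Fuzzy signature: the same sequence, but the bytes that legitimately vary
#    between builds (here the configured port) are wildcards, written as None.
FUZZY_SIG = list(b"listening on port ") + [None] * 5


def checksum_match(data: bytes, sig: str = CHECKSUM_SIG) -> bool:
    """Whole-file checksum: fires only on a byte-for-byte identical file."""
    return hashlib.sha256(data).hexdigest() == sig


def plain_match(data: bytes, sig: bytes = PLAIN_SIG) -> bool:
    """Exact byte-sequence signature: fires wherever the sequence survives intact."""
    return sig in data


def fuzzy_match(data: bytes, pattern=FUZZY_SIG) -> bool:
    """Slide the wildcard pattern over the data; None matches any single byte."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def unpack(data: bytes) -> bytes:
    """Toy 'unpacking engine'. zlib stands in for a runtime packer; a real engine
    would identify the packer and rebuild the original image. Here we try to
    inflate and fall back to the raw bytes when the file is not packed."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data


def scan(data: bytes) -> dict:
    """Report which of the three detection methods fires on the given file bytes."""
    return {
        "checksum": checksum_match(data),
        "plain": plain_match(data),
        "fuzzy": fuzzy_match(data),
    }


# Constructed variants of the same sample, used to test detection robustness.
PORT_VARIANT = ORIGINAL.replace(b"31337", b"27015")   # same code, different configured port
PADDED_VARIANT = ORIGINAL + b"\x00" * 8                # same code, extra trailing bytes
PACKED_VARIANT = zlib.compress(PORT_VARIANT)           # port variant wrapped by the toy packer

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("port variant", PORT_VARIANT),
               ("padded variant", PADDED_VARIANT), ("packed variant", PACKED_VARIANT)]
    for name, sample in samples:
        print(f"{name:15s} raw file:     {scan(sample)}")
        print(f"{'':15s} after unpack: {scan(unpack(sample))}")
```

Running it shows the three tiers: the checksum fires only on the untouched original, the plain signature survives padding but not a reconfigured port, and the fuzzy signature survives both; the packed variant matches nothing at all until the scanner unpacks it, which is the "unpacking is necessary" point.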
chameleon0
March 10th, 2004, 12:43 PM
" Had downloaded ewido before seeing your response and erased it without testing the product after seeing your response. It may become the very best but I'll never use it. "
Sounds like a Trollish dialect to me ... Or is it just a misunderstanding?
chameleon0
March 10th, 2004, 01:00 PM
TDS uses MANY MANY text-based signatures + heuristics which makes it relatively difficult to circumvent the scanner. Moreover, TDS has a huge signature database and, therefore, detects many less-known trojans.
Not only TDS but also TH has a memory scanner (even a resident mem scanner plus a module scanner both of which TDS has not). And moreover, Magnus claims that TH uses some fuzzy sigs. TH also seems to use additional sigs + advanced heuristics for some popular trojans.
In summary, I believe that TDS and TH will be a more difficult match for ess.
notageek
March 10th, 2004, 01:10 PM
Sorry if I'm out of line here, but this person asked about free ATs, not ATs you have to pay for.
chameleon0
March 10th, 2004, 01:16 PM
@notageek
That's correct. ESS is probably the best free AT scanner which is available at the moment.
(My last post merely added a few more "facts". I cannot always _bash_ TDS and TH ;-)
IceTech
March 10th, 2004, 01:31 PM
;) Sounds like Ewido can bat in the big leagues with the big boys! It's about time someone sponsored another freeware AT. Relative merits or demerits are not the issue here. The primary question has been answered with a resounding yes.
It's good to see a new player. I will give him a try-out. :)
ShotgunGirl
March 10th, 2004, 01:53 PM
Chameleon0, your following comment was totally un-called for:
" Sounds like a Trollish dialect to me ... Or is it just a misunderstanding"
Tobias is obviously a highly experienced person whom I have no reason to doubt, so why waste my time testing a product he helped make and test? My satisfaction with TDS and Trojan Hunter leaves me with no desire to purchase other products. SIMPLE.
Guests are allowed to post at this forum and we are both guests, and as such my intentions are to be respectful to everyone here, friendly and civil to the best of my ability. You will not see me name-calling anyone ever.
Am not a newbie. Can think independently. And ask questions accordingly. My quest to seek better products is an open-minded approach.
There are real people behind computer screens and it's not my place to judge anyone's reasons or motives. Such behavior can result in flame wars that disrupt forums, waste time and take away from the intent of seeking information in a pleasant environment.
There was a time when no form of explanation would have been offered, but it's a beautiful day and my mood is exceptionally pleasant.
And may you also have a wonderful day
ShotgunGirl
March 10th, 2004, 02:05 PM
Chameleon0
On second thought, have decided to leave the forum entirely. There is no time in my day for slanderous name-calling by others.
As a decent person you still are given my very best wishes.
chameleon0
March 10th, 2004, 02:10 PM
@ShotgunGirl
It's great that you clarified this one. I also wish you happy day.
chameleon0
March 10th, 2004, 02:12 PM
@ShotgunGirl
Aren't you overreacting a little bit? Please take into account my above reply and also the fact that I am just a guest (not a moderator or something like this).
Slovak
March 10th, 2004, 03:56 PM
Darn, I ask for info on a free anti-trojan software, and get a war started instead ??? Not exactly what I asked for, or intended to get as replies. So what is ESS as the one person replied? The Ewido one?
peter.ewido
March 10th, 2004, 03:57 PM
yes, ess = ewido security suite
zorrozorrito
March 10th, 2004, 10:42 PM
I have used EWIDO and a2; at this moment only EWIDO found two trojans: Trojan.Win32.Fudor and Backdoor Clandestine. I think EWIDO is very good, because I have a free program, ON TOP, that includes this trojan, and I have used many anti-trojan programs that never detected these two trojans. All I can say is that the two anti-trojans mentioned are free, so let's use them!!! ;D
Paul Wilders
March 11th, 2004, 04:21 AM
Ladies and gents,
There's no need in any way to turn a discussion into a flame war - please respect different opinions. We wouldn't like to see this thread closed because of this discussion turning into something that even comes near to a flame war, but if it comes to that, we'll have no choice.
Back on subject:
Having tested Ewido briefly, as well as looking at the techniques used, it's for sure a very promising software indeed.
Tobias,
Looking forward to some licenses as soon as the non-freeware versions are released ;)
regards.
paul
Slovak
March 11th, 2004, 07:15 AM
Thanks for all the replies, I am trying ESS out now, I just can't afford TDS-3 at this moment, but have used it for the trial period and will eventually end up purchasing it.
ronny
March 11th, 2004, 07:29 AM
Well, I tried ESS. I must say it looks nice and scans fast.
But there is a problem for me. When I use it, it gets stuck (100% in Task Manager) when it reaches c:\Program Files\Skype\phone\Skype.exe.
When I uninstall Skype v.0.97 it works fine, though. I emailed support and sent the Skype folder, but they had no problem on their system with their Skype. ???
I don't have this problem when I scan with TDS-3, a-squared 2, Trojan Hunter,...
Does anyone have any suggestions?
PS: perhaps this was not the right place to post this? Sorry. Could it be moved then?
Paul Wilders
March 11th, 2004, 07:33 AM
ronny,
In fact the only ones who can comment on this are the ESS software developers - and it looks like they have done so.
Although I'm pretty sure no one over here will be able to come up with a solution for your problem, your post is on topic - so there's no reason to move it ;)
regards.
paul
ronny
March 11th, 2004, 07:38 AM
-{ Quote: " quoting: Paul Wilders
In fact the only ones who can comment on this are the ESS software developers - and it looks like they have done so.
" }-
Indeed, they have, and didn't find a solution (yet?). So I suppose one of them, Skype or ESS, has to go :-\
Slovak
March 11th, 2004, 07:49 AM
Have you tried to disable skype in the task manager, or have you gone to the computer management, then services and tried to disable it in there temporarily while scanning? I am guessing you are running win2k or winxp.
ronny
March 11th, 2004, 08:11 AM
Thank you very much for your reply :)
Skype is not in my taskmanager.
Sorry, I have XP-NL (= Dutch version) and don't understand what you mean with "computer management" + "services".
Why didn't I buy XP-English... :'(
Slovak
March 11th, 2004, 08:18 AM
Right-click the My Computer icon, choose Manage, then in the window that comes up, under Services and Applications, you will find Services, and in there you will be able to start and stop various different things.
ronny
March 11th, 2004, 10:43 AM
Thank you again for being so patient with me, Slovak. I should have known that the Dutch "computerbeheer" = computer management.
-{ Quote: " quoting: Slovak
...the computer management, then services and tried to disable it in there temporarily while scanning?
" }-
I have. There is no Skype thing there. I found a "telephony" service (don't know what that is). When I tried to stop this, I get an error. I can interrupt it, but this makes no difference when I scan. ESS still gets stuck when reaching Skype.exe.
ronny
March 11th, 2004, 01:42 PM
Very ,very good news ! :) :)
The people from Ewido are working on it!
subratam
March 11th, 2004, 02:08 PM
ESS is a nice one, and I ran it and was seeing the interface. Liked it till now, keeping it for sure and testing it. Of course it seems a great program, and I hope it will just get better 8)
best wishes, tobias
Prince_Serendip
March 11th, 2004, 02:15 PM
That's high praise indeed!
As soon as I am done beta testing another AT product, I will definitely give ewido a whirl. Looks good, very good.
:)
ronny
March 12th, 2004, 07:15 AM
I think ESS isn't really finished and we should be very careful with it. See also this one:
http://www.wilderssecurity.com/showthread.php?t=24295
but i'm NOT saying it is a bad program!
peter.ewido
March 12th, 2004, 07:28 AM
It is a finished product! But all signatures had to be redone (32545 in total!) because of this: http://home.arcor.de/scheinsicherheit/rebasing.htm
False positives unfortunately never can be avoided completely, even KAV had one in winrar.exe today...
Firefighter
March 12th, 2004, 10:06 AM
To everyone from Firefighter!
I think that the number of Ewido's signatures is at the top level, because only TDS-3 has a very small bit more signatures than those 32 540 signatures in my Ewido.
In that Scheinsicherheit's newest test mentioned here before, the fixed Ewido engine was the best, and only TDS-3 and NOD with AH were close to Ewido in detecting rebased trojans (how important that really is, who knows?).
Personally, I thought that my DrWeb 4.31b resident scanner (SpIDer Guard) was capable of detecting all Beast variants - 192, 202, 205 and 206 etc. - but just now my Ewido shows:
C:\Windows\Temp\tmp000012b4\tmp00000bb7
infected with Backdoor.Beastdoor
Some days ago I downloaded those zipped Beast variants and there may be some in exe format, I can't remember that anymore.
My DrWeb 4.31b was now able to detect that Beast with On-Demand scan and it was, BackDoor.Beast.202.
"The truth is out there, but it hurts!"
Best regards, Firefighter!
Firefighter
March 12th, 2004, 01:09 PM
To everyone from Firefighter!
Actually the number of signatures in Ewido is just now 32 698, which is 70 signatures more than TDS-3 had yesterday!
"The truth is out there, but it hurts!"
Best regards,
Firefighter!
Paul Wilders
March 12th, 2004, 02:25 PM
-{ Quote: " quoting: Firefighter
To everyone from Firefighter!
Actually the number of signatures in Ewido is just now 32 698, which is 70 signatures more than TDS-3 had yesterday!
"The truth is out there, but it hurts!"
Best regards,
Firefighter!
" }-
FF,
No offense intended - but it seems you don't grasp issues like these. "Signatures" in themselves are merely a small part of the overall picture.
Apart from that: ESS looks promising indeed.
regards.
paul
10390bc
March 12th, 2004, 03:05 PM
For whom it may concern, the ESS website says it (ESS) is for window$ 2000/XP only.
Firefighter
March 12th, 2004, 06:31 PM
To Paul Wilders from Firefighter!
I understood that the topic was, "Any good FREE trojan cleaners/detectors out there?". Because of that I only mentioned that signatures issue! I have a paid licence for BOClean and I personally never thought that Ewido can compete with BOClean just now, but because of these 32 698 signatures we can have a hint of the real number of primaries that Ewido has.
"The truth is out there, but it hurts!"
Best regards,
Firefighter!
ChrisP
March 17th, 2004, 01:18 PM
Slovak,
Just use any free AV - Computer Associates offer one - this will detect more trojans than any free AT - and probably more than most commercial ATs.
4A6F4A6F
March 17th, 2004, 02:13 PM
"Just use any free AV - Computer Associates offer one - this will detect more trojans than any free AT - and probably more than most commercial ATs."... ehm, is this a joke? aha, an AV scanner can detect more trojan samples than an AT scanner (ok for KAV maybe, but the others??), but if this great master AV scanner uses just fingerprints, strings or something like that to detect malware... huuhuu... this becomes a nice target for a script kiddie.
Paul Wilders
March 17th, 2004, 02:27 PM
-{ Quote: " quoting: ChrisP
Slovak,
Just use any free AV - Computer Associates offer one - this will detect more trojans than any free AT - and probably more than most commercial ATs.
" }-
Now, just provide some solid facts to back up this statement ;)
regards.
paul
Slovak
March 17th, 2004, 04:19 PM
I would like to see those facts that back that up myself.
dangitall
March 17th, 2004, 06:32 PM
I'd like to see some hard data as well. Face it, if the AV programs did a good job on trojans, there'd be no need for anti-trojan progs, right?
There IS a real need for ATs because the AV companies do AV work, not AT. There is some overlap, but companies like Symantec and McAfee are not in the AT business and are not likely ever to be.
Personally, with all of the hazards online these days, I wouldn't dream of NOT running an AT in conjunction with my AV. I'm currently using the A2 AT in conjunction with Norton AV and am just about as safe as I can be - barring cutting the modem cable!
chameleon1
March 17th, 2004, 06:44 PM
I would not underestimate McAfee's detection rate in respect of trojans. Sure ... JoJo will probably tell us that McAfee frequently uses weak signatures taken from the resource section. But still ... it's hard to find a trojan test archive where McAfee will not perform pretty well (even better than many dedicated AT scanners).
Just my 2 cents.
dangitall
March 17th, 2004, 06:52 PM
With regard to trojan test archives, you might wish to read this:
http://www.wilderssecurity.com/showthread.php?t=24607;start=msg145077#msg145077
ChrisP
March 17th, 2004, 07:25 PM
As far as I know there are only 2 ATs which detect polymorphic trojans - whereas I believe all ATs do (all the major ones - including free ones) - so this puts them ahead.
I'm sure most AVs detect more trojans in total than any AT.
That's not to say that some ATs don't detect trojans some AVs can't.
ATs and AVs detect viri & trojans in the same way - it's simply that ATs focus on trojans.
The following link is not liked by many people here, as it shows that the protection offered by ATs is minimal:
http://www.virus.gr/english/fullxml/default.asp?id=62&mnu=62
If you want an AT, go for it, but you are probably better off buying a good AV like Norton, F-Secure, KAV etc.
Didn't understand the comments someone made about "script kiddies" etc. - but then clearly, neither did they!
peter.ewido
March 17th, 2004, 07:47 PM
-{ Quote: " quoting: ChrisP
As far as I know there are only 2 ATs which detect polymorphic trojans
" }-
which are?
-{ Quote: " quoting: ChrisP
ATs and AVs detect viri & trojans in the same way - it's simply that ATs focus on trojans.
" }-
please do not generalize, this is absolutely not true for all scanners...
-{ Quote: " quoting: ChrisP
The following link is not liked by many people here, as it shows that the protection offered by ATs is minimal
" }-
what a really nice test... they tested ATs with the following test set:
* File = BeOS, FreeBSD, Linux, Palm, OS2, Unix, BinaryImage, BAS viruses.
* MS-DOS = MS-DOS and HLL*. viruses.
* Windows = Win.*.* viruses.
* Macro = Macro and Formula viruses.
* Malware = DoS, Constructors, Exploit, Flooders, Hoax, Jokes, Nukers, Sniffers, Spoofers, Virus Construction Tools, Virus Tools, Corrupted, Droppers, Intended, PolyEngines.
* Script = BAT, Corel, HTML, Java, Scripts, VBS, WBS, Worms, PHP, Perl viruses.
* Trojans-Backdoors = Trojan and Backdoor viruses.
why should an AT detect anything other than trojans and backdoors? you can't simply compare the results of AVs and ATs with the same test set, especially if there are a lot of unmodified samples! and btw an AT is ALWAYS supposed to be an add-on, not a primary scanner!
ChrisP
March 18th, 2004, 05:33 AM
-{ Quote: "ATs and AVs detect viri & trojans in the same way - it's simply that ATs focus on trojans.
please do not generalize, this is absolutely not true for all scanners..." }-
It is true of all scanners.
peter.ewido
March 18th, 2004, 05:37 AM
-{ Quote: "
It is true of all scanners.
" }-
then please tell me how they all do...
Paul Wilders
March 18th, 2004, 06:08 AM
Chris,
Merely a statement without any factual back up won't go very far....
regards,
paul
ChrisP
March 18th, 2004, 07:46 AM
Paul,
Whilst I believe you know more than I about these things, I find it beyond belief that I'm asked to qualify the statement that they all use pattern matching, since it is a fact that they do. Some also use heuristics.
AVs and ATs do the same thing - that is, look for specific files/bits of data etc. - they do this by having a signature/image/pattern of what it is they are looking for - or in some cases a range of variations of a pattern - or heuristics. That is how all of them find what they are looking for.
Some also look for registry entries or open ports etc.
I'm sure there may be some ATs that may detect some trojans that some AVs don't - but given that most of the main AVs detect more trojans than most ATs (I have seen many tests to prove this - eg: http://www.claymania.com/tests-trojan.html - but not seen one test ever which showed that any AT detected more trojans than any AV) I simply suggest that if you are that concerned about trojans - simply install another AT.
How about someone supplying some proof that any AT can detect more trojans/trojan infections than any of the main ATs - like Norton, Kaspersky, F-Secure etc.?
In my view it is simply not a realistic view to believe that someone like Symantec can't produce a product that can't detect as many trojans as any AT.
Anyone who has seen TV news coverage of the recent worm outbreaks has probably seen footage of the command centres of places like Symantec - these are huge places staffed by hundreds of people that look like a cross between NASA headquarters and the bridge of the starship Enterprise - they have huge resources, almost unlimited finances etc., and I find it impossible to believe in the real world these guys' products could be bettered by any AT manufacturer.
I would be interested if anyone can:
1) prove that all ATs/AVs don't essentially use pattern matching
2) give a qualified example of any AT that can detect more trojans than any of the MAIN AVs (giving numbers and proof)
3) name any AT that has more regular updates to the scanning engine than the main AVs
4) name any AT that has more regular signature updates than any of the main AVs
Paul Wilders
March 18th, 2004, 07:55 AM
Chris,
Before I jump in, I'm looking forward to input from other quite knowledgeable people on this subject - as I'm pretty sure they will. One remark up front though: Clay has a nice site, but referring to tests outdated by 3 years doesn't hold up IMO ;)
regards.
paul
dangitall
March 18th, 2004, 08:07 AM
Notwithstanding Chris' argument that an AV does a better job than an AT, what does it hurt to run both? NOTHING!
As long as there is a chance that one will catch something that got past the other, I will continue to run both. This is the basic reason, I suspect, that most of us run both Spybot S&D and AdAware, right?
ChrisP
March 18th, 2004, 08:19 AM
Hi,
It does not hurt to run both an AV and AT - but I would argue that rather than running an AT in parallel with an AV - you would be better off running another AV alongside - since, as you know - I argue that ATs detect a wider spectrum of trojans than AVs.
Paul - yes, that test is old - but it proves that at that time ATs (the purpose of which is to detect trojans after all!!!!) were of little or no use in detecting trojans - and were vastly inferior to AVs. Unless something has changed since then (and I want proof) then my point stands!
(Please don't feel you must reply to this - I'm just being a bit argumentative as I'm using this as a nice break from doing a rather dull business plan!!!)
Slovak
March 18th, 2004, 08:44 AM
I run spywareblaster, and spywareguard along with ad-aware and spybot.
I do question the accuracy of Clay's site myself as things have changed in the last three years, but one thing I did notice about it was that KAV was amongst the top spots then, and still is today.
illukka
March 18th, 2004, 09:46 AM
hex a server and it's undetected by any AV, or pack it with a special packer, or do those tricks used to make a server undetected. any AV scan will fail... ok, launch the server -> any anti-trojan with a true memory scanner will instantly detect it
the problem with those trojan tests is that they included non-dangerous trojan samples, like clients and editservers.
if I scan my trojan collection with KAV or F-Secure, I'll get some 30000 detections; if I scan with Trojan Hunter I get some 7000 identifications (plus warnings etc. - you see, Trojan Hunter only detects servers). on the file scan Trojan Hunter is not capable of battling with KAV because of Kaspersky's superb unpackers... but when KAV fails (it happens, any file scanner can be fooled; for KAV it usually takes longer), Trojan Hunter kicks in with its memory scan..
CA's eZ Antivirus is btw one of the worst scanners against trojans... lacking many very common trojans in its database; it's primarily a virus scanner, a good one against viruses..
KAV on the other hand has people (a team) on its payroll just for the sake of trojans, and it really is the scanner to beat when it comes to trojans
Gavin - DiamondCS
March 18th, 2004, 09:49 AM
Ok, did ANY other scanner besides TDS-3 detect SubSeven 2.1.5 within 0 minutes of release? :) And modifications of the most popular trojans..
Tests are usually scans of simply numbers of ITW viruses and trojans, as many as they can gather (and hopefully verify and document); in the real world trojans are modified, so tests like this don't mean anything to an attacker who wants to send you a trojan. Why would they send you one of the ITW trojans that all AVs have got/shared with each other?
It's common knowledge in the trojan users' scene that a large percentage of users are now experienced enough and modify their trojans to bypass any AV. They also obtain (even buy) private trojans, BETA and unreleased and own-coded trojans, and use keyloggers like Perfect Keylogger, which most AVs detect poorly. Why is it so easy? Because a single file scanning detection is the only thing someone has to get past to infect you.
Your AV is part of your layered defense. If you rely solely on it, then bypassing it is VERY easy..
ChrisP
March 18th, 2004, 11:51 AM
-{ Quote: "It's common knowledge in the trojan users' scene that a large percentage of users are now experienced enough and modify their trojans to bypass any AV" }-
Whereas they can't bypass your scanner.....?
I suggest, if your scanning engine is so advanced, that you licence it to Kaspersky or Symantec.
-{ Quote: "Ok, did ANY other scanner besides TDS-3 detect SubSeven 2.1.5 within 0 minutes of release" }-
I don't know, but then I would guess that since Kaspersky etc. have much greater resources in terms of personnel and finances than you - they were better able to provide updates than you or any similar small company in the vast majority of cases.
-{ Quote: "Why is it so easy? Because a single file scanning detection is the only thing someone has to get past to infect you.
" }-
Not true with many AVs - F-Secure uses 3 engines.
Anyhow, this could go on forever. The key issue is having software to protect against viri & trojans etc. - and the only evidence I have ever seen published shows without any doubt that AVs protect many, many times better against trojans than ATs.
If you have any independent evidence - based on a large sample of ITW trojans - which disproves this, I think we would all like to see it.
Paul Wilders
March 18th, 2004, 02:56 PM
Chris,
First, have another look at the answers provided - especially by, for example, Illukka.
As for:
-{ Quote: "I suggest if your scanning engine is so advanced that you licence it to Kaspersky or Symantec." }-
Sarcasm seems the worst way of defense - overall, and in regard to this topic as well.
-{ Quote: "I dont know, but then I would guess since Kaspersky etc have much greater resources in terms of personnel and finances than you - they were better able to provide updates than you or any similar small company in the vast majority of cases." }-
Indeed - you don't know, and you are guessing as you correctly stated. Let's keep it factual.
-{ Quote: "Not true with many AVs - F-Secure uses 3 engines." }-
It's actually beside the point. File scanning is the point - no matter how many engines in use.
-{ Quote: "Anyhow, this could go on forever." }-
Not necessarily ;)
-{ Quote: "The key issue is having software to protect against Viri &trojans etc" }-
Fully agreed.
-{ Quote: "...and the only evidence I have ever seen published shows without any doubt that AVs protect many many times better against trojans than ATs." }-
No offense intended, but you didn't understand some of the vital answers and their contents posted. It's common knowledge in the black hat world that AVs - KAV, F-Secure, you name them - can be fooled as far as databases are concerned, at least as far as signatures are concerned.
Other than that: Gavin's comment is - as usual - right on target.
-{ Quote: "If you have any independent evidence - based on a large sample of ITW trojans - which disproves this, I think we would all like to see it." }-
I for one - and for sure I'm far from the only one - could provide you with the means to fool AVs in this context. We're not in the habit of providing this kind of info, for obvious reasons.
Finally: it's no doubt your prerogative to stick to your opinions and beliefs. In case you are happy and confident with those: so be it ;).
regards.
paul
illukka
March 19th, 2004, 01:15 AM
true, F-Secure has 3 engines, but the 2 other engines can't do s##t without the KAV engine.. they rely on it for the unpacking and stuff..
the Orion engine especially is dependent on the KAV engine; about the Libra engine I don't know much
so basically bypassing F-Secure's file scan is as easy as KAV's..
but to bypass a memory scanner you usually need the trojan's source to recompile/modify it
chameleon1
March 19th, 2004, 01:45 AM
@Illukka
"but to bypass a memory scanner you usually need the trojan's source to recompile/modify it"
Wish you were right ...
AFAIK there are only three decent memory scanners available: BOC, TDS, TH. Memory scanners are good for detecting compressed malware (though some commercial protectors can still cause a problem). Unfortunately, memory scanners do not frequently use signatures which are both strong and hard to find/guess.
illukka
March 19th, 2004, 02:17 AM
"there are only three decent memory scanners available: BOC, TDS, TH"
that's what i'm thinking too..
"Unfortunately, memory scanners do not frequently use signatures which are both strong and hard to find/guess."
how do you edit a file to make it undetected by a memory scan if you don't have the source? it's not as easy as hexing, packing, whatever
those who have the skills will always have the undetected one, no matter what scanners are used against 'em
chameleon1
March 19th, 2004, 02:33 AM
@Illukka
"how do you edit a file to make it undetected by a memory scan if you don't have the source?" ... "it's not as easy as hexing"
Well. It can indeed be done by so-called "hexing" (hacker slang).
Example 1: A memory scanner tries to detect the trojan "Roach" by searching for a text string called "Roach". You simply need to modify this text string with a hex editor and the trojan will not be detected anymore. (Btw. ... this example is less unrealistic than you may think.)
Example 2: A memory scanner uses very large signatures and does not encrypt its signature database which will make "hexing" very easy ...
Example 3: A memory scanner with limited functionality uses text-based signatures and, moreover, its signature database was cracked. Again, "hexing" becomes possible.
In summary, I do not want to say that memory scanners are bad. They are definitely useful. But there is still much room for improvements.
illukka
March 19th, 2004, 04:46 AM
I still think hexing is easier against a file scanner than a memory scan
"Example 2: A memory scanner uses very large signatures and does not encrypt its signature database which will make "hexing" very easy ..."
with large signatures hexing is not that easy, even if you know the signature... it could be that the signature is taken from such a spot that it is not possible to modify it without the source; not all sigs are text strings.. but parts of the code.. they can be hexed sometimes, but it takes a lot of time and patience
like you, I've hexed a fair amount of trojans; I remember hexing a server and editing a text string d.o.c.u.m.e.n.t to D.O.C.U.M.E.N.T and it was undetected by Chris P's favourite scanner (and mine too) {no, I won't say which trojan}
you're probably referring to Trojan Hunter on this one.. and if I remember right you took part in a discussion at the Gladiator forums about this subject.. even Tataye himself admitted there (and at other forums too) that making Beast undetectable against TH was very difficult (because of the size of the sig), and he has the source to work with..
anyway, this is just one example
ChrisP
March 19th, 2004, 06:44 AM
The fact remains - it is as easy to get round any AT's scanner as any AV's. - Don't keep replying by saying things like "you can't just say things, you need proof" - since there is not a single person here who has provided a scrap of proof for anything they have said.
As for my "sarcastic" remarks - I was making a valid point - the KAV engine is used by quite a few AVs as it is possibly the best - it's simple economics - how many AT engines are licensed in this way - none - as no one wants them - why - because they are no better than any other engine - that's why.
Not a single person here has addressed any of the issues I raised concerning the relative performance of ATs and AVs.
I use a "layered" protection system - I have F-Secure AV, Tauscan AT, Pest Patrol AT/Whatever, Spystopper, Blackice, Adaware Pro etc etc - but I don't believe having an AT running alongside an AV offers as much protection as having another AV running in parallel with an AV - eg - I think I would be better protected running say Norton in parallel with my F-Secure - rather than running any AT.
I find it funny that people here keep making comments about me supplying proof - when I'm the ONLY person here who has supplied any evidence concerning the TESTED performance of ATs and AVs (see links above) - and I have challenged anyone to provide data to disprove this - and no one has!
The TDS representative has not stated any facts as yet - only posited a question if you remember asking if there was any other AT/AV which detected Subseven before TDS - I answered that I dont know - the truth is that I dont - and neither does he.
I remember making a post here a few months ago concerning the detection of a new trojan (I believe the warning came from a post on BOClean) - I did a scan for this new trojan after updating Trojanhunter (which I was trying at the time) and F-Secure. F-Secure detected it immediately - Trojanhunter did not - not for quite some time. When I posted my findings here, I was told by the AT lobby that I should not be concerned with which updated first or how quickly they were updated!!!! It's like you can't win.
I'm a scientist and as such I try to look at the evidence in front of me and make my decisions based on that. Good scientists should not have emotional investment in their theories or arguments. Theory should be based on facts and evidence - you would do well to remember that.
Firefighter
March 19th, 2004, 07:40 AM
To chameleon1 from Firefighter!
U wrote: "AFAIK there are only three decent memory scanners available: BOC, TDS, TH".
I know that DrWeb 4.31b and Avast 4 have memory scanners too but how decent, that's up to u all Wilders visitors to decide.
"The truth is out there, but it hurts!"
Best regards,
Firefighter!
dangitall
March 19th, 2004, 09:56 AM
-{ Quote: "I use a "layered" protection system - I have F-Secure AV, Tauscan AT, Pest Patrol AT/Whatever, Spystopper, Blackice, Adaware Pro etc etc - but I dont believe having an AT running alongside an AV offers as much protection as having another AV running in paralell with an AV - eg - I think I would be better protected running say Norton in paralell with my F-secure - rather than running any AT." }-
If you believe so strongly that you would be better served by running multiple AVs in tandem rather than an AV/AT combination, then why don't you? The software you list as running on your system belies the point you've been trying to make -- very poorly, by the way.
ChrisP
March 19th, 2004, 01:17 PM
-{ Quote: "If you believe so strongly that you would be better served by running multiple AVs in tandem rather than an AV/AT combination, then why don't you?" }-
Because I was given one of the ATs and purchased the other before I realised it was useless. Sometimes I have them installed, sometimes I don’t. I only ever use them to play about with.
I can’t be bothered to install another AV as believe the added protection it would bring is about zero.
-{ Quote: "The software you list as being running on your system belie the point you've been trying to make -- very poorly, by the way" }-
Very poorly. I think not. I have proved my point with evidence and facts. Please, try doing the same, since so far you have not provided any facts or any evidence. You cant prove a point by just wishing it was true or making personal comments against the person who is providing an antithetical point of view.
Try being methodical and logical in arguments, present your argument backed up by research and documented facts. You cant criticise the logic or facts of my argument by pointing out that I run ATs. - By your logic, I guess if I didn’t run any ATs but instead had an AV running in parallel - then I would be proved right? Of course not.
I’m genuinely interested in getting to the bottom of all this and we wont get there by going the way we are.
I’m still waiting for some hard facts here. Show me:
1) An objective independent test of ATs VS AVs using a large No. of ITW trojans - where ANY single AT beats any single AV.
2) Show me independent proof that an AT cant be fooled as simply as an AV - Independent proof that is - using a large No. of trojans.
I would also be genuinely interested in the manufacturers of TDS and TrojanHunter letting me know:
1) What their turnover is
2) How many employees they have
This information (at least in the UK) is public domain and companies are required by law to publish this info - so there can be no reason I can see for them not to provide this data.
I ask this as I believe that whilst it is not a guarantee, the size of these companies relative to their competitors, will reflect their proportional ability to be able to research the malware out there and also develop new technologies to counter new threats.
***************
Although this information is not in the public domain, I would also like to know the following:
1) What is their R&D budget?
2) How many full time individuals they employ in R&D?
3) How many full time individuals they employ in researching new malware?
I would also like them to explain to me why they think it is that they are able to produce software which is unable to be bypassed by modified trojans - whereas the manufacturers of ATs cant.
Providing accurate answers to my questions backed up with proof is all I ask. Once I have received these, I will be a happy man.
FluxGFX
March 19th, 2004, 01:37 PM
this is starting to get hilarious ... omg
ChrisP
March 19th, 2004, 01:42 PM
Yes it is.
Would be even funnier if someone came up with some answers!
Ho ho ho.
chameleon1
March 19th, 2004, 02:59 PM
Hi Chris:
1.
I do not believe that your arguments are completely baseless (e.g., the argument relating to the bigger resources of AV companies is certainly true).
However, I am still convinced that the best AT scanners can easily compete with a good AV scanner like F-Secure. Therefore, I hold the view that it can indeed make sense to use an additional AT scanner.
2.
Since you have mentioned that you are a scientist I would like to invite you to a semi-scientific experiment: the experiment shall demonstrate that it can be relatively easy (for an attacker) to modify a trojan so that F-Secure will fail to detect it. By contrast, a good AT scanner (with mem scanning) should not be affected.
In the course of the experiment we will try to compress a trojan and/or use a hex editor in order to outfox F-Secure.
(I will provide you with sufficient information so that you can verify my claims. However, I will not write a tutorial for hackers. Therefore, it is possible that certain sensitive information must be communicated via PM.)
3.
Please tell me whether you are interested in such experiment. If yes: please select a trojan of your choice. (You should be familiar with the trojan since you may want to execute it in order to verify what I will teach you.)
4.
Please note: the experiment will not tell you whether an AV scanner will detect more or less original (= unmodified) trojans than an AT scanner. Frankly, I do not think that the size of a signature database is of paramount importance. It is more likely to get infected with a well-known trojan that has been modified than with an exotic trojan of dubious reliability.
ChrisP
March 19th, 2004, 03:15 PM
Hi chameleon1
I'm happy to go with what you suggest as I believe it may serve SOME purpose. However I would still like to see a large scale test involving several thousand trojans with various modifications of each.
How do you suggest I contact you as I guess Paul won't let us post contact details here and I'm not happy to post my email here.
Regards,
ChrisP
wizard
March 19th, 2004, 03:37 PM
Interesting discussion but the point is that ATs don't compete against AVs. They are simply designed to run in addition to AV software to cover an area of malware that most AV vendors ignored for some time: Backdoor trojans.
The truth is that some AV software is in terms of backdoor detection worse than some AT's and vice versa.
In the past most AV software simply ignored the backdoor trojan problem. This gave the opportunity for a lot of small companies to get into this business. Today the situation changed. Nearly all AV programs catch backdoor trojans as well. Sometimes AV programs offer already faster detection for a new backdoor trojan than trojans users realise that there is a new version of their favourite toy. ;)
This has again changed the situation: The trojan users (script kiddies) are now more forced to manipulate the server to avoid detection. The easiest way to do so is packing or crypting the trojan. And this is the case where most AV programs again show weakness. So as long as AV companies ignore this problem again there is a case for AT programs but not for all.
If the AT scanner just offers file scanning (without unpacking) as the only detection method this kind of software can be considered as useless as AV software without offering an answer to the packing threat.
The future case for AT software is to offer additional feature mainly to help detecting unknown or modified trojans which get beyond the defense line of the AV software.
Another problem here is also that most tests where AV software is tested against backdoor trojans are mainly crap (even those from most big testing sites). Nearly all tests have at least one of the following flaws:
a) non-trojan files are included in the testset (client, edit servers, etc.)
b) 10 to 15 year old MS DOS trojan crap is included in the testset (ATs are designed to detect modern backdoor trojans and not historical DOS trojan which is something the AV software anyhow covers)
c) the testset does not include modified or packed files (mostly is just the unchanged files downloaded from a trojan site)
d) trojans are not executed - all good AT programs offer additional detection with a memory scan, so just testing file scanning
wizard
chameleon1
March 19th, 2004, 03:47 PM
re: Wizard
I have nothing to add. You are simply right.
@ ChrisP
Just pick a trojan and make your choice. Possibly, I will not need your contact details at all.
ChrisP
March 19th, 2004, 04:29 PM
Well, presumably you will find it a bit tricky to contact me.
Lets say subseven1
chameleon1
March 19th, 2004, 04:37 PM
Which version of subseven?
chameleon1
March 19th, 2004, 04:44 PM
I strongly suggest to use Subseven 2.15 since it will run under Windows XP.
Is this o.k. for you, Chris. Do you have this trojan?
ChrisP
March 19th, 2004, 05:33 PM
Im happy with that.
ChrisP
March 19th, 2004, 05:35 PM
Forgot to say - no I don't have it. May be able to download it this Sat PM
ecordle
March 19th, 2004, 08:29 PM
After reading most of this thread I tried to follow the link to download 'ewido' But the site does nothing, whichever download button I press, can anyone help? :'(
snowbound
March 19th, 2004, 08:36 PM
Hi ecordle :)
Did u try here,
http://www.ewido.net/en/?section=downloads
seems to be working ok for me. ;)
snowbound
ecordle
March 19th, 2004, 08:47 PM
Hi there Snowbound,
Sorry All, Problem was my end, any how, I used DLExpert and downloaded it no probs.
Just going offline to install, I'll let you know how it goes.
ED ;D
ecordle
March 19th, 2004, 10:30 PM
HI
Downloaded ewido And scanned. Found TrojanSpy Gologger 1.0
This was in Norton and in the system restore. Just wanted to check if this is a false +ve and something needed by Norton?
My guess is that having a name, it must be genuine.
Otherwise, happy that at least ewido seems user friendly for the beginner, i.e. you don't have to understand all the ins and outs to get started.
Thanks for the tip, I'm happy! ;D
Ed
Shunned
March 19th, 2004, 10:52 PM
Pardon me folks....off topic: but this may affect users of ewido and all scanners....
http://www.wilderssecurity.com/showthread.php?t=25140;start=new;boardseen=1
Again please pardon the ot.
chameleon1
March 20th, 2004, 02:40 AM
@ChrisP
Sub7 is almost too easy ;-) But it will be a good example since it's probably the most well-known trojan in the world (i.e., ANY scanner should easily detect it).
Let's do the following:
instructions 1 -5 removed. Please take this to private mail or PM, since we do not allow instructions/info about handling trojans/backdoors over on this board - paul
6.
Voila ... F-Secure should not detect it anymore. Ewido, Kaspersky, NOD32 & Trojan Hunter's file scanner will also fail.
The TDS-3 file scanner will detect a "suspicious file" (an experienced hacker could easily find a work around but may forget to do so). That's why I always say ... never underestimate the MANY MANY weak signatures and other detection tricks used by TDS ;-)
By contrast, a dedicated memory scanner should catch it. Let's see what's happening ...
TDS will easily detect it. The same applies to BOClean. And Trojan Hunter ... well I invite everyone to try it out ;-)
4A6F4A6F
March 20th, 2004, 07:58 AM
pm ? ok can i have such a pm ;) ?
chameleon1
March 20th, 2004, 09:45 AM
@Paul
Can you or someone else confirm that the instructions were correct? This should suffice in order to convince ChrisP that an AT scanner can be useful.
(For everybody who missed it: a well-known compressor (this time not Armadillo ;-) was mentioned. Alas, nothing spectacular. The main reason for the detailed step-by-step instructions was to demonstrate that it really takes no more than 10 seconds to make a trojan undetected.)
Paul Wilders
March 20th, 2004, 04:24 PM
chamelion,
Since your "instructions" have been up far too long before removing them (blame that one on us): I'm not going to comment on your question. Many have been reading, and I for one will not put them on track or tell them it's of no use. No offense intended, but I do hope you see my point of view ;).
regards,
paul
chameleon1
March 20th, 2004, 05:07 PM
@Paul
I will not post any detailed instructions again. (Please note, however, that my instructions were not that dangerous since I did not post a crack for the commercial protector. I merely directed to the trial version which includes a compulsory pop-up window that will alert any potential victim.)
Moreover, have a look at what's going on ITW. There is a huge "how to make a trojan undetected" thread in one of the most popular RAT boards. Moreover, they have re-upped the crack for the TDS-3 signature database etc. Thousands of malevolent people are reading this.
Therefore, I believe that you can only help people if you tell them the truth:
There is no perfect scanner. And it does make sense to use several scanners including innovative newcomers like ewido. And a firewall. And Process Guard.
Sometimes, it may even be necessary to shock people who are too focused on marketing. Everyone should bear in mind: the primary aim of every AV/AT producer is to make money. Your security is only a possible side-effect.
(But I won't post any detailed instructions again. ;-)
Paul Wilders
March 20th, 2004, 05:30 PM
-{ Quote: " quoting chameleon1:
@Paul
I will not post any detailed instructions again. (Please note, however, that my instructions were not that dangerous since I did not post a crack for the commercial protector. I merely directed to the trial version which includes a compulsory pop-up window that will alert any potential victim.)" }-
Thanks. I'm perfectly aware of what you are saying ;)
-{ Quote: "Moreover, have a look at what's going on ITW. There is a huge "how to make a trojan undetected" thread in one of the most popular RAT boards." }-
I know ;)
-{ Quote: "Moreover, they have re-upped the crack for the TDS-3 signature database etc. Thousands of malevolent people are reading this." }-
Overall - not especially aimed at TDS - signature cracking is far from new, as you know for sure. Signatures are one flip side of the coin - as we both know.
-{ Quote: "Therefore, I believe that you can only help people if you to tell them the truth:
There is no perfect scanner. And it does make sense to use several scanners including innovative newcomers like ewido. And a firewall. And Process Guard." }-
In essence, personally I do agree: it's an everlasting ongoing battle - this includes newcomers as well. There's no such thing as a perfect solution. Although Process Guard as well as sandboxing comes close.
-{ Quote: "Sometimes, it may even be necessary to shock people who are too focused on marketing. Everyone should bear in mind: the primary aim of every AV/AT producer is to make money. Your security is only a possible side-effect." }-
Although I do agree marketing is an issue indeed: in the end the top notch security softwares will survive and be top of the bill, if only because of the fact they do the job. The primary aim from all AV/AT vendors for sure is making a profit. I for one applaud this. I disagree customers security is a side-effect (talking about the top notch ones). Making a profit and providing the best security can be a perfect combo. Depending on users' choices, both the user as well as the vendor can be happy campers - bearing in mind it's an ongoing battle indeed.
-{ Quote: "(But I won't post any detailed instructions again. ;-)" }-
Thanks once more. Time to register as a member over here, don't you agree? ;)
regards.
paul
4A6F4A6F
March 21st, 2004, 05:39 AM
chameleon1: mhh no new pm :-[, but maybe I'm right and you mean a commercial protector, a packer like Armadillo or something like that, right?
chameleon1
March 21st, 2004, 05:52 AM
@JoJo
guests cannot access PM feature. your assumption is correct. the matter was not that exciting. an experienced person like you will know this stuff anyway.
ChrisP
March 21st, 2004, 06:10 AM
Hi chameleon1,
I have not had a chance to try what you detailed (I did see it in time) but I WILL give it a go Tuesday.
I guess it is just packing the trojan in a way that F-Secure can't unpack.
As I have not done it yet, I'm assuming that if the app was to be run the real time scanner of F-Secure would detect it in memory?
I know all this is to counter my argument that ATs are not as good as AVs - but from what I have seen, the method you describe not only outsmarts F-Secure, but Trojanhunter and TDS - so as far as I can see it has not helped in demonstrating that ATs have some mystical ability to detect that AVs don't.
Interesting though that it is that easy to modify a trojan so that TDS etc cant detect it.
chameleon1
March 21st, 2004, 08:33 AM
No. The on-access scanner of F-Secure should not detect it. This is because we are not talking about self-extracting archives (like WinZIP, WinRAR) but about run-time compression (--> this means that decompression will take place in memory only).
F-Secure does not have a real memory scanner. TDS and BOClean have one. TH has one as well but something went wrong with it ...
TDS was not outsmarted. Even its file scanner detected it (with the help of a relatively cheap trick). But who cares? Detected is detected. Moreover, BOClean was not outsmarted.
AT scanners' abilities are not mystical at all. Their main advantage is a memory scanner. I know that some AVs claim to have a mem scanner, too. But this is a lie. Plain and simple. Usually, they claim to have a mem scanner when they do the following: scan any processes running in memory with the file scanner. Nice joke, eh?
Some other ATs (ewido) feature a so-called emulation in connection with strong signatures. This may also be helpful if someone tries to bypass a scanner. (It would require a different example in order to demonstrate this. But I have promised Paul to not post any detailed instructions ;-)
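The distinction drawn in the post above (a file scanner sees the run-time-compressed bytes on disk, a memory scanner sees the image after the stub has inflated it) can be illustrated with a toy model. This is an added example, not code from the thread or from any product mentioned in it; the signature, the "unpacked image" and the loader stub are all constructed, and zlib stands in for a real run-time packer.

```python
import zlib

# Constructed toy signature database: one content-based signature, i.e. a
# byte pattern taken from the body of a hypothetical sample. The name is
# made up for this example.
SIGNATURES = {
    "Example.RAT (constructed)": b"\x55\x8b\xec\x83\xec\x10CONNECT-BACK",
}

# Constructed stand-in for the unpacked executable image: a header, some
# filler "code" bytes, the region the signature covers, and trailing data.
UNPACKED_IMAGE = (
    b"MZ" + b"\x90" * 32
    + b"\x55\x8b\xec\x83\xec\x10CONNECT-BACK"
    + b"\x00" * 16
)

# Constructed loader stub: a real packer prepends decompression code; here a
# fixed marker is enough to separate the stub from the compressed body.
STUB = b"MZ" + b"STUB:inflate-then-jump;"


def runtime_pack(image: bytes) -> bytes:
    """Simulate a run-time packer: stub followed by the compressed body.

    The compressed body is what ends up on disk; the original bytes only
    exist again once the stub has run.
    """
    return STUB + zlib.compress(image, 9)


def runtime_unpack(packed: bytes) -> bytes:
    """What the stub does at launch: inflate the body into process memory."""
    return zlib.decompress(packed[len(STUB):])


def scan_bytes(data: bytes) -> list[str]:
    """Plain pattern match of every signature against a byte buffer."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def file_scan(on_disk: bytes) -> list[str]:
    """On-disk scan with no unpacking support: matches only raw file bytes."""
    return scan_bytes(on_disk)


def memory_scan(on_disk: bytes) -> list[str]:
    """Scan the image as it exists in memory after the stub has inflated it.

    A scanner that merely re-reads the file backing each process (the
    "fake" memory scan described in the thread) would behave like
    file_scan() instead.
    """
    return scan_bytes(runtime_unpack(on_disk))


if __name__ == "__main__":
    packed = runtime_pack(UNPACKED_IMAGE)
    print("file scan, unpacked :", file_scan(UNPACKED_IMAGE))
    print("file scan, packed   :", file_scan(packed))
    print("memory scan, packed :", memory_scan(packed))
```

The same packed bytes produce no file-scan hit but a memory-scan hit, which is the whole case the post makes for a dedicated memory scanner.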
Sumire
March 21st, 2004, 10:18 AM
really interesting thread! :)
@chameleon1
May I ask you one question? I've heard that Dr.Web has true process memory scan function. Have you ever tested Dr.Web? What do you think of Dr.Web's memory scan? Why I ask you this question is that I can purchase Virus Chaser(Dr.Web's clone) at a low price.
http://www.viruschaser.com/Eng/index.jsp
btw,I'm using ESS for a while, I don't know well about this product because I don't have many malicious programs like other Wilders' members, but I can say one thing ESS's support is really excellent. ;)
Best Regards
chameleon1
March 21st, 2004, 01:26 PM
@Sumire
I just had a brief look at Dr. Web's "mem scanner". I was not really impressed (i.e., it's not a good replacement for a dedicated mem scanner). At the moment, I do not want to answer the question whether the Dr. Web mem scanner is a "fake" or not. This would require further examination.
ChrisP
March 21st, 2004, 05:01 PM
chameleon1
Lets say, hypothetically (Ahem!) that I followed your instructions - and found that F-Secure did not detect the trojan (tauscan and pestpatrol also failed).
Lets also say, hypothetically, that I was a silly ba****d and managed to infect my PC!
Let's also say that I was 99% sure I had subseven running on my PC as BlackICE popped up an alert that Subseven was sending out its ICQ alert (BI application protection not on and no baseline done - my own fault!) AND the demo warning flashed up from that packer you mentioned.
Lets say all this and the fact that right now - F-secure is running so slow that I cant use it - HOW WOULD I GET RID OF SUBSEVEN FROM MY SYSTEM??????????????
chameleon1
March 21st, 2004, 06:18 PM
Download TDS-3 trial version ... ;-))
ChrisP
March 21st, 2004, 07:10 PM
I have. It finds subseven in memory (mutex) - or whatever it is called - but finds nothing else - even with a full system scan - ie - all it finds is evidence that the trojan is active - but it cant find the trojan itself.
As I have said, when I reboot, I get 2 warnings saying this file has been packed with xxxxx, (which I assume is the trojan loading).
F-secure is not working - runs so slowly - ie 4000 files scanned in 3 hours.
Tauscan finds nothing now also - but the little bug**r is running there in memory.
Help!
Slovak
March 21st, 2004, 07:22 PM
I still say try ESS, I have been using it for a week or so now and it has not let me down yet, I always check when and if it finds something to make sure it is not a false positive before deleting, but so far I have had nothing but good results. Compare this to the price of TDS 3 and it can't be beat for the price :) I am not knocking TDS 3, just saying that for a freebie ESS can't be beat IMHO
Paul Wilders
March 21st, 2004, 07:33 PM
-{ Quote: " quoting ChrisP:
I have. It finds subseven in memory (mutex) - or whatever it is called - but finds nothing else - even with a full system scan - ie - all it finds is evidence that the trojan is active - but it cant find the trojan itself." }-
I presume you have at least downloaded the latest radius. Apart from that: feel free to post screen shots coming with your statement.
-{ Quote: "As I have said, when I reboot, I get 2 warnings saying this file has been packed with xxxxx, (which I assume is the trojan loading)." }-
Disable System Restore and start up in the Safe Mode; perform a full system scan once more.
-{ Quote: "F-secure is not working - runs so slowly - ie 4000 files scanned in 3 hours." }-
A warning for all: don't mess with this kind of stuff, unless on a separate test system.
-{ Quote: "Tauscan finds nothing now also - but the little bug**r is running there in memory." }-
Tauscan as it is will never be able to cope with issues like these.
-{ Quote: "Help!" }-
Those involved no doubt will try to do so. That said: I'm perplexed; why put your system at risk fooling around like this? No offense intended - but it surely does beat me.
regards,
paul
Paul Wilders
March 21st, 2004, 07:36 PM
-{ Quote: " quoting Slovak:
I still say try ESS, I have been using it for a week or so now and it has not let me down yet, I always check when and if it finds something to make sure it is not a false positive before deleting, but so far I have had nothing but good results. Compare this to the price of TDS 3 and it can't be beat for the price :) I am not knocking TDS 3, just saying that for a freebie ESS can't be beat IMHO" }-
No offense intended - but that's beside the point - apart from the fact, ESS is an on demand software - it will not prevent this from happening.
regards.
paul
spy1
March 21st, 2004, 08:53 PM
-{ Quote: " quoting Paul Wilders:
No offense intended - but that's beside the point - apart from the fact, ESS is an on demand software - it will not prevent this from happening.
regards.
paul" }-
Totally agree - you can not place your computer in the hands of a totally un-tested, nearly brand-new application.
ewido as of this moment is only suitable as a "check-up" app - not a main-line defense.
The same holds true for any un-tested anti-trojan app. Pete
chameleon1
March 22nd, 2004, 12:06 AM
@ChrisP
TDS-3 file scanner will find it (--> suspicious file: Borland debugger, Microsoft tag). TDS-3 mem scanner will find it (--> the alert window will show the name and the path of trojan, moreover there is an option to kill process and (!) delete file)
Finally, you can post a hijackthis log. It is really basic stuff to remove this trojan.
4A6F4A6F
March 22nd, 2004, 05:19 AM
apropos tds: Do somebody know a command to clear the alarm console window section of TDS-3 ?
ChrisP
March 22nd, 2004, 08:08 AM
TrojanHunter finds the trojan in memory a few seconds after startup - it cleans it - but it is back when I restart.
TDS will find it in memory:
Live trojan found (in process memory): RAT.SubSeven 2.2
File: C:\WINDOWS\System32\rphf.exe
I have got TDS to delete it, even done a full system scan - but it does not find the file you mention - and the trojan is there when I reboot.
Spooky
ChrisP
March 22nd, 2004, 04:37 PM
I have managed to remove the trojan - by using partition magic to format the drive!
I tried TDS - but although it found the trojan in memory and deleted the file itself - it was always running again on reboot.
I tried Trojanhunter - this gave the same result - though it was faster and easier to use.
I also tried trojanremover, tauscan and pestpatrol - none of these even found it in memory.
F-secure would not run - only slowly so I gave up.
I tried TDS several times - even starting in safe mode - 5 times - with a full system scan - but no joy.
I have learned several things from this:
1) Never infect yourself with a modified trojan!
2)F-Secure wont detect a trojan in memory - only the file itself - so if it is modified it may not find it....
3)TDS and trojanhunter have the advantage that they can detect trojans in memory.
4) TDS and TH cant remove subseven 2.2 if it is repacked with XXXXX.
5) Always do a baseline scan using BlackICE on a fresh install - As in my opinion this (on my system) is the only real security against trojans.
6) BlackICE detected and identified the trojan - even without application protection running.
7) It is too risky to run any unknown file - no software will protect you against a skilled hacker.
8) Layered defense is important - as I say, in my normal setup only BI would have alerted me to the trojan being there.
9) Never bugger about with trojans if you have not backed up your system using Acronis!!!!!! (4 Hours to go to complete the install now)
I may toy with the idea of buying Trojanhunter - even though it did not remove the infection it did alert me and probably would in more cases than BI - possibly...!!!!!
chameleon1
March 22nd, 2004, 04:52 PM
Hi Chris...
the formatting was certainly not required. Moreover, you forgot to mention another important rule:
Listen to me! ;-)
1.
I said: Use S7 2.15 not S7 2.2
2.
I said: Disable any autostart options when you configure the trojan. Apparently, you did not ;-)
3.
I said: Post a hijack this log. You did not but formatted your harddrive.
But don't worry. Life is an endless adventure. And everybody will learn his lesson ... sooner or later. ;-)
dangitall
March 22nd, 2004, 05:03 PM
-{ Quote: "Layered defense is important - as I say, in my normal setup only BI would have alerted me to the trojan being there." }-
Yes, a layered defense system is important. I'm sorry that it took so much to bring you around to this realization -- but I will admit to having had a rather uncharitable giggle and snicker at your expense once you realized that you'd been nailed!
Please, next time, don't be quite so quick to rear back on your haunches in defense of a position. Listen ... at least a little bit. I haven't found many fools or idiots here as yet, and many of us speak from hard-won experience. As 'tis said, ChrisP, live and learn. ;)
Ailric
March 22nd, 2004, 05:17 PM
I did a test with one (yes only one) common trojan and here's what happened. I put the packed program in a zip file.
Trojan name: Briss
Packed program: start.exe
Infected files: a.exe, bridge.dll
I use Total Uninstall in safe mode on a test machine to clean out any files or registry entries added. I always triple check with a number of programs and do a search for all files added or modified within the last day and back up the registry.
All programs are fully updated.
My AV - F-Prot for Windows found it only when it was installed. Too late. The new version (3.14e) finds it now before it's executed. Pass.
AVG Free spots it immediately. - Pass
Panda Titanium doesn't recognize it. - Fail
KAV spots it, even in a zip file. - Pass
NOD32 spots it before it's fully extracted. - Pass
AdAware cleans it up. - Pass
Tauscan doesn't recognize it. - Fail
a2 doesn't recognize it. - Fail
Disappointing for programs MADE to identify these kind of files.
I trust KAV with extended definitions far more than any AT. Layered defense IS the only way to go.
ecordle
March 22nd, 2004, 07:17 PM
Hi Ailric
Re:-
-{ Quote: "Disappointing for programs MADE to identify these kind of files.
I trust KAV with extended definitions far more than any AT. Layered defense IS the only way to go." }-
What do you recommend, and where can I find them??
Thanks Ed
ChrisP
March 22nd, 2004, 07:36 PM
The key point for me is that if I (and therefore any turkey) can repack subseven 2.2 with XXX - no AT/AV will remove it. I guess there are 1000s of trojans out there that are worse.
Before anyone asks, yes I did update TDS and TH - but although they found the trojan in memory and also removed the file from wherever it was (can't remember right now) they did not remove whatever packed file was hiding - the one which started the trojan up again.
All I can say again is I believe the only safety comes from taking a snapshot of your system - like with BI app protection / and or never using any downloaded file.
This is all a bit scary, I'm thinking to myself - if it had been packed with a non evaluation packer that popped up a warning - just using F-Secure as I did (I only do a scan once a week if I'm lucky) then I would not have known I was infected (Other than BlackICE warning me - But I guess other firewalls wouldn't have identified the trojan).
I would be interested to know the following:
Do you (chameleon1) think that the app protection of BI is useful in countering infections of this type?
Know of any AT/AV which unpack the XXXX you mentioned?
Have any other ideas which would make my system safer
Know why it is that my arrogant argumentative postings always stimulate such huge interest? (Just noticed the number of views this and my Tauscan one have had!!!)
Respect to you all (within moderation)
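Two of the posts above describe the same defensive habit: Ailric searches for every file added or modified in the last day after a test install, and ChrisP argues that the only real safety is a snapshot of the system you can compare against. The script below is an added example of that baseline-and-diff idea; it is not code from any poster, product or vendor named in this thread. It hashes every file under a directory, diffs two snapshots (added, removed, modified) and separately lists files whose timestamp falls inside a time window. The sample tree and the file names in `demo()` are constructed for the example.

```python
"""Baseline snapshot and diff for a directory tree (added example).

Idea from the thread: snapshot a clean system, run the suspect installer,
snapshot again, and compare. Content hashes are compared rather than only
timestamps, so a file whose mtime was reset still shows up as modified.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to
    (size, mtime, sha256). Symlinks and special files are skipped."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime, _sha256(p))
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of paths that were added, removed, or whose
    content hash changed between the two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][2] != after[p][2])
    return {"added": added, "removed": removed, "modified": modified}


def changed_since(snap, since_epoch):
    """Files whose mtime is at or after since_epoch: the 'modified in the
    last day' search, useful when no earlier baseline exists."""
    return sorted(p for p, (_size, mtime, _hash) in snap.items() if mtime >= since_epoch)


def demo():
    """Constructed scenario in a temp dir: two old files form the baseline,
    then an 'installer' drops a new file, edits a config and deletes a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "readme.txt").write_text("clean baseline\n")
        (root / "app" / "config.ini").write_text("setting=1\n")
        three_days_ago = time.time() - 3 * 86400
        for name in ("readme.txt", "config.ini"):
            os.utime(root / "app" / name, (three_days_ago, three_days_ago))
        before = snapshot(root)

        # Simulated post-install changes (file names are made up for the example).
        (root / "app" / "dropped.dll").write_bytes(b"\x00constructed sample\x00")
        (root / "app" / "config.ini").write_text("setting=1\nautorun=dropped.dll\n")
        (root / "app" / "readme.txt").unlink()
        after = snapshot(root)

        report = diff_snapshots(before, after)
        report["recent"] = changed_since(after, time.time() - 86400)
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In real use you would call `snapshot()` on the directories that matter (program files, the user profile, startup folders), store the result as JSON on read-only media, and re-run the comparison after any install. The content hash is the part worth keeping: a scanner that missed the packed file still can't hide the fact that a new file appeared or an existing one changed.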
Ailric
March 22nd, 2004, 07:44 PM
Hi ecordle,
The extended definitions for Kaspersky and discussion can be found in this article:
[hr]
Hi,
Can you try to add a new address in the Updater:-
http://updates2.kaspersky-labs.com/updates_ext
This should download latest updates along with the additional updates.
Or for the paranoid user:
http://updates2.kaspersky-labs.com/updates_x/
http://forums.useice.com/cgi-bin/ikonboard.cgi?s=3fefd57117b3ffff;act=ST;f=1;t=202
[hr]
I'm paranoid. ;)
I purchased F-Prot for Windows for resident protection and KAV 3.5 for on-demand scanning. The combination of the F-Prot and KAV scanning engines along with a combined 190,000 definitions for all kinds of malware make me feel pretty safe. ::)
ecordle
March 22nd, 2004, 07:55 PM
Thanks Ailric :)
This thread (and others) has me pretty paranoid too!!!! So, I'll take a look at your suggestions and just hope to stay one step ahead of the casual hacker.
I guess it's a bit like thieves, you'll only ever stop the casual thief, if a thief wants to break in he will!!
Any info on good FREE trojan defense systems would be welcome!!
Ed ;)
chameleon1
March 23rd, 2004, 12:42 AM
@Chris
I am almost certain that your problem had nothing to do with the packer. It seems to me that Sub7 2.2 simply created a "backup" server on your hard drive. After you removed the original server, the backup server was first copied and then started. (Just a guess.)
You may try this again with an unpacked version of the trojan. Or better not ... ;-)
In any case, a HijackThis log would have solved the problem since it would have shown you the autostart entries of the server AND the backup server.
Moreover, I wonder whether you have a program on your computer allowing you to control the execution of files. Many new firewalls like Kerio 4 can do this. A system firewall like SSM can do even more.
dangitall
March 23rd, 2004, 08:24 AM
-{ Quote: "Know why it is that my arrogant argumentative postings always stimulate such huge interest?" }-
Possibly because arrogant argumentation catches people's attention and some, such as I, just can't let that go by without demonstrating that we're just as arrogant and argumentative! ;)
Slovak
March 23rd, 2004, 08:37 AM
WOW ! 8) I asked for a simple free trojan cleaner and it turns into an 8 page debate on what is best and why.
dangitall
March 23rd, 2004, 08:49 AM
You've really got to watch what you ask around here! And, for having turned such a seemingly simple question into a raging debate, your first cookie is on me!
illukka
March 23rd, 2004, 09:47 AM
Well, who edited the server, which startup method did you choose?
Sub7 is the one with the master password, so I'd suggest caution with it.. ChrisP, be glad that you didn't choose a rootkit as the test server... LOL
inane
April 27th, 2004, 05:59 AM
Hi All, new to this site, and yes it is because I have / had a trojan using the executable access[1].exe which tries to hijack my browser. This little thing came with trojan adclicker, trojan download and a couple more. Think I am almost free of it, and I am not firewalled up to the hilt as well as my normal A/V.
Read this and decided to get the Ewido program as well (already have Ad-Aware). One question though. When I run Ewido, if it detects a trojan you can clean it. But on the analysis there is a list of about 20 things that it can't read, like
localservice\ntuser.dat.log.
I know half of these aren't bad - but do I need to worry about them not being readable?
Cheers
jta
May 23rd, 2004, 10:10 PM
A² is pretty good for a free anti-trojan. In fact it was previously known as Anti-Trojan and was payware; now it is freeware and good for the community to protect itself.
Slovak
May 23rd, 2004, 10:26 PM
That is normal as far as I know, I have about the same that can't be read.
Meangean
May 24th, 2004, 07:42 PM
TDS-3: there is a free version.
Also Trojan Hunter 3.8 is good.
There is a trial version but you can't update it,
only the purchased version, but it's a great program.
notageek
May 24th, 2004, 11:51 PM
TDS is not free; it has a free trial.
The Trojan Hunter free trial can be updated, but manually. In other words you have to go to Trojan Hunter's web page and download the update and unzip it to the Trojan Hunter folder.
Hyperion
May 28th, 2004, 03:52 PM
Well, I have read before in a magazine a test with modified trojans (according to the article a 10 min job) where only KAV picked it, but this is even more scary...
I just re-installed Abtrusion Protector. This would have stopped it from executing, right?