BOClean vs. TDS


downripper
May 14th, 2004, 11:01 PM
Ok. I have sort of read through the forum and get an impression that BOClean and TDS are two of the better AT. Now I would like to list out my needs and see how both AT handle them. What I need is just yes or no.

1. super low resource usage (2MB to 4MB)?
2. frequent update (at least once a day)?
3. if possible, replace firewall all together. All I want is to block a trojan horse or trusted software to hijack another trusted software to send data out, i.e. outbound protection or other injection methods. ;D

Outbound detection that comes with the software firewall is a pain to use. Now, I have to delete the trusted list on every logout just in case I accidentally enable some trusted software which can be hijacked by the untrusted software. I thought that will be safe but maybe it isn't. ???

I am now using NOD32 and ZoneAlarm Pro (I know this one is probably not a good choice, but I did a test and installed many firewalls and this was the only one that passed all my tests) with a backup KAV. But, as I have said, it is a pain to use. :P

Dazed_and_Confused
May 14th, 2004, 11:19 PM
Downripper - Welcome to the forum.

Can't address the techie stuff, but I can say that TDS offers the best AT protection around. Not long ago I was using TDS with a 333MHz box without a problem. Regarding updates, I see them almost daily (excluding weekends). I would not recommend bundling an AT with a firewall. Strange combination in my opinion. Give TDS a try - you'll be impressed! :D

FanJ
May 14th, 2004, 11:25 PM
Hi,

No offence intended !!!
But in my humble opinion this question should have been asked in the forum-section "Other Anti-Trojan software".

May I please ask the mods/admins to move this thread to that forum-section.

downripper
May 14th, 2004, 11:37 PM
sorry...i thought there is no BOClean forum here and there is one for TDS...so i put it here...

FanJ
May 14th, 2004, 11:40 PM
-{ Quote: "sorry...i thought there is no BOClean forum here and there is one for TDS...so i put it here..." }-


Hey Downripper,

No problem ! :)

I leave the decision (whether or not to move the thread) to the Wilders-staff ;)

Regards, Jan.

Mr.Blaze
May 14th, 2004, 11:40 PM
both are great and i recommend using both side by side

im a newbie and i can say this TDS is hard core and boclean is so easy id actually say you need both

a firewall so easy to use is za pro im lazy i hate reading but after 10 minutes getting the gist of zap im a darn security guru lol

thats how easy it is lol

look like a pro buy a zone alarm pro let them people think you know what you're doing lol

thats pretty much it that 3 part combo kicks butt

if you have e-mail through microsoft i suggest worm guard too its for really lazy people like myself lol

LowWaterMark
May 14th, 2004, 11:46 PM
Actually, you know... I think most "comparison" threads probably do belong in a generic forum section versus the official product support forum for one of the two products involved.

You see, while I have every confidence that we all can treat a topic fairly regardless of where it is, the main issue might well be "who sees the topic" and "who feels free to respond fully" to that topic...

A specific vendor forum section is generally visited by a larger ratio of people that use and support that specific product, while a generic forum is more likely to get a mix of people. Further, people with strong BOClean opinions, for this topic in particular, might feel uncomfortable posting those thoughts in a TDS-3 forum.

So, we'll move it as recommended. :)

FanJ
May 14th, 2004, 11:51 PM
My answer is almost the same as my buddy Blaze posted:
Use both !
BOClean for on-access and TDS-3 for on-demand.
Many users use them both that way.
And, if you like, you can use both at the same time: no problem at all !!!!!

But that all is my strictly personal opinion !

--?--
May 15th, 2004, 01:17 AM
As regards your need ...

"3. if possible, replace firewall all together. All I want is to block a trojan horse or trusted software to hijack another trusted software to send data out, i.e. outbound protection or other injection methods. "

... neither BOC nor TDS will make you completely happy. You should try Process Guard or System Safety Monitor if you want to prevent "injections".

Gavin - DiamondCS
May 15th, 2004, 01:21 AM
Yes attackers are more "clever" these days, it's more a real battle between them and US - a battle where traditional defences are too easily bypassed by their very nature

downripper
May 15th, 2004, 01:55 AM
ok..I have got the basic idea.

My next question is to DiamondCS, will the next version aka TDS-4 include some of the features from Process Guard? Or Process Guard will be sold as it is. :P

Do you have a list of processes suggested to put under protection for each Windows version? Without it I would need to include every running process and those that are potentially started to the list. That will not be practical. Correct me if I am wrong. ;D

The idea is basically what processes need to be protected to prevent sending data out of the PC? ::)

Thank you.

--?--
May 15th, 2004, 02:29 AM
Obviously, any internet application (for which an allow rule has been created) needs to be protected. It goes without saying that the use of a personal firewall is not redundant ... layered security.

supastah
May 15th, 2004, 02:44 AM
--?-- hmmmmm that name looks familiar. Your style of writing sounds somewhat familiar too. But how do you pronounce it?

Jooske
May 15th, 2004, 02:45 AM
I wonder if that very low on resources is the first issue?
I must admit TDS-3 uses more than BOClean, but both are worth every penny, there are bunches of people using them both together.
With the TDS-4 around the corner and ActiveGuard as part of that new generation software as resident part and protection and more.......
The Execution Protection enables TDS to stop nasty code to be detected and stopped before it can even run at all, so no live trojan needed to be detected in a scan.
The ActiveGuard will build forward on this concept (resident) and offer lots more on very new technologies.
WormGuard has this kind of resident protection too for malicious scripts and worms, among others, while you can add more to your blocklist yourself.
It saved me several times where even the email scanner said a file was all clear to open, WormGuard thought differently, fortunately.
Process Guard is a standalone separate product which runs on the nt/2000/xp systems, not on the 9X series, the TDS family runs on every.
Registered TDS-3 users can upgrade for free.
To keep an eye on and manipulate both inbound and outbound traffic Port Explorer will be a very nice combination.
But no matter which combination you choose, you'll always need some kind of firewall, software, hardware, build in the router, anything.
So in fact you're looking for a kind of outbound firewall?
Or would the protection Process Guard gives you suit your current needs?

downripper
May 15th, 2004, 04:18 AM
yes. low resource usage is the number 1 concern. ::)

ok. Let me put it simple. Goto http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/software.htm :P

and test out leaktest 1-14. Just let me know which software gets 14/14 then that's what I want. But, I tried the free version of Process Guard, it failed on WB and dnstester. ::)

I am only interested whether the AT out there is aware of the methods these test utilities use. I don't want the AT to just get the signature of them and block them when it sees them. This is not real protection because a trojan can use the same exploit and do harm on my pc. ;D

Cheers!

ellison64
May 16th, 2004, 03:52 PM
I use both on a 98se system. Boclean is enabled all the time and uses little resources. I like the fact that it just sits there and I don't have to mess with it or think about it, but that it protects when needs be. TDS3 is much more than just an anti trojan and you can spend hours just messing with the tools included with it (string extractor etc). I use TDS3 more as a second opinion to boclean and as a reliable scrutiny tool. Support for both and updates are excellent. Personally I like to use both. Boclean as resident and TDS3 to play with :)
ellison

Kegel
May 16th, 2004, 07:21 PM
I use both as well. To be honest, TDS rarely gets used as I have never really had a trojan problem. My McAfee Virus Scan actually is the first to stop anything anyways...it's probably all I need. I run BoClean all the time but it has yet to catch a single thing. The question of which to use however was answered when BoClean decided to charge users for their next upgrade...TDS-4 will be free to current users. I will probably just stop using BoClean and go completely TDS-4 when it comes out...I understand it will have resident protection which is all I really want anyways.

The best protection I ever purchased was my Linksys firewall router. I would imagine that it along with a good AV is all you really need.

Where do you peeps get these trojans from anyways? EMail? Any good AV should catch that. The point is, I think all this is overkill...and some of you still get trojans? I guess I am lucky.

Paranoid2000
May 16th, 2004, 09:36 PM
-{ Quote: "Where do you peeps get these trojans from anyways? EMail? Any good AV should catch that. The point is, I think all this is overkill...and some of you still get trojans? I guess I am lucky." }-

Since trojans do not (usually) replicate automatically, the ones you see will usually be planted by a cracker who (being smarter than the average virus) may use run-time compression software or hex editing to get by any AV/AT signature scanners. This could then be emailed to a prospective victim - but a far more likely use is to plant it somewhere where tracing the source is difficult. So Usenet, IRC and P2P are prime sources and people using these are the ones who should consider AT software along with AV.

Just to confuse matters a little more ;D - TrojanHunter (http://www.trojanhunter.com/) is a well-regarded AT with frequent updates and has an easy-to-use interface. I can't comment any further on it though.

Finally please note that no AT can currently replace a software firewall (with the possible exception of Tiny - which is a software firewall). To do so would mean hooking into Windows' network stack and keeping track of all current connections as well as intercepting network packets with illegal or corrupted headers intended to cause a Denial of Service. Not only can a software firewall cover these situations, it can also advise you of "legitimate" applications making network connections you may prefer to block - like for example Windows Media Player (http://www.computerbytesman.com/privacy/wmp8dvd.htm) or Windows Update (this applies to rules-based firewalls like Kerio and Outpost rather than simple permission-based ones like ZoneAlarm or Look'n Stop though).
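
The difference between permission-based and rules-based outbound filtering mentioned in the post above, modelled in a few lines of Python. This is an added example, not part of the original thread and not any vendor's code; the application names, hosts, ports and both policy tables are constructed assumptions.

```python
"""Added illustration: permission-based vs. rules-based outbound filtering.

Every application name, host, port and connection record here is constructed
sample data; none of it comes from a real firewall's rule set or log.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    app: str           # image name of the process that opened the socket
    remote_host: str
    remote_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str
    remote_port: int
    hosts: Optional[frozenset] = None   # None = any remote host


# Permission-based model: one yes/no decision per application.
TRUSTED_APPS = {"browser.exe", "mailclient.exe", "mediaplayer.exe"}

# Rules-based model: each application is limited to explicit destinations.
RULES = {
    "browser.exe": [Rule("tcp", 80), Rule("tcp", 443)],
    "mailclient.exe": [
        Rule("tcp", 110, frozenset({"mail.example.net"})),
        Rule("tcp", 25, frozenset({"mail.example.net"})),
    ],
    # mediaplayer.exe is trusted to run but has no outbound rule at all.
}


def permission_based(conn: Conn) -> str:
    """Allow anything a trusted application does; prompt for the rest."""
    return "allow" if conn.app in TRUSTED_APPS else "prompt"


def rules_based(conn: Conn) -> str:
    """Allow only connections that match an explicit per-application rule."""
    for rule in RULES.get(conn.app, []):
        if (conn.proto == rule.proto
                and conn.remote_port == rule.remote_port
                and (rule.hosts is None or conn.remote_host in rule.hosts)):
            return "allow"
    return "prompt"


def only_flagged_by_rules(conns):
    """Connections the permission model waves through but the rules model questions."""
    return [c for c in conns
            if permission_based(c) == "allow" and rules_based(c) == "prompt"]


# Constructed outbound connection attempts.
SAMPLE = [
    Conn("browser.exe", "www.example.org", 443),          # expected browsing
    Conn("mailclient.exe", "mail.example.net", 110),      # expected mail fetch
    Conn("mediaplayer.exe", "metadata.example.com", 80),  # trusted app phoning out
    Conn("browser.exe", "203.0.113.7", 6667),             # trusted app, unusual port
    Conn("mailclient.exe", "198.51.100.9", 25),           # trusted app, unexpected server
    Conn("unknown.exe", "203.0.113.7", 80),               # untrusted in both models
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.app:16} {c.remote_host}:{c.remote_port:<5} "
              f"permission={permission_based(c):6} rules={rules_based(c)}")
```
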

Gavin - DiamondCS
May 19th, 2004, 01:07 AM
A firewall is a MUST, and many methods of firewall bypassing will be blocked now by the best firewalls. ProcessGuard is intended to assist the firewall but most importantly, to block forced code-injection at the kernel level, and to block rootkits. If your firewall and AV fail, a rootkit could then hide forever. If it can't root itself into the OS, it won't EVER be able to hide and can easily be spotted by the firewall when it tries to open a port or connect OUT

TDS-4 will not include ProcessGuard, but we will provide a way for users to put our layered security programs together - and when we do, they will become even more powerful due to working together :)

Kegel
May 19th, 2004, 10:56 PM
Is my Linksys good enough? If I go to Shields Up! on S. Gibsons site, it shows ALL my ports as stealthed. I would rather not run a software firewall. I figure if something tries to call out, BoClean should zap it. Besides, I run full virus and trojan scans weekly with McAfee and TDS-3.

Gavin - DiamondCS
May 19th, 2004, 11:23 PM
Hardware is great.. but outbound blocking is ONLY accomplished by running a software firewall. That's a firewall's job, not BOClean or TDS

Why not ? :) Try Kerio 2.1.5 if you don't like resource hogs.. very light

Kegel
May 20th, 2004, 12:09 AM
OK I'll give it a try. The only thing on Kerios site though is version 4. Where can I get the v2? I really don't want the added bulk v4 appears to have...I don't need a popup stopper or anything else. All I need (i guess ;) ) is an outbound connection monitor. Is there anything else that would serve the same purpose because I really don't need all these features....only outbound connection monitoring.

On another note...just a question. I also run Total Net Shield....a proxy (port forwarding). When I go to steve gibsons shields up! test, it shows a few of my ports open....this is with the proxy running. If I run without, all my ports are stealthed. Is it scanning the proxy server and not my PC when I test with the proxy running? Does this pose a security risk? I assume that my PC is safe with or without the proxy server....my linksys firewall router is always on.

Why do they call it a Firewall router anyways...aren't ALL routers firewalls? Strange because they make a point in calling it a firewall router....it's the BEFSX41.

octogen
May 20th, 2004, 12:28 AM
Try this link:
http://www.kerio.com/dwn/kpf2-en-win.exe

hojtsy
May 20th, 2004, 05:42 AM
-{ Quote: "
ok. Let me put it simple. Goto http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/software.htm :P

and test out leaktest 1-14. Just let me know which software gets 14/14 then that's what I want. " }-

Then you need Tiny Personal Firewall 5.5.1332.
-hojtsy-

sard
May 20th, 2004, 05:55 AM
Does it really pass all 14? I've tried them with Zone Alarm Pro and with security set on medium it fails some of them. If I set program controls to full I am inundated with alerts and after a while my connection dies. I might have to give a Tiny demo a go.

ronny
May 23rd, 2004, 07:45 AM
I am a registered user of both (BoClean & TDS-3).
I remember that once BoClean responded immediately when I installed AIM (the Wild Tangent stuff caused the alarm), and TDS-3 did not. BUT !! it could be that I hadn't yet exec protection on, on TDS-3 (now I do have it on).
I have noticed that BoClean updates daily (sometimes more than once a day) and that TDS-3 updates every day in the week but not on Saturday + Sunday.
BoClean is much lighter on my system but you can't do a full scan and TDS-3 has more options.
I am very satisfied and feel secure with both products.
The makers also both take the time to answer your e-mails when you have a problem.
I use also ZoneAlarm Pro and have no compatibility problems with these 2 antitrojans.

downripper
May 24th, 2004, 09:37 AM
-{ Quote: "Does it really pass all 14? I've tried them with Zone Alarm Pro and with security set on medium it fails some of them. If I set program controls to full I am inundated with alerts and after a while my connection dies. I might have to give a Tiny demo a go." }-

OK. TPF is very nice. I could not decide between TPF and ZoneAlarm. TPF could not catch all 14 (dns tester failed) but ZoneAlarm Pro could with some tuning. TPF probably could as well with some expert tuning but I can't do it. So, I finally settled down with ZoneAlarm Pro. [setting Program Control to HIGH and delete all trusted program list during shutdown] ::)

rdsu
May 27th, 2004, 04:16 PM
Simple question:

The BOClean is also an AntiWorms, or just an AntiTrojan?

-_-
May 27th, 2004, 04:37 PM
http://www.nsclean.com/trolist.html

(also includes several ITW worms)

hojtsy
June 3rd, 2004, 09:18 AM
-{ Quote: "OK. TPF is very nice. I could not decide between TPF and ZoneAlarm. TPF could not catch all 14 (dns tester failed) but ZoneAlarm Pro could with some tuning. TPF probably could as well with some expert tuning but I can't do it. So, I finally settled down with ZoneAlarm Pro. [setting Program Control to HIGH and delete all trusted program list during shutdown] ::)" }-

Tiny Personal Firewall 5.5.1332. claims to protect from dns tester too. (14/14) Tiny software describes that the success message printed by dns tester is invalid, and if you check the actual outgoing packets on the wire, nothing escapes. Even if TPF claim is false it has 13/14 instead of the 8/14 points of ZaPro. Quite a difference isn't it.

Something else: I found a *mighty* informative review of boclean at http://scheinsicherheit.funpic.de/boclean.htm
-hojtsy-

anyuser
June 3rd, 2004, 10:46 AM
-{ Quote: "Tiny Personal Firewall 5.5.1332. claims to protect from dns tester too. (14/14) Tiny software describes that the success message printed by dns tester is invalid, and if you check the actual outgoing packets on the wire, nothing escapes. Even if TPF claim is false it has 13/14 instead of the 8/14 points of ZaPro. Quite a difference isn't it.

Something else: I found a *mighty* informative review of boclean at http://scheinsicherheit.funpic.de/boclean.htm
-hojtsy-" }-

I am just curious. How do you get 8/14 for ZaPro and what does it miss?

blabhead
June 3rd, 2004, 07:21 PM
that was a good link for that review on boclean hojtsy.
it seems they might also have reviews for tds3 and trojan hunter.
i tried to look for them but everything else appeared to be in german.

hojtsy
June 5th, 2004, 04:11 PM
anyuser,
8/14 is the number of passed tests for ZaPro on the site http://www.firewallleaktester.com/tests.htm
By contacting the author of that site it turned out that I misinterpreted the results. He has very strict rules for putting the check mark into that table: a firewall only passes if it alarms only at connection attempt time and can identify the real initiator of the connection. ZaPro should alarm already at code injection time so it does not get the checkmark on that site for those tests. The same goes for TPF, it catches the code injection itself. It turned out that correctly configured ZaPro can actually defend from all the 14 listed leaktests, and a correctly configured TPF from 13 or 14. I know of no other single software which can provide that level of protection against these leaktests.

blabhead,
I used google translate tool to get a crude translation of the German reviews for TDS and TH. Both of those reviews are in very critical tone, but finally somebody who looks under the hood, and cuts the marketing. Unfortunately the TH review is very outdated. Note that the malware database used on the site is a special one: custom modified, hexedited, encrypted or repacked versions of existing trojans. Most of the "new" trojans are of this kind: only variants. This way they can evaluate how would the scanner handle a threat which is not yet directly in its database. I find this a very good idea.

-hojtsy-

blabhead
June 5th, 2004, 06:46 PM
ok thanks for the info

FanJ
June 5th, 2004, 10:38 PM
Please forgive me, but I thought the topic was "BOClean vs. TDS".
IMHO postings/questions about firewalls do not belong in this thread and in this forum-section.
This is NOT meant to be rude !

hojtsy
June 7th, 2004, 11:33 AM
Returning to BoClean:
Does anybody have any thoughts on what on earth could be meant by
-{ Quote: "
BOClean will protect itself from trojan horse tampering or shutdown, so there's no worry about being left unprotected. Most "modern" trojans will disable either your antivirus or firewall, or sometimes both. Not BOClean." }-

Task Manager kills BoClean (http://forum.gladiator-antivirus.com/index.php?showtopic=12706)
APT kills BoClean (http://forum.gladiator-antivirus.com/index.php?showtopic=9954)

-hojtsy-

helloworld
June 24th, 2004, 07:18 AM
Guess what it means is:

The Universe favours least effort path.

1. If a trojan wants to kill BOClean, it must be known that BOClean detects this trojan otherwise why the effort? In that case, BOClean will nail it before it gets running. No problem

2. If a trojan will just kill all AT, AV and firewall on a pc, how does the trojan know the presence of BOClean? The list cannot go on forever, so the trojan writer has to choose the most likely protection present on a victim pc. BOClean will not be on the list because user base is not that big, i.e. not worth the effort. No trial version means even less user base. As a matter of fact, most average user do not even have a AT. No problem again.

3. Finally, if the trojan does target to kill BOClean and BOClean do not recognise it, it can easily kill BOClean. The watchdog thingy may help. But, if a trojan writer puts into enough effort, any anti-termination will be useless because you are targetted. In this stage, all you can count on is a layered protection and hope that trojan won't kill all of them.

BTW, how big is the trojan going to be if it tries to kill every protection layer of a pc?

just my humble opinion.

peter.ewido
June 24th, 2004, 12:13 PM
-{ Quote: "
1. If a trojan wants to kill BOClean, it must be known that BOClean detects this trojan otherwise why the effort? In that case, BOClean will nail it before it gets running. No problem
" }-

Isn't BOClean a memory scanner? So the trojan should be already running -> who is faster?


-{ Quote: "
2. If a trojan will just kill all AT, AV and firewall on a pc, how does the trojan know the presence of BOClean? The list cannot go on forever, so the trojan writer has to choose the most likely protection present on a victim pc. BOClean will not be on the list because user base is not that big, i.e. not worth the effort. No trial version means even less user base. As a matter of fact, most average user do not even have a AT. No problem again.
" }-

It's just another entry on the big kill-list and if remember correctly it's already on most lists ;(


-{ Quote: "
3. Finally, if the trojan does target to kill BOClean and BOClean do not recognise it, it can easily kill BOClean. The watchdog thingy may help. But, if a trojan writer puts into enough effort, any anti-termination will be useless because you are targetted. In this stage, all you can count on is a layered protection and hope that trojan won't kill all of them.
" }-

There ARE ways to secure a process against termination!


-{ Quote: "
BTW, how big is the trojan going to be if it tries to kill every protection layer of a pc?
" }-

Not big? Can be even very small...

helloworld
June 24th, 2004, 01:00 PM
-{ Quote: "Isn't BOClean a memory scanner? So the trojan should be already running -> who is faster?" }-

This is a question of trusting memory scanner or file scanner or only if both presence. I believe in memory scanner and think it will run faster than the trojan. file scanner is pretty useless as in the case of AV industry. We have been fighting virus for how many years? Why do we still miss some? I believe AV has a root in file scanner. That's the reason!

-{ Quote: "It's just another entry on the big kill-list and if remember correctly it's already on most lists ;(" }-

Just curious to know, where do you get the info?

-{ Quote: "There ARE ways to secure a process against termination!" }-

But it is useless. Lots of ways to break it. Many people choose to believe that it is possible to disable termination, but I choose not to. If your AT has to act like trojan/rootkit and penetrate into the system kernel, it would defeat the purpose because your AT is also a trojan. You just choose to trust that "trojan/rootkit". That alone is a no because Windows is flawed and a patched kernel may introduce more flaws. BTW, why do you trust AT guy while it may actually be a trojan writer himself? I am paranoid, I admit.

-{ Quote: "Not big? Can be even very small..." }-

Any example?

hojtsy
June 24th, 2004, 01:34 PM
-{ Quote: "This is a question of trusting memory scanner or file scanner or only if both presence. I believe in memory scanner and think it will run faster than the trojan.
" }-
What stops a trojan from setting its own process priority to realtime with the first few instructions? After that no other user level process will have time slice to scan the trojan.

-{ Quote: "

Just curious to know, where do you get the info?
" }-
Search Google for the Beast. Download, start, you see the process list it tries to terminate. Current BoClean defeats the Beast, but not because BoClean is not put into the list. One should avoid that naive thinking about self-defense. The memory scanners are obviously the software which are first put into the kill lists. And what will happen with a new variant of the Beast? It will not match the memory signature, and left alone to kill anyone.

-{ Quote: "
[Termination protection] is useless. Lots of ways to break it. Many people choose to believe that it is possible to disable termination, but I choose not to. If your AT has to act like trojan/rootkit and penetrate into the system kernel, it would defeat the purpose because your AT is also a trojan. You just choose to trust that "trojan/rootkit". That alone is a no because Windows is flawed and a patched kernel may introduce more flaws. BTW, why do you trust AT guy while it may actually be a trojan writer himself? I am paranoid, I admit.
" }-

OK. Some food for a real paranoid: If you don't install kernel protection you are trusting everyone. If you install kernel protection you only need to trust the author of the protection. :P

-{ Quote: "
Any example [for a small trojan killing several layers?]" }-

It depends on what you call small. Actually size is not really important in my opinion. Ahh for example, Phatbot searches and kills 600 processes: http://www.lurhq.com/phatbot.html , and it is approx 100Kb. Is that small? Maybe not. Why is that important?

Please understand that I am not talking against BoClean. It seems quite professional, but not ultimate. I am just saying that you also need termination protection.

-hojtsy-

Jooske
June 24th, 2004, 01:35 PM
>BTW, why do you trust AT guy while it may actually be a trojan writer himself?

I'm sure you know you are not talking about TDS nor BOClean developers here?!
Know the sources, companies, their vision, products.

Mr.Blaze
June 24th, 2004, 02:16 PM
well woman say size dont matter but i think it a lie :'(

well boclean vs tds

its hard to decide one over the other

but tds has a bigger database and more goodies but it slow as hell and the exe protection only seems to work after you do a full scan and then you identify the nasty then if you purposely execute the nasty the exe protection kicks in?

i done this a lot on purpose

boclean has smaller database but extremely fast also its hook works immediately after executing a nasty done this too many times by accident lol

thats why i use both tds for a major scan of hidden trojans and boclean for fast execution protection

problem with me posting such things is i have both friends in both products so telling it how it is is hard to do cause they're quick to defend their product even if its personal experience in my opinion

if you want one over the other it depends

if you have money and fast ass 3.ghz p4 processor buy tds

if you have little money but want fast protection easy to use and have a smaller pc of 700mhz processor and very little ram get boclean

helloworld
June 24th, 2004, 09:23 PM
That’s exactly the trust, Mr Blaze. A person chooses to buy an AT not because it can do everything and is bulletproof but the performance of the AT is within his comfort zone.

hojtsy:
I admire your knowledge in AT :0)

Your answer on "which is faster" essentially claimed that all memory resident module is a joke. The only thing we can trust is the file scanner. But, I think all good AT vendors have already counted that factor in and I trust them, period. I believe these people have more knowledge in the inner working of Windows and thus they are AT vendors.

Just another curious, how does BOClean kill Beast?

Ok. About the anti-termination, I believe that if your AT does not patch the kernel, a potential trojan won't have to go to kernel to kill it and hence less damage. The next question is who is going to win on the race of digging the kernel? Or the trojan will use other methods and ignore the patched kernel?

Of course size does matter sometimes. If you have a huge unknown process running on your pc and you will straightaway notice the difference in response time. 100kb is not really that big :0), so less of an issue.

hojtsy
June 25th, 2004, 07:30 AM
-{ Quote: "
Ok. About the anti-termination, I believe that if your AT does not patch the kernel, a potential trojan won't have to go to kernel to kill it and hence less damage. " }-
No termination protection -> AT, AV, FW killed -> spreading, leaking, destroying. You may need to reformat the drive. Is this the "less damage"? What could be more devastating than this? You could as well say: increase security by not wearing a bulletproof jacket, and then attackers may not try to shoot you in the head, and you may survive a chest shot. Should suggest it to military: it would cut down on military cost, and certainly be within the "comfort level" of soldiers.

-{ Quote: "
The next question is who is going to win on the race of digging the kernel? " }-
Nobody, it is a race without an end line. The only thing you can do is to always stay ahead of the level of most current threats.

-{ Quote: "
Or the trojan will use other methods and ignore the patched kernel?
" }-
Some trojan will surely emerge which uses some new unprotected termination methods. And termination protection will follow for that of course. But the same goes for AV and AT signatures: The possibility of being successfully attacked does not justify complete lack of protection.

-hojtsy-