BOClean same story that TDS ?
A884126
August 5th, 2005, 06:50 PM
Because TDS is dead, I thought about moving to BOClean, which is supposed to be second on the list of the best ATs on the market.
However, there is a rumor circulating that BOClean will follow the same path as TDS.
Has anyone heard about it?
BlueZannetti
August 5th, 2005, 07:16 PM
{QUOTE-> Because TDS is dead, I thought about moving to BOClean, which is supposed to be second on the list of the best ATs on the market.
However, there is a rumor circulating that BOClean will follow the same path as TDS.
Has anyone heard about it? <-QUOTE}A884126,
Have you bothered to read Kevin's posts in the TDS Software Line Discontinued (http://www.wilderssecurity.com/showthread.php?t=90017) thread? I assume you have, since you posted in that thread. Personally, I thought that Kevin was quite clear on the matter.
On the other hand, I've not heard any mention of this rumor anywhere. Care to provide a link to a site containing this information?
Blue
The Hammer
August 5th, 2005, 09:44 PM
{QUOTE-> Because TDS is dead, I thought about moving to BOClean, which is supposed to be second on the list of the best ATs on the market.
However, there is a rumor circulating that BOClean will follow the same path as TDS.
Has anyone heard about it? <-QUOTE}
I use BOClean but Ewido users would probably disagree with the list to which you refer.
richrf
August 5th, 2005, 10:14 PM
{QUOTE-> Because TDS is dead, I thought about moving to BOClean, which is supposed to be second on the list of the best ATs on the market.
However, there is a rumor circulating that BOClean will follow the same path as TDS.
Has anyone heard about it? <-QUOTE}
Wayne (of DCS) apparently feels that all anti-trojan vendors have a tough hill to climb to find room to keep growing and subsisting.
{QUOTE-> If people are after an alternative anti-trojan scanner I'd tell them don't bother, other anti-trojan developers are in the same boat as us regardless of what they do or don't tell you, and from my skills and experience over the years the performance of all anti-trojan scanners is going downhill, as there are just far, far too many trojans being released for those one-man operations to keep up. Just get a good anti-virus scanner, they're as good as if not better than anti-trojan scanners at detecting trojans these days, especially packed and modified ones. <-QUOTE}
Rich
mercurie
August 5th, 2005, 10:33 PM
Blue expresses my feelings exactly ;)
The Hammer
August 5th, 2005, 10:55 PM
{QUOTE-> Wayne (of DCS) apparently feels that all anti-trojan vendors have a tough hill to climb to find room to keep growing and subsisting.
Rich <-QUOTE}
What do you think, time to dump your Ewido and BOClean then?
JRCATES
August 5th, 2005, 10:59 PM
{QUOTE-> What do you think, time to dump your Ewido and BOClean then? <-QUOTE}
Personally, I would never "dump" a product for fear that it "may" not last. Even if it only lasts another 6 months, as long as you've paid for it, you may as well keep it and get as much use out of it as possible for those 6 months.
The Hammer
August 5th, 2005, 11:11 PM
{QUOTE-> Personally, I would never "dump" a product for fear that it "may" not last. Even if it only lasts another 6 months, as long as you've paid for it, you may as well keep it and get as much use out of it as possible for those 6 months. <-QUOTE}
I agree. But since richrf owns TDS, BOClean, Ewido and Trojan Hunter, I was wondering what he is going to do after he quoted Wayne's comments. richrf's opinion is one I respect.
Notok
August 5th, 2005, 11:12 PM
BOClean and Ewido have the advantage of being advanced anti-spyware applications as well as anti-trojans. BOClean mainly markets to businesses, and Ewido takes advantage of the fact that they're in the AS market as well. I doubt you will see AS scanners disappearing anytime soon, and likewise I doubt we will be seeing those two go anywhere soon either, although we may see their products and/or ways of advertising change some. Not being a part of that industry, that's only my opinion/observations, but I really don't think that just because their main focus is on trojans means they are entirely doomed.
richrf
August 5th, 2005, 11:15 PM
{QUOTE-> What do you think, time to dump your Ewido and BOClean then? <-QUOTE}
It definitely seems like I am relying less and less on some of the original products that I purchased. Giant AS and TDS-3 have long since fallen into disuse, as have Ad-aware and Spybot - a couple of old standbys. I run BOClean once a week, just to do a process scan, but not unexpectedly it never finds anything.
I keep Ewido running, because I am curious if the process memory scan will detect something at some point that may get through KAV and ProcessGuard/WormGuard (also Online Armor which I am trialing). But I would say the chances of this are probably negligible. At some point, I am sure, I will stop running Ewido. Possibly when it begins to conflict with one of my other priority security programs.
I certainly feel more secure with HIPS-based products than I ever felt with signature-based scanning. HIPS protection seems to be more absolute and comprehensive. I also don't have to be concerned with the time-lag associated with "begin processing" and "detection". But only time will tell whether this was the right choice.
Rich
toadbee
August 5th, 2005, 11:56 PM
{QUOTE-> However, there is a rumor circulating that BOClean will follow the same path as TDS <-QUOTE}
By "same path" do you mean have no real time scanning (i.e. effectiveness)? God I hope not.
Really, from what I've read, it seems like there are at least a few years left with BOClean - at least. And with their current policy, that's a steal in comparison to today's "Malware catchalls" - even if only good for a few years... IMO
A884126
August 6th, 2005, 06:10 AM
{QUOTE-> I certainly feel more secure with HIPS-based products than I ever felt with signature-based scanning. <-QUOTE}For those who might be interested: The strengths and weaknesses of HIPS based on the known vs. unknown: http://networkassociates.com/us/_local/promos/_media/wp_spire.pdf OR http://64.233.183.104/search?q=cache:BFl0PXbfSxsJ:networkassociates.com/us/_local/promos/_media/wp_spire.pdf+HIPS-based+security&hl=fr
Antarctica
August 6th, 2005, 07:07 AM
{QUOTE-> For those who might be interested: The strengths and weaknesses of HIPS based on the known vs. unknown: http://networkassociates.com/us/_local/promos/_media/wp_spire.pdf OR http://64.233.183.104/search?q=cache:BFl0PXbfSxsJ:networkassociates.com/us/_local/promos/_media/wp_spire.pdf+HIPS-based+security&hl=fr <-QUOTE}
Thank you A884126, interesting reading. :)
A884126
August 6th, 2005, 07:14 AM
{QUOTE-> A884126,
Have you bothered to read Kevin's posts in the TDS Software Line Discontinued (http://www.wilderssecurity.com/showthread.php?t=90017) thread? I assume you have, since you posted in that thread. Personally, I thought that Kevin was quite clear on the matter.
On the other hand, I've not heard any mention of this rumor anywhere. Care to provide a link to a site containing this information?
Blue <-QUOTE}Yes I did. But what people say is not always in alignment with what they do. This rumor is not from the web, so I have no link. I got the news from an IT friend yesterday.
---
August 6th, 2005, 07:35 AM
All I saw was Kevin from BOClean trying to milk some sympathy by saying how tough life is in the AT industry, how hard they work etc. etc., in the various 'TDS-3 is dead' threads.
How dare those 'newcomers' in the AT industry come in and muscle out the duopoly of TDS and BOClean! It's all their fault for ruining the industry by offering lifetime one-off packages!
Of course, they were careful to stress that _UNLIKE_ DCS's TDS-3 they had corporate customers to fall back on, so they could survive.
Of course, this was lost in the message and it seems to have backfired upon them, since a lot of people took it as a sign that BOClean was dying too.
They posted to correct this view, but it seems this rumour still lives on..
Add the fashion trend these days (New paradigm according to Richrf) that HIPS is the future and KAV is sufficient to catch trojans, it seems logical that ATs are dying.
And so a rumor is born...
muf
August 6th, 2005, 07:40 AM
From what I've read in posts from Kevin (BOClean), he said he's committed for the next four years to keep BOClean going due to his Corporate & Government contracts. I get the impression that they have no choice but to keep BOClean running for the next four years unless they want to be taken to court (allegedly) and have their asses sued off. You may see BOClean 5 with some heuristic/pro-active type capabilities. I'd be surprised to see BOClean stay in its current form for the whole duration of the next four years. It will either go to BOClean 5, or a new application which addresses the trend for HIPS applications will be created, but with BOClean still being updated. I just hope that Kevin doesn't become bitter in having to keep it updated for the benefit of his Corporate & Government customers.
If BOClean needs to go to a yearly subscription then I'd have no problem with that. But I would expect Kevin to announce this and give current customers a number of months before going ahead with it. I don't expect he'd be the type to drop it on you as of now! He's got more integrity than that.
Yep, BOClean is a stayer. Well, for four years at least. Jmho.
muf
BlueZannetti
August 6th, 2005, 07:53 AM
{QUOTE-> This rumor is not from the web, so I have no link. I got the news from an IT friend yesterday. <-QUOTE}A884126,
The reason I asked is that these rumors have a way of feeding upon themselves. As you realize, since BOClean does not have ongoing fees, continuing revenue is derived from new consumer level sales and corporate renewals (which do have a fixed term, 3 years being the standard according to the BOClean EULA). These types of rumors can drive reality by drying up the continuing revenue stream. That's a simple statement of reality.
As Kevin mentioned in the posts that I indicated above, a number of corporate clients apparently had committed funding for another cycle. I wonder whether your IT friend is working with firm information or simply performing an idle extrapolation based on some of Wayne's comments to the remainder of the industry or his/her personal analysis. Although I do generally agree with Wayne's comments in principle, the manner in which BOClean operates partially mitigates some of the immediacy faced by vendors of classical AT scanners. As with any specific piece of software, it is not if it will be supplanted by something else, but when.
My basic belief is that casually tossing out unsupported rumors of this sort borders on irresponsible behavior. If it is backed up by a reference that users or potential customers can investigate on their own, everyone can make an assessment according to the trust they are willing to place in that primary source. In this case, we are left with nothing aside from rather vague speculation floating in thin air - vague speculation that I would dismiss out of hand for the present.
Blue
justnoticed
August 6th, 2005, 08:10 AM
~snip....un-called for personal comments removed....Bubba~
{QUOTE-> I just hope that Kevin doesn't become bitter <-QUOTE}
Too late in that regard. I'm sure most casual readers like myself that read that thread lost a lot of or whatever respect they had for him - the way he reacted and treated others that weren't even addressing him. I know I did, and I was considering buying BOClean - but not after that.
Randy_Bell
August 6th, 2005, 10:08 AM
{QUOTE-> .. the way he reacted and treated others that weren't even addressing him .. <-QUOTE}I want to avoid any harsh personal commentary but I have to agree with part of your statement --accusing and blaming a competitor {TH} for the demise of TDS was/is strange. That is like blaming General Motors or Toyota when Ford goes under ??? And referring to the author of TDS as "UNCA Wayne", what kind of rhetoric is that? {Hopefully not some form of cronyism being revealed}. There is way too much of this sort of rhetoric coming from the author of BOC, I surely would like to see such unnecessary and unprofessional {and to me, offensive} stuff to stop. Let's discuss facts, let's debate technical merits, civilly, but let's leave out the personal stuff, it is unbecoming and unprofessional and unnecessary .. IMHO. I do believe BOClean is a useful product and will survive for the foreseeable future, and there is no need for the author of BOC to make unnecessary and unwanted negative personal comments toward competitors. I held my tongue in the other thread, mainly because I felt the thread was about TDS and Wayne, not about competitors, but as a supporter of TH I hope this sort of thing won't happen again in the future. Personal disputes and criticisms of this nature are best handled privately and not in public; especially when they are out of context and basically irrelevant to the topic, which was, to discuss TDS and Wayne's announcement of its discontinuance -- not to discuss competitors. ;) Take Care, Warmly, Ran
The Hammer
August 6th, 2005, 11:05 AM
BOClean was updated on my system today. They seem to be working hard, not taking the weekend off anyway.
Edwin024
August 6th, 2005, 11:11 AM
Ewido has heuristics now too...
mikel108
August 6th, 2005, 11:49 AM
{QUOTE-> A884126,
My basic belief is that casually tossing out unsupported rumors of this sort borders on irresponsible behavior. If it is backed up by a reference that users or potential customers can investigate on their own, everyone can make an assessment according to the trust they are willing to place in that primary source. In this case, we are left with nothing aside from rather vague speculation floating in thin air - vague speculation that I would dismiss out of hand for the present.
Blue <-QUOTE}
100% Agreed
muf
August 6th, 2005, 01:28 PM
{QUOTE-> Ewido has heuristics now too... <-QUOTE}
I'm sorry but is this thread titled Ewido same story that TDS ?
Where did you dream up the notion that anyone would be remotely interested in you chipping in with information about Ewido? Look mate, this thread is about BOClean. We're not interested in Ewido. Now run along and go "scan" your pc with your favourite toy...
muf
StevieO
August 6th, 2005, 01:39 PM
I also read Kevin stating that BOClean was 100% secure for at least the next 4 years, which is great news. So it's Not going the same way as TDS.
From what I gather, BOClean seem to work round the clock 24/7/365. How many others put that kind of dedication and commitment into their products!
StevieO
Edwin024
August 6th, 2005, 05:01 PM
{QUOTE-> I'm sorry but is this thread titled Ewido same story that TDS ?
Where did you dream up the notion that anyone would be remotely interested in you chipping in with information about Ewido? Look mate, this thread is about BOClean. We're not interested in Ewido. Now run along and go "scan" your pc with your favourite toy...
muf <-QUOTE}
Love u too...
And the note was because I think that programs can be saved by using heuristics. And I guess BoClean is a program too.
Last: you could have pointed your arrows at some other writers too, so why this crappy remark from you?!
mercurie
August 6th, 2005, 05:26 PM
{QUOTE-> ~snip....un-called for personal comments removed....Bubba~
Too late in that regard. I'm sure most casual readers like myself that read that thread lost a lot of or whatever respect they had for him - the way he reacted and treated others that weren't even addressing him. I know I did, and I was considering buying BOClean - but not after that. <-QUOTE}Oh please. ::) :P
Notok
August 6th, 2005, 05:32 PM
{QUOTE-> I want to avoid any harsh personal commentary but I have to agree with part of your statement --accusing and blaming a competitor {TH} for the demise of TDS was/is strange. That is like blaming General Motors or Toyota when Ford goes under And referring to the author of TDS as "UNCA Wayne", what kind of rhetoric is that? {Hopefully not some form of cronyism being revealed}. There is way too much of this sort of rhetoric coming from the author of BOC, I surely would like to see such unnecessary and unprofessional {and to me, offensive} stuff to stop. Let's discuss facts, let's debate technical merits, civilly, but let's leave out the personal stuff, it is unbecoming and unprofessional and unnecessary .. IMHO. I do believe BOClean is a useful product and will survive for the foreseeable future, and there is no need for the author of BOC to make unnecessary and unwanted negative personal comments toward competitors. I held my tongue in the other thread, mainly because I felt the thread was about TDS and Wayne, not about competitors, but as a supporter of TH I hope this sort of thing won't happen again in the future. Personal disputes and criticisms of this nature are best handled privately and not in public; especially when they are out of context and basically irrelevant to the topic, which was, to discuss TDS and Wayne's announcement of its discontinuance -- not to discuss competitors. Take Care, Warmly, Ran <-QUOTE}I agree as well.. debate between peers is fun to watch (and learn), but when it gets to the point of being obviously personal then it's gone too far. Although this doesn't speak for the program itself, customer relations is something that does factor into decisions regarding where I'm going to spend my money.
BlueZannetti
August 6th, 2005, 05:34 PM
Why doesn't everyone step back and chill...
@ all: Please focus your contributions on the posts, not those of us who have made them.
@ Edwin024: Your short comment provides absolutely no background context. None at all. Your expanded response puts it in a much clearer light. Clearly one approach to circumvent the immediate onslaught of the sheer volume of malware is to go in the direction of generic signatures as a delaying action and heuristics - which are behavior-based - as a much longer term remedy. Naturally pure behavioral monitors don't depend on program details, only on what they do or sequences of what they do, which is a much more limited domain and hence somewhat more robust, in principle. I say in principle since this area remains a somewhat immature approach. There's a lot of activity underway, but whether or not this strategy pans out is still being fleshed out. I do feel that this is an attractive approach for a lot of reasons.
Blue
mercurie
August 6th, 2005, 05:39 PM
Yes Blue. I think I was a little short and out of line myself just above with justnoticed. :-[ :-[
Sorry about that.
Nancy_McAleavey
August 6th, 2005, 06:42 PM
{QUOTE-> Because TDS is dead, I thought about moving to BOClean which suppose to be second on the list of the best AT on the market.
However there is a rumor circulating that BOClean will follow the same path that TDS.
Does anyone heard about it? <-QUOTE}
Interesting rumor. Where'd ya hear that? This news of our demise is news to us. As we have a number of corporate customers whose support is contract based, we'll be around for the long haul.
hayc59
August 6th, 2005, 08:58 PM
Thanks for the info, Nancy
appreciate it :)
ellison64
August 7th, 2005, 07:46 AM
My personal opinion is that the top ATs will be around for a while simply because they are still better at trojan detection (imv) than a lot of the AVs out there. Yes, there are a few exceptions like KAV, NOD etc., but how many people actually use these when compared to the free AVs such as AVG, Avast, and AntiVir? It seems everyone and his dog is using these (in my area at least), and while I would not dispute how good they are, I would still dispute them being as good as BOClean or TH etc. in trojan detection. For the person that likes a free AV, paying once for AT protection and receiving free updates (of course this might change) is usually preferred (at least in my experience), rather than buying something like KAV or NOD and paying yearly for the better "trojan" detection. I guess everything evolves... maybe an operating system impervious to such threats (how are Apple Macs in that area?) may emerge and leave all security software obsolete :)
ellison
muf
August 7th, 2005, 08:15 AM
{QUOTE-> Love u too...
And the note was because I think that programs can be saved by using heuristics. And I guess BoClean is a program too.
Last: you could have pointed your arrows at some other writers too, so why this crappy remark from you?! <-QUOTE}
Well, since you expanded on your original post and made it a little clearer what you were saying, I'll take back my comment. Sorry. I have no problem with people posting about alternative products where their post is quantified and adds constructive advice to the thread. There are too many people in security forums these days who are just posting to advertise their own favourite programs. I do tend to tell those people that are doing it to stop brainwashing/converting. So it's not just you.
If someone starts a post that says "What's your favourite AT?" then fine everyone chip in with their favourite. But when someone starts a post titled "What do you think of Trojan Hunter?" and people chip in with 'I've never used it but BOClean is great' it's just meaningless pet product advertising.
Back to the topic.
I've no plans to ditch BOClean based on a 'rumour'. It's already been documented that BOClean is here to stay for a number of years. I'll carry on using it. If they want to change things (pricing, new product etc.) then I'll review this at the time. But as things stand, it's here, it's good and it's a keeper.
muf
Why
August 7th, 2005, 08:22 AM
The only thing keeping the ATs alive now is the memory scanner. Most AVs have caught up in the on-demand detection part of the software, but most AVs don't have a real memory scanner.
When and if AVs decide to develop good memory scanners then ATs are probably history, because they have more resources to do things bigger and better than the ATs, unless the ATs evolve to become much bigger operations than they are now... or change their method of operation so they might not be classified as a pure AT any more.
Why
{QUOTE-> My personal opinion is that the top ATs will be around for a while simply because they are still better at trojan detection (imv) than a lot of the AVs out there. Yes, there are a few exceptions like KAV, NOD etc., but how many people actually use these when compared to the free AVs such as AVG, Avast, and AntiVir? It seems everyone and his dog is using these (in my area at least), and while I would not dispute how good they are, I would still dispute them being as good as BOClean or TH etc. in trojan detection. For the person that likes a free AV, paying once for AT protection and receiving free updates (of course this might change) is usually preferred (at least in my experience), rather than buying something like KAV or NOD and paying yearly for the better "trojan" detection. I guess everything evolves... maybe an operating system impervious to such threats (how are Apple Macs in that area?) may emerge and leave all security software obsolete :)
ellison <-QUOTE}
controler
August 7th, 2005, 09:25 AM
Hi all
Me thinks we need to look at the whole picture of what is going on today.
Why do some AT and AV people think even memory scanners are to be a thing of the past?
To answer this question, I would say one word! ROOTKITS.
Why would I say this? I am sure any of you that frequent root kit dot com would know the answer.
Look at what is being talked about over there. From reading the LATEST, you will see that to detect a great rootkit, you need a rootkit itself. Example being Icesword.
Looking at what Johanna writes about hiding and not hiding files.
New detectors are looking for hidden files and AV's looking for not hidden files.
Johanna thinks the best detection would be at the lowest I/O level.
If I understand her, she is still recommending a driver for this (disk driver).
I could be wrong but it appears you do need to use a rootkit to find OR break a rootkit.
As I mentioned before, Kevin is bound by the government NOT to mess with kernel. If this also means NO driver, I don't know.
I do not see how you can make a rootkit based detector without a driver or drivers that can stop or break the rootkit.
My last brain cell tells me Kevin would therefore need to develop a new program for single users. I don't think he would do this since he said single user LICs are not worth the effort. He deals in Corporate - Government.
Then who do we turn to? Will it be DCS? It could be. It could be another.
IMHO, I do not think the great detector of the future will be based on online offline file comparison.
controler
Starrob
August 7th, 2005, 09:45 AM
DCS, Ghost Security, Online Armour, Ewido, Kaspersky, NOD and probably a whole HOST of others are probably developing solutions for this.
It will be interesting to see who the marketplace thinks has the best perceived solutions.
Starrob
----
August 7th, 2005, 10:01 AM
{QUOTE-> DCS, Ghost Security, Online Armour, Ewido, Kaspersky, NOD and probably a whole HOST of others are probably developing solutions for this.
It will be interesting to see who the marketplace thinks has the best perceived solutions.
Starrob <-QUOTE}
Right now though, anyone who thinks he can get away without an AV or AT merely because he uses 'HIPS' is a fool.
Of course, if you never ever felt the need for ATs even the first place, then that's different. ;0)
{QUOTE-> If someone starts a post that says "What's your favourite AT?" then fine everyone chip in with their favourite. But when someone starts a post titled "What do you think of Trojan Hunter?" and people chip in with 'I've never used it but BOClean is great' it's just meaningless pet product advertising.
<-QUOTE}
It has always been that way muf, nothing new.
Edwin024
August 7th, 2005, 02:02 PM
I have Ewido and Online Armor plus Regdefend, Look 'n Stop firewall and NOD32. I feel pretty secure with this package. I hope most can agree :)
A884126
August 7th, 2005, 02:26 PM
Edwin024, as Muf already told you, this is not a thread about your own configuration, nor about your suggestion regarding Ewido.
So it would be nice if you could open your own thread if you have any personal question or request. I am sure many people will help you.
No offense.
Thanks
bellgamin
August 7th, 2005, 02:33 PM
{QUOTE-> I have Ewido and Online Armor plus Regdefend, Look 'n Stop firewall and NOD32. I feel pretty secure with this package. I hope most can agree :) <-QUOTE}And awaaaay we go yet again. PLEASE stay on-thread!
Kevin McAleavey
August 8th, 2005, 02:51 AM
{QUOTE-> (with snippage)
Me thinks we need to look at the whole picture of what is going on today.
I could be wrong but it appears you do need to use a rootkit to find OR break a rootkit.
As I mentioned before, Kevin is bound by the government NOT to mess with kernel. If this also means NO driver, I don't know.
I do not see how you can make a rootkit based detector without a driver or drivers that can stop or break the rootkit.
My last brain cell tells me Kevin would therefore need to develop a new program for single users. I don't think he would do this since he said single user LICs are not worth the effort. He deals in Corporate - Government.
controler <-QUOTE}
Greetings ... well ... looks like the old "telephone game" of rumors and "competitive posturing" has resulted in some interesting concepts and fears here, so I suppose I need to address them ...
So let's rewind back to Uncle Wayne's announcement about TDS. Why do I call him "Uncle Wayne?" Simply because he, the Otis Vigil brothers and a handful of us go all the way back to the beginning of the not-so-nice "wooden horsie" and back in the early days, though we were all "competitors," we SHARED, we COLLABORATED and worked together at finding, figuring out and defeating the little wooden horsies. If one of us spotted something that the others didn't, we emailed a copy to each other. We were all friendly with one another and everybody benefitted from that. No "collusion" but rather "professional courtesy." Interesting how that's been turned sideways since.
I felt as though one of my best friends fell by the wayside when the announcement of "no more TDS" happened, and I felt compelled to explain what an overwhelming and EXPENSIVE job it is, how historically it was easily manageable and how it's gotten completely out of hand lately with so many "professional, organized-crime funded" nasties there are today. Certainly none of us saw the explosion of these which came to pass in the past two years. And the degree of difficulty has similarly ramped up. In my words, I was trying to explain simply that it takes a tremendous amount of resources and people to keep up and that I understood WHY Wayne saw the "point of diminishing returns" and that we'd been there too. I said it because I don't think many folks truly understand just how MUCH is involved in doing this.
I also explained that OUR situation is different in that because our main focus and design was "institutional" in nature, we had the benefit of being able to hire people to do a good amount of the work for us, and even more importantly had the continued revenue stream as a result to endure the added workload. Those depending on "home users" are saddled with a LOT more work on a basis of support which is also expensive and time consuming. At no time did I say we "don't want individual licensees," what I was saying is that because we primarily cater to large user bases, we're economically more stable and the licensing which we extend to individuals is covered by this situation. In other words, WE are going to survive unlike most others simply because the "expensive" parts of what we do are heavily diluted by major purchasers, and that keeps us "profitable." And that's a GOOD thing for "ordinary folks." Means we'll be here as our current funding is assured for AT LEAST 3-4 more years.
In the nearly ten years that BOClean has been around, those who have been with us for a while have seen BOClean expand and adapt in its capabilities and yet still retain that "set it and forget it" design despite so many new "needs" emerging over time. And for all those improvements and expansions, never has the "deal" changed. It's possible that we may need to either raise the price or go to a subscription basis at SOME FUTURE TIME, but there isn't the need to do so at THIS time. Those who are already customers are not due for any surprises, and like I said, we're not going anywhere. Can any OTHER vendor ASSURE that they'll still be around for the next 3-4 years? WE CAN. :)
Just as "file scanning" became obsolete in many ways back in 1998, resulting in BOClean becoming a "pure memory scanner," BOClean too is adapting under work already in progress for the next version and remains up to the job in its current incarnation. All the hoopla over "rootkits" is as amusing as all the hoopla over some trojans being called "spyware" in 2001 as though those too were something "new."
"Rootkits" have been around for YEARS now! The first "popular" rootkit was "Back Orifice 2000" (BO2K) back in 1999. And there's nothing new to any of the new incarnations either. Rootkits simply redirect kernel functions to somewhere else where they can be intercepted, filtered, and then whatever results the malware author desires are returned to the "user level." Some of the latest trends actually patch the kernel itself in memory much like the usual "injection" trojans of recent years.
And a "rootkit to fight a rootkit" isn't actually necessary although that's what SOME vendors are doing. Rootkits can actually be spotted rather easily by looking for what is MISSING, but I won't go into the technical details of how we spot them or why a kernel driver isn't actually necessary at all to do so. Suffice it to say that any hook into any kernel function can be detected, and its "hook" removed as easily as stopping a process or unloading a rogue DLL. And from USER (ring 3) level. When "Vista" is released though, this will likely no longer work. For now though, it still does.
It's TRUE that demands have been made by our major customers NOT to tamper with the kernel, but there's a bit of a misunderstanding as to what that means. Some antiviruses and antitrojans attempt to "patch" the kernel addresses with various "libraries" compiled into their code by the very same people who make those same libraries available to trojan authors. Many of them are cob-jobs which can result in strange crashes and other misbehaviors. Since a number of systems which use BOClean are "mission-critical" types, then by definition we can't be patching the kernel on those machines because of that status. And any kernel drivers written for such situations must not only be flawless, but they must mesh properly with any other kernel drivers present. This is why you'll never see some highly popular commercial brand name software on machines of this particular class and situation.
That all said, there is in fact a BOClean kernel driver already being built for the next generation of BOClean with a rather interesting design to it owing to some truly stupid things that other vendors have been doing which necessitate our doing it. Additional "specialized" builds are also underway for specific needs of specific large customers and some of that will find its way into the "regular" BOClean around the end of the year.
But as I said before, we're not going ANYWHERE, and the best is yet to come because we actually HAVE people to do it. :)
Starrob
August 8th, 2005, 03:46 PM
Will the BoClean kernel driver in development also be able to work under Windows Vista?
I am fairly certain that some of your references to vendors "doing stupid things" are a reference to some programs that flag BoClean as being malware or create some type of incompatibility with BoClean.
I wish I knew more about how the kernel works because I would like to know the stupid things that some vendors are doing. I would like to know the rationale of why they are stupid, so I can make a determination of whether I should even consider using certain programs or not.
I know you might not be able to fully answer these questions on an open board but I wish you could. I personally have only found two vendors that answer questions fairly directly. There might be more than that but there are only two that I have found so far that I have talked to for any length of time.
In the past, I know zonealarm has been mentioned as a program by you that "does stupid things". I wish you could tell me why I should avoid a product like zonealarm 6.0. Just by reading around I see some people that have complaints about it and others that are already big fans.
Most of the people making these comments for and against zonealarm probably don't have much of an idea whether zonealarm 6.0 is really doing all that it says it can do or not.......but that is another story.
I am looking for answers from people that actually know what security software does under the hood, although I doubt I will get a satisfactory answer.....at least in a public forum.
Starrob
{QUOTE->
That all said, there is in fact a BOClean kernel driver already being built for the next generation of BOClean with a rather interesting design to it owing to some truly stupid things that other vendors have been doing which necessitate our doing it. Additional "specialized" builds are also underway for specific needs of specific large customers and some of that will find its way into the "regular" BOClean around the end of the year.
<-QUOTE}
controler
August 8th, 2005, 05:55 PM
Here is a good read on rootkits that explains some of the ways to find rootkits if you have not read it yet.
4 levels. I think the third level deals with why a memory scanner is better.
file needs to go unencrypted-unpacked in memory to do it thang.
Then goes into the newest ways.
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
controler
August 8th, 2005, 07:22 PM
Nother good read on Shadow Walker
Quote from the page:
"If we can control a scanner's memory reads, we can fool signature scanners and make a known rootkit, virus or worm's code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code," she added.
"The code will execute but scanners will receive incorrect information."
http://www.eweek.com/article2/0,1895,1841266,00.asp
controler
Starrob
August 8th, 2005, 07:29 PM
I wonder if BoClean would be able to detect this Fu-Shadow walker rootkit? For that matter, can any scanner whether AV or AT detect this type of rootkit?
Starrob
controler
August 8th, 2005, 08:02 PM
I don't know if Boclean in its current form can, I am sure the new version would.
Possibly with the use of a driver.
From what I gather, the next level would be to use a mem scanner off an extra circuit board containing its own CPU.
The question we need to ask is, Do we expect AT's to find rootkits also?
Maybe if they are part of a trojan?
I also think we need to ask ourselves right now. I would be willing to pay a yearly subscription to Kevin. How about you? I think he is well worth it.
I doubt he has the time with current work force but maybe he would code a special program for a price. It appears it is limited to huge LIC again.
How about Wilders form a corporation and gather enough people to make a special program worth it? Like say 4000 Wilders members.
controler
Starrob
August 8th, 2005, 08:27 PM
I am following the solutions that BoClean proposes, as well as the solutions that a few others are proposing.
I am fairly amused at all the differing opinions on how to prevent malware from entering the computer. Some believe HIPS is the answer. Some believe more in scanners. Some believe more in "common sense". Some believe more in "education" and some just believe in arguing....lol
I am sort of an agnostic....maybe some would call me a heretic because I am not a "True Believer" in any one particular method. I simply study them all
and will use different solutions in the situations in which they most apply.
I am very interested in BoClean's future development . I pay attention to Kevin's remarks..... just as I pay attention to remarks from all developers.
What really interests me is why Kevin feels that Zonealarm 6.0 does not make a good solution for the growing malware problem in his opinion.
Starrob
{QUOTE-> I don't know if Boclean in its current form can, I am sure the new version would.
Possibly with the use of a driver.
From what I gather, the next level would be to use a mem scanner off an extra circuit board containing its own CPU.
The question we need to ask is, Do we expect AT's to find rootkits also?
Maybe if they are part of a trojan?
I also think we need to ask ourselves right now. I would be willing to pay a yearly subscription to Kevin. How about you? I think he is well worth it.
I doubt he has the time with current work force but maybe he would code a special program for a price. It appears it is limited to huge LIC again.
How about Wilders form a corporation and gather enough people to make a special program worth it? Like say 4000 Wilders members.
controler <-QUOTE}
controler
August 8th, 2005, 10:05 PM
One thing to keep in mind is the fact companies like Symantec have been around since the beginning and will probably stay. They have a tendency of gobbling up the competition.
They are also innovators. Look at e-mail scanning. I am pretty sure the first Av I remember that did this was Symantec.
I tried their latest beta not long ago and they still have good detection.
Now we are seeing Microsoft pulling part of Vista, knowing it would be a huge target for crackers. Microsoft is buying up all kinds of security companies.
Some I never heard of before.
Linux has come a long way but still isn't there as of yet for most common users' needs.
But alas, as we know, competition is a good thing, not only between security companies but between black & white hats. Keeps things in balance.
controler
mercurie
August 8th, 2005, 10:36 PM
{QUOTE-> When "Vista" is released though, this will likely no longer work. For now though, it still does. <-QUOTE} This is what I find interesting. I am not technical enough to know exactly what this means. Except there will never be a dull moment. ;)
gottago
August 8th, 2005, 11:01 PM
{QUOTE->
I am fairly amused at all the differing opinions on how to prevent malware from entering the computer. Some believe HIPS is the answer. Some believe more in scanners. Some believe more in "common sense". Some believe more in "education" and some just believe in arguing....lol
<-QUOTE}
Perhaps no words more true have been spoken in this forum (right, --- ?)
Starrob
August 8th, 2005, 11:23 PM
{QUOTE-> This is what I find interesting. I am not technical enough to know exactly what this means. Except there will never be a dull moment. ;) <-QUOTE}
I think what he means by that is that the methods of memory scanning that BoClean currently uses for detecting malware will no longer work in Vista.
I think Kevin also mentioned somewhere that many security programs might be "broken" in Vista. It will be interesting to see how things evolve.
Starrob
Kevin McAleavey
August 10th, 2005, 05:13 AM
Wow ... you guys have been twirling OVERTIME. Heh.
OK ... right now, MSDN has released "Longhorn Beta 1" ("Vista" or "Blista" as some of us have called it) ... so far, everything we do works just fine. My ANTICIPATION is that when they do the final release based more on Microsoft's claims that "this will be the most secure windows ever" (we've also heard this about '98, MiniME, 2000 and XPee ... we'll see) I'm just being cautious as always and anticipating ahead under the rash assumption that they might actually close off some of our useful tricks. Or at least screw them up. :)
The final release of XP bore little resemblance to all of the previews and made QUITE a mess for a number of vendors, not so much for us. So far, so good though - no need for changes even with their current IA64/X64 mess and their "peekaboo WOW64 folder trick" ... but will it LAST? That's why I said that.
FU_ROOTKIT is VERY easy to spot, even more so from ring 3 than from ring 0. I'm not going to give away secrets beyond what I said before - you look for what's MISSING. Stands out like a lighthouse in the middle of the Pacific. I won't diss HIPS *too* deeply, but bear in mind that conceptually for it to WORK, your machine must ALREADY be squeaky clean. Snapshotting a system that has an infection protects that infection as it's put into the "happy database." HIPS is obviously a good thing *IF* you're absolutely positive that you've got a perfectly clean machine. Not so if you're not. But it still helps if anything *NEW* lands.
Memory scanning CAN be thrown off by a nasty if you use the general Microsoft functions to examine processes, threads and memory. ANYTHING that can hook any kernel function and send it on a sidetrip around the block is capable of returning spurious results. However, there are functions in NTDLL that can be gotten to for a CORRECT answer regardless if you know how to get at them and make sure that you've got a proper match.
When I talk about "stupid things" I won't name vendors, but there's a good number of them lately (used to be just one or two) and it seems as though everybody's jumping on the "patch the addresses of kernel functions and point at MY software instead" which is why things like "SDT RESTORE" would have been *THE* answer to all of the rootkit problems in the world were it not for other vendors deciding to "patch the kernel." There's dozens doing it now. So something USEFUL like "SDT RESTORE" now BREAKS errant security software that patches the kernel. See why that's a BAD thing? :(
Among other stupid things pioneered by the second tier antiviruses is a phenomenon known as "debug hook, suspend process" to let them have a wiffy-sniffy with their neato file scanner before letting a program run and being able to take all the time they need to do so. That's one of the reasons why WE didn't do that in BOClean simply because ONE proggie doing that works OK even if it slows things down quite a bit. But have two or more proggies suspending a process and "deadlock" ("system hang") becomes more and more inevitable. Nowadays, it's not unusual for four or more programs to be suspending threads. When we get up above 10,000 to 12,000 uniques, I foresee our need to do that also and like so many other "what if's" that we contemplate all the time, I just see the need to buy us more flexibility. But we're not at that point yet on any of these fronts, I just see it coming. And if WE step in there, we have to be prepared to clean up OTHER vendors' messes lest WE get blamed for the stupidity like we are with a certain firewall's new version. Last I checked, "mutation" was not a feature in BOClean.
I wish I could go into more detail, but I don't want to give away the store. I'll just say that there are other "private builds" of BOClean for special customers who don't want the GUI or want to tie it into something of their own, and once a new project is done, most of what we've done will find its way into the next version and it will be quite different "under the hood" and quite the same as far as the screen goes. Gotta leave it at that for now though or I'll probably get slapped. But like I said, the best is yet to come. And fairly soon. :)
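Kevin's "look for what's MISSING" and his point that the general process-enumeration APIs can be hooked while lower-level sources still give a correct answer are stated without detail. The cross-view comparison below is an added example of one common way that idea is put into practice; it is not BOClean's code or method. Both process views, the PIDs and the names are constructed sample data, and the whole thing is a simulation that runs offline.

```c
#include <stdio.h>
#include <string.h>

/* One process as reported by some enumerator.  Constructed sample data. */
typedef struct {
    unsigned pid;
    char name[32];
} proc_t;

#define MAX_HIDDEN 16

/* Result of comparing two views of the same process list. */
typedef struct {
    unsigned hidden[MAX_HIDDEN]; /* PIDs only the low-level view reports */
    int n_hidden;
    int n_transient;             /* PIDs only the high-level view reports */
} xview_t;

static int has_pid(const proc_t *v, int n, unsigned pid) {
    for (int i = 0; i < n; i++)
        if (v[i].pid == pid) return 1;
    return 0;
}

/* Cross-view comparison.  `api` is what a hookable high-level API reports;
 * `raw` is what a lower-level, harder-to-filter source reports.  A PID that
 * `raw` lists but `api` does not is the "missing" entry a filtering hook
 * leaves behind.  The reverse case (in `api`, not in `raw`) is a process
 * that exited between the two snapshots and is not evidence of hiding. */
xview_t cross_view(const proc_t *api, int n_api, const proc_t *raw, int n_raw) {
    xview_t r;
    memset(&r, 0, sizeof r);
    for (int i = 0; i < n_raw; i++)
        if (!has_pid(api, n_api, raw[i].pid) && r.n_hidden < MAX_HIDDEN)
            r.hidden[r.n_hidden++] = raw[i].pid;
    for (int i = 0; i < n_api; i++)
        if (!has_pid(raw, n_raw, api[i].pid))
            r.n_transient++;
    return r;
}

/* Constructed scenario: the hooked API view drops PID 1337, and PID 900
 * exited between the two snapshots. */
static const proc_t API_VIEW[] = {
    {4, "System"}, {612, "csrss.exe"}, {900, "notepad.exe"}, {1200, "explorer.exe"}
};
static const proc_t RAW_VIEW[] = {
    {4, "System"}, {612, "csrss.exe"}, {1200, "explorer.exe"}, {1337, "hidden_sample.exe"}
};
#define N_API ((int)(sizeof API_VIEW / sizeof API_VIEW[0]))
#define N_RAW ((int)(sizeof RAW_VIEW / sizeof RAW_VIEW[0]))

int sample_hidden_count(void) {
    xview_t r = cross_view(API_VIEW, N_API, RAW_VIEW, N_RAW);
    return r.n_hidden;
}

unsigned sample_first_hidden_pid(void) {
    xview_t r = cross_view(API_VIEW, N_API, RAW_VIEW, N_RAW);
    return r.n_hidden ? r.hidden[0] : 0;
}

int sample_transient_count(void) {
    xview_t r = cross_view(API_VIEW, N_API, RAW_VIEW, N_RAW);
    return r.n_transient;
}

int main(void) {
    xview_t r = cross_view(API_VIEW, N_API, RAW_VIEW, N_RAW);
    for (int i = 0; i < r.n_hidden; i++)
        printf("missing from API view: pid %u\n", r.hidden[i]);
    printf("%d transient entries (exited between snapshots)\n", r.n_transient);
    return 0;
}
```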
Starrob
August 10th, 2005, 08:38 AM
{QUOTE->
When I talk about "stupid things" I won't name vendors, but there's a good number of them lately (used to be just one or two) and it seems as though everybody's jumping on the "patch the addresses of kernel functions and point at MY software instead" which is why things like "SDT RESTORE" would have been *THE* answer to all of the rootkit problems in the world were it not for other vendors deciding to "patch the kernel." There's dozens doing it now. So something USEFUL like "SDT RESTORE" now BREAKS errant security software that patches the kernel. See why that's a BAD thing? :(
<-QUOTE}
This I understand. I might be wrong but I think this is what the program Samurai does (With SDT RESTORE). This appears to be why Samurai "breaks" a lot of security related programs.
Thanks for your answers. I am not fully knowledgeable about security software but I do know a "few" security professionals on this board and usually by asking several pointed questions I am able to understand some of the things going on under the hood. It helps me make decisions about security arrangements on my computer.
I understand why you don't like to mention certain products names. I think sometimes in your "exuberance" you say some things that you maybe shouldn't.
I will take this away from what you are saying. Using too many security products that patch the Kernel or use the "debug hook, suspend process" could severely slow the computer down and/or cause lots of conflicts. Is that true?
I personally want my computer to speed up and not have conflicts. That is why I am looking for solutions that will keep my computer fast, not cause conflicts in the OS, provide good protection, and retain ease of use.
I am looking for those solutions on my own computer and that is why I ask these questions. I am avoiding putting software on my computer that I don't understand.
I might have more questions in the future as I digest what you have written.....I usually decipher things over time.
Starrob
toadbee
August 10th, 2005, 09:22 AM
Starrob - I believe you are right on regarding Samurai. It does what it says - some may not like the results but that's too bad.
If you'd like a good, head splitting read - I would recommend this pdf:
http://packetstorm.security-guide.de/hitb04/hitb04-chew-keong-tan.pdf
Includes very specific examples and techniques.
Starrob
August 10th, 2005, 11:03 AM
Yes, I am reading that article now. I just got down to the part that says:
Restoring Hooked Entries
Restoration of hooked entries can be done by
1. loading a driver
2. directly from user space by writing to device/physicalmemory
*Access to device/physical memory allows a user space program to read/write to physical memory, including kernel memory.
Starrob
{QUOTE-> Starrob - I believe you are right on regarding Samurai. It does what it says - some may not like the results but that's too bad.
If you'd like a good, head splitting read - I would recommend this pdf:
http://packetstorm.security-guide.de/hitb04/hitb04-chew-keong-tan.pdf
Includes very specific examples and techniques. <-QUOTE}
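Kevin's "SDT RESTORE" remark and the "Restoring Hooked Entries" section Starrob quotes above describe the same operation. Below is an added example in plain C that models it; it is a simulation with constructed addresses, not code from BOClean, Samurai or the paper. The kernel image range, the pristine table, the two hooked slots and the `keep` mask (an operator's choice to leave one slot alone) are all hypothetical, and the point it shows is the one Kevin makes: a blind restore also unhooks whatever legitimate security product sits in the same table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated system service dispatch table.  A real SDT lives in kernel
 * memory; every address here is constructed for the example. */
#define SDT_SIZE 8

typedef struct {
    uintptr_t entry[SDT_SIZE];   /* current service routine addresses */
} sdt_t;

typedef struct {
    uintptr_t base, end;         /* where the kernel image is mapped (constructed) */
} image_range_t;

static const image_range_t NTOSKRNL = { 0x80400000u, 0x805FFFFFu };

/* Pristine copy of the table, as recorded from a known-clean boot (constructed). */
static const uintptr_t PRISTINE[SDT_SIZE] = {
    0x80410100u, 0x80410200u, 0x80410300u, 0x80410400u,
    0x80410500u, 0x80410600u, 0x80410700u, 0x80410800u
};

/* Detection: an entry pointing outside the kernel image cannot be the
 * original service routine, so something redirected it.  Returns a bitmask
 * with one bit per hooked slot. */
unsigned find_hooked_entries(const sdt_t *t, const image_range_t *img) {
    unsigned mask = 0;
    for (int i = 0; i < SDT_SIZE; i++)
        if (t->entry[i] < img->base || t->entry[i] > img->end)
            mask |= 1u << i;
    return mask;
}

/* Restoration: write pristine addresses back over hooked slots.  This undoes
 * a rootkit's hook and, equally, any security product's hook in the same
 * slot.  `keep` is a mask of slots the operator has decided to leave alone
 * for that reason.  Returns how many slots were rewritten. */
int restore_hooked_entries(sdt_t *t, const uintptr_t *pristine,
                           unsigned hooked, unsigned keep) {
    int restored = 0;
    for (int i = 0; i < SDT_SIZE; i++) {
        unsigned bit = 1u << i;
        if ((hooked & bit) && !(keep & bit)) {
            t->entry[i] = pristine[i];
            restored++;
        }
    }
    return restored;
}

/* Constructed scenario: slot 2 redirected into a rootkit driver, slot 5
 * redirected into a hypothetical security product's filter driver. */
sdt_t sample_table(void) {
    sdt_t t;
    memcpy(t.entry, PRISTINE, sizeof PRISTINE);
    t.entry[2] = 0xF8A2C000u;   /* rootkit driver (constructed address) */
    t.entry[5] = 0xF9B10000u;   /* security filter driver (constructed address) */
    return t;
}

unsigned sample_hooked_mask(void) {
    sdt_t t = sample_table();
    return find_hooked_entries(&t, &NTOSKRNL);
}

/* Blind restore: both hooks go, the security product included. */
int sample_blind_restore(void) {
    sdt_t t = sample_table();
    return restore_hooked_entries(&t, PRISTINE, find_hooked_entries(&t, &NTOSKRNL), 0);
}

/* Selective restore: the operator keeps slot 5, only the rootkit hook goes. */
int sample_selective_restore(void) {
    sdt_t t = sample_table();
    return restore_hooked_entries(&t, PRISTINE, find_hooked_entries(&t, &NTOSKRNL), 1u << 5);
}

unsigned sample_mask_after_selective_restore(void) {
    sdt_t t = sample_table();
    restore_hooked_entries(&t, PRISTINE, find_hooked_entries(&t, &NTOSKRNL), 1u << 5);
    return find_hooked_entries(&t, &NTOSKRNL);
}

int main(void) {
    printf("hooked slots before: 0x%02x\n", sample_hooked_mask());
    printf("blind restore rewrote %d slots\n", sample_blind_restore());
    printf("selective restore rewrote %d slot(s), remaining mask 0x%02x\n",
           sample_selective_restore(), sample_mask_after_selective_restore());
    return 0;
}
```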
toadbee
August 10th, 2005, 11:07 AM
;) I thought you might find that part.
Starrob
August 10th, 2005, 11:35 AM
{QUOTE-> ;) I thought you might find that part. <-QUOTE}
Yes, articles like that help me decipher a lot of talk by a lot of developers. That article also helped me understand why DCS was in such a hurry to "protect physical memory" in PG.
I also see a little more why if PG is not configured properly then it can conflict with what BoClean is doing.
Not only PG....I can now see a little more about how and why there are a few companies doing things that might conflict with the way BoClean operates.
This is the type of information that helps me determine which software I want on my computer or if some software is even necessary at all.
Thanks for the info.....
Starrob
Jason_R0
August 10th, 2005, 01:31 PM
{QUOTE-> When I talk about "stupid things" I won't name vendors, but there's a good number of them lately (used to be just one or two) and it seems as though everybody's jumping on the "patch the addresses of kernel functions and point at MY software instead" <-QUOTE}
Developers are "patching the kernel" because it allows them to extend the features of Windows. First tier antiviruses do it, big name firewalls do it, nearly everyone is doing it. Except you of course... :)
{QUOTE-> which is why things like "SDT RESTORE" would have been *THE* answer to all of the rootkit problems in the world were it not for other vendors deciding to "patch the kernel." There's dozens doing it now. So something USEFUL like "SDT RESTORE" now BREAKS errant security software that patches the kernel. See why that's a BAD thing? :( <-QUOTE}
All the rootkit authors out there are taking advantage of features in Windows that Microsoft have provided (but mostly don't support), so why shouldn't security developers if it helps protect the system better? Security solutions should stay up to date with the current malware practice, regardless if they "share" certain attributes in technicality.
"Patching the kernel", or specifically the Service Dispatch Table, used to be a "risky" thing to do 5 years ago, sometimes resulting in blue screens and other issues. With time, comes understanding. With proper care and understanding of the kernel you can write safe code to take advantage of everything it has to offer without risking end-user stability. This includes working with other SDT patchers.
Just so you know, firewalls are the biggest offenders of patching the kernel in even more non standard locations than your average SDT patching security application (with ZoneAlarm and a few others also patching the SDT).
In my opinion, constantly polling the system for updates (like what BOCLEAN and a lot of other software does), is not only insecure, but inefficient. A lot of other developers share my opinion which is why they are heading down the "interception" path rather than "reaction" one.
richrf
August 10th, 2005, 01:40 PM
{QUOTE->
All the rootkit authors out there are taking advantage of features in Windows that Microsoft have provided (but mostly don't support), so why shouldn't security developers if it helps protect the system better? Security solutions should stay up to date with the current malware practice, regardless if they "share" certain attributes in technicality. <-QUOTE}
If Microsoft leaves the gates open for the "bad guys" to come through, the only recourse for users and their security vendors is to try to close (or guard) the gates. Unfortunately, this requires working with the "kernel", but MS leaves no alternative. It is poor operating system design that essentially creates the problems to begin with - and I mean extremely poor design.
{QUOTE-> A lot of other developers share my opinion which is why they are heading down the "interception" path rather than "reaction" one. <-QUOTE}
This is also how I look at things. Reacting is already too late. The "bad guys" are in the house and ransacking it. The only long term approaches are to intercept the "bad guys" before they get in, or better yet for Microsoft to close the gates down tight (something they will not do, because it is not in their own interests).
Looking forward to your future products Jason.
Rich
Trooper
August 10th, 2005, 02:01 PM
Well said Jason and richrf. I agree with both of your statements. That is how I feel about security and how it should be handled in this day and age.
As for BOClean, it's good to hear from Kevin and that it will be around for at least another 3-4 years. I know that I am happy with mine, and have no plans whatsoever to take it out of my arsenal of security related products.
Regards,
Jag
JRCATES
August 10th, 2005, 02:23 PM
I agree, Jag, those were both very well stated posts by Jason and Rich. And while I can't speak for BOClean because I have never used the product, I do agree with Randy in his earlier post and Notok also when he said while it may very well be an excellent product, "customer relations is something that does factor into decisions regarding where I'm going to spend my money" as well.
Primrose
August 10th, 2005, 03:14 PM
@ Jason_R0
I always wondered..is that something they get away with in the Home User Market..or also in the Corporate and Business Market for their applications ?
The Hammer
August 10th, 2005, 05:32 PM
{QUOTE-> I agree, Jag, those were both very well stated posts by Jason and Rich. And while I can't speak for BOClean because I have never used the product, I do agree with Randy in his earlier post and Notok also when he said while it may very well be an excellent product, "customer relations is something that does factor into decisions regarding where I'm going to spend my money" as well. <-QUOTE}
Kevin's relations with this customer have been excellent thus far. I consider my money well spent.
controler
August 10th, 2005, 08:56 PM
I don't really think I missed anything here except, some that posted keep forgetting Boclean is now more for corporate-government where patching is NOT allowed. I have no doubts Kevin can patch the kernel.
You need to reread his posts. He said he DOES make speciality versions also.
I would think though the Gov versions could stay the same & the public versions can have a patch. I wouldn't mind.
Since I have bought Jason's, Wayne's & Kevin's software, that says a lot!!!!
Kinda funny but seems like the only software I ever bought was software I was never allowed to Beta.
I will also say I never like Mcafee or Zone Alarm.
I think the next two years are going to be very interesting.
Yes I was excited about TDS-4 coming out and yes that was a factor in my decision to buy TDS-3 but I am not a hater and know that DCS will grow
if allowed. Only a fool would think PG was not an intime program.
controler
JRCATES
August 10th, 2005, 09:54 PM
{QUOTE-> Kevin's relations with this customer have been excellent thus far. I consider my money well spent. <-QUOTE}
I wasn't talking about his relations with his current customer base......because I would imagine that is excellent. Rather, I was talking about the way he expressed and handled himself in the TDS thread in general and in relation with "potential" customers. Getting into a verbal altercation with a competing vendor in a thread simply because that competing vendor showed up to answer a question that somebody (Jaws) asked directly about TrojanHunter is both unacceptable and unprofessional. Granted I don't know the whole history there between these two, nor do I really care...that was irrelevant to the topic at hand. But even when the TrojanHunter author remained calm and tried to defuse the situation by attempting to take it away from the thread altogether, that only seemed to incite Kevin to become even more belligerent. That's what I mean by "customer relations"....because I've seen quite a few people post that his outburst that day really didn't do him any favors by casting him in a somewhat negative light.
The Hammer
August 10th, 2005, 10:24 PM
{QUOTE-> I wasn't talking about his relations with his current customer base......because I would imagine that is excellent. Rather, I was talking about the way he expressed and handled himself in the TDS thread in general and in relation with "potential" customers. Getting into a verbal altercation with a competing vendor in a thread simply because that competing vendor showed up to answer a question that somebody (Jaws) asked directly about TrojanHunter is both unacceptable and unprofessional. Granted I don't know the whole history there between these two, nor do I really care...that was irrelevant to the topic at hand. But even when the TrojanHunter author remained calm and tried to defuse the situation by attempting to take it away from the thread altogether, that only seemed to incite Kevin to become even more belligerent. That's what I mean by "customer relations"....because I've seen quite a few people post that his outburst that day really didn't do him any favors by casting him in a somewhat negative light. <-QUOTE}
For me the approach has to be somewhat cold with the absence of emotion. Does the program do what I need it to do and do it well? The author could be a complete mad hatter, not that I'm suggesting Kevin is. I'm looking for something to do a job and protect my computer, that's all. A timely response to any problems I have would be nice though, and Kevin has provided that and some humour as well when I've had to email him.
---
August 11th, 2005, 05:35 AM
kevin you said that you have corporate customers to "fall back on" so you have to keep boclean going but corporate customers still only pay once up front like everyone else does so how are they any different to regular customers?
Kevin McAleavey
August 11th, 2005, 05:49 AM
{QUOTE-> Rather, I was talking about the way he expressed and handled himself in the TDS thread in general and in relation with "potential" customers. Getting into a verbal altercation with a competing vendor in a thread simply because that competing vendor showed up to answer a question that somebody (Jaws) asked directly about TrojanHunter is both unacceptable and unprofessional. <-QUOTE}
Yes, I'll have to agree that came off in unintended ways ... but the PROBLEM was that I *wasn't* talking about MAGNUS AT ALL! It was ANOTHER "vendor" I was referring to who has decided to light fires causing Magnus, Wayne and I to get all over each other for no good reason while they hid behind "guest." And while I may not have helped things, Magnus stepping in still thinking I was talking about HIM didn't help matters either. We were ALL being "gamed."
And Gavin ... the so-called "problem between BOClean and Process Guard" turned out to be NEITHER! That's why so many people who use BOClean and PG replied to all those messages with a humongous "huh?" if you think back. No, the actual problem turned out to be a few ANTIVIRUSES that those people were using that do unguarded thread suspends which naturally caused PG to say "wha?" and do one also.
I admit that we do some unusual things, but for VERY good reasons, and by NOT hooking the kernel to do so, we can usually stand clear of those unless somebody else decides to resniff too. My only complaint if any is that there are better ways to cover those things and what I was waved off on years ago was doing kernel hooks in that direct method of "patching addresses" in the first place, and if more than *ONE* entity does it, it's a "slippery slope into VXD hell" as was the case in the Win98 days. But the "problem" was never between PG and BOClean as it turned out.
And finally, as to BOClean's "intended user base" it was ALWAYS intended for institutional and government users, that's why it was designed as "set it and forget it and just back up Norton when it misses something or is unable to stop it." Most importantly to our original customers, the "desktop user" should NOT even know it's there (invisible running) or ever be asked what to do when a nasty was found - kill it, and move on QUIETLY. That the public wanted some of that for themselves is always welcome, but the original design until the end of our first 5 year contracts on what we built couldn't be changed during that time. When the "single owner" license was made available, even there it was more designed to put on "mom's computer" or those who kept calling you in the middle of the night to come over and fix their machine. That's what we've continued to focus on all these years.
There IS a "home version" in the works, but it's not a priority here because frankly we just don't sell enough copies to stop what we're doing which keeps us "alive" unless those sales are greater than they've been. The home version when it's released *WILL* have a thoroughly USELESS "file scanner" because people insist that they have to have it - I'd expect detection success however to be no better than any other file scanner, somewhere in the low single digits of all samples. But people want it, it will be there along with other toys to play with, a veritable "Fisher-Price busybox" if that's what folks want ... heh.
But we've got other things to do first ...
Hope this helps, but if folks would just take a few minutes and read what *I* type instead of putting other people's words into what my fingers leave behind as bread crumbs, maybe all of these misunderstandings would never have been painted. Have we had antagonistic relationships with others? You betcha. But none of that was ever OUR choice ... sometimes "competition" can be a BAD thing. Too many "experts," too few clues. :)
The Hammer
August 11th, 2005, 06:30 AM
{QUOTE->
There IS a "home version" in the works, but it's not a priority here because frankly we just don't sell enough copies to stop what we're doing which keeps us "alive" unless those sales are greater than they've been. The home version when it's released *WILL* have a thoroughly USELESS "file scanner" because people insist that they have to have it - I'd expect detection success however to be no better than any other file scanner, somewhere in the low single digits of all samples. But people want it, it will be there along with other toys to play with, a veritable "Fisher-Price busybox" if that's what folks want ... heh.
:) <-QUOTE}
Just remember everyone that even the author of A2 said their scanner is something of a gimmick with the strength of the program being elsewhere and I've already got one AS program that only seems to turn up cookies because I've got a good AV, Nod. http://www.wilderssecurity.com/showthread.php?t=89620 post 11.
Magnus Mischel
August 11th, 2005, 07:00 AM
{QUOTE-> Yes, I'll have to agree that came off in unintended ways ... but the PROBLEM was that I *wasn't* talking about MAGNUS AT ALL! <-QUOTE}
{QUOTE->
No ... I'm going to wait for WAYNE on this one ... but MAGNUS is one of the REASONS why it ain't worth doing TDS anymore.
(http://www.wilderssecurity.com/showthread.php?p=516186#post516186)
<-QUOTE}
Kevin, it's one thing to publicly attack another vendor who wasn't even addressing you. In my view, however, denying you've ever attacked anyone in the first place is something most people would probably see through and find even more disturbing than the original post.
Kevin McAleavey
August 11th, 2005, 07:18 AM
{QUOTE-> Kevin, it's one thing to publicly attack another vendor who wasn't even addressing you. In my view, however, denying you've ever attacked anyone in the first place is something most people would probably see through and find even more disturbing than the original post. <-QUOTE}
Oy ... and YOU just demonstrated my point. This gains this forum _what?_ Fast English lesson - if it were all about you, as you claim, I would have said "THE" reason, not "One of", which indicated that there were others of greater significance or you would have received the "top billing" you claim.
But if folks wonder where the animosity comes from, we have another "back and forth" to prove it. :(
Magnus Mischel
August 11th, 2005, 07:21 AM
{QUOTE-> I *wasn't* talking about MAGNUS AT ALL! <-QUOTE}
Ah, right - I must have misunderstood what "not talking about someone AT ALL" means.
BlueZannetti
August 11th, 2005, 07:29 AM
To all:
This thread does have a nominal topic. Please stick to it and take any discussions of an unrelated personal nature offline. Thanks.
Blue
Primrose
August 11th, 2005, 08:53 AM
{QUOTE-> Ah, right - I must have misunderstood what "not talking about someone AT ALL" means. <-QUOTE}
Hi Magnus and all,
This be Primrose, Hunter, Name Game and a few other nicks, some of which not many know..with no particular AX to grind towards any programmer or vendor..I also do not personally use any of their products over the years. But over the course of those years, I carry lots of dirty laundry and dirty tricks and keep them "in the closet" for a "few" of them, rather than airing them in public forums..that includes Wilders. I hate gossip since the real facts rarely come out or it takes just too long to get at the "truth" as people stand around guessing...or playing Public Relations or damage control.
I don't have to guess..or travel on an Airplane to get to the truth. I do like pizza and bier.. but not food frenzy fights.
Kevin at times talks in riddles that a few of us do understand..even the "Guests" who chime in do understand..while chuckling in the background behind their puter screen. It confuses many regular members of forums since they can't understand the "double speak" or the fact there is a whole other conversation going on between various parties..but they are curious.
I ask you only now to bury the Hatchet..take care of your user base..continue to help the community with your Program(s) as we move into the next phase of Microsoft releases.
There is room for everyone..if they just stick to working on their own Products..rather than physically or literally attacking the other or his coding.
Be well and good luck,
John
Starrob
August 11th, 2005, 10:17 AM
{QUOTE-> Too many "experts," too few clues. :) <-QUOTE}
Well, I am not an expert. I am one that likes to learn. Most of the ones that I learn from on this board I prefer to call security "Professionals". I have a disdain for "security experts" because an "expert" in most cases thinks they know everything there is to know about a given subject and they don't have room to learn new things and innovate.
If the public had listened to the Whale Oil Industry then Edison would have given up and never have invented the light bulb.
By the way....I am not calling any one particular person an "expert" in this forum. Anyone that thinks I am has an unhealthy dose of paranoia. The only "experts" I know are the ones that think they are.
It is easy to talk and make people feel "inferior". There are many people that tend to do that in this forum. Sometimes, I feel like I do that myself and I have to stop because I feel it is a weakness of mine. It is not my purpose in life to make people feel inferior but to try to help and teach others.
Most of the times I prefer to do this by asking questions because it is most of the time through questions that knowledge is revealed.
Yeah, there is no conflict between PG and BoClean. You are right about that. So I'll ask a question. If I protect physical memory in PG and do not allow BoClean access to physical memory, would that interfere with the operation of BoClean?
There are one or two vendors I know that, if I ask a similar type of question about their product or products, would give me a yes or no answer either in public or private and many times both. Many vendors, however, like to give long, winding answers that sometimes sidetrack the issue. "Pay no attention to that man behind the curtain", it was once said.
For me, this is a new age. I am going to mostly stick with vendors that answer questions about their product. I doubt I can ask a question that would reveal all the inner workings of any product because I am not an "expert". I work as a ship engineer in real life. In September, I will leave for my ship and I won't even be thinking about security or Wilders for 4 months. Most of the questions that I ask come from readily available public knowledge. Any script kiddy or "other vendor" could go out there and find the things that I find on the internet. So why the secrecy?
There are certain government agencies that like classifying everything secret not so much to keep the "enemy" from knowing......for the enemy many times very easily obtains the "secret information" from publicly available sources but more so to keep the public in the dark. The politicians get out there with their long winding speeches to sidetrack people from the real issues.
I am not really directing this at you Kevin because I never really had the opportunity to ask you many questions about the operation of BoClean.....but I will say that if vendors choose to be indirect and evasive ....well, I can play that game too......by keeping my wallet in my pocket. We can play hide the wallet.....and I can be very evasive.....
I will wait to see what the next version of BoClean is like. I am observing many products now to find the correct security set-up on my own computer. I want to see the vendors that can truly innovate.
By the way...I am also waiting for the DCS products to come out because I have not given up totally on that company.
Starrob
Edwin024
August 11th, 2005, 12:00 PM
I wonder what the governments and all other customers of mr BoClean do when they read his pieces here WITH all ThE STraNgE letter switches... Thank all that we have other companies with less irritating people leading it...
The Hammer
August 11th, 2005, 05:31 PM
{QUOTE-> I wonder what the governments and all other customers of mr BoClean do when they read his pieces here WITH all ThE STraNgE letter switches... Thank all that we have other companies with less irritating people leading it... <-QUOTE}
What the market place demands are results and as long as Kevin delivers he'll be fine. I can tell you that if something unwanted invades my computer the last thing I will be thinking about is a product developer's personality or lack thereof. Most of us don't really know Andreas, Magnus or Kevin. Most of us only know them from this forum and the public face they show us here. Which may or may not have much resemblance to the way they truly are. Business cares little if you are a "nice guy." Many of our "Captains of Industry" have been revealed to be real jerks. But we buy their products and drive their cars because they have met the needs of the market place. If any of these three think they have invented a better mouse trap let them bring it to market and the market place will decide. Business cares little if you've won a Mr. Congeniality award. I have Kevin's product at present and he has been great when I have emailed support regarding a problem. So that is what I look at. I am sure others can say the same for Andreas and Magnus. It's game on guys. You are all developing new products or enhancing your existing one. Show us what ya got and bring your best stuff.
richter
August 11th, 2005, 06:16 PM
Hello,
First of all I hope anyone I mention here does not take my comments personally. I am not here to criticize anyone, and certainly not the way they do their business.
I haven't been to Wilders for almost a year, until a few days ago when I was drawn back here after reading about a HIPS test and a very strong, positive opinion from richrf in a thread at Broadband Reports. It is interesting because I practically lived on Wilders long before I joined and it was the only security forum I visited and dared to post on. It is interesting that I stopped visiting right after they converted to vB. Isn't it "marketed" as a bulletin board that attracts members? Just a small comment and interesting observation – I use vB myself. :)
Anyhow, being interested in what all this hype about HIPS here is, since I didn't see anyone on BBR discussing it, at least not on the same magnitude as here, I started reading several non-company related forums. So far, I've seen and read some interesting threads and posts. I'm usually highly impressed with posters. No matter if I (dis)agree. Even though there are several companies who have their official forums here, many regular posters are open minded towards other products.
The TDS-3 announcement shocked me enormously, believe it or not. I have not visited Wilders in a long time and I have not seen any talk or any indication in other forums I visit that something like that could happen soon. This also contributed to me paying attention to Wilders in the past few days.
Kevin, I appreciate you taking time to talk to your customers and explaining to them your company's goals, why BOClean is the way it is, and what we can expect in the future from you. That is more than most people/companies are willing to share with their customers. Usually you have to sign loads of NDAs to find out that Norton will have a new icon in version 2006. However, I am fairly disappointed to read your posts in the TDS-3 thread Magnus linked to. I know that you or anyone couldn't care less what I think, especially since I'm not your customer, but outbursts like that don't make anyone have a positive opinion about a company. I know, because I went through the same with Invision Power Services. Being their user from day one, with the release of v2 and having new management, loving their product, I got, pardon my language, screwed over like millions (?) of others, which made me switch to vB, not because their product is superior; moreover, my users like IPB better, I find it easier to manage, and I miss some fairly important features I used daily, but it is rather the way they carried out their announcement to stop free service that made me bitter in every way. Their product is great, however the way they treat their customers is not! Banning their customers for positively criticizing their product and lying and trying to cover up things they said by purging thousands of threads and leaving their users dry, is what made me stay away from them. I like and I'm happy with vB. I've NEVER seen anything negative (nasty) being allowed to be said on vB forums regarding competition and seeing them providing info and being honest about what their product can(not) do made me switch. What do IPS and vB have to do with you? Well, I meant saying some things to your competition, no matter how your relation might be, is not a good idea. While I understand you are just human and we all have bad days, it would be wise to just let it go in the future and cool off before replying.
Speaking as an administrator who got into fairly nasty discussions with members over some decisions made on forums. It could be interpreted in the same way, I believe. Having seen not one bad comment about BOClean, I would hate to see anyone disliking it because of personal remarks being exchanged. While the majority of your customers could not care less, some might.
Personally, I'm not amused by comments being exchanged and with "accusations being made". I have nothing against you, Mischel, Wayne or anyone here. I just don't understand your comment regarding TH being one of the reasons for the TDS-3 discontinuation. With all due respect to all three of you, Wayne or anyone cannot say he (or should I say TDS?) made such a crucial decision in one night! I myself am a junior, hopefully a senior by next month, who studies management with a major in Finance and Accounting. While my limited (non-existent if you don't count the internships I do during summer) experience in the corporate world cannot be compared in any way to Wayne's 18 years and your 10 (?), I am more than positive such a decision should have been obvious to DCS a long time before it was announced. While I am not aware who manages DCS business, who's who, what your relation with them is, what the relation between AT vendors is, one cannot blame the other for their business decisions. And I am speaking with highly limited knowledge of your personal relations and the quarrels you have/had between you.
If you allow me to explain myself – While I have no idea who picked on who in the AT business, it's wrong to assume and blame other companies for one's failure (company = TDS, sorry for equalling those), IMO. You guys run your own businesses, and blaming others for not sharing stuff, for being competitive, lowering/increasing prices, for having a free version, for having different goals, a different business model is not a valid fact. No one stops anyone from doing whatever they want with their company/product. You are not a cartel, and even those who sign a contract are known to break it. Having a market where everyone follows the same model, offers the same products is bad for customers, because they gain nothing. Then it would just be a matter of preference. The AV market is somewhat different; they incorporate detection for trojans, spyware… and distinguish themselves somehow – some have good heuristics, some strong signatures, some are light, some are popular brand names, some proudly emphasize they have the best response times (issuing new definitions), and so on. I have yet to see that sort of thing between AT products. While some are trying to focus on other things than trojans, the majority does not.
Ideally, DCS (whoever is a manager) should have predicted what is going to happen with one of their products. They must have known the cost of having it and whether or not it is profitable. With all the data and experience they have/had they must have known it's going to happen "a long time before" it did. Saying (generally speaking) it is someone else's fault they could not keep up with competition is not valid. It is someone's fault – the management's. I don't wish to piss off anyone; if you see it that way I apologise, I am merely looking at things from a business perspective rather than a personal one. It's the management who runs the business, who makes decisions, who should know what the long term goal is, what the company can and cannot do/provide, what they should do after….not some third party. I am sorry to see such a sudden decision. As I said, ideally, the management should have "seen it coming" and stopped selling the product months ago, and issued an announcement where they would say they will be providing support/upgrades/definitions to a product until or for X months, after which users will have to find another solution. Saying this was a sudden decision only makes me wonder about the people who run the company and have been in the business for almost as long as I am old. If you're present for so long, you should have, and I'm aware that's not always the case, more knowledge than a person/company who is a newcomer on the market. On the other hand, I understand Wayne completely, and he is correct with every point he made. Companies which are not afraid to make decisions which benefit them and their customers are survivors. I admire that. It takes a lot of courage to do it and I doubt I would be able to make one myself. While I made a comparison with IPB, mostly due to the fact it was carried out similarly, it was not meant in a bad manner. Wayne did the right thing. He offered an apology (more than IPB customers/users were ever given), and a license to another product.
He did not have to, but he did, and it speaks much about him. While we can debate on what should have been done and how, it’s over now and it’s too late to debate it, IMO.
Another thing I am not humoured about is starting a discussion that should have never taken place. As much as I said some things to Kevin, for which I hope he doesn't take it (too) personally, I am not thrilled to see Mischel turning the TDS-3 thread upside down, and now here. You both take it as you wish, however, I honestly think you should either respect each other, or take it in private. It does not make either of you look good. It takes two to tango.
There were some other things I wanted to clarify, however, I won't. I apologise for being utterly long, talking about some maybe irrelevant things… My intention is not to start a discussion about TDS-3 all over again, nor is it to criticize anyone on how to do/run their business. I have nothing against either of you. I'm just rather disappointed with the scarce explanations given, and some facts being raised that should not matter.
I wish you all good luck with your products. While I tried all but BOClean, due to the fact there is no trial (but heard nothing but positive), I hope your good reputation and that of your programs will not be affected by recent/past events.
Excuse my bad English as well. I hope no people were put to sleep by reading this.
Regards,
r.
The Hammer
August 11th, 2005, 06:46 PM
8) A balanced and well thought out post richter.
controler
August 11th, 2005, 07:30 PM
Excuse me for another drunken stupor post.
For those that wonder about the VENDORS, be assured they know some of the blackhat programmers ;) as well as each other.
Here is what HaCkEr DeFeNdEr ( holy father ) has to say.
"available antivirus systems are KAV, Norton, AVG, Panda, McAfee, NOD32, Avast! and PC-cillin, if you need antidetection against any other antivirus it is not general problem, just ask
this is PER VERSION price, e.g. antidetection against Kernel PS 0.3, 0.4 and 1.0 is + € 90.00 not + € 30.00, but there are exceptions in this, these versions are for single price:
F-Secure BlackLight 1.0.1017.0, 1.2.1003.0
F-Secure BlackLight console 1.25.1006.0, 1.28.1006.0
Sysinternals RootkitRevealer v1.00, v1.01, v1.10, v1.20
Sysinternals RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
RootKit Shark 3.11, 3.22, 3.27
FHS 1.0, 1.1
UnHackMe 1.0, 2.0
UnHackMe 2.5 beta, 2.5 beta 2, 2.5
modGREPER 0.1, 0.2 "
I see no mention of Trojan Hunter, BoClean or TDS-4 ( oopsss) he he
If Kevin says Rootkits are no problem for him, I will go with that. Don't know if he is talking about the "private builds".
If the others ARE doing work for the GOV, then I am sure they have had intensive background checks as Kevin has. Um Duh?
controler
richter
August 11th, 2005, 07:31 PM
Thanks, but you summarized everything I wanted to say in a few sentences just above, lol.
Starrob
August 12th, 2005, 12:14 AM
Maybe Holy Father is not such a bad guy. What do you think?
From the hacdef blog:
anonym -
$$$ is at the root of all that is evil. There are also two sides to every coin.
As an example:
Imagine that there were no files that are to be marked as "viruses." Then there would be no need for Anti-Virus software; therefore, no more $$$ for the chosen professions of those working in Anti-Virus tech.
I can see how one who actually makes money off of viruses (anti-virus) would stand up as righteous and call those who support their jobs the "bad guys." An interesting marketing gimmick that is.
When there are people that make the jobs of anti-virus a difficult task by doing their own form of "anti" work (anti-anti-virus?)... I can see how these people could be labeled a collaborator to the "bad guys" (or girls).
What I can make of this is the anti-detection service offered here is quite possibly cutting into the almighty dollar of the detection services, and because of a hobby at best. So, yes, it is a very bad and evil thing depending on which side you're on...
Why
August 13th, 2005, 10:52 AM
{QUOTE->
{QUOTE-> A lot of other developers share my opinion which is why they are heading down the "interception" path rather than "reaction" one. <-QUOTE}
This is also how I look at things. Reacting is already to late. The "bad guys" are in the house and ransacking it. <-QUOTE}
I wasn't aware that Richrf was also a developer.
{QUOTE->
Well, I am not a expert. I am one that likes to learn. Most of the ones that I learn from on this board I prefer to call security "Professionals". I have a disdain for "security experts" because a "expert" in most cases thinks they know everything there is to know about a given subject and they don't have room to learn new things and innovate.
<-QUOTE}
Semantics. So if we switched from calling someone a professional instead of an expert, it makes things better? Whether you choose to use the tag expert or professional, it goes without saying there are precious few of them around here.
So am I a "professional" because I contributed to a security article you found enlightening? :)
Starrob
August 13th, 2005, 11:56 AM
Semantics can be important. It is all in the eye of the beholder. I have done a little studying as an "amateur" in the field of semantics and also hypnotism.
Apparently, people can be influenced by the labels they put on things. Label someone a "physician" and automatically people think they know more about health than they do and this may or may not be true....how do you know the person doesn't have a "fake" physician's license?
I choose not to be influenced by "experts" because I have chosen to attach certain meanings to that word that I have a disdain for.
The word "professional" is different to me in that it also means having certain standards of conduct, like having a "real" physician's license rather than a "fake" one. To me, a person can have all the knowledge in the world and if they don't conduct themselves in a "proper" manner, then they don't carry as much weight with me.
I don't consider myself a professional in the software industry for two reasons. I don't have the knowledge level and I sometimes engage in needless ego "headbanging" with others when it really is not necessary.
It is fairly easy for me to observe the "professionals" on here. They impart knowledge to others and don't have to go out of their way to make "amateurs" feel inferior......but all words are semantics anyway, so none of what I said really matters.
The "experts" know who they are and the "professionals" know who they are too but all of this is neither here nor there....and off-topic....so I'll stop now.....and get up and enjoy this beautiful day.
Starrob
{QUOTE->
Semantics. So if we switched from calling someone a professional instead of an expert, it makes things better? Whether you choose to use the tag expert or professional, it goes without saying there are precious few of them around here.
So am I a "professional" because I contributed to a security article you found enlightening? :) <-QUOTE}
RobZee
August 13th, 2005, 12:34 PM
{QUOTE-> Semantics can be important. It is all in the eye of the beholder. I have done a little studying as an "amateur" in the field of semantics and also hypnotism.
Apparently, people can be influenced by the labels they put on things. Label someone a "physician" and automatically people think they know more about health than they do and this may or may not be true....how do you know the person doesn't have a "fake" physician's license?
I choose not to be influenced by "experts" because I have chosen to attach certain meanings to that word that I have a disdain for.
The word "professional" is different to me in that it also means having certain standards of conduct, like having a "real" physician's license rather than a "fake" one. To me, a person can have all the knowledge in the world and if they don't conduct themselves in a "proper" manner, then they don't carry as much weight with me.
I don't consider myself a professional in the software industry for two reasons. I don't have the knowledge level and I sometimes engage in needless ego "headbanging" with others when it really is not necessary.
It is fairly easy for me to observe the "professionals" on here. They impart knowledge to others and don't have to go out of their way to make "amateurs" feel inferior......but all words are semantics anyway, so none of what I said really matters.
The "experts" know who they are and the "professionals" know who they are too but all of this is neither here nor there....and off-topic....so I'll stop now.....and get up and enjoy this beautiful day.
Starrob <-QUOTE}
Starrob -
A good post - As an "amateur", I personally agree with the emphasized part regarding "professionals". That is the primary reason I continue to visit WSF as compared to some other forums.
Rob
The Hammer
August 14th, 2005, 01:32 AM
{QUOTE-> I wasn't aware that Richrf was also a developer.
Semantics. So if we switched from calling someone a professional instead of an expert, it makes things better? Whether you choose to use the tag expert or professional, it goes without saying there are precious few of them around here.
So am I a "professional" because I contributed to a security article you found enlightening? :) <-QUOTE}
The popcorn's popping.