Why bother using any anti-trojan program


Wai_Wai
August 13th, 2005, 07:49 AM
Should I use any anti-trojan(AT) program?
After doing a bit of investigation, I decide not to bother.
Why? Read the following. The result is shocking :o .

v0.3.1
========================================================
v0.3
- add a good article: anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
- add a link: TDS (anti-trojan program) is discontinued due to the rise of anti-virus programs
- mistakes are corrected to include anti-spyware into the lists of anti-trojans.
- elaborate more, add more Q&A


v0.2
- elaborate more, add more Q&A

v0.1
- first release of this article
========================================================

The following are a bit long-winded. Scan for the bold/italic texts. If you find somewhere interesting, read that part.

++++++++++++++++++++++++++++++++++++
Q: I know people hear from users or from vendor websites that anti-virus(AV) program is not enough. You need anti-trojan(AT) programs to help you to catch much more trojans which AV program misses. Hmm... So should I use any anti-trojan(AT) program?

A:
(For AT program users, take a breath first before reading on!!)
As a short answer, you don't really need to install any AT program and you can be VERY VERY safe.
It may sound crazy, but it's a common misconception that an anti-trojan(AT) program is required to protect you from trojan infection.

To see why I made such a big or even ridiculous claim, it is due to my experiment and empirical observations.
Just to quote one test done on 8 Aug 2004:
AV list (from top to bottom) - detection rate for ITW trojans:
AntiVirenKit (Kaspersky-based, German): 99.80%
Kaspersky Personal Pro: 99.52%
F-Secure (Kaspersky-based): 99.40%
Kaspersky Personal: 99.24%
Panda: 86.92%
McAfee: 86.56%
Norton Pro: 82.43%
Norton Corporate: 79.83%
PC-cillin: 73.51%
AVAST: 71.51%
Nod32: 71.37%
AVG: 55.58%

AS list (from top to bottom) - detection rate for ITW trojans (%):
Digital Patrol: 54.32
PestPatrol: 31.52


AT list (from top to bottom) - detection rate for ITW trojans (%):
TDS (discontinued on 22 Jul 2005): 54.80
A squared 2: 53.59
AntiTrojan Shield: 30.16
PC Door Guard: 30.06
Trojan Hunter: 23.65
Tauscan: 19.22
The Cleaner: 18.76
Trojan Remover: 18.29
IP Armor: 10.92
Hacker Eliminator: 10.82
Anti-Hacker & Trojan Expert: 00.01 (how dare you call yourself expert!! You are crap!)

Analysis from the result

Comment on the performance of an anti-trojan program
As you see, anti-virus(AV) programs are actually FAR better than ""ALL"" famous & non-famous anti-trojan(AT) programs.
AT doesn't really specialize in trojans (as you can see from the result, even the worst AV program defeats the best AT program). It's a false claim!!

If you wish to get the details / complete result of the above test, email me at genuinem22-forum{.........}yahoo.com.hk [replace {.........} with @]

By the way, there's interesting news that TDS (anti-trojan program) is discontinued. One main reason is [b]the rise of anti-virus programs taking over the anti-trojan markets[/b].
[url]http://tds.diamondcs.com.au/[/url]


[b]Q: Hmm... so should I still use AT program to add extra protection?[/b]
A: I'm not going to give you a black-and-white answer, but I would like to raise several important factors, so you could consider before making your own decision:
[b]- what anti-virus program do you use? [/b]
- If you use Kaspersky-based anti-virus software, it helps you to catch nearly all trojans, and so do all sorts of viruses/worms/mal-scripts.
- If you use something like AVG (the worst anti-virus program at catching trojans), it may be worthwhile to install some AT program since it may help you to catch some extra trojans that your AV program misses.
-- However you may wish to consider other alternatives too (eg more anti-virus programs, anti-spyware, firewall, extra protection like process & registry protection). They all have their pros and cons, which have been explained in [b]anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?[/b]

[b]- how much extra protection do you wish to add? [/b]
Provided you are using the best AV program, there's still a catch that they miss a few tricky trojans. Theoretically, when you add 1 more AT program, you raise your chance to catch the missed trojans.
Based on the result I have presented to you, you can see how poorly they perform. If you ask me the chance of an extra AT program catching a missed trojan, it may be less than 0.1% or even 0.01% or even much less.
In other words, what AT program CANNOT catch, AV program can manage to catch; reversely what AV program CANNOT catch, AT program has (nearly) no capability of catching them.

[b]- Possible Crash or Instability [/b]
Since AT program has its own real-time protection (so does AV program), it may crash with your AV program. The overlapping characteristics may create more problems than benefits.

Frankly I'm not sure, but you may risk:
- slowing down your computer (some AV is already resource-hogging; imagine that you are adding 1 more)
- worsening your AV/AT capability (when your AV and AT conflict, no matter explicitly or implicitly)
- crashing your computer (they may compete for the privileges to scan/detect viruses. That causes problems!)

[b]- Other alternatives to boost your protection [/b]
Apart from adding "AT protection", you may consider other much better alternatives. This includes:
- adding 1 firewall (ZoneAlarm is good!)
- adding 1 anti-spyware (it mainly protects your privacy, rather than security) (eg MS Anti-spyware, Ad-aware)
- adding 1 process protection program (eg ProcessGuard )
- adding 1 registry protection program (eg RegGuard )
*: The programs I mentioned above are just examples. I don't know if they are excellent or not.

[b]Q: About the alternatives, it's true that your alternatives can also provide extra protection. But you miss the point that they have disadvantages too (eg anti-spyware is not good for detecting trojans; firewall, process & registry protection requires better computing knowledge), so anti-trojan (easy to use, using different signatures and scanning techniques) should be implemented instead to cover the above weaknesses.[/b]

A: Hi. You have made some good points.
Just to tell you in case if you don't know, you tend to point out only the advantages of anti-trojans over the other alternatives, but not vice versa. To get a better outlook, we need to look at both sides in order to make a better decision.

You will find this article useful:
[b]anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?[/b]
There are several things we can consider when we wish to protect our PCs (the more you implement, the better you are):
- firewall
- anti-spyware (it can detect some trojan or trojan-like spyware)
- process protection
- registry protection
- more anti-virus
- anti-trojan

OK, let me see which is the best. To do so, there are several things I'm going to analyze:
- effectiveness to stop trojans (*)
- effectiveness to stop non-trojans (*) (#)
- ability to remove the malware
- knowledge required to utilize this software
* The effectiveness rating ranges from 1-5. Bear in mind, it's just a rough indicator of their performance. Don't treat them as absolute.
# Non-trojan means any other malware which is not classified as trojan, including MS-DOS & Windows virus, macro, dialers, scripts, miscellaneous malware etc.
More Notes:
- common benefits and common weaknesses are not included in the analysis since they won't affect your decision anyway (all have the same extent of benefits/weaknesses, how can it affect your choice if you make a rational choice?)


- [b]firewall[/b]
[b]Effective rating - anti-trojan (1-5)[/b]: 3
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: 1-2
[b]Advantage[/b]:
1. I think it does little to prevent the installation of trojans, but it is great to paralyze trojans. There are some functions firewall can do to stop trojans:
-- stop them from sending info out
-- stop hackers from accessing your computer (the trojans may not help!)
-- hijacking legitimate EXE
[b]Disadvantage[/b]:
1. you need some computing knowledge to utilize this program, or you may be stupid enough to allow a trojan to do its job :P
--> However "search engines" and "forums" are your friends. So even for dummies, if they realize the existence of these 2 "helpers", it's not really a problem (although you still need to spend some time and effort on it). For immediate and general help, use search engines like "Google". For special and detailed help, ask experts in various security forums.
2. It can't remove any malware. You need to seek help from other tools. Anyway it is normal since this kind of product is precaution software. Removing malware is not their scope.
3. As to some other non-trojans malware, it may have some difficulties to stop them. (eg: I don't think it can do anything really to stop the damage done by virus)

- [b]anti-spyware[/b]
[b]Effective rating - anti-trojan (1-5)[/b]: 3-4 ([b]Yes, it is "3-4"!![/b])
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: 3
[b]Advantage[/b]:
1. Little knowledge is required to use this product.
2. If your anti-spyware has real-time protection, it helps more. Some anti-spyware like Microsoft Anti-spyware Beta can protect you from a wide range of things, including HOSTS, IE trusted zones, startup programs etc.
3. it not only detects/stops trojans but also other kinds of malware (mainly spyware and adware). It will help to remove them if found too.
4. one may say that their disadvantage is that they are not specialised in trojan detection/removal. It's a [b]common misconception![/b] Digital Patrol (anti-spyware) can manage to get rid of ~55% of ITW trojans. This result is already equal to the very best of anti-trojans (also ~55%). You know, Digital Patrol is not an excellent anti-spyware(AS) in the market. The best ones are Microsoft AS (308/425, based on the result of GIANT AS which has been purchased by Microsoft), Webroot Spy Sweeper (235/425), Ad-aware (231/425). Unfortunately I don't have authoritative third-party sources, but if you believe me, based on my experiences/observations, I would guess it can detect 80% or more trojans if it were run in the test. That's why I give a "3-4" rating (if I can confirm my belief, I will give a "4").
-- Don't you feel it's too hard to believe the above? Well, it must be since it is in contrast to your established belief. I will explain to you why later.

[b]Disadvantage[/b]:
- {no real disadvantage which is specific to anti-spyware}

- [b]process protection[/b]
[b]Effective rating - anti-trojan (1-5)[/b]: 4
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: 4
[b]Advantage[/b]:
1. a lot of malware needs *.exe, *.dll etc. to make it work
2. If you use some products like ProcessGuard, it provides an even wider range of base-level protection including terminating/crashing/suspending legitimate programs, exe file execution, leak attacks, installation of rootkits & drivers & keyloggers & mouse/key hooks, dll injection, modification of physical memory.
(Note: I'm currently using it. It looks good but that's mainly based on my estimation and the claims from the author, so it may not be as great as it looks)
3. it seems more likely that these products are kernel-based. A kernel-mode device driver is a 32-bit modular component that runs at a privileged level (known as Ring 0 to those familiar with Intel hardware) on the computer's CPU. As such, drivers run as trusted components of the kernel, virtually becoming a part of the operating system itself. It is good since it is much harder for malware to intrude on these kinds of products.

[b]Disadvantage[/b]:
1. (= Firewall Disadvantage 1: knowledge required). By the way, it should be harder to learn this product than that of firewall.
2. (= Firewall Disadvantage 2: can't remove malware, only detect).

- [b]registry protection[/b]
[b]Effective rating - anti-trojan (1-5)[/b]: may be 3
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: may be 3
[b]Advantage[/b]:
1. malware still needs registry keys to make it work. Protecting these areas can surely affect its activities.
2. (= Process Protection Advantage 3: kernel-based protection)

[b]Disadvantage[/b]:
1. (= Firewall Disadvantage 1: knowledge required). By the way, it should be harder to learn this product than that of firewalls AND process protection software. Registry is more cryptic and hard to understand.
2. (= Firewall Disadvantage 2: can't remove malware, only detect)
3. Compared with process protection, it tends to provide less protection - it only protects the registry. It is less important. Compared with anti-spyware programs, some anti-spyware already provides some kinds (although limited) of registry protection. This further lowers its significance.

- more anti-virus
[b]Effective rating - anti-trojan (1-5)[/b]: 5
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: 5
[b]What is it about?[/b]
- I'm not suggesting you install more than 1 anti-virus program since it will lead to possible conflicts, no matter explicit or implicit (for details, please ask me).
- I'm going to suggest you use [b]free online scans[/b]. You know, no single program can detect and remove all sorts of malware. There are many free online scans.
- If you download a file and suspect it contains malware, try this all-in-one scanner (it has 14 major AV scan engines, including the topmost ones):
[url]http://virusscan.jotti.org/[/url]
(Brilliant!! You are much much... safer than depending on your AT program to determine if it has attached a trojan.)
- For a complete system scan, a lot of major anti-virus program providers offer these services for free. Thus please visit their websites more frequently :P

[b]Advantage[/b]:
1. it is excellent at dealing with trojans (the best can be as high as 99.9X%) unless you are choosing some bad anti-virus programs
2. it's also excellent at dealing with non-trojans (the best one can be as high as 99.XX%) unless you are choosing some bad anti-virus programs
3. Some anti-virus programs try to work on detecting spyware, hijackers, adware as well (although the performance is poor compared with the best anti-spyware products)
4. Unlike other precaution software (eg firewall, process/registry protection), it will help to remove/fix them automatically if detected.
5. Little knowledge is required to use this product.
6. To sum up, both anti-virus(AV) & anti-trojan are misnomers. AV is in fact all-round anti-malware programs (except spyware); while anti-trojan is indeed [b]okay[/b] (NOT good!) at trojans only (the best being 5X%).

To get a clearer picture, let's make some comparisons. A good or excellent anti-virus can detect more than 90% ITW malware (including MS-DOS & Windows virus, macro, dialers, scripts, trojans, miscellaneous malware). As to anti-trojans, see this table:

Malware type / [i]average[/i] anti-trojans / [b]best 5[/b] anti-trojans / [i]average[/i] anti-virus / [b]best 5[/b] anti-virus
trojans: 10-20% / 30% (*) / about 70-90% / 99.50-99.90%
Non-trojans: 2/3% to nearly 0% / less than 6% / about 70-90% / 98-99%
* there are big differences even among the best: only 2 anti-trojans manage to get ~50%; then there is a sudden drop of ~20%. The rest are poor (only 2X%, some being less than 10%)
Note:
- the percentage refers to the detection rate of that kind of programs, based on overall results of several tests (2003-2005)
- for the details of the data, feel free to ask me.

[b]Debatable point[/b]
1. the only problem is you cannot install more than 1 anti-virus program (it's no good to your computer due to possible conflicts!).
--> However you can use "online scan" to keep your computer safe. What you need to do is to get online and get scanned. That's it.
2. What you only miss is real-time protection from the anti-virus. But getting it may not be a good thing:
--> you may risk getting conflicts if you use an anti-trojan real-time scan as well as an anti-virus real-time one (you know they try to fight for the same kinds of privileges for real-time scanning), no matter whether it is noticeable or not. Remember not all conflicts can be seen/felt. If you have installed an anti-trojan, it may not mean it is perfectly ok. It may mess up and slow your computer down already. You have to be careful about that if you really do so! (eg you should check if the anti-trojan is compatible with your anti-virus)
---> if conflicts exist, [b]getting 1 more real-time protection will in fact worsen your security, not improve it![/b]
---> is there any real need for real-time protection? If you always scan suspicious files before installation, you get much less chance to get trojans.
---> I have found 1 website which uses 14 major scan engines to scan for viruses. I can't find other such websites which combine plentiful engines in 1 site, which is very excellent. If you get to use this online service frequently, you hardly get any kind of malware.
---> If you frequently do online scans, your chance of getting viruses/trojans is much lower than by installing 1 more real-time scan (remember [b]1 more of [u]the same kind[/u] of real-time scan may sometimes worsen your security![/b])
3. Finally the above is just some short explanations. [b]I can explain much more about this topic if you wish to know more or you are doubting. Feel free to ask me if you need[/b].


[b]Disadvantage[/b]:
- {no real disadvantage which is specific to anti-spyware}


- [b]anti-trojan[/b]
[b]Effective rating - anti-trojan (1-5)[/b]: 3
[b]Effective rating - anti-[i]non-[/i]trojan (1-5)[/b]: 1 only :-(
[b]Advantage[/b]:
1. (~ Anti-spyware advantage 4). They are more or less equal to each other. That's why both anti-spyware and anti-trojans get "3".
--> But they are far worse than anti-virus programs.
2. Little knowledge is required to use this product.
[b]Disadvantage[/b]:
1. They are only okay (not good!) at dealing with trojans
2. They become abysmal when dealing with non-trojans
3. you may risk getting conflicts if you use an anti-trojan real-time scan as well as an anti-virus real-time one (you know they try to fight for the same kinds of privileges for real-time scanning), no matter whether it is noticeable or not. Remember not all conflicts can be seen/felt. If you have installed an anti-trojan, it may not mean it is perfectly ok. It may mess up and slow your computer down already. You have to be careful about that if you really do so! (eg you should check if the anti-trojan is compatible with your anti-virus)


If I miss any point, please tell me and I will add them back.
Thanks for your kind attention.


[b]Q: Even if an anti-virus program can hit 99%, this still leaves 1% of trojans which haven't been caught. Better safe than sorry, we should use anti-trojans.[/b]

A:
Try to see if this makes things clearer.
First, by installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

There are 6 grades in the school (A-F).
"Anti-virus" program is like an A-B grade student; while "anti-trojan" is a D-E grade student.

Surely an A/B grade student cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

"How about asking D/E grade student to help?" A-grade thought.

"Are you crazy? How come I will know how to solve this question? Too difficult for me." an E-grade student said, "There is surely a chance I can, but how big is the chance, you fool!?"

Surprisingly, he mentioned something which enlightened the A-grade student.

"You'd better ask other A/B grade students help. They will know how to solve this difficult math" an E-grade student enlightened the A-grade student.

"Ar! So stupid I am! Why didn't I seek help from other A grade students in the first place?" the A-grade student grieved, "Now the A-grade students have left school. I have to wait for tomorrow."

Why does the software miss that 1%? Probably they use advanced techniques which are hard to arrest, or the trojans are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

Your anti-trojan is not designed to arrest this 1% gap. Instead it is said to specialize in arresting trojans-related threats. Unfortunately they even cannot do better than anti-virus programs.

You may feel anti-trojan is specialised in arresting trojan guys! You may feel so due to the fact that:
- it was true in the very early stages of security programs
- the name "anti-trojan" misleads you into thinking they should be specialised in trojans. It's in fact a misnomer based on hard facts. Sad to say, hard to accept, but have to admit. :"(
- now it is a sunset market. Remember why TDS is dead?? To survive, convert it into either "anti-virus" or "anti-spyware" (Ewido is a good example towards anti-spyware). Anyway these 3 products have some degree of overlapping.


So what should you do now if you are the A-grade student?
This leads to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate, and only 50% for anti-trojan, you are equal to asking an E-grade student a difficult math question which you, as an A-grade student, don't know how to answer.

Okay, so are you ready to ask other A-grade students now?

Hope this answers your question.
Feel free to discuss with me if you have further questions.


[b]- Okay, you are good at puzzling me! Simply tell me, if you were me, what would you choose? [/b]
I am not you. I cannot choose for you.
But if I simply give you such a vague answer, you will definitely beat me up.

Okay, if you are being bombarded/confused by the whole lot of advantages/disadvantages, then just forget the above. Take my word for granted temporarily; I will guide you to the appropriate choices.

Now, the question: what is the best to protect me from trojans?
I assume you have nothing on your computer yet.
I assume your protection capability is of utmost importance to you.

First identify who you are (I have some descriptive texts for each group).
Then follow the steps one by one. Remember to follow the first step first and the last step last. (Am I bullshxting?)
Stop at the point when you see you are secure enough, or you are fed up with getting more protection.

[b]1st group: If you are a noobie, or a beginner who doesn't wish to bother with anything:[/b]
1. install 1 [b]excellent[/b] anti-virus program (so you get 99+% trojan protection & lots more)
2. install 1 more [b]excellent[/b] anti-virus program (now you get another 99+% trojan protection & lots more). Remember to turn off the real-time protection to avoid possible conflicts. [i]If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. You only need 1 real-time protection.[/i]
3. install 1 [b]excellent[/b] anti-spyware or more (now you may get 80+% trojan protection & some other benefits). [i]If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. You only need 1 real-time protection.[/i]
4. install 1 [b]excellent[/b] anti-trojan or more (now you get 50% trojan protection & only a jot of other benefits). Remember to turn off the real-time protection to avoid possible conflicts. [i]If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. You only need 1 real-time protection.[/i]


[b]2nd group: If you are a noobie/beginner who is willing to bother, or you are an intermediate:[/b]
1. install 1 [b]excellent[/b] anti-virus program (so you get 99+% trojan protection & lots more)
2. Run as many FREE online virus scans (file + system scan) as possible until satisfied. You don't really need to install extra anti-virus programs: save space, save resources, save conflicts, save money, save problems...
3. install 1 [b]excellent[/b] firewall ONLY and no more unless you are ready for possible troubles. As I said before, a firewall itself is difficult to use. But do you remember your friends - Google (search engines) and experts (forums)? If you meet them, you don't really need to be computing-knowledgeable. Your friends will help you.
4. install 1 [b]excellent[/b] process protection. I temporarily recommend ProcessGuard. Really learn how to use it, or you shouldn't bother. What you need is mainly to go through its manual once. That's it. The rest can be left for your friends. This product, once you are familiar with it, is no different from a firewall. You don't need to take care of it anymore except that it will sometimes prompt you for decisions.
5. install 1 anti-spyware ONLY + utilize as many FREE online scans as possible until satisfied.
6. don't install any anti-trojan. Just utilize as many FREE online scans as possible until satisfied.

[b]3rd group: If you are someone who is willing to get into trouble :P, or you are an (semi-)expert:[/b]
1. (see 2nd group Point 1-4)
2. Install registry protection. I don't know really anything (seemingly) good to recommend. You may try Regdefend or ask Google. Good luck!
3. (see 2nd group Point 5 downwards)

Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


[b][i]Challenge &/or Criticism[/i][/b]

[b]Q: I saw a vendor website claiming their product is far better than some famous AV. It even lists the result and the result is the reverse (ie AT program can catch more trojans plus it can catch more AV too), so you must be wrong.[/b]
A: Hmm… I know which website you are talking about. (Maybe I guess wrong :-[) Anyway try to think about the following factors before making your own decision:
- vendor has strong motives to lie
- should we trust independent websites much more than vendors? (although you don't know if they have insidious relationships with vendors, which is why we should read at least more than 1)
- does it display any technical info about the test? What database does it use? How does it test?

[b]Q: How about magazines? They claim XX program is The Best of This Year!![/b]
A: I would like to say something about magazine reviews (or its similar types). Try to consider the following factors and think if we should place too much trust on them:
- Most simply do not have enough resources to conduct effective and representative tests/reports. Unless the magazine is using the results from a big and independent testing organization, the reviews cannot reflect their true value.
- Some magazines receive money from other programs (by advertisements etc.). So do you think they will be impartial enough?
- Small magazines may rely on analyses or research data from big magazines. Then they make their reviews and comments based on these data. If what they comment is based on these reports, why don't we read the reports ourselves. Sometimes you may reach a different conclusion even if the magazine and you depend on the same report databases.

[b]Wait! Many users praise this anti-trojan program highly. It works to stop many trojans that NO SINGLE anti-virus program can. So you MUST be wrong![/b]
Yes, I may be wrong, but I would like to point out some situations which falsify the above claim:
- Users' comments may be based on the magazine reviews they have read. And magazine reviews are actually… so…
- Experiences may lie, unfortunately. Consider this case. A virus bypassed your anti-virus program. It doesn't cause serious problems in your computer. You never notice its existence. You still feel your anti-virus program is doing a great job.
- A security program generated a false positive, falsely claiming that a file is infected. You think it is great. Other security programs cannot detect that malware, but my program can. Excellent! There was one case (~10-12 Aug 2005) where none of the anti-spyware programs could detect these 2 "so-called" spyware except CounterSpy. Finally they turned out to be false positives. One file is just a legitimate JPG compression functionality for Intel, but CounterSpy claims it's AB System Spy and the threat is rated "serious".
- "[b]Fallacy of popularity[/b]": I somewhat fall into teaching you logic. It is invalid to claim "something is popular or agreed by the majority CAN prove something is correct/good". Re-read the above cases. You should understand why. ;-D

Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


[b]Q: Hey man! How dare you deceive me? Your test is deadly old![/b]
A: I have to admit that this test is done on 8 August 2004, so it is 1 year old. Sorry to say, there are indeed newer 2005 tests but I haven't included them because I have no time to gather & present them. It needs some time to do. I will do if I get some time. If you are kind enough, feel free to give me a newer test.

Please try to consider the following factors before determining whether you should discredit/ignore this test completely:

[b]Relevancy[/b]
We don't really need to worry too much about the outdatedness. As a rule of thumb, 1 or even 2 years old is not really a problem if you ask me. Its relevancy still holds true for most cases. Based on my experience, for example, if a product can detect 50% malware 1 year ago, it is very rare it will catch 70% malware in this year. [Note: Surely you need to compare the results from the same series of tests (having no noticeable change in this series, eg methodology of testing) AND are done by the same company.]

If the normal situation goes, a good program should keep being good even after 1 year. If you haven't heard of any (major) bad news from the program within the year, it is quite safe to assume the program is still good. It shouldn't change dramatically in, say, 1 year. It holds true for bad programs.

However the world is not black-and-white. I have to admit there're some exceptions. For example, if you realise a product is subject to huge advancement in this 1 year (eg it introduces a brand new heuristic method to catch malware), the relevancy of the past test is questionable.

[b]Reliability[/b]
Surely I can choose to make my conclusions based on some magazine reviews. It should be easier to find newer reviews. But as I said previously, they are not reliable. It is a good deal to get a more reliable and detailed report at the cost of some outdatedness, right?

Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


[b]Hmm… but why don't you manage to get the latest report?[/b]
It is impossible, but I think you should understand why. It's because a good and comprehensive report needs much time to produce - half a year is not unbelievable! It is never impossible to finish a report within a week or month unless you are going to read some magazine reviews, whose credibility tends to be low.

I rely on detailed reports to make most of my comments because they are more trustworthy and reliable than brief reports and magazine reviews. I can know what methodology they use, what database they use, how they reach their conclusions etc.

The only major price is that I cannot get up-to-date information, and if you ask me, I don't think it is really a price. As I said, outdatedness is not really a problem. It is unlikely, not to say rare, to see a big/huge performance difference in such a short period (eg 0.5-2 years).


[b][i]Miscellaneous[/i][/b]

[b]I would like to know more about anti-trojan program performance // I would like to investigate by myself. What can I do?[/b]
A good place to start is [url]http://www.virus.gr/english/fullxml/default.asp[/url]
[b]If you know more good websites about anti-trojan programs, please tell me!![/b]
By the way, Google is your friend. You can search for more and more reports to read.

[b]- Thanks. You are really helpful! // You are a silly crap (like Anti-Hacker & Trojan Expert). Get lost![/b]
Good to hear if you find the above info useful.
Sorry if you feel I'm crap. Don't be angry, please! All the above is my little advice anyway. You may disagree with me.

richrf
August 13th, 2005, 08:15 AM
Hi Wai_Wai,

I think Wayne of DiamondCS also has a similar position - i.e., it is difficult for an AT to provide any significant additional protection on a machine, if the machine has a good AV.

However, the AT test that you are referring to is old, and some of the ATs (e.g. Ewido) have added significant protection in areas that may not necessarily be covered well by the AVs (e.g. malware that is hidden in cookies). Also, ATs approach the problem in a different way (e.g. memory process scanning) so that they may detect some malware that gets past the file scanning of an AV (I personally have never experienced this).

On balance, I would recommend that users install different types of protection before they purchase ATs nowadays (e.g. anti-executables, registry protection, script protection) and apparently Wayne also agrees with this position.

Cya around,
Rich

Wai_Wai
August 13th, 2005, 09:28 AM
First of all, thanks so much for your reply.

-{ Quote: "However, the AT test that you are referring to is old" }-

Hmm... This test is from Aug 2004, so it is just 1 year old.
Also there are newer tests on the site which I have no time to gather and present here. The situation does not change. AT programs still perform poorly. If you wish to find out yourself, read this (test: Apr 2005): http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69

And read this as well if you are interested in:
-{ Quote: "
Q: Hey man! How dare you deceive me? Your test is deadly old!
A: I have to admit that this test is done on 8 August 2004, so it is 1 year old. Sorry to say, there are indeed newer 2005 tests but I haven't included them because I have no time to gather & present them. It needs some time to do. I will do if I get some time. If you are kind enough, feel free to give me a newer test.

Please try to consider the following factors before determining whether you should discredit/ignore this test completely:

Relevancy
We don't really need to worry too much about the outdatedness. As a rule of thumb, 1 or even 2 years old is not really a problem if you ask me. Its relevancy still holds true for most cases. Based on my experience, for example, if a product could detect 50% of malware 1 year ago, it is very rare that it will catch 70% of malware this year. [Note: Surely you need to compare results from the same series of tests (having no noticeable change in this series, eg methodology of testing) AND done by the same company.]

In the normal situation, a good program should keep being good even after 1 year. If you haven't heard any (major) bad news about the program within the year, it is quite safe to assume the program is still good. It shouldn't change dramatically in, say, 1 year. The same holds true for bad programs.

However the world is not black-and-white. I have to admit there are some exceptions. For example, if you realise a product has undergone huge advancement in this 1 year (eg it introduces a brand new heuristic method to catch malware), the relevancy of the past test is questionable.

Reliability
Surely I can choose to make my conclusions based on some magazine reviews. It should be easier to find newer reviews. But as I said previously, they are not reliable. It is a good deal to get a more reliable and detailed report at the cost of some outdatedness, right?

Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


Hmm… but why don't you manage to get the latest report?
It is impossible, but I think you should understand why. It's because a good and comprehensive report needs much time to produce - half a year is not unbelievable! It is never impossible to finish a report within a week or month unless you are going to read some magazine reviews, whose credibility tends to be low.

I rely on detailed reports to make most of my comments because they are more trustworthy and reliable than brief reports and magazine reviews. I can know what methodology they use, what database they use, how they reach their conclusions etc.

The only major price is that I cannot get up-to-date information, and if you ask me, I don't think it is really a price. As I said, outdatedness is not really a problem. It is unlikely, not to say rare, to see a big/huge performance difference in such a short period (eg 0.5-2 years).
" }-


-{ Quote: "and some of the ATs (e.g. Ewido) have added significant protection in areas that may not necessarily be covered well by the AVs (e.g. malware that is hidden in cookies). Also, ATs approach the problem in a different way (e.g. memory process scanning) so that they may detect some malware that gets past the file scanning of an AV (I personally have never experienced this)." }-

I understand they can add some protection.
But before deciding to purchase an AT program, think about these 3 factors which will affect the usefulness of adding 1 AT program:
- what AV do you use? (Take KAV as an example: it catches about 97-99% of trojans, so adding one is nearly useless)
- how much can an AT protect us? (the better the AV you use, the more useless your AT is)
- are there any other alternatives which can provide more protection than AT achieves? (If I were to choose, I would prefer other kinds of protection against not only trojans but also a lot of attacks, eg process/registry protection, or a firewall if you don't have one now)

If you haven't read yet, spare some time to read the following:
-{ Quote: "
- what anti-virus program do you use?
If you use Kaspersky-based anti-virus software, they help you to catch nearly all trojans, and likewise all sorts of viruses/worms/mal-scripts.
If you use something like AVG (the worst anti-virus program at catching trojans), it is worthwhile to install some AT program since it may help you to catch some extra trojans that your AV program misses.

- how much extra protection do you wish to add?
Provided you are using the best AV program, there's still a catch: it will miss a few tricky trojans. Theoretically, when you add 1 more AT program, you raise your chance of catching the missed trojans.
Based on the result I have presented to you, you can see how poorly they perform. If you ask me the chance of an extra AT program catching a missed trojan, it may be less than 0.1% or even 0.01% or even much less.
In other words, what AT program CANNOT catch, AV program can manage to catch; reversely what AV program CANNOT catch, AT program has (nearly) no capability of catching them.

- Other alternatives to boost your protection
Apart from adding "AT protection", you may consider other much better alternatives. This includes:
- adding 1 firewall (ZoneAlarm is good!)
- adding 1 anti-spyware (it mainly protects your privacy, rather than security) (eg MS Anti-spyware, Ad-aware)
- adding 1 process protection program (eg ProcessGuard )
- adding 1 registry protection program (eg RegGuard )
*: The programs I mentioned above are just examples. I don't know if they are excellent or not." }-

After all, thanks so much for your comments!

Paranoid2000
August 13th, 2005, 10:22 AM
-{ Quote: "(e.g. malware that is hidden in cookies)." }-Hmm...care to expand on this RichRF? I've yet to hear of a cookie being used for anything other than holding data...

Wai wai,

The best AVs will provide good trojan detection - however the thing about trojans is that they tend to be "personalised" (i.e. altered by their distributor, via hex-editing, compression, rebasing or encryption) to avoid AV signature scanners.

If you are a "high risk" user (i.e. you download files from anonymous sources like P2P, IRC or Usenet) then you are much more likely to encounter something that may slip past your AV scanner (even Kaspersky AV has some weaknesses here) so an AT scanner (using different signatures and scanning techniques) may be a worthwhile addition. However process/registry/network software (firewalls, Process Guard, etc) can also provide extra security, provided that you know (or are prepared to learn) how to distinguish normal from malicious behaviour.

StevieO
August 13th, 2005, 11:05 AM
I appreciate that some AV's are much more capable of detecting/eliminating Trojans than ever before. But even with a 99% hit rate, that still leaves around 1000 undetected out of, say, 100,000! A lot more if the hit rate is less.

It used to be that viruses were the things we needed to be concerned with mainly, but not anymore. The amount of Trojans in all their forms, including RK's, has increased dramatically in the last 6 - 12 months, as recent events with TDS3 have shown.

Why take the chance, even if as i do you surf safely, with all that it implies. Because s**t does happen.

I would be very interested to hear about the Cookie thing also.


StevieO

Rmus
August 13th, 2005, 12:33 PM
-{ Quote: " However process/registry/network software (firewalls, Process Guard, etc) can also provide extra security, provided that you know (or are prepared to learn) how to distinguish normal from malicious behaviour." }-How would you suggest the average user who wants to use these products, learn how to distinguish behavior?

-{ Quote: "... areas that may not necessarily be covered well by the AVs (e.g. malware that is hidden in cookies)" }-Can you give some examples you've found?

-rich
________________
~~Be ALERT!!! ~~

fetch
August 13th, 2005, 01:49 PM
I don't bother. I've never had to remove a trojan from a computer protected with Deep Freeze, or found malware that could write itself to my Qualystem (FREE) Rescue CD

Wai_Wai
August 13th, 2005, 03:12 PM
-{ Quote: "Hmm...care to expand on this RichRF? I've yet to hear of a cookie being used for anything other than holding data..." }-

Cookies should only cause privacy problems.


-{ Quote: "
The best AVs will provide good trojan detection - however the thing about trojans is that they tend to be "personalised" (i.e. altered by their distributor, via hex-editing, compression, rebasing or encryption) to avoid AV signature scanners." }-

But can AT do significantly better at solving this problem?
Why and how do they achieve this?

-{ Quote: "
If you are a "high risk" user (i.e. you download files from anonymous sources like P2P, IRC or Usenet) then you are much more likely to encounter something that may slip past your AV scanner (even Kaspersky AV has some weaknesses here) so an AT scanner (using different signatures and scanning techniques) may be a worthwhile addition. However process/registry/network software (firewalls, Process Guard, etc) can also provide extra security, provided that you know (or are prepared to learn) how to distinguish normal from malicious behaviour." }-

You have made some good points.
Just to tell you in case you don't know: you tend to point out only the advantages of anti-trojans over the other alternatives, but not vice versa. To get a better outlook, we need to look at both sides in order to make a better decision.

In short, provided that your aim is ONLY for better trojan protection:
(Note: You will probably not agree with most of my statements since I give no explanation. Skip this part and read Anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert? first in my first post for detailed reasoning)
1) use other anti-virus programs (FREE online scans) to detect trojans (they are the best alternatives, especially for computer noobies/beginners)
2) firewall (noobies/beginners should use nowadays)
3) [optional] process protection (a bit more difficult to learn at start only)
4) [optional] registry protection (really quite difficult to make use of it)
5) anti-spyware (surprisingly, anti-spyware can have better detection rates than anti-trojans)
6) anti-trojans (the last alternative, install if you still feel insecure after going through the above 5 steps)

Notok
August 13th, 2005, 03:43 PM
ATs were never meant to replace AVs, or provide superior file scanning. I like how Kevin, of NSClean, put it.. your AV will pick up 90% of trojans, it's the last 10% that the AT is concerned with (that's paraphrased, not a direct quote).

There are lots of ways that a trojan can evade file scanning, the AT is meant to supplement/fortify your existing scanner with real memory scanning and other things that a common AV may lack. An AT may not pick up all that much more than your AV, but a modified trojan can still be caught in memory.. if you have a real memory scanner. An AT is also generally more capable of keeping it from entering memory and/or removing it from memory if it's already there. I've seen all too many infections where the AV says "Hey, you're infected! Sorry, there's nothing I can do..." If you end up with the Beast trojan on your machine, an AV and an AT would probably both be able to detect it, but which do you think will be capable of removing it? You could always remove it yourself, but that may be a painstaking chore for many, and many may still end up needing to reformat. And what about the malware that uses exploits to inject themselves directly into memory without planting any files? Scanners like Ewido and BOClean will also pick up that last bit of stuff that is outside the scope of many AVs, and won't go through the same process of prioritizing when it will be added to the database, if at all. Some malware writers are writing tons of variants and releasing them in small numbers (per variant) so that the AV companies won't add detection (because it's not prevalent enough), but an AT will.

Sure, if you're a KAV user it may not be worth it to you to get an AT, depending on many factors.. but not everyone wants to use KAV. Just with file scanning alone, some may prefer to use an AV+AT to get an equal level of detection. There are also still plenty of things out there that the KAV team hasn't found yet, and many new ones can still infect a KAV protected system before they have a chance to update.. so again, which do you think will be the better at removing them without extra effort on the part of the user? The above test says nothing of this, and says nothing of the scope of what ATs are intended for.

There are plenty of ways that a user can go, an AT is just one option for a layered defense.. and I don't recall people here emphasizing otherwise to someone that's decided to choose another route.
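
The evasion Paranoid2000 describes above (a known trojan "personalised" by packing or encryption so its file signature no longer matches) and Notok's point that a memory scanner can still catch it once it has unpacked itself, shown together as an added example. This is not part of the thread and not any product's code. The "trojan" body, the one-entry signature database and the single-byte XOR "packer" are constructed stand-ins; a real memory scanner would read the live process image (on Windows via ReadProcessMemory), which the simulate_process() function here only imitates by running the unpack step.

```python
"""Added example (not from the thread): why a byte-signature file scan misses
a 'personalised' trojan while a scan of the unpacked image still catches it.
Everything here is constructed: the 'trojan' is a harmless byte string, the
'packer' is a single-byte XOR, and the signature database has one entry."""

# Constructed stand-in for a known trojan body (a harmless string).
KNOWN_TROJAN_BODY = b"BEAST-RAT connect-back port=6666 hide=yes"

# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    "Trojan.Example.Beast": b"BEAST-RAT connect-back",
}

def scan_bytes(blob: bytes) -> list[str]:
    """Plain signature scan: every signature found anywhere in blob."""
    return [name for name, pat in SIGNATURES.items() if pat in blob]

def xor_pack(payload: bytes, key: int) -> bytes:
    """Simulate the distributor 'personalising' the build by XOR-encrypting it.
    Layout: magic || key || encrypted body. A real packer also prepends an
    unpacking stub; here unpack() plays the stub."""
    enc = bytes(b ^ key for b in payload)
    return b"XPK1" + bytes([key]) + enc

def unpack(image: bytes) -> bytes:
    """What the packed program does at run time: decrypt itself into memory."""
    assert image.startswith(b"XPK1"), "not a packed image"
    key = image[4]
    return bytes(b ^ key for b in image[5:])

def simulate_process(on_disk: bytes) -> dict[str, list[str]]:
    """Detections a file scanner and a memory scanner would each report for the
    same sample: the file scanner sees the on-disk bytes, the memory scanner
    sees the image after the unpack stub has run."""
    in_memory = unpack(on_disk) if on_disk.startswith(b"XPK1") else on_disk
    return {"file_scan": scan_bytes(on_disk), "memory_scan": scan_bytes(in_memory)}

def evading_keys(payload: bytes) -> int:
    """How many of the 255 non-zero keys yield a file the file scanner misses.
    All of them: XOR with any non-zero key changes every byte of the pattern."""
    return sum(1 for k in range(1, 256) if not scan_bytes(xor_pack(payload, k)))

if __name__ == "__main__":
    print("unmodified:", simulate_process(KNOWN_TROJAN_BODY))
    print("packed    :", simulate_process(xor_pack(KNOWN_TROJAN_BODY, 0x5A)))
    print("evading keys:", evading_keys(KNOWN_TROJAN_BODY), "of 255")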

richrf
August 13th, 2005, 05:37 PM
-{ Quote: "Hmm...care to expand on this RichRF? I've yet to hear of a cookie being used for anything other than holding data..." }-

Hi P2000,

Merely talking about "tracking cookies", where privacy of the user is somewhat invaded. This is primarily the type of "problems" that Ewido has detected on my machine.

Rich

richrf
August 13th, 2005, 05:50 PM
-{ Quote: "I appreciate that some AV's are much more capable of detecting/eliminating Trojans than ever before. But even with a 99% hit rate, that still leaves around 1000 undected out of say 100,000 ! A lot more if the hit rate is less." }-

Hi,

This is how I look at the issue.

Since I use KAV, there is, let's say, 1/100 chance that KAV will miss some malware. I estimate that, considering my surfing behavior, that I may encounter 4 malware in a year. That means, that KAV, on average, will miss some malware once every 25 years.

Now, suppose of the 1/100 that KAV misses, Ewido picks up 1/5 of those (I think I am being generous) with Ewido's added protection scheme. That means that Ewido will help me on average, once every 125 years. This is pretty negligible which is what I think Wai_Wai's point is.

My point is a bit different. That is, if one were to add additional protection, the user should be confident that the protection scheme is of such a nature that it would be able to add significantly to what KAV is currently offering. If one suggests (reasonable I think) that KAV's zero hour protection is "weak" at this point, then anything that enhances zero hour protection would substantially add to security by plugging this hole. For this reason, I believe that products such as ProcessGuard are quite reasonable additions to a KAV configuration.

One could make a case that NOD32 would be a good addition since it adds heuristics to signatures, but unfortunately, NOD32 cannot (should not?) run side-by-side with KAV. Lacking this, adding host intrusion protection to signature based protection would seem like a natural. Adding signature-based to signature-based (even if the scanning process is different) seems to me to be more problematic, unless it can be clearly demonstrated that ATs will have a much higher chance of picking up malware that KAV missed, than the number I suggested (i.e. 1/5).

Comments, as always are welcomed.

Rich
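
richrf's back-of-envelope figures above, as an added example that is not part of the thread. The arithmetic is put in functions so the assumptions can be changed: the numbers 1/100, 4 encounters a year and "Ewido catches 1/5 of what KAV missed" are his; the overlap parameter, and the 0.8 figure for a behaviour-based layer, are assumptions made here only to show how correlated detection changes the outcome.

```python
"""Added example (not from the thread): richrf's residual-risk arithmetic as
functions. The 'overlap' model is an assumption introduced here to express
'signature-based on signature-based' catching the same things twice."""

def years_between_misses(encounters_per_year: float, miss_prob: float) -> float:
    """Mean years until one sample gets past a layer with the given miss rate."""
    return 1.0 / (encounters_per_year * miss_prob)

def catch_given_av_miss(layer_detect_rate: float, overlap: float) -> float:
    """Probability the extra layer catches a sample the AV already missed.
    overlap = 0: the layer's detections are independent of the AV's, so it
    catches its usual fraction of the misses. overlap = 1: everything it
    detects, the AV detected too, so it adds nothing. Assumed model."""
    return layer_detect_rate * (1.0 - overlap)

def layered(encounters_per_year: float, av_miss: float,
            layer_detect_rate: float, overlap: float) -> tuple[float, float, float]:
    """Return (years between AV misses,
               years between events where the extra layer actually helps,
               years between samples that get past both layers)."""
    c = catch_given_av_miss(layer_detect_rate, overlap)
    av_only = years_between_misses(encounters_per_year, av_miss)
    layer_helps = years_between_misses(encounters_per_year, av_miss * c)
    both_miss = years_between_misses(encounters_per_year, av_miss * (1.0 - c))
    return av_only, layer_helps, both_miss

def richrf_case() -> tuple[float, float, float]:
    """His numbers: KAV misses 1/100, 4 encounters a year, the AT catches 1/5 of
    those misses. A 50% AT with an assumed overlap of 0.6 gives exactly 1/5."""
    return layered(4, 0.01, 0.5, 0.6)

def hips_case() -> tuple[float, float, float]:
    """Assumed behaviour-based layer (e.g. execution/process control): 80% catch
    on what signatures miss, overlap 0 because it shares no signatures.
    Illustrative figure, not a measurement."""
    return layered(4, 0.01, 0.8, 0.0)

if __name__ == "__main__":
    for name, case in (("AV + signature AT", richrf_case()),
                       ("AV + behaviour layer", hips_case())):
        av_only, helps, both = case
        print(f"{name:22s} AV misses every {av_only:.1f} y, "
              f"layer helps every {helps:.1f} y, both miss every {both:.1f} y")
```

The figure that decides whether a second layer is worth having is its catch rate on the AV's misses, not its headline detection rate: with the same overall numbers, the AT's 125-year "helps" interval and the behaviour layer's 31-year one differ only because of the overlap assumption.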

Paranoid2000
August 13th, 2005, 06:06 PM
-{ Quote: "How would you suggest the average user who wants to use these products, learn how to distinguish behavior?" }-In the case of a firewall, simply take the time to know what programs are likely to have a legitimate need for network access (e.g. iexplore.exe for Internet Explorer, msimn.exe for Outlook Express, firefox.exe for Firefox, etc) and the basics of networking (the role of DHCP and DNS especially). For process control, understand what hooks and DLLs are.

Most importantly though, become familiar with the legitimate software on your system and its normal pattern of activity (which is why such products need to be installed on a clean system) then you will be aware of any changes and can scrutinise them more closely.-{ Quote: "Merely talking about "tracking cookies", where privacy of the user is somewhat invaded." }-I thought this was the case - perhaps the term "malware" is a bit of an overstatement here?
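
A small baseline-and-diff illustration of the advice above (learn which programs normally need network access on a clean system, then scrutinise changes), added here as an example that is not part of the thread and not any firewall's own logic. The log format, every log line and the COMMON_PORTS set are constructed for this example; the process names are the ones Paranoid2000 lists plus svchost.exe and rundll32.exe.

```python
"""Added example (not from the thread): record which programs used the network
on a clean system, then flag later connections that break that pattern.
All log lines and the log format are constructed for this example."""
from collections import defaultdict

# Constructed 'clean system' firewall log: date time process destination port.
BASELINE_LOG = """\
2005-08-13 09:01:02 iexplore.exe 208.77.188.166 80
2005-08-13 09:01:05 iexplore.exe 208.77.188.166 443
2005-08-13 09:02:10 msimn.exe 192.0.2.25 110
2005-08-13 09:02:11 msimn.exe 192.0.2.25 25
2005-08-13 09:03:00 svchost.exe 192.0.2.1 53
2005-08-13 09:03:01 svchost.exe 192.0.2.1 67
2005-08-13 10:15:30 firefox.exe 198.51.100.7 80
"""

# Constructed later log. The svchost.exe -> port 6667 line and the rundll32.exe
# line are deliberately the kind of change a user should be asked about.
LATER_LOG = """\
2005-08-14 08:00:01 iexplore.exe 208.77.188.166 80
2005-08-14 08:00:09 svchost.exe 192.0.2.1 53
2005-08-14 08:05:42 msimn.exe 192.0.2.25 110
2005-08-14 08:07:13 svchost.exe 198.51.100.99 6667
2005-08-14 08:07:20 rundll32.exe 203.0.113.5 80
2005-08-14 08:09:00 firefox.exe 198.51.100.7 443
"""

# Ports a known program may legitimately add later without a prompt (web, DNS,
# DHCP: the basics the post says a user should understand). Assumed set.
COMMON_PORTS = {53, 67, 80, 443}

def parse(log: str):
    """Yield (process, destination, port) from the constructed log format."""
    for line in log.splitlines():
        _date, _time, proc, dst, port = line.split()
        yield proc.lower(), dst, int(port)

def build_baseline(log: str) -> dict[str, set[int]]:
    """Per process, the set of ports it was seen using on the clean system."""
    seen: dict[str, set[int]] = defaultdict(set)
    for proc, _dst, port in parse(log):
        seen[proc].add(port)
    return dict(seen)

def classify(baseline: dict[str, set[int]], log: str) -> list[tuple[str, str, str, int]]:
    """Return (verdict, process, destination, port) per later connection.
    'known': matches the baseline; 'new-port': a known program on a port it
    never used that is not a common one; 'new-program': an image that never
    had network access before."""
    out = []
    for proc, dst, port in parse(log):
        if proc not in baseline:
            out.append(("new-program", proc, dst, port))
        elif port in baseline[proc] or port in COMMON_PORTS:
            out.append(("known", proc, dst, port))
        else:
            out.append(("new-port", proc, dst, port))
    return out

def review_queue(baseline: dict[str, set[int]], log: str) -> list[tuple[str, str, str, int]]:
    """Only the entries the user actually needs to look at."""
    return [e for e in classify(baseline, log) if e[0] != "known"]

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for verdict, proc, dst, port in review_queue(base, LATER_LOG):
        print(f"{verdict:12s} {proc:14s} -> {dst}:{port}")
```

Two of the six later connections end up in the queue: svchost.exe to port 6667 (a known program on a port it never used) and rundll32.exe (never seen on the network at all). Everything else, including firefox.exe moving from 80 to 443, is left alone, which is the point: the user only has to judge the deviations, not every prompt.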

richrf
August 13th, 2005, 06:14 PM
-{ Quote: "I thought this was the case - perhaps the term "malware" is a bit of an overstatement here?" }-

Possibly. I just call everything that Ewido picks up "malware" rather than try to differentiate viruses, trojans, spyware, tracking cookies, bots, etc. I've given up trying to differentiate types.

Cya,
Rich

Wai_Wai
August 13th, 2005, 06:27 PM
-{ Quote: "I appreciate that some AV's are much more capable of detecting/eliminating Trojans than ever before. But even with a 99% hit rate, that still leaves around 1000 undetected out of say 100,000 ! A lot more if the hit rate is less.

It used to be that viruses were the things we needed to be concerned with mainly, but not anymore. The amount of Trojans in all their forms, including RK's, has increased dramatically in the last 6 - 12 months, as recent events with TDS3 have shown.

Why take the chance, even if as i do you surf safely, with all that it implies. Because s**t does happen.
" }-

Some good questions are raised.
Q: Even if an anti-virus program can hit 99%, this still leaves 1% of trojans which haven't been caught. Better safe than sorry, we should use anti-trojans.

A:
Try to see if this makes things clearer.
First, by installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

There are 6 grades in the school (A-F).
"Anti-virus" program is like an A-B grade student; while "anti-trojan" is a D-E grade student.

Surely A/B grade students cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

"How about asking a D/E grade student to help?" the A-grade student thought.

"Are you crazy? How would I know how to solve this question? Too difficult for me," an E-grade student said, "There is surely a chance I can do it, but how big is the chance, you fool!?"

Surprisingly, he mentioned something which enlightened the A-grade student.

"You'd better ask other A/B grade students for help. They will know how to solve this difficult maths," the E-grade student enlightens the A-grade student.

"Ah! So stupid I am! Why didn't I seek help from other A-grade students in the first place?" the A-grade student grieves, "Now the A-grade students have left school. I have to wait for tomorrow."

Why does the software miss that 1%? Probably they use some advanced technique which is hard to arrest, or they are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

Your anti-trojan is not designed to close this 1% gap. Instead it is said to specialise in arresting trojan-related threats. Unfortunately they cannot even do better than anti-virus programs.

You may feel anti-trojan is specialised in arresting trojan guys! You may feel so due to the fact that:
- it is true in very early stages of security program
- the name "anti-trojan" mislead you that they should be specialised in trojans. It's in fact a misnomer based on hard facts. Sad to say, hard to accept, but have to admit. :"(
- now it is a sunset market. Remember why TDS is dead?? To survive, it has to convert into either "anti-virus" or "anti-spyware" (Ewido is a good example of moving towards anti-spyware). Anyway these 3 products have some degree of overlap.


So what should you do now if you are the A-grade student?
This leads to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate and only 50% for anti-trojan, it is equal to asking an E-grade student a difficult maths question which you, as an A-grade student, don't know how to answer.

Okay, so are you ready to ask other A-grade students now?

Hope this answers your question.
Feel free to discuss with me if you have further questions.

Paranoid2000
August 13th, 2005, 06:30 PM
Since this topic has been discussed previously, a few links would seem a good idea: AT vs AV, a 12 round bout for control of your security (http://www.wilderssecurity.com/showthread.php?t=88736) and AT Software (http://illusivesecurity.il.funpic.de/viewtopic.php?t=91) (Scheinsicherheit forum). Also see Scheinsicherheit's Code Permutation -- Unpacking Methods / Signature Strength (http://illusivesecurity.il.funpic.de/viewtopic.php?t=56) for an example of AT vs. AV performance.

Vikorr
August 13th, 2005, 06:35 PM
Actually, I do remember reading about a nasty sort of persistent flash cookie (I think it was a flash cookie) that had been developed, and was rather hard to remove, that didn't sound to pleasant.....sorry, read about it about 4 months back, and can't find the article on it.

Smokey
August 13th, 2005, 06:47 PM
-{ Quote: "Actually, I do remember reading about a nasty sort of persistent flash cookie (I think it was a flash cookie) that had been developed, and was rather hard to remove, that didn't sound to pleasant.....sorry, read about it about 4 months back, and can't find the article on it." }-
Interesting article and useful links here (http://www.epic.org/privacy/cookies/flash.html)

Wai_Wai
August 13th, 2005, 06:47 PM
-{ Quote: "How would you suggest the average user who wants to use these products, learn how to distinguish behavior?" }-

Does this somewhat answer your question?
-{ Quote: "
- Okay, you are good at puzzling me! Simply tell me, if you were me, what would you choose?
I am not you. I cannot choose for you.
but if I simply give you such kinds of vague answer, you will definitely beat me up.

Okay, if you are being bombarded/confused by the whole lots of advantages/disadvantages, then just forget the above. Take my word for grant temporarily, I will guide you to the appropriate choices.

Now, the question: what is the best to protect me from trojans?
I assume you have nothing on your computer yet.
I assume protection capability is of utmost importance to you.

First identify who you are (I have some descriptive texts for each group).
Then follow the steps each-by-each. Remember follow the first step first; the last step last. (Am I bullshxting?)
Stop at the point when you see you are secure enough, or you are fed up with getting more protection.

1st group: If you are a noobie, or a beginner who doesn't wish to bother with anything:
1. install 1 excellent anti-virus program (so you get 99+% trojan protection & lots more)
2. install 1 more excellent anti-virus program (now you get another 99+% trojan protection & lots more). Remember to turn off the real-time protection to avoid possible conflicts. If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. I only need 1 real-time protection.
3. install 1 excellent anti-spyware or more (now you may get 80+% trojan protection & some other benefits). If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. I only need 1 real-time protection.
4. install 1 excellent anti-trojan or more (now you get 50% trojan protection & only a jot of other benefits). Remember to turn off the real-time protection to avoid possible conflicts. If you are crazy enough, you may add as many programs as possible to max protection. Again, turn off all these real-time protections. I only need 1 real-time protection.


2nd group: If you are noobie/beginner who is willing to bother, or you are an intermediate:
1. install 1 excellent anti-virus program (so you get 99+% trojan protection & lots more)
2. Run as many FREE online virus scan (file + system scan) as possible until satisfied. You don't really need to install extra anti-virus programs: save space, save resources, save conflicts, save money, save problems...
3. install 1 excellent firewall ONLY and no more unless you are ready for possible troubles. As I said before, a firewall itself is difficult to use. But do you remember your friends - Google (search engines) and experts (forums)? If you meet them, you don't really need to be computing-knowledgeable. Your friends will help you.
4. install 1 excellent process protection. I temporarily recommend ProcessGuard. Really learn how to use it, or you shouldn't bother. What you need is mainly to go through its manual once. That's it. The rest can be left to your friends. This product, once you are familiar with it, is no different from a firewall. You don't need to take care of them anymore except that it will sometimes prompt you for decisions.
5. install 1 anti-spyware ONLY + utilize as many FREE online scan as possible until satisfied.
6. don't install any anti-trojan. Just utilize as many FREE online scan as possible until satisfied.

3rd group: If you are someone who is willing to get into trouble :P, or you are an (semi-)expert:
1. (see 2nd group Point 1-4)
2. Install registry protection. I don't know really anything (seemingly) good to recommend. You may try Regdefend or ask Google. Good luck!
3. (see 2nd group Point 5 downwards)

Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.

" }-

If not, then you may wish to read this part in my first post:
anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
I've discussed the difficulty issues, and I have explained how average users can still benefit from using firewalls / process protection.

Paranoid2000
August 13th, 2005, 06:47 PM
-{ Quote: "Actually, I do remember reading about a nasty sort of persistent flash cookie (I think it was a flash cookie) that had been developed, and was rather hard to remove, that didn't sound to pleasant.....sorry, read about it about 4 months back, and can't find the article on it." }-This was using Flash's local storage feature - see Macromedia - Settings Manager (http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html) for details on how to restrict this.

Wai_Wai
August 13th, 2005, 07:04 PM
-{ Quote: "ATs were never meant to replace AVs, or provide superior file scanning. I like how Kevin, of NSClean, put it.. your AV will pick up 90% of trojans, it's the last 10% that the AT is concerned with (that's paraphrased, not a direct quote).

There are lots of ways that a trojan can evade file scanning, the AT is meant to supplement/fortify your existing scanner with real memory scanning and other things that a common AV may lack. An AT may not pick up all that much more than your AV, but a modified trojan can still be caught in memory.. if you have a real memory scanner. An AT is also generally more capable of keeping it from entering memory and/or removing it from memory if it's already there. I've seen all too many infections where the AV says "Hey, you're infected! Sorry, there's nothing I can do..." If you end up with the Beast trojan on your machine, an AV and an AT would probably both be able to detect it, but which do you think will be capable of removing it? You could always remove it yourself, but that may be a painstaking chore for many, and many may still end up needing to reformat. And what about the malware that uses exploits to inject themselves directly into memory without planting any files? Scanners like Ewido and BOClean will also pick up that last bit of stuff that is outside the scope of many AVs, and won't go through the same process of prioritizing when it will be added to the database, if at all. Some malware writers are writing tons of variants and releasing them in small numbers (per variant) so that the AV companies won't add detection (because it's not prevalent enough), but an AT will." }-

So are you going to say anti-trojan is actually specialised in detecting the remaining 1% which other AVs won't detect?

But have you ever thought of using other AV or even AS free scanners to detect these trojans (remember both AV and AS can detect trojans)? You may wish to try "Ewido Security Suite" (now it tends to be anti-spyware-ised). It can detect a decent amount of trojans (it gets ~80%, so it defeats every anti-trojan) plus some spyware.

How about locking the memory for unauthorized access in the first place? Will it be more effective than anti-trojan ones?

How about blocking the execution of trojans in the first place? Will it be more effective than anti-trojan ones?

Not sure why one gets a trojan. Most probably from an infected file. How about using a "super" scanner before installing any suspicious files/exe?


Surely AT is one alternative.
But have you considered some other greater alternatives which can supplement anti-virus plus do much more other things?
You may finally choose anti-trojans. It's perfectly fine. But what I wish to raise is - have you ever realised the existence of any alternatives? Have you considered them before making a decision that AT is the best supplement to AV? Have you thought of more effective ways to protect your computer from trojans? Have you weighed whether the anti-trojan approach to keeping your computer away from trojans is really not more effective than other candidates?



-{ Quote: "
Sure, if you're a KAV user it may not be worth it to you to get an AT, depending on many factors.. but not everyone wants to use KAV. Just with file scanning alone, some may prefer to use an AV+AT to get an equal level of detection. There are also still plenty of things out there that the KAV team hasn't found yet, and many new ones can still infect a KAV protected system before they have a chance to update.. so again, which do you think will be the better at removing them without extra effort on the part of the user? The above test says nothing of this, and says nothing of the scope of what ATs are intended for." }-

Yes, you made a point.
I totally agree.
Read this:
-{ Quote: "
Q: Hmm... so should I still use AT program to add extra protection?
A: I'm not going to give you a black-and-white answer, but I would like to raise several important factors, so you could consider before making your own decision:
- what anti-virus program do you use?
- If you use Kaspersky-based anti-virus software, they help you to catch nearly all trojans, and so does all sorts of viruses/worms/mal-scripts.
- If you use something like AVG (the worst Anti-virus program on catching trojans), it may be worthwhile to install some AT program since they may help you to catch some extra trojans that your AV program misses.
-- However you may wish to consider other alternatives too (eg more anti-virus programs, anti-spyware, firewall, extra protection like process & registry protection). They all have their pros and cons which has been explained in anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
...
" }-

Wai_Wai
August 13th, 2005, 07:38 PM
-{ Quote: "Hi,

This is how I look at the issue.

Since I use KAV, there is, let's say, 1/100 chance that KAV will miss some malware. I estimate that, considering my surfing behavior, that I may encounter 4 malware in a year. That means, that KAV, on average, will miss some malware once every 25 years.

Now, suppose of the 1/100 that KAV misses, Ewido picks up 1/5 of those (I think I am being generous) with Ewido's added protection scheme. That means that Ewido will help me on average, once every 125 years. This is pretty negligible which is what I think Wai_Wai's point is.

My point is a bit different. That is, if one were to add additional protection, the user should be confident that the protection scheme is of such a nature that it would be able to add significantly to what KAV is currently offering. If one suggests (reasonable I think) that KAV's zero hour protection is "weak" at this point, then anything that enhances zero hour protection would substantially add to security by plugging this hole. For this reason, I believe that products such as ProcessGuard are quite reasonable additions to a KAV configuration.

One could make a case that NOD32 would be a good addition since it adds heuristics to signatures, but unfortunately, NOD32 cannot (should not?) run side-by-side with KAV. Lacking this, adding host intrusion protection to signature based protection would seem like a natural. Adding signature-based to signature-based (even if the scanning process is different) seems to me to be more problematic, unless it can be clearly demonstrated that ATs will have a much higher chance of picking up malware that KAV missed, than the number I suggested (i.e. 1/5).

Comments, as always are welcomed.

Rich" }-


Hi, Rich.
You have pointed out 2 points:
- AV can do it all (99%, don't you think is enough?) <-- you have said that
- 1% gap can be filled by:
-- common sense
-- safe browsing and safe computing
-- use "super" scan before executing/installing anything
-- use FREE online scan which can shoot trojans & other malware down (eg AV, AS [AS can shoot trojans & can be far better than AT!], AT)
-- don't forget your firewall
-- don't forget process protection (suitable for everyone who don't mind to learn a bit, or intermediate users)
-- don't forget registry protection (suitable for advanced purposes, for advanced users)

After implementing all the above, I see too little point why I need an AT?

One may ask, why don't you implement AT first, instead you implement other methods first?

The points are as follows:
- as said by Rich, AT is not significantly different from AV. They share more or less the same problem as far as I know.
- after reading the performance of anti-trojans (the best trojan specialists manage to get 50% only! With the death of TDS, only a-squared 2 can. And don't forget, they are just the best 2; others are much worse, 30% performance off)

To get a clearer picture, let's make some comparisons (AV vs AT over trojans and non-trojans):
-{ Quote: "
A good or excellent anti-virus can detect more than 90% ITW malware (including MS-DOS & Windows virus, macro, dialers, scripts, trojans, miscellaneous malware). As to anti-trojans, see this table:

Malware Type===average anti-trojans===best 5 anti-trojans===average anti-virus===best 5 anti-virus
trojans==========10-20%==============30%(*)===========about 70-90%======99.50-99.90%
Non-trojans=====2/3% to nearly 0%======less than 6%========about 70%-90%=====98-99%
* there are big difference even among the best: only 2 anti-trojans manage to get ~50%; then it suffers from a sudden drop of ~20%. The rest are poor (only 2X%, some being less than 10%)
Note:
- the percentage refers to the detection rate of that kind of programs, based on overall results of several tests (2003-2005)
- for the details of the data, feel free to ask me.
" }-

- simply speaking, asking AT to supplement AV is analogous to "an A-grade student asking a D/E-grade student to help on a difficult Math question." I would rather ask other A-grade students instead of a D/E-grade student.
Read Q: Even if anti-virus program can hit 99%, this still leave 1% of trojans which have been caught. Better safe than sorry, we should use anti-trojans in my first post for details.

- Surely you may not understand what I mean. It may be worthwhile to re-read my post since my post has been expanded hugely to clarify all the points made to reach my claims. We need time to understand each side, so we can find the "truth" :P

Thanks for your kind attentions.
And welcome for any comments.

Why
August 13th, 2005, 08:07 PM
What super scanner?

fetch
August 13th, 2005, 08:18 PM
-{ Quote: "What super scanner?" }-

Link for super duper scanner right here!

http://www.wilderssecurity.com/showthread.php?t=72131

Rico
August 13th, 2005, 11:02 PM
Hello Wai Wai

Your numbers for AV's look a little whacky! When you look at the comparisons at:

www.av-comparatives.org

see: Retrospective\ProActive May 2005


Please explain, perhaps I'm the whacky one?

Thanks
rico

Notok
August 14th, 2005, 12:57 AM
-{ Quote: "So are you going to say anti-trojan is actually specialised in detecting the remaining 1% which other AV won't detect?" }-I don't agree with your 1% assertion, first of all; second of all, it's not entirely about what the AV doesn't detect, it's about what the AV is not equipped to deal with should your system end up infected.

-{ Quote: "But have you ever thought of using other AV or even AS free scanners to detect these trojans (remember both AV and AS can detect trojans)? You may wish to try "Ewido Security Suite" (now it tends to be anti-spyware-ised). It can detect a decent amount of trojans (it gets ~80%, so it defeats every anti-trojan) plus some spyware." }-If my AV is ill-equipped to remove a trojan infection, I'm not going to go to another ill-equipped AV. However, the trojans that an AT may miss are most likely ones easily, and quite possibly better, handled by an AV.. Scanning a bunch of files on your drive is kind of contrary to the entire point of an AT, and IME does not reflect its real-world application.

And yes, Ewido is, IMO, currently the best anti-trojan.. my AT of choice. My assertions about AVs also apply to ASs, which is why I use Ewido over a resident AS. Ewido is still, however, an AT, and falls under the same category as your original post.. so I'm not entirely sure why you would put down ATs in general and amend it by saying "Maybe you should look at Ewido".

-{ Quote: "How about locking the memory for unauthorized access in the first place? Will it be more effective than anti-trojan ones?" }-What are you referring to here?

-{ Quote: "How about blocking the execution of trojans in the first place? Will it be more effective than anti-trojan ones?" }-Sure, provided you're savvy enough to make the correct decision. Problem is that most of these things make themselves look like legitimate system processes. The other problem is that if you just intentionally installed some software, you're probably going to allow any new executables it's installed to run. Prevx had to overhaul the way their product worked because the majority of users were allowing their systems to be infected.. for that majority, an AT would have been far superior.

-{ Quote: "Not sure why one gets a trojan. Most probably from an infected file. How about using a "super" scanner before installing any suspicious files/exe?" }-Trojans are software in and of themselves, they don't infect other files as virii do. You may also want to define "super scanner".. do you mean KAV? KAV is ill-equipped to handle modified trojans until it updates.. NOD32 and Ewido are my personal choice, together they're about as good as it gets. On top of that I have other behavior blockers, most of which include more signatures, although most of them don't use strong signatures, but it can still help. I would also never recommend installing more and more AVs, unless you're installing something like BitDefender Free that is made to work only on demand.. installing more than one AV (that is made to run resident) is likely to cause problems.


-{ Quote: "Surely AT is one alternative.
But have you considered some other greater alternatives which can supplement anti-virus plus do much more other things?
You may finally choose anti-trojans. It's perfectly fine. But what I wish to raise is - have you ever realised the existence of any alternatives? Have you considered them before making a decision that AT is the best supplement to AV? Have you thought of more effective ways to protect your computer from trojans? Have you weighed that anti-trojan approaches to keep your computer away from trojans are not really more effective than other candidates?" }-Lol, you may want to take a look at the pages in my sig.. there are plenty of alternatives there ;) There are many discussions around Wilders about HIPS and who they are and are not appropriate for. Rather than reiterate my opinion here, I will just recommend looking around a bit, there's lots of information available around here :) (including my own "weighing" of options ;) )

bigc73542
August 14th, 2005, 01:11 AM
There is no doubt that some antivirus programs detect more trojans than most AT apps. The difference I have noticed reading and trying to keep up with the technology is that an AT might not detect as many trojans but they are usually able to handle them better than an AV. There are several cases here on Wilders where an AV detected a trojan but couldn't delete it, whereas an AT was able to get rid of the malware. I realize that this is not always the case, but in most cases the AT will do a better job. So in my opinion it would be wise to have an AT if only to get rid of malware found by your AV.

Notok
August 14th, 2005, 01:23 AM
Yes, what he said ;D ;D

Wai_Wai
August 14th, 2005, 03:28 AM
-{ Quote: "What super scanner?" }-

Read this:
-{ Quote: "
- If you download a file and suspect it contains malware, try this all-in-one scanner (have 14 major AV scan engines, including topmost ones):
http://virusscan.jotti.org/
" }-

Wai_Wai
August 14th, 2005, 03:32 AM
-{ Quote: "Hello Wai Wai

Your numbers for AV's look a little whacky! When you look at the comparisons at:

www.av-comparatives.org

see: Retrospective\ProActive May 2005


Please explain, perhaps I'm the whacky one?

Thanks
rico" }-

It seems you are asking about my signature :P
The number is just a rough indicator, so you don't need to treat it seriously.
It comes from a test at www.virus.gr, or rather it is from http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69
[PS: as you notice, I ignore the second one, AVK; it is because this is a German product.]

More questions are always welcome.

Wai_Wai
August 14th, 2005, 03:46 AM
-{ Quote: "There is no doubt that some antivirus programs detect more trojans than most AT apps." }-

Yes, you are right. AV outperforms AT.
If you read the list, even the worst antivirus program (AVG) still defeats the best anti-trojan.


-{ Quote: "the difference I have noticed reading and trying to keep up with the technology is that an AT might not detect as many trojans but they are usually able to handle them better than an av. There are several cases here on wilders where an AV detected a trojan but couldn't delete it where as an AT was able to get rid of the malware. I realize that this is not always the case, but in most cases the AT will do a better job. So in my opinion it would be wise to have an AT if only to get rid of malware found by your AV." }-

You raise a good point.
So AT, although it is far worse at detecting trojans, can remove them easily once they are detected. And AV seemingly doesn't handle these trojans well.

So here comes another question of mine. Say I install an AV on my computer, and later I find the XYZ trojan; instead of getting an AT program, how about getting a removal tool which is aimed at that trojan? Will the removal tool do a much better job than AT (since, you know, this tool aims at that trojan)?

What do you think?

Notok
August 14th, 2005, 04:09 AM
There is some serious doubt as to the reliability of that test..
http://www.wilderssecurity.com/showthread.php?t=46810&highlight=virus.gr
http://www.wilderssecurity.com/showthread.php?t=77033&highlight=virus.gr

-{ Quote: "So AT, although it is far worse at detecting trojans" }-See above

-{ Quote: "instead of getting an AT program, how about getting a removal tool which is aimed at that trojan? Will the removal tool do much better jobs than AT (since you know, this tool aims at that trojan)?" }-Everyone decides their defense setup to their own liking, of course, but some would rather have something that deals with it properly to begin with, rather than having to hunt. What if the trojan blocks you from getting to the site with the removal tool, as some will do? What if the trojan is one of the real nasties, as the AT is designed to stop, in which you may not even want to be online until it's gone?

Why
August 14th, 2005, 04:46 AM
-{ Quote: "Read this:" }-


I am aware of jotti's. I would not really call jotti's a super scanner. Here is a quote from the jotti scanner:

"This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service."

Jotti's can and does miss malware.....some days it misses a lot for various different reasons. The types of private build trojans that are built to be undetectable would most likely not be picked up on a jotti's scan.

They would more likely be picked up as they unpack in memory by an AT such as Ewido or Boclean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it and it would not be detected in a jotti's scan but more likely than not Boclean and Ewido would pick it up.




Why

Wai_Wai
August 14th, 2005, 04:49 AM
-{ Quote: "I don't agree with your 1% assertion, first of all, second of all it's not entirely about what the AV doesn't detect, it's about what the AV is not equipped to deal with should your system end up infected." }-

The 1% assertion doesn't matter. It's just a rough indicator. Don't treat it seriously.

If you are going to use the best anti-virus program (eg KAV, F-Secure, AVK), you will miss ~1% of trojans. Wait... 1% itself is also an over-simplification even if the product is KAV. So we need to talk about what this 1% really comprises. KAV, for example, does not detect 99% for every kind of malware. There are variations...
And if you are going...

See! If I'm going to elaborate every point I have made in my post, the article will become lengthier and lengthier.
In order to keep our discussion in focus, I will simplify anything which is not really the core of the argument, or the argument can fall into a forever loop.

Can you see my point?
Surely if you feel the agreement on 1% is important (eg only 1% difference can influence the whole decision) when talking about why we should bother using AT, as the best solution, to supplement that AV, I can explain the "1% myth" if you wish to know more about why I take this for granted.


-{ Quote: "
If my AV is ill-equipped to remove a trojan infection, I'm not going to go to another ill-equipped AV. However, the trojans that an AT may miss are most likely ones easily, and quite possibly better, handled by an AV.. Scanning a bunch of files on your drive is kind of contrary to the entire point of an AT, and IME does not reflect its real-world application." }-

I would like to hear more from you.
It seems you understand something which I don't know. :D
At the same time, it seems you still cannot understand all my points raised in my first post. Have you read it through yet?

Here's my questions:
First, what is IME?
Second why do you think if your first AV is ill-equipped, the second AV must also be ill-equipped?
Third, if your first AV is ill-equipped, why do you think your AT must be able to cover the holes/flaws AV has?
Finally, as I have already said, "AT is better at something than AV" doesn't prove "I should choose AT" or "it is the best alternative", would you mind explaining why you feel AT is the best solution (if you think so) compared with all other possible solutions (eg AV, AS, firewall, process protection, registry protection)?



-{ Quote: "
And yes, Ewido is, IMO, currently the best anti-trojan.. my AT of choice. My assertions about AVs also apply to ASs, which is why I use Ewido over a resident AS. Ewido is still, however, an AT, and falls under the same category as your original post.. so I'm not entirely sure why you would put down ATs in general and amend it by saying "Maybe you should look at Ewido"." }-

Hmm...
So we have difficulties in agreeing what Ewido belongs to.

Ok, first let's talk about the labels AV, AT, AS.
You know, these labels are rather misleading. You should know why.
AV = NOT only just for anti-virus, it is capable of catching trojans.
AT = this one really mainly deals with trojan-related software.
AS = NOT just for spyware & adware. AS also takes care of trojans, keyloggers, dialers etc.

So ignore the misleading labels and try to re-delimit their scopes.
I try to outline the scope each type of program is focusing on (ie what aspects of malware do they mainly handle):
(Methodology: First, look at all programs of the same kind. Second, mark what type of malware each program of the same type can handle. Third, delimit their scope based on the results.)
AV: pre-requisite: must focus on virus(-related) threats. Also focus on macro, worms, scripts, trojans, keyloggers, dialers, and miscellaneous (harmful**) malware.
AT: pre-requisite: must focus on trojan(-related) threats. And that's it! For other aspects, they do (very) little.
AS: pre-requisite: must focus on spyware(-related) threats. Also focus on adware, hijackers, trojans, keyloggers, dialers, miscellaneous (harmless**) malware.
** here "harmful/harmless" refers to the (intentional) damage done on the computer. Some malware may aim to screw the computer (similar to virus but the behaviour is not the same as virus). I call them harmful malware. To the contrary, harmless malware is more to do with privacy intrusion, advertising, tracking (similar to spyware/adware but the behaviour is different). I call them harmless malware.

Do you understand more about the "real" meaning behind the labels?

If so, then we can see how Ewido should be defined. The authority should lie with the author. Unfortunately it claims that it is a "security suite" (?) Call itself a security suite?!? It's again a misnomer. I expect this kind of "security suite" to include at least AV, firewall, and AS. Anyway simply leave this point apart if you don't agree. We wish to keep our discussion in focus.

Now we analyse what Ewido can do:
In its website, the author tells us the product will detect:
- Hijackers (AS)
- Spyware (AS)
- Worms (AV)
- Dialers (AV)
- Trojan (AV, AT, AS)
- Keylogger (AV, AT, AS)
() indicates the areas which that most of that kind of programs focus on.

This product covers 4 areas of AV aspects and 4 areas of AS aspects.
However it is required to cover virus in order to be qualified as AV. So I rule it is AS now. :-)

If you agree on how I delimit the scopes of AV, AT and AS, you can see Ewido is not really an AT now. It used to be (surely you won't suppose that simply because Ewido was an AT in the first place, it must be an AT all the time).

{see next post}

Wai_Wai
August 14th, 2005, 04:52 AM
So now it's up to you to make your own classification and definition.
In fact, how one classifies products does not matter. The main point is you should understand the reasons behind why I think AT is not the best alternative to stop trojans.

For example, if KAV turns out to claim it is an AT (surely it can do so, it has the best detection rate among ATs), then I will agree KAV is the only AT we should use.

Now back to Ewido. What do you classify now?

If you think it is still an AT (which I think is a misnomer, since it can now deal with more spyware-related threats), then the statement may be:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help a lot, the best AT being Ewido of course.

If you think it is indeed an AT (2nd generation) or super-AT, then the statement becomes:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but it's not an optimal solution. I recommend you use this super-AT (2nd generation) Ewido.

If you think it is AS, then the statement becomes:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but don't bother since they don't do well. Try to use AS instead. You may try Ewido in this regard.


What I wish to say in the above is,
- apparently we are not disagreeing with each other; we are just disagreeing on each other's wording.
- in fact, we have the same idea (Ewido being a good program, no matter whether it is called AT or super-AT, or AS). We just use different wordings to express it.

If you ask me, I will surely like the AS label since it reflects more accurately the scope of this program (spyware+adware+trojans etc.) You know, AS are working hard to deal with trojans too since trojans are somewhat a kind of privacy intrusion, right? :P
If I say it is AT, it will distort its scope (you know AT only really focuses on trojans)
If I say super-AT, since this is a new label, I need to explain. Why not use an existing label, AS?



-{ Quote: "What are you referring to here?" }-
There are some products which can guard the physical memory.
ProcessGuard is the one.
You know, the creator of Process Guard actually comes from TDS developers.
So they know well on how to stop trojans.
Is that clear now?


-{ Quote: "Sure, provided you're savvy enough to make the correct decision. Problem is that most of these things make themselves look like legitimate system processes. The other problem is that if you just intentionally installed some software, you're probably going to allow any new executables it's installed to run. " }-

Hmm... It's another big topic to discuss.
I just take ProcessGuard as an example since I am familiar with this product.
In order to protect yourself against possible trojans, you need to go through the following steps:
- read the manual; (the best) make sure your system is clean
- let ProcessGuard learn your system (see below for explanation)
- every time you install a new program, do the following steps:
-- turn ProcessGuard into learning mode. It will record the behaviour of the system and learn what to allow
-- run the program at least once, so it can learn your new program too
-- you need to restart at least once, so ProcessGuard will know which programs should load up at start
- Do you remember that I said your system needs to be clean? Why? Because if it is infected by viruses, trojans etc., ProcessGuard may wrongly record these behaviours as legitimate, and you are ruined.

After all, you don't need to decide which program is legitimate. ProcessGuard learns to distinguish them. And you are protected by a layer which can even stop the newest/unknown malware.

For advanced users, if you are interested to know how exactly it protects you, read the following:
-{ Quote: "
Known Attacks - Introduction

It is quite amazing how many different types of attacks processes can launch against other processes. Many can be fatal, allowing the attacking process to completely bypass all security put forward by another. In this chapter we explain some of the main attacks, as briefly described here.

Termination - The attacking process attempts to terminate or otherwise fatally kill the target process. This is the most common attack and can be accomplished easily by a number of ways, but the most common method is to call the TerminateProcess function, located in the kernel32.dll module.

Crashing - The attacking process attempts to forcibly crash the target process. This is just as effective as termination, but often results in visual giveaways on-screen such as error messages from the operating system. Termination is usually preferred for this reason, but crash susceptibility is still a security concern, and error messages can easily be hidden by the trojan if its author wants it to do so.

Modification - The attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state. For example, an attacking process could modify an anti-virus scanner so that nothing is ever detected, or modify a firewall so that all traffic is allowed in and out.

Suspension - The attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state. Often this can still leave the visual impression that the program is ok, especially if it's only visible in the system tray or taskbar.

Leaktests - Leaktests are demonstration programs that test various methods of bypassing firewalls often used by trojans. The attacking process (in this case the Leaktest program) attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although never designed to be an anti-leaktest program, ProcessGuard has been demonstrated in real-world tests to have remarkable results against many firewall bypass techniques due to its process-protecting nature, making it possibly the strongest program available today for securing firewalls.

Rootkits & Drivers - Kernel-mode drivers (.sys files) have the power to perform very low-level system functions, and in the case of rootkits (advanced trojans that modify operating system functions to try to gain stealth) they can actually modify the behaviour of critical operating system functions and security processes.

Hooks & Injections - The attacking process attempts to inject a DLL (the hook) into all processes on the system, allowing it to then perform functions on behalf of other processes. When an application has been hooked it can make termination attacks a lot easier, as well as open up certain firewall leak-tests.

Physical Memory - It's possible for user-mode applications to read and even write to kernel regions of memory by using the "\Device\PhysicalMemory" object. This opens the door for a plethora of attacks against other processes.

User Imitation - Malicious programs can generate the same key strokes and mouse clicks that human users use to shut down programs. The attacks are program-specific but nonetheless very effective and fairly easy to execute. ProcessGuard is able to protect against such attacks by combining its advanced Secure Message Handling and Human Verification techniques.

Process Execution - You'd be surprised how many programs execute on your system without your knowledge, and there have also been various operating system and software exploits discovered over the years that allow attackers to execute programs on a target system. Controlling which programs can and can't run on your system is one of the strongest ways you can prevent the above attacks from occurring in the first place, so by allowing you to control program executions ProcessGuard provides you with two layers of security in one.


All of the attacks above represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing exactly what all of the code in the program does, but all of these attacks can be easily protected against by DiamondCS ProcessGuard, as demonstrated in further detail in this section.

Please note that due to functionality restrictions not all attacks can be prevented by the free version of Process Guard. Please upgrade to the full version for complete protection.
" }-



Arguable disadvantage:
"you need some computing knowledge to utilize this program, or you may be stupid enough to allow a trojan to do its job :P"
--> However "search engines" and "forums" are your friends. So even for dummies, if they realize the existence of these 2 "helpers", it's not really a problem (although you still need to spend some time and effort on it). For immediately and general help, use search engines like "Google". For special and detailed help, ask experts in various security forums.
--> if you follow my steps, ProcessGuard will not alert anymore. When it does alert (which is for something you haven't ever run before), it is really suspicious. Do the following:
1) Search to see if the *.exe is evil.
-> if found, follow what the website suggests
-> If you can't find it, it is likely to be evil
2) Ask the forum
-> Experts will tell you the answer hopefully. At that time, quarantine that evil until you get an answer


Now the decision is yours.
It's about all of what you need to do to utilize ProcessGuard.
To me, you just need to do some extra work; you don't need to have good computing knowledge. For some people, these steps may already scare them away.

By the way, as I have talked to you for a while, it seems you are also a computer expert. I would personally recommend you to try it out. I think the concept and the design is great, not to say it adds a lot of basic techniques to stop hackers' advanced techniques.

Tell you one thing. I once tried to test the firewall alone in a small leaktest. About half of the leak attacks could bypass the firewall. With the help of ProcessGuard, it can block all leak attacks (including very advanced ones). It's really inspiring. :D


-{ Quote: "Prevx had to overhaul the way their product worked because the majority of users were allowing their systems to be infected.. for that majority, an AT would have been far superior." }-

Would you mind telling me what Prevx can actually do?

-{ Quote: "
Trojans are software in and of themselves, they don't infect other files as virii do. You may also want to define "super scanner".. do you mean KAV? KAV is ill-equipped to handle modified trojans until it updates.. NOD32 and Ewido are my personal choice, together they're about as good as it gets. On top of that I have other behavior blockers, most of which include more signatures, although most of them don't use strong signatures, but it can still help. I would also never recommend installing more and more AVs, unless you're installing something like BitDefender Free that is made to work only on demand.. installing more than one AV (that is made to run resident) is likely to cause problems.
" }-

These have been answered in my first post and some of my replies.
Feel free to ask me if you don't know where to read the answers.

By the way, NOD32 is good in that it uses an advanced heuristic method. But beware of the following:
- false positives (it tends to generate more, not suitable for beginners)
- is relatively good at detecting Zoo viruses (rated advanced+ at http://www.av-comparatives.org/seiten/overview.html) but relatively poor at detecting ITW viruses (rated advanced only :( ).

Again it's another big topic.
If you want to know how exactly different anti-virus programs perform (instead of relying on biased/inexperienced magazines, user comments, and your own experiences), read the following:

Reports, Analysis
http://www.av-test.org/ (highly recommended!)
http://agn-www.informatik.uni-hamburg.de/vtc/ (highly recommended!)
http://www.av-comparatives.org/ (recommended!)
http://www.virus.gr/english/fullxml/default.asp

Benchmark
http://www.virusbtn.com/
http://www.icsalabs.com/



-{ Quote: "
Lol, you may want to take a look in the pages in my sig.." }-

Lol...
Why do you laugh at me?
Do I look silly? :P

-{ Quote: "
there are plenty of alternatives there ;) There are many discussions around Wilders about HIPS and who they are and are not appropriate for. Rather than reiterate my opinion here, I will just recommend looking around a bit, there's lots of information available around here :) (including my own "weighing" of options ;) )" }-

What's HIPS?
Sorry, I am not good at acronyms.

Notok
August 14th, 2005, 05:35 AM
-{ Quote: "Jotti's can and does miss malware.....some days it misses a lot for various different reasons. The types of private build trojans that are built to be undetectable would most likely not be picked up on a jotti's scan.

They would more likely be picked up as they unpack in memory by an AT such as Ewido or Boclean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it and it would not be detected in a jotti's scan but more likely than not Boclean and Ewido would pick it up." }-

I think that sums it up quite nicely. For further information refer to the links in my last post. :)

IME = In My Experience

Why
August 14th, 2005, 09:14 AM
-{ Quote: "

If you agree on how I delimit the scopes of AV, AT, AS, you can see Ewido is not really an AT now. It used to be (surely you won't suppose that simply because Ewido was AT in the first place, it must be AT all the time).

{see next post}" }-


Then what is Boclean? BoClean detects just as much spyware as Ewido, if not more. What about Trojanhunter and A-squared? I remember reading somewhere that Magnus had hired someone to concentrate on adding spyware signatures and I am sure if you look in both programs databases that you would find lots of spyware also.

Almost all of the Anti-trojans are on the way to becoming hybrid anti-trojan and anti-spyware scanners. All of this classification nonsense is just obscuring the debate.

Why don't we call anti-trojans another name? How about anti-malware scanners. Do we need anti-malware scanners that were formerly classified anti-trojans to supplement anti-malware scanners that were formerly classified as antivirus? That is a better question.



Why

Why
August 14th, 2005, 09:39 AM
-{ Quote: "
Arguable disadvantage:
"you need some computing knowledge to utilize this program, or you may be stupid enough to allow a trojan to do its job :P"
--> However "search engines" and "forums" are your friends. So even for dummies, if they realize the existence of these 2 "helpers", it's not really a problem (although you still need to spend some time and effort on it). For immediate and general help, use search engines like "Google". For special and detailed help, ask experts in various security forums.
--> if you follow my steps, ProcessGuard will not alert anymore. When it does alert (which is for something you haven't ever run before), it is really suspicious. Do the following:
1) Search to see if the *.exe is evil.
-> if found, follow what the website suggests
-> If you can't find it, it is likely to be evil
2) Ask the forum
-> Experts will tell you the answer hopefully. At that time, quarantine that evil until you get an answer


Now the decision is yours.
That's about all you need to do to utilize ProcessGuard.
To me, you just need to do some extra work; you don't need to have good computing knowledge. For some people, these steps may already scare them away.

By the way, as I have talked to you for a while, it seems you are also a computer expert. I would personally recommend you to try it out. I think the concept and the design is great, not to say it adds a lot of basic technique to stop hackers' advanced technique.

Tell you one thing. I once tried to test the firewall alone in a small leaktest. About half of the leak attacks could bypass the firewall. With the help of ProcessGuard, it can block all leak attacks (including very advanced ones). It's really inspiring. :D
" }-


The decisions that need to be made when it concerns PG are a little more involved than that. It involves making the correct decision on every alert. Sometimes, those answers are not found on google and sometimes forums can not give you answers either.

One of PG's weaknesses is that if you like installing freeware, you might willingly allow a driver to install. Much software these days installs drivers, so how do you know what to allow and not allow when PG has no signatures?

Plus, PG is not foolproof. There are weaknesses that PG might not protect against. Some of those threats might be theoretical in nature and others are not.

Now there are some companies that are doing things to try to take the guessing game out of the equation. One such program is Online Armor. Online Armor creates a database of allowed programs and disallowed programs.

The disadvantage of Online Armor is that it is a relatively new program and probably not at this point in time as good as PG is in protecting against certain threats.

What about A squared? It does not claim to have a great scanner. Its strength is its IDS. A squared is more a behavior blocker than it is a scanner. You should look into what A squared is doing. You might actually like their concept.



Why

gramma
August 14th, 2005, 10:11 AM
Normally I won't waste my time on topics such as this one due to the subject having been beaten to death over the years.

Classification: clearly one very long-winded poster needs to learn what is and what is not a trojan before even attempting to enter into a debate on the subject.
So, what's it going to be: is a stored cookie a trojan? Is spyware a trojan? Is a trojan actually a virus? Are AVs supposed to detect trojans and ATs supposed to detect viruses? If a person really wants to confuse the issue just throw in a few questions like that. And that displays a person's true lack of knowledge on the subject.
No, I have no intention of entering into this subject. It was just beginning to get a little embarrassing reading some of the confusing posting. There are a few very knowledgeable posters in this thread offering nice comments. And there is also at least one poster who really needs to start over in the learning process. Cause you just ain't very computer savvy.
No offense intended towards anyone. It's just that posting a lot of links of other people's tests and results doesn't prove you personally know anything about the subject other than you know how to copy and paste links. And when it becomes clear that a poster can't make up their mind what is and what is not a trojan then it's time to halt the debate.
Learn what a trojan is. That's the best place to begin.

Wai_Wai
August 14th, 2005, 10:48 AM
-{ Quote: "I am aware of jotti's. I would not really call jotti's a super scanner. " }-

It is called "super" simply because I can scan a file with 14 engines at one-stop, but not because it can 100% detect malware.

-{ Quote: "
Here is a quote from the jotti scanner:

"This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service."

Jotti's can and does miss malware.....some days it misses a lot for various different reasons. The types of private build trojans that are built to be undetectable would most likely not be picked up on a jotti's scan.
" }-

Yes, you are right. It is still not 100% safe.
Anyway, nothing is 100% safe, and neither is AT.

For people who say they need to share files in p2p (high-risk groups), one can use the online all-in-one scanner (14 engines) to see if it has any malware before installing the file. Surely I'm not going to say it is 100% accurate; that holds true for AT too.

So I don't know why this can be a point to disfavor the use of all-in-one scanner. If it was the point, we shouldn't use AT either.

Think about the chance. I do think using an all-in-one engine (in which some engines have 99% hit rates) makes it far easier to detect malware than one AT engine.

Feel free to tell me why if I am wrong.


-{ Quote: "
They would more likely be picked up as they unpack in memory by a AT such as Ewido or Boclean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it and it would not be detected in a jotti's scan but more likely than not Boclean and Ewido would pick it up.
" }-

If I can detect the trojan in the first place, how come I need to have this protection?
It is already a bit bad when they have been infected in your system.

And as I said, although AT can supplement AV, it is in a limited way. There are far better alternatives which can supplement the AV and lots more, including AS (remember AS can detect trojans, keyloggers etc.), firewall, process protection, registry protection, or even another AV scan.

richrf
August 14th, 2005, 10:57 AM
-{ Quote: "And as I said, although AT can supplement AV, it is in a limited way. There are far better alternatives which can supplement the AV and lots more, including AS (remember AS can detect torjans, keyloggers etc.), firewall, process protection, registry protection, or even another AV scan." }-

I believe this is the main point. There are certainly "custom malware" that can slip past signature-based and heuristics-based anti-malware packages that are either scanning on-demand or in memory (btw - believe that this may be a better way of classifying anti-malware packages). So the question is, what method of protection will provide the most incremental gain. I believe there are these courses of action:

1) Add heuristics based anti-malware to supplement signature based.
2) Add in-memory scanning anti-malware to supplement on-access.
3) Add behavioral-based anti-malware to supplement signatures and heuristics.

In real-time, right now I have strong signatures (KAV), in-memory (Ewido), and behavioral-based (ProcessGuard, RegDefend). I use online scanning now and then, in the form of BitDefend, to add some heuristics-based scanning. I believe that each addition, over and above KAV, provides very little incremental protection on a probability basis (I just don't run into any malware all that often), but it is comfortable for me.

Rich

Why
August 14th, 2005, 11:08 AM
-{ Quote: "
If I can detect the trojan in the first place, how come I need to have this help?
It is already a bit bad when they have been infected in your system.

And as I said, although AT can supplement AV, it is in a limited way. There are far better alternatives which can supplement the AV and lots more, including AS (remember AS can detect trojans, keyloggers etc.), firewall, process protection, registry protection, or even another AV scan." }-


Because you might not detect the trojan in the first place with an on-demand scan. You should read up on trojans and trojan detection methods. Super scanners are really not that super at all. Most of the reason all of those scanners are at Jotti's is so they can collect samples of malware that they can not detect.

About the site that has the malware that I mentioned before. I have sent the sample in to Kaspersky and they still can't detect it weeks after submission with their on-demand scan!!! I suspect that the malware is using some packer that KAV can't unpack, like maybe Armadillo.

That is a good science project. Everyone research how many AVs can unpack the latest Armadillo reliably.

ATs are not perfect either, but some of the better ATs can catch the trojan as it enters memory but before it has a chance to infect. You should read up on how Boclean works. Ask someone like Mercurie. I am sure he will enlighten you as to how effective it is at detecting and removing trojans.

ATs are not the first line of defense. They are there in case something beats the AV scanner. Whether someone uses an AT or not should probably depend on their risk level.



Why
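
[Editor's added example, not code from this thread or from any product named in it. It shows the point Why makes above: a file scanner that cannot unpack a packed trojan sees only the packed bytes, while a scan of the image after the stub has decoded it sees the real body. The packer here is a toy (a marker, a one-byte key, and the payload XORed with that key), an assumption standing in for commercial packers; the signature table and the sample payload are constructed for this example.]

```python
"""Added example, not code from the thread or from any product it names.

It shows why an on-disk signature scan can miss a packed trojan that a scan of
the unpacked image catches. The packer is a toy (XOR with a one-byte key behind
a marker), an assumption standing in for commercial packers; the signatures and
the sample payload are constructed for this example.
"""
import hashlib

# Constructed signature table: name -> byte pattern a scanner looks for.
SIGNATURES = {
    "Toy.Backdoor.A": b"BIND_SHELL_4444",
    "Toy.Keylogger.B": b"GetAsyncKeyState",
}

MARKER = b"TOYPACK"


def pack(payload: bytes, key: int) -> bytes:
    """Toy packer: marker, one-byte key, then the payload XORed with the key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 so the payload actually changes")
    return MARKER + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """What the packed program's stub does at run time, in memory."""
    if not blob.startswith(MARKER):
        raise ValueError("not a toy-packed blob")
    key = blob[len(MARKER)]
    return bytes(b ^ key for b in blob[len(MARKER) + 1:])


def signature_scan(data: bytes) -> list:
    """Naive signature scanner: fixed byte-pattern substring match."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def scan_on_disk(blob: bytes) -> list:
    """A file scanner without an unpacker sees only the packed bytes."""
    return signature_scan(blob)


def scan_unpacked(blob: bytes) -> list:
    """A scanner that runs after (or emulates) the stub sees the real image."""
    image = unpack(blob) if blob.startswith(MARKER) else blob
    return signature_scan(image)


def file_hash(blob: bytes) -> str:
    """Whole-file hash, the weakest kind of signature: any re-pack changes it."""
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: a 'trojan' whose body carries one of the signatures.
SAMPLE = b"MZ\x90\x00 fake header ... BIND_SHELL_4444 ... connect back"


def demo() -> dict:
    """Pack the sample twice with different keys and compare scanner views."""
    a = pack(SAMPLE, 0x5A)
    b = pack(SAMPLE, 0x7F)  # 'private build': same trojan, re-packed
    return {
        "plain": signature_scan(SAMPLE),   # unpacked body is detected
        "disk_a": scan_on_disk(a),         # packed file: nothing matches
        "disk_b": scan_on_disk(b),
        "mem_a": scan_unpacked(a),         # after the stub runs: detected
        "mem_b": scan_unpacked(b),
        "same_hash": file_hash(a) == file_hash(b),  # re-pack defeats hashes
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```

The two re-packed builds share no file hash and match no pattern on disk, yet both decode to the same body, which is what a scan of the unpacked image (or of memory once the stub has run) can still match. A real engine closes the gap by emulating or statically unpacking known packers; the post's observation is that when the packer is one the engine cannot unpack, the on-demand scan is blind until the body is exposed.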

Wai_Wai
August 14th, 2005, 11:11 AM
-{ Quote: "Then what is Boclean? BoClean detects just as much spyware as Ewido, if not more. What about Trojanhunter and A-squared? I remember reading somewhere that Magnus had hired someone to concentrate on adding spyware signatures and I am sure if you look in both programs databases that you would find lots of spyware also." }-

In fact, based on my way of classification, TrojanHunter & A-squared are clearly AT. I think you should understand why if you have read what I wrote. I have explained before, so I save it.

Boclean... I don't have info about this product. Again like Ewido, the authors do not claim their product is an AT either.


-{ Quote: "
Almost all of the Anti-trojans are on the way to becoming hybrid anti-trojan and anti-spyware scanners. All of this classification nonsense is just obscuring the debate.
" }-

Hmm...
My main delimitation line is what they mainly focus. If a program can detect a few or some numbers of that kind of malware (Eg spyware), should we still classify it as anti-spyware too?

If it is so, then a whole lot of security products are called anti-malware. AV, AT, AS are suddenly classified as anti-malware.

So what do you think?
How should you define products like Norton, KAV, McAfee, Spybot, BOClean, Ewido? AV? AT? AS?

Anyway, we do need to settle on this matter since it is just a problem of definition or a naming issue. No matter what definition, it doesn't really affect the essence of the claim. What I wish to find out is whether we should bother to use these-and-these products like A squared 2, Hacker Eliminator 1.2, The Cleaner (which their authors call AT), not how to classify a product.

Keeping the discussion in focus is my point.


-{ Quote: "
Why don't we call anti-trojans another name? " }-
I have already said that the labels AV, AT, AS are all problematic.
So I agree they'd better make some other labels.


-{ Quote: "
How about anti-malware scanners. Do we need anti-malware scanners that were formerly classified anti-trojans to supplement anti-malware scanners that were formerly classified as antivrus? That is a better question.
" }-

That's again a debate of wording only.
The essence of the answer remains unchanged, but just the wording is different.

It's up to you to make your own classification and definition.
In fact, how one classifies products does not matter. The main point is you should understand the reasons behind why I think AT is not the best alternative to stop trojans.

For example, if KAV turns out to claim it as AT (surely it can do so, it has the best detection rate in AT), then I will agree KAV is the only AT we should use.

Now back to Ewido. What do you classify now?

If you think it is still an AT (which I think is a misnomer, since it can now deal with more spyware-related threats), then the statement may be:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help a lot, the best AT being Ewido of course.

If you think it is indeed an AT (2nd generation) or super-AT, then the statement becomes:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but it's not an optimal solution. I recommend you use this super-AT (2nd generation) Ewido.

If you think it is AS, then the statement becomes:
- If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but don't bother since they don't do well. Try to use AS instead. You may try Ewido in this regard.

So if you ask this question, the answer is it is (indirectly) answered already.
If you don't think so, I may re-word my claim, so you can see my point. :)

richrf
August 14th, 2005, 11:20 AM
-{ Quote: "They would more likely be picked up as they unpack in memory by a AT such as Ewido or Boclean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it and it would not be detected in a jotti's scan but more likely than not Boclean and Ewido would pick it up.
Why" }-

Did you load up Ewido, BOClean, Trojan Hunter, or A-squared (trial or licensed of any of these) to check whether they were able to detect it? This would be a really nice test of these products' backup capabilities.

Rich

Wai_Wai
August 14th, 2005, 11:42 AM
-{ Quote: "The decisions that need to be made when it concerns PG are a little more involved than that. It involves making the correct decision on every alert. Sometimes, those answers are not found on google and sometimes forums can not give you answers either.

One of PG's weaknesses is that if you like installing freeware, you might willingly allow a driver to install. Much software these days installs drivers, so how do you know what to allow and not allow when PG has no signatures?

Plus, PG is not foolproof. There are weaknesses that PG might not protect against. Some of those threats might be theoretical in nature and others are not.

Now there are some companies that are doing things to try to take the guessing game out of the equation. One such program is Online Armor. Online Armor creates a database of allowed programs and disallowed programs.

The disadvantage of Online Armor is that it is a relatively new program and probably not at this point in time as good as PG is in protecting against certain threats.

What about A squared? It does not claim to have a great scanner. Its strength is its IDS. A squared is more a behavior blocker than it is a scanner. You should look into what A squared is doing. You might actually like their concept.

Why" }-

Before continuing the discussion, I would like to raise one point.
I do not intend to offend you. I just wish to make you understand one point.

In your post, you talked about the problems of PG and Online Armor. Yes I agree that they have their own disadvantages. I have also explained their disadvantages as well in my first post. Have you read?

Then you point out AT is using IDS which is a behaviour blocker. From your flow and wording, I guess you are supporting AT since it has IDS and it is better than what I suggest, right?

That's the whole logic of your article. However you have committed fallacies in reaching your main conclusion. Not to become long-winded, I just briefly point out your fallacies:

"Since XX has disadvantages, XX is not recommended."
This reasoning is wrong. In order to prove we should NOT choose A over B, you should prove A is overall LESS advantageous than B.

"Since YY has advantages, YY is recommended."
This reasoning is wrong. In order to prove we should choose A over B, you should prove A is overall MORE advantageous than B.

If you understand what I mean above, here's what I would like to learn more about.
How can we compare among AT and:
- firewall
- AV & AS
- Process protection
- Registry protection

Why do you feel AT (& its concept of IDS) is more beneficial to most people in general situations than other alternatives?

I would like hear, if you don't mind, how you weigh the pros and cons of different alternatives. Then weigh their advantages and disadvantages, and make your final conclusion.

To see how I weigh different options, see the heading "anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?" in my first post.

Why
August 14th, 2005, 12:01 PM
-{ Quote: "to see how I weigh different options, see the heading "anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?" in my first post" }-


Before the discussion can continue, you will have to research Trojans and Anti-Trojan methods. No one is going to be able to teach you these things in one afternoon and in one small thread.

In your research you will probably discover things that will give you greater understanding and might make you question some of your original assumptions.

You can start here:

http://scheinsicherheit.sc.funpic.de/procedure2.htm

and here:

http://illusivesecurity.il.funpic.de/index.php

but don't just stop there. There is a whole world full of information beyond those starting points.



Why

StevieO
August 14th, 2005, 12:31 PM
Wai_Wai, I must say your english is much better than my chinese. I have/do look/ed at those two links, illusive/scheinsicherheit, you gave in your post, which are good resources, amongst others.


Back to (Xfocus)ing on things.

I was going to suggest calling them anti-malware scanners as Why has already done. I do think in principle it's a nice idea. The trouble is the market place in particular, and also consumers, need clear delineation for obvious reasons.

On top of that we have a situation where the purveyors of Adware etc etc are resisting and challenging, even through the courts, our guardians' descriptions of their (products/services).

So AM as accurate as it is for us, won't hold up probably legally anyway, as a description for an App etc. It just wouldn't be worth the hassle. We are free to call it AM generally in references though.

I still prefer to know i'm reading/talking about AV, AT, AS etc for clarity.

About the 1% issue. I think that missing 1% etc could be covered to some extent by another App that the other one/s overlooked. I doubt if two or more databases from different Apps would match exactly.


StevieO

Wai_Wai
August 14th, 2005, 01:40 PM
Here's what "why" said in another thread:

-{ Quote: "
Even Ewido won't detect it on the on-demand scan but if you click on it, I am certain the memory scanner will identify it and block it. Software such as PG might not help you with that particular malware. PG is dumb, in that it can not make decisions on what is good or bad. If you are installing something that you already think is innocent software, you might click through all the alerts and then find out the software is not so innocent and by then it is too late. You will then probably have to use Ewido or Boclean to remove it.
" }-

It seems your ProcessGuard (PG) has problems.
Because your situation shouldn't happen unless you have messed it up.
It shouldn't have any alert.
For the above method, what the trojan does is to rewrite the physical memory. Instead of giving an alert, ProcessGuard will block it. If you wish to allow it, you have to do it in the GUI.

And your case is applicable to stupid noobies. For people who have read the manual and remember to use "learning mode", you are very safe. Don't think the situation is the same as with a firewall; you will even have fewer alerts when you use ProcessGuard (eg I can have no alert in the whole day).

One protection it offers is to lock the access rights of physical memory. In fact, only a few system files need access to the memory. It is uncommon for a program to need such kinds of access. So you don't really need to open the access rights (it's like the case of ports. It's stupid to open so many ports). So why not lock it up? It's much safer than relying on an AT to identify trojans, in which trojans still have good ways to hide themselves in front of an AT memory scan.

To have a clearer picture, I should really compare the pros and cons of ProcessGuard and AT, instead of just showing the positive sides of ProcessGuard.

This is a good comparison which tells you why PG is better than AT:
(If you don't have time, jump to the conclusion)

-{ Quote: "
Case 1: Noobie
Draw or AT slightly wins
PG
If the noobie is so stupid (doesn't bother to read the manual) that he thinks PG is install-and-forget, then he may be in trouble. Anyway it seems PG also has an automatic way to turn on learning mode and turn it off when it is first set up. So he may still be protected.

AT
The same stupid thing can apply to AT. The most common problem is he doesn't update its signature. One may be stupid enough to misconfigure the AT.


Case 2: Beginner who is willing to learn/bother, but no need to have good computing knowledge
ProcessGuard will win
PG
As I say, you don't really need to try hard to learn PG. What you need to do is:
1) read manual - know how to use learning mode
2) use your friends "search engine" and "forums"

- It can help you in most of the cases.
(again remember, the fact that there are still chances you may not get helped in a few cases does not disfavor using PG. Only if the chance of PG not helping you is greater than that of AT is PG not worthwhile. It's a common invalid argument which is used to disfavour a product)
- Really few alerts (unlike firewalls).
- Much higher protection. (Take it for grant at this stage)

AT
- Being a bit easier to learn is not an advantage for someone who is willing to spend some minutes to learn, when the former offers more advantages.


Protection method
PG largely wins
PG
One protection it offers is to lock the access rights of physical memory. In fact, only a few system files need access to the memory. It is uncommon for a program to need such kinds of access. So you don't really need to open the access rights (it's like the case of ports. It's stupid to open so many ports). So why not lock it up? It's much safer than relying on an AT to identify trojans. I know trojans still have good ways to hide themselves in front of a memory scan.


AT
You don't need to make any decision (to protect yourself), At will do it for you, but so does PG.

However the problem is you depend on its signature base to identify trojans. The shortcomings are:
1) its signature base is far weaker than AV (I don't expect it can detect a wide range of trojans alone)
2) It will become vulnerable when it faces Zoo trojans. ProcessGuard is still solidly strong at preventing ITW and Zoo trojans.
- Incidentally, remember a lot of ATs are really bad. If you use AT, you need to know how to choose.


security design of the product itself
PG largely wins
PG
ProcessGuard is a kernel-based product. It is much harder for a trojan to attack/modify/terminate/nullify this product.

AT
I don't think AT is kernel-based, so they are subject to invasion by malware. A malware can simply nullify your AT AND deceives you that it keeps working fine.

Extra benefits
PG largely wins
PG
Surely it isn't designed for anti-trojan use only. It has many benefits.
Just to name a few:
- supplement AV/AT/AS, firewall
- stop trojans to rewrite memory
- stop malware to install drivers/services
- help firewall to pass (nearly) all leak attacks (without it, your firewall may pass from 0-10% to 50% only)
- prevent insidious execution of files (if you use learning mode, any execution which is not expected/triggered by you is very likely to be evil. Block it. Simple!)
- prevent: termination/crashing/modifying/nullifying of system or security programs, dll injection, suspension, memory leak/overflow, rootkits/drivers/keyloggers, mouse & keyboard hooks, user imitation
- and so on

AT
- It only helps you to add a small protection for trojan protection (you know AT is only used as a supplement over AV, so that's why it's just a small protection). That's it.


Resource usage
PG wins or it depends
PG
The author claims it uses few resources due to its way of design (kernel-based, using a driver etc.). The memory usage is 13,XXX K only on my computer.

AT
It depends on what program you use.
But I may guess it generally uses more resources due to the way it has to do real-time protection. (remember I say generally only!)
" }-

Conclusion
To me, after this comparison, I can't see why I should use AT instead of PG. First, I'm not a stupid noobie. I'm willing to learn. If you are willing to learn, the product is not difficult to use due to its great feature - ProcessGuard. Surely you should not misuse your product. But if you read the manual and are willing to follow it, it is easy to use it properly.
Second, it provides far better protection which AT cannot offer. The knowledge requirement is no higher than a beginner's, at least in most of the cases.
Third, I am not a security freak; I will not try to max out security by any inch. So I don't bother to add any AT. I don't wish to run so many security products and waste my resources.

Wai_Wai
August 14th, 2005, 01:55 PM
-{ Quote: "They would more likely be picked up as they unpack in memory by a AT such as Ewido or Boclean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it and it would not be detected in a jotti's scan but more likely than not Boclean and Ewido would pick it up.
Why
" }-

Indeed I doubt if it is true.
"Why (the author)" did state that an all-in-one engine can fail to detect a malware, but it is true for AT, right?

Also it seems he doesn't know memory scan is unreliable too.
1) It depends on your signatures
2) trojans can bypass the scan
3) trojans can modify your AT.

So if you ask me, both AV and AT have their own problems.

A memory lock (offered by PG) is a far better solution. And don't get it wrong that you need to have good knowledge to use this feature well. You don't!
Its secure structure (kernel-based) can solve my abovesaid problems too. A trojan can't modify it, or at least very difficult to do.

If you still don't understand why, read the above post before making other claims.

By the way, "why" seems to claim "I have excessive misplaced trust in the capabilities of heuristics."
It seems he feels it is rather useless. Indeed AVs have good designs and the heuristics can work to stop malware which is not in their signature bases.

See some hard facts:
KAV managed to stop 43% of Zoo malware, while NOD32 got 49%.
(http://www.av-comparatives.org)

I don't think AT can do much better than them when facing with Zoo malware.

If you are still in doubt, more hard facts can be quoted.

Why
August 14th, 2005, 01:58 PM
-{ Quote: "Here's what "why" said in another thread:



It seems your ProcessGaurd(PG) has problems.." }-

You're engaging in speculation now. Once the conversation veers off into speculation then I must leave the discussion because speculation only brings confusion.

It is not PG that has problems. It is the decisions that the end user must make that is the potential problem.

PG is still a fairly new program and its user guide is, well, incomplete. I am sure DCS will expand the user manual as they also update the program.

Also you might seem to think PG is 100% bulletproof but it is not. If you search far enough, you can find its weaknesses.

Have a good day.



Why

Wai_Wai
August 14th, 2005, 02:07 PM
-{ Quote: "Your engaging in speculation now. Once the conversation veers off into speculation then I must leave the discussion because speculation only brings confusion." }-

Some hard facts have been provided indeed.
but since I am too long-winded, so the info is buried in the deep sea.


-{ Quote: "
It is not PG that has problems. It is the decisions that the end user must make that is the potential problem." }-

It's not really true.
You don't really need to make decisions.
PG will do it for you.

Again, I have explained this previously.



-{ Quote: "Also you might seem to think PG is 100% bullet proof, but it is not. If you search far enough, you can find its weaknesses." }-

I have never made such a claim.
It is common for you to use the "A is not 100%, so you should use B" method to prove your statement.

Think about it. The memory scan method is flawed too.
I have listed 3 of its flaws, which are explained previously.



-{ Quote: "Have a good day." }-

Thanks. :P

Notok
August 14th, 2005, 02:22 PM
Wai_Wai, it's obvious that you're new to this forum, and I think everyone here respects that; however, what you're missing in a lot of what's being said here is that many/most of the points you raise have been debated thoroughly and endlessly, for days and weeks on end, throughout the rest of the forum. I would really recommend that you look around for a little while.. there's a lot of information that would make sense of what's being said. A lot of people here simply don't want to get into a long-winded discussion all over again, so things are being stated simply in an effort to help you understand without getting into another new debate.

Secondly.. honestly.. you're confusing a lot of issues and seem to be selectively paying attention to points raised, and in some cases it would almost seem intentional, if I didn't know better (which, I suppose, I really don't). You really should go back and read the links about the virusp.gr tests.. the reality of the statistics you're basing your presumptions on makes for a lot of confusion with your arguments. One main indicator of that test's inaccuracy is that different scanners using the same scanning engine are showing wildly different results, and the AT scores were obviously done without any real knowledge of what ATs are for or how they work. Much of that information is also quite outdated (things have changed considerably in the past year), or completely backwards.. take this, for example:

-{ Quote: "By the way, NOD32 is good in that it uses an advanced heuristic method. But beware of the following:
- false positives (it tends to generate more, not suitable for beginners)
- is relatively good at detecting Zoo virus (rated advanced+ at http://www.av-comparatives.org/seiten/overview.html) but relatively poor at detecting ITW virus (rated advanced only)." }-
NOD32 has a track record for detecting the most ITW malware, with the least false positives. It used to be bad at detecting "zoo" samples and trojans, but that has changed quite a bit in the past year.

Using this as just one example, I hope you can go back and see more clearly some of the points that have been raised. Yes, you have made mention of the points in your original post, but with a little effort it should be clear why many disagree with your conclusions.

I'll wrap this up by saying that many here, including myself, feel that the "classification" of different programs is, in fact, something that should be paid attention to. If someone comes to the forum looking for help with adware, and you recommend Ewido over a dedicated AS (because, hey, they're all spyware scanners, right?), that person is likely to continue to have problems. I personally chose Ewido and NOD32 because they will pick up the worst of stuff, and my HIPS (behavior blockers) will take care of the rest, and I don't mind spending the time to clean up if I make a mistake. The problem is that many people simply don't have the patience to hunt around on Google, forums, etc., to find out what this cryptic alert means.. many wouldn't even know where to start. For those people, having a few different scanners is probably the best way to go, but these things are generally taken on a case-by-case basis.

Hopefully that helps make sense of some of the responses in this thread.

Wai_Wai
August 14th, 2005, 02:34 PM
-{ Quote: "Wai_Wai, I must say your english is much better than my chinese. I have/do look/ed at those two links, illusive/scheinsicherheit, you gave in your post, which are good resources, amongst others." }-

Your English is not bad either.

-{ Quote: "Back to (Xfocus)ing on things.

I was going to suggest calling them anti-malware scanners as Why has already done. I do think in principle it's a nice idea. The trouble is the market place in particular, and also consumers need clear delineation for obvious reasons." }-

Yes, it may be a better label.
However, all security software suddenly becomes the same in label description (i.e. all are anti-malware in the eyes of customers).

Hmm... maybe a better way is to add each label if some requirements are met.
Eg: For AV, if you can catch a decent number of viruses, you can call yourself AV.
The same holds true for the others.

So for example:
McAfee is qualified as AV/AT
KAV is also qualified as AV/AT
Spybot S&D is qualified as AT/AS

What do you think?

-{ Quote: "StevieO" }-

Nice to hear your comment, StevieO.

Wai_Wai
August 14th, 2005, 02:35 PM
-{ Quote: "About the 1% issue. I think that missing 1% etc could be covered to some extent by another App that the other one/s overlooked. I doubt if two or more databases from different Apps would match exactly." }-

True.
Have you read my analogy:

By installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

There are 6 grades in the school (A-F).
"Anti-virus" program is like an A-B grade student; while "anti-trojan" is a D-E grade student.

Surely an A/B grade student cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

"How about asking a D/E grade student to help?" the A-grade student thought.

"Are you crazy? How would I know how to solve this question? Too difficult for me," an E-grade student said. "There is surely a chance I can do it, but how big is that chance, you fool!?"

Surprisingly, he mentioned something which enlightened the A-grade student.

"You'd better ask other A/B grade students for help. They will know how to solve this difficult math," the E-grade student enlightened the A-grade student.

"Ah! So stupid I am! Why didn't I seek help from other A-grade students in the first place?" the A-grade student grieved. "Now the A-grade students have left school. I have to wait for tomorrow."

Why does the software miss that 1%? Probably the trojans use advanced techniques which are hard to arrest, or the trojans are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

Your anti-trojan is not designed to close this 1% gap. Instead it is said to specialize in arresting trojan-related threats. Unfortunately they cannot even do better than anti-virus programs.

You may feel anti-trojan is specialised in arresting trojan guys! You may feel so due to the fact that:
- it was true in the very early stages of security programs
- the name "anti-trojan" misleads you into thinking they should be specialised in trojans. It's in fact a misnomer based on hard facts. Sad to say, hard to accept, but have to admit. :"(
- now it is a sunset market. Remember why TDS is dead?? To survive, it has to convert into either "anti-virus" or "anti-spyware" (Ewido is a good example towards anti-spyware). Anyway these 3 products have some degree of overlap.


So what should you do now if you are the A-grade student?
Here's the lead to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate, and only 50% for anti-trojan, you are equal to asking an E-grade student a difficult math question which you, as an A-grade student, don't know how to answer.

Wai_Wai
August 14th, 2005, 03:11 PM
-{ Quote: "Wai_Wai, it's obvious that you're new to this forum, and I think everyone here respects that; however, what you're missing in a lot of what's being said here is that many/most of the points you raise have been debated thoroughly and endlessly, for days and weeks on end, throughout the rest of the forum. I would really recommend that you look around for a little while.. there's a lot of information that would make sense of what's being said. A lot of people here simply don't want to get into a long-winded discussion all over again, so things are being stated simply in an effort to help you understand without getting into another new debate." }-

Yes, I agree the debate can keep going around and around without stop.
In fact, I'm still reading while replying.


-{ Quote: "
-{ Quote: "By the way, NOD32 is good in that it uses an advanced heuristic method. But beware of the following:
- false positives (it tends to generate more, not suitable for beginners)
- is relatively good at detecting Zoo virus (rated advanced+ at http://www.av-comparatives.org/seiten/overview.html) but relatively poor at detecting ITW virus (rated advanced only)." }-

NOD32 has a track record for detecting the most ITW malware, with the least false positives. It used to be bad at detecting "zoo" samples and trojans, but that has changed quite a bit in the past year.
" }-

Hmm... No offense, but it seems you have misread the above statement.

I have to say, I have spent considerable time investigating different anti-virus programs, so these statements (unlike some others which may only express my ideas) are not made lightly.

Just like you said, it "used to be bad at detecting "zoo" samples and trojans". But I have already said it IS good at zoo malware (among the best 3 if you ask me).

Also you said it "has a track record for detecting the most ITW malware". It is hard to say, since I don't know what you define as "most". But to me, it is not (falls outside the best 5/6 at least, if you ask me).

As to false positives, it again depends on what situations and how you compare. But I have to admit my info about false positives is 1 year old (since the newest reports don't include this category). If you ask me, no better than McAfee.

You said it "changed quite a bit in the past year"; however, some of my claims were revised just a few months ago.

Finally, what are your claims based on? Are your claims reliable too (eg not just your own experience, said by someone, etc.)?

Wai_Wai
August 14th, 2005, 03:12 PM
-{ Quote: "...
Hopefully that helps make sense of some of the responses in this thread." }-

It does make sense.
But... hmm... how to put it? Sometimes I just feel tired of explaining the same thing over and over again.


-{ Quote: "The problem is that many people simply don't have the patience to hunt around on Google, forums, etc., to find out what this cryptic alert means.. many wouldn't even know where to start. For those people, having a few different scanners is probably the best way to go, but these things are generally taken on a case-by-case basis." }-


Take this as an example. I have already said:
- the above holds true for people who are willing to bother, or rather do these steps.
- so the decision is yours. If you bother, go ahead; otherwise don't.
[PS: By the way, the situation you describe is rather inaccurate, which is explained previously]

Quite many points have been clarified, but the same argument is raised.
Probably I have explained in too much depth, so people have ignored my comments. However, if I don't explain in depth, people may keep challenging the same thing or asking the same question over and over again. What a dilemma! :'(

I just don't know what I should do. :-\
It seems my ideas cannot be passed on to them.
If you know, better advise me. I am ready to listen. :-*

Notok
August 14th, 2005, 05:26 PM
-{ Quote: "Hmm... No offense, but it seems you have misread the above statement.

I have to say, I have spent considerable time investigating different anti-virus programs, so these statements (unlike some others which may only express my ideas) are not made lightly.

Just like you said, it "used to be bad at detecting "zoo" samples and trojans". But I have already said it IS good at zoo malware (among the best 3 if you ask me)." }-
What I was saying is that you had your facts backwards. NOD32's track record is that it's the best for ITW detection (with least false positives) but not zoo (however that has changed). My source is the forums here and Virus Bulletin, which are professional independent testers, rather than hobbyists like virus.gr (who hasn't provided thorough tests and has not been open to suggestions). In order to get a VB award you have to catch ALL ITW samples with NO false positives, and NOD32 has the most.. never having missed an ITW sample in all the years tested. You will also find very few false positives in the forum, and hear about very few from users (I've experienced 1 in the past two years; both NOD32 and the software mis-identified were beta). But that was just one example that I chose because I knew about it specifically off the top of my head; it was not my intention to bring up how good NOD32 is or isn't.

Perhaps you would like to provide additional sources for your information? (preferably reliable sources that can be easily verified; professional sources are best.) Have you had real-world experience with all the mentioned software, or are you just going based on what you've read at places like VirusP.gr? (again, already having been shown to be completely flawed, and not a good foundation for forming presumptions)

-{ Quote: "Take this as an example. I have already said:
- the above holds true for people who are willing to bother, or rather do these steps.
- so the decision is yours. If you bother, go ahead; otherwise don't.
[PS: By the way, the situation you describe is rather inaccurate, which is explained previously]" }-
Yes, but then you turn around and put emphasis on it not being a big deal, and that anyone can use them, which pretty much negates the initial disclaimer for most readers. You state "sure, go ahead if you want to" but then try to give a dozen reasons why ATs are essentially not worth it, including implying it in the thread subject.

Inaccurate according to whom? That may be your opinion, but many here would differ.. many that may have invested even more time and research on the same subject. My opinion as to behavior blocking being inappropriate is based on trial and error with many users that were not able to use them effectively, and got exceedingly frustrated. While doing work for people fixing their computers, you come face to face with that lack of patience every time, sometimes justified, sometimes not. Unless they seek it out themselves, most users simply don't have patience for any computer issue.. they just want to get in, check their email, surf the web, and leave, without any hassles. There are also many professionals in other areas that literally do not have the time to sit down and learn these things, and interrupting their work-flow is unacceptable.

If someone is responding to a particular comment, offering a reason that your reasoning may be lacking, it's not really appropriate to refer back to the initial comment that's in question. Like I say, most of us here have also invested quite a bit of time and effort into researching these things as well, and also don't make these claims lightly. It doesn't matter who you are around here, there are always people that know more and have more experience on any given topic. The process of learning is never ending with computers, including security.

-{ Quote: "But... hmm... how to put it? Sometimes I just feel tired of explaining the same thing over and over again." }-
Indeed. Unless you have anything new to add, I think I've said my piece.. we kind of seem to be going in circles here.

Wai_Wai
August 15th, 2005, 11:19 AM
Thanks for your detailed reply.
Here's my reply.

-{ Quote: "What I was saying is that you had your facts backwards. NOD32's track record is that it's the best for ITW detection (with least false positives) but not zoo (however that has changed). My source is the forums here and Virus Bulletin, which are professional independent testers, rather than hobbyists like virus.gr (who hasn't provided thorough tests and has not been open to suggestions). In order to get a VB award you have to catch ALL ITW samples with NO false positives, and NOD32 has the most.. never having missed an ITW sample in all the years tested. You will also find very few false positives in the forum, and hear about very few from users (I've experienced 1 in the past two years; both NOD32 and the software mis-identified were beta). But that was just one example that I chose because I knew about it specifically off the top of my head; it was not my intention to bring up how good NOD32 is or isn't.

Perhaps you would like to provide additional sources for your information? (preferably reliable sources that can be easily verified; professional sources are best.) Have you had real-world experience with all the mentioned software, or are you just going based on what you've read at places like VirusP.gr? (again, already having been shown to be completely flawed, and not a good foundation for forming presumptions)" }-

Are the following what you want?
http://www.av-test.org/ (recommended!)
http://agn-www.informatik.uni-hamburg.de/vtc/ (recommended!)
http://www.av-comparatives.org/ (recommended!)
http://www.virus.gr/english/fullxml/default.asp
http://www.westcoastlabs.org/default.asp
http://www.virusbtn.com/
http://www.icsalabs.com/
??

EDIT: These are just some of them, but they will still take you many days to read and investigate.

After all, points taken.
Thanks for your comments. :)
And I'm going to research more in these days.