Has your real-time anti-trojan ever caught anything?


richrf
August 14th, 2005, 10:44 AM
Hi,

Given all of the discussion concerning the effectiveness/usefulness of anti-trojan software, I have a quick question:

Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? If so, what other security packages were you using at the time, e.g. anti-virus, host intrusion protection, firewall, etc.?

Hopefully, we get enough responses to make this question somewhat worthwhile. Personally, I have never had the situation occur. I have been using KAV 4.5 and KAV 5.

Thanks for your input.

Rich

Jaws
August 14th, 2005, 11:17 AM
Hi Rich,

Going back to the last paragraph of my last post in the AT vs AV 12 round bout thread:

-{ Quote: "Someone should do an experiment with the various (one at a time) ATs on a PC and browse every porn site, questionable download site, hacker and cracker site and p2p. It may give some valuable insight into how long the AT holds up or how long before the PC becomes unusable. " }-

Of course what I mean is to use only an AT for protection and disable all other security software.
I'm talking here about real-life browsing, not someone with a test bed of malware. Then at the end of each day, do a lot of scans with the top on-demand scanners, whether they're online scans or by re-enabling your AV of choice on your machine and see what was missed by the AT.

Maybe doing this would be a better indication of the effectiveness/usefulness of anti-trojan software.

Regards,
Jaws

richrf
August 14th, 2005, 11:22 AM
-{ Quote: "Hi Rich,

Going back to the last paragraph of my last post in the AT vs AV 12 round bout thread:

Of course what I mean is to use only an AT for protection and disable all other security software.
I'm talking here about real-life browsing, not someone with a test bed of malware. Then at the end of each day, do a lot of scans with the top on-demand scanners, whether they're online scans or by re-enabling your AV of choice on your machine and see what was missed by the AT.

Regards,
Jaws" }-


This would be an excellent research project. It would be particularly interesting to me if a top-tier AV (such as KAV) was loaded, to check how many pieces of malware slipped by the AV and were caught by the AT - and of course, how many got through both. Some college computer science majors out there should do this for their term paper. :D

Regards,
Rich

Jaws
August 14th, 2005, 11:50 AM
It's interesting to note that a lot of the posts in the trojan and backdoors forum here at Wilders are from guests or new members that get hit with trojans that get through their AV.

Just an observation.

richrf
August 14th, 2005, 11:55 AM
-{ Quote: "It's interesting to note that a lot of the posts in the trojan and backdoors forum here at Wilders are from guests or new members that get hit with trojans that get through their AV.

Just an observation." }-

Yes. It would be nice to know the full configuration of these incidents - e.g. firewall, AV in use, any AT, etc. This is useful information since sometimes it is possible to extrapolate patterns. For example, is it the free AVs that are more likely to be pierced, or is it the AVs that do not have frequent updates? All of this would be useful information.

Regards,
Rich

StevieO
August 14th, 2005, 12:44 PM
Hi rich,

No never! But maybe that's because my PC etc. is very securely locked down in the first place, plus I don't visit lots of places to get infected, or open every email etc.

Also my AV's, AS's and online scans have caught the only 2 trojans I have ever experienced. And one of these is the TrojanSimulator test.

I still think they are worthwhile having, plus if we don't have/use them, how can we recommend them etc. to others who are in greater need than us.


StevieO

Antarctica
August 14th, 2005, 02:08 PM
Hi richrf,
No, never. I had TH set as real-time and TDS-3 set as on-demand and neither one ever caught anything... Now I removed both of them from my PC and I have "only" PG, RD, NOD32 and Ewido. And my firewall of course. :)

Wai_Wai
August 14th, 2005, 04:45 PM
Does your experience always tell the truth?

Not to spoil everyone, but such kinds of experiences may not be real, unfortunately.
It's especially true of trojans.

What does a trojan do?
It tries to operate without anyone's notice.

So if someone does not get any trojan, there may be 2 main reasons:
- you are really clean. Congratulations!
- sorry, the trojan is too insidious. You don't even know it has finished its task, and it may have removed its traces already.

Wai_Wai
August 14th, 2005, 04:56 PM
Is there any AV/AT test available, man?
Hi, richrf:
In fact, there are such kinds of tests indeed. What they did was compare different AV/AT combinations and see to what extent an AT could help.

The newest I have read seems to be about 8 months old.
I don't remember which AV and AT were tested, but I'm pretty sure they should be famous, used by many users (since they tested only a few combinations, they chose the most famous).

If memory serves, with AV/AT, the result is boosted by about 1-2% (1XX-3XX more malware detected).

Wai_Wai
August 14th, 2005, 05:01 PM
So since AV/AT can boost my protection, should I do so?

Hmm... You can do so. Extra protection is always preferred, although don't expect it to help much. Indeed it helps only a little. :'(


If you wish to add much protection or other kinds of better protection, how about considering this alternative – process & system protection?

Instead of doing more or less the same as AV/AT does, it provides another way of protection, protecting us from both ITW malware and Zoo malware. AV/AT is weak at Zoo malware, so it is always worthwhile to add some other layers to your computer.

What it does is add an extra layer to the system, which is similar to the case where a firewall adds an extra layer between your computer and the Internet/Intranet.

There are several products available in the market, e.g.: Tiny Personal Firewall (not really a firewall!), ProcessGuard (PG), System Safety Monitor (SSM), Viguard.

For stronger protection, one may decide to choose Tiny Personal Firewall, System Safety Monitor (SSM), Viguard.

For strong protection while still maintaining ease of use, choose ProcessGuard.
It seems to be a common mistake that people feel ProcessGuard is as difficult as using a firewall, prompting many alerts for you to choose. It is NOT the same. What makes it easy to use is "learning mode". To write a simple difficulty flow chart:
-{ Quote: "
"A < B" = A is more difficult than B
Firewall like ZoneAlarm < ProcessGuard < AV/AT/AS
" }-

Further Reading
ProcessGuard (PG) VS System Safety Monitor (SSM) VS Viguard
http://kareldjag.over-blog.com/categorie-69553.html

The author says:
-{ Quote: "
ProcessGuard is my first choice: it does not take too much time to configure (very intuitive), and any user has just to check a box/option to get a strong protection.
" }-

Mr2cents
August 14th, 2005, 09:53 PM
-{ Quote: "Hi,

Given all of the discussion concerning the effectiveness/usefulness of anti-trojan software, I have a quick question:

Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? If so, what other security packages were you using at the time, e.g anti-virus, host intrusion protection, firewall, etc.?

Hopefully, we get enough responses to make this question somewhat worthwhile. Personally, I have never had the situation occur. I have been using KAV 4.5. and KAV 5.

Thanks for your input.

Rich" }-
BOClean caught one of the "bluefish trojan variants". It slipped by NOD32. This particular trojan was and is a real nasty. Its only purpose was to steal financial documentation. Here's the link with screenshot. NOD has added this trojan to their database.

I've also witnessed BOClean catching a trojan that Norton had missed. This was on a friend's computer. I'm currently running KAV, and nothing has gotten past it so far. http://www.wilderssecurity.com/showthread.php?t=69390

Hard Rocker
August 14th, 2005, 11:07 PM
Hi Mr2cents, :)

I just visited your link on the "bluefish trojan" so thanks for posting that info with the screenshot.

I use AOL & have received suspicious emails claiming to be from AOL. When I contacted AOL they informed me that if the actual email envelope was NOT blue then the email was in fact .... NOT from them.

I am using Trojan Hunter & A2 presently .... both with their respective guards enabled. To date they have not detected any trojans.

My AV & Firewall are Norton 2005.

HR 8)

richrf
August 14th, 2005, 11:48 PM
-{ Quote: "So if someone does not get any trojan, there may be 2 main reasons:
- you are really clean. Congratulations!
- sorry, the trojan is too insidious. You don't even know it has finished its task, and it may have removed its traces already." }-

In either case, the AT did not participate in the defense. I am simply trying to determine whether the AT ever participated in a defense.

Rich

richrf
August 14th, 2005, 11:50 PM
-{ Quote: "Boclean caught one of the "bluefish trojan variants". It slipped by nod32. This particular trojan was and is a real nasty. It's only purpose was to steal financial documentation. Here's the link with screenshot. Nod has added this trojan to their database.

I've also witnessed boclean catching a trojan that norton had missed. This was on a friends computer. I'm currently running kav, and nothing has gotten past it so far. http://www.wilderssecurity.com/showthread.php?t=69390" }-

Thanks Mr2cents for the info. Do you remember approx. how long ago these incidents occurred?

Rich

Mr2cents
August 15th, 2005, 12:42 AM
-{ Quote: "Thanks Mr2cents for the info. Do you remember approx. how long ago these incidents occurred?

Rich" }-
Hi richrf. The date was March 4, 2005. I had to follow my own link to see when I posted it. I made the post the same day this event occurred.

Sincerely
August 15th, 2005, 02:22 AM
-{ Quote: "Is there any AV/AT test available, man?
Hi, richrf:
In fact, there are such kinds of tests indeed. What they did was compare different AV/AT combinations and see to what extent an AT could help.

The newest I have read seems to be about 8 months old.
I don't remember which AV and AT were tested, but I'm pretty sure they should be famous, used by many users (since they tested only a few combinations, they chose the most famous).

If memory serves, with AV/AT, the result is boosted by about 1-2% (1XX-3XX more malware detected)." }-


The tests that you quote are flawed. You have not even read the links that people have given you that point out the flaws in the tests you quote. If you understood the flaws in those tests, you would understand why you cannot use them to prove one way or another that an AV is better than an AT at detecting trojans.

Similarly, kareldjag's testing methods have weaknesses also and can't be used to prove that one security application is better than any other security application.

I think the reason you are not getting more people jumping on this thread and showing you the weaknesses in your argument is that they can see that you are somewhat new. As one poster said before, you might want to do a little more research on these things.

Sincerely

nightflight1
August 15th, 2005, 03:42 AM
No, I've never caught anything with my active realtime protection. I use NAV, Pest Patrol (which has a realtime memory scan), MSAS, WinPatrol etc... and nothing has ever been caught, except when I have done my own tests against malware.

But then I'm a very safe surfer and careful about what I open (email, always in plain script) and what I install (never use programs from untrusted sources) on my computer.

Wai_Wai
August 15th, 2005, 06:35 AM
-{ Quote: "The tests that you quote are flawed. You have not even read the links that people have given you that point out the flaws in the tests you quote. If you understood the flaws in those tests, you would understand why you can not use them to prove one way or another that a AV is better than a AT or at detecting trojans.

Similarly, kareldjag testing methods have weaknesses also and can't be used to prove that one security application is better than any other security application.

I think why you are not getting more people jumping on this thread and showing you the weaknesses is in your argument is that they can see that you are somewhat new. As one poster said before, you might want to do a little more research on these things.

Sincerely" }-


No, the above test is not meant to be "AV vs AT".
Rather it is "AV vs AV/AT", and see how an extra AT can help an AV to catch missed trojans.

Wai_Wai
August 15th, 2005, 06:58 AM
-{ Quote: "In either case, the AT did not participate in the defense. I am simply trying to determine whether the AT ever participated in a defense.

Rich" }-

I don't understand much about AT (since personally I don't use AT, plus AT looks uninteresting and not effective enough, I don't bother to understand it in depth).
But it is sure that AT will participate in detection (NOT prevention).

E.g.: When a trojan is planted in your computer and accesses the physical memory, if the AT can identify this trojan (from its signature base or some other heuristic methods, if any), it can successfully defend against the trojan.

The similar case can hold true for AV since some AVs have similar measures to protect the physical memory.

Hope this helps.

culla
August 15th, 2005, 08:09 AM
Both MSAS and TeaTimer notified me of a toolbar trying to download; it was SpySheriff/trojan and was blocked and caused no trouble.
It did however let one file in, I can't remember what, just a bunch of numbers, which I removed with HijackThis.

Why
August 15th, 2005, 08:24 AM
-{ Quote: "No, the above test is not meant to be "AV vs AT".
Rather it is "AV vs AV/AT", and see how an extra AT can help an AV to catch missed trojans." }-


As has been stated before, the testing method is flawed and does not prove anything one way or another. To do the test in a manner which could give someone a better idea of the efficiency of an AT would require an enormous amount of time.

So far, I have found no one that has tested the effectiveness of the AT memory scanner. Also you would need a test that checks for Trojan servers only and not trojan clients. The test you quote checks for both trojan servers and clients.

If you don't know the difference between a trojan server and a trojan client then you have a lot of researching to do about trojans but I will give you one clue. The server client is harmless.

You should really study trojans and trojan detection methods.



Why

richrf
August 15th, 2005, 09:53 AM
-{ Quote: "But it is sure that AT will participate in detection (NOT prevention). " }-

Hi Wai_Wai,

"AV" (e.g. Kaspersky, NOD32, Norton) packages will normally catch the malware before the "AT" software (e.g. Ewido, BOClean, Trojan Hunter, A-squared), because the AVs scan "on-access" to any file. If the AV misses, then the AT may catch the malware while the malware is processing in memory (by doing a full memory scan on a frequent basis). So there is a temporal order to the detection.

If the AV catches all malware, then the AT will never have a chance to detect any malware.

1) Most forum members on this thread have so far reported that their AV has caught everything and that their AT has never caught anything that has gotten past their AV.

2) Some have reported that some malware has gotten past AV and either their AT or "anti-spyware software" (AS) has caught something.

This is a real-life survey on actual experiences with the usefulness of ATs and their corresponding AV. Hopefully we get enough responses to make this survey somewhat useful to people who are trying to figure out whether an AT actually provides useful real-life protection when running an AV.

Regards,
Rich

Dazed_and_Confused
August 15th, 2005, 09:59 AM
-{ Quote: "Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? " }-

Never. When I was running both TDS (with Exec Protection turned on) and NOD32, My AV numerous times notified me of suspicious files that were supposedly variants of specific trojans. TDS was always quiet. :(

Rainwalker
August 15th, 2005, 11:25 AM
After one ate my computer in about '98' I looked for help and found Wilders... this in turn led to proper protection... have seen no trojan since... no problems with anything... that I am aware of... :)

Wai_Wai
August 15th, 2005, 11:35 AM
-{ Quote: "
-{ Quote: "But it is sure that AT will participate in detection (NOT prevention)." }-
Hi Wai_Wai,

"AV" (e.g. Kaspersky, NOD32, Norton) packages will normally catch the malware before the "AT" software (e.g. Ewido, BOClean, Trojan Hunter, A-squared), because the AVs scan "on-access" to any file. If the AV misses, then the AT may catch the malware while the malware is processing in memory (by doing a full memory scan on a frequent basis). So there is a temporal order to the detection.

If the AV catches all malware, then the AT will never have a chance to detect any malware. " }-

Sorry for my ambiguity.
That statement is meant to say something similar to the above.
Next time, I should better say: if the AV misses the intrusion of a trojan, the AT has a chance to participate.

-{ Quote: "
1) Most forum members on this thread have so far reported that their AV has caught everything and that their AT has never caught anything that has gotten past their AV.

2) Some have reported that some malware has gotten past AV and either their AT or "anti-spyware software" (AS) has caught something.

This is a real-life survey on actual experiences with the usefulness of ATs and their corresponding AV. Hopefully we get enough reponses to make this survey somewhat useful to people who are trying to figure out whether an AT actually provides useful real-life protection when running an AV.
" }-

Good findings, Rich.
As to (1), it is also what I expect. Unlike in a test, in which an AV will face a whole lot of trojans (e.g. over 10,000) and an AT may give a jot of help, in reality I'm not going to be attacked by over 10,000 trojans at the same time. Otherwise I will scream [why pick me out? :( ]

As to (2), true that AS can catch trojans too. To AS, they are just the same baddies who trespass on our "privacy land". Kill... kill... kill... they must be killed.

Wai_Wai
August 15th, 2005, 11:47 AM
-{ Quote: "As has been stated before. The testing method is flawed and does not prove anything one way or another. To do the test in a manner in which could give someone a better idea of the effeciency of a AT would require a enormous amount of time.

So far, I have found no one that has tested the effectiveness of the AT memory scanner. Also you would need a test that checks for Trojan servers only and not trojan clients. The test you quote checks for both trojan servers and clients.

If you don't know the difference between a trojan server and a trojan client then you have a lot of researching to do about trojans but I will give you one clue. The server client is harmless.

You should really study trojans and trojan detection methods.

Why" }-


No, the above test is not meant to be "AV vs AT".
Rather it is "AV vs AV/AT", and see how an extra AT can help an AV to catch missed trojans.
Best regards.

Starrob
August 15th, 2005, 12:38 PM
I know the intent of the survey but I don't think the results will have very much meaning one way or the other.

First I doubt enough people would respond to make the survey worthwhile and even if every Wilders member and guest responded, it would only show you results from what has happened to those people that like coming to Wilders, which is an extremely small part of the internet universe. Wilders members tend to be interested in security... most of the internet does not have as high an interest in security. You would also need to sample people that have no interest in security... like maybe people that work at corporate or government entities that have both an AV and an AT installed.

Secondly, I think a sample size of at least 100,000 people located in all areas of the planet and with varying degrees of knowledge and interest in security would be needed to even begin having relevance.

I doubt a survey like this could be organized and done so that the results have relevance.

The intent of the survey is honorable but I doubt that anyone could extrapolate meanings with any degree of accuracy from the 5, 10, 15, 50 or even 100 people that might respond to this thread.

I also doubt if anyone would conduct a scientific test that would be conclusive one way or the other either because there is too much involved.

This is how I believe such a test would have to be conducted. There would be two sets of tests that are each divided into two separate steps.

The first test set would include only unmodified trojans.

The second test set would include trojans that are modified in ways that are explained better here:

http://scheinsicherheit.sc.funpic.de/procedure2.htm


The two parts of the test that would be done with both modified trojans and unmodified trojans are as follows:


You would take a Windows computer with XP installed (either SP1 or SP2... this is a variable in the test). You would load an antivirus (another variable). You would then activate trojans from the test bed and see if the antivirus can stop the infection. If the antivirus stops the infection then it is taken out of the test bed that will be used in part 2. If the antivirus does not stop the infection then it WILL become part of the test bed for part 2 of the test.

Part 2 of the test will be taking a second computer with an anti-trojan (variable) on it. We will then activate the trojan and see if the anti-trojan stops it. (Of course what is meant by stopping it must be defined).

This testing method would give one an idea of how effective an AV is against modified and unmodified trojans and would show how many trojans an AT would be able to catch when the AV misses them.

This is just a rough version of how I would conduct the test and I am sure I am missing some variables that might make the test give irrelevant answers, but I think this type of testing would probably yield more useful results to this question than all the tests mentioned that I have seen so far. It might even be more relevant than a survey, due to the difficulty of obtaining an accurate survey.

The only problem with this type of testing is that I doubt anyone has the time to do this type of testing. I think I once saw someone ask Nautilus about this and Nautilus replied that he does not have the time (or something to that effect) and I doubt many others do either.

The second problem is finding someone who is "independent". As a matter of fact, an independent tester might be harder to find than anything else. Every time I have ever seen a test talked about on a forum, arguments would break out concerning the independence of the tester.

I think this question of AV vs AT will firmly remain in the eye of the beholder. My opinion on the subject is that an AT can be relevant for either A) a high-risk user or B) a noob or someone that has absolutely no interest in security.

I have strong suspicions that the reason why BOClean is successful in selling to corporations and certain governments is because there are many people working for government agencies and corporations that not only have no interest in security but also do insecure things on the corporate or government computer.

Maybe owning BOClean is an "insurance" policy against AVs failing for governments and corporations. Maybe these companies and governments had AVs fail on them in the past?? Who knows?

I do know that people that extrapolate their own personal situation on the rest of the world are often in error.

My personal opinion is that ATs are very relevant for some people and for others not relevant at all.

If you feel that you need an AT then by all means use one. If you don't feel you need an AT then by all means don't use one... BUT by all means THINK for yourself. There are many pied pipers in this world... they might lead you in a direction that is good for them but you might go over the cliff headed in the same direction. You must learn, educate yourself and do what is right for YOU... not what is right for other people. It might be that having an AT is wrong for 99% of the people in the world but you might be part of the 1% that it is right for (or vice versa). It won't matter if that 99% is right for themselves if you go over the cliff because you believed "them" and headed in the same direction.

THINK FOR YOURSELF



Starrob
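
The two-stage procedure Starrob lays out, written as a tally over constructed verdicts (an added example, not code from this thread or from any product): trojan servers only, modified and unmodified cohorts kept apart, and the AT scored only against what the AV let through. The `Sample` fields, function names and verdict data are this example's own assumptions.

```python
"""Two-stage layered-detection tally, modelled on the test procedure
sketched above: run every sample past the AV first, keep only the AV misses
as the bed for the anti-trojan (AT) stage, and report how much the AT adds.
Two caveats raised elsewhere in the thread are applied as filters: only
trojan servers are counted (the client is the operator's console), and
modified and unmodified samples are reported as separate cohorts.

Added illustration with constructed verdicts, not a result from any real
test; the Sample fields and function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    role: str           # "server" (the implant) or "client" (the operator's console)
    modified: bool      # True if the sample was edited/repacked before the run
    av_detected: bool   # stage-1 verdict: did the AV stop the infection?
    at_detected: bool   # stage-2 verdict, consulted only for samples the AV missed


def servers_only(samples: Iterable[Sample]) -> List[Sample]:
    """Drop trojan clients: a test that counts them inflates every score."""
    return [s for s in samples if s.role == "server"]


def stage_one(bed: Iterable[Sample]) -> Tuple[List[Sample], List[Sample]]:
    """Stage 1 (AV machine). Samples the AV stops leave the bed; the misses
    become the bed for stage 2."""
    stopped = [s for s in bed if s.av_detected]
    missed = [s for s in bed if not s.av_detected]
    return stopped, missed


def stage_two(av_misses: Iterable[Sample]) -> Tuple[List[Sample], List[Sample]]:
    """Stage 2 (AT machine), run only on what the AV let through. What
    "stopped" means must be fixed by the tester beforehand; here it is
    whatever produced the boolean verdict."""
    caught = [s for s in av_misses if s.at_detected]
    through = [s for s in av_misses if not s.at_detected]
    return caught, through


def tally(samples: Iterable[Sample]) -> Dict[str, Dict[str, int]]:
    """Per-cohort counts: how many the AV stopped, how many the AT caught
    after an AV miss, and how many got through both layers."""
    servers = servers_only(samples)
    result: Dict[str, Dict[str, int]] = {}
    for cohort, flag in (("unmodified", False), ("modified", True)):
        bed = [s for s in servers if s.modified == flag]
        stopped, missed = stage_one(bed)
        caught, through = stage_two(missed)
        result[cohort] = {
            "bed": len(bed),
            "av_stopped": len(stopped),
            "at_caught_after_av_miss": len(caught),
            "through_both": len(through),
        }
    return result


def detection_rates(samples: Iterable[Sample]) -> Dict[str, Tuple[float, float]]:
    """(AV-alone rate, AV+AT rate) per cohort; the difference is the AT's
    marginal contribution, the "AV vs AV/AT" figure argued over in the thread."""
    rates: Dict[str, Tuple[float, float]] = {}
    for cohort, counts in tally(samples).items():
        bed = counts["bed"]
        if bed == 0:              # empty cohort: no rate can honestly be claimed
            rates[cohort] = (0.0, 0.0)
            continue
        av_only = counts["av_stopped"] / bed
        av_plus_at = (counts["av_stopped"] + counts["at_caught_after_av_miss"]) / bed
        rates[cohort] = (av_only, av_plus_at)
    return rates


# Constructed verdicts for illustration only (not from any real product run).
CONSTRUCTED_SAMPLES = [
    Sample("s01", "server", False, True, True),
    Sample("s02", "server", False, True, False),
    Sample("s03", "server", False, False, True),
    Sample("s04", "server", False, True, True),
    Sample("c01", "client", False, False, False),   # client: excluded from tally
    Sample("s05", "server", True, False, True),
    Sample("s06", "server", True, False, False),    # slips through both layers
    Sample("s07", "server", True, True, False),
    Sample("s08", "server", True, False, True),
    Sample("c02", "client", True, True, True),      # client: excluded from tally
]

if __name__ == "__main__":
    for cohort, counts in tally(CONSTRUCTED_SAMPLES).items():
        av, both = detection_rates(CONSTRUCTED_SAMPLES)[cohort]
        print(f"{cohort:>10}: {counts}  AV {av:.0%} -> AV+AT {both:.0%}")
```

With the constructed bed, the modified cohort is where the AT's marginal contribution shows up (AV alone 25%, AV+AT 75%), which is exactly why the thread insists the cohorts be reported separately.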

Randy_Bell
August 15th, 2005, 02:08 PM
-{ Quote: "Never. When I was running both TDS (with Exec Protection turned on) and NOD32, my AV numerous times notified me of suspicious files that were supposedly variants of specific trojans. TDS was always quiet. :(" }-
Dazed, as Rich pointed out, that is probably because your AV "hooks" the O.S. at a lower level and gets first crack at the malware -- TDS {and every other process} was most likely denied access because your AV flagged the malware first. When your AV detects something, it instantly jumps in and denies access to the malware detected, effectively "freezing" your PC and not allowing any other process, even another scanner such as an AT like TDS, to access that file. We encounter this all the time at the TH forum and tell folks to temporarily disable AV-RTM {the AV realtime monitor} in order to do a conclusive full scan with TH. {Then immediately reenable AV-RTM of course}.

Permit me to quote from illukka's post in another thread:
http://www.wilderssecurity.com/showpost.php?p=522349&postcount=25
-{ Quote: "Kaspersky is also the AV that is the most targeted by trojaners. They all want to make their RAT undetected by KAV, and it is possible to do so. That's where the ATs come in.

I've had Trojan Hunter guard pop up warnings many times, even when my KAV remained silent. Same goes for BOClean, it has blocked something missed by my AVs (KAV, NOD32 and DrWeb) numerous times.. but I collect trojans and my chances of seeing an undetected RAT are really somewhat higher.. and some of them are btw undetected by ATs too
" }-
I can vouch for that: Just visit any hacker site and download a trojan package {I can't link to any here because it's against the rules}. Often in the "readme" for the package or kit, the author will state that he offers "undetected" variants for a price, usually small, like 20-30 bucks. Most often, in my experience {and I am not trying to target one product here}, it is KAV that is targeted for an undetected {modified} trojan, I assume because of its reputation for trojan detection. These kits usually include an editor or "editserver" as it is commonly called, which allows even a casual user to modify the server, so in some cases, even a casual user can create a modified server that will go undetected. However, because ATs scan memory, the process signature of a modified server may not be significantly different, and it may still be detected by an AT scanning memory. THIS, to me, is the big difference, and why I would still recommend an AT like TH or BOClean as a second-tier defense. Also, consider that all malware, once resident, immediately tries to kill your AV. But if you have a hardened AT running as well, that makes the malware's task more difficult because he has to kill both your AV and AT before they kill him. Two programs are harder to kill than one, given that he has probably only seconds to succeed or be killed himself. That is my take on it. Sorry I can't comment on any "poll" but I can say that, experimentally at least, I have in the past launched a few samples that my AT detected, but of course, that is more of a "laboratory" curiosity and not real-world or "ITW" {in-the-wild}. HTH .. ;)

Dazed_and_Confused
August 15th, 2005, 02:28 PM
-{ Quote: "Dazed, as Rich pointed out, that is probably because your AV "hooks" the O.S. at a lower level and gets first crack at the malware -- TDS {and every other process} was most likely denied access because your AV flagged the malware first. When your AV detects something, it instantly jumps in and denies access to the malware detected, effectively "freezing" your PC and not allowing any other process, even another scanner such as an AT like TDS, to access that file. We encounter this all the time at TH forum and tell folks to temporarily disable AV-RTM (the AV realtime monitor} in order to do a conclusive full scan with TH. {Then immediately reenable AV-RTM of course}." }-

Very informative, RB. Thanks. :D

Doesn't the above imply that my AV was good enough to catch anything that was suspicious? In other words, it appears my AT was unnecessary because my AV caught everything I came across before my AT got a swing at it.

richrf
August 15th, 2005, 03:33 PM
-{ Quote: " it is KAV that is targeted for an undetected {modified} trojan, I assume because of its reputation for trojan detection. " }-

This may or may not be what is happening in real-life. If it is, then a couple of comments:

1) From a "success rate" perspective, it would not make sense to target an AV, such as KAV, that has about 1% of the market and is generally used by "hardened security users", as opposed to targeting products such as Norton or McAfee which have over 40% of the market and whose users are more likely to be new users who simply had these packages initially installed at purchase time.

2) The best way to lose any edge over a laboratory like KL is to advertise the availability of a new trojan that can bypass KAV. Exactly how long will there be any value to this trojan once KAV (and every other lab that shares malware) obtains a copy of it? A malware developer may develop and advertise such a trojan for one of two reasons: a) to advertise his/her own ability to be able to do such, b) to get $20 from KAV. Neither is very lucrative, but it can possibly fulfill some personal needs.

In any case, the usefulness of AT is still very much theoretical. In this thread, one user has so far reported that a trojan was caught. Most have said otherwise. The "online man years" represented by even just a handful of people on this thread is quite substantial, so it remains to be seen how many Yeas and Nays we get, keeping in mind that a safe surfer has a very low probability of encountering a trojan that one of the AVs cannot already handle.

But we'll see as the thread progresses. To all forum members who are reading this thread, a No, I have never had a real-time AT catch a trojan, is as important as a Yes, my AT has caught a trojan. So let us know. Also, when and how long you have been running ATs is also quite useful information.

Cya,
Rich

Randy_Bell
August 15th, 2005, 03:53 PM
@Rich: Maybe trojan authors do that for "bragging rights", figuring if they can fool KAV, then they can fool any scanner. Surely if they can create a new variant undetected by KAV, there is a 99.99% chance it will be {at the time of creation} undetected by everything else. ::) So I'm sure that must be the reason they "advertise" as such, in their "readme" text for the kit.

@Dazed: Who's to say your AV caught or cleaned everything? There can be remnants, hopefully nothing dangerous. That is why we often recommend that folks temporarily turn off their AV-RTM and scan with TH to get a second opinion. {Then immediately turn the AV-RTM back on when done}. But it sounds like in your case your primary protection {NOD32} caught everything so far.

I might add, I'm really sorry to see TDS-3 go, because it had excellent staff {Gavin was top notch analyst} and very good detection. I can't say I have had anything in-the-wild that was caught by my AT {and frankly I don't wish to play with fire, either} -- but I still see a place for dedicated ATs like ewido, TH, and BOClean.

I do recall others making comments that ewido had caught some things missed by KAV but unfortunately don't have the links to those posts. Basically my philosophy is to promote multi-layered defense and not rely on one security program for protection; it could inexplicably fail, it could get killed by malware which became resident and killed it before it killed the malware; etc. Just my two cents, now I'm gone, heh .. ;)

Dazed_and_Confused
August 15th, 2005, 03:59 PM
-{ Quote: "@Dazed: Who's to say your AV caught or cleaned everything? There can be remnants, hopefully nothing dangerous. That is why we often recommend that folks temporarily turnoff their AV-RTM and scan with TH to get a second opinion. {Then immediately turn the AV-RTM back on when done}. But sounds like in your case your primary protection {NOD32} caught everything so far.

" }-

Understood.

-{ Quote: "...Just my two cents, now I'm gone, heh .. ;)" }-

I definitely got my money's worth. Thanks, and don't go too far! :D

BlueZannetti
August 15th, 2005, 04:08 PM
-{ Quote: "In any case, the usefulness of AT, is still very much theoretical. In this thread, one user has so far reported that a trojan was caught. Most have said otherwise." }-Rich,

As with any aspect of security it comes down to risk incurred versus benefit achieved.

In my own case I have experienced a handful of instances (more than 3, less than 10) in which my AT (BOClean) has prevented trojans from executing.

All the scenarios were the same. A user at this or some other security site noted the occurrence of a malware infestation. For examples given at Wilders, I was typically testing whether a supplied link was to a malware source or not and in a number of cases it was. The AV in all these cases was either NOD32 or KAV - not sure of the split. Both AVs have been in use on this machine. For either, it would have been from a period of a little over a year or so ago until the present. Invariably, these all appeared to be reasonably new samples and generally received coverage quickly. I also recall one case in which NOD32 let a sample through, although it would have been flagged as a potentially dangerous program (according to Eset, and I did verify this).

This sounds a little more than theoretical to me. For both NOD32 and KAV, this is certainly a diminishing event. On the other hand, I'll keep BOClean at the ready for the foreseeable future.

Blue

richrf
August 15th, 2005, 04:19 PM
Hi Blue,

So to reiterate, so that I am sure I understand:

1) Some users reported some online malware which you decided to investigate
2) You investigated with either NOD32 or KAV running in real-time
3) These were relatively recent events
4) BOClean successfully caught the intruders

If this is correct, then my comment would be:

1) Investigative work is substantially more dangerous than normal browsing (since you are actually seeking out dangerous sites)
2) BOClean did provide extra protection during these "hunting expeditions"

One further question, if you do not mind commenting. Did any ever get through both shields?

Thanks for the info.

Regards,
Rich

chetcope
August 15th, 2005, 05:39 PM
I bought both TDS & BOCLEAN within the last 3 months. I decided to leave BOCLEAN running all the time & use (the now discontinued) TDS for on demand stuff.

In the 1st month or 2 BOCLEAN detected 2 trojans that McAfee didn't catch.


There was a 3rd catch which Boclean later admitted was a false positive:
It said Notepad was a trojan:

07/02/2005 10:05:40: CONSUMERALERT5 TROJAN STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\NOTEPAD.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.

Of the 2 valid trojan reports, I can only find this one: [The detection & removal all happens in the blink of an eye!].
------------------------------
07/03/2005 22:53:03: C:\WINDOWS\YHL.DLL
Trojan horse was found in above file
YHL TROJAN STOPPED by BOCLEAN!
Above file copied to evidence location for examination
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.

(***In mid July, I switched to ZoneAlarm's Security Suite--McAfee downloads its updates etc. using ActiveX & my WinXP Home w SP2 stopped playing nice with ActiveX with both McAfee & the MSN Photo Upload Tool despite all kinds of research and attempts at rectification on my part--including spyware-possibilities. [At least I'm not alone in this--the respective user forums for both have others in the same boat.] Short of an XP reformat, I've given up [I can no longer delete SP2 & thus reinstall it].)


Chet

PS: In addition to BoClean, ZoneAlarm Security Suite, & Process Guard, I usually let Counterspy or Spysweeper run in realtime and use SpySubtract, Spybot, & Adaware & AOL's AntiSpyware Beta2 for on-demand scanning.

-{ Quote: "Hi,

Given all of the discussion concerning the effectiveness/usefulness of anti-trojan software, I have a quick question:

Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? If so, what other security packages were you using at the time, e.g anti-virus, host intrusion protection, firewall, etc.?

Hopefully, we get enough responses to make this question somewhat worthwhile. Personally, I have never had the situation occur. I have been using KAV 4.5. and KAV 5.

Thanks for your input.

Rich" }-
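
Reading Chet's two BOClean alerts above as log data: the record that named NOTEPAD.EXE was the false positive, the one that named an unknown DLL in C:\WINDOWS was genuine. The script below, an added example that is not BOClean's code or anything posted in the thread, parses alert records in the two layouts shown (both taken verbatim from the post as a constructed sample) and flags any detection whose file is a stock Windows binary for verification before the alert is trusted. The allowlist of stock binaries is an assumption of the example, not something BOClean ships.

```python
"""Triage BOClean-style alert records (added example, not BOClean's code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: the two alert records quoted in the post, back to back.
SAMPLE_LOG = r"""07/02/2005 10:05:40: CONSUMERALERT5 TROJAN STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\NOTEPAD.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
07/03/2005 22:53:03: C:\WINDOWS\YHL.DLL
Trojan horse was found in above file
YHL TROJAN STOPPED by BOCLEAN!
Above file copied to evidence location for examination
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.
"""

# Assumed allowlist of stock Windows binaries. A hit on one of these is not
# proof of a false positive, only a reason to verify the file (hash, publisher
# signature, second-opinion scan) before acting on the alert.
STOCK_WINDOWS_BINARIES = {
    "notepad.exe", "explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe",
}

TIMESTAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (.*)$")
NAME_RE = re.compile(r"^(\S+) TROJAN STOPPED by BOCLEAN!$")
CONTAINED_RE = re.compile(r"^(.+?) contained the trojan\.$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Alert:
    when: datetime
    name: str = ""          # BOClean's detection name, e.g. YHL
    path: str = ""          # file the alert points at
    removed: bool = False   # BOClean reported removal and registry cleanup
    lines: list = field(default_factory=list)

    @property
    def needs_fp_review(self) -> bool:
        """True when the flagged file is a stock OS binary (the notepad case)."""
        return self.path.rsplit("\\", 1)[-1].lower() in STOCK_WINDOWS_BINARIES


def parse_boclean_log(text: str) -> list:
    """Split the log into alerts; handles both record layouts seen in the post."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TIMESTAMP_RE.match(line)
        if m:
            current = Alert(when=datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"))
            alerts.append(current)
            line = m.group(2)  # remainder is either the name line or the file path
        if current is None:
            continue  # text before the first timestamped record is ignored
        current.lines.append(line)
        name = NAME_RE.match(line)
        contained = CONTAINED_RE.match(line)
        if name:
            current.name = name.group(1)
        elif contained:
            current.path = contained.group(1)
        elif DRIVE_PATH_RE.match(line):
            current.path = line
        elif line.startswith("Trojan horse was removed"):
            current.removed = True
    return alerts


def triage(alerts: list) -> list:
    """One human-readable verdict per alert."""
    out = []
    for a in alerts:
        verdict = "verify before trusting (stock OS binary)" if a.needs_fp_review else "likely genuine"
        action = "removed" if a.removed else "stopped only"
        out.append(f"{a.when:%Y-%m-%d %H:%M:%S} {a.name:<15} {a.path} [{action}] -> {verdict}")
    return out


if __name__ == "__main__":
    for row in triage(parse_boclean_log(SAMPLE_LOG)):
        print(row)
```

Run on the sample, the NOTEPAD.EXE alert comes back marked for verification and the YHL.DLL alert as likely genuine, which matches what Chet found out the slow way. A copy of the flagged file, or the evidence copy BOClean keeps, is what you would hash and submit for the second opinion.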

BlueZannetti
August 15th, 2005, 05:58 PM
-{ Quote: "Hi Blue,

So to reiterate, so that I am sure I understand:

1) Some users reported some online malware which you decided to investigate
2) You investigated with either NOD32 or KAV running in real-time
3) These were relatively recent events
4) BOClean successfully caught the intruders" }-1) Yes
2) Yes
3) Well..., all are more than ~ 4 months old and none more than ~ 12 months old
4) Yes, the initial downloader was dealt with

-{ Quote: "If this is correct, then my comment would be:

1) Investigative work is substantially more dangerous than normal browsing (since you are actually seeking out dangerous sites)
2) BOClean did provide extra protection during these "hunting expeditions"" }-1) I agree, although not that much more dangerous than errant browsing. These weren't porn or warez sites. Typically, the enticement of free games, links to on-line gambling, and anti-spyware apps constituted the hook. Some of the sites looked reasonable from a casual aesthetic perspective.
2) Yes, it did. Of course, the original victims were not hunting, they fell prey during normal surfing. While I assume they considered their activities as fine since they avoided the obviously seedier side of the net, it's clear that their activities were, in fact, rather high risk.

-{ Quote: "One further question, if you do not mind commenting. Did any ever get through both shields?" }-No, as verified by a complete on-demand scan from the boot partition that was not active during the hunt and manual inspection of running processes, startup applications and services.

Blue

richrf
August 15th, 2005, 09:44 PM
-{ Quote: "
Chet

PS: In addition to BoClean, ZoneAlarm Security Suite, & Process Guard, I usually let Counterspy or Spysweeper run in realtime and use SpySubtract, Spybot, & Adaware & AOL's AntiSpyware Beta2 for on-demand scanning." }-

Thanks for sharing your experiences.

Regards,
Rich

richrf
August 15th, 2005, 09:46 PM
-{ Quote: "
No, as verified by a complete on-demand scan from the boot partition that was not active during the hunt and manual inspection of running processes, startup applications and services.

Blue" }-


Hi Blue,

Thanks much for relating your experiences. Very interesting indeed.

Regards,
Rich

hojtsy
August 16th, 2005, 02:16 AM
Trying to stay on topic...
-{ Quote: "Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? If so, what other security packages were you using at the time, e.g anti-virus, host intrusion protection, firewall, etc.?" }-
Approximately 10-15 different malwares got through Symantec AV for me on my work computer. Most of them were caught by on-demand AT scanners, but I am convinced that they would have been caught by a real-time AT too, if it had been running. At home AFAIK nothing got past KAV+Jetico, which is the most important reason why I have switched to KAV. So my experience is that the usefulness of your AT depends on which AV you are using.
-hojtsy-

richrf
August 16th, 2005, 02:21 AM
-{ Quote: "Trying to stay on topic...

Approximately 10-15 different malwares got through Symantec AV for me on my work computer. Most of them were caught by on-demand AT scanners, but I am convinced that they would have been caught by a real-time AT too, if it had been running. At home AFAIK nothing got past KAV+Jetico, which is the most important reason why I have switched to KAV. So my experience is that the usefulness of your AT depends on which AV you are using.
-hojtsy-" }-

Hi Hojtsy,

I too have found KAV much more resilient than Symantec Norton AV, which is why I switched. Since using KAV, nothing has gotten through, but I keep the AT (usually Ewido) running in real-time for old times' sake. When I clean other machines, I always use Ewido and KAV (and used to use TDS-3), and have had similar experiences to yours.

Thanks for sharing your experiences,

Regards,
Rich

myluvnttl
August 16th, 2005, 06:10 AM
Well I used Trojan Hunter and NOD32 and both have been very quiet, have not found any that would damage my computer, anyone want to send me something to make sure everything is working or not. ;)

Randy_Bell
August 16th, 2005, 07:09 AM
-{ Quote: "Hi Hojtsy,

I too have found KAV much more resilient than Symantec Norton AV, which is why I switched. Since using KAV, nothing has gotten through, but I keep the AT (usually Ewido) running in real-time for old times' sake. When I clean other machines, I always use Ewido and KAV (and used to use TDS-3), and have had similar experiences to yours.

Thanks for sharing your experiences,

Regards,
Rich" }-Nothing has gotten by NAV 2005 on this box. Nor has NAV destroyed my box with any f.p. the way KAV 5.x did on BigC's box recently. ;)

Brian N
August 16th, 2005, 07:14 AM
-{ Quote: "Well I used Trojan Hunter and NOD32 and both have been very quiet, have not found any that would damage my computer, anyone want to send me something to make sure everything is working or not. ;)" }-
http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)

Hard Rocker
August 16th, 2005, 07:28 AM
-{ Quote: "Nothing has gotten by NAV 2005 on this box. Nor has NAV destroyed my box with any f.p. the way KAV 5.x did on BigC's box recently. ;)" }-

;D Same thing here as well !!

HR 8)

NormanS
August 16th, 2005, 12:23 PM
I have not had my AT (TDS-3 until yesterday) detect a Trojan on-access, but then neither has my current AV, NOD32.

On the other hand, when I first installed TDS-3, it found a Trojan that had gotten past my then current AV, eSafe.

Just yesterday, my new AT, ewido, caught a spyware called Alexa during a scan, but did not find a Trojan after a full system scan.

What followed the detection of Alexa has me perplexed: after I clicked on ewido's option to delete the detected malware, ewido reported,
"+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup"

Since the above key is protected by RegDefend against modification of the key or value, RegDefend should have flagged ewido's intended action, but RegDefend did not. (?)

Following ewido's detection of Alexa, I opened the Registry and found that the value, {c95fe080-8f5d-11d2-a20b-00aa003c157a} continues to exist, but is now located at HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\. (Notice the addition of the subkey, CmdMapping.)

This event led me to wonder if the spyware was indeed removed. So I rescanned the Registry with ewido. This time, ewido reported that no infected files were found!

I don't understand what's going on; can anyone help?
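
One way to see exactly what a "Cleaned with backup" left behind is to export the Extensions key with regedit and search the export for the CLSID. The script below is an added example (not ewido's, RegDefend's or Microsoft's code) that parses a REGEDIT5-style .reg export and reports whether the CLSID still has its own Extensions\{CLSID} subkey, only a CLSID-named value under Extensions\CmdMapping, or neither. The reading it encodes, which is the example's assumption rather than anything stated in the thread, is that CmdMapping records the command ID IE assigned to each extension, so a CLSID-named value there with no matching subkey is an orphaned mapping and not a loadable extension. The two exports are constructed to mirror NormanS's before/after observation; the value names under the extension subkey are standard IE ones, their data are placeholders.

```python
"""Locate an IE extension CLSID in a .reg export (added example, not ewido's code)."""
import re

EXTENSIONS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"
CMDMAPPING_KEY = EXTENSIONS_KEY + r"\CmdMapping"
ALEXA_CLSID = "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"   # CLSID quoted in the post

# Constructed "before" export: extension subkey and CmdMapping entry both present.
BEFORE_CLEANUP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"ButtonText"="Sample button"
"CLSIDExtension"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"=dword:00002000
"NEXTID"=dword:00002001
"""

# Constructed "after" export: the subkey is gone, only the CmdMapping value remains.
AFTER_CLEANUP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"=dword:00002000
"NEXTID"=dword:00002001
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")       # a leading "-" means "delete key" in .reg syntax
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')   # "name"=data; the default value line "@=" is skipped


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}} for a REGEDIT5-style export.
    Multi-line hex continuations are not joined; they are not needed here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        k = KEY_RE.match(line)
        if k:
            current = None if k.group(1) == "-" else k.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            keys[current][v.group(1)] = v.group(2)
    return keys


def locate_clsid(keys: dict, clsid: str) -> list:
    """Every place the CLSID appears, as (kind, key_path): a subkey named after it,
    or a value named after it inside some key. Matching is case-insensitive."""
    clsid = clsid.lower()
    hits = []
    for path, values in keys.items():
        if path.lower().endswith("\\" + clsid):
            hits.append(("subkey", path))
        if any(name.lower() == clsid for name in values):
            hits.append(("value", path))
    return hits


def extension_status(reg_text: str, clsid: str) -> str:
    """'registered' if Extensions\\{CLSID} still exists (the extension can still load),
    'orphaned-mapping' if only the CmdMapping value is left, otherwise 'absent'."""
    hits = locate_clsid(parse_reg_export(reg_text), clsid)
    ext_prefix = EXTENSIONS_KEY.lower() + "\\"
    if any(kind == "subkey" and path.lower().startswith(ext_prefix) for kind, path in hits):
        return "registered"
    if any(kind == "value" and path.lower() == CMDMAPPING_KEY.lower() for kind, path in hits):
        return "orphaned-mapping"
    return "absent"


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP)):
        print(label, extension_status(text, ALEXA_CLSID),
              locate_clsid(parse_reg_export(text), ALEXA_CLSID))
```

On the constructed "after" export the verdict is orphaned-mapping, which is consistent with a second ewido scan finding nothing: the scanner looks for the extension subkey, and the leftover CmdMapping value is what a manual registry search still turns up. The same check works on a real export taken with regedit's File > Export on the Extensions key.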

Wai_Wai
August 16th, 2005, 01:32 PM
-{ Quote: "This may or may not be what is happening in real-life. If it is, then a couple of comments:

1) From a "success rate" perspective, it would not make sense to target an AV, such as KAV, that has about 1% of the market and is generally used by "hardened security users", as opposed to targeting products such as Norton or McAfee which have over 40% of the market and whose users are more likely to be new users who simply had these packages initially installed at purchase time. " }-

Hi. I would like to add more points to your post.
- In the real world case, I think a hacker doesn't need to target on the weakness of one particular AV. the best is to try to find a weakness where most or all AVs share (eg there are different techniques one can use to terminate/nullify/hide themselves in fron of the AVs). Also don't rely on the GUI or any error will signify you of the problem. The hacker can make it that the icon of the system tray is still on, and hide the error if he wishes to.

- Also people generally don't install AV as their only security program. Nowadays AV+AS+Firewall is a basic security suite promoted by Microsoft, so hackers have to find ways to bypass all security products. And it is not hard for them to do so. What they simply need to do is exploit fundamental weaknesses.

- There are several techniques one can use: buffer overflow, dll injection, code modification, rootkits, driver/service installation, covering/hiding, covert channels. Read the following for more info on how hackers can bypass the current security suite, or why the current security suite is not adequate:
http://engr.smu.edu/~tchen/papers/handbook2005.pdf
http://www.immunitysec.com/downloads/0days.pdf

- To protect ourselves against such kinds of common and advanced techniques, I think the best solution is to take back the power from Windows. There are many things we can do, from manually configuring our Windows (eg applying stricter security templates, not using admin accounts, using strong passwords etc.) to adding a fundamental layer of security (eg using application firewall, system monitoring, memory restriction).

- They will provide much better and more effective protection instead of relying on one AT to protect you from trojan-type malware AND trojans identifiable by its signature base.



-{ Quote: "
In any case, the usefulness of AT, is still very much theoretical. In this thread, one user has so far reported that a trojan was caught. Most have said otherwise. The "online man years" represented by even just a handful of people on this thread is quite substantial, so it remains to be seen how many Yeas and Nays we get, keeping in mind that a safe surfer has a very low probability of encountering a trojan that one of the AVs cannot already handle.
" }-

Also, in the case where a hacker wishes to intrude into a particular computer with its trojan, it may have considered bypassing the AT as well. The memory scan is not flawless. While providing limited extra protection, it has its own problems too. The AT itself is also subject to termination/modification/nullification like its AV counterparts.

Anyway installing one more AT may be desirable to some people who don't bother to learn a bit AND do not wish to use system baseline security products. To them, it does add a bit extra protection. ;D

Something is better than nothing.

Rmus
August 16th, 2005, 01:40 PM
-{ Quote: "http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)" }-Executable trojan/virus tests are not conclusive any more because your anti-intrusion protection will catch them and your AT would never see the file. A better test would be malware packed or embedded in a file.

Below, and next two posts:

1) attempt to download from the server is blocked

regards,

-rich
________________
~~Be ALERT!!! ~~

Rmus
August 16th, 2005, 01:40 PM
-{ Quote: "http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)" }-2) attempt to extract (Copy) from zip file is blocked

Rmus
August 16th, 2005, 01:40 PM
-{ Quote: "http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)" }-3) I gave permission for the file to download, and the attempt to run it (Open) is blocked.

Of course, you can argue that your good judgment would make you question whether or not you would permit the file to download in the first place, so even your anti-intrusion program wouldn't get a chance at it, and that these examples just show how someone can be prevented from unwittingly executing them, like your kids or other family members!

regards,

-rich
________________
~~Be ALERT!!! ~~

Wai_Wai
August 16th, 2005, 01:47 PM
-{ Quote: "
Permit me to quote from illukka's post in another thread:
http://www.wilderssecurity.com/showpost.php?p=522349&postcount=25
I can vouch for that: Just visit any hacker site and download a trojan package {I can't link to any here because it's against the rules}. Often in the "readme" for the package or kit, the author will state that he offers "undetected" variants for a price, usually small, like 20-30 bucks. Most often, in my experience {and I am not trying to target one product here}, it is KAV that is targeted for an undetected {modified} trojan, I assume because of its reputation for trojan detection. These kits usually include an editor or "editserver" as it is commonly called, which allow even a casual user to modify the server, so in some cases, even a casual user can create a modified server that will go undetected. However, because ATs scan memory, the process signature of a modified server may not be significantly different, and it may still be detected by an AT scanning memory. THIS, to me, is the big difference, and why I would still recommend an AT lilke TH or BOClean as a second-tier defense. Also, consider that all malware, once resident, immediately tries to kill your AV. But if you have a hardened AT running as well, that makes the malware's task more difficult because he has to kill both your AV and AT before they kill him. Two programs are harder to kill than one, given that he has probably only seconds to succeed or be killed himself. That is my take on it. Sorry I can't comment on any "poll" but I can say that, experimentally at least, I have in the past launched a few samples that my AT detected, but of course, that is more of a "laboratory" curiosity and not real-world or "ITW" {in-the-wild}. HTH .. ;)" }-

Something that worries me is that the AT itself has its own problems which can be bypassed by trojans too. On one side, it may be able to address a few problems which AVs have. On the other hand, the memory scan is also problematic, and AV and AT themselves are also subject to intrusion/attacks.

Anyway, something is better than nothing. I agree with you at this point. If you don't like other solutions, at least AT can provide a bit extra protection.

Rmus
August 16th, 2005, 01:54 PM
-{ Quote: "...These kits usually include an editor or "editserver" as it is commonly called, which allow even a casual user to modify the server, so in some cases, even a casual user can create a modified server that will go undetected." }-
-{ Quote: "Something that worries me is that the AT itself has its own problems which can be bypassed by trojans too. On one side, it may be able to address a few problems which AVs have. On the other hand, the memory scan is also problematic, and AV and AT themselves are also subject to intrusion/attacks.

Anyway, something is better than nothing. I agree with you at this point. If you don't like other solutions, at least AT can provide a bit extra protection." }-By other solutions, if you mean Anti-intrusion/execution protection - it would prevent an editor or "editserver" from unpacking/executing, making moot the point of bypassing an AT program.

regards,

-rich
________________
~~Be ALERT!!! ~~

Wai_Wai
August 16th, 2005, 01:56 PM
-{ Quote: "Very informative, RB. Thanks. :D

Doesn't the above imply that my AV was good enough to catch anything that was suspicious? In other words, it appears my AT was unnecessary because my AV caught everything I came across before my AT got a swing at it." }-

Yes, you are right. Otherwise AT would have already alarmed you of an intrusion. Due to its limited scope (mainly dealing with trojans*) and acting as a supplement to AV only, it doesn't really help much, not to say any, in real circumstances.

Probably when someone would like to invade your system:
- either it get caught by your AV (this situation is what you can notify);
- or the malware can pass both AV & AT without your notification.

But in neither case does AT prove its efficiency.

*AV and AS can handle more kinds effectively, not just limited to virus or spyware respectively.

Randy_Bell
August 16th, 2005, 02:11 PM
-{ Quote: "Something that worries me is that the AT itself has its own problems which can be bypassed by trojans too. On one side, it may be able to address a few problems which AVs have. On the other hand, the memory scan is also problematic, and AV and AT themselves are also subject to intrusion/attacks." }-Hello Wai_Wai, thank you for your interest and comments my friend. ;) Basically all I have in mind is the common concept of layered security -- meaning, a malware might get by one layer {AV} but get caught by another {AT}. Yet another layer to add would be a resident antispyware {AS}. The more layers you have, the less the chance for success of the malware, because he has to: (1) avoid detection by several security programs, not just one; (2) terminate or kill several security monitors or processes {not just one} before they kill him first.

-{ Quote: "Anyway, something is better than nothing. I agree with you at this point. If you don't like other solutions, at least AT can provide a bit extra protection." }-That is why I run TH alongside NAV. ;) Permit me to clarify, I think trojan authors target KAV -- it has nothing to do with market share but with reputation and detection rate -- since if they can create modified trojan to elude detection by KAV, almost surely the same modified malware will escape detection by all the other scanners. Really it is a "compliment" to KAV that trojan authors target it. ;) One gets the impression that it is a "trophy" of sorts, to be able to boast creation of malware variant which {at least temporarily} goes undetected by KAV. Now, if KL gets their hands on a sample of said malware, chances are it will *not* go undetected for more than few hours, heh ;D -- KL responds *very* quickly to add sigs and KAV updates hourly. ;) Thanks again for your comments. ;)

Wai_Wai
August 16th, 2005, 02:15 PM
-{ Quote: "Trying to stay on topic...

Approximately 10-15 different malwares got through Symantec AV for me on my work computer. Most of them were caught by on-demand AT scanners, but I am convinced that they would have been caught by a real-time AT too, if it would have been running. At home AFAIK nothing got past KAV+Jetico, being the most important reason why I have switched to KAV. So my experience is that the usefulness of your AT depends on which AV you are using.
-hojtsy-" }-

Norton, although established, is not really good. However, it has rebounded recently. See this test http://www.av-comparatives.org/seiten/ergebnisse_2005_02.php which tests their capabilities to detect ITW malware:
- AVG.............86,03% (freebie)
- Avast...........90,81% (freebie)
- NOD32..........95,50%
- Norton..........98,31%
- Kaspersky......99,65%
(Test in 2005)

2 other products people may not notice are F-Secure and AntiVirenKit (AVK) (German only). They use multiple scanners and are KAV-based. They are more or less as good as KAV. So for some people, if you don't like KAV for whatever reasons except its performance (eg ugly interface, your system is not happy with KAV), you may wish to try them out.

Wai_Wai
August 16th, 2005, 02:23 PM
-{ Quote: "By other solutions, if you mean Anti-intrusion/execution protection - it would prevent an editor or "editserver" from unpacking/executing, making moot the point of bypassing an AT program.

regards,

-rich
________________
~~Be ALERT!!! ~~" }-
Yes it is one of them.
For some others, you may look at my signatures.
By the way, since I have run too many security programs, I don't bother running AT anymore.

Wai_Wai
August 16th, 2005, 02:33 PM
-{ Quote: "Hello Wai_Wai, thank you for your interest and comments my friend. ;) Basically all I have in mind is the common concept of layered security -- meaning, a malware might get by one layer {AV} but get caught by another {AT}. Yet another layer to add would be a resident antispyware {AS}. The more layers you have, the less the chance for success of the malware, because he has to: (1) avoid detection by several security programs, not just one; (2) terminate or kill several security monitors or processes {not just one} before they kill him first." }-

Thanks for your reply too, buddy.
I very much agree with your multi-layered protection approach. I'm doing the same too. What security software have you installed?

I'm personally using 5 kinds of layers:
- Anti-virus
- Firewall
- Anti-spyware
- 2 kinds of System baseline programs (act as a safety net to take care of anything missed by AV, Firewall and AS. If 1 program fails, another program can help too)

As you see, I don't bother with the AT since I think I have run too many. AT is going to be my last choice.


-{ Quote: "
That is why I run TH alongside NAV. ;) Permit me to clarify, I think trojan authors target KAV -- it has nothing to do with market share but with reputation and detection rate -- since if they can create modified trojan to elude detection by KAV, almost surely the same modified malware will escape detection by all the other scanners. Really it is a "compliment" to KAV that trojan authors target it. ;) One gets the impression that it is a "trophy" of sorts, to be able to boast creation of malware variant which {at least temporarily} goes undetected by KAV. Now, if KL gets their hands on a sample of said malware, chances are it will *not* go undetected for more than few hours, heh ;D -- KL responds *very* quickly to add sigs and KAV updates hourly. ;) Thanks again for your comments. ;)" }-

But does an elusion from KAV guarantee an elusion from other AV too?
It seems there are a lot of possibilities before reaching this conclusion.

By the way, what I am sure of is that they tend to target Windows-based, IE-based, &/or OE-based attacks.

Randy_Bell
August 16th, 2005, 02:44 PM
-{ Quote: "Norton, although established, is not really good. However, it has rebounded recently. See this test http://www.av-comparatives.org/seiten/ergebnisse_2005_02.php which tests their capabilities to detect ITW malware:
- AVG.............86,03% (freebie)
- Avast...........90,81% (freebie)
- NOD32..........95,50%
- Norton..........98,31%
- Kaspersky......99,65%
(Test in 2005)" }-Thank you for being fair; I don't want to get OT but I have a Gigabyte of collected malware that I have tested NAV on, I have submitted thousands of samples to SARC, and I am confident that NAV, although not perfect, is a good scanner, as your numbers testify here. NAV does not quite have Kaspersky's detection but then again, it doesn't have as many f.p. either. My experience has been that many of the reported "misses" by NAV are due to: (1) old engine being used; (2) confusion of terms, forex only engine version 10.0 and higher {home edition} will detect expanded threats like spyware, adware, dialers & keyloggers, etc. Several times I have gotten folks to send me samples of things they *thought* were undetected, I tested with the latest engine and signatures, guess what, they were mistaken. I am not saying all such public claims are bogus, but I do take them with a "grain of salt" unless I can test a sample and see with my own eyes that it is undetected with latest engine and sigs. JMHO .. ;) And even in the case of samples truly undetected, {and plenty of them do exist, I know} -- let me encourage everyone to take a few seconds to submit malware samples to vendors, it's not that hard to do, and doesn't require too much of your time, and in so doing, you can add to all our security, since it is in all our interest to improve detection -- not just for NAV but for all scanners of all vendors, it is good for us to work to improve detection. Thanks again Wai_Wai, Lord Bless! ;)

Randy_Bell
August 16th, 2005, 02:47 PM
-{ Quote: "But does an elusion from KAV guarantee an elusion from other AV too? It seems there are a lot of possibilities before reaching this conclusion." }-With rare exception, my thoughts would be *YES*, if they can elude KAV's detection they will probably be missed by the other scanners as well. Possibly McAfee, with strong generic sigs and good trojan detection, might flag some of them, but even McAfee doesn't keep up with KAV in trojan detection. ;)

richrf
August 16th, 2005, 03:03 PM
Hi guys,

Maybe a new thread is needed regarding the overall usefulness of AV vs. ATs. I was hoping that this thread would concentrate on real-life experiences, so I and other forum members could quickly run down the thread and read other users' real-life experiences.

Regards,
Rich

Starrob
August 16th, 2005, 03:37 PM
-{ Quote: "3) I gave permission for the file to download, and the attempt to run it (Open) is blocked.


________________
~~Be ALERT!!! ~~" }-


I must have missed it but what program are you using to block the execution of the file?


Starrob

Rmus
August 16th, 2005, 03:52 PM
-{ Quote: "I must have missed it but what program are you using to block the execution of the file?" }-It's Anti-Executable, but Process Guard and other similar programs would do the same, I think.

We should start a new thread if you want to continue talking about other ways of stopping trojans/viruses since it's getting away from Rich's original topic.

-rich
________________
~~Be ALERT!!! ~~

Wai_Wai
August 16th, 2005, 03:53 PM
Forgot to tell my own experience.
The answer is still negative.

When I used to use AT (I tried several), they sat silently without producing any noise.
Should I be happy or sad about that?

Wai_Wai
August 16th, 2005, 04:00 PM
For people who wish to discuss other more effective ways to stop trojans and other malware, here's the new thread:
http://www.wilderssecurity.com/showthread.php?p=533727

Starrob
August 16th, 2005, 04:13 PM
-{ Quote: "Norton, although established, is not really good. However, it has rebounded recently. See this test http://www.av-comparatives.org/seiten/ergebnisse_2005_02.php which tests their capabilities to detect ITW malware:
- AVG.............86,03% (freebie)
- Avast...........90,81% (freebie)
- NOD32..........95,50%
- Norton..........98,31%
- Kaspersky......99,65%
(Test in 2005)

" }-


I don't strictly believe those results, although many people quote them. I believe a large majority of malware is unknown and most can't be detected.

It is part of the reason that KAV must update every hour or so....so many new detections and I think even KAV realizes that one day they might have a hard time keeping up. I heard KAV 6.0 will have a behavior blocker/heuristics.

There are even ways of evading heuristics, if one looks around enough. It is one of my beliefs that the best defense is education......but of course most people do not want to educate themselves on computer security.

Despite what some people say, there is still a market for AT software, even though it is small. If there were no market then companies like Boclean would not exist.

The reason why products like Anti-executable work for people like RMUS is that he appears to have educated himself and even if he does make a mistake he has backed it up with Deep-Freeze? (It is Deep-Freeze, right?)

Secondly I have seen no response to Chopper here: http://www.wilderssecurity.com/showthread.php?t=92178

-{ Quote: "the answer is no my friend !!! there are ways around this with the gold version !!!

ch0pper

hacker defender team" }-


Now is this a scare tactic? Or does the hacker defender team know something that you don't know???

I will say this: I do know a theoretical weakness in PG that I will not elaborate on because I am searching to see if there is a defense against it and also I don't and won't expose PG weaknesses publicly.

I do know one thing....If an inexperienced amateur like me can go googling and find weaknesses in products then it is fairly easy for Hackers to find these weaknesses.

I know some people sit behind their defenses and think they are bulletproof but I have been told by more than a few vendors that nothing is bullet proof despite being advertised that way.

Some people argue against AT's. Well AT's are nothing more than another tool. It is a specialized tool that some find useful and others don't.

Some that think they are bulletproof because they use other tools might find a surprise one day if they are not using their head and they rely too much on their "tools" and not enough on their knowledge.

All these "tools" have weaknesses.

RMUS has a fairly strong set-up but even his set-up can be beaten if he does not use his head. Believe me....any security tool can be picked apart for its weaknesses and said to be not necessary.

Even AV's have big weaknesses. I heard Holy Father does not use an AV. He probably does not use an AV because he is aware of its weaknesses. So, he probably never scans anything because he has enough specialized knowledge to disassemble programs and read their code and knows what is a danger and what is not. Perhaps he even uses Linux. Collecting that amount of specialized knowledge is an inconvenience for most people so most people opt to use Windows and AV's for convenience sake.

Some people opt to use AT's also for convenience sake. In fact if I owned a business I might use a product like BoClean for convenience sake. Maybe some of the HIPS products would cause too many "complications" with all of their alerts. An AT is an option and a viable option for some. For others it is not. If you feel you don't need it then don't use it but realize that for some people it might be a viable option....for one reason or another.



Starrob

controler
August 16th, 2005, 07:43 PM
Hello Starrob

You are trying to stay on top of things. Seems only you and RMUS even respond to my posts anymore.

Yes Kevin does know the rootkit world as we know it.

Also, I hope you don't think even the Holy father is immune to a hack.

The basics tell me all you need is an IP address.

Like you say, he is not completely the enemy or he would not broadcast his presence so much.

How bout we look at reformat on a weekly basis? LOL

con

controler
August 16th, 2005, 08:11 PM
Starrob

I am happy you are on the right track.

We look at motives

Political

WAR

IGO

You need to look at who you are dealing with.

Is it GOV related?

WE here at Wilders look at everything.

Countries aside

BUT


YOU MUST REALIZE countries are at WAR!!!!!!!!!!!!!!!!!!

and so is what you see what is really happening?

PLease look at Broader pic.



DO NOT look at AV comparatives

USE UR GUT feelings

YOU have MS haters

YOu have UNIX haters

Just understand it doesn't matter which OS you choose, it is about your ROOTS.

When all is said, it IS about your country and its allies.


con

Whereisthebeef
August 17th, 2005, 02:21 AM
-{ Quote: "
The reason why products like Anti-executable work for people like RMUS is that he appears to have educated himself and even if he does make a mistake he has backed it up with Deep-Freeze? (It is Deep-Freeze right?)

" }-

Irrelevant.

-{ Quote: "
Secondly I have seen no response to Chopper here: http://www.wilderssecurity.com/showthread.php?t=92178

the answer is no my friend !!! there are ways around this with the gold version !!!


Now is this a scare tactic? Or does the hacker defender team know something that you don't know???

" }-

There's a good reason why there is no reply.

-{ Quote: "
I will say this: I do know a theoretical weakness in PG that I will not elaborate on because I am searching to see if there is a defense against it and also I don't and won't expose PG weaknesses publicly.
" }-

How considerate of you. So what is your purpose for saying this? Are you trying to scare people? Or show off your knowledge? Or just illustrate the point that nothing is bulletproof?

-{ Quote: "
I do know one thing....If an inexperienced amateur like me can go googling and find weaknesses in products then it is fairly easy for Hackers to find these weaknesses.

" }-

If an amateur like you can find it, you might as well just announce it. But you won't of course, because hinting that you know something the noobs here don't makes you feel powerful.

-{ Quote: "
I know some people sit behind their defenses and think they are bulletproof but I have been told by more than a few vendors that nothing is bullet proof despite being advertised that way.
" }-

Yes, we really need a Vendor (professional/expert whatever) to tell us nothing is bullet proof ! Have the standards here really dropped so low?

-{ Quote: "

Some that think they are bulletproof because they use other tools might find a surprise one day if they are not using their head and they rely too much on their "tools" and not enough on their knowledge.

All these "tools" have weaknesses.
" }-

In most places this would be stating the obvious , but in WSF this cannot be stated often enough. After all this is a place which gives users a false sense of security by praising all the virtues of security software and removes links to examples of tools that can defeat them.


-{ Quote: "
Even AV's have big weaknesses. I heard Holy Father does not use a AV. He probably does not use a AV because he is aware of it's weaknesses. So, he probably never scans anything because he has enough specialized knowledge to dis-assemble programs and read their code and knows what is a danger and what is not. Perhaps he even uses Linux." }-

Oh yes and linux makes you unhackable.. Oh yes indeed :) A vendor told me this isn't true btw.

Starrob
August 17th, 2005, 04:01 AM
-{ Quote: "
Oh yes and linux makes you unhackable.. Oh yes indeed :) A vendor told me this isn't true btw." }-

Ho-hum.

I am looking to learn what I don't know. Do you know why no one will provide an answer to Chopper's claim?

I sometimes suspect Controler might know but who really knows?


Starrob

richrf
August 17th, 2005, 01:36 PM
-{ Quote: "Forget to tell me own experience.
The answer is still negative.

When I used to use AT (I tried several), they sat silently without producing any noise.
Should I be happy or sad about that?" }-

Well I am glad that my surfing habits and AV are working well. :) I keep Ewido and/or BOClean running for peace of mind.

Cya,
Rich

Don Pelotas
August 17th, 2005, 03:20 PM
-{ Quote: "Ho-hum.

I am looking to learn what I don't know. Do you know why no one will provide an answer to Chopper's claim?

I sometimes suspect Controler might know but who really knows?


Starrob" }-
Starrob

Think for a second, if a vendor did respond to such a bold statement and maybe even said that this particular vendor does in fact detect everything that this Hacker team sells.......

The next thing that would happen is someone.....well probably you ;), would be asking how exactly they do this!!!

This will never happen, an intelligent guy like you would of course know why. In other words some of the answers you are seeking will never be answered.

OT. I have had trojan detections with an AT more than three times, less than 10, all with the same AV, and no it wasn't Kaspersky.

This is exactly what an AT should be bought for, a backup in case your AV fails. :)

richrf
August 17th, 2005, 04:01 PM
Hi Don,

A couple of quick questions if you don't mind. Were these encounters with trojans recent events? Were you doing normal browsing or were you on a "trojan hunting expedition" a la Blue's. Thanks.

Rich

Don Pelotas
August 17th, 2005, 04:24 PM
-{ Quote: "Hi Don,

A couple of quick questions if you don't mind. Were these encounters with trojans recent events? Were you doing normal browsing or were you on a "trojan hunting expedition" a la Blue's. Thanks.

Rich" }-
No, this was just "normal" internet activity, if I were to announce every encounter, it would be more or less daily. ;)

myluvnttl
August 18th, 2005, 10:49 AM
-{ Quote: "http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)" }-


Yeah, I've seen this before. So surprising how a couple of lines of code can damage a computer. :o

Trooper
August 18th, 2005, 01:06 PM
Hi Rich,

To answer your question no. My choice of AT (BOClean) has never caught a *nasty* on my machine. However, I am a safe surfer and don't hang out on porn/warez sites so that could be why. However the very few times that I was surfing and was hit with a problem, my AV (NOD32) stopped it completely.

I still run BOClean as a backup, and plan to do so for the foreseeable future. It's there, it does its thing in the background, and it gives me peace of mind while I am on the internet.

BTW, in just trying to dl the trojan simulator test, you can see how NOD32 reacted. ;) ;D

Jag
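A practical way to answer the thread's question on your own machine, as an added example that is not from any poster here: drop the public EICAR test file (the one linked a few posts up, the same kind of check Jag describes with the simulator download) into a folder and see whether the on-access scanner reacts before you can read it back. Everything below is constructed for this example; the probe directory, file name and wait time are assumptions, and the test string is the public 68-byte EICAR string, nothing else.

```python
"""Probe whether an on-access (real-time) scanner reacts to the EICAR test file.

Added example, not part of the original thread. Uses only the public
EICAR test string from eicar.org; the file is harmless by design.
"""
import os
import tempfile
import time
from typing import Optional

# The public 68-byte EICAR string, split in two so this source file itself
# does not carry the contiguous signature.
_EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}"
_EICAR_TAIL = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = _EICAR_HEAD + _EICAR_TAIL


def is_eicar_file(data: bytes) -> bool:
    """Validate `data` against the eicar.org file rules: the 68-byte string
    first, optionally followed only by whitespace, total length <= 128."""
    body = EICAR.encode("ascii")
    if len(data) > 128 or not data.startswith(body):
        return False
    return data[len(body):].strip(b" \t\r\n") == b""


def probe_on_access_scanner(directory: Optional[str] = None,
                            wait_seconds: float = 2.0) -> dict:
    """Write an EICAR file, wait, then try to read it back.

    `scanner_reacted` is True when the file could not be written, vanished,
    was truncated or became unreadable: the usual on-access outcomes
    (blocked write, quarantine, deletion, access denied).  None means the
    probe could not even start (e.g. a permissions problem on the write).
    """
    directory = directory or tempfile.mkdtemp(prefix="eicar_probe_")
    path = os.path.join(directory, "eicar.com")  # assumed file name
    result = {"path": path, "written": False, "survived": False,
              "intact": False, "scanner_reacted": None}
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR.encode("ascii"))
        result["written"] = True
    except OSError as exc:
        # Either the scanner blocked the write or the directory is not writable;
        # the two cannot be told apart here, so leave scanner_reacted as None.
        result["error"] = str(exc)
        return result
    time.sleep(wait_seconds)  # give the on-access hook time to act
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        result["survived"] = True
        result["intact"] = is_eicar_file(data)
    except OSError as exc:
        # Quarantined, deleted or access denied after the write.
        result["error"] = str(exc)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    result["scanner_reacted"] = not (result["survived"] and result["intact"])
    return result
```

A scanner that only scans on demand will leave the file intact, which is exactly the "sat silently" behaviour several posters describe; run the probe once with the real-time component on and once with it off to tell the two apart.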

Whereisthebeef
August 18th, 2005, 05:25 PM
-{ Quote: "Starrob

Think for a second, if a vendor did respond to such a bold statement and maybe even saying that this particular vendor does in fact detect everything that this Hacker team sells.......

The next thing that would happen is someone.....well probably you ;), would be asking how exactly they do this!!!
" }-

He could ask, but the details would be beyond Starrob.

But more importantly than that, given that hack defender gold is essentially private and constantly undergoing revision, trying to claim you can block it is like the "bulletproof" claim that Starrob so wisely showed to be foolish.

Wherethebeef
August 18th, 2005, 05:55 PM
ADMINISTRATION


be advised that the above post by Whereisthebeef is NOT by me.
For whatever reason that poster wants to use that "nic", it's fine with me...the person can have it to enjoy......NO MORE POSTS WILL BE MADE BY ME USING THE "NIC" WHEREISTHEBEEF.......

Starrob
August 18th, 2005, 06:01 PM
-{ Quote: "He could ask, but the details would be beyond Starrob.

" }-


It is ok to comment on any claims made on this or that but commenting on whether I would know details or not is pure speculation.

No one on this board knows me or my background in computing. I could be clueless or I could be highly knowledgeable and faking clueless. I will say that I do probably know more than most people think. In real life, I often fake clueless in order to get knowledge out of people.

I believe these boards should be for information sharing but too often it goes into personal attacks and makes discussions useless for everyone becomes the expert and there is too little listening......and I do listen. I often reverse positions upon acquiring more knowledge about a subject.

One thing I will say about me is that not every subject I talk about, I believe in. Sometimes I point in certain directions to see what knowledge comes out of other people.

I have argued both for AT's and against AT's just to see what the competing considerations would be. I have in the past directly challenged vendors by name but I don't think I ever called out any one Wilders member by name and say they don't know what they are talking about.

Discuss the ideas....not the personality.....



Starrob

Wai_Wai
August 21st, 2005, 07:05 PM
-{ Quote: "I don't strictly believe those results, although many people quote them. I believe a large majority of malware is unknown and most can't be detected." }-

As to the understanding of the result, sorry to tell you that it appears you misinterpreted the result.
The result above is meant to test ITW viruses only. (if you don't know what "ITW" is, simply read it as "known")
To give you a general idea only, the performances at detecting Zoo (or simply unknown) viruses are roughly as follows:
[I only compare good/famous AVs. Other rogue/crappy/under-development AVs are excluded:]
- **unsatisfied* famous AV: AVG (5%-)
- below-average famous AV: Avast, RAV, AntiVir (5-10%)
- about-average famous AV: Norton, Trend Micro, F-Prot, Panda, Sophos (10-20%)
- above-average famous AV: {not really} (20-30%)
- ****good**** famous AV: Dr.Web, BitDefender, McAfee (30-40%)
- ***excellent** famous AV: KAV, NOD32 (40%+)

IMPORTANT: Don't treat the above result absolutely. As I said previously, it is used to have a general idea about how different classes of AVs perform.

Ref: http://www.av-comparatives.org/

Anyway, don't feel guilty or unhappy about making a false statement. We, as humans, always make mistakes. What is important is that we learn from mistakes and avoid making the same mistakes again.


As to your attitude towards the results, yes you are right.
You shouldn't strictly believe those results. What you should hold in mind is they are for reference only. These kinds of results can never be representative enough to make well-solid conclusions.

By the way, it doesn't mean we should discard these results completely. We need to know:
- The world is never meant to be perfect
- Nothing is worse than something
- The world is full of uncertainty where we have to bet in many cases based on the limited info provided/available

We need to choose one AV anyway, right? And we wish to bet for the best possible AV. A wild guess is worse than an informed guess.
So if the above result is the only result we can obtain, we should try to pick one which is the best in the result, instead of discarding the result and make a wild guess.

Do you agree with me?
What do you think?


PS:
Note to the thread master/starter (richrf):
I'm not sure if I should reply since it is like I am hijacking the thread. If you do think so, tell me and I will reply to the posts by private messages (or some other ways) only.
Also I will delete the off-topic replies should you wish to.

Wai_Wai
August 21st, 2005, 07:43 PM
-{ Quote: " It is part of the reason that KAV must update every hour or so....so many new detections and I think even KAV realizes that one day they might have a hard time keeping up. " }-

Just a reminder in case people don't know.
It is a good thing that KAV manages to update every hour or so. However don't fall into the illusion of using this fact alone to conclude that you will get the fastest protection against unknown viruses, or get far better detection against new Zoo viruses.

Their research power/speed matters too. Put simply, when a new unknown virus comes out, they need to search (e.g. get the virus sample), analyse (e.g. look into its behaviour), make a solution (e.g. add the signature of that virus) and update (i.e. update the packs and make them available to download).

What KAV promises to do is the last part: update every hour or so (if updates are available) on a regular basis. It doesn't automatically mean the first 3 parts are sped up too.
For some other AVs, it may happen that they have finished analysing that virus. Unless this virus is critical/dangerous, they may not update their packs instantly. Rather they wait for their next update time to upload all newly-added stuff to their website.
Updating every hour or so (if available) is a good thing. However don't fall into the hasty conclusion that it must mean you will get the fastest protection against unknown viruses, or get far better detection against new Zoo viruses.

Hard facts:

Example: Mydoom.A
All AV updates which were released on 2004-01-26:
– F-Prot 22:30 W32/Mydoom.A@mm (the first one to release update!)
– Trend Micro 22:35 WORM_MIMAIL.R
– RAV 23:00 Win32/Novarg.A@mm
– Norman 23:05 MyDoom.A@mm
– F-Secure 23:05 W32/Mydoom.A@mm
– Virusbuster 23:05 I-Worm.Mydoom.A
– AVG 23:15 I-Worm/Mydoom
– Avast 23:15 Win32:Mydoom [Unp]
– Kaspersky 23:30 I-Worm.Novarg
– AntiVir 23:30 Worm/MyDoom.A2
– Symantec 00:05 W32.Novarg.A@mm
– eTrust (CA) 00:20 Win32/Shimg.Worm
– Command 00:20 W32/Mydoom.A@mm
– Sophos 00:40 W32/MyDoom-A
– eTrust (VET) 01:30 Win32.Mydoom.A
– Esafe 01:50 Win32.Mydoom.a
– Dr. Web 02:40 Win32.HLLM.Foo.32768
– McAfee 04:00 W32/Mydoom@MM
– Quickheal 04:00 W32.Novarg
– Bitdefender 04:00 Win32.Novarg.A@mm
– Panda 04:10 W32/Mydoom.A.worm
– Ikarus 08:35 I-Worm.Mydoom

Ref: http://www.av-test.org/



-{ Quote: "
I heard KAV 6.0 will have behavior blocker/hueristics.
" }-

Is it true that KAV has some kind of behavior blocker/heuristics already?

Wai_Wai
August 21st, 2005, 07:57 PM
-{ Quote: "With rare exception, my thoughts would be *YES*, if they can elude KAV's detection they will probably be missed by the other scanners as well. Possibly McAfee, with strong generic sigs and good trojan detection, might flag some of them, but even McAfee doesn't keep up with KAV in trojan detection. ;)" }-

I have researched a bit on this subject.
You may be interested to know.

Here's one of the common examples where malware can bypass KAV, but not others.
Code permutation can bypass KAV, but not some others (e.g. NOD32):
-{ Quote: "
Analysis of Results

a) Kaspersky (AV/AT)
Kaspersky uses a static, signature-based unpacking engine. The unpacking engine is extremely powerful since it supports hundreds of different packers and crypters. However, it is also extremely vulnerable to code permutation.

The same applies to Kaspersky's single-point scanning technique in connection with the use of code-based signatures (i.e., the code permutation vulnerability does not merely apply to Kasperky's unpacking engine but also to the main scan engine which is responsible for the detection of uncompressed samples).

b) Dr. Web (AV/AT)
It seems that Dr. Web also uses a static unpacking engine and, therefore, is affected in the same manner as Kaspersky.

The signatures used by Dr. Web for the detection of the Bionet trojan seem to be resistant to code permutation. However, we also performed internal tests with trojans like Lithium 1.03. Because Dr. Web did not detect permutated variants of other trojans we conclude that Dr. Web is partially affected by this vulnerability.

c) Ewido (AT/AS)
Ewido uses a generic unpacking engine that is less vulnerable to code permutation. On the other hand, Ewido's generic unpacking engine is less powerful than Kaspersky's static one (i.e., there are many compressors like Petite that are not (yet?) supported by Ewido). Fortunately, Ewido also supports memory scanning.

Like Kaspersky, Ewido's scan engine uses code-based signatures. In the light of the fact that Ewido claimed (and still claims?) to use "fuzzy", patch-proof signatures we expected that Ewido would be able to resolve the permutations and, therefore, be resistant to code permutation. However, the non-detected Bionet 4 sample and our internal tests with other samples (like Lithium 1.03 and Aphex FTP) show that Ewido's "fuzzy" code-based signatures are almost as vulnerable as Kaspersky's code based signatures.

d) NOD32 (AV/AT)
Not too bad ... the term "advanced heuristics" does not seem to be a mere marketing gag. It will require a more in-depth analysis in order to figure out how NOD32 exactly works.

Ref: http://illusivesecurity.il.funpic.de/viewtopic.php?t=56
" }-

Based on my understanding and research, it is not true that being able to bypass KAV means it can bypass other AVs in most cases. So it also implies:
- the more on-demand AV scanners you use, the higher the percentage of malware you detect that was missed by 1 AV.
- the above statement applies to AT & AS & the like too

Starrob
August 21st, 2005, 08:52 PM
-{ Quote: "
Anyway, don't feel guilty or unhappy about making a false statement. We, as a human, always make mistakes. What important is we learn from mistakes and avoid making the same mistakes again.

" }-


You are right we all make mistakes, which is why I don't trust those results or strictly trust the results of any tests.

All tests can be subject to manipulation (either intentional or unintentional) and also errors. The results of any tests can also be subjected to endless arguments.....

One argument that I have found is the endless argument appearing in the AV forum. Numerous examples of the definition of "In the Wild" can be found there. It appears that one reason why so many people argue about AV test results is that one person's definition of "In the Wild" means some determination by some organization while another person's definition is that any malware a person can find on the internet is "In the Wild". This is only just one example of what can cause a "different view" of test results.

Most people can not see the other person's point of view because they start off defining the tests differently on such things as what is meant by "In the Wild". There are many ways of perceiving the results of any test and each different perception can give a person different conclusions.

There are many people that take their perceptions and then try to "preach" and convert others to their world view.....but there are many views in the world....some more valid than others at different points in time for a given individual.

Right now, the way you view security could be valid for you at this point in time but maybe not be valid tomorrow. Points of view vary with time, depth of knowledge and also the particular way one decides they want to view things.

I started to realize a long time ago that almost all my ways of viewing things hold elements of truth as well as elements of falsehood....sort of like a yin-yang. This is why I don't feel guilty about most of my statements....I start off knowing that they have falsehood in them.....but they hold elements of truth as well.

When it comes to security I believe that some people don't need an AV, some might only need one AV, and some might need multiple AV's. That also applies to AT's and AS's too. There are different people that might require all different types of combinations of security products and many of the considerations people use are not defined by some "test" that may or may not be accurate.

A test can be a tool but I don't take any one test as gospel.


Starrob

Wai_Wai
August 21st, 2005, 09:19 PM
-{ Quote: "
I will say this I do know a theoretical weakness in PG that I will not elaborate on because I am searching to see if their is a defense against it and also I don't and won't expose PG weaknesses publicly." }-

Indeed there are quite a few weaknesses PG shares and which are known.
E.g. PG cannot protect itself from being shut down by means of registry editing.
(it was found on 25 Jul 2005)

Sidenote: Don't be scared & fall into the hasty conclusion that this program is crap. If you understand more, every security product has its own weaknesses (some may be quite serious). Generally speaking & in my own opinion ONLY, PG is good (suitable for beginners, and provides decent protection). But if you wish to have more decent protection (although harder to learn), you may think of System Safety Monitor or Viguard.



-{ Quote: "
I do know one thing....If a inexperienced amateur like me can go googling and find weaknesses in products then it is fairly easy for Hackers to find these weaknesses." }-

If you read good product reviews, they will show you the weaknesses.
There are also many articles available which discuss security problems, product weaknesses and so on, so if you do wish to know, it is very easy.

But it doesn't mean you can hack easily. Knowing the weaknesses doesn't automatically guarantee you the knowledge to hack (with some exceptions).


-{ Quote: "
I know some people sit behind their defenses and think they are bulletproof but I have been told by more than a few vendors that nothing is bullet proof despite being advertised that way." }-

Yes, I couldn't agree more.


-{ Quote: "
Some people argue against AT's. Well AT's are nothing more than another tool. It is a specialized tool that some find useful and others don't.

<snip>

Some people opt to use AT's also for convenience sake. In fact if I owned a business I might use a product like BoClean for convenience sake. Maybe some of the HIPS products would cause too many "complications" with all of their alerts. A AT is a option and a viable option for some. For others it is not. If you feel you don't need it then don't use it but realize that for some people it might be a viable option....for one reason or another.
" }-

Yes you are right.
AT, similar to AV, provides ease of use - alert-free :P
Users who favour intrusion protection systems have their own reasons why they prefer them.

Generally speaking:
- if you feel convenience and being alert-free is of utmost importance, you should choose an AT.
- if you feel protection is of utmost importance, PG or another intrusion protection system is your pick.
- if you value both, PG is probably your choice since it is designed for beginners: easy to use. Apart from some exceptions, if you bother to spend some minutes reading the manual and using Google/forums, you have no problems when using PG most of the time. You don't really need to deal with any alerts but a few if you use its learning mode properly.

You may be interested to read this:
Comparison of anti-trojan programs and intrusion protection systems when dealing with trojans
http://www.wilderssecurity.com/showthread.php?p=537680

Wai_Wai
August 21st, 2005, 09:31 PM
-{ Quote: "Well I am glad that my surfing habits and AV are working well. :) I keep Ewido and/or BOClean running for peace of mind.

Cya,
Rich" }-
I would like to use Ewido (AT/AS) since it can detect 80% of trojans, so it outperforms all remaining ATs (the best being 50% only :( ) in the market in one test.
(Note: I realise anti-trojans are not designed to detect beforehand. It may become useful when the trojans are installed and have invaded your system. Its memory scanner may detect and stop their activity. But I prefer prevention in the first place :P)

However it seems it is not good at anti-spyware (although it claims it can detect spyware, it's rather limited). Thus I can't replace my AS with it.

Also I'm worried that conflicts may occur among AV, Ewido and AS, which would lower my protection level (unknowingly).

Wai_Wai
August 21st, 2005, 09:32 PM
-{ Quote: "Yeah, I've seen this before. So surprising how a couple of codes line can damage a computer. :o" }-
Even one line of code can be damaging. :P

Format {all drive letters}

Haha... :D

Triple Helix
August 21st, 2005, 09:35 PM
My T/A x 2 has never caught a thing!! NOD32 was always first to react to any Threats that I ever had!!


HTH Cheers,

Starrob
August 21st, 2005, 09:39 PM
-{ Quote: "If you read good product reviews, they will show you the weaknesses.
There are also many articles available which discuss security problems, product weaknesses and so on, so if you do wish to know, it is very easy." }-



The only problem with product reviews is that sometimes there is a heavy bias either for or against the product by the person doing the reviewing.

Sometimes it takes awhile to determine a reviewer's bias and sometimes it can't be determined at all.

Even, if you can determine the bias, it does not mean that what the reviewer is saying is not true.

Personally, I try to look at as many sources as I can.....some biased for the point of view....others biased against the point of view and some "neutral" bias.

Personally, for me, the biggest danger is relying on only one source or one point of view. So, I look at things from many different ways and from many different points of view.....it helps my decision making process but it also makes me somewhat of a "heretic" to those that get stuck on looking at things from one point of view for the rest of their life.

It is good that you are out there doing a lot of reading....more power to you!!!



Starrob

Wai_Wai
August 21st, 2005, 10:47 PM
-{ Quote: "The only problem with product reviews is that some times there is a heavy bias either for or against the product by the person doing the reviewing.

Some times it takes awhile to determine a reviewers bias and sometimes it can't be determined at all.

Even, if you can determine the bias, it does not mean that what the reviewer is saying is not true." }-

It seems you have problems when reading results/reports/reviews which may be biased (lightly or seriously). Even worse, you may feel people are biased everywhere and what they write are no longer trustworthy.

Here's what I think. Don't treat my ideas too seriously.

In fact, you don't need to worry too much about that. It is true biases occur everywhere in our daily lives (myself included). It's because we are emotional. Loyalty, sense of belonging and so on make us biased in some sorts. But it doesn't hurt much when we know how to deal with biases.

Here's what I think:
- don't let "bias" sidetrack your logical thinking
- when direct evidence, direct reasoning, provable facts etc. are available, don't discard/distrust them simply because the person-in-charge is biased
- "bias" is one factor which affects the quality/truthfulness of one's claim, but this alone doesn't falsify what he claims (totally). His claims may be still valid (in some ways)
- Final word: Don't let "bias" or other personal issues take over your logical judgement!!

Consider this case. In the 1980s, there were very controversial arguments about high cholesterol content in foods and its relationship with heart disease. Within this context, the National Food & Nutrition Board issued a report citing evidence that insufficient connection existed between cutting fat and cholesterol intake and heart disease to make a dietary recommendation. However many members in the medical community who were urging us to cut fat and cholesterol intake condemned this report.

But why did they condemn? It was because 2 scientists on the Board were found to be paid consultants to food companies with special interests in high-cholesterol foods. The chairman of the Nutrition Board received about 10% of his income from Kraft Inc. and Pillsbury, and another member was an adviser/speaker for the American Egg Board and the Dairy Council. Millions of dollars were at stake for these companies. The American Heart Association and other health groups claimed that the report was biased.

However, when someone concluded that the Board's report had no merit or that they should discard the whole report completely since it was no longer trustworthy, it is very wrong. True that 2 scientists on the Board had a potential conflict of interest, but even if these scientists were biased, the evidence the report cited could still substantiate the report's conclusion that the connection between high cholesterol foods and heart disease is weaker than previously thought. If you look at the direct evidence in the report, the relevant scientific studies cited in the report were available and could have been studied and analyzed. The conflict of interest of the two scientists was relevant to the charge of their being biased, but not relevant to the report's conclusion. They could have been right even if they were biased.

If everyone is going to discard any information provided by someone who may be or is biased, we are going to discard a lot of (in)valuable direct evidence, which I would hate to see, in my opinion.



-{ Quote: "
It is good that you are out there doing a lot of reading....more power to you!!!" }-

Thanks, and I think you are "on the same boat" :P

Starrob
August 22nd, 2005, 01:48 AM
-{ Quote: "It seems you have problems when reading results/reports/reviews which may be biased (lightly or seriously). " }-


I simply realize that a bias can influence the results. This is among the reasons why when drug companies test drugs they use "double blind tests" http://skepdic.com/control.html

Double blind tests are used to try to eliminate the factor of "bias" within a test. Many scientists, over time, have discovered that a bias can distort the results of a test. Even tests that are "real".....tests that involve measuring physical things seem to be distorted by bias.

This is a really crazy subject because some "physical" tests might be even distorted to the point where people think "psychic" abilities are involved. Crazy to think that thoughts might possibly control things in the "physical" world but some believe they can.

That is why I like to know if the observer of the test is biased or not. I like to know because their bias might influence the results of the test and what is "true" for them might not necessarily be true for me or true for the majority of people.

Sometimes two different testers can come up with two different results, even though they use the same methods.....the deciding factor can many times be their bias.

That is why I prefer to look at information from more than one source. I try not to become the "true" believer in any one source. I don't want to be the one that follows the pied piper over the cliff.....



Starrob

msanto
August 22nd, 2005, 02:06 AM
I've had BOClean catch 3 trojans that got onto my system. They started to run, it caught and deleted them.

Infinity
August 22nd, 2005, 05:04 AM
Don't know if it's useful in this conversation but this weekend I was at my friend's house...complaining about his PC being slow...

I installed Ewido (trial) and it found immediately 150 pieces of spyware, aurora ****, nasty stuff...hidden dll's whatever...

in total her machine was cleaned in 15min. cleaned over 250 pieces of nasty...

how about that? Real enough?

grtz.

/edit: cleaning the rest with HJT was a piece of cake...I really consider Ewido a pitbull...and after the first reboot (together with HJT) I had a nice eve with those guys 8)

Bubba
August 22nd, 2005, 06:37 AM
A number of trolling\personal attack\OT posts removed.

Just a reminder of the thread's intended subject matter....Has your real-time anti-trojan ever caught anything?

The Hammer
August 22nd, 2005, 07:30 AM
-{ Quote: "I would like to use Ewido(AT/AS) since it can detect 80% of trojans, so it outperforms all remaining ATs (the best being 50% only :( ) in the market in one test.
(Note: I realise anti-trojans are not decided to detect. It may become useful when the trojans are installed and have invaded your system. Its memory scanner may detect and stop their activity. But I prefer prevention in the first place :P)

However it seems it is not good at anti-spyware (although it claims it can detect spyware, it's rather limited). Thus I can't replace my AS with it.

Also I'm worried about if conflicts occur among AV, Ewido and AS which it will lower my protection level (unknowingly)." }-
What test are you referring to? Do you have a link?

Wai_Wai
August 22nd, 2005, 08:06 AM
-{ Quote: "What test are you referring to? Do you have a link?" }-
So sorry that I forgot to provide the link.
It is from http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69 (the latest test)

For your reference, you may wish to read this as well:
AV list (from top to bottom) - detection rate for ITW trojans:
- AntiVirenKit (Kaspersky-based, German): 99.80%
- Kaspersky Personal Pro: 99.52%
- F-Secure (Kaspersky-based): 99.40%
- Kaspersky Personal: 99.24%
- Panda: 86.92%
- McAfee: 86.56%
- Norton Pro: 82.43%
- Norton Corporate: 79.83%
- PC-cillin: 73.51%
- AVAST: 71.51%
- Nod32: 71.37%
- AVG: 55.58%

AS list (from top to bottom) - detection rate for ITW trojans:
- Digital Patrol: 54.32%
- PestPatrol: 31.52%

AT list (from top to bottom) - detection rate for ITW trojans:
- TDS (discontinued on 22 Jul 2005): 54.80%
- A squared 2: 53.59%
- AntiTrojan Shield: 30.16%
- PC Door Guard: 30.06%
- Trojan Hunter: 23.65%
- Tauscan: 19.22%
- The Cleaner: 18.76%
- Trojan Remover: 18.29%
- IP Armor: 10.92%
- Hacker Eliminator: 10.82%
- Anti-Hacker & Trojan Expert: 00.01% (how dare you call yourself expert!! You are crap!)

Ref: One test done on the same website (www.virus.gr) on 8 Aug 2004.

Infinity
August 22nd, 2005, 08:11 AM
I cannot see Ewido in your test Wai Wai .. so your link is not valid since you said Ewido outperforms every other player...


anyway...such tests mean nothing to me and should reflect real life, however I cannot see a lot of tests reflecting real life...it's all laboratory stuff...

and I don't have a lab...

richrf
August 22nd, 2005, 09:34 AM
-{ Quote: "I've had BOClean catch 3 trojans that got onto my system. They started to run, it caught and deleted them." }-

Hi,

Thanks for replying. Was this relatively recent? Were you using an AV at the time? If so, would you mind saying which one?

Thanks for any additional info.

Rich

richrf
August 22nd, 2005, 09:35 AM
-{ Quote: "I installed Ewido (trial) and it found immediately 150 pieces of spyware, aurora ****, nasty stuff...hidden dll's whatever...

grtz." }-

Hi Infinity,

Was your friend running a current and updated version of an AV? Thanks.

Rich

Infinity
August 22nd, 2005, 10:01 AM
no kiddin' but it was Norton SystemWorks 2005, brand new...

he wouldn't uninstall it :D let him have it ;)

but it was a great eve after the cleaning...

Randy_Bell
August 22nd, 2005, 11:01 AM
-{ Quote: "no kiddin' but it was norton systemworks 2005 brandnew...

he wouldn't uninstall it :D let him have it ;)

but it was a great eve after the cleaning..." }-I'd be willing to bet your friend has an unpatched system, uses IE, and clicks on everything in sight; does not run a resident antispyware; etc. Not even KAV will protect a box from that, I can assure you, although you guys just love to do this with Norton.

richrf
August 22nd, 2005, 11:12 AM
Hi Randy,

I personally would hope that you will be respectful and allow each member responding to this thread to simply state the facts. If you have any additional questions then of course it is appropriate to ask. But I think that it would be most helpful if everyone felt free to specify what occurred without feeling that they have to defend their "motives". For example, Blue stated in his feedback that he was probably running NOD32 or KAV at the time BOClean detected and cleaned the trojans.

Rich

The Hammer
August 22nd, 2005, 04:48 PM
-{ Quote: "Hi Randy,

I personally would hope that you will be respectful and allow each member responding to this thread to simply state the facts. If you have any additional questions then of course it is appropriate to ask. But I think that it would be most helpful if everyone felt free to specify what occurred without feeling that they have to defend their "motives". For example, Blue stated in his feedback that he was probably running NOD32 or KAV at the time BOClean detected and cleaned the trojans.

Rich" }-Yes but Blue wasn't at all derogatory in his remarks concerning KAV or NOD. As SGT. Friday always said "Just the facts Maam." The post Randy Bell quoted was sarcastic not factual. Really richrf you should be more like a baseball umpire here. Warning both sides like when a pitcher throws at a batter.

richrf
August 22nd, 2005, 10:49 PM
-{ Quote: "Yes but Blue wasn't at all derogatory in his remarks concerning KAV or NOD. As SGT. Friday always said "Just the facts Maam." The post Randy Bell quoted was sarcastic not factual. Really richrf you should be more like a baseball umpire here. Warning both sides like when a pitcher throws at a batter." }-

Everyone be nice - especially to me. :D

Thanks for all of the responses so far.

Rich

Infinity
August 23rd, 2005, 04:58 AM
-{ Quote: "I'd be willing to bet your friend has an unpatched system, uses IE, and clicks on everything in sight; does not run a resident antispyware; etc. Not even KAV will protect a box from that, I can assure you, although you guys just love to do this with Norton." }-


If you think that I'll throw away my free time just to bash Norton ... you're simply wrong...fact is that it was an updated version which they had paid for.

Randy_Bell
August 23rd, 2005, 05:31 AM
-{ Quote: "If you think that I'll throw away my free time just to bash Norton ... you're simply wrong...fact is that it was an updated version which they had paid for." }-Neither Norton nor any other AV will protect against spyware infestation if a PC-user is not careful in his/her surfing practices. I apologize for a "knee-jerk" reaction but that was my only point, the AV isn't to blame IMHO. One can have an up-to-date KAV with the supersecure {extended+x} bases but that still isn't designed to protect against spyware in realtime. One needs a fully patched IE and O.S., a resident antispyware {such as MSAS, CounterSpy, etc.} and sound surfing habits to stay away from spyware. An AV won't protect from that stuff. An AV is primarily a file scanner, not a memory scanner. This is an instance where one can argue for an AT such as BOClean which is a memory scanner, and more effective against spyware than any file scanner or AV alone. A memory scanner can intercept spyware in realtime whereas, generally, an AV that only scans and monitors the filesystem cannot. I supplement NAV with TH which also has a resident Guard that is a memory scanner. I believe the instance you cited is a good case for running an AT such as BOClean or Ewido in realtime, for added protection, because no AV is designed to protect in realtime against spyware attack -- even though an excellent file scanner such as KAV may detect the spyware, it will be too late to intercept it or clean it in realtime, IMHO. And spyware is notoriously more difficult to clean than 'classic' malware {trojan, virus, worm}; sometimes requiring HJT log analysis by experts to clean; etc. Again, I'm sorry for hurtful reaction but in some instances, I do think a person's habits can be responsible for problems, just as much or more so than any failure of AV or security programs. 
I do not have all the facts & details but from your description, I suspect NAV had nothing to do with the spyware problems you cited; nor would it have made any difference if a different AV was used. Nor is it appropriate to single out a good product like NSW Premier 2005 {which I run on this box} as defective when it fails to protect against things it really isn't designed to protect against. NAV, like most AVs, is primarily an AntiVirus app and not an AntiTrojan or AntiSpyware app. Granted we seem to want one product to protect against the Kitchen Sink these days but IMHO that is unrealistic. Anyway, my apology for the misunderstanding and the offense .. ;)

Infinity
August 23rd, 2005, 06:24 AM
Hi Randy, I see your point.

yes, those guys I helped out .. they are not the smartest ones regarding Internet Security, hell I bet they click on everything but still .. if I sell a product that doesn't live up to the expectations...

-{ Quote: "Detects spyware and certain non-virus threats such as adware and keystroke logging programs." }-

..this comes from Symantec's website and I didn't feel Norton was protecting them against that.
when someone wants to create an all in one app .. 99% of the time they lose direction.
grtz.

Randy_Bell
August 23rd, 2005, 09:11 AM
-{ Quote: "-{ Quote: "Detects spyware and certain non-virus threats such as adware and keystroke logging programs." }- ..this comes from Symantec's website and I didn't feel Norton was protecting them against that.
when someone wants to create an all in one app .. 99% of the time they lose direction. grtz." }-I agree that is deceptive advertising for any AntiVirus because an AV is primarily a file-scanner which monitors the filesystem -- the AV Realtime Monitor {RTM} scans all files copied, moved, touched in any way. But spyware often creeps in through trusted apps such as the browser {IE Browser Helper Objects}, through DLL injection, and other ways that may go undetected in realtime by a file-scanner. I certainly do not trust my AV to protect me against spyware; I run MSAS as my resident AntiSpyware shield. In closing, I don't wish to get O.T. here so I will attach this "ad" from ewido's website (http://www.ewido.net/en/) to illustrate my point, namely that ewido advertises itself as just such an app to "supplement" traditional AV Scanners; in their case I do think they have a huge database and can be a useful supplement to an AV like NAV. {I have already mentioned TH and BOClean in previous post, as other alternatives}. It does seem that several folks have posted here and mentioned finding things with BOClean and ewido that their AVs missed. And I agree, that is why I run TH resident and have ewido as manual backup {and used to also scan with TDS-3 before it went out-of-business}. Take Care, and Thanks, Sincerely .. Randy

Infinity
August 23rd, 2005, 09:19 AM
No prbs Randy, you're right .. using an av without at is not recommended and the same works the other way around.

well, Ewido has a new customer now in conjunction with Norton Systemworks and together I am positive it makes a hell of a team!

best wishes,
Andy

JimIT
August 23rd, 2005, 10:01 AM
2002

PC-cillin 2002 running resident. BoClean intercepted an attachment in e-mail after it passed through PCC's e-mail scanner as clean. Yes, I did double-click it, and yes, BC killed it.

Wai_Wai
August 23rd, 2005, 03:51 PM
-{ Quote: "I cannot see Ewido in your test Wai Wai .. so your link is not valid since you said Ewido outperforms every other player...

anyway...such tests means nothing to me and should be reflecting real life however I cannot see a lot of tests reflecting real life...it's all laboratory stuff...

and I don't got a lab..." }-

Go to the link and search for Ewido.
You will see something like:
- 40. Ewido version 3.0 - 38.67%

But it is not enough. You need to click on its documentation to read its details in order to get the info.

As a note, it is all to do with detection only. So it has its limitation. But anyway, every test has limitations and limitations alone should not be a reason to ignore a test completely.

It doesn't mean much, but it has some meaning, which you can possibly make use of. ;)

Originally I would have liked to give you this link:
http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests.htm

This is about how well anti-virus and anti-trojan applications perform against well-known Remote Administration Trojans (server-based trojans). Unfortunately the link is broken now.

Wai_Wai
August 23rd, 2005, 03:58 PM
-{ Quote: "Hi Randy, I see your point.

yes, those guys I helped out .. they are not the smartest ones regarding Internet Security, hell I bet they click on everything but still .. if I sell a product that doesn't live up to the expectations...



..this comes from Symantec's website and I didn't feel Norton was protecting them against that.
when someone wants to create an all in one app .. 99% of the time they lose direction.
grtz." }-

Don't rely on Norton to detect adware & spyware. I have to admit it does poorly. Why not use some freebies like (Ad-Aware Free, Spybot S&D, Microsoft AntiSpyware) where they do much better jobs on AT/AS than the paid Norton counterparts?

Norton is good at AV/AT only, but not AS.

Randy_Bell
August 23rd, 2005, 04:22 PM
-{ Quote: "Don't rely on Norton to detect adware & spyware. I have to admit it does poorly. Why not use some freebies like (ad-aware Free, spybot S&D, Microsoft Antispyware) where they do much better jobs on AT/AS than the paid Norton couterparts? Norton is good at AV/AT only, but not AS." }- Thank you, that was my whole point to Infinity but I guess my initial approach was bad and blocked communication. ;D ;D Seriously, I like Norton products but agree with you {and was recommending such in my posts}, get a dedicated resident A.S. {MSAS or CounterSpy} for spyware prevention. Also BOClean is very good for intercepting spyware in realtime if people want to add BOC on top of that mix {AV+AS+AT}. And BOC will "catch" other nasties in realtime too. I use a resident NAV + MSAS + TH for my defense. ;) :) Finally, needless to say but I am active in updates here and admonish everyone to keep your Security Products religiously up-to-date! :) ;) Now we will get back on-topic before Rich gives us a spanking .. ;D 8)

controler
August 27th, 2005, 01:41 PM
Yes if a scanner has the defs for the spyware it will detect it.
I am wondering if the ad was for the AV only or the suite?
The suite does not only have to be a file scanner it can scan mem as well.

McAfee's beta suite works well for spam, Norton's does also but KAV's has a ways to go.

There are claims that BOClean won't detect trojans that actually use encryption during memory use and do not need to be decrypted to work.
I have not seen Kevin's thoughts on this as of yet. Anybody have a link to
his rebuttal? After all every program uses RAM to run. It cannot run without it.
Guess looking for encrypted memory action would not be that hard now, would it?


controler

Nancy_McAleavey
August 28th, 2005, 09:55 PM
-{ Quote: "There are claims that BOClean won't detect trojans that actually use encryption during memory use and do not need to be decrypted to work." }-

Where did you hear that? I am not aware of any software that can be executed while still encrypted, nor anything that BOClean has been unable to detect for that reason. Sounds like an urban legend to me.

BlueZannetti
August 28th, 2005, 10:15 PM
-{ Quote: "There are claims that BOClean won't detect trojans that actually use encryption during memory use and do not need to be decrypted to work.
I have not seen Kevin's thoughts on this as of yet. Anybody have a link to
his rebuttal? After all every program uses RAM to run. It cannot run without it.
Guess looking for encrypted memory action would not be that hard now, would it?" }-controler,

Forgive the naivete on my part, but precisely what do you mean by this?

Blue

Cerxes
September 7th, 2005, 06:10 PM
rich, the only time I have caught a trojan was when I was scanning downloaded files, and that was with KAV. My general sec. software is: PG, RegDefend, ShadowUser, Firefox + plugins, Port Explorer, SnoopFree, SpywareBlaster, Nod32 (active), KAV (passive), ewido (passive), Ad-Aware (passive), a2 (passive), SpySweeper (passive), ZA, router + hardening some unsecure ports and Windows services...
If I wasn't so "paranoid", I would say that a router (inbound) + ZA (outbound) + ShadowUser is enough, considering the type of attacks that I have been exposed to and my "lack of common sense" web habits...