View Full Version : New Trojan Test
StevieO
September 21st, 2005, 05:43 AM
Whilst looking at the new TrustWare AntiMalware App mentioned here http://www.wilderssecurity.com/showthread.php?t=98468&highlight=AntiMalware, I DL'd and tried the Trojan Demo exe. It launched Calc, but I passed the test as in my screenshot! You might like to try it too and see if it gets through your defences.
http://img389.imageshack.us/img389/4650/trustwaredemo11zp.png
. . .
Caution – by agreeing to perform the security test below you will become subject to our cyber attack:
Of course we will do no harm to your PC or network
We will however simulate an internet download similar to what your network users may perform. Similarly this installation attempt may also simulate an execution of a zip file received via an email, installation from a memory stick or any other form through which an .exe file may enter your corporation.
We will attempt to prove that none of your security systems will alert or identify our intrusion attempt. As you run the .exe file we will launch your calculator and scan your documents' names. We will then place your document names on our server and provide you with a link so that you can see what files we accessed.
During the process your Firewall may notify you of our demo trying to access the network. This means our demo has successfully accessed your files and is trying to report its findings to our server. If you allow our program to connect to the network you will receive a link to view the test results online. After you refresh the web page the information we were able to collect from your PC will be lost.
I read the above and I want to perform the security test.
http://www.trustware.com/home.php
. . .
StevieO
Magnus Mischel
September 21st, 2005, 06:03 AM
Firefox presents a "Save As" dialog with no option to run the file. I suspect the demo is aimed at unpatched IE users...
StevieO
September 21st, 2005, 10:45 AM
Hi Magnus,
Actually it's not aimed at any IE vulnerabilities, as I found this TrojDemo.txt file after I had posted, which shows what it tries to make use of to phone home with a report.
As I'm locked down with all these and more disabled, it clearly didn't affect me. Other people would probably have failed the test, I'm afraid to say.
------ Files Attack test ------
Attacking C:\WINDOWS\SYSTEM\TASKMGR.EXE: Failed!
Attacking C:\WINDOWS\SYSTEM\TELNET.EXE: Failed!
Attacking C:\WINDOWS\SYSTEM\FTP.EXE: Failed!
Attack test Done
StevieO
Triple Helix
September 21st, 2005, 12:25 PM
ProcessGuard Stops it for me!!
Cheers, ;D
beetlejuice69
September 21st, 2005, 12:47 PM
I couldn't get it to download.
Chris12923
September 21st, 2005, 01:12 PM
Dagolag, what part of PG stops it?
BeetleJuice, do you get an error, or does something else stop it? What browser are you using?
Thanks,
Chris
Triple Helix
September 21st, 2005, 01:19 PM
-{ Quote: "Dagolag, what part of PG stops it?
BeetleJuice, do you get an error, or does something else stop it? What browser are you using?
Thanks,
Chris" }-
I click on the button here!! And>>
beetlejuice69
September 21st, 2005, 01:20 PM
-{ Quote: "Dagolag, what part of PG stops it?
BeetleJuice, do you get an error, or does something else stop it? What browser are you using?
Thanks,
Chris" }-
I was using Opera. No error; when I went to dwl it would only flash on the screen for a second. I think it might have been NOD that wouldn't let me dwl... but that's only a guess.
Triple Helix
September 21st, 2005, 01:21 PM
-{ Quote: "I click on the button here!! And>>" }-
And I get a Pop up from ProcessGuard Here!! Opera here Also!!
HTH,
cheers,
Chris12923
September 21st, 2005, 01:27 PM
Dagolag,
So the execution protection blocked it? That's good, but what if you allow the program to run; does PG stop it anywhere else?
Beetlejuice,
It doesn't appear to be NOD unless our setup is different I am using IE but have IMON enabled and I can still download. Maybe something with opera?
Thanks,
Chris
beetlejuice69
September 21st, 2005, 01:33 PM
I tried again with Firefox. I got to download the "disable AV" test. Online Armor stopped that one. I didn't try the other two.
Chris12923
September 21st, 2005, 01:34 PM
-{ Quote: "I tried again with Firefox. I got to download the "disable AV" test. Online Armor stopped that one. I didn't try the other two." }-
hmmm... Strange. I know the ActiveX test link does not work but I'm not sure what would be causing the other issues. Well, at least if you can't D/L it I guess you're protected :)
Thanks,
Chris
Triple Helix
September 21st, 2005, 01:42 PM
Well with this one this is what happened!!
Triple Helix
September 21st, 2005, 01:42 PM
And Click allow and pcIp stops it here!! And I don't let it go any further!! Same with the trojan check!!
cheers,
Chris12923
September 21st, 2005, 02:00 PM
The old layered security approach. Good one!
I am using ViGuard and of course it detects the trojan test, and since I use ViGuard I am not using an antivirus, so the disable AV test can not find one to terminate. Of course I also understand that the authors for both programs are the same.
Thanks,
Chris
Triple Helix
September 21st, 2005, 02:15 PM
No AV Wow!! :o :o It does not shut down NOD if I let go through!!
Cheers, ;D ;D ;D
Chris12923
September 21st, 2005, 02:17 PM
-{ Quote: "No AV Wow!! :o :o
Cheers, ;D ;D ;D" }-
Well I am normally a NOD user but since installing ViGuard I am tempting fate. I'm doing this based on several things including reviews, authors own claims and my own testing. I of course haven't tested everything but so far so good. Let's just hope it stays this way....
Thanks,
Chris
GreenWhite
September 21st, 2005, 02:19 PM
Out of boredom, tried the new trojan test. And ...
Yup, NOD32 locked and held up the file (partially downloaded into desktop). It won't let me delete the partial file either.
Note: If you have Unlocker, you can see the file being held up by NOD32 (nod32kui.exe and nod32krn.exe).
Reboot, and deleted the file. Suffice to say, NOD32 managed to protect me from harm.
Chris12923
September 21st, 2005, 02:24 PM
-{ Quote: "Out of boredom, tried the new trojan test. And ...
Yup, NOD32 locked and held up the file (partially downloaded into desktop). It won't let me delete the partial file either.
Note: If you have Unlocker, you can see the file being held up by NOD32 (nod32kui.exe and nod32krn.exe).
Reboot, and deleted the file. Suffice to say, NOD32 managed to protect me from harm." }-
I wonder why NOD on my other system is not stopping it like yours? I have the latest NOD32 program with the most recent updates and the highest settings, and it does not stop it at all. Ideas?
Thanks,
Chris
Triple Helix
September 21st, 2005, 02:59 PM
Well jotti says nothing found!! Could that be Why?;)
Triple Helix
September 21st, 2005, 02:59 PM
And this one!!;)
StevieO
September 21st, 2005, 03:17 PM
I also tried the AV test, but it threw up an error box and failed to run, maybe a 98SE issue, but at least it failed to even try and disable it!
It's good to see that many here are protected against the AT test through various different means.
StevieO
GreenWhite
September 21st, 2005, 03:18 PM
-{ Quote: "I wonder why NOD on my other system is not stopping it like yours? I have the latest NOD32 program with the most recent updates and the highest settings, and it does not stop it at all. Ideas?
Thanks,
Chris" }-
Scratching head. No idea, Chris.
Just a hunch, anything to do with IMON download setting, something like switch to passive mode (size)?
Chris12923
September 21st, 2005, 03:20 PM
-{ Quote: "Scratching head. No idea, Chris.
Just a hunch, anything to do with IMON download setting, something like switch to passive mode (size)?" }-
Not sure, but Dagolag just had it scanned at Jotti's and none of the scanners there, including NOD, detects it... Just one of those things that make you go hmmmm...
Thanks,
Chris
Triple Helix
September 21st, 2005, 03:51 PM
A2 Spots something but Trojanhunter does not!! :-\
Rmus
September 21st, 2005, 06:10 PM
Blocked from downloading by Anti-Executable.
Then I gave it permission to download and run - the file executed successfully according to the text file created, and Kerio Firewall blocked the outbound connection to send to the web site.
-rich
________________
~~Be ALERT!!! ~~
Rmus
September 21st, 2005, 06:19 PM
Downloaded the antivirus disable test and the file was blocked from extracting.
-rich
________________
~~Be ALERT!!! ~~
one1111
September 22nd, 2005, 04:35 AM
I Failed
I'm using Trojan Hunter and Ewido and neither detected it )-:
one1111
September 22nd, 2005, 04:43 AM
Just out of curiosity I checked the Anti-virus attack and failed that as well.
I'm ready to give up )-:
Chris12923
September 22nd, 2005, 08:40 AM
-{ Quote: "Just out of curiosity I checked the Anti-virus attack and failed that as well.
I'm ready to give up )-:" }-
Don't give up :) Maybe Ewido and Trojan Hunter know this is just a simulated attack and do not include it in the defs. Although if it was a real active trojan then you could be in trouble. You should try Anti Malware or Viguard or any of the above programs that passed this test if you feel your security is lacking. Did your firewall detect it though?
Thanks,
Chris
Brian N
September 22nd, 2005, 08:58 AM
FYI, I submitted all files to Ewido and all AV companies that I know of, informing them that these files are test files just like eicar and trojan simulator.
I'm guessing all of them would like to pass this test, so expect these files to be detected by most of them in the near future...
Chris12923
September 22nd, 2005, 09:00 AM
Good work Brian. Yes I am sure they all do want to pass. Wonder who will pass first...
Edited: Did I just sound like a schoolteacher? Sorry if I did.
Thanks,
Chris
Brian N
September 22nd, 2005, 09:03 AM
Don't know, I haven't been in school for ages ;D
Magnus Mischel
September 22nd, 2005, 09:18 AM
TrojanHunter will not be detecting this as it is not a real trojan. The only entry in TrojanHunter's database used for testing purposes is for Trojan Simulator (http://www.misec.net/trojansimulator/), which is what you should use if you want to verify that TrojanHunter is operating properly.
Chris12923
September 22nd, 2005, 09:20 AM
Thanks for your time to communicate this Magnus.
Thanks,
Chris
Triple Helix
September 22nd, 2005, 09:31 AM
-{ Quote: "The only entry in TrojanHunter's database used for testing purposes is for Trojan Simulator (http://www.misec.net/trojansimulator/), which is what you should use if you want to verify that TrojanHunter is operating properly." }-
NOD32 stops that one Flat!!
Cheers,
Triple Helix
September 22nd, 2005, 09:35 AM
I tried Anti-Executable as Rmus uses and I find it too invasive for what I need!!
Cheers,
Chris12923
September 22nd, 2005, 09:49 AM
-{ Quote: "I tried Anti-Executable as Rmus uses and I find it too invasive for what I need!!
Cheers," }-
You could try Viguard if you want (it blocks the trojan test as well as TrojanHunter's Trojan Simulator). You can use default rules and still be pretty secure. You can not use antivirus software with it though. Process Guard blocks it but does not block Trojan Simulator from what I remember. Not sure what else would detect them.
Thanks,
Chris
Pollmaster
September 22nd, 2005, 10:07 AM
Seems to me that this test is not meant for antiviruses, as it's basically harmless, so whether it is added to a signature database or not is not critical.
Neither is it a test for firewalls; the notice mentions that it doesn't attempt any firewall evasion.
I also don't think execution monitoring is being tested; at least the results I see indicate PG fails.
The only way to beat this test appears to be monitoring of the specific area being changed (Prevx does this), or restriction of privileges of the test.exe.
Chris12923
September 22nd, 2005, 10:18 AM
-{ Quote: "Seems to me that this test is not meant for antiviruses, as it's basically harmless, so whether it is added to a signature database or not is not critical.
Neither is it a test for firewalls; the notice mentions that it doesn't attempt any firewall evasion.
I also don't think execution monitoring is being tested; at least the results I see indicate PG fails.
The only way to beat this test appears to be monitoring of the specific area being changed (Prevx does this), or restriction of privileges of the test.exe." }-
The alert that I get from Viguard is that the program is trying to modify the executables.
Thanks,
Chris
Brian N
September 22nd, 2005, 10:31 AM
Eicar and Trojan Simulator are harmless too; nonetheless they still are detected as 'test malware'.
StevieO
September 22nd, 2005, 11:26 AM
one1111,
Can I suggest that you do as I have done and disable the following.
TELNET.EXE
FTP.EXE
You can very easily do this by doing a Windows Search on your C Drive for them. Once you have found them, right click on both of them and choose Rename. Very CAREFULLY left click after EXE and add OLD ( TELNET.EXEOLD ). This is in case you ever need either of them again, so you can Rename them back exactly as they were. 99% of people don't have any use for these, or lots of other stuff too!
You can also do the same with TASKMGR.EXE if you don't use it.
This might help enable you to pass the test.
. . .
Some interesting results being thrown up with this test by everyone.
StevieO
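A scripted, reversible form of the rename procedure in the post above, as an added example (not StevieO's or anyone else's code from the thread): it finds TELNET.EXE, FTP.EXE and TASKMGR.EXE under the Windows directory, appends OLD to the name exactly as described, and undoes it with -Restore. It assumes an elevated prompt and uses $env:windir rather than the hard-coded C:\WINDOWS\SYSTEM path of the 2005 report.

```powershell
# Added example, not from the thread: reversible version of StevieO's advice.
# Renames TELNET.EXE / FTP.EXE / TASKMGR.EXE to *.EXEOLD (his convention);
# -Restore puts the original names back; -WhatIf previews without touching anything.
# Assumptions: run as Administrator; $env:windir replaces the post's C:\WINDOWS\SYSTEM.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Names = @('TELNET.EXE', 'FTP.EXE', 'TASKMGR.EXE'),
    [switch]$Restore
)

$suffix = 'OLD'   # TELNET.EXE becomes TELNET.EXEOLD, exactly as in the post

# Which file names to look for depends on direction: the originals, or the already-renamed ones.
$lookFor = if ($Restore) { $Names | ForEach-Object { $_ + $suffix } } else { $Names }

# One recursive search of the Windows tree, the scripted form of "Windows Search on your C Drive".
$found = Get-ChildItem -Path $env:windir -Recurse -File -Include $lookFor -ErrorAction SilentlyContinue
if (-not $found) {
    Write-Output "No matching files under $env:windir; nothing to do."
    return
}

foreach ($file in $found) {
    $newName = if ($Restore) {
        $file.Name.Substring(0, $file.Name.Length - $suffix.Length)   # strip the trailing OLD
    } else {
        $file.Name + $suffix
    }
    $target = Join-Path $file.DirectoryName $newName

    # Never clobber: if both names already exist, someone did this by hand; leave it to the operator.
    if (Test-Path -LiteralPath $target) {
        Write-Warning "Skipping $($file.FullName): $target already exists."
        continue
    }
    if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
        try {
            Rename-Item -LiteralPath $file.FullName -NewName $newName -ErrorAction Stop
            Write-Output "$($file.FullName) -> $newName"
        } catch {
            # Windows File Protection or TrustedInstaller ownership can refuse the rename.
            Write-Warning "Could not rename $($file.FullName): $($_.Exception.Message)"
        }
    }
}
```

On Vista and later the System32 copies are owned by TrustedInstaller and covered by Windows Resource Protection, so the rename is refused or silently undone there; restricting NTFS permissions, as kareldjag mentions later in the thread, is the supported way to get the same effect on those systems.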
one1111
September 22nd, 2005, 12:48 PM
Thanks to all those who responded with solid advice and especially to Magnus
for clarifying the issue in regards to Trojan Hunter.
To Chris, yes my Firewall did detect it.
poll2
September 22nd, 2005, 12:53 PM
-{ Quote: "Eicar and Trojan Simulator are harmless too; nonetheless they still are detected as 'test malware'." }-
Eicar is an industry-wide standard. Trojan Simulator is Magnus's baby and supposed to be the counterpart to Eicar; I'm not surprised TH detects it.
But I think all this is missing the point. Adding stock detection of such "malware" adds zero to your protection. Not unless the detection is more 'generic'.
poll2
September 22nd, 2005, 12:54 PM
-{ Quote: "The alert that I get from Viguard is that the program is trying to modify the executables.
Thanks,
Chris" }-
Yes. Yes, that's a fair pass then. But as you said, it's no surprise.
Brian N
September 22nd, 2005, 01:20 PM
-{ Quote: "Eicar is an industry-wide standard. Trojan Simulator is Magnus's baby and supposed to be the counterpart to Eicar; I'm not surprised TH detects it.
But I think all this is missing the point. Adding stock detection of such "malware" adds zero to your protection. Not unless the detection is more 'generic'." }-
I agree - But a 'new/unknown' test should count as much as an 'industry standard' test - Even I could make an AV and detect eicar, but that's not the point.
If any test (standard or not) fails to be detected or stopped by a user's program(s), it brings up some concern for the 'less experienced'. And also, these test files mimic the routine of a trojan/worm/virus .. whatever, so one would expect your defense programs to catch it (unless it's 100% signature based).
So to make this story short: Companies gain reputation and trust if they detect these non-standard test files, no matter how 'friendly' they are.
poll2
September 23rd, 2005, 02:45 AM
-{ Quote: "I agree - But a 'new/unknown' test should count as much as an 'industry standard' test - Even I could make an AV and detect eicar, but that's not the point." }-
Not sure what you are arguing here. Any test that some guy comes up with does not automatically become a standard.
-{ Quote: "If any test (standard or not) fails to be detected or stopped by a user's program(s), it brings up some concern for the 'less experienced'." }-
-{ Quote: "So to make this story short: Companies gain reputation and trust if they detect these non-standard test files, no matter how 'friendly' they are." }-
Are we talking about the issue of real protection or public relations among noobs? I personally care about real protection, rather than image.
-{ Quote: "And also, these test files mimic the routine of a trojan/worm/virus .. whatever, so one would expect your defense programs to catch it (unless it's 100% signature based)." }-
Yes, and unless someone corrects me, the detection put in by AVs, if they bother, is 100% signature based, so no real protection is accrued.
I only expect the AV to catch malicious software. I rather they spend their time on that, rather than wasting time adding signatures for harmless tests, just so some noob can feel safe or boast that his AV passes a certain test.
Which seems to be your argument.
The time spent doing this can be spent more productively.
kareldjag
September 24th, 2005, 10:37 AM
Hi,
The first goal of this trojan demonstrator tool is to show that data can be stolen.
Then blocking the executable or internet access is not the most interesting.
It would be more interesting if the SPY.txt is empty for instance.
I don't think that an arsenal is required against this test: Windows file permission or free tools like Trust-no-Exe can easily prevent such attack tools (see image).
I totally agree with Poll2 about AVs.
TrojanDemo has been available for months and months, has been discussed earlier in this forum ( http://www.wilderssecurity.com/showthread.php?t=77696 ), and it's only this autumn that scanner actors and partisans are interested in it...
Does it mean that scanners often come too late?
If this test tool is in the scanners' signature databases, it's good news.
Unfortunately, there are some trojans which use more advanced methods (API hooking in the browser, Man-in-the-Middle etc), and these trojans are not detected by any scanner (AT or AV).
That's bad news.
Such trojans are really dangerous (can steal any data, like bank account IDs for instance) and are not proof-of-concept/demonstration tools, as a scandal in Israel showed: http://www.pcworld.com/news/article/0,aid,121081,00.asp
(...)
For anyone who could be interested, I attached the process requests made at the beginning of the trojan demo test.
Regards
kareldjag
September 24th, 2005, 10:38 AM
Trust-no-exe automatically blocks unknown executables:
Brian N
September 24th, 2005, 02:23 PM
-{ Quote: "Are we talking about the issue of real protection or public relations among noobs? I personally care about real protection, rather than image." }-
'Noobs' as you call them, buy security software too :) And I wouldn't be surprised if they were responsible for 95% of the profit for each company.
If every Internet user was an expert in security, some companies would never be as big as they are today.
So, if these non-standard tests are detected, it will strengthen the trust in the company, meaning: 'standard' people talk about it = 'standard' people buy it.
This does not include 'security oriented persons' because they simply know better, and have probably already tested numerous security software..
I could be wrong though, I'm just telling my view on this ;)
Rmus
September 24th, 2005, 02:56 PM
-{ Quote: "Hi,
The first goal of this trojan demonstrator tool is to show that data can be stolen.
Then blocking the executable or internet access is not the most interesting.
Regards" }-
Greetings, kareldjag from this side of the Atlantic!
Well, blocking may not be the most interesting, but it is the most effective.
What a trojan does -- listing all of the files it loads, viewing the process requests -- this may be very interesting to some, but of no real importance to those who are just interested in protecting the system from attacks.
This demo is like firewall leaktests and even the feared rootkits (which are also just trojans) - they all have to install before they can execute anything.
So, blocking from installing should be of great interest!
regards,
-rich
________________
~~Be ALERT!!! ~~
Chris12923
September 24th, 2005, 03:08 PM
Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install. This is where you need an app that tells you what it's really doing. I mean you can block every new .exe but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?
Thanks,
Chris
toploader
September 24th, 2005, 03:10 PM
-{ Quote: "Trust-no-exe block automatically unknown executable:" }-
Hi Kareldjag - as I understand it Trust-no-exe will allow any exe to run if it comes from your allow list - e.g. windows directory, program files directory etc etc - so if the trojan.exe installed itself in one of the trusted directories presumably it would run and Trust-no-exe would not stop it?
toploader
September 24th, 2005, 03:14 PM
-{ Quote: "Greetings, kareldjag from this side of the Atlantic!
Well, blocking may not be the most interesting, but it is the most effective.
What a trojan does -- listing all of the files it loads, viewing the process requests -- this may be very interesting to some, but of no real importance to those who are just interested in protecting the system from attacks.
This demo is like firewall leaktests and even the feared rootkits (which are also just trojans) - they all have to install before they can execute anything.
So, blocking from installing should be of great interest!
regards,
-rich
" }-
Hi Rich - may I ask what HIPS program you are using to test this sim trojan? (the one with beware of the dog)
TNT
September 24th, 2005, 03:18 PM
-{ Quote: "Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install. This is where you need an app that tells you what it's really doing. I mean you can block every new .exe but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?" }-
I don't think people should download and run whatever they see on the Internet or get by mail. The Internet is not a trusted place; you should only download software from trusted sources, and possibly check the GPG/PGP signature or the MD5/SHA-1/SHA-256 checksum if they provide it. "Downloading and running a free little desktop game I saw" is not an option; it shouldn't be done, period. If you're suspicious about a software you want to run (and that does NOT mean "you want to run a suspicious software") you can test what it does on the filesystem by running something like sandboxie (http://www.sandboxie.com), both during installation and during the execution; that adds a little extra knowledge about the software's behaviour, but it's not perfect as it's not continuous monitoring. In my opinion, if you think you need continuous monitoring on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.
bigc73542
September 24th, 2005, 03:22 PM
ProcessGuard does alert to the trojan demo.
Rmus
September 24th, 2005, 04:01 PM
-{ Quote: "Hi Rich - may I ask what HIPS program you are using to test this sim trojan? (the one with beware of the dog)" }-
Greetings, Toploader, it's Anti-Executable from Faronics. It's not a HIPS program (as I understand the definition) - only anti-execution protection.
I meant to ask kareldjag about "Trust-no-exe" which he showed also blocked the trojan - whether it blocked the downloading, or it downloaded and was blocked from running.
regards,
-rich
________________
~~Be ALERT!!! ~~
Rmus
September 24th, 2005, 04:13 PM
-{ Quote: "Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install." }-
Hi Chris,
I wish I had a formula answer for that, but I just depend on my own judgment in each case.
-{ Quote: "This is where you need an app that tells you what it's really doing. I mean you can block every new .exe but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?" }-
I keep the install.exe/Zip file of every program I've downloaded - most of which I just try out and later discard. My current Zip folder has 247 programs - about 3 years worth. Recently, I previewed 4 music writing programs. I've never felt insecure about the sites I download from, nor from websites of people who develop freeware, probably because I've read about the site/person and feel confident that it is a secure site and/or trusted person.
regards,
-rich
________________
~~Be ALERT!!! ~~
toploader
September 24th, 2005, 04:27 PM
Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?
It seems to be marketed to major organisations; the price calculator does not offer a home version.
toploader
September 24th, 2005, 04:31 PM
-{ Quote: " I meant to ask kareldjag about "Trust-no-exe" which he showed also blocked the trojan - whether it blocked the downloading, or it downloaded and was blocked from running. " }-
My limited understanding indicates that it stops execution (if executing from an unauthorised directory); I don't think it would stop downloading?
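The point toploader raises about Trust-no-Exe's directory-based allow list, shown side by side with a content-based (hash) allow list, as an added example that is not from the thread or from Trust-no-Exe: two constructed text files stand in for a known-good tool and an unknown download, and a temp folder stands in for "Program Files". Both policy functions are hypothetical illustrations, not any product's logic.

```powershell
# Added example, not from the thread or from any product named in it: a location-based
# allow decision next to a hash-based one, run over two constructed files.
# Assumptions: a temp folder stands in for an allowed directory; the "executables" are
# plain text files so the script runs safely anywhere.

$lab        = Join-Path $env:TEMP ('trustlab_' + [guid]::NewGuid().ToString('N'))
$trustedDir = Join-Path $lab 'ProgramFiles'   # stand-in for a directory on the allow list
$inboxDir   = Join-Path $lab 'Downloads'      # stand-in for where a download lands
New-Item -ItemType Directory -Path $trustedDir, $inboxDir | Out-Null

# Constructed stand-ins: a vetted tool and an unknown download (both just text).
$goodTool = Join-Path $trustedDir 'notepad.exe'
$unknown  = Join-Path $inboxDir   'TrojDemo.exe'
Set-Content -Path $goodTool -Value 'constructed known-good file' -NoNewline
Set-Content -Path $unknown  -Value 'constructed unknown file'    -NoNewline

# Policy 1: trust by location, the model toploader describes for Trust-no-Exe.
function Test-PathAllow {
    param([string]$Path, [string[]]$TrustedDirs)
    $full = [System.IO.Path]::GetFullPath($Path)
    foreach ($dir in $TrustedDirs) {
        $root = [System.IO.Path]::GetFullPath($dir).TrimEnd('\') + '\'
        if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Policy 2: trust by content, an allow list of SHA-256 hashes of files the
# administrator has vetted (here only the known-good tool).
function Test-HashAllow {
    param([string]$Path, [string[]]$AllowedSha256)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return [bool]($AllowedSha256 -contains $hash)
}
$allowList = @((Get-FileHash -Path $goodTool -Algorithm SHA256).Hash)

function Show-Decision {
    param([string]$Label, [string]$Path)
    $byPath = Test-PathAllow -Path $Path -TrustedDirs @($trustedDir)
    $byHash = Test-HashAllow -Path $Path -AllowedSha256 $allowList
    '{0,-34} path-policy: {1,-5} hash-policy: {2}' -f $Label, $byPath, $byHash
}

Show-Decision 'known-good tool in trusted dir' $goodTool   # allowed by both
Show-Decision 'unknown download in Downloads'  $unknown    # refused by both

# The case toploader asks about: the same unknown file once it sits in a trusted
# directory. The location policy now allows it; the content policy still does not.
$moved = Join-Path $trustedDir 'TrojDemo.exe'
Copy-Item -Path $unknown -Destination $moved
Show-Decision 'unknown download in trusted dir' $moved

# And the converse: a vetted tool run from an unusual place is still allowed by hash.
$goodCopy = Join-Path $inboxDir 'notepad.exe'
Copy-Item -Path $goodTool -Destination $goodCopy
Show-Decision 'known-good tool in Downloads'   $goodCopy

Remove-Item -Path $lab -Recurse -Force
```

The third line of output is the answer to toploader's question: a policy keyed on location decides on where a file sits, so the useful check is who may write into the trusted directories, which is exactly the file-permission point kareldjag makes earlier in the thread.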
Chris12923
September 24th, 2005, 04:32 PM
-{ Quote: "I don't think people should download and run whatever they see on the Internet or get by mail. The Internet is not a trusted place; you should only download software from trusted sources, and possibly check the GPG/PGP signature or the MD5/SHA-1/SHA-256 checksum if they provide it. "Downloading and running a free little desktop game I saw" is not an option; it shouldn't be done, period. If you're suspicious about a software you want to run (and that does NOT mean "you want to run a suspicious software") you can test what it does on the filesystem by running something like sandboxie (http://www.sandboxie.com), both during installation and during the execution; that adds a little extra knowledge about the software's behaviour, but it's not perfect as it's not continuous monitoring. In my opinion, if you think you need continuous monitoring on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place." }-
So based on what you're saying we don't even need security software besides maybe a firewall, since no one should download anything that they think might be suspicious? I doubt this is likely to happen, and besides that there is some very well known software that can be infected. This story is old but you get the point http://www.sophos.com/virusinfo/articles/nimda_korea.html. Maybe 1 out of 100,000 users (if that) will preview their documents with sandboxie type software. That is why we need additional software.
Thanks,
Chris
TNT
September 24th, 2005, 04:37 PM
-{ Quote: "Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?
It seems to be marketed to major organisations; the price calculator does not offer a home version." }-
There is a home version for 29 dollars. http://www.faronics.com/html/orderFS.asp
That said, I like Process Guard much better. It looks to me like Anti-Executable is more suited for something like Internet Cafes (associated with Deep Freeze) than a home user; it is MUCH more restrictive than Process Guard: it won't ask you if you want to run a new application: you won't run it, period. If I'm not mistaken you'll have to rebuild the whole "allowed applications" database if you want to execute the new application.
toploader
September 24th, 2005, 04:46 PM
-{ Quote: "There is a home version for 29 dollars. http://www.faronics.com/html/orderFS.asp
That said, I like Process Guard much better. It looks to me like Anti-Executable is more suited for something like Internet Cafes (associated with Deep Freeze) than a home user; it is MUCH more restrictive than Process Guard: it won't ask you if you want to run a new application: you won't run it, period. If I'm not mistaken you'll have to rebuild the whole "allowed applications" database if you want to execute the new application." }-
Thanks TNT - some of the user reviews on download.com state there are a number of restrictions in the free version of PG that effectively make it demoware; is that true? (see below)
*********************************************************
This is NOT free. It is a max "50 attacks max protection" after = defense less
11-Jun-2005 12:27:24 AM
Reviewer: gonebythebay
Pros: Hard to say what the pros might be, as only 5 minutes into surfing a message came up saying this will only protect against 50 intrusions, and to cough up the money if I want unlimited protection.
Hey, this might be good, but no chance to trial it. (Unless you want to compromise your security)
Cons: -Do you think an attacker is going to stop and say, "ooh, I'm sorry, I'll stop trying to get into your system, as I am feeling generous and pull back from my 30 rounds this minute while you are trialing your software."
(I have in the past used software which indicates the "attempt patterns" of hackers. Some of them just fire off a succession of intrusion attempts)
-Software is NOT FREE - but a 50 attack limited version. WHICH WILL ABSOLUTELY COMPROMISE YOUR SYSTEM IN THE TIME IT TAKES YOU TO REALISE THIS, DISCONNECT THE MODEM, AND THEN PUT UP SOMETHING IN ITS PLACE. - So I just turned it off.
-As I said this may be good, but I don't know, and would not advise trialing, but to buy if you want to try it.
*********************************************************
A must have security tool
07-Aug-2005 10:10:43 AM
Reviewer: darui_br
Pros: It's an incredible tool for all Windows users! Protects from unauthorized applications running without your knowledge - Astalavista spywares (-:
Cons: Supports only 256 applications. But I think in the next version this problem will be corrected.
*********************************************************
TNT
September 24th, 2005, 04:53 PM
-{ Quote: "So based on what you're saying we don't even need security software besides maybe a firewall, since no one should download anything that they think might be suspicious? I doubt this is likely to happen, and besides that there is some very well known software that can be infected." }-
(a) for well known software, it's unlikely that it would happen without the problem being pointed out very soon, and (b) digital signatures like PGP and file checksums like SHA-1 and the like prevent it, and personally I always check those if they are available (it's theoretically possible to overcome them by cracking many mirror sites, replacing the signatures, building fake public keys, etc... but in the real world that would be so extremely hard that malware distributors just wouldn't be able to).
Anybody has their own view on how much 'trust' you can put in a software; I'm not saying you should only run what you KNOW FOR SURE WITHOUT ANY POSSIBLE DOUBT WHATSOEVER to be 100% safe, 'cause that's simply not possible. What I'm saying is that users should always be very careful, not sloppy, about the software they get. That's all.
Rmus
September 24th, 2005, 04:54 PM
-{ Quote: "Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?" }-
No, PG does more things than AE. I see that the posts above have explained it pretty well.
regards,
-rich
________________
~~Be ALERT!!! ~~
toploader
September 24th, 2005, 05:07 PM
Hi Rich - the reason I asked is that the free version seems to be very restricted (see above post to TNT)
Rmus
September 24th, 2005, 05:14 PM
-{ Quote: "Hi Rich - the reason I asked is that the free version seems to be very restricted (see above post to TNT)" }-
AE is anti-execution prevention only. See here:
http://www.faronics.com/html/AntiExec.asp
http://www.diamondcs.com.au/processguard/index.php?page=download
regards,
-rich
________________
~~Be ALERT!!! ~~
Chris12923
September 24th, 2005, 07:40 PM
Also another good execution prevention app is EXE Lockdown http://www.horizondatasys.com/product_page.html?page_id=4 and I'm not sure if you have to rebuild the database on Anti-Executable, but with EXE Lockdown you can easily add apps to the whitelist.
Thanks,
Chris
Rmus
September 24th, 2005, 10:03 PM
-{ Quote: "I'm not sure if you have to rebuild the database on Anti-Executable" }-
When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist).
regards,
-rich
________________
~~Be ALERT!!! ~~
TNT
September 24th, 2005, 10:27 PM
-{ Quote: "When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist)." }-Thanks for clarifying. :) I wasn't sure you had to rebuild the whole db; you don't have to reboot (like in Deep Freeze) right?
Rmus
September 24th, 2005, 11:22 PM
-{ Quote: "Thanks for clarifying. :) I wasn't sure you had to rebuild the whole db; you don't have to reboot (like in Deep Freeze) right?" }-No rebooting necessary with AE to add to the database.
regards,
-rich
________________
~~Be ALERT!!! ~~
Rmus
September 25th, 2005, 12:22 AM
-{ Quote: "Also another good execution prevention app is EXE Lockdown http://www.horizondatasys.com/product_page.html?page_id=4 and I'm not sure if you have to rebuild the database on Anti-Executable, but with EXE Lockdown you can easily add apps to the whitelist.
Thanks,
Chris" }-This is the old Exe Vaccine program, one of several *vaccine products. Very impressive product. It works a little differently than Anti-Executable. Both let you easily add to the whitelist.
Again, these are not "HIPS" products, since they provide just anti-execution prevention, but are useful in certain situations and setups.
For purposes of these trojan tests that seem to be appearing as of late, these types of anti-execution protection prevent the demo.exe from running, so if you want to test your system, you have to disable the anti-exe program.
As such, those who don't run other AV/AT that detect/block the demo from running are said to flunk the test because the spy.txt file the demo creates contains information about your system. This in view of the fact that a properly configured firewall blocks the demo from sending out that information to their web site, as I demonstrated.
Spy1's comment in the earlier "TrojDemo.exe" thread referenced by kareldjag is food for thought:
--------------------------------------------
IMO, no "vulnerability test" where one has to purposely and knowingly DROP a defense or "Allow" something that one wouldn't normally allow is valid - period. Because it's not a "real environment" test.
---------------------------------------------
regards,
-rich
________________
~~Be ALERT!!! ~~
Chris12923
September 25th, 2005, 12:27 AM
-{ Quote: "When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist).
regards,
-rich
________________
~~Be ALERT!!! ~~" }-
Doesn't this mean you are dropping a defense? If you thought the program you were installing was a trusted app and you were unaware that the program was actually a trojan?
Thanks,
Chris
Rmus
September 25th, 2005, 12:38 AM
-{ Quote: "Doesn't this mean you are dropping a defense? If you thought the program you were installing was a trusted app and you were unaware that the program was actually a trojan?
Thanks,
Chris" }-The "dropping a defense" comment by Spy1 was in reference to running a trojan test, where you have to permit the demo.exe file to run.
But your point is well taken with reference to the real world, where you have to permit a program to install - yes, you drop your defense.
As far as being unaware that a program was actually a trojan, I can only speak for myself that it's never happened and I don't worry about it. I'm just careful, as I indicated in a previous post.
regards,
-rich
________________
~~Be ALERT!!! ~~
poll2
September 25th, 2005, 04:34 AM
-{ Quote: "'Noobs' as you call them, buy security software too :) And I wouldn't be surprised if they were responsible for 95% of the profit for each company.
If every Internet user was an expert in security, some companies would never be as big as they are today.
So, if these non-standard tests are detected, it will strengthen the trust in the company, meaning: 'standard' people talk about it = 'standard' people buy it." }-
'Standard' people don't hang out here. 'Standard' people don't randomly run trojan tests they see. Anyone who is curious enough to do this by definition doesn't fall into the 'standard' people group.
And these people should at least take the time to understand what they are doing; sadly, if this thread and past posts on this forum are any evidence at all, they don't.
And if you do fall into the knowledgeable group, your duty is to explain what is going on to the less knowledgeable instead of going with the crowd, just to 'strengthen trust'.
As I wrote before, do you want antivirus vendors to spend time on something that provides real protection or do you want them to waste time on useless stuff? Do you want illusionary protection just to pass tests and fool the gullible and the naive?
Sure, the noobs don't get it, but that's what the so called "Experts" are here for. Pandering to the crowd is the last thing anyone should do.
-{ Quote: "
This does not include 'security oriented persons' because they simply know better, and has probably already tested numerous security software..
" }-
I'm not sure whether they know better. There's a group of people who just run tests, run software without any understanding, their aim is just to say they pass the test. The 'feel good' factor.
-{ Quote: "
I could be wrong though, I'm just telling my view on this ;)" }-
Of course, by invoking "it's just my view on it" defense you can't be wrong.
But it seems you don't have any good argument to support why antiviruses should detect every harmless test that people come up with.
poll2
September 25th, 2005, 04:45 AM
-{ Quote: " In my opinion, if you think you need continuous monitoring on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place." }-
This might be slightly overstating it.
In my opinion, if you think you need virus or trojan scanning on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.
What's the difference between this argument and the one you are making? The only difference is the method used.
frenchfries
September 25th, 2005, 07:24 AM
Using a simple execution blocker, which does nothing more than alert you if you execute an (unknown) application, is a bit ridiculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information...
That is a bit like always driving with a speed limiter, instead of driving at the allowed speed by yourself. I don't see any real benefit in it...
Thorough system firewalls (with injection blocking etc.), AV programs, network firewalls etc. are a whole different story, as they can give you something that you can't get that easily by yourself.
TNT
September 25th, 2005, 03:19 PM
-{ Quote: "Using a simple execution blocker, which does nothing more than alert you if you execute an (unknown) application, is a bit ridiculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information..." }-I don't know what application you're talking about, because Process Guard certainly doesn't do this.
burgers
September 25th, 2005, 04:13 PM
-{ Quote: "I don't know what application you're talking about, because Process Guard certainly doesn't do this." }-
Sure it does. It's one among several functions though.
Of course all these exe blockers might become useful if, say, you are surfing along happily and some guy hits you with some exploit that is totally new, causing the download and, more importantly, the execution of this new process.
Those exe blockers will then pounce!
TNT
September 25th, 2005, 05:17 PM
-{ Quote: "Sure it does. It's one among several functions though." }-Yes, I know (I use it). :) What I meant is that if it only worked like that, it sure wouldn't have been very useful (and sure I wouldn't have used it).
burgers
September 26th, 2005, 06:33 AM
-{ Quote: "Yes, I know (I use it). :) What I meant is that if it only worked like that, it sure wouldn't have been very useful (and sure I wouldn't have used it)." }-
Of course, there's a whitelist and learning modes. But otherwise I don't know why you object to that description...
TNT
September 26th, 2005, 03:06 PM
-{ Quote: "Of course, there's a whitelist and learning modes. But otherwise I don't know why you object to that description..." }-That's right... there's a whitelist and learning modes... and it recognizes the hashes of the executables so you can choose to be prompted again only if they change; this alone (not including the many various other features, i.e. protecting applications from reading/termination, protecting physical memory, blocking global hooks, etc.) means it's TOTALLY different from a silly "are you sure" prompt.
kareldjag
September 26th, 2005, 04:36 PM
Hi,
*Rmus, just to cross over the Atlantic again to clarify my point of view ;) .
I'm not discussing real trojan protection: in this case, a whitelist protection (like AntiMalware, Anti-Executable etc.) is certainly one of the most effective to deploy.
The subject is TrojanDemo.
This file is a test demonstration tool.
It's not a leaktest because it was not designed to bypass a firewall (by dll injection etc).
A test/proof-of-concept/malware demonstration tool is intended to illustrate "in vivo" some features, abilities, theories, exploits, methods and so on.
In our case, TrojanDemo demonstrates how some data can be stolen or exfiltrated from an user local host to the Trustware remote server.
Therefore, since this is a test tool, it's nonsense to block the .exe!
If I want to audit my firewall with a leaktest like Ghost, should I block the executable?
-By blocking the .exe, the user just demonstrates the efficiency of his execution protection (HIPS etc);
-by blocking connections attempts with the firewall, the user just demonstrates the well functioning of his firewall.
Nothing else.
The primary interest of TrojanDemo is its ability to record the user's documents, to create a SPY.TXT file and to report the document to Trustware servers.
Then a result like this one http://idata.over-blog.com/0/03/91/26/abtrupro/softclan/softclan4/vstrojandemo250.jpg
is much more interesting for me.
But as usual, to each user his own point of view.
But I'm not sure that this "marketing" tool (marketing like Regtest, KeyHook etc.) could be as effective as a real malware/attack.
For data theft, the most effective methods are SQL injection (on MS SQL servers), XSS/cross-site scripting, Java exploits, or a man-in-the-middle: no AV/AT/HIPS listed on this forum will be able to detect such attacks.
*TopLoader, Trust-no-exe (the same product as Exe-Vaccine without password protection) is an executable filter: so if the user keeps the default rules (white/access list for the Windows and Program Files folders), and if TrojanDemo is run from one of these folders, the executable won't be blocked.
Since it is an .exe filter, the rules must be composed of .exe files, and not of folders (logically)!
Regards
Rmus
September 26th, 2005, 05:46 PM
-{ Quote: "Hi,
*Rmus, just to cross over the Atlantic again to clarify my point of view ;)
The subject is TrojanDemo.
This file is a test demonstration tool.
Therefore, since this is a test tool, it's nonsense to block the .exe!" }-Hi kareldjag,
Point conceded!
-{ Quote: ""The primary interest of TrojanDemo is its ability to record the user's documents, to create a SPY.TXT file and to report the document to Trustware servers."" }-Does it count that when I allowed the test to run, my firewall blocked the outbound attempt to send the document to Trustware servers? :D
Hope your trip to Spain was lots of fun.
regards,
-rich
Brian N
September 30th, 2005, 03:28 PM
-{ Quote: "'Standard' people don't hang out here. 'Standard' people don't randomly run trojan tests they see. Anyone who is curious enough to do this by definition doesn't fall into the 'standard' people group." }-
Yes they do, believe it or not.
-{ Quote: "And these people should at least take the time to understand what they are doing; sadly, if this thread and past posts on this forum are any evidence at all, they don't. As I wrote before, do you want antivirus vendors to spend time on something that provides real protection or do you want them to waste time on useless stuff? Do you want illusionary protection just to pass tests and fool the gullible and the naive?" }-
Sadly not all of them do, but they do run these tests to see if their security programs can catch it.
These 2 'useless' tests take 10 minutes tops to analyze.
-{ Quote: "Sure, the noobs don't get it, but that's what the so called "Experts" are here for. Pandering to the crowd is the last thing anyone should do." }-
You're the one calling people noobs, so you tell me?
-{ Quote: "I'm not sure whether they know better. There's a group of people who just run tests, run software without any understanding, their aim is just to say they pass the test. The 'feel good' factor." }-
Experts know better, yes, because they should analyze the files themselves before scanning them with an AV.
-{ Quote: "Of course, by invoking "it's just my view on it" defense you can't be wrong.
But it seems you don't have any good argument to support why antiviruses should detect every harmless test that people come up with." }-
No, it's simply my view on this. If you can't respect that, so be it - I think it bothers you more than it does me.
Pollmaster
October 1st, 2005, 06:51 AM
-{ Quote: "Yes they do, believe it or not.
Sadly not all of them do, but they do run these tests to see if their security programs can catch it.
These 2 'useless' tests take 10 minutes tops to analyze.
" }-
I expect less time actually. That's why it's so useless.
But 10 minutes can be the difference between someone getting infected by something that should have been analysed instead of time spent on harmless stuff.
-{ Quote: "
No, it's simply my view on this. If you can't respect that, so be it - I think it bothers you more than it does me." }-
Sure you can have any view you want. Even a wrong one. That doesn't bother me the least. And as I predicted, you don't have any good reasons to support your view.
Brian N
October 1st, 2005, 08:13 PM
-{ Quote: "But 10 minutes can be the difference between someone getting infected by something that should have being analysed instead of time spent on harmless stuff." }-
Oh, you're one of them who wants an update every second. Well good luck with that...
Pollmaster
October 2nd, 2005, 01:48 AM
-{ Quote: "Oh, you're one of them who wants an update every second. Well good luck with that..." }-
Someone needs a lesson on logic badly.
MichelB
October 5th, 2005, 12:56 AM
-{ Quote: "Using a simple execution blocker, which does nothing more than alert you if you execute an (unknown) application, is a bit ridiculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information...
That is a bit like always driving with a speed limiter, instead of driving at the allowed speed by yourself. I don't see any real benefit in it..." }-
To me, that implies no knowledge of the program or security. I've only been using it for a couple of weeks, and it's GREAT. Want an example? ok ;-)
What happens when you execute game.exe and it is a self-extractor or a trojan dropper? It puts svch0st.exe (trojan) and game.exe in the TEMP folder and runs both. Without an EXE protector you wouldn't know crap. Your game.exe is running and away you go.. have fun ;-)
Task Manager just shows game.exe running, maybe you miss the svch0st.exe. Or svch0st.exe is named svchost.exe so you can't kill it in Task Manager, that's even if you can guess which one was the bad one. Task Manager doesn't even show me the path of the file.
Even better? svchost.exe is a DLL injector trojan and is now inside a trusted process? Even PG free blocks that. What if svchost.exe was a rootkit? Well you could just buy PG like me ;D but the free version or any exe blocker told you it had put those files in the temp folder and run them.
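As an added example (not code from this thread, nor from Process Guard, Anti-Executable or any other product named here), the following Python model implements the hash-keyed whitelist with a learning mode that TNT and Rmus describe above, and runs it through MichelB's game.exe / svch0st.exe dropper scenario using constructed files in a temporary directory; the TEMP-folder and look-alike-name hints are assumed heuristics added for illustration.

```python
"""Added example: hash-keyed execution whitelist with a learning mode."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path

# Windows process names droppers like to imitate (small constructed list), and
# digits commonly swapped for look-alike letters (svch0st -> svchost).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Decision:
    path: str
    verdict: Verdict
    prompted: bool      # True when the user had to answer "block or allow?"
    reason: str
    indicators: list = field(default_factory=list)


def sha256_of(path):
    """Content hash used as the whitelist key, so a replaced binary is noticed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_indicators(path, temp_dir):
    """Hints shown with a prompt (assumed heuristics, not any product's logic)."""
    folder, name = os.path.dirname(path), os.path.basename(path).lower()
    hints = []
    if os.path.normcase(folder) == os.path.normcase(os.path.abspath(temp_dir)):
        hints.append("runs from the TEMP folder")
    lookalike = name.translate(CONFUSABLES)
    if name not in SYSTEM_NAMES and lookalike in SYSTEM_NAMES:
        hints.append(f"name imitates {lookalike}")
    return hints


class ExecPolicy:
    """Anti-executable policy: a known hash runs silently, anything else prompts."""

    def __init__(self, temp_dir):
        self.whitelist = {}          # absolute path -> sha256 at whitelisting time
        self.enforcing = True
        self.temp_dir = temp_dir

    def disable(self):               # "turn off AE to install a program"
        self.enforcing = False

    def enable(self):                # "turn AE back on"
        self.enforcing = True

    def check(self, path, answer_allow=False):
        path = os.path.abspath(path)
        digest = sha256_of(path)
        hints = name_indicators(path, self.temp_dir)
        if not self.enforcing:       # learning mode: auto-add whatever runs
            self.whitelist[path] = digest
            return Decision(path, Verdict.ALLOW, False, "learned while disabled", hints)
        known = self.whitelist.get(path)
        if known == digest:
            return Decision(path, Verdict.ALLOW, False, "whitelisted, hash unchanged", hints)
        reason = "hash changed since whitelisting" if known else "unknown executable"
        if answer_allow:             # the user's Allow records the new hash
            self.whitelist[path] = digest
        verdict = Verdict.ALLOW if answer_allow else Verdict.BLOCK
        return Decision(path, verdict, True, reason, hints)


def dropper_scenario():
    """Re-creates the game.exe / svch0st.exe story with constructed files."""
    def write(folder, name, data):
        target = Path(folder, name)
        target.write_bytes(data)
        return str(target)

    with tempfile.TemporaryDirectory(prefix="antiexec_demo_") as root:
        temp_dir = os.path.join(root, "TEMP")
        os.makedirs(temp_dir)
        game = write(root, "game.exe", b"MZ game v1")      # constructed stand-in
        policy = ExecPolicy(temp_dir)
        policy.disable()                  # install-time learning of the trusted binary
        policy.check(game)
        policy.enable()
        log = [policy.check(game)]        # known and unchanged: allowed without a prompt
        # game.exe "extracts" a copy of itself plus a trojan into TEMP and runs both.
        log.append(policy.check(write(temp_dir, "game.exe", b"MZ game v1")))
        log.append(policy.check(write(temp_dir, "svch0st.exe", b"MZ trojan payload")))
        write(root, "game.exe", b"MZ game v2")   # the trusted binary is later replaced
        log.append(policy.check(game))    # same path, new hash: prompted again
        return log
```

Calling `dropper_scenario()` returns one `Decision` per execution attempt: the original game.exe is allowed silently, both files dropped into TEMP prompt as unknown (the trojan also carries the look-alike-name hint), and the replaced game.exe prompts again because its hash no longer matches the whitelist entry.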
Concerned
October 15th, 2005, 05:06 PM
I tried the disable antivirus test. ProcessGuard asked if I wanted to block it. To test, I let it run and it did disable Norton Antivirus. Where does that leave me?
Rivalen
December 3rd, 2005, 02:19 AM
Couldn't help myself.
Bufferzone test: All downloaded and run from within the DW Sandbox.
AntivirusDisable.exe: ProcessGuard alerted - permit - nothing happened - is that a passed test?
TrojanDemo1test: PG alerted - permit - PG alerted for something else - permit -
calculator starts in DW box - window confirms test fails - OP component control at the same instant warns that trojdemo "one or more components are changed", do you want to allow? So I suppose it's a passed test.
After that I pressed the button for the third test several times - nothing happened.
How do I get rid of these exe-files - just delete them?
Best Regards
hypersteroid2ooo
December 18th, 2005, 06:38 AM
Hi everyone. Probably after I post this message I will get busted by many of the security products' fans.
Initially, a couple of months ago, I tested all the security products: firewalls, antiviruses, and the hardest one, anti-trojans.
There are three trojan sites that I used. Before I tested these security products I deliberately opened myself up, barely without any security system.
backdoor trojan ~snip~ only a couple of firewall products pass and report an outgoing activity: Kerio, Zone, Look (perfect), VisNetic, Outpost (perfect). The remaining products like Sygate are only a hoax commercial program, whereas Tiny is completely tiny and unable to perform a big job correctly.
downloader: ~Edit: Links removed to conform to TOS.
Please do not post links to trojans, virus or other malware....Bubba~ """spy sherif infection""" on your desktop will appear a file, i.e. ibm
These are the hardest tests; the only AV products that pass the test are Kaspersky and NOD32 (it even detects the tracking cookies file).
From the AT products, Trojan Hunter is being hunted by the acute spy detective file. Only a-squared can detect and remove a part of the trojan files. I haven't completed the test so this is all I can say.
snowbound
December 18th, 2005, 06:44 AM
hypersteroid2ooo,
Please do not link to possible malware sites here. It is a TOS violation.
snowbound
bellgamin
December 18th, 2005, 01:47 PM
I looked but couldn't find where anyone who uses DrWeb tried this test, so I did. DrWeb blocked the download quicker than the blink of an eye. ZZZZZZZZap!!!
Bubba
December 18th, 2005, 06:41 PM
@ StevieO,
Your post was removed given the fact you posted the same links commented to above by Snowbound concerning TOS violation.
It matters not that you made the links unclickable.
Firefighter
December 19th, 2005, 01:39 PM
-{ Quote: "These are the hardest tests; the only AV products that pass the test are Kaspersky and NOD32 (it even detects the tracking cookies file)." }- ??? ??? ???
-{ Quote: "I looked but couldn't find where anyone who uses DrWeb tried this test, so I did. DrWeb blocked the download quicker than the blink of an eye. ZZZZZZZZap!!!" }-Cool! 8)
::) ::) ::)
Best regards,
Firefighter!
EASTER.2010
February 25th, 2006, 01:52 AM
This is another trojan test of sorts. If this has already been mentioned I apologize for the redundancy. Like you, I fancy putting these types of tests up against our current setups.
http://www.morgud.com/interests/security/dfk-threat-simulator.asp
muf
February 25th, 2006, 08:42 AM
Very interesting read. Thanks.
It appears it would try to disable three of my resident security apps. There are still a few I use that are not in its list. Still, it's pretty scary.
muf
TNT
February 25th, 2006, 08:53 AM
-{ Quote: "Very interesting read. Thanks.
It appears it would try to disable three of my resident security apps. There are still a few I use that are not in its list. Still, it's pretty scary.
muf" }-Yes, the morgud test is quite scary, BUT executing it in something like Sandboxie shows that it basically can't do MUCH when it's sandboxed; when I execute it in Sandboxie + Process Guard full is active + Core Force is active (and set up properly), it basically can't do anything at all and can be flushed without any problems. :)
StevieO
February 25th, 2006, 10:39 AM
Hi,
This is a very good and comprehensive test, the likes of which i've rarely seen anywhere ! We had a full shake down of this test before though, and you can see the results etc in this thread.
New security test: DFK Threat Simulator (DFKTS)
http://www.wilderssecurity.com/showthread.php?t=103492
I think that you will find it very interesting as i did.
StevieO
Devil's Advocate
February 25th, 2006, 11:49 AM
-{ Quote: "Yes, the morgud test is quite scary, BUT executing it in something like Sandboxie shows that it basically can't do MUCH when it's sandboxed; when I execute it in Sandboxie + Process Guard full is active + Core Force is active (and set up properly), it basically can't do anything at all and can be flushed without any problems. :)" }-
Sandboxie+ PG full + Core Force?
Wow, talk about layers!! Very solid.
muf
February 25th, 2006, 12:59 PM
-{ Quote: "Hi,
This is a very good and comprehensive test, the likes of which i've rarely seen anywhere ! We had a full shake down of this test before though, and you can see the results etc in this thread.
New security test: DFK Threat Simulator (DFKTS)
http://www.wilderssecurity.com/showthread.php?t=103492
I think that you will find it very interesting as i did.
StevieO" }-
Thanks StevieO, You were of course bang on! It was very interesting.
muf
TNT
February 25th, 2006, 02:36 PM
-{ Quote: "Sandboxie+ PG full + Core Force?
Wow, talk about layers!! Very solid." }-Yes, and Deep Freeze. ;D
BrainWarp
February 26th, 2006, 10:46 AM
I tried this little test -- F-Prot and Ewido picked nothing up -- LNS firewall stopped it though. I d/l'd the demo of Process Guard and it stopped it right away so I might add this program to my computer. I will wait and see if it plays nice with everything else first. I wonder if RegDefend would stop something like this?
G1111
October 8th, 2006, 12:24 AM
Looks like the Morgud test has been updated:
http://www.morgud.com/interests/security/faceoff-2006.asp
xtype
October 8th, 2006, 01:40 AM
Just ran this test today and my computer failed. Currently running Kaspersky Antivirus, Spy Sweeper, Zonealarm, and BOClean. All were active and running and nothing warned me. Very concerning IMO. I really expected BOClean to catch something like this out of all three of the security products.
donsan
October 11th, 2006, 10:45 PM
I ran this program with KIS 6.0 and BOClean and I am embarrassed to say I failed big time. So I stopped BOClean and used Trojan Hunter; I still failed. This time I unloaded TH and used AVG Anti-Malware and still failed. For some odd reason that did not make me feel too well about all these programs to protect my computer.
StevieO
October 12th, 2006, 12:08 PM
@ donsan
BOClean does detect both these tests, and has detected the new one since 10/09/06. I tested it on mine, and I also asked the guy who knows when it was added into the defs, Kevin from BOClean!
So I don't know what's happening at your end, but it's not typical behavior for others? When was the last time you updated the defs, and have you also upgraded to version 4.22.002? If you have done both of these, then email support@nsclean with your story.
StevieO
donsan
October 12th, 2006, 01:48 PM
I do have the latest product from BOClean and if you read a few posts back someone else said that they also have BOClean and the program failed to work for them as well. Please don't misunderstand, I like BOClean very much, but for sure it did not stop the test with the latest version for me anyway; in fact Trojan Hunter and AVG didn't either.
Bubba
October 12th, 2006, 03:41 PM
-{ Quote: "Boclean does detect both these tests, and has detected the new one since 10/09/06. I tested it on mine" }-Hello StevieO,
When you say "tested it on mine"....what are you actually meaning....BOclean, operating system....etc :-\
Also....are you speaking of the DFK Threat Simulator v2 test when you mention "tested it on mine" ?
Bubba
StevieO
October 14th, 2006, 11:16 PM
@ donsan
What did support@nsclean say about it ?
@ Bubba
Hi,
I scanned all the files in DFK on demand with BOClean, and with both versions of DFK. That's how i was able to say "does detect - on mine" as i got the malware removal popup box from BOClean when doing so.
StevieO
Devil's Advocate
October 15th, 2006, 08:16 AM
I think whether BOclean or any other anti-virus or anti-trojan detects the morgud test by signatures eventually seems to be besides the point.
duke1959
October 17th, 2006, 10:00 AM
I'm using Comodo Firewall, and the (Kaspersky) AOL AVS AV, and failed. Would Cyberhawk pass this? Also someone posted that their Kerio Firewall blocked outgoing to pass this test; if that's correct, what version? CPF has passed all leak tests and Kaspersky is rated very high in Comparatives, but someone also said their NOD32 stopped this Trojdemo exe. I'm very curious about this Trojan Test, and posted about it in the Comodo Forums. Thanks for anyone's replies.
muf
October 17th, 2006, 03:47 PM
I tried this test. Prevx1 asked me to allow it or not. Of course I said no. Prevx stopped it. Test passed.
I then re-ran it and this time allowed the file to execute past Prevx. None of my other security apps stopped it.
My thoughts? Well Prevx is what I use to detect unknown or bad apps and alert me on them. In this case Prevx did what I want it to do, it stopped it. I presume that BOClean, KAV6 and Regrun don't alert because it's not a 'real' nasty. This is where a HIPS comes into its own. It's there to control what apps run or don't. Yes, HIPS sure are important.
muf
ErikAlbert
October 19th, 2006, 11:23 AM
-{ Quote: "My thoughts? Well Prevx is what I use to detect unknown or bad apps and alert me on them. In this case Prevx did what I want it to do, it stopped it. I presume that BOClean, KAV6 and Regrun don't alert because it's not a 'real' nasty. This is where a HIPS comes into it's own. It's there to control what apps run or don't. Yes, HIPS sure are important." }-
That's right. If you can stop the installation of malwares you have the very best solution.
If you can't stop the installation, you get two more serious problems :
1. you have to stop the possible execution of the malware until it's removed.
2. you have to remove the malware.
It's quite simple in theory, finding the right userfriendly security softwares to do the job properly is something else.
bellgamin
October 19th, 2006, 08:10 PM
-{ Quote: "Would Cyberhawk pass this?" }-Cyberhawk will pass this *specific* test now, I think. I ran the test program today (10/19/2006). CH didn't pop an alert until the bad stuff already had done a fair amount of raping & pillaging.
When CH did jump in, it requested all the files for upload to their analysts. I said yes. So I expect CH will fully do the job next time around.
I feel it significant to make note of the fact that CH jumped in because it detected malware-like behavior, and not simply because the process was not on a whitelist. Nevertheless, I was disappointed that CH didn't jump in faster.
Of course System Safety Monitor popped up several warnings right from the get-go -- BING! BING! BING! Ergo, to run the test I finally decided to just turn SSM off.
Shortly thereafter the little green spider in my system tray was dead (i.e., DrWeb got terminated). DrWeb gave no notice of any problems, but merely died without so much as a whimper. R.I.P. :-[
As to SSM -- yes, it gave me MORE than ample warnings. Again & again & again. However, I would expect any adequate HIPS programs to ask me if I want to "allow" any hitherto unknown processes.
To be honest I would be likely to say "allow" in situations where I myself downloaded the executable(s) from a trusted site of origin -- unless, of course, I already knew the download to be a test of my security.
If my HIPS BLOCKS the bad stuff & makes it bloody difficult for me to override its judgment, THAT is a "pass." However, if my HIPS asks me "block or allow?" & I say "block" then the one who passed the test was me, more so than my HIPS.
This test has convinced me of two things (at least)...
#1- Although I looove my SSM, I need a behavior blocker that will save me when I make baaaad judgment calls. I'm hoping that Cyberhawk will evolve to better fit that role. It came close to doing that this time -- but "close only counts in horseshoes."
#2- In the final analysis the only *fail-safe* to counteract dumb decisions &/or laziness on my part is restoring a pre-stupidity image. IMO, anyone who doesn't have this sort of fail-safe is a lot braver than me.:o
dja2k
October 20th, 2006, 12:42 AM
Boclean at my end doesn't stop this test either. Actually nothing I am running stopped them. :'(
dja2k
aigle
October 20th, 2006, 01:42 AM
I don't think that if any scanner detects this test by signatures then you should feel safe.
Ideally it should be detected and stopped heuristically or by behaviour.
I played with it using various sandboxes( GW, DW, BZ, Sandboxie etc) and it was not able to do any harm.
http://www.wilderssecurity.com/showthread.php?t=148690
dja2k
October 20th, 2006, 02:36 AM
So if this is the case, to block these kinds of viruses we all have to get sandboxed and basically run everything in there. That is totally insane! :o
Here goes another question: are there really any heuristics that stop it? I haven't seen anyone block it heuristically but only behaviorally.
dja2k
ErikAlbert
October 20th, 2006, 06:19 AM
I don't know about which test you're all talking, but I ran the trustware trojan test and Prevx1 blocked it.
aigle
October 20th, 2006, 07:07 AM
-{ Quote: "I don't know about which test you're all talking, but I ran the trustware trojan test and Prevx1 blocked it." }-
http://www.wilderssecurity.com/showthread.php?t=103492
ErikAlbert
October 20th, 2006, 07:36 AM
-{ Quote: "http://www.wilderssecurity.com/showthread.php?t=103492" }-
Thanks aigle, this seems to be a more interesting test. Unfortunately I'm in the process of re-installing my computer from scratch to improve my special clean backup files and special clean archived snapshots and a few other things.
After that I'm ready to test my new security setup and this will be a very exciting adventure, probably with many ups and downs and many posts. :)
aigle
October 20th, 2006, 08:09 AM
OK, let us know when you run it.
muf
October 20th, 2006, 11:36 AM
I decided to throw this at SurfinGuard Pro. Seeing as I'd already installed it to test against this http://www.wilderssecurity.com/showthread.php?t=150840
So here's the result.
dja2k
October 20th, 2006, 02:40 PM
-{ Quote: "I don't know about which test you're all talking, but I ran the trustware trojan test and Prevx1 blocked it." }-
How did it block it, by just saying its unknown and you clicked block?
dja2k
ErikAlbert
October 20th, 2006, 03:11 PM
-{ Quote: "How did it block it, by just saying its unknown and you clicked block?
dja2k" }-
For "unknown" and "caution" programs you have three choices : Query (Default), Allow, Block.
Query means that Prevx1 will ask you what to do.
If a program is considered as "bad" in the Community Database, I don't think you will have a choice, it will be blocked.
If a program is considered as "caution" in the Community Database, then Prevx1 will act according to your settings for "caution" programs.
If a program doesn't exist in the Community Database, then Prevx1 will act according to your settings for "unknown" programs.
If the Community Database isn't available, then Prevx1 will act according to your settings for "unknown" programs.
dja2k
October 20th, 2006, 04:09 PM
Don't think you have to explain how it works, I was a beta tester for Prevx1 and I already know that, but what option do you have. If you have block, then I understand why it got blocked.
dja2k
ErikAlbert
October 20th, 2006, 04:18 PM
-{ Quote: "Don't think you have to explain how it works, I was a beta tester for Prevx1 and I already know that, but what option do you have. If you have block, then I understand why it got blocked.
dja2k" }-
I didn't know you were a beta tester. I block everything.
Caution = bad for me, so I block them.
I don't change my software often. So "unknown" is not a problem, I just block them.
I only install and try new software in test snapshots without Prevx1.
dja2k
October 20th, 2006, 05:15 PM
Thanks ErikAlbert!
dja2k
duke1959
October 22nd, 2006, 12:03 AM
Cyberhawk popped up a warning right away.
Rostek
October 22nd, 2006, 12:34 PM
Hello!
I've downloaded it yesterday. I have seen popups from GMER alerting me before starting taskmgr.exe, telnet.exe and ftp.exe (and calc.exe of course and explorer.exe also :) ), and two from Jetico asking whether to allow "access to network" and - after running this test a second time, when I accepted "access to network" - alerting me before connection.
The test program has shown: "Your system is not secured! The attack demo collected listings of your data files and POSTED IT ON THE INTERNET..."
I said "Oh ****!" ;)
I'm a stupid lamer, I'm afraid of all these trojans, worms and other junk. But I've thought that maybe this time something went wrong... As a stupid lamer, I did the easiest test of this "trojan tester" ;D
So I have UNPLUGGED THE NETWORK CABLE FROM THE MODEM, SO THERE WAS PHYSICALLY NO CONNECTION TO THE INTERNET!!! Then I have run TrojDemo once again. It showed the same "(...) The attack demo collected listings of your data files and POSTED IT ON THE INTERNET..."
Yeah ::)
Greetings to all.
ErikAlbert
October 22nd, 2006, 01:40 PM
-{ Quote: "So I have UNPLUGGED THE NETWORK CABLE FROM THE MODEM, SO THERE WAS PHYSICALLY NO CONNECTION TO THE INTERNET!!! Then I have run TrojDemo once again. It showed the same "(...) The attack demo collected listings of your data files and POSTED IT ON THE INTERNET..."
Yeah ::)
Greetings to all." }-
LOL. That's funny. Posted it on the internet without an internet connection. Must be bad programming.
aigle
October 22nd, 2006, 02:20 PM
Ya. I know if I run it without an internet connection it says your system is secure.
duke1959
October 22nd, 2006, 03:26 PM
I posted about this Test in the Comodo Personal Firewall Forum, and a few agreed the test is suspicious. I was just saying that at least some software detects it right away. Comodo and AVG Free didn't, but as long as I denied it access to the internet via Firefox by CPF, there shouldn't be any information going out. It was good to see Cyberhawk pop up a warning right away though. I may try the HIPS in Spyware Terminator later to see if it detects anything right away too.
maddawgz
November 7th, 2006, 05:35 AM
AVG Suite failed miserably...... I got pop ups everywhere, my calculator too lol, now I gotta reboot... Arghhhhhhh hope it's innocent... anything I can use alongside AVG Suite? Tx..MD
aigle
November 7th, 2006, 06:00 AM
In my experience this test seems buggy.
Copyright ©2002 - 2012, Wilders Security Forums