Wilders Security Forums  

  #1  
Old January 8th, 2004, 06:47 AM
monica_84 monica_84 is offline
Infrequent Poster
 
Join Date: Dec 2003
Posts: 31
Default which is the best anti trojan ?

I am using NOD antivirus and I want to know which is the best anti-trojan software that is also lighter on resources.
  #2  
Old January 8th, 2004, 07:06 AM
john2g john2g is offline
Frequent Poster
 
Join Date: Feb 2002
Location: UK
Posts: 207
Default Re:which is the best anti trojan ?

BOClean
__________________
All electrons used in the creation of this message were recycled. No electrons were harmed or mistreated in any manner.
  #3  
Old January 8th, 2004, 08:28 AM
Jooske Jooske is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Default Re:which is the best anti trojan ?

Hi Monica, welcome to the forum.
Is there a special reason why the resources are a matter for you?
Choices depend so much on personal likes and dislikes on your own system.
There are quite some discussion threads about exactly this question in this forum, which you might like to read through, download and try on your own system.
People will love to assist you with your questions and experiences.
Wonderful that you want a special layered protection!
__________________
Jooske
"o_o"
  #4  
Old January 8th, 2004, 09:49 AM
Q Section Q Section is offline
Frequent Poster
 
Join Date: Feb 2003
Location: Headquarters - London & Field Offices - Worldwide
Posts: 679
Default Re:which is the best anti trojan ?

Hello monica_84

We prefer to use the oldest and most thorough anti-trojan software when necessary. This is TDS3 found at this address.

Try it and see! Out of the box it has wonderful functionality and does not need anything else but if one wishes there are a myriad of user settings available with extra tools to go with it.

Hope this helps!
__________________
HMSS Q Section
Visualise World Righteousness
Semper Ad Fundum
Careers in the SECRET INTELLIGENCE SERVICE <--Click link for more information
  #5  
Old January 8th, 2004, 09:53 AM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Quote:
quoting: monica_84
...and also lighter in resources

Bear in mind that's an essential part of the question, ladies and gents

regards.


paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #6  
Old January 8th, 2004, 11:26 AM
Straight Shooter
 
Posts: n/a
Default Re:which is the best anti trojan ?

Try Trojan Hunter...

http://www.trojanhunter.com/

VERY Light on resources, and it's a FULLY featured Anti Trojan that's both easy to use, and understand, and it has both memory scanning AND an on demand scanner...
  #7  
Old January 8th, 2004, 11:35 AM
JimIT JimIT is offline
Very Frequent Poster
 
Join Date: Jan 2003
Location: Denton, Texas
Posts: 1,035
Default Re:which is the best anti trojan ?

Quote:
quoting: john2g
BOClean

I agree.

If you want an AT that works with a minimum of user intervention and don't want to "bother" with a file scanner, BOClean is a good choice. It is extremely light on resources.

TDS-3 and TrojanHunter are good choices if you want to do scheduled or on-demand file scans for trojans in addition to a resident monitor similar to your AV. They both also have other useful tools included, and are also worth checking out.

My opinion is that an extra file scanner is redundant--but that's my opinion, and others will disagree for what to them are very valid reasons, so it certainly depends on how many/what features you are looking for.

Best of luck, and have fun in your search!

__________________
www.gremiss.com
  #8  
Old January 8th, 2004, 11:40 AM
subratam subratam is offline
Spyware Fighter
 
Join Date: Nov 2003
Location: Issaquah, WA
Posts: 1,310
Default Re:which is the best anti trojan ?

when i saw the topic... i knew the fight would be mainly btw BOclean, TDS and Trojan Hunter... i love the three of them... but to choose one... i would go for TDS for its memory scanning and also useful tools with it... to go with...
but anyways... one can choose any 1 of these 3... best possible anti trojans out in the web....
  #9  
Old January 8th, 2004, 12:01 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Quote:
quoting: Crooked Shot
Try Trojan Hunter...

VERY Light on resources, and it's a FULLY featured Anti Trojan that's both easy to use, and understand, and it has both memory scanning AND an on demand scanner...

Shooter, someone pointed me to a rather annoying hole in the ThSec.dll. I really do hope Magnus will have this fixed real soon! That said: I'm sure you agree until this has to be fixed first - not only for new customers, but for existing ones as well. A matter of time, I presume.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #10  
Old January 8th, 2004, 12:27 PM
Straight Shooter
 
Posts: n/a
Default Re:which is the best anti trojan ?

I already fixed it by downloading a replacement dll file for thsec from his forum... Magnus should update TH after he tests it pretty soon.. I'd say that was fast response, wouldn't you?
  #11  
Old January 8th, 2004, 02:05 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Quote:
quoting: Crooked Shot
I already fixed it by downloading a replacement dll file for thsec from his forum... Magnus should update TH after he tests it pretty soon.. I'd say that was fast response, wouldn't you?

I haven't been informed about a replacement dll file - is it safe to assume no one but regular TH forum visitors are actually aware of the issue at hand - and a possible fix? As for a fast response: as for the forum regulars: yes. As for the vast majority of paying customers: not at all.

Anyway, I for one am looking forward to an engine update. There's no doubt in my mind, Magnus will soon take care of this! After that, we can test the new dll.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #12  
Old January 8th, 2004, 02:40 PM
muf muf is offline
Frequent Poster
 
Join Date: Dec 2003
Location: Manchester, England
Posts: 921
Default Re:which is the best anti trojan ?

I'm a fully registered TH user and I did not know about this .dll file. Seems to be a breakdown in communication somewhere along the line. I would think that registered users should know about any patches/improvements. Poor that the liveupdate doesn't have a way of telling you, and even worse that you have to rely on visiting the TH forum to find out!

Let's hope the liveupdate is improved to let users know about version upgrades, patches and improvements.

muf
__________________
There is always a way past!
  #13  
Old January 8th, 2004, 02:42 PM
spy1 spy1 is offline
Massive Poster
 
Join Date: Dec 2002
Location: Clover, SC
Posts: 3,138
Default Re:which is the best anti trojan ?

Paul - Magnus actually did have a fix out for the problem within an hour - reference this thread: http://forum.misec.net/board/TrojanHunter/1073407081 - which isn't too shabby, IMO, as long as the fix works well for everyone. Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #14  
Old January 8th, 2004, 02:50 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Pete,

If I do read correctly, this seems to be an untested new .dll - and has only been published in the TH forum.

Once more: I'm pretty sure Magnus will tackle the issue - I for one sincerely do hope so!

That said: very few TH users actually visit the TH forum, and thus are totally unaware of the issue plus the temp fix available.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #15  
Old January 8th, 2004, 03:00 PM
spy1 spy1 is offline
Massive Poster
 
Join Date: Dec 2002
Location: Clover, SC
Posts: 3,138
Default Re:which is the best anti trojan ?

Yes, I'm sure the fix won't be generally released until it's proven out in testing - that's as it should be.

Listen, can we all kind of try to remember here that this is a win-win situation?

Wayne (DCS) puts out APT for free - Magnus uses the program to discover a problem with TH - Magnus goes to work to fix the problem.

Who won?

Everybody!

Wayne gets the satisfaction of knowing that his program helped someone else improve/make safer their program.

Magnus got to find an error and fix it (and thus) - all users of TH benefit - and the Internet becomes a safer place for everyone.

At least, that's the way it seems to me. Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #16  
Old January 8th, 2004, 03:10 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Hi Pete,

Let's keep DCS out of this discussion - in the end it's of no concern who detected the flaw; it could well have been you for that matter, and it's really of no importance.

I for one do wish all decent software developers all the best - and that includes Magnus, Wayne, Kevin, Daniel, Mikheal, to name a few antitrojan developers.

My concern in this - TH related! - discussion is stated above. No need to quote, I presume.

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #17  
Old January 8th, 2004, 04:16 PM
ReGen ReGen is offline
Regular Poster
 
Join Date: Jan 2003
Location: Scotland UK
Posts: 61
Default Re:which is the best anti trojan ?

I’m really surprised that people are getting so upset about the supposed “problem” with TH Guard’s shutdown protection. The protection that currently exists is still better than any other AT’s built-in protection as far as I’m aware. (Please feel free to correct me).

Yes APT can shut down TH Guard. APT could shut down Process Guard using some of its techniques initially. But, I’m sure Magnus will continue to improve the protection for Guard just as Wayne has for PG. TH will still detect Trojans and still has a memory scanning module that is well protected. Plus it would seem, with just a few modifications people will be even better protected from attempts at forcibly closing Guard. Flaw?

The THsec.dll file in question is currently undergoing beta tests and I’m sure Magnus will widely announce its availability once he feels it’s 100% ready.
__________________
--
Regen
  #18  
Old January 8th, 2004, 04:35 PM
Jooske Jooske is offline
Incredibly Massive Poster
 
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Default Re:which is the best anti trojan ?

I would like to read from the original questioner why light in resources is important.
Is that the main importance or are other issues as user friendliness, set and forget, extra security also important issues?

You'll find in the forum here each time the same three mentioned, BOClean, Trojan Hunter, TDS (in no specific order) as the top three to choose from and each depending on some personal circumstances and wishes.
Try what you like, and at the moment you're close at deciding there comes TDS-4 Active Guard (currently in the build) to change your whole view and you can start again.

You can read many threads in this forum area and you will see each time the same kind of discussions, be it that now this time the one dll fix in the build is being mentioned.

You will also see a couple of golden remarks and threads about developers discussing and helping each other, building more security or detection in their products. It's really nice to see the people working together and using each other's tools to enhance their own products too.
I do know my choices which work nicest for me on my system, but it is all personal!
__________________
Jooske
"o_o"
  #19  
Old January 8th, 2004, 05:12 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Jooske,

The need for extremely light on resources issue is one and the same that made the initial poster go for NOD32 - a clearly stated wish - no offense intended - TDS4 is at this moment not an option, and obviously there's a need for antitrojan protection now.

Regen,

Let me start with your last comment:

Quote:
The THsec.dll file in question is currently undergoing beta tests and I’m sure Magnus will widely announce its availability once he feels it’s 100% ready

I surely do wish this will happen - for the benefit of all TH users. Nevertheless, I'm somewhat worried here.

User-mode hooks could well be an issue here; they can be "undone" - contrary to kernel-mode hooks. Delphi/Pascal (and that's what TH is all about) can only create executables and DLLs - nothing in the kernel mode. Therefore, I'm kind of worried this THsec.dll (old or new) will be actually no real defense at all.

now,

Quote:
...But, I’m sure Magnus will continue to improve the protection for Guard...

Quote:
Plus it would seem, with just a few modifications people will be even better protected from attempts at forcibly closing Guard. Flaw?

I surely do hope and wish so! In perspective of the above mentioned, it seems to me, this might be very difficult to accomplish. Delphi/Pascal does come with limits.

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #20  
Old January 8th, 2004, 05:47 PM
Magnus Mischel Magnus Mischel is offline
Security Expert
 
Join Date: Oct 2002
Posts: 174
Default Re:which is the best anti trojan ?

TrojanHunter is currently the only trojan scanner that has built-in protection against TerminateProcess and similar attacks (others rely on a second watchdog process or random file names) so it is beyond my comprehension why someone would argue that this feature of TrojanHunter is a reason for not choosing it.

As for user-mode vs. kernel-mode: Any hook installed in software can also be undone by software. The procedure to remove a kernel-mode hook is the same as that for removing a user-mode hook. If the account being protected was a limited account in the first place then the protection wouldn't be necessary anyway. The thing about protection against these attacks is that it makes it much more difficult for malware to terminate the security program. It's not possible to get 100% protection, and it doesn't matter if it's done in user mode or not - but it's possible to make it very difficult for an attacker.
__________________

Mischel Internet Security
Home of TrojanHunter and SSH Edit

Twitter: @mmischel
  #21  
Old January 8th, 2004, 06:04 PM
ano1 ano1 is offline
Infrequent Poster
 
Join Date: Dec 2003
Posts: 27
Default Re:which is the best anti trojan ?

IMHO it's almost ridiculous to discuss whether TH is sufficiently protected against TerminateProcess:

1.
It's not really important whether TH is protected against such an attack. Yes...anti-process termination is a nice feature. But that's it. If a trojan actually manages to terminate TH the user will get warned (at least in the long run) since the resident monitor will not work anymore. Be happy if this ever happens. Things could be worse. Imagine an undetected trojan which stays silent ...

2.
It's also funny that people talk about minor, potential vulnerabilities (like possible termination attacks) but do not take into account that the signatures of many AT scanners can/have been revealed (either because they are not encrypted at all or because the scanner's signature database was cracked).
  #22  
Old January 8th, 2004, 06:10 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Hi Magnus, good to see you join in!

It's an interesting discussion - I for one do hope for the benefit of all.

As for your second remark (user-mode vs kernel-mode): isn't SetWindowsHookEx merely a global hook?

Debuggers should have no problem with a user-mode in general. Very few debuggers are able to reach the kernel - W32Dasm, OllyDbg, IDA - none of them can.

I tend to disagree on:

Quote:
...and it doesn't matter if it's done in user mode or not..
for reasons stated above. Open for discussion


regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #23  
Old January 8th, 2004, 06:15 PM
Magnus Mischel Magnus Mischel is offline
Security Expert
 
Join Date: Oct 2002
Posts: 174
Default Re:which is the best anti trojan ?

All it takes is a small driver and any advantage you think you have of doing something in kernel mode is blown away. There are already pre-made drivers that allow for access to the entire kernel memory so an attacker wouldn't even have to write his own. Like ano1 said, I think this whole discussion is blown way out of proportion... instead of discussing the fact that TrojanHunter is protected against TerminateProcess maybe we should start discussing why other scanners aren't? Or perhaps let's just let this issue die so the original poster can get his questions answered...
__________________

Mischel Internet Security
Home of TrojanHunter and SSH Edit

Twitter: @mmischel
  #24  
Old January 8th, 2004, 06:39 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:which is the best anti trojan ?

Quote:
quoting: Magnus Mischel
All it takes is a small driver and any advantage you think you have of doing something in kernel mode is blown away. There are already pre-made drivers that allow for access to the entire kernel memory so an attacker wouldn't even have to write his own.

Magnus, as far as I'm concerned, this isn't some sort of contest - please keep that in mind. I for one couldn't care less which software is discussed.

As for your comment mentioned above: do I understand you correctly: there's no way to prevent access to the entire kernel? If so, please elaborate in specific. Furthermore: isn't it far more easy to tackle the user-mode?

Quote:
Like ano1 said, I think this whole discussion is blown way out of proportion...

IMHO it's fair to leave it to readers to decide. As always, everyone is entitled to his own opinion over on this board.

Quote:
instead of discussing the fact that TrojanHunter is protected against TerminateProcess maybe we should start discussing why other scanners aren't?

You are most welcome to start a separate new thread in regard to other scanners. In this thread, TH has become an issue of importance.

Quote:
Or perhaps let's just let this issue die so the original poster can get his questions answered...

The original poster's issue has been answered - and other answers are welcome.

As for letting the issue die: as long as there is input, it will stay alive. As a developer you probably agree this is an interesting thread - whatever the outcome.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #25  
Old January 8th, 2004, 06:50 PM
Magnus Mischel Magnus Mischel is offline
Security Expert
 
Join Date: Oct 2002
Posts: 174
Default Re:which is the best anti trojan ?

Quote:
quoting: Paul Wilders
As for your comment mentioned above: do I understand you correctly: there's no way to prevent access to the entire kernel? If so, please elaborate in specific. Furthermore: isn't it far more easy to tackle the user-mode?

No, there's no way to prevent access to the entire kernel memory space if you're running under an Admin account, which 99% of all home users do. If you're running under a limited account you wouldn't need any special protection software anyway as you could just run your security software under a privileged account thus making any attacks impossible.

__________________

Mischel Internet Security
Home of TrojanHunter and SSH Edit

Twitter: @mmischel
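
The account separation described in post #25 (a limited user session, with the security software running under a different, privileged account) can be audited on a host. The following is an added example, not code from the thread or from any product named in it; `ExampleGuard.exe` and the function name `Test-GuardIsolation` are placeholders, and the check reflects only the token of the session it runs in.

```powershell
# Added example: report whether a resident guard process is separated from the
# current session by account boundaries. 'ExampleGuard.exe' is a placeholder name.
function Test-GuardIsolation {
    param([string]$ProcessName = 'ExampleGuard.exe')

    # Identity of the current session and whether its token is an administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # A token that holds SeDebugPrivilege can open processes regardless of their DACL.
    $hasDebug = [bool](whoami /priv | Select-String -SimpleMatch 'SeDebugPrivilege')

    $procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'")
    if ($procs.Count -eq 0) {
        Write-Warning "No running process named $ProcessName"
        return
    }

    foreach ($proc in $procs) {
        # GetOwner returns Domain/User; a non-zero ReturnValue means the owner
        # could not be read with the current token.
        $owner     = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
        $sameAccount = [bool]($ownerName -and ($ownerName -ieq $identity.Name))

        $verdict = if ($isAdmin -or $hasDebug) {
            'Admin token: process-level self-protection can be undone from this session'
        } elseif ($sameAccount) {
            'Same account: the guard is not separated from this user''s other programs'
        } elseif ($ownerName) {
            'Separated: guard runs under a different account than this limited user'
        } else {
            'Owner not readable with this token; verify from an administrative session'
        }

        [pscustomobject]@{
            ProcessId    = $proc.ProcessId
            GuardOwner   = $ownerName
            CurrentUser  = $identity.Name
            IsAdmin      = $isAdmin
            HasSeDebug   = $hasDebug
            SameAccount  = $sameAccount
            Verdict      = $verdict
        }
    }
}

Test-GuardIsolation -ProcessName 'ExampleGuard.exe' | Format-List
```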
 
