Any good free trojan cleaners/detectors out there?

Discussion in 'other anti-trojan software' started by Slovak, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    which are?

    please do not generalize, this is absolutely not true for all scanners...

    what a really nice test... they tested ATs with the following testset:

    * File = BeOS, FreeBSD, Linux, Palm, OS2, Unix, BinaryImage, BAS viruses.
    * MS-DOS = MS-DOS and HLL*. viruses.
    * Windows = Win.*.* viruses.
    * Macro = Macro and Formula viruses.
    * Malware = DoS, Constructors, Exploit, Flooders, Hoax, Jokes, Nukers, Sniffers, Spoofers, Virus Construction Tools, Virus Tools, Corrupted, Droppers, Intended, PolyEngines.
    * Script = BAT, Corel, HTML, Java, Scripts, VBS, WBS, Worms, PHP, Perl viruses.
    * Trojans-Backdoors = Trojan and Backdoor viruses.

    why should an AT detect anything other than trojans and backdoors? you can't simply compare the results of AVs and ATs with the same testset, especially if there are a lot of unmodified samples! and btw. an AT is ALWAYS supposed to be an addon, not a primary scanner!
     
  2. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    It is true of all scanners.
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    then please tell me how they all do...
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Chris,

    Merely a statement without any factual back up won't go very far....

    regards,

    paul
     
  5. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Paul,

    Whilst I believe you know more than I about these things, I find it beyond belief that I'm asked to qualify the statement that they all use pattern matching since it is a fact that they do. Some also use heuristics.

    AVs and ATs do the same thing - that is look for specific files/bits of data etc - they do this by having a signature/image/pattern of what it is they are looking for - or in some cases a range of variations of a pattern - or heuristics. That is how all of them find what they are looking for.

    Some also look for reg entries or open ports etc also.

    I'm sure there may be some ATs that may detect some trojans that some AVs don't - but given that most of the main AVs detect more trojans than most ATs (I have seen many tests to prove this - eg: http://www.claymania.com/tests-trojan.html - but not seen one test ever which showed that any AT detected more trojans than any AV) I simply suggest that if you are that concerned about trojans - simply install another AT.

    How about someone supplying some proof that any AT can detect more trojans/trojan infections than any of the main ATs - like Norton, Kaspersky, F-Secure etc?

    In my view it is simply not a realistic view to believe that someone like Symantec can't produce a product that can't detect as many trojans as any AT.

    Anyone who has seen TV news coverage of the recent worm outbreaks has probably seen footage of the command centres of places like Symantec - these are huge places staffed by hundreds of people that look like a cross between NASA headquarters and the bridge of the starship Enterprise - they have huge resources, almost unlimited finances etc and I find it impossible to believe in the real world these guys' products could be bettered by any AT manufacturer.

    I would be interested if anyone can:

    1) prove that all ATs/AVs don't essentially use pattern matching
    2) give a qualified example of any AT that can detect more trojans than any of the MAIN AVs. (Giving numbers and proof)
    3) Name any AT that has more regular updates to the scanning engine than the main AVs
    4) Name any AT that has more regular signature updates than any of the main AVs
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Chris,

    Before I will jump in, I'm looking forward to input from other quite knowledgeable people on this subject - as I'm pretty sure they will. One remark up front though: Clay has a nice site, but referring to tests outdated for 3 years doesn't hold up IMO ;)

    regards.

    paul
     
  7. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Notwithstanding Chris' argument that an AV does a better job than an AT, what does it hurt to run both? NOTHING!

    As long as there is a chance that one will catch something that got past the other, I will continue to run both. This is the basic reason, I suspect, that most of us run both Spybot S&D and AdAware, right?
     
  8. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hi,

    It does not hurt to run both an AV and AT - but I would argue that rather than running an AT in parallel with an AV - you would be better off running another AV alongside - since as you know - I argue that ATs detect a wider spectrum of trojans than AVs.

    Paul - yes that test is old - but proves at that time ATs (the purpose of which is to detect trojans after all!!!!) were of little or no use in detecting trojans - and were vastly inferior to AVs. Unless something has changed since then (and I want proof) then my point stands!


    (Please don't feel you must reply to this - I'm just being a bit argumentative as I'm using this as a nice break from doing a rather dull business plan!!!)
     
  9. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I run spywareblaster, and spywareguard along with ad-aware and spybot.
    I do question the accuracy of Clay's site myself as things have changed in the last three years, but one thing I did notice about it was that KAV was amongst the top spots then, and still is today.
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hex a server and it's undetected by any av, or pack it with a special packer, or do those tricks used to make a server undetected. any av scan will fail... ok launch the server-> any anti trojan with a true memory scanner will instantly detect it

    problem with those trojan tests is that they included non-dangerous trojan samples, like clients and editservers.
    if i scan my trojan collection with kav or f-secure, i'll get some 30000 detections, if i scan with trojan hunter i get some 7000 identifications, (plus warnings etc. you see trojan hunter only detects servers) on the filescan trojan hunter is not capable of battling with kav because of kaspersky's superb unpackers.. but when kav fails (it happens, any filescanner can be fooled, for kav it usually takes longer), trojan hunter kicks in with its memory scan..

    ca's ez antivirus is btw one of the worst scanners against trojans... lacking many very common trojans from its database, it's primarily a virus scanner, a good one against viruses..

    kav on the other hand has people (a team) on its payroll just for the sake of trojans, and it really is the scanner to beat when it comes to trojans
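    Chris's description of pattern matching in post 5 and illukka's point just above (a packed server passes a plain file scan, a scanner with good unpackers or a memory scanner still catches it) can be shown in a few lines. This is an added example and not code from the thread or from any scanner named in it. Everything in it is constructed: the signature database, the "sample" (a harmless byte string carrying a made-up marker), and the "packer" (plain zlib compression behind a made-up DEMOPACK header, standing in for a real executable packer).

```python
"""Toy signature scanner: file scan vs. unpacker-aware file scan vs. memory scan.

Constructed example; nothing here is real malware or a real scanner's code.
"""
import zlib

# Constructed signature database: name -> byte pattern (hypothetical entries).
SIGNATURES = {
    "Demo.Backdoor.A": b"DEMO_BACKDOOR_MARKER_v1",
    "Demo.Worm.B": b"\xde\xad\xbe\xef demo worm body",
}

# Constructed stand-in for an unpacked sample on disk. Repetitive filler keeps
# the toy packer's output clearly different from the plain image.
SAMPLE_PLAIN = (
    b"MZ" + b"\x00" * 62
    + b"demo code section " * 8
    + b"DEMO_BACKDOOR_MARKER_v1"
    + b" demo data section " * 8
)

PACK_MAGIC = b"DEMOPACK"  # constructed header marking our toy packed format


def pack(image: bytes) -> bytes:
    """Stand-in for a packer: store the image compressed behind a small header."""
    return PACK_MAGIC + zlib.compress(image)


def load_into_memory(on_disk: bytes) -> bytes:
    """Stand-in for the packer's stub at run time: restore the original image."""
    if on_disk.startswith(PACK_MAGIC):
        return zlib.decompress(on_disk[len(PACK_MAGIC):])
    return on_disk


def scan(image: bytes) -> list:
    """Pattern matching as the thread describes it: look for each signature's bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in image]


def file_scan(on_disk: bytes) -> list:
    """Naive file scanner: matches signatures against the raw bytes on disk only."""
    return scan(on_disk)


def file_scan_with_unpacker(on_disk: bytes) -> list:
    """File scanner that recognises the packer and scans the unpacked image too."""
    hits = scan(on_disk)
    if on_disk.startswith(PACK_MAGIC):
        try:
            hits += scan(zlib.decompress(on_disk[len(PACK_MAGIC):]))
        except zlib.error:
            pass  # corrupt container: nothing more to unpack
    return sorted(set(hits))


def memory_scan(on_disk: bytes) -> list:
    """Memory scanner: the sample has been launched, so scan the restored image."""
    return scan(load_into_memory(on_disk))


if __name__ == "__main__":
    packed = pack(SAMPLE_PLAIN)
    print("plain, file scan:      ", file_scan(SAMPLE_PLAIN))
    print("packed, file scan:     ", file_scan(packed))
    print("packed, with unpacker: ", file_scan_with_unpacker(packed))
    print("packed, memory scan:   ", memory_scan(packed))
```

    Run as a script it prints four results: the plain image is caught by the file scan, the packed image is missed by the naive file scan, and both the unpacker-aware file scanner (illukka's point about Kaspersky's unpackers) and the memory scan catch it because they see the restored image. The toy packer is trivially recognisable; the lesson is about which bytes get scanned, not about any real packer.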
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Ok did ANY other scanner besides TDS-3 detect SubSeven 2.1.5 within 0 minutes of release ? :) And modifications of the most popular trojans..

    Tests are usually scans on simply numbers of ITW viruses and trojans, as many as they can gather (and hopefully verify and document), in the real world trojans are modified so tests like this don't mean anything to an attacker who wants to send you a trojan. Why would they send you one of the ITW trojans that all AVs have got/shared with each other?

    It's common knowledge in the trojan users scene that a large percentage of users are now experienced enough and modify their trojans to bypass any AV. They also obtain (even buy) private trojans, BETA and unreleased and own coded trojans, and use keyloggers like Perfect Keylogger which most AVs detect poorly. Why is it so easy? Because a single file scanning detection is the only thing someone has to get past to infect you.

    Your AV is part of your layered defense. If you rely solely on it, then bypassing it is VERY easy..
     
  12. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Whereas they can't bypass your scanner.....?

    I suggest if your scanning engine is so advanced that you licence it to Kaspersky or Symantec.

    I don't know, but then I would guess since Kaspersky etc have much greater resources in terms of personnel and finances than you - they were better able to provide updates than you or any similar small company in the vast majority of cases.

    Not true with many AVs - F-Secure uses 3 engines.

    Anyhow, this could go on forever. The key issue is having software to protect against Viri & trojans etc - and the only evidence I have ever seen published shows without any doubt that AVs protect many many times better against trojans than ATs.

    If you have any independent evidence - based on a large sample of itw trojans which disproves this I think we would all like to see it.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Chris,

    First, have another look at the answers provided - especially by for example Illukka.

    As for:

    Sarcasm seems the worst way of defense - overall, and in regard to this topic as well.

    Indeed - you don't know, and you are guessing as you correctly stated. Let's keep it factual.

    It's actually beside the point. File scanning is the point - no matter how many engines in use.

    Not necessarily ;)

    Fully agreed.

    No offense intended, but you didn't understand some of the vital answers and their contents posted. It's common knowledge in the black hat world, AVs - KAV, F-Secure, you name them - can be fooled as far as databases are concerned, at least as far as signatures are concerned.

    Other than that: Gavin's comment is - as usual - right on target.

    I for one - and for sure I'm far from the only one - could provide you with the means to fool AVs in this context. We're not in the habit of providing this kind of info for obvious reasons.

    Finally: it's no doubt your prerogative to stick to your opinions and beliefs. In case you are happy and confident with those: so be it ;).

    regards.

    paul
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    true, f-secure has 3 engines, but the 2 other engines can't do s##t without the kav engine.. they rely on it for the unpacking and stuff..
    the orion engine especially is dependent on kav engine, about the libra engine i don't know much

    so basically bypassing f-secure's filescan is as easy as kav's..

    but to bypass a memory scanner you usually need the trojan's source to recompile/modify it
     
  15. chameleon1

    chameleon1 Guest

    @Illukka

    "but to bypass a memory scanner you usually need the trojans source to recompile/modify it"

    Wish you were right ...

    AFAIK there are only three decent memory scanners available: BOC, TDS, TH. Memory scanners are good for detecting compressed malware (though some commercial protectors can still cause a problem). Unfortunately, memory scanners do not frequently use signatures which are both strong and hard to find/guess.
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    "there are only three decent memory scanners available: BOC, TDS, TH"

    that's what i'm thinking too..

    "Unfortunately, memory scanners do not frequently use signatures which are both strong and hard to find/guess."

    how do you edit a file to make it undetected by memory scan if you don't have the source? it's not as easy as hexing, packing whatever

    those who have the skills will always have the undetected one, no matter what scanners are used against 'em
     
  17. chameleon1

    chameleon1 Guest

    @Illukka

    "how do you edit a file to make it undetected by memory scan if you don't hav the source?" ... " it's not as easy as hexing"

    Well. It can indeed be done by so-called "hexing" (hacker slang).

    Example 1: A memory scanner tries to detect the trojan "Roach" by searching for a text string called "Roach". You simply need to modify this text string with a hex editor and the trojan will not be detected anymore. (Btw. ... this example is less unrealistic than you may think.)

    Example 2: A memory scanner uses very large signatures and does not encrypt its signature database which will make "hexing" very easy ...

    Example 3: A memory scanner w/ limited functionality uses text-based signatures and, moreover, its signature database was cracked. Again, "hexing" becomes possible.

    In summary, I do not want to say that memory scanners are bad. They are definitely useful. But there is still much room for improvements.
     
  18. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    i still think hexing is easier against a filescanner than a mem scan

    "Example 2: A memory scanner uses very large signatures and does not encrypt its signature database which will make "hexing" very easy ..."

    with large signatures hexing is not that easy, even if you know the signature... could be that the signature is taken from such a spot that it is not possible to modify it without the source, not all sigs are text strings.. but parts of the code.. they can be hexed sometimes but it takes a lot of time and patience
    like you i've hexed a fair amount of trojans, i remember hexing a server and editing a text string d.o.c.u.m.e.n.t to D.O.C.U.M.E.N.T and it was undetected by chris p's favourite scanner (and mine too){ no i won't say which trojan}

    you're probably referring to trojan hunter on this one.. and if i remember right you took part in a discussion at gladiator forums about this subject.. even tataye himself admitted there( and at other forums too) that making beast undetectable against TH was very difficult(because of the size of the sig), and he has the source to work with..
    anyway this is just one example
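    chameleon1's three examples (post 17) and illukka's reply about large, code-based signatures (post 18) come down to one question a scanner author can actually test: does the signature depend on bytes that can be changed without touching the program's code? The check below is an added example, not code from the thread or from any product named in it. The sample bytes, both candidate signatures and the string-edited variant are constructed, and the "printable run of four or more bytes" rule used to locate string regions is an assumption of this example, not a claim about any scanner.

```python
"""Signature-quality check: string-anchored vs. code-anchored signatures.

Constructed example. The 'sample' is a harmless made-up byte blob with a fake
code section followed by printable strings, laid out the way a small compiled
program would be. Nothing here is real malware.
"""
import re

CODE = bytes([0x55, 0x8b, 0xec, 0x83, 0xec, 0x20, 0xe8, 0x11, 0x22, 0x33, 0x44,
              0x85, 0xc0, 0x74, 0x0a, 0x8b, 0x45, 0x08, 0x50, 0xe8, 0x55, 0x66,
              0x77, 0x88, 0x5d, 0xc3, 0x90, 0x90, 0xc3])
STRINGS = b"\x00demo trojan build 1\x00document\x00CONNECT\x00"
SAMPLE = CODE + STRINGS

# Two constructed signatures for the same sample:
#   WEAK:   the product-name string, like "Roach" in chameleon1's example 1
#   STRONG: several fragments of code bytes, most of which must match (k-of-n)
WEAK_SIG = {"fragments": [b"demo trojan build 1"], "min_matches": 1}
STRONG_SIG = {
    "fragments": [CODE[0:6], CODE[11:15], CODE[15:19], CODE[24:29]],
    "min_matches": 3,
}

# Assumed heuristic: a run of 4+ printable bytes is treated as a string region.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_regions(image):
    """Return (start, end) spans of printable runs, i.e. where strings live."""
    return [(m.start(), m.end()) for m in PRINTABLE.finditer(image)]


def fragment_in_string_region(image, fragment):
    """True if the fragment lies entirely inside a printable-string run."""
    pos = image.find(fragment)
    if pos < 0:
        return False
    end = pos + len(fragment)
    return any(s <= pos and end <= e for s, e in printable_regions(image))


def matches(sig, image):
    """k-of-n fragment matching: at least min_matches fragments must be present."""
    hits = sum(1 for f in sig["fragments"] if f in image)
    return hits >= sig["min_matches"]


def assess(sig, image):
    """Report how many of a signature's fragments sit in mutable string data."""
    brittle = [f for f in sig["fragments"] if fragment_in_string_region(image, f)]
    return {
        "matches_original": matches(sig, image),
        "fragments": len(sig["fragments"]),
        "string_anchored_fragments": len(brittle),
    }


def string_edited_variant(image):
    """Robustness test input: the thread's scenario where only text strings change
    (here: case of 'document' and one character of the product string)."""
    return (image.replace(b"document", b"DOCUMENT")
                 .replace(b"demo trojan build 1", b"demo trojan bui1d 1"))


if __name__ == "__main__":
    variant = string_edited_variant(SAMPLE)
    for name, sig in (("weak", WEAK_SIG), ("strong", STRONG_SIG)):
        print(name, assess(sig, SAMPLE), "still matches variant:", matches(sig, variant))
```

    The assessment flags the weak signature as entirely string-anchored, and the robustness test confirms the thread's two claims side by side: the string-only signature stops matching once the strings are touched, while the multi-fragment code signature still clears its threshold. In a real scanner the fragment selection would come from disassembly rather than fixed offsets, but the acceptance test (signature must survive edits to data it does not anchor on) is the same.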
     
  19. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    The fact remains - it is as easy to get round any ATs scanner as any AVs. - Don't keep replying by saying things like "you cant just say things you need proof" - since there is not a single person here who has provided a scrap of proof for anything they have said.

    As for my "sarcastic" remarks - I was making a valid point - the KAV engine is used by quite a few AVs as it is possibly the best - its simple economics - how many AT engines are licenced in this way - none - as no one wants them - why - because they are no better than any other engine - that's why.

    Not a single person here has addressed any of the issues I raised concerning the relative performance of AT and AVs.

    I use a "layered" protection system - I have F-Secure AV, Tauscan AT, Pest Patrol AT/Whatever, Spystopper, Blackice, Adaware Pro etc etc - but I don't believe having an AT running alongside an AV offers as much protection as having another AV running in parallel with an AV - eg - I think I would be better protected running say Norton in parallel with my F-secure - rather than running any AT.

    I find it funny that people here keep making comments about me supplying proof - when I'm the ONLY person here who has supplied any evidence concerning the TESTED performance of ATs and AVs (see links above) - and I have challenged anyone to provide data to disprove this - and no one has!

    The TDS representative has not stated any facts as yet - only posited a question if you remember asking if there was any other AT/AV which detected Subseven before TDS - I answered that I don't know - the truth is that I don't - and neither does he.

    I remember making a post here a few months ago concerning the detection of a new trojan (I believe the warning came from a post on BOClean) - I did a scan for this new trojan after updating Trojanhunter (which I was trying at the time) and F-Secure. F-Secure detected it immediately - Trojanhunter did not - not for quite some time. When I posted my findings here, I was told by the AT lobby that I should not be concerned with which updated first or how quickly they were updated!!!! It's like you can't win.

    I'm a scientist and as such I try to look at the evidence in front of me and make my decisions based on that. Good scientists should not have emotional investment in their theories or arguments. Theory should be based on facts and evidence - you would do well to remember that.
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To chameleon1 from Firefighter!

    U wrote: "AFAIK there are only three decent memory scanners available: BOC, TDS, TH".

    I know that DrWeb 4.31b and Avast 4 have memory scanners too but how decent, that's up to u all Wilders visitors to decide.


    "The truth is out there, but it hurts!"

    Best regards,
    Firefighter!
     
  21. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    If you believe so strongly that you would be better served by running multiple AVs in tandem rather than an AV/AT combination, then why don't you? The software you list as running on your system belies the point you've been trying to make -- very poorly, by the way.
     
  22. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Because I was given one of the ATs and purchased the other before I realised it was useless. Sometimes I have them installed, sometimes I don’t. I only ever use them to play about with.

    I can’t be bothered to install another AV as I believe the added protection it would bring is about zero.

    Very poorly. I think not. I have proved my point with evidence and facts. Please, try doing the same, since so far you have not provided any facts or any evidence. You can't prove a point by just wishing it was true or making personal comments against the person who is providing an antithetical point of view.

    Try being methodical and logical in arguments, present your argument backed up by research and documented facts. You can't criticise the logic or facts of my argument by pointing out that I run ATs. - By your logic, I guess if I didn’t run any ATs but instead had an AV running in parallel - then I would be proved right? Of course not.

    I’m genuinely interested in getting to the bottom of all this and we won't get there by going the way we are.

    I’m still waiting for some hard facts here. Show me:

    1) An objective independent test of ATs VS AVs using a large No. of ITW trojans - where ANY single AT beats any single AV.

    2) Show me independent proof that an AT can't be fooled as simply as an AV - Independent proof that is - using a large No. of trojans.

    I would also be genuinely interested in the manufacturers of TDS and TrojanHunter letting me know:

    1) What their turnover is
    2) How many employees they have

    This information (at least in the UK) is public domain and companies are required by law to publish this info - so there can be no reason I can see for them not to provide this data.

    I ask this as I believe that whilst it is not a guarantee, the size of these companies relative to their competitors, will reflect their proportional ability to be able to research the malware out there and also develop new technologies to counter new threats.
    ***************

    Although this information is not in the public domain, I would also like to know the following:
    1) What is their R&D budget?
    2) How many full time individuals they employ in R&D?
    3) How many full time individuals they employ in researching new malware?

    I would also like them to explain to me why they think it is that they are able to produce software which is unable to be bypassed by modified trojans - whereas the manufacturers of ATs can't.

    Providing accurate answers to my questions backed up with proof is all I ask. Once I have received these, I will be a happy man.
     
  23. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    this is starting to get hilarious ... omg
     
  24. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Yes it is.

    Would be even funnier if someone came up with some answers!

    Ho ho ho.
     
  25. chameleon1

    chameleon1 Guest

    Hi Chris:

    1.
    I do not believe that your arguments are completely baseless (e.g., the argument relating to the bigger resources of AV companies is certainly true).

    However, I am still convinced that the best AT scanners can easily compete with a good AV scanner like F-Secure. Therefore, I hold the view that it can indeed make sense to use an additional AT scanner.

    2.
    Since you have mentioned that you are a scientist I would like to invite you to a semi-scientific experiment: the experiment shall demonstrate that it can be relatively easy (for an attacker) to modify a trojan so that F-Secure will fail to detect it. By contrast, a good AT scanner (with mem scanning) should not be affected.

    In the course of the experiment we will try to compress a trojan and/or use a hex editor in order to outfox F-Secure.

    (I will provide you with sufficient information so that you can verify my claims. However, I will not write a tutorial for hackers. Therefore, it is possible that certain sensitive information must be communicated via PM.)


    3.
    Please tell me whether you are interested in such an experiment. If yes: please select a trojan of your choice. (You should be familiar with the trojan since you may want to execute it in order to verify what I will teach you.)

    4.
    Please note: the experiment will not tell you whether an AV scanner will detect more or less original (= unmodified) trojans than an AT scanner. Frankly, I do not think that the size of a signature database is of paramount importance. It is more likely to get infected with a well-known trojan that has been modified than with an exotic trojan of dubious reliability.
     