Any real world experiences with BOClean?

Discussion in 'other anti-trojan software' started by Wordward, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    It seems that BOClean is just blacklisting that scans memory rather than on read/write access. So BOClean will only try to get rid of malware that is not in my AV signatures and not picked up by heuristics. Doesn't that mean that it is a case of who has the bigger signature database?
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A simple explanation would be that heuristics, or behavior-based interceptors if you wish, work on rules. The more intelligently the variables are coded, the better the detection rate. As for list scanners, they are usually built to use compressed checksums like MD5 - SHA1 signatures to increase speed during scans/comparisons as well as to lighten the weight of the database. Both methods are basically active & passive process / executable monitors & scanners. Most AVs are hybrids of these two methods. They also look for specific entries in the many invocation points for the registry and other program startup areas and so on. In the case of BOClean it only scans active processes when they are invoked into live memory. But it uses both methodologies as well. (Heuristics & checksum database)

    In my opinion it is a case of who has the best heuristics and the most AI, not the biggest database. Database-based products are by nature reactive, while building more advanced AI into a product will allow a more dynamic response in real time, where the decision made by the AI is based on the actual current behavior of the executables as well as on the extrapolation of its probable intended purpose. This is a much more complex and obviously difficult method to code, but the rewards are far greater in the long run...

    Perhaps some of the other peeps lurking here who are more qualified than me could complement this explanation...
     
    Last edited: Jan 16, 2008
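To make the distinction drawn in the two posts above concrete (a checksum blacklist that only matches samples already seen, versus heuristic rules that score behaviour indicators), here is an added example. It is not code from this thread and has nothing to do with BOClean's or any vendor's actual engine; the "executables" are constructed byte strings, the SHA-1 blacklist is the list-scanner side, and the weighted substring rules are a deliberately toy stand-in for the "intelligently coded variables" of a heuristic engine.

```python
import hashlib

# Constructed sample "executables": plain byte strings standing in for
# file contents. None of this is real malware or real BOClean data.
KNOWN_BAD = b"MZ demo-trojan v1: copies itself to Run key; listens on tcp/31337"
VARIANT   = b"MZ demo-trojan v2: copies itself to Run key; listens on tcp/31337"
CLEAN     = b"MZ demo-editor: opens text files; saves text files"


def build_blacklist(samples):
    """Blacklist = set of SHA-1 digests of samples already seen (the 'list scanner')."""
    return {hashlib.sha1(s).hexdigest() for s in samples}


def blacklist_scan(data, blacklist):
    """Exact-match lookup: true only if this precise byte sequence was listed.
    A one-byte change in the sample (the 'variant') produces a different digest."""
    return hashlib.sha1(data).hexdigest() in blacklist


# Constructed heuristic rules: (name, weight, indicator substring).
# A real engine inspects imports, API calls and runtime behaviour, not substrings;
# the structure (weighted indicators summed against a threshold) is the point.
RULES = [
    ("autostart-persistence", 2, b"Run key"),
    ("listens-on-port",       2, b"listens on tcp/"),
    ("self-copy",             1, b"copies itself"),
]


def heuristic_score(data):
    """Sum the weights of every rule whose indicator appears in the data."""
    return sum(weight for _, weight, indicator in RULES if indicator in data)


def heuristic_scan(data, threshold=3):
    """Flag the sample once accumulated suspicion reaches the threshold.
    Lowering the threshold catches more variants but raises false positives,
    which is the trade-off the rule weights have to be tuned for."""
    return heuristic_score(data) >= threshold


def compare(samples, blacklist):
    """Return {label: (blacklist_hit, heuristic_hit)} for each labelled sample."""
    return {label: (blacklist_scan(d, blacklist), heuristic_scan(d))
            for label, d in samples.items()}


if __name__ == "__main__":
    bl = build_blacklist([KNOWN_BAD])   # only v1 has ever been seen and listed
    results = compare({"known": KNOWN_BAD, "variant": VARIANT, "clean": CLEAN}, bl)
    for label, (b, h) in results.items():
        print(f"{label:8s} blacklist={b!s:5s} heuristic={h}")
```

Running it shows the asymmetry the posts describe: the blacklist hits only the exact listed sample and misses the near-identical variant, while the rule score flags both and leaves the clean sample alone. The size of the blacklist only ever decides how many already-known samples it catches; the quality of the rules decides what happens to the ones nobody has listed yet.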
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    OK, I understand about the heuristics. However my original point is that BOClean and the traditional AV are still blacklisting products. The difference is that they scan at different points in time. Why use two blacklist scanners? Would an AV and a behavior blocker cover more bases?
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Surely :)
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Actually I think that being hybrids they now all do. It's the intelligence of their products that is weak. I don't know of any products able to detect 100% without some listing being involved, either white or black. In the end the best AI will prevail. Whether it's an AV or anything else...

    Think of it as a cop... Fingerprints and camera evidence are only used after the fact. As such they are failing to prevent crime but are excellent at convicting criminals when used as evidence. However a behavior analyst may be able to use the past evidence to demonstrate patterns in individuals' approach to crime and lay traps in wait until some bad ass trips them... Same with many security tools... ergo AI is best at preventing by analyzing patterns instead of knowing specific individuals, whereas evidence (lists) is best at convicting repeat offenders... In either case both are needed in some way to be truly effective.
     
    Last edited: Jan 16, 2008
  6. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I have had BOClean pop up and stop something while my AV was showing nothing a few times. I have used it for years with very few problems except when Comodo first took over, and we all know what happened there, but it runs fine for me now.
     