AT Question

Discussion in 'other anti-trojan software' started by Bethrezen, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Boclean's support is second to none.
    Helped me many times.

    thanks kevin

    snowbound
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Snowbound, that is the same thing DCS product users say about DCS :) and for both companies it's told all over the internet.
    Top notch software and security and outstanding support; all imperative parts of the top notch products.


    Aguest, I hope those details will follow. One might suppose the other samples mentioned are all provided to the developers for testing?
     
  3. lichttraeger

    lichttraeger Guest

    OK, I also think that support is very important, but what about the signature quality? I read on some sites that some anti-trojan (also some anti-virus) programs don't have really strong signatures. I want a good and safe system program and not a program which can be fooled by a newbie script kiddie. Are these stories about weak signatures true or just bad and wrong theses? What should I do?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's the kind of software to avoid; choose top notch quality software with outstanding support instead.
    If you would use the other for some nice features besides an outstanding product in the same field (AV or AT for instance) you will still be safe because of the other product. But if you would be plagued with lots of false positives or missed code you might like to ditch the thing for harming more than doing good.
    It's rather unfortunate that possibly weaker sigs confuse users and make them feel suspicious of other products. But on the other hand the top notch products have proven themselves time and again.

    The software in the dedicated forums here is outstanding; on www.wilders.org you will find reviews and recommendations, explanations, ratings and downloads, so you won't really go wrong.
     
  5. Andreas Haak

    Andreas Haak Guest

    It's a question of how you define weak and strong signatures. In my opinion a strong signature has to fulfil 3 points:

    1. It doesn't contain text parts
    Text parts can be easily patched inside a file, even if you are a newbie. So a strong signature should always be extracted from within the malware's code to make patching as difficult as possible.

    2. It has to be specific enough
    To clean a malware infection you have to know the exact name of a malware. Many scanners will just detect "CIH" although there are several variants that need different cleaning. If a scanner doesn't recognize the exact variant there is a good chance of damaging your files or your system.

    3. It doesn't cause false positives


    Examples for AVs using weak signatures:
    McAfee (text/resource based, too generic), AntiVir (text based), BitDefender (text based), Norton AntiVirus (text based)

    Examples for AVs using strong signatures:
    kaspersky, DrWeb, RAV, NOD32

    And no, I won't name any AT with weak signatures. Perhaps tomorrow. I have to take care of the blood pressure of several AT vendors inside this board ;).
     
  6. lichttraeger

    lichttraeger Guest

    That's similar to what I read. I read a text saying that a well known anti-trojan program named TDS (I saw that TDS also has its own sub-forum here) sometimes (or often?) uses these weak (?) signatures for trojans, I mean these text things. So I want to know if this is right, because there are also other anti-trojan products I want to look at, and maybe later buy, but first I want to know if there is really a weak point or if it is just someone's bad joke. Or does the program also use other signatures to detect a trojan?
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS is recognised as being difficult to get past, don't worry about that :) I have also noticed something Andreas mentioned: there are a lot of threads about changing icons and bypassing AVs (resource modification).

    So rest assured TDS signatures will not ever use a detection based around an icon or other binary resource, because this is something users obviously attack; changing the icon is useful for them. TDS has a lot of detection methods and extra detection can't hurt. We have some things which are secret and I don't know if they will ever be revealed, as that helps trojan writers and users. I recommend you add Process Guard free to TDS and try it, use it :)
     
  8. lichttraeger

    lichttraeger Guest

    Mhh, not the resource section thing, OK, but I read a text which describes that TDS perhaps also uses texts for the other scans. The idea to use more than one scan method is good, but if it is right that texts are also used as signatures, I think this is not really safe, or is it?
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might like to look at the archives on the DCS site, like this one about AT tests here

    There are always stories going around, but rest assured the DCS people know what they're doing. I keep to Gavin's answer.

    You might be able to point to the forum threads or where you read those discussions, making it easier to react in an adequate way to those comments?
     
  10. 1.
    hxxp://www.dslreports.com/forum/remark,7722325~root=security,1~mode=flat

    My 2 cents: Only the TDS-3 filescanner was affected (not the memory scanner). It is really a strength of TDS that it uses so many signatures and detection methods. Therefore, it is relatively hard to modify a standard, non-DLL trojan in a way that TDS will fail to detect it.

    2.
    TDS does use "weak" text based signatures. But this is not bad to the extent that it additionally uses "strong" signatures taken from the code section etc.:

    The exclusive use of text strings as signatures is bad because text strings can be easily changed w/o destroying the trojan.

    The supplementary use of text strings as signatures is good because they sometimes help to identify new versions of a trojan belonging to a well-known family immediately after their release (i.e., before a specific signature has been created). For example, the object memory scan feature of TDS searches for text strings. Moreover, text based signatures can facilitate the correct identification and removal of trojans.

    3.
    The supplementary use of "weak" signatures taken from the resource section is also a good idea because it helps to detect compressed trojans. McAfee uses such signatures. Sometimes exclusively (which is bad indeed).

    4.
    BOClean 4.10 uses "weak" text based signatures. Sometimes exclusively. I have not tried 4.11 yet.

    5.
    TrojanHunter's signatures are "weak", too. They are terribly big and not encrypted which makes the patching of trojans very easy. (This will change with Trojan Hunter 4.)

    6.
    Kaspersky uses "strong" signatures taken from the code section. However, the signature database has been cracked and most signatures have been made publicly available (i.e., it is relatively easy to patch a trojan so that Kaspersky cannot detect it). Moreover, AV scanners do not have a sophisticated memory scanner. If you compress a trojan with a compressor like Armadillo an AV scanner will not be able to detect it (unless it uses weak signatures taken from the resource section like McAfee).

    7.
    In summary, I believe that the signature quality and detection rates of TDS are not too bad compared to other AV or AT scanners.

    8.
    IMHO the main weakness of TDS is currently its limited ability to scan the memory for DLL trojans. There is apparently no heuristic detection for DLL trojans and, actually, I doubt that there is a full (!) module scan at all. This will hopefully change after the release of TDS-4.

    Again: according to my personal experience other AT/AV scanners are not better than TDS. We will probably have to wait for a quadrupled vapourware solution in order to feel safe ;-)

    See also hxxp://www.scheinsicherheit.netfirms.com/dll.htm
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When I see two-month-old threads and each time the same names involved, I get a feeling somebody is so addicted to TDS, turning it upside down and inside out and analysing every bit of code from it, at the same time losing and wasting all valid time to release their own product to show the whole world it can all be done much better.

    There have been discussions in the thread and because of the page mentioned, I leave that to the developers and techies who know. For the moment I just know the beasties mentioned are in the primaries list and detected, and I don't mind as a user if that is done with scanner A or B in my same TDS program, as long as things are detected at all somehow.
    One of its strengths is that it detects the sleeping giants, stops their execution, and there is no need to first get infected before they can be detected at all.
    Remember to read the 16 ways to smell a rat, which are several more ways by now.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Actually, there was mention of BEAST having some signatures like this. The problem is simply that those users don't understand the detection: there is a window name created by the trojan. This is ADDITIONAL detection no other scanner gives you, and you would be surprised how many trojan users don't edit this or any part of their trojan before sending it out.

    Because users are posting things about hex editing, maybe a few more attackers will change things like this. If they didn't post anything, the extra detection might well save someone's PC. But they do continue to post this stuff IN THE OPEN. It's just like posting the actual signature for an antivirus scanner.

    Remember, antivirus scanners have file only signature detection for a trojan. TDS has file signature(s), in memory signature, in this case a window object detection as well. More to edit to try to bypass detection means more hassle and LESS danger of being infected for our users.

    And after this, you can easily prevent ALL Beast infections by purchasing Process Guard :) The free version will go a little way to protect from injection - or at least TDS-3.EXE for example cannot be shut down, so you can scan memory and find it. Layered protection again :)
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Actually I missed a very good point :D

    SOME text strings CANNOT easily be edited and the trojan still functional. If the strings are part of the Client - Server protocol used for trojan USAGE, then these are actually quite ok to use for additional detection. The attacker would need to work a lot to get around this.
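    The layered scheme argued over in this thread (Andreas Haak's three criteria, Aguest's point that text strings should only supplement code-section signatures, and Gavin's point that protocol strings and window objects are hard to change without breaking the trojan), as an added Python example that is not code from this thread or from TDS, BOClean or any other vendor. The family name "Toyrat", the signature bytes, the protocol and cosmetic strings, the window title and the sample blobs are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Signature:
    family: str
    variant: str
    code_bytes: bytes          # "strong": bytes lifted from the code section
    protocol_strings: tuple    # text the client/server protocol depends on
    cosmetic_strings: tuple    # "weak": banners and author tags, easily re-labelled
    window_title: str          # runtime object an object/memory scan looks for

# Constructed signature set for a fictional family with two variants.
# Nothing here is taken from TDS, BOClean or any real malware.
SIGNATURES = (
    Signature("Toyrat", "a", b"\x55\x8b\xec\x6a\x00\x68\x10\x20\x40\x00",
              ("TRAT01 HELLO", "TRAT01 CMD"), ("Coded by nobody",), "toyrat_srv"),
    Signature("Toyrat", "b", b"\x55\x8b\xec\x6a\x01\x68\x30\x20\x40\x00",
              ("TRAT01 HELLO", "TRAT01 CMD"), ("Coded by nobody v2",), "toyrat_srv"),
)

@dataclass
class Verdict:
    family: Optional[str]      # None means "no detection"
    variant: Optional[str]     # None means "family hit only, variant unknown"
    signals: list = field(default_factory=list)

def scan_file(data: bytes, sigs=SIGNATURES) -> Verdict:
    """Rank signals by how hard they are to change without breaking the trojan.
    A code-section match names the exact variant (needed for correct cleaning).
    Protocol strings alone give a family-level hit, which is how a not-yet-
    signatured new build of a known family gets flagged early.  Cosmetic strings
    alone never produce a verdict: they are the easiest thing to re-label and
    the likeliest source of false positives, so they only corroborate."""
    best = Verdict(None, None)
    for sig in sigs:
        signals = []
        if sig.code_bytes in data:
            signals.append("code")
        if all(s.encode() in data for s in sig.protocol_strings):
            signals.append("protocol")
        if any(s.encode() in data for s in sig.cosmetic_strings):
            signals.append("cosmetic")
        if "code" in signals:
            return Verdict(sig.family, sig.variant, signals)
        if "protocol" in signals and best.family is None:
            best = Verdict(sig.family, None, signals)
        elif signals == ["cosmetic"] and best.family is None:
            best = Verdict(None, None, signals)   # recorded, not a detection
    return best

def scan_windows(window_titles, sigs=SIGNATURES) -> list:
    """Object-scan analogue: a running server that created its usual window is
    caught even if every file-based string was changed on disk."""
    return sorted({sig.family for sig in sigs if sig.window_title in window_titles})

def build_sample(code: bytes, protocol: tuple, cosmetic: str) -> bytes:
    """Constructed stand-in for an executable: fake header, strings, code."""
    strings = b"".join(s.encode() + b"\x00" for s in protocol)
    return b"MZ" + b"\x90" * 14 + strings + cosmetic.encode() + b"\x00" + code + b"\xc3"

# Constructed test inputs.
PROTO = ("TRAT01 HELLO", "TRAT01 CMD")
CODE_A = SIGNATURES[0].code_bytes
ORIGINAL = build_sample(CODE_A, PROTO, "Coded by nobody")
RELABELLED = build_sample(CODE_A, PROTO, "Hello world")          # only the banner differs
NEW_VARIANT = build_sample(b"\x55\x8b\xec\x83\xec\x20\xe8", PROTO, "")  # unknown code, same protocol
BENIGN_NOTE = b"Readme: this editor was Coded by nobody in particular.\n"

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("relabelled", RELABELLED),
                       ("new variant", NEW_VARIANT), ("benign note", BENIGN_NOTE)):
        print(f"{name:12} -> {scan_file(blob)}")
    print("windows      ->", scan_windows(["Untitled - Notepad", "toyrat_srv"]))
```

The re-labelled sample is still identified to the exact variant, the unknown build is flagged at family level through its protocol strings only, and the readme that merely quotes the banner yields no detection.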
     
  14. lichttraeger

    lichttraeger Guest

    Yes, that's one of the threads I also read. OK, I must mention that I also visit a kind of other trojan "information" boards; it seems that there they talk about how to use these things or so, and there I found a discussion about which anti-virus and anti-trojan product is the best, and also there (I think this was on this kind of board) I saw some posts of some guys who wrote that this TDS (sometimes) uses these text signatures. Then, I don't know if it was on a board or a simple site, I found a paper about the weak points of TDS, and for me it sounds, ehm, very strange: on the one hand, when searching boards about TDS at that time, I often saw postings that TDS is very powerful, but then postings and also a paper which describes these text signatures of TDS. I'm confused, and now Andreas Haak or the bguest@bguest.com who wrote that other scanners use weak signatures too. Should I wait for the next generation of scanners? Maybe the scanners nowadays are too old and the new ones have better techniques and also better and stronger signatures?

    I'm new as a registered member, but I sometimes visit this board too, because I want to find more info about the best anti-trojan scanner for me, so I have to visit some sites and boards. OK, so I saw in the last days (or was it weeks?) that this program named Process Guard has been released, but I think it was Andreas Haak, the same one who also posts here, who posted at dslboards (?) a kind of kill program for this new product, and then I read from the developers that the product is not really ready or finished, they will fix the bug. The program features sound interesting, but I want to have a good and safely running program, so I will better wait some days or weeks for the final version or something like that.
     
  15. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You can run the free version of Process Guard right now, and for the best AT, well, you should have read enough to make up your mind :D
    About the posts from A.H., he should have something better to do.
    Dolf
     
  16. Greetings, "Aguest" ... I don't see that Paul needs to answer this one, since he's not a "shill" for BOClean. That's why I appreciate very much his taking the effort to confirm what I had claimed prior since he certainly didn't need to.

    Let me first answer your question simply by saying Yes, Yes and YES. As I said earlier, "injection" is NOTHING NEW. It was being done as far back as 1997 although it wasn't until mid 1999 with "Back Orifice 2000" that a WORKING injector PLUS the "source code" necessary for everyone SINCE BO2K to do it appeared. "Injection" has been going on for YEARS. Of the over 14,000 trojans BOClean handles, probably about 2,000 of them involve injection of one sort or another. And YES, BOClean deals with ANYTHING that tries to run and removes it without having to reboot. Unless of course, the trojan itself is unstable and wedges the machine. Upon reboot, the system will have already been cleaned. Just wanted to get that out of the way and answer your question before I explain this hoopla a bit further and also explain why BOClean doesn't "fit the mold" that others seem to have cast us in. Given where this has gone too many times, I'd like to explain a few things in more detail. Sorry it's a bit long. There's a LOT to explain.

    About "injection:" Although there was "prior art" in the form of "zoo trojans," Back Orifice 2000 was the first popularly used backdoor with several "injection capabilities." Of course, DLL injection into another process, recently discovered by a couple of latter-day antitrojans was part of the feature, but in addition to the injection technique of attaching a DLL and running it inside another process, BO2K offered several OTHER features which apparently haven't been mentioned. BO2K provided "REMOTE THREAD attachment" which wasn't associated with a file, process, or DLL AT ALL! When it started, it expanded the size of another program running in memory (randomly chosen and NOT necessarily EXPLORER or IEXPLORE) and injected the entire memory image into the other program's memory and started running BO2K as a remote thread. There was NOTHING to detect! That technique is still used in many "undetectable trojans."

    In addition, BO2K modified the KERNEL ITSELF! By hooking certain API calls, it was able to patch the process, thread and memory allocation tables so that any plain old "process/memory scanner" wouldn't "see" the startup EXE. So in addition to the "DLL injection" we're hearing about as PR work by a couple of folks, there's far more serious "injections" that haven't been touched upon that have also been "de rigueur" for years. And a patched kernel gives up nothing without a DEEP memory scan. Then there's the issue of remote threading and of course MEMORY injection. BO2K was the basis of the BOClean 4.01 release back in 1999 which required, in addition to checking files associated with startups, very close examination of memory, threads and "objects." None of this is new and BOClean's done it for going on 5 years now.

    That all explained (hopefully - I don't want to give out assistance to the script kiddies by delving further) I'd like to also point out that lumping BOClean into the same barrel with any other "scanner" has served to obscure the whole point of BOClean's existence and WHY it's unique in its purpose and design.

    BOClean was created back when there were four trojans out there - Sockets de Troie, Master's Paradise (forerunner to NetBus), Hacker's Paradise and one other whose name eludes me right now. The major antivirus companies leaped right on them and classified them as common "viruses." Only Symantec missed them at first. When the ORIGINAL "Back Orifice" was released, we put out a free cleaner because even though the AV's *detected* Back Orifice, they were unable to STOP it, giving the "common Joe" obscure directions for editing the registry, rebooting and blowing up their machine in the process. With the ensuing panic at the time, we created a small little free utility that would STOP it and then eliminate it without any need to "turn geek." We called it "BO-Clean" ... we gave it away, and foolishly thought we were done.

    Then came "Agent" and "Acid Battery" and "Control" and "Girlfriend" and more every few days. Same situation - trojan took control and the AV smelled something funny but couldn't stop it. So we reworked BOClean and started swatting them down as an automated detect/kill/clean tool. Wayne and TDS came along within a few weeks of us doing it, and another antitrojan popped up a few weeks after that called "The Cleaner." We had to start charging for it at that point though as whenever it was "zero day" for something new, we had to throw money, people and time at it in order to keep up. It became FAR more work than we'd ever intended. :)

    BOClean was a stepchild of our other products, NSClean and IEClean which constituted our MAIN "business" and it wasn't until we were contacted by a couple of government agencies that wanted to know if we could make BOClean "completely automatic so that it could be installed on desktops where ordinary users wouldn't screw it up." The objective in the original design and "BOClean philosophy" remains the same today as a result of its original purpose, and its original users.

    The objective was to be VERY small (back in the days when 32 Megs of memory was "special") so that it could be run at all times. At the same time, there was the "we already have a virus scanner - we just want this thing to catch anything that gets PAST the scanner and destroy it immediately before it can do anything nasty" mentality of our customers. And in time, educational institutions had discovered that their students were breaking into administrative machines, so THEY wanted us to rework BOClean so that it could be made invisible and quietly destroy nasties and leave the kids believing they had been successful. And throughout, the PRIMARY goal for BOClean was to be unobtrusive, AUTOMATIC, and FOOLPROOF.

    Again, the logic was "we already HAVE a file scanner, and if only we could get people to USE it, there'd be no need for this." So by this deliberate choice, BOClean lacked a "scanner" because it was unnecessary, duplicative, and wasteful of precious resources. And of course, the average user wouldn't run it ANYWAY until AFTER they were infected. All our original customers wanted was that should a nasty take hold and get past the defenses, BOClean should stand there with the proverbial baseball bat and swat it down if it managed to run in the first place. A "second tier of security" as described in the RFP's we received. And more importantly, it was designed to be so minimal on resources that people wouldn't shut it off in order to regain memory. Some administrators also wanted it completely hidden so people wouldn't know it was there.

    As time trudged onward, the Antivirus companies finally began to take trojans and backdoors seriously and began to find means of at least trying to stop them BEFORE they ran (that big red screen in Norton for instance) but still, many leaked through and ran anyway. BOClean, sitting inside the lobby would break out the baseball bat and take 'em out. We didn't get to swing it often as the AV's got better and started to discover "packers" but the kids continued to elude the file scanners with file padding, encryption and flat out hex-patching (1999 as well).

    At many points in BOClean's history we considered as a result of demand by our "consumer users" adding a file scanner to BOClean. And every time we came close to doing so, the more we realized the utter futility of it all. And while there are many Anti-TROJAN scanners out there now, they've become so huge and demanding of user attention that the entire class has largely become a replication of antiviruses. Now folks routinely scan with an antivirus, then follow up with an antitrojan and still, every now and then something gets right past them by means of polymorphism, outright patching, custom packers and other means of elusion. And I'm not trying to denigrate file scanners by any means here, I'm just trying to explain why we chose NOT to.

    The REAL issue to OUR customers is unnecessary duplication of effort, bloat and the reality that if we included a file scanner and something got past it anyway, there'd be all sorts of wriggling and howling over it. Furthermore, antiviruses like Kaspersky, NOD32, and even Norton and McAfee have gotten PRETTY GOOD at catching the nasties as they come in the door unlike the earlier years. We deliberately chose to keep BOClean as that "second tier" that our larger customers demanded that we remain, and keep it small, and simple.

    BOClean is designed for the NON "computer rocket scientist" ... doesn't require puttering, doesn't require knowing what "double dots" means, doesn't require the end user to make a decision at all or to follow a regime of computer hygiene. The spread of the "worm du jour" is more than ample evidence that the grandparents or that political appointee in the corner office on the 20th floor are just not up to the task of scanning and interpreting, much less manually removing and editing the registry to shut down a nasty. That's what WE built BOClean for. System admins were delighted by a "don't bother me" utility that made them go away. Our company is run by a woman who is a VERY firm believer in "keep it simple, but make SURE it works."

    But yes, we do processes ... we do threads ... we do DLL's ... we do "injectors" ... we watch the KERNEL ... we shut nasties down instantly, no need for a reboot. If a particular program has gotten a dose of the plague, we'll try to remove the attached insect. If that's not practical, we'll CLOSE the program affected and remove it that way. If it wants to jump from one process to another, we can do that too. BOClean's objective is, and has always been, to "shut it down." Nothing more, nothing less.

    Forgive me Paul, and everybody else - Sorry for the history lesson, but it seems that other folks and their mindsets have distorted reality into a curvilinear surface. And our so-called "expert" has SO muddied the waters with defective interpretations that an explanation became necessary. Sometimes, SIMPLE is the best way. Hope this helps. Nighty! :)
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    You're most welcome Kevin.

    I for one always appreciate whenever a software developer joins in himself in order to clarify/correct statements concerning his own product ;).

    Take care and regards.

    paul
     
  18. Thanks for the kind words ... happened to be re-reading it as I discovered your comment. I only wish I had the TIME to come out and play more often ... coulda settled this a long time ago. Alas, my choices are:

    1. FIND nasties as they're released to do an update
    2. Do the lab work
    3. Answer email
    4. TRY to write new code
    5. sleep

    Kinda screws me for spare time. :)
     
  19. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Thanks Kevin.
    You should use that post as a 'Promo'. Great stuff.
    Best regards
    Tim
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes but giving people technical details gets far too long :) we could all go on forever about it and Kevin could make the longest post in history :D

    Customers are being satisfied and with good scanning and good support which is very important and we all here give them that. With the good AT teams around, and some pushing development (we are pushing hard) the attackers are on the back foot a bit which is what matters.
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the history lesson and your time Kevin, quite interesting read. Together with the other posting, valid for your sites!

    Hope this also answers questions about other parts written in this thread; I can just repeat there is nothing wrong with TDS databases and code, as Gavin has explained very clearly too.
    To all those anonymous guest names appearing each time all of a sudden when it comes to blackening serious developers (one asks why, as they seem so devoted to and addicted by TDS and other DCS products, they make it their whole lifestyle to miss not a single bit of it, and one can ask if it is all the time one and the same person writing with himself) I can just say: don't let yourself be blinded by two-month-old or even older discussions which have been solved and proven to be different in reality; better not lose your good name spreading the wrong stories.
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Since the issue has been done and dealt with, there's no need to keep this thread open.

    In case someone feels there are valid reasons to re-open this thread, please contact one of our global moderators or admins.

    Thread closed.

    regards.

    paul
     