Boclean Advantage

Discussion in 'other anti-trojan software' started by chaos16, Jun 5, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    mercurie?


    Nice MOTTO :D

    I see we are on da same page

    But I hope you know there is more ;)

    Bruce
     
  2. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Yes Controler. I understand. By the way I like your new avatar. :)
     
  3. controler

    controler Guest

    For the disbelieving I want & need to point out
    Artifacts are not just jokes

    The runestone is now linked to the Knights Templars.

    Wow to those that thought Columbus found the new world. NOT it was the Vikings

    I don't say what they did was all good. Taking villages and killing babies but I will tell you the Romans feared them. I will tell you they did go where none dared.

    Now it is becoming evident they went on crusades with the Goths, Templars.
    I would have loved to have been in that pact LOL

    ALL I have is memories about WW II & its heroes

    The Red Bull

    You may think this has nothing to do with computer security but guess again


    I am one of the new generation RED BULL

    Yes I am of Viking descent

    So as you know not much scares me LOL


    Hearty Hugs

    controler
     
  4. -ntl-

    -ntl- Guest

    I have checked this issue with Erazer Lite 0.2.

    I can confirm that the signature is weak insofar as it is not code-based (i.e., you do not require patching skills in order to change it). But this has already been mentioned in our BOClean report.

    Currently, it seems that there is no scanner using code-based signatures which is bullet-proof. For instance, Kaspersky may (sometimes) use code-based sigs but it suffers from the OEP change vulnerability, the rebasing vulnerability, the code permutation vulnerability, etc. pp. And it does not offer a memory scanner and, therefore, can be easily outfoxed with packers like Armadillo.

    The concept behind Ewido (strong code-based sigs, FULL memory scanner instead of a process scanner like BOC) looks good. But it still needs to be properly implemented.

    In summary, I believe it is still justified to recommend BOC (despite our many reservations and also taking into account the many advantages of BOC's lightweight concept). What I would like to see is a FULL memory scanner (covering also DLL and code injections) and perhaps an IDS.
     
  5. controler

    controler Guest

    I love guests posts :D

    Don't you think the old TDS-3 looks at code besides sigs?

    It is coming down to software like Deepfreeze, Shadowuser etc.?

    Why? well because after reboot all is back to normal.

    This means install it on a fresh reformat with your security software in place.

    We can go into the diff between the diff software if you like.

    I for one am looking at a system with RAMDisk along with a snapshot program

    I really don't think reformatting every day is a good thing.

    controler
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hey Naut,

    Your lips did not even pass my mind when I made the post :D But since your ears are ringing, :p I agree Andreas is doing a great job on the IDS and Ewido is getting to be a top notch AV and even one of the best for all the new hijackers.

    Hang in there..I am still not convinced the SUITEs that are out there are the way to go..but those layers do help.

    Don't worry about the gunner..I am not really Primrose either :ninja:
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    The problem with products like DeepFreeze:

    1) A keylogger is installed.
    2) The keylogger successfully captures and sends important data.
    3) User does not know this.
    4) User reboots DeepFreeze and all evidence is gone. User is unaware that any infection ever occurred.
    5) User is sunk.

    It is sometimes as important to know what type of intrusion has occurred as it is to get rid of the intrusion. This is why automatically rebooting, reformatting, etc. is not always adequate. The nature of the "crime" must be understood if at all possible.

    Rich
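The evidence-loss problem Rich describes (the reboot that discards the keylogger also discards any record of what it did) is reduced by writing the session's security events somewhere the freeze does not cover, such as a committed folder or a remote collector, in a form that makes later tampering visible. The Python simulation below is an added example, not code from this thread or from Deep Freeze or any other product named here; the frozen and thawed directories, the sample events and the hash-chained log format are all constructed for illustration.

```python
import hashlib, json, os, shutil, tempfile

# Constructed sample events from one "frozen" session; the process name is hypothetical.
SAMPLE_EVENTS = [
    {"time": "2005-06-05T10:02:11", "proc": "keylog.exe", "action": "keyboard hook installed"},
    {"time": "2005-06-05T10:09:40", "proc": "keylog.exe", "action": "outbound connection"},
]

def entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def record_event(log_path, event):
    """Append one JSON line whose hash covers the previous line's hash, so later edits are detectable."""
    prev = "0" * 64  # chain starts from a fixed genesis value
    if os.path.exists(log_path):
        with open(log_path) as f:
            prev = json.loads(f.read().splitlines()[-1])["hash"]
    entry = {"prev": prev, "event": event}
    entry["hash"] = entry_hash(entry)
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

def verify_chain(log_path):
    """Return (entries_read, chain_intact); a missing log reads as empty."""
    if not os.path.exists(log_path):
        return 0, True
    prev, count = "0" * 64, 0
    with open(log_path) as f:
        for line in f:
            entry = json.loads(line)
            claimed = entry.pop("hash")
            if entry["prev"] != prev or entry_hash(entry) != claimed:
                return count, False
            prev, count = claimed, count + 1
    return count, True

def simulate_frozen_session(events):
    """Log to both volumes, 'reboot' by discarding the frozen one, and report what survives."""
    root = tempfile.mkdtemp()
    frozen, thawed = tempfile.mkdtemp(dir=root), tempfile.mkdtemp(dir=root)
    flog, tlog = os.path.join(frozen, "security.log"), os.path.join(thawed, "security.log")
    for ev in events:
        record_event(flog, ev)  # on the frozen system volume: lost on reboot
        record_event(tlog, ev)  # on a thawed/committed location: survives reboot
    shutil.rmtree(frozen)
    os.makedirs(frozen)  # the reboot: the frozen volume is back to its clean baseline
    result = {"frozen": verify_chain(flog), "thawed": verify_chain(tlog)}
    shutil.rmtree(root)
    return result
```

After the simulated reboot the frozen copy reports no entries at all, while the thawed copy still holds every event with its chain intact.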
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    richrf, are you sure about this?! I must admit that I have never used DeepFreeze, but this is the first that I have ever heard this. Are we sure that there is not another product or Trojan by the same name of "DeepFreeze"? Thanks.

    Acadia
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Acadia,

    To the best of my understanding (and I could stand corrected), DeepFreeze is sort of a "rollback" to a prior state after a reboot. So there is always the possibility that there is an intra-boot intrusion, which would be eradicated on re-boot, but there is still a window of opportunity for some malicious work to be performed.

    On Faronics site they state:

    "Eliminate All Viruses & Damage any virus that infects a Frozen computer is treated the same as any other change - eliminate yesterday's, today's and tomorrow's infections with every restart. Deep Freeze completely repairs virus damage."

    This implies that damage can be done, but eliminated.

    I am personally convinced that the only way to guarantee protection is to stop the malware from ever executing. If it ever gets a chance to execute, all bets are off. After that, it is about ease of cleaning and hoping nothing catastrophic has occurred.


    Rich
     
  10. controler

    controler Guest

    richrf

    Here is the deal

    When you reboot all is gone period

    This means any infection you incurred is gone on reboot.

    Next truth: YES you can get infected in current session.

    With PG U don't allow new drivers or services in your current session OF Deepfreeze- Shadowuser

    Now let's bring it to a new level by adding RAMDisk

    This would be your RAM

    I am using it now.

    controler
     
  11. controler

    controler Guest

    When using these programs (deepfreeze -Shadowuser)
    You will find your current security programs will need to be updated on every boot.

    Big deal right?

    Unless you either commit a file folder or full system.

    Deepfreeze only allows a single LIC for the standard version which I do NOT like.

    Drive Vaccine is a company that has a computer monitoring program besides its protection. I am not sure I like this either.

    Shadowuser is the most expensive of the three.

    Deepfreeze has a 60 day eval which is awesome.

    My advice is Deepfreeze is ok for the home user. Shadowuser is for users like us with more control.

    I am sure after my eval of Deepfreeze, they will offer the PRO version for the home user. @ least I would hope they do.

    con
     
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    When some go-back-in-time programs such as GoBack and FirstDefense, etc. literally put every sector of your hard drive back to what it was, how can any malware possibly survive?

    Acadia
     
  13. dog

    dog Guest

    We seem to have ventured slightly off-topic here. Which I recollect as BO Clean and/or the effectiveness of memory scanning. It would be nice if we could steer this thread back in that regard. If anyone wishes to continue down the other avenue, could we please start another thread with this new topic as the agenda.

    Thanks

    Steve
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Acadia,

    I am sure the malware cannot survive (even here there may be some esoteric holes, e.g. hiding in EPROM and all that stuff). However, it is possible that the malware did some really malicious work, before the system was rolled back, without the user ever knowing it. There lies the problem. Not only is there an intra-session vulnerability, but by restoring the system to a previous state, it destroys all evidence. The user will be totally unaware that security has been breached (maybe an important userid/password) and their assets have been compromised.

    I think these types of solutions work best in a school/library environment (where they are marketed) where there are no real privacy issues at stake - unless the student is doing financial transactions in school. :)

    Rich

    P.S. Sorry we went off thread. I wrote this before I saw the prior message.
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I realise this is an old review of BoClean. But I wonder if the comment that it can be easily knocked by certain trojans and the criticism of its lack of a scanner are still valid? http://www.anti-trojan-software-reviews.com/review-boclean.htm
     
  16. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Comment anyone? As I am considering a purchase.
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There are valid points on both sides of the file scanning argument. BOClean's argument is that it's too easy to subvert, giving too much of a false sense of security, and generally accompanied by a weak memory scanner. I've been considering BOClean as well, if it weren't for the compatibility issue with PG I would probably already have it. If you want the best of both worlds, you could use BOClean for the memory scanning and Ewido free for file scanning.

    If you decide to go for it, you might check out newegg.com ;)
     
  18. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Wow, that's a pretty good price, I would never have guessed that NE sold BOclean, thanks for the heads up.
     
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I was more interested in the reviewer's claim in my previous post that BoClean was easy to knock out. I would appreciate comments on the review. Link is provided in previous post.
     
  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Matt_Smi,

    The complications with going through NewEgg are that
    • Being a bulk licenser/reseller, refund policy will be determined by them, not PSC.
    • It will take some additional time to get into the PSC database of valid users. It will happen, it just won't be instantaneous and it depends on NE's process timing
    • Extended download options probably won't be available. Usually not a major problem, but it can be a convenience during a new release
    For other items (upgrades, etc.), coverage is the same. See here for additional information. My recommendation would be to buy directly from PSC - a little more $, much more flexibility in 1st 30 days, additional options down the road - to me it was worth the extra cash on my second purchase.

    Blue
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I guess that I view being able to control processes at the keyboard using standard OS protocols and being able to knock out a process are different. End result is the same, but the malicious process needs to launch and run before it can accomplish that objective. Pragmatically, I don't see it as being a significant issue.

    Blue
     
  22. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Thank You.
     
  23. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Regarding the Photoshop work.

    Not only is Boclean paused as we know for certain. But if Boclean and Ewido both caught something at the same exact time your computer would explode, and undoubtedly your hair would catch fire. :D Ewido and A2 (and others) of course will catch it before BOclean and we know why.

    It really is time for a real, truly impartial on access comparison instead of these terrible fairytale on demand tests which are really a comparison of unpacking ability.... I digress.

    By the by, Avast (who does poorly on the on exlax tests) catches stuff before ewido and a2 via the webshield :p No doubt a2 would catch it next then boclean etc. Let me know if you'd like photoshops.
     
  24. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    I see this as Blue does...stick with PSC for your purchase.
     
  25. -ntl-

    -ntl- Guest

    "I was more interested in the reviewers claim in my previous post that BoClean was easy to knock out. I would appreciate comments on the review. Link is provided in previous post."

    Almost all ATs can be easily knocked out in one way or the other (unless they are protected with an application like Process Guard and/or RegDefend).

    BOClean: see http://scheinsicherheit.sc.funpic.de/boclean.htm
    Ewido and A2: see http://illusivesecurity.il.funpic.de/viewtopic.php?t=77

    In my opinion, knock-out/termination protection is not the most important feature of an AT. Other features like the quality of the memory scanner, proactive intrusion detection, ease of use, quality of signatures, speed, stability etc. are more decisive.

    I believe that the principle of layered security is generally promoted in this forum: the termination risk (and more important threats like DLL or code injections, the installation of services etc.) do not need to be covered by the AV/AT layer or the personal firewall layer. Such threats should be covered by the system firewall layer.
     