Do scanners just provide an illusion of security?

Discussion in 'other anti-trojan software' started by Starrob, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Sure, but you Guys are looking for 100% safety I assume and that ain't gonna happen. I'd rather have Process Guard/SSM than not.

    So far, because I've set up defenses - Browser and secondary (firewalls, Proxomitron and scanners), well enough, I have had no problems for something like 2 and a half years running XP. 99% of the time, what I've stopped are annoying behaviors of "legit" apps and sometimes of Windows using SSM.

    Regards - Charles
     
  2. Andreas Haak

    Andreas Haak Guest

    Well, the main problem of running the scan in the background is performance. In fact the guard would eat up all your resources, because to detect Flux you have to scan the WHOLE process memory (up to 2 GB) instead of just the memory used by the module images. But I will try to find a solution for that and release an update soon.
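    To illustrate the cost Andreas describes, here is an added example (not code from the thread or from any product mentioned in it): a minimal signature scan over a process's memory regions, comparing an "image regions only" policy with the "every committed region" policy needed to catch code that lives outside any module. The region records, memory contents and signature are constructed inline; the constants mirror the Windows MEMORY_BASIC_INFORMATION values, but no real process is inspected.

```python
from dataclasses import dataclass

# Windows memory-region constants (values as documented for MEMORY_BASIC_INFORMATION).
MEM_COMMIT = 0x1000
MEM_IMAGE = 0x1000000      # backed by a loaded module file (EXE/DLL)
MEM_MAPPED = 0x40000       # file mapping / section
MEM_PRIVATE = 0x20000      # heap, stacks, VirtualAlloc'd memory
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_READWRITE = 0x04

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    mem_type: int
    protect: int

# Hypothetical byte pattern standing in for a backdoor's code signature (constructed).
SIGNATURE = b"\xde\xad\xbe\xef\x13\x37"

# Constructed process: one module image, a heap, and a private executable region
# holding a thread body that belongs to no module on disk (the Flux-style case).
REGIONS = [
    Region(0x00400000, 0x8000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ),
    Region(0x00500000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),
    Region(0x00600000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
]
MEMORY = {  # constructed contents, keyed by region base
    0x00400000: b"\x55\x8b\xec" + b"\x90" * 0x7FFD,
    0x00500000: b"\x00" * 0x10000,
    0x00600000: b"\xcc" * 0x200 + SIGNATURE + b"\xcc" * (0x1000 - 0x200 - len(SIGNATURE)),
}

def read_region(region):
    """Stand-in for ReadProcessMemory over the constructed snapshot."""
    return MEMORY[region.base]

def scan(regions, policy, read=read_region):
    """Return (bases with a hit, bytes scanned) for committed regions the policy selects."""
    hits, scanned = [], 0
    for r in regions:
        if r.state != MEM_COMMIT or not policy(r):
            continue
        data = read(r)
        scanned += len(data)
        if SIGNATURE in data:
            hits.append(r.base)
    return hits, scanned

def images_only(r):       # cheap guard: only module images
    return r.mem_type == MEM_IMAGE

def all_committed(r):     # full scan: every committed region, whatever its type
    return True
```

    The image-only policy reads 32 KB and misses the private executable region; the full policy finds it but has to read every committed byte, which is the slowdown a background guard pays on a real 2 GB address space.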
     
  3. Andreas Haak

    Andreas Haak Guest

    Well, many tools actually detect the loader. But the main problem is that Flux has a "persistent server" option. That means Flux will recover the server as soon as it's deleted. So as long as Flux is still active in memory, cleaning is quite hard (or even impossible).

    Don't know if Trojan Remover detects Flux in memory, because I don't know if the trial on their homepage is up to date and has all features like memory scanning. But the trial definitely doesn't detect it in memory - only the loader that is recovered automatically by Flux each time you delete it.

    And by the way - it's http://www.simplysup.com ;).
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Yeah I meant simplysup, thank you. As far as I know Trojan Remover scans everything but the memory and does detect Flux 1.0.1 and can reboot in DOS and automatically remove it for you.
     
    Last edited: Nov 5, 2004
  5. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I do realize this, and nothing in my previous post would suggest that I am looking for 100% security. In fact the example is highly more probable than you might think. There are already numerous sites which have uploaded legitimate files like that of themes, screensavers, wallpaper etc. and wrapped them with adware. If you install such a file in learning mode of ProcessGuard or allow installation of these files (via user interaction) with ProcessGuard or SSM you could also potentially be installing something you don't want. And this is just an example of the adware threat.

    Exactly. Can you attribute your 99% success rate purely to the fact you use SSM? I would think not. At this point in time the behavior detection method is just not refined enough to determine which behaviors are malicious and which are not. BUT in the right hands it does make for a VERY nice complement to signature detection methods.

    I see, that is a very legitimate concern and dilemma :doubt:
    Best of luck in your efforts, continue the great work :)

    I am not sure I completely understand...
    Trojan Remover will reboot the computer into DOS (before windows) and remove the infection that it detected in the previous windows session? After this reboot Flux does not reappear?

    And how is it that Trojan Remover will detect compressed versions of Flux without scanning the memory?
     
  6. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I am just stating what I know and giving you some more options that you might not be aware of. Here is some info:

    I am not sure about it detecting packed versions since it doesn't seem to scan the memory, but it is possible that it would still detect it. Maybe someone could update us on this.
     
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    So, as of right now, are there only two or possibly three scanners out there that provide real protection against Flux?


    Starrob
     
  8. You are wrong ;).

    Trojan Remover would only do that if a nastie is memory resident. But the Flux loader (that is detected) isn't memory resident at all, because the "real" backdoor doesn't need an "own" process. The Flux executable will just create the threads according to its configuration and quit.

    So if Trojan Remover finds the loader it tries to clean it and succeeds, because the loader isn't active and can be simply deleted by Trojan Remover. But Trojan Remover misses the fact that the loader is instantly restored once it was deleted.

    Maybe it would work if you start in safe mode for cleaning Flux, or you can use our Flux scanner first to deactivate Flux and clean the loader using your preferred anti-malware tool - as we suggest ;).
     
  9. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Well, so far...the makers of A2 are the only vendor that has responded to this thread. For a while A2 has been off of my radar screen because the product was being so slowly developed.

    It is just now starting to come on to my radar screen. I am interested in the direction this product goes.


    Starrob


     
  10. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I dont see why Trojan Remover would detect Flux if it cannot remove it.
     
  11. Andreas Haak

    Andreas Haak Guest

    Maybe they never took a close look at Flux. But detecting something without proper cleaning of it isn't that uncommon. Look at the thousands of hijackers. Most of them are detected by AntiVirus and AntiTrojan tools, but did you ever see one Anti-Malware tool that did a complete cleaning? If there were one, HijackThis wouldn't be necessary anymore ;).
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Yes, but Trojan Remover's entire purpose is to remove trojans. I do understand what you are saying though. I have emailed them and asked them to post here. Hopefully we can get some more information on this. Flux seems to be a very popular tool for script kiddies to use, as you have said; it's rather pathetic no one "wants" to deal with it.

    Edit: Interesting link I came by:

    http://download.broadbandmedic.com/
    Pocket KillBox looks like it might help people with Flux?
     

    Attached file: PKB.JPG
    Last edited: Nov 6, 2004
  13. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    BOClean detects Flux. Test it yourself.

    This is just another attempt at deceptive marketing.
     
  14. obvious

    obvious Guest

    That is the feeling I was having from the beginning...but hey, we all need to make a living, right?
     
  15. Andreas Haak

    Andreas Haak Guest

    Yeah, I tested it, it's detected in most cases :). Good news for BoClean users I guess ;).
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I understand that some lucky ones now find that A2 loads up its sigs quickly when they attempt to use it - with me things are still so bad I can go out and make a cup of tea while I'm waiting!
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    Still very slow for me also. xp sp2
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I had a slowdown too. xp sp2 too
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    still impressive all those updates, I think someone is working really hard down there :lol
     
  20. simplysup

    simplysup Guest

    Good morning Andreas :)

    I've been directed to this thread by one of our Users.

    Does Trojan Remover detect Flux? - well, I dang well hope so. If not, I'd love to receive any samples we do not detect.

    Can Trojan Remover remove Flux? - Yes. We do *not* examine running memory processes... - we look for a malicious file loading, and take action on that file - and any related processes - such that the loading file is disabled from loading after a Restart.

    If we are missing something, then please let me know... - we aren't competing - are we? :)

    Nigel
    Simply Super Software
     
  21. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Why do you say in most cases? Are there situations in which the BoClean scanner can be beaten but in which A2 can't? What makes A2 method of detection better than what BoClean is doing?

    I understand that you can't go very deep into specifics, but could you give a general overview of why A2's method of detection and cleaning is better than BoClean's regarding Flux?


    Starrob

     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Does anyone have any idea why most AT companies seemingly don't want to deal with this trojan? I would think that since this is relatively popular among the script kiddies, every AT on the planet would be falling over one another claiming how they both detect and clean Flux.

    Is this trojan harder to detect than other trojans? I read in a few places that to detect it the whole memory space would have to be scanned. I also read that performance of the scanner would also be slower. Is this the only reason that serious attempts at creating solutions for this trojan have not been developed (other than A2, BoClean, Trojan Remover)?

    So far only the A2 and Trojan Remover developers have made claims to detecting and removing the trojan. BoClean seems to be able to detect it, but they have not made that claim themselves.

    All other companies or users of other companies products seem to be relatively silent.


    Starrob
     
  23. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I do know that Ewido does not plan to detect it as of yet, because of the memory scan slowdown.

    Edit: I decided to test Trojan Remover against Flux 1.0.1 myself.

    I downloaded Flux 1.0.1 from Evil Eye Software and created a new server with the following settings:
     

    Attached file: flux.JPG
    Last edited: Nov 7, 2004
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I then rebooted with all of Trojan Removers options turned on. It detected Flux 1.0.1 in various registry keys. I have attached a screen shot of one of them:
     

  25. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Trojan Remover then notified me that I will need to run the full system scan to be able to remove Flux, so I did. It detected all of the same registry entries and I choose to "Prevent this program from running, and rename the program file" for all of them:
     
