Do scanners just provide an illusion of security?

Discussion in 'other anti-trojan software' started by Starrob, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Trojan Remover then informed me that I needed to reboot in order to remove Flux:
     

    Attached Files:

  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Upon rebooting everything started over again. I repeated the process listed above and even after rebooting a second time, Flux was still present. I downloaded fluxscan from www.emsisoft.com and it detected Flux 1.0.1 and removed it completely, even from Firefox (my default browser). I then rebooted and was alerted by Windows that aj4d43543df.exe (my designated filename for Flux) could not be found. I used a registry cleaner to remove all of the keys Flux was previously using and was finally clean again.

    Sorry Nigel, but it looks like you have some work ahead of you.
     

    Attached Files:

    Last edited: Nov 7, 2004
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I decided to test Trojan Hunter 4.0.
    I created a new server with the same settings as before and infected myself again. Trojan Hunter's memory scanner did not detect it, but the on-demand one did. It renamed Flux and basically had the same results Trojan Remover did. Like others have said, this is a serious problem.
     
  4. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    AJohn

    Appreciate your efforts in these experiments (and the risks.) ;)
    At this moment I am so pleased that I have both BOClean and a².
     
  5. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    That is a very begrudging admission.
     
  6. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    A picture says more than a thousand words :)
     

    Attached Files:

  7. You got mail :)
     
  8. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Where have you sent your mail to as I haven't received anything yet ;(
     
  9. Andreas Haak

    Andreas Haak Guest

  10. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Got it, thx ;)
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Nice big download with A2 today - but I can still make that cup of tea in the time it takes the Sigs to load!

    Could it be that A2 is in a state of flux! :D
     
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Well, it looks like the only ones that are able to detect and clean Flux are A2, BoClean, and Ewido. It is good that some developers have worked on the problem and developed ways to detect and clean this trojan, since it is so popular.


    Starrob

     
  13. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I believe that Trojan Remover is being worked on to remove Flux, and A2 does not yet remove Flux without its separate Flux cleaning utility.

    Edit:

    fish25, the newest version of Ewido with all available updates does detect Flux via the memory scanner, but does not remove it (like Trojan Hunter and Trojan Remover it claims to, but actually does not). I tested with the latest version of Flux (1.0.1) from Evil Eye Software. Here is a screen shot with the settings I used:
     

    Attached Files:

    • 1.JPG
    Last edited: Nov 8, 2004
  14. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    We're working on a generic way to remove persistent malware; that's why cleaning of Flux is not possible yet (when the server was built with the option "Persistent server" turned on), but as you get the full path of the server, manual removal is very easy ;)
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    Same problem here with latest update. Sigs are very slow to load.
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    You guys are not alone; they definitely need to do something about the slow def load.

    bigc
     
  17. mountainman

    mountainman Guest

    It takes 19 seconds to load the sigs with A2 after I select "scan your computer for malware infections" on my computer. That doesn't seem too bad for a free program.
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    50 seconds here.
     
  19. Andreas Haak

    Andreas Haak Guest

    2.5 ;)

    But we decided to backport the whole engine (maybe tomorrow), so you will get a much higher signature count and better performance, soon.
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    Looking forward to it Andreas. :)
     
  21. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I assume you guys are talking in seconds, right? I am at 3 and 1/2 minutes here. Not acceptable even for a free scanner.
     
  22. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    I swear to you...eight seconds (as in 8 seconds). No pulling long-bows, no porky-pies...8 seconds.

    XP SP2

    I'll just do a quick edit here to say it wasn't always like that (v1.2) but it sure is now!
     
    Last edited: Nov 8, 2004
  23. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    "Persistent server" is for the most part the only reason people use Flux. If people didn't want that option they would most likely use something like Sub7, Optix or NetBus. "Persistent server" is why Flux is such a big threat. I could not picture someone infecting someone else with Flux and not having that option turned on.
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Thanks for doing the testing, AJohn. Many times developers will make certain claims that their software will do this or that, and sometimes those claims are not true. That is why I hope that there will eventually be more independent testing done of both AV and AT developers' claims. Nautilus does some testing of ATs, but I wish there were more doing this type of service.

    Sometimes the developers will come on forums making claims that may not be true because marketing concerns over-ride actually putting out a product that actually does what it claims.

    I will say that I have yet to look at A2 as a product but I will test it after I return home to the USA from Indonesia.

    As for BoClean, I have great respect for them because I have rarely, if ever, seen them make claims that they don't support. Also, if a flaw is found in their product they don't engage in arguing about it on different forums like I have seen some developers do. They simply fix it and then make their claims that they fixed whatever the problem is.

    I have great respect for Ewido too. No AT product is without flaws, but I have not seen the representative from Ewido make claims about their product that are far beyond what the product can do. Fish25 usually only makes comments after whatever flaw or problem is found in the product is fixed, or he will admit the problem and simply say we are working on it. No excess marketing or comments....this I like. I don't like to be marketed to. I prefer companies that simply put out good products.

    Ewido is on my favorites list along with BoClean, even though I am not a current user of BoClean. As for A2....they actually just got on my radar screen. I will follow what they are doing. They may be onto something, because they seemed to attack the problem with Flux a bit faster than others.

    I try to keep aware of the most dangerous threats out there even though I am an amateur at computer security. I would have thought that as soon as Flux made its appearance and started becoming the favorite trojan, AT companies would really be out in front making solutions to this problem.

    I started this thread to make other users aware that Flux was not being dealt with very quickly by the AT companies so far. I knew that once users are aware of this threat they would use more care, and also maybe many might start demanding that their favorite AT provide some type of protection.

    Kudos to the AT companies that are responding.


    Starrob

     
  25. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    It seems like no one has implemented removal of Flux, because it makes the scanning process a lot slower. I wonder if there is a way to remove Flux that would be able to be used against a wide variety of other trojans also. If they were to include removal of every trojan that all used different methods, it might be a little too much for people that don't even have the infection. One product that I view as an exception to this is Trojan Remover, since its whole purpose is to actually detect *and remove* the trojans. I think Trojan Remover's method of detection is great for things like this that require special removal.
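
Putting peter.ewido's point (post 14: once you have the full path of the server, manual removal is easy) and AJohn's question above (post 25: a removal method that works for a wide variety of trojans) into working code, as an added example that is not part of the thread and not code from any of the scanners discussed. It is Python, run offline against a constructed regedit export, process list and file list; on a real machine the same checks would be made against the live Run keys, process table and file system. Only the server filename aj4d43543df.exe comes from the thread; the directory, the value names, the other autostart entries and the choice of registry keys are assumptions. The steps come out in the order the thread's failures suggest: stop the running server first (the posters' scanners renamed the file while it was running, and it was back after reboot), then remove the autostart values, then the file; a separate check lists autostart values whose executable is already gone, which is what produced the "could not be found" message AJohn saw at logon after the file was removed but the keys were not.

```python
"""
Plan the manual removal of a self-restoring ("persistent") trojan server.

Added example for this thread; it is not code from any scanner discussed
here. All input is constructed: the regedit export, the process list and
the list of files on disk below are inline sample data.
"""
import ntpath
import re

# Autostart locations checked by this example (assumption: enough for the
# demonstration; a real clean-up would cover more locations).
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
_KEYS_LOWER = {k.lower() for k in AUTOSTART_KEYS}

# Only the filename aj4d43543df.exe comes from the thread; the directory,
# the value names and the other entries are assumptions.
SERVER = r"C:\WINDOWS\system32\aj4d43543df.exe"

# Constructed regedit 5.00 export of the Run keys on the infected box.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"System Update"="\"C:\\WINDOWS\\system32\\aj4d43543df.exe\" -boot"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"winupd"="C:\\WINDOWS\\system32\\aj4d43543df.exe"
'''


def _unescape(s):
    # In a .reg export a backslash-escaped character stands for itself
    # ("\\" is one backslash, "\"" is a literal quote).
    return re.sub(r"\\(.)", r"\1", s)


_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_autostart(reg_text):
    """Return (key, value_name, command_line) for each string value found
    under an autostart key in a regedit export."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in _KEYS_LOWER:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def exe_from_cmdline(cmd):
    """Extract the executable path from a Run-key command line, which may be
    quoted, carry arguments, or contain unquoted spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def _norm(path):
    # Case-insensitive comparison, as the Windows file system does it.
    return ntpath.normcase(ntpath.normpath(path))


def plan_removal(server_path, reg_text, running, files_present):
    """Given the server's full path, list the autostart entries that launch
    it and the removal steps in the order they must happen: process first,
    then registry values, then the file."""
    target = _norm(server_path)
    hits = [(k, n, c) for k, n, c in parse_autostart(reg_text)
            if _norm(exe_from_cmdline(c)) == target]
    steps = []
    if target in {_norm(p) for p in running}:
        steps.append(f"terminate process {server_path}")
    for key, name, _ in hits:
        steps.append(f'delete value "{name}" under [{key}]')
    if target in {_norm(p) for p in files_present}:
        steps.append(f"delete file {server_path}")
    return hits, steps


def find_dangling(reg_text, files_present):
    """Autostart entries whose executable is gone: after a partial clean
    these are what makes Windows report the file as not found at logon."""
    present = {_norm(p) for p in files_present}
    return [(k, n, c) for k, n, c in parse_autostart(reg_text)
            if _norm(exe_from_cmdline(c)) not in present]


if __name__ == "__main__":
    running = [r"C:\WINDOWS\explorer.exe", SERVER]
    on_disk = [SERVER, r"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe",
               r"C:\Program Files\MSN Messenger\msnmsgr.exe"]
    hits, steps = plan_removal(SERVER, SAMPLE_REG, running, on_disk)
    for step in steps:
        print(step)
    # The same box after the file was deleted but the keys were left behind:
    for key, name, cmd in find_dangling(SAMPLE_REG, on_disk[1:]):
        print(f'stale autostart: "{name}" under [{key}] -> {cmd}')
```

The matching is done on the executable path rather than on the value name, which is why it generalises beyond one trojan: any server that starts from these keys, whatever it calls itself, is found from its path alone, and the stale-entry check is the same for every leftover the page's posters hit after a rename or delete.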
     