Do scanners just provide an illusion of security?

Discussion in 'other anti-trojan software' started by Starrob, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Maybe scanners could be built allowing the user to decide whether to scan quickly for all other trojans or scan more slowly (a special scan mode for Flux only). It could include a warning that the scan for and removal of Flux would take a lot longer.

    Or maybe once a scanner detects flux on a system, it will give the option for a more thorough scanning with removal options.

    I don't know.... just ideas from an amateur.



    Starrob


     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I think AT (and AV) programs could monitor the file being deleted and replace it with a folder with the same filename. This would make the trojan think it doesn't need to replace itself and could then be terminated from memory. Then, afterwards the AT or AV could delete the folder. Is there something I am missing?
     
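    A small simulation of the placeholder idea from the post above, added here as an example and not code from any product mentioned in this thread: a watchdog thread stands in for the trojan's self-repair loop (re-dropping its file whenever it goes missing), and the cleaner deletes the file and occupies its name with a folder so the loop stays idle until the process is stopped. Everything is constructed (temporary directory, placeholder bytes); a real AT would hook file operations in the kernel rather than race in user mode.

    ```python
    import os
    import shutil
    import tempfile
    import threading
    import time

    # Constructed placeholder bytes; stands in for the dropped executable.
    PAYLOAD = b"constructed placeholder, not a real executable\n"


    def watchdog(path, stop, redrops):
        """Simulated self-repair: re-create the file whenever it is absent."""
        while not stop.is_set():
            if not os.path.exists(path):
                try:
                    with open(path, "wb") as f:
                        f.write(PAYLOAD)
                    redrops.append(time.time())
                except OSError:
                    pass  # the name is occupied by something we cannot overwrite
            time.sleep(0.01)


    def quarantine_with_placeholder(path, attempts=100):
        """Cleaner's move: delete the file, then occupy its name with a folder.
        Retries if the watchdog wins the race between remove and mkdir."""
        for _ in range(attempts):
            if os.path.isfile(path):
                os.remove(path)
            try:
                os.mkdir(path)  # exists() is now True, so the watchdog idles
                return True
            except FileExistsError:
                continue
        return False


    def run_simulation():
        tmp = tempfile.mkdtemp()
        path = os.path.join(tmp, "server.exe")
        with open(path, "wb") as f:
            f.write(PAYLOAD)
        stop, redrops = threading.Event(), []
        t = threading.Thread(target=watchdog, args=(path, stop, redrops))
        t.start()
        os.remove(path)                     # naive removal
        time.sleep(0.2)
        naive_restored = os.path.isfile(path)  # the watchdog put it back
        held = quarantine_with_placeholder(path)
        time.sleep(0.2)
        still_folder = os.path.isdir(path)  # re-drop blocked by the folder
        stop.set(); t.join()                # "terminate from memory"
        os.rmdir(path); shutil.rmtree(tmp)  # afterwards, delete the folder
        return {"naive_restored": naive_restored, "placeholder_held": held,
                "still_folder": still_folder, "redrops": len(redrops)}
    ```
    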
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    As I said before, we're working on something like that to remove malware that is really hard to remove... ;)

    Removal has nothing to do with detection and it does not make the scanning slower. Also, please keep in mind that ewido is currently the only scanner on the market that is able to get the filename of the flux-server, making it easy to remove it in safe mode etc.
    If someone really should get infected and is unable to clean it manually, our support will be pleased to help until the ewido clean-engine can do it ;)
     
    Last edited: Nov 9, 2004
  4. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Did anybody try KAV to remove Flux ?

    I have made a little experiment with my basic defence line: full version of Process Guard, KAV 5.0 Personal and Tiny 6 trial.
    When I downloaded the Flux installer, KAV already detected it, but I let him go and created a custom made server. Now, it was PG complaining about flux willing to modify Firefox and explorer.exe.
    After reboot, flux was already in the starting blocks, well installed in the registry etc, but wouldn't run because of Tiny blocking it from accessing process memory, trying to get system privileges (with VirtualProcEx) and accessing the restricted registry.
    KAV also showed up, detecting it at Windows startup. It also deleted all significant files after a complete system scan, leaving only some registry entries. Checked with Fluxscan from emsisoft, which did not detect anything more.
    After the next reboot the system was clean. I don't consider my system more secure than many others here at Wilder's, but with all those alerts popping up from PG, Tiny and KAV, it was impossible to get really hacked. Removing is another question though, it was OK for me but as I am not an experienced hacker I'm not sure if I attacked myself properly :)

    Isnogood
     
  5. moreprivacy

    moreprivacy Guest

    I think this thread is an excellent example of why we should be layering our security apps and not just rely on one single program to do it all. Having a few different anti-viruses, anti-trojans, anti-spyware and other programs can only help you even if you never really use them all, just having them as backups can really come in handy when you least expect it. ;)
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Last edited: Nov 10, 2004
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Until you disable PG to install some new software (as DCS recommends), then that nice new freeware package installs a private trojan build.
     
  8. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    You are right, Nameless. I did not disable PG when installing the flux server, and it was blocked from modifying other apps. Perhaps it was not installed properly then. Usually I don't disable PG in such cases, but I agree it can happen.
    Maybe I will do another try just out of curiosity with PG off at first.
    In fact, I wanted to place myself as an innocent user who downloads a seemingly useful app from the net and installs it. Suppose that app contains a flux or other trojan. What happens?
    It was blocked from starting properly after reboot anyway.

    By the way, I am impressed by Tiny which I am trialing now after testing many other firewalls around here. Pretty much security, even at default settings. Rather awkward, complicated and desperately slow GUI, but a superb security engine. Blocks all leak tests with ease, for example. In fact, Tiny + PG cover almost everything I need.

    Well, I just wanted to say that having a minimum defense line and some common sense you may feel relatively secure even with these new trojans.


    Isnogood
     