Has your real-time anti-trojan ever caught anything?

Discussion in 'other anti-trojan software' started by richrf, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    By other solutions, if you mean Anti-intrusion/execution protection - it would prevent an editor or "editserver" from unpacking/executing, making moot the point of bypassing an AT program.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are right. Otherwise AT would have already alerted you to an intrusion. Due to its limited scope (it mainly deals with trojans*) and acting as a supplement to AV only, it doesn't really help much, not to say at all, in real circumstances.

    Probably when someone would like to invade your system:
    - either it gets caught by your AV (this situation is what you can notice);
    - or the malware can pass both AV & AT without your notice.

    But in neither case does AT prove its efficiency.

    *AV and AS can handle more kinds effectively, not just limited to virus or spyware respectively.
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Hello Wai_Wai, thank you for your interest and comments my friend. ;) Basically all I have in mind is the common concept of layered security -- meaning, a malware might get by one layer {AV} but get caught by another {AT}. Yet another layer to add would be a resident antispyware {AS}. The more layers you have, the less the chance for success of the malware, because he has to: (1) avoid detection by several security programs, not just one; (2) terminate or kill several security monitors or processes {not just one} before they kill him first.

    That is why I run TH alongside NAV. ;) Permit me to clarify, I think trojan authors target KAV -- it has nothing to do with market share but with reputation and detection rate -- since if they can create a modified trojan to elude detection by KAV, almost surely the same modified malware will escape detection by all the other scanners. Really it is a "compliment" to KAV that trojan authors target it. ;) One gets the impression that it is a "trophy" of sorts, to be able to boast creation of a malware variant which {at least temporarily} goes undetected by KAV. Now, if KL gets their hands on a sample of said malware, chances are it will *not* go undetected for more than a few hours, heh :D -- KL responds *very* quickly to add sigs and KAV updates hourly. ;) Thanks again for your comments. ;)
     
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Norton, although established, is not really good. However, it has rebounded recently. See this test http://www.av-comparatives.org/seiten/ergebnisse_2005_02.php which tests their capabilities to detect ITW malware:
    - AVG.............86,03% (freebie)
    - Avast...........90,81% (freebie)
    - NOD32..........95,50%
    - Norton..........98,31%
    - Kaspersky......99,65%
    (Test in 2005)

    2 other products people may not notice are F-Secure and AntiVirenKit (AVK) (German only). They use multiple scanners and are KAV-based. They are more or less as good as KAV. So for some people, if you don't like KAV for whatever reasons except its performance (eg ugly interface, your system is not happy with KAV), you may wish to try them out.
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes it is one of them.
    For some others, you may look at my signature.
    By the way, since I have run too many security programs, I don't bother running AT anymore.
     
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for your reply too, buddy.
    I very much agree with your multi-layered protection approach. I'm doing the same too. What security software have you installed?

    I'm personally using 5 kinds of layers:
    - Anti-virus
    - Firewall
    - Anti-spyware
    - 2 kinds of system baseline programs (act as a safety net to take care of anything missed by AV, firewall and AS. If 1 program fails, another program can help too)

    As you see, I don't bother with AT since I think I have run too many. AT is going to be my last choice.


    But does an elusion from KAV guarantee an elusion from other AV too?
    It seems there are a lot of possibilities before reaching this conclusion.

    By the way, what I am sure of is that they tend to target Windows-based, IE-based, &/or OE-based attacks.
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Thank you for being fair; I don't want to get OT but I have a Gigabyte of collected malware that I have tested NAV on, I have submitted thousands of samples to SARC, and I am confident that NAV, although not perfect, is a good scanner, as your numbers testify here. NAV does not quite have Kaspersky's detection but then again, it doesn't have as many f.p. either. My experience has been that many of the reported "misses" by NAV are due to: (1) old engine being used; (2) confusion of terms, for example only engine version 10.0 and higher {home edition} will detect expanded threats like spyware, adware, dialers & keyloggers, etc. Several times I have gotten folks to send me samples of things they *thought* were undetected, I tested with the latest engine and signatures, guess what, they were mistaken. I am not saying all such public claims are bogus, but I do take them with a "grain of salt" unless I can test a sample and see with my own eyes that it is undetected with latest engine and sigs. JMHO .. ;) And even in the case of samples truly undetected, {and plenty of them do exist, I know} -- let me encourage everyone to take a few seconds to submit malware samples to vendors, it's not that hard to do, and doesn't require too much of your time, and in so doing, you can add to all our security, since it is in all our interest to improve detection -- not just for NAV but for all scanners of all vendors, it is good for us to work to improve detection. Thanks again Wai_Wai, Lord Bless! ;)
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    With rare exception, my thoughts would be *YES*, if they can elude KAV's detection they will probably be missed by the other scanners as well. Possibly McAfee, with strong generic sigs and good trojan detection, might flag some of them, but even McAfee doesn't keep up with KAV in trojan detection. ;)
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi guys,

    Maybe a new thread is needed regarding the overall usefulness of AV vs. ATs. I was hoping that this thread would concentrate on real-life experiences, so I and other forum members could quickly run down the thread and read other users' real-life experiences.

    Regards,
    Rich
     
  10. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I must have missed it but what program are you using to block the execution of the file?


    Starrob
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It's Anti-Executable, but Process Guard and other similar programs would do the same, I think.

    We should start a new thread if you want to continue talking about other ways of stopping trojans/viruses since it's getting away from Rich's original topic.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Forgot to tell my own experience.
    The answer is still negative.

    When I used to use AT (I tried several), they sat silently without producing any noise.
    Should I be happy or sad about that?
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I don't strictly believe those results, although many people quote them. I believe a large majority of malware is unknown and most can't be detected.

    It is part of the reason that KAV must update every hour or so....so many new detections and I think even KAV realizes that one day they might have a hard time keeping up. I heard KAV 6.0 will have behavior blocker/heuristics.

    There are even ways of evading heuristics, if one looks around enough. It is one of my beliefs that the best defense is education......but of course most people do not want to educate themselves on computer security.

    Despite what some people say, there is still a market for AT software, even though it is small. If there were no market then companies like Boclean would not exist.

    The reason why products like Anti-executable work for people like RMUS is because he appears to have educated himself and even if he does make a mistake he has backed it up with Deep-Freeze? (It is deep-freeze right?)

    Secondly I have seen no response to Chopper here: https://www.wilderssecurity.com/showthread.php?t=92178

    "the answer is no my friend !!! there are ways around this with the gold version !!!

    ch0pper

    hacker defender team"

    Now is this a scare tactic? Or does the hacker defender team know something that you don't know o_O

    I will say this: I do know a theoretical weakness in PG that I will not elaborate on because I am searching to see if there is a defense against it and also I don't and won't expose PG weaknesses publicly.

    I do know one thing....If an inexperienced amateur like me can go googling and find weaknesses in products then it is fairly easy for hackers to find these weaknesses.

    I know some people sit behind their defenses and think they are bulletproof but I have been told by more than a few vendors that nothing is bullet proof despite being advertised that way.

    Some people argue against AT's. Well AT's are nothing more than another tool. It is a specialized tool that some find useful and others don't.

    Some that think they are bulletproof because they use other tools might find a surprise one day if they are not using their head and they rely too much on their "tools" and not enough on their knowledge.

    All these "tools" have weaknesses.

    RMUS has a fairly strong set-up but even his set-up can be beaten if he does not use his head. Believe me....any security tool can be picked apart for its weaknesses and said to be not necessary.

    Even AVs have big weaknesses. I heard Holy Father does not use an AV. He probably does not use an AV because he is aware of its weaknesses. So, he probably never scans anything because he has enough specialized knowledge to disassemble programs and read their code and knows what is a danger and what is not. Perhaps he even uses Linux. Collecting that amount of specialized knowledge is an inconvenience for most people so most people opt to use Windows and AVs for convenience's sake.

    Some people opt to use ATs also for convenience's sake. In fact if I owned a business I might use a product like BoClean for convenience's sake. Maybe some of the HIPS products would cause too many "complications" with all of their alerts. An AT is an option and a viable option for some. For others it is not. If you feel you don't need it then don't use it but realize that for some people it might be a viable option....for one reason or another.



    Starrob
     
  15. controler

    controler Guest

    Hello Starrob

    You are trying to stay on top of things. Seems only you and RMUS even respond to my posts anymore.

    Yes Kevin does know the rootkit world as we know it.

    Also, I hope you don't think even the Holy father is immune to a hack.

    The basics tell me all you need is an IP address.

    Like you say, he is not completely the enemy or he would not broadcast his presence so much.

    How about we look at a reformat on a weekly basis? LOL

    con
     
  16. controler

    controler Guest

    Starrob

    I am happy you are on the right track.

    We look at motives

    Political

    WAR

    IGO

    You need to look at who you are dealing with.

    Is it GOV related?

    WE here at Wilders look at everything.

    Countries aside

    BUT


    YOU MUST REALIZE countries are at WAR!!!!!!!!!!!!!!!!!!

    and so is what you see what is really happening?

    PLease look at Broader pic.



    DO NOT look at AV comparatives

    USE UR GUT feelings

    YOU have MS haters

    YOu have UNIX haters

    JUst understand it doesn't matter which OS you choose, it is about your ROOTS.

    When all is said, it IS About your country and its allies.


    con
     
  17. Irrelevant.

    There's a good reason why there is no reply.

    How considerate of you. So what is your purpose for saying this? Are you trying to scare people? Or show off your knowledge? Or just illustrate the point that nothing is bulletproof?

    If an amateur like you can find it, you might as well just announce it. But you won't of course, because hinting that you know something the noobs here don't makes you feel powerful.

    Yes, we really need a Vendor (professional/expert whatever) to tell us nothing is bullet proof! Have the standards here really dropped so low?

    In most places this would be stating the obvious, but in WSF this cannot be stated often enough. After all this is a place which gives users a false sense of security by praising all the virtues of security software and removes links to examples of tools that can defeat them.


    Oh yes and linux makes you unhackable.. Oh yes indeed :) A vendor told me this isn't true btw.
     
  18. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Ho-hum.

    I am looking to learn what I don't know. Do you know why no one will provide an answer to Chopper's claim?

    I sometimes suspect Controler might know but who really knows?


    Starrob
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Well I am glad that my surfing habits and AV are working well. :) I keep Ewido and/or BOClean running for peace of mind.

    Cya,
    Rich
     
  20. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Starrob

    Think for a second, if a vendor did respond to such a bold statement and maybe even saying that this particular vendor does in fact detect everything that this Hacker team sells.......

    The next thing that happens is someone.....well probably you ;), would be asking how exactly they do this!!!

    This will never happen, an intelligent guy like you would of course know why. In other words some of the answers you are seeking will never be answered.

    OT. I have had trojan detections with an AT more than three times, less than 10, all with the same AV, and no it wasn't Kaspersky.

    This is exactly what an AT should be bought for, a backup in case your AV fails. :)
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Don,

    A couple of quick questions if you don't mind. Were these encounters with trojans recent events? Were you doing normal browsing or were you on a "trojan hunting expedition" a la Blue's. Thanks.

    Rich
     
  22. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    No, this was just "normal" internet activity, if I were to announce every encounter, it would be more or less daily. ;)
     
  24. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Hi Rich,

    To answer your question no. My choice of AT (BOClean) has never caught a *nasty* on my machine. However, I am a safe surfer and don't hang out on porn/warez sites so that could be why. However the very few times that I was surfing and was hit with a problem, my AV (NOD32) stopped it completely.

    I still run BOClean as a backup, and plan to do so for the foreseeable future. It's there, it does its thing in the background, and it gives me peace of mind while I am on the internet.

    BTW, in just trying to dl the trojan simulator test, you can see how NOD32 reacted. ;) :D

    Jag
     

    Attached Files:

    • nod.JPG
      nod.JPG
      File size:
      25.8 KB
      Views:
      165
  25. He could ask, but the details would be beyond Starrob.

    But more importantly than that, given that hack defender gold is essentially private and constantly undergoing revision, trying to claim you can block it is like the "bulletproof" claim that Starrob so wisely showed to be foolish.
     
Thread Status:
Not open for further replies.