Info on eventual BOClean 5 upgrade

From the NSClean website:
http://www.nsclean.com/index.html

15Nov2003
Development for BOClean 5.xx commenced, establishing this (11/15/03) as the date after which all BOClean 4 series purchasers will qualify for a FREE upgrade to the feature-based BOClean 5 upgrade. Critical upgrades for the 2 and 4 series will be fulfilled (as necessary during this interim period) according to the current BOClean Maintenance Agreement.

http://www.nsclean.com/nancysnote.html



(Apologies to the Mods if this post belongs elsewhere.)

 

Optigrab, VERY interesting, thank you.

Acadia

 

Great News, Now I can consider getting BOClean.

 

More info straight from the horses mouth:

http://news.grc.com/news.exe?cmd=article&group=grc.security.software&item=92333&utag=

Acadia

 

I love Kevin, but I hardly ever know WTF he's talking about!

 

He does have his own unique style doesn't he. Or do all New Yawhkers talk like that?

Acadia

 

Heya Acadia,

BIG thanks for THAT link; I missed it

[hr]

Yeah, I love to read Kevin's postings

 

Well, I live just a couple hundred miles from Kevin, and I don't talk like that.

And for people who might want to (or already have) mentioned their interest in BOClean 5, here's a quote (one of many) from Kevin on it:

Good thing Kevin doesn't work in marketing! I love the honesty! And I agree with him 100%.

 

LOL, yes Kevin's aways had difficulty containing his uh..."enthusiasm" every time the issue of a BOClean on demand scanner has come up.

I must say that when I first downloaded BOClean I was stunned at how small the app is. Then delighted. No care and feeding required and it's well behaved: it stays out of my way and now even updates itself. Glad to see that BOClean 4 will remain viable.

 

me too, besides there's always a wealth of information hidden there? plus a sense of humor..

 

Well, gawrsh, THANKS, everybody! I guess I'm just a product of living out in the woods of upstate New York. Yes indeed, BOClean "4" as everyone's come to love it will "forever be wild" regardless of what we do - everything ELSE wouldn't require "runtime" ANYWAY. But for those who INSIST that we sniff at buggered files and find NOTHING until it runs, then fine - if that's what people want, we'll do it ... but the spirit of BOClean 4, if something gets past the file scanner, will still leap up and give it a solid biffing just the same.

Once the snow flies (as it has) then "cabin fever" (an incurable disease, only cured by death) sets in. In order to live in a remote area without becoming a "republican" one MUST have a sense of humor, and STILL watch cartoons every day on TV at the age of 54. "Life is what you MAKE it."

But in my continued childish jumping up and down before our wigs here, I still insist in Monty Python truism by inference, based on "Argument Clinic" ...

"FILE SCANNER? You bloody Scots GIT, you've already got one."

"No I haven't, I need ANOTHER program to rescan what I've juist scanned" ...

"No you don't!"

"Yes I do!"

... continuing to spiral from Monty Python into Laurel and Hardy ... I guess my mentality is my own fault here - I'm used to dealing with digital terrorists ... instead, I perceive the exterior goings-on as schoolboys doing pratfalls. It's *so* boring.

So PLEASE excuse my flippant attitudes, I'm just so tired of it all ... FORTUNATELY, here where *I* work, they appreciate my freedom to say what I think, even if it's embarassing. And in "Uh-merica" lately, that's SOME SERIOUS freedom! After all, one's BOOT is the only truly politically correct orifice.

Seriously though ... as I posted elsewhere ...

My "ridicule" is based solely on the perpetual harping on "it's GOTTA
have a file scanner" and my own attitude of "fer KRIMMINY'S SAKE! You've
GOT a file scanner already, it's your ANTIVIRUS. What good did it do ya?"
99% of the time, it's already caught the critter before it even gets
written to the hard drive. BOClean's there for that other 1% ...

I wrote a little diatribe earlier on DSL Reports, but it's a needle in a
haystack at this point, page six on this link:

http://www.dslreports.com/forum/remark,8620641~mode=flat

I'll reproduce it here since you folks are actually INTERESTED in why I
did all that ranting and raving and am threatening to call it "BozoClean"
... fear not, Nancy will NEVER let me do that but *I* think it's a catchy
name that will finally put us out of business.

The article is about virus tests, how useful they may or may not be, and
one of the diversions in the thread turned to why antitrojans don't detect
the clients and editservers unless they too are malicious. My response was
as follows:

-------- rant mode ON! ------------

The PROBLEM with "file scanning" is that there are just TOO many ways of
getting around them. It's not so much that the AV's aren't doing their job
- they genuinely ARE. And if a nasty gets into a machine with the DEFAULT
format as generated by the editserver, or they use something like UPX,
Aspack and such, there ARE "unpackers" which are part of the HUGE
collection of DLL files included in the file scanners out there. With any
such modifications, they WILL be detected at the file level successfully.

The PROBLEM is that there are a number of techniques that can cause the
unpacking to fail or to fool it. There are other techniques which cause a
file that has been successfully unpacked to slip right by. This comes down
to the "AV mindset" which hasn't changed much since the 1980's.

Back in the "golden age of viruses," a virus would attach itself to the
*END* of a file, then alter the init "entry point" to do a JUMP to the
viral code which would execute first, then point back to the ORIGINAL
entry point. It was *so* easy. As the number of viruses got larger and
larger over time, the AV's found themselves getting VERY slow in scanning
the WHOLE file. So in order to increase scan speed, they began cheating
since viruses almost always would provide a pointer to the end of the file
anyway.

They'd just scan the last X number of bytes at the END of the file and if
a match occurred, "Y virus detected!" It was fast, efficient and workable.
As viruses became more sophisticated, the authors began adding junk at the
end of the file, and this resulted in throwing off the AV's which were
designed to count back X bytes and scan. This worked well since viruses
could attach to any number of files of varying size, so the "back count"
became the "modus operendi." If the match code wasn't at that location,
they'd slip by. So over time, the AV's had to find an alternative to "scan
at a fixed location" without resorting back to the "scan whole file" that
was obsolete.

The "magic" involved finding that "entry point" and doing a CRC, or an
MD5 hash of a swatch of data at the "entry point" using a "pattern match"
or "signature" to match definitions against the suspect data. Compared to
a moving window match, this was fast and allowed some flexibility. Many
Antitrojan scanners use this "standard antivirus" technique as well.
However, once again, while viruses and worms tend to create and distribute
a "fixed pattern" in most cases, those who create and distribute "back
doors" (and now many of the "spyware" types as well) use techniques to
modify the data, change the sequences within the file, or "pad" the data
in order to "throw the dogs off the scent."

File scanning, whether done by an AV or an AT, is prone to this problem -
this is the reason for my comments (I've been involved in computers longer
than Bill Gates, so I've been along for the historical ride since the
beginning) as to file scanning and the efficacy of antiviruses in general.
"Trojans" are different. There are many tools which allow a nasty placed
on an individual computer TRULE unique, which is not the case for
mass-distributed nasties. "Customization" is the problem with many of
these where a particular "ne'er-do-well" assembles a special "server" for
a SPECIFIC target that is highly unique. Therein lies the difference.

I agree that it would be nice to hunt down the "client" applications, and
possibly the "edit servers" as well, but therein lies another issue. For
each and every "unique signature" you add to the definitions, the LONGER
it takes to compare each item against the totality of possibilities. Given
the dangers of keyloggers, password stealers and other "fast" trojans,
time is of the essence. Each comparison takes CPU time, and it is
cumulative. The more "signatures" you have, the longer it takes to parse
each "suspect." And faster CPU's doesn't change this fact - nasties run
faster as do the "chasers." And we've long since reached entropy on "short
cuts" to scan as fast as anyone is able to, so there's no new techniques
available for faster scanning. And as the number of definitions increase,
the longer it takes for each "sniff." Folks notice lags when they start
programs and I see frequent complaints about "slowdowns" by AV's. There's
why.

Thus, it comes down to keeping the number of definitions that must be
compared to the absolute minimum. To be able to cover as many "variants"
as possible with good solid "unique" definitions that can identify
variants, behavior patterns and such. And sadly, because so many "hacker
tools" and libraries are finding their way into a lot of recent software,
written by lazy programmers who use them rather than writing their own
code from scratch, heuristics tend to false alarm so frequently that many
of the time honored "heuristics" are falling by the wayside as a result of
legitimate software containing "bad code."

In our case with BOClean, that's the reason why we DELIBERATELY exclude
items that are not in and of themselves malicious, why we exclude many
worms and viruses that AV's can be COUNTED ON to detect long before WE get
a sniff at them, and why we don't cover clients or edit servers UNLESS
they contain a server WITHIN. Sadly, given the realities, speed is
everything in preventing nasties from performing their tasks.

Sorry for the long-winded diatribe - but there are reasons for why these
things are done the way they are. In our product, we leave the
file-scanning to others. We don't mind another product "grabbing the
glory" ... our purpose is simple: to get that which gets past the scanners
as a "last resort." That's also the reason behind many of my more colorful
comments about "bloat." The AV's and most AT's are VERY good at catching
nasties by means of a file scan. (and how long was it running before the
scan found it?)

-------- rant DETECTED! Do you want to remove the file too? -------

But that's why ...

 

Thanks Kevin for this post. It's how newbies like me learn.
It's good to hear a voice of reason (even if it's in the rant mode ).

Regards,
Douglas

 

So Kevin,
If I understand all this, there will be seperate upgrades for 4.xx, when needed and 5.0 being done, with an option to upgrade to 5.0 if someone wants to do that?

 

LOL. Hey Kevin, I'm curious. How much coffee do you consume on an average day?

Acadia

 

Hi....

Yes, for all those who purchase BOClean on or after 15November 03, a free upgrade to the 5.0 version is included at the customer's option (in other words, email me when it's out and request it). All others can upgrade for the special price of $20.00, even though we haven't set a price for it yet. Support for 4.xx will continue.

Kevin has (finally) gone to get some much-needed (to put it lightly) sleep.

 

Well, I just IM'd him, and he said he'd been up for 36 hours. So I'm guessing in the 3-gallon range.

We should start a pool!

 

If one has 5.0 & uses it a while, then pines for returning to the simplicity of 4.xx, will one be able to run ONLY those aspects of 5.0 which equate to 4.xx alone?

I am a bozo [but I might recant].

 

Hello all

For those of you that do not remember, Bozo was a clown.
I used to watch him all the time as a child. Our parents generation
coined the phrase "Bozo" to characterize a certian person as having clown like qualities. We used to hear people using that alot back then.
If you did somthing goofy somebody would call you a "Bozo"
But some people got mixed up and used "Bozo" for other meanings, such as if you had done something they thought was stupid.
I have been reading Keven's posts too lately and want to thank him
for bringing back some of those memories.
Even though there was another phrase used alot back then by our older sisters " It takes one to know one" , I know Keven it not a "Bozo" LOL
Although we are all clowns at certian times of the day.
Keep up the good work Kevin

con

 

It's a bit early to say for certain (as I don't know what sort of integration issues are yet to be seen), but the desire is to allow that.

 

Just fill it with coffee, OK?