Is a dedicated anti-trojan program really needed?

In addition to an anti-spyware program (the new generation programs can detect trojans as well), do you think that a dedicated anti-trojan program really needed? If yes, what would you recommend among the most popular anti-trojan programs (Ewido, a-Squared, Trojan Hunter or BOClean)?

 

Simple answer, no. If you have the right suite.

 

if your antivirus has slightly lower detection rates and/or if u are a high risk, you might want an antitrojan but its not an absolute necessity.

supposedly BOClean is very good as resident protection but theres no trial so i cant tell u much more. it lacks a full on-demand scanner however, so i recommend u keep avg antispyware or a-squared free for scans.

 

Thanks for the input trjam and WSFuser

 

AVs are getting better and better and better... , but for me the answer is still a yes. Keep in mind attacks can disable security programs is it not a good idea to have an extra malware killer like BOClean. I think yes. Just me I guess and one purchase and you are pretty much done, no yearly renewals

 

I dunno if antitrojan is needed - maybe for on demand but I don't see the need to buy one, with most AV's being between 95-99% as far as trojans go.

 

At what point would you say an AV is all you need or would you?

BOClean seems to cover everything except virus. Things just seem to me to be Virus protection and then other malwares.

 

A dedicated antitrojan will handle malware it detects better than an av. Even though some av's detect as many or more trojans than a dedicated AT they usually don't handle them near as well.

 

Hi BigC,

I have believed that if one has a top AV, such as KAV, he did not need a dedicated AT. KAV, and others, have a higher detection rate, as near as I can determine from the various tests, than ATs.

Your statement, "they usually don't handle them near as well." makes me think I might not be correct.

In what way do the ATs handle trojans better?
FWIW, I have KAV 6 and Ewido Plus (lifetime license).

Regards,
Jerry

 

a dedicated AT will clean or delete trojans much more reliably than an AV. I agree that some av's like Kav do detect a lot of trojans but can't clean all it finds. Detection and cleaning are definatly two different things. And a dedicated AT is created to to handle trojans it doesn't use it's resources looking for anything else.

 

Thanks for the reply. I have often wondered what advantage the dedicated AT had.
The lines between ATs and anti-spyware seems to be blurring. I use layering, and since I have lifetime licenses for Ewido, and SuperAntiSpyware I use them.

I have been trying a-squared 2.0 free as a scanner, and am impressed with it as to updates and scanning speed.

Best,
Jerry

 

Information to your answer:

Has your real-time anti-trojan ever caught anything?
https://www.wilderssecurity.com/showthread.php?t=93179

comparison of anti-trojan programs and intrusion protection systems when dealing with trojans
https://www.wilderssecurity.com/showthread.php?t=94258

Why bother using any anti-trojan program
https://www.wilderssecurity.com/showthread.php?t=93044


If you wish to know the detection rates of known trojans achieved by Anti-virus programs and anti-trojan programs, go to:
http://www.virus.gr/english/fullxml/default.asp?id=82&mnu=82

Scroll down to the bottom. Then click on: DETAILED TEST RESULTS

You will get Excel files which classify the detection rates by different types of malware. Look particularly for trojan detection rates. Now look for the performances of your interested AV/AT by searching their names.

The best AV can get about 99% detection rates. Most AT cannot even come up with 50%.

 

If you ask me, I still don't think anti-trojan program is necessary if you have good security suite, ie good AV (eg Kaspersky) + Firewall + AS.

Unless you are using some average AV, the AT should only provide you marginal benefits in real circumstances.

I would prefer adding another type of security product first (eg HIPS), rather than going for an AT. Even if I wish to have an AT, I won't pay for an AT. Simply use a free one if you do wish to have one.

Links about free anti-malware:
http://www.mnsi.net/~jhlavac/freeware/security.htm
(Any more?)

My reasons:
Discouraging AT
- Both AV/AT have the same thing in common, they are mainly signature-based. That means they can mainly detect what they know. Heuristics help but not much.
- AV has far more signatures than AT. When doing an on-demand scans, AV are going to cover what AT can detect.
- Both AT and most AV offers memory scanning. However most AV's memory scanning is actually process module scanning. So, if by any chance, AV cannot detect that trojan due to the fact it is specially packed/encrypted (when a program is packed/encrypted, the original file image is changed. If the AV can't depack/decrypt correctly, it may not be able to detect it even if it is contained in its database).
- Then you run the malware, and the malware will load itself in the memory. Since memory scanning in AT is supposed to be stronger than AV, so even if the AV misses it again in memory scan, the AT may be able catch it and stop it from harming your system. But how effectively is it to prevent what AV misses? It is a question mark.
- Trojans/keyloggers tends to be more personalised, that is they only send its "home-made" malware to the selected audience. The researcher cannot even get reach of them at all. How can AV/AT detect such kinds of malware?
- Overall AV and AT are more or less doing the same thing to protect you against trojans. That means they share some common problems or weaknesses. Why not try to install another type of security product which can protect your system (and trojan) in another approach? It adds much more values to your security.

Other security products:
- HIPS
For newbies, you may wish to use Prevx1. Prevx1 can be used as a set-it-and-forget-it type of HIPS. Unlike other HIPS which will prompt you for security decisions, it uses its central database to help you to answer these questions. If a executable file is going to start, it will check the database for the proper answer first (ie allow or block), if it has an answer, it will answer it on your behalf. Otherwise it will prompt you for a decision.

The disadvantage is it won't let you control your computer. Everythng is controlled by your program. If your program goes wrong, so does your computer. And if you wish to customise/control on how the legitimate programs should behave on your computer (you know, some legitimate programs still do annoying/stupid things, you wish to control them in some ways), you can't.
Note: Prevx1 Expert mode can do, but currently there are some annoyances.

For users with a bit computing knowledge (or don't mind answerng the popups), you may choose other classic HIPS which provide learning mode or the like. What is learning mode? Learning mode is to tell the HIPS to learn your system. First ensure your system is clean. then let your HIPS "learn" your system. After the HIPS finish learning your system, turn the learning mode off. So it will only prompt for any non-typical activities.

When you are not sure whether you should block tne process, either block it first. Then see if it affects what you're doing. If not, that means you don't really need to allow it (or they might be malicous).

If you wish to know more, simply google for the process name, or ask in security forums. They can help you most of the time.

For experienced security people or experts, they may use really classic HIPS which will prompt them for every activity/behaviour which is within the control of the HIPS, and let the person decide. Thus they can fully control of what their computers and the programs can do.

- sandboxing applications
You can minimise your risks of being infected by sandboxing some of your applications. This may include your internet client (eg IE, Firefox), mail and newsreader, chatting programs, and any executable files.
Once they are sandboxed, any change made including the infection of malware are isolated.
The malware are being trapped in the sandbox. They can't infect your computer.
After you finish using that program and close it, you can clear any changes with just one button.

A graph is probably a good way to tell you how it works.
This graph is taken from sandboxie website.
http://www.sandboxie.com/img/FrontPageSystem2.png


Note:
- Some sandbox applications offer you the ability to save some personal files or settings inside the sandbox.
- It is what sandboxing tools are supposed to do. Sure malware can find ways to break out of it. But after all, any protection/blockage is breakable.

- Virtual Machine
This is a more complete version of sandbox in that it sandboxes your whole operating system. What you do is to install another operating system in the virtual machine. So you can try to do anything which may infect your system in the virtual machine, other strictly safe things in your host machine.

One way of using virtual machine as a security tool is you can try to do different things on different machines, ie host or virtual machine. When you are doing somthing which may be potentially unsafe (eg browsing the Internet, installing new programs and so on). Do it on the virtual machines. hus eve if you somehow get infected and you don't realise this, it still can't cause damages on your host machine.

Okay. Let's say you would like to do online banking. Now you can use the host machine (that's only for very secure tasks) to do that job. Is it much more secure than just using 1 computer to do all the things and stuff? Even some of the sneakiest trojans/keyloggers have to shake their white flags.

This one is much safer than sandboxing tools. However the disadvantage is you need more resources to run this virtual machine. The virtual machine will also take up your disk space, memory, CPU and so on.

Note: The same thing can be achieved if you have 2 computers. One is test computer. Another is just for very secure tasks.

 

Alternatively you may download any removal tool to remove particular trojans. Simply search for the "{trojan name} + removal tools".

By the way, it is a bit too late if your trojan has infected your system. you should stop it cold before it infects your system. The "cleaning" part is the least concerned part. Sometimes even AT may have difficutly to kick the malware out COMPETELY. To lower the risk that the malware is still hidden somewhere, I would restore back to the previous clean state. If you don't keep snapshots, do a OS reinstall - the safest.

 

Thank you Wai Wai for your authoritative answer.

 

Thank you, but that's not the authoritative answer.
It's just a personal comment/suggestion.

 

Wai Wai,
Thank you for your informative and thougtful responses. They are excellent educational posts for someone who wishes to deal with all of that....

But why

Just get BOClean and be done with it all. What am I missing?

Removal tools, Sandboxies, (HIPS makes the most sense) or decision making

 

Thank you very much.

No single security product is perfect.
Why do you think BOClean can do it all?
If I understand correctly, it is another signature-based anti-trojan program.
(Note: I know it detects more than just trojans, but I think most people would call it as AT)

What does the above means? That means it will share the same problem other signature-based programs have, ie they only detect what they know.
The detection effectiveness is determined by the size of its database.
Unfortunately I couldn't find any third-party malware test about this program, nor there is any trial available.
But does it come up with what it claims? How many malware can it catch?
Can it still catch the malware when it tries to bypass the detection or attack the application?
(Note: I'm not saying BOClean must be bad. I just don't know. Most people don't either since they judge based on their feeling, or personal experiences)

Or did I get you wrong?

I can't quite get what you are asking.
But I have updated my post. Hopefully this will clarify somethng.

Note that you don't need to have all of them. The reasons why I mention all is to introduce you to other possible choices (apart from AT). Everyone has different needs. Just pick one or several which suit you the best.

Personally:
Resident programs:
- 1 AV*
- 1 firewall
- 1 AS*
- 1 HIPS
- 1 sandboxing application
(- or 1 virtual machine)
*: They can be backed up by on-demand scanners (AV/AS). Since on-demand scanners just waste space (I have plenty to waste ), you can install as many as you wish.

 

Short answer:
Yes.BOClean.
AVG Antispyware could be added if you want a scanner.

 

hi everyone i never hear to much about trojan hunter?how does it compare to the rest of the pack of anti trojans?...

 

Trojan hunter?tried it a while ago,was not very impressed.maybe thats just me but back to the question of weather or not a dedicated anti trojan is really needed or not,imo it is. After trying several,I deceided on BOClean,only caught 1 very bad thing that others missed but worth every penny.Maybe i'm just parinoid but i like to be careful.

 

Very informative posts.

I guess having Ewido/AVG Anti-Spyware (as a realtime and on-demand anti-spyware/antitrojan) + an antivirus with good detection rates (i.e., NOD32) + numerous on-demand scanners would be OK to cover for trojans.

My interest has been piqued by BOClean which is highly recommended by mercurie, the_Tester and travellinman. I wish they had a trial version

 

Is there a comparative test of BOClean and other similar applications? I am not aware of any, but I would not necessarily know about such.

Best,
Jerry

 

I won't use AVG. It is just an average anti-virus program for detection sakes.
If you wish to use strong free AV, Avira AntiVir is the best - free but offering one of the best detection rates, very hard to beat! However beware of its false positives due to its aggressive heurisitics approach. The second option is Avast which is still better than AVG in detection rates, but is far inferior to Avira AntiVir.

If you are willing to pay, Kaspersky and Avira AntiVir (paid version) are probably the best in detection rates.

NOD32 is good, but not as far as trojans & keyloggers are concerned. I am particulary concerned about trojans/keyloggers and its likes due to its nature and unnoticeable nature. I also do quite many internal tests myself, just to see how good they are.

That's one of my on-demand tests published on the Internet. It is just an informal test. Here's what my research about the effectiveness of different on-demand scanners. The result is disappointing .
https://www.wilderssecurity.com/showpost.php?p=839371&postcount=33

I am surprised to see NOD32 doesn't find as many trojans/keyloggers as I expect.

Another small test relating the detection capability of keylogger of NOD32:
https://www.wilderssecurity.com/showpost.php?p=824219&postcount=67

No, what a shame.

Note: The above recommendations are based on the results presented in AV-comparatives and some other third-party tests too, not subjective or personal feeling/experiences.

 

Not as far as I know.
I wonder most comments or recommendations about BOClean are based on personal preferences or experiences.

Not just BOClean, other AT don't have comparative tests either.
The only site which have recent tests is virus.gr, but it only carries the on-demand test of AT.
http://www.virus.gr/english/fullxml/default.asp?id=82&mnu=82
Feel free to (mis)interpret the results.
Just notify you of possible sideeffects before you read this article. When you read their detection rates, you are guarantee a complte shock. You probably don't believe your eyes, or don't wish to read any further, or don't wihs to buy AT anymore.

If you wish to investigate further about BOClean, you may wish to read this:
https://www.wilderssecurity.com/showthread.php?t=108929