Is a dedicated anti-trojan program really needed?

Discussion in 'other anti-trojan software' started by mmiranda, Oct 10, 2006.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    By far the majority of us have no real way to make an accurate assessment as to the comparative effectiveness of an anti-malware application. Accordingly we rely on what we can understand to be fair and objective tests. As to AVs it is for me AV Comparatives (AVC) at the top, but I do look at whatever is available.

    However, for other anti-malware applications there does not seem to be a test that is even close to being universally agreed upon as AVC is for AVs.
    I always wonder when someone states that BOClean for example is the best, what is the basis for that claim? If it is a clean machine, then many of us could claim that our particular AT was the best. The same for the AS type applications.

    I agree that the few tests I have seen do not give me a sense of security when the top ones are often much less than 70%.
    I do not think I have ever seen a test of BOClean for example.

    As for clean machines, I carry a fingernail clipper, and have never been in a plane accident. Conclusion: A fingernail clipper prevents air disasters.
    Not very convincing.

    So we do the best we can understand, and make the trade-offs between being able to use the computer vs security.

    Best,
    Jerry
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    People spend way too much, and listen, way too much when it comes to this stuff.
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Several reasons why people feel AT is good:
    - AT is *actually* good, worth the price
    - they assume it is doing its job, and the computer looks clean and behaves normally. However, unlike a virus, a trojan is designed to hide its existence. If you are not technical enough to look for its trace, you just don't know.
    - When a particular AT spots something which their AV misses, they will assume it did detect something. However it may be due to (1) a false positive; (2) your AV is just not good enough (eg AVG); (3) your AV is good, but is weak at detecting trojans (eg NOD32); (4) they are correct. AT detects a rare malware no AV can detect, so it is worth the price.
    - Simply the name/nature of the product - it is called "anti-trojan" or other fancy names, it is a specialised product, so it should be good at detecting trojans.

    Some phenomena observed are:
    - freeware performs well
    When a company offers its security product for free, the public will highly recommend it to others - not because of its performance, but the feeling of "using something for free"
    - popular product performs well
    If you hear several people mention the same product name again to you, you will start to presume it should be good, at least it can't be bad, or why would many people recommend the same product over and over again. If you understand how the public forms recommendations and picks products, this is not a reliable way to pick a good product.

    For AS, the website Malware Test is available to be used as a guidance for performance benchmark.

    For AT/AK/AR, no such source exists except www.virus.gr which can give us some clues as to how each AT/AK product performs. According to its on-demand tests, they are not promising.

    It is because it doesn't offer any trial, so no one can test it before buying.
    Also it appears it doesn't have an on-demand scanner.

    Interesting analogy. :)

    The only way to know whether an AT/AK/AR is good is to:
    - do the tests yourself (although the sample size is small, it is better than nothing but subjective feeling)
    - read the informal tests done by others
    - read www.virus.gr for some clues (its test is not perfect, but again better than nothing but subjective feeling)
     
    Last edited: Oct 12, 2006
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Okay, this is about the AT comparative test from AV-comparatives:
    http://www.av-comparatives.org/seiten/ergebnisse/atreport2006.pdf

    The author who performed the test has mentioned why anti-trojan tests are so few. The author said "due to the low participation level of AT vendors, we don't know if we will carry this test next year".

    Guess why AT vendors don't like to compare their products? ;)
     

  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Although I agree more or less 100% with you about the need (= most do not need it) for an AT...then to be fair it was an on-demand scan test and the results might have been very different in that test if it was an on-execution test, which I personally would really like to see...a test every 6 months with samples from the last 6 months used, I think there might be a few surprises....Andreas/IBK what do you think? But maybe you would have to recruit a few extra helpers for the execution part!:)
     
  6. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    You are welcome. You post well. ;)

    Certainly BOClean is not a substitute for everything. They do claim to protect against spyware, keyloggers, rootkits and other malware. They do say you should get an AV too.

    I guess I have all that I need. I have not had an infection in several years or unusual activity. In fact very few Windows software hangups at all. I need to be careful; I do not want to tempt fate. :D . But no BSOD, nothing in years. I do use my machine too.

    If you have a signature-based product that is aggressive at capturing new threats, with people willing to get them out 24/7, is this why a signature-based product is good for some of us? :doubt: Kevin and Nancy are always talking about being in the "Lab" and busy. If the service is top notch and sigs come out very regularly, how big of a window is needed statistically to get an infection?

    Note: I totally agree any program that steals passwords and other critical data is far worse than the average run of the mill mess-up-your-machine nasty. Because a Trojan or other such nasty acting in a similar manner can MESS UP YOUR LIFE :thumb:

    Finally, I am looking over Prevx. I certainly see the value in this type of security. Thanks again for your postings here.
     
  7. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    Exactly my thoughts, but after reviewing the kernel mode drivers installed by all these on-demand scanners I decided to remove them and switch to web based on-demand scanners. I don't like kernel mode drivers being active for products I only use for on-demand scanning.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's funny, I consider on-demand scanners as a waste of time, not space. :D

    On-demand scanners:
    1. Only detect and remove malware; they don't prevent the installation and execution of malware.
    2. You don't run on-demand scanners every minute. Users run them usually one time a day, which means
    that malware had enough time to do its evil job.
    3. Since ONE isn't enough, you have to run more than one and that takes a lot of time.

    A frozen snapshot:
    1. Is the same as on-demand scanners.
    2. Is the same as on-demand scanners, because you only need to reboot one time a day.
    3. During a reboot all changes are undone COMPLETELY in 2 minutes. That is the big difference compared with on-demand scanners.

    You save a lot more time with a frozen snapshot than running a bunch of scanners, and it is much more reassuring. :)
     
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi,
    [People spend way too much, and listen, way too much when it comes to this stuff.]

    Not sure what your reasoning is. When I decide to buy a new car, I go to the test magazines, including Consumer Reports, and ask those who own them. In that way I can get some idea of the maintenance record, and the potential problems.
    There is no way that I could test the cars.

    Few have any idea how to test anti-malware, including me. So what would you expect us to do? Should we just close our eyes and throw darts? That would not be an intelligent move if we were trying to find the top tiered programs.

    Not only that, the shopping is often more fun than the buying.
    But until someone finds a better way for most of us average users to learn what are the best programs, I will continue to spend time asking, and reading tests.

    I still consider AV Comparatives the best and most objective test that I can find. It seems that many who are smarter than I am agree.

    Best,
    Jerry
     
  10. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    1)
    Why don't you like drivers being installed on your computer?

    2)
    Hmm... If it provides a standalone on-demand scanner to download and install, normally it shouldn't install any driver.
    I might be worried about the installation of a driver since this may get conflicts with my resident AV and its own driver.

    3)
    What on-demand scanners will install drivers?

    4) For your information (you might be interested :))
    Standalone on-demand scanner(st) VS online scanner(onl)
    • Both will occupy your disk space anyway
    • st: scan faster
    • st: more flexible (configuration, scan options)
    • st: more handy (can scan right on the spot)
    • st: most of them offer both scan and cure/removal; onl: few offer both scan and cure/removal. Most are scan only
    • st: very low chance of getting conflicts; onl: probably slightly lower than "st"
    • st: hardly ever use more than 1 scan engine; onl: some websites offer scanning individual files with multiple engines
    • Any more to add?
    st = Standalone on-demand scanner
    onl = online scanner
     
    Last edited: Oct 13, 2006
  11. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    If I understand correctly, an AT can catch what AV misses if:
    1. that malware is known by that anti-trojan, ie it has its signature
    2. AV misses it from both on-demand and on-access scans
    3. anti-trojan can catch it from on-access scans

    But how many missed malware can be caught by AT, or does it simply overlap the efforts too much?

    The detection rate of an anti-trojan is determined by the size of the database. Provided that nearly all AT vendors' databases are incredibly small, their detection is much restrained by how many they can detect.

    Providing that there are so many options available to complement an AV, is an AT still a good choice?

    Even if it is still a good choice, should we pay just for some extra marginal protection?

    Considering that trojans and keyloggers tend to be custom-made or bespoke for selected targets, AT couldn't help either.

    Would "proactive prevention or behaviour blocking" be a better go?
     
  12. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556

    Some thoughts:
    • How about if you receive some files or archives, and you would like to verify its cleanness before opening?
    • How about if you utilise your meal time or sleeping time to scan your computer? Your time is not wasted in this sense.

    Good but may cause more hassles or troubles for many users.
    Some concerns:
    • How about if you wish to save changes in the middle of the day? This may not just be changes of your personal data, but settings of your programs
    • How about if you wish to try out new programs/games in the middle of the day, or add some new stuff to your computer? You need other methods to verify their cleanness (since you wish them to stay in your computer, not just rollback)
    • How about if your programs are updating themselves in the middle of the day? The updates would be rolled back, so you need to reboot in thawed mode to do the updates. You can't use auto-update in that scenario either [pointless].
    • How about if your system partition is very large, so creating a snapshot will waste much space?
    • How about your other partitions (eg data partitions), do you roll back all changes made from other partitions too? If not, there are risks already. Otherwise your snapshots will grow very big.
    • How about if you don't wish to shut down computer every day? You wish to hibernate it only.
    • How much time do you need to spend to save snapshots and do the rollbacks? Does it take more time if you need to roll back all of them?

    Your approach is much safer since any change is wiped off at the end of the day, but it seems to cause more hassles and inconvenience for many people.

    I prefer replacing this with sandboxing or virtual machine approach.

    PS: Don't get me wrong, I don't completely discredit the value of your approach, but since we have known the benefits of that approach already, I skipped mentioning them in that post.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My settings of each software are chosen and I don't change them every day. If I have to change them, I will restore the original archived snapshot off-line, make the changes and archive it back.
    Bad programs, caution programs and unknown programs are blocked by Prevx1. Why would I try these?
    I can try any new software in my frozen snapshot, as long as it is considered as a good program by Prevx1.
    If I don't like the good program, I only need to reboot and the program is gone.
    If I like the good program, I will try it in a test snapshot until I'm familiar with it and know which settings it needs and then install it permanently off-line in my archived snapshot.

    For the record: I don't install software permanently, unless I really NEED it. I'm not a collector of installation files. That isn't smart either, because most programs have new versions after a while.
    If the software sounds interesting, I store the link of the website in a .doc-file with a comment until I have the time.

    Lots of users might not like this, but they also often get into problems in real life. If you want to see real life visit the Malware Forums. Wilders isn't real life. Wilders has only knowledgeable users and experts. Even newbies at Wilders aren't newbies anymore.
    This is only required for security software and those are anchored in my frozen snapshot, which means that they accept changes.
    For now it's only Prevx1 that needs updating. I'm still working on that and this isn't really a problem, it's more a matter of timing and how much you trust on-line updating, which is a problem for everyone.
    I have 70gb for my system partition [C:] and at this moment the maximum of 10 snapshots = 30gb, which will be 20gb in the next version of FDISR (compression). So space is not a problem yet.
    I can store an unlimited number of archived snapshots on external harddisk/CD/DVD, but I don't need that.
    I need only 2 snapshots:
    1. Off-line snapshot, which is always the same and doesn't need anything.
    2. On-line snapshot for on-line activities.
    3. All 8 other snapshots are for testing and will be removed, when I don't need them anymore.

    I turn OFF my computer when I don't need it anymore. Leaving your computer ON at night isn't safe anymore according to my readings.
    Keeping my computer ON for just running scanners is a waste of time and energy.
    This has nothing to do with my frozen snapshot stored on [C:].
    My data partition [D:] is another problem that will be solved, when my system partition [C:] IS solved. First things first.
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    so you only run programs that Prevx1 has rated as good (green)?

    what if a (trusted) program is updated and prevx1 doesn't yet have a rating for it?
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That isn't a problem either. I always can create a test snapshot without Prevx1 on it and test the software this way, like I always did in the past.

    Suppose I want RoboForm on my computer and Prevx1 doesn't accept it YET.
    I know that RoboForm is a trusted program, because a lot of members use it.
    In that case I would use it in a test snapshot until I know how it works. :)
     
  16. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, possible solution.
    However, as you may have noticed, people need to change their behaviour on how they use their computer to cooperate with your rollback security system.
    That's why I say it may not be suitable for all people.

    For example, some people need to install many programs. That may cause them more hassles and inconvenience. Their user experience will be :thumbd: :thumbd: :thumbd:

    So is Prevx1 your only defence?
    How about updates or other changes made by operating systems, non-security programs?

    What if malware manages to bypass the protection of Prevx or compromise it?
    What if Prevx flags the malware as green (good)?
    What if the malware tricks Prevx into returning a green flag while the actual flag is red?
    What if the malware tries to disrupt your connection to the Prevx database?

    There are many ways which can compromise a security program. I won't place so much trust on just 1 security program. Plus this is probably not your style since you are paranoid in that every change made in your system may be potentially dangerous (that's why you need a rollback intrusion protection system ;)).



    If you have a 70GB system partition, will it waste too much space to snapshot it?
    You also need to keep a custom snapshot in external sources since the malware may be able to infect your snapshots.

    Hmm... How about leaving your computer on but with the online connection off? That is safe.
    It is unsafe only if your computer is being slaughtered by the malware, but then it is unsafe at any time you switch on your computer.

    You can do the scan either in meal-time or any time you don't use your computer.

    Some AVs allow you to scan only new/changed areas, so this should dramatically decrease your scan time after your first scan.

    Everything can be done automatically (scheduling your scans).
    Your computer can be off once you have finished the scanning.
    Thus it may not be as inconvenient as you may think.



    How about if you encrypt your whole data partition?
    Beware keyloggers which try to steal your encryption key.
     
  17. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
    I like to keep my system as clean as possible. When troubleshooting problems I don't want to take into account drivers that are active but don't perform any function except being part of a program I use for on-demand scanning.

    I've installed some products and disabled the active part, but then it still installs drivers. Preventing conflicts with the resident scanner is the primary reason for not using these programs for on-demand scanning.

    They're not dedicated on-demand scanners, but programs with the resident part disabled. The dedicated on-demand scanners like MWAV Toolkit and a-squared don't install drivers.

    Nice overview. I only use web scanners if there's no dedicated on-demand scanner and the product installs drivers when the resident part is disabled.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you ask members "What kind of security setup do you have?" You get MANY DIFFERENT answers and I don't need to prove this because Wilders has several threads, where these security setups are mentioned and discussed.
    Each security setup requires another approach, has its own inconveniences and is not suitable for everyone.
    If you decide to put your computer full with scanners, you have to maintain and run these scanners. If you decide to put HIPS on your computer, you have to learn how to use HIPS and answer its questions correctly.
    If you want to talk about the advantages and disadvantages of each security setup, this is going to be a looong discussion and my security setup is just ONE of the hundreds.
    All security setups have inconveniences, but users get used to these inconveniences and forget that they were ever inconveniences and therefore don't consider them as inconveniences anymore.
    The problem is that you are comparing your security setup with my security setup, which is quite different from the classical security setups, and you see all kinds of inconveniences that aren't different from the forgotten inconveniences of your security setup.

    For now Prevx1 is indeed my only defence, because I'm looking for two kinds of security software:
    1. Software that PREVENTS the INSTALLATION of malware (Prevx1)
    2. Software that STOPS the EXECUTION of malware. (o_Oo_O)
    I don't need more, because my frozen snapshot doesn't allow any change.
    All the rest of your questions apply to other security software also.

    I decided not to anchor my Prevx1 anymore, because anchoring makes my frozen snapshot vulnerable.
    I will update Prevx1 right after reboot (= clean snapshot) and re-freeze it.
    I can do this for all software that requires online updating.
    The period between reboot and re-freeze will be very short and of course there is little chance that I might be infected during that short period. That little risk, I'm willing to take.
    That risk is still smaller than or equal to:
    - scanners that didn't find a threat because it wasn't blacklisted
    - a false positive that was removed by a user
    - a HIPS-question that got a wrong answer from the user
    - an updating of a scanner that was too late or didn't happen at all.
    Let us talk about the disadvantages of scanners.
    Let us talk about the disadvantages of HIPS.
    What are you talking about? Problems with space, while you can get internal and external harddisks from 70gb up to 700gb?
    I can have a maximum of 4 harddisks in my computer case of 500gb or more and at least 2 external harddisks.
    The special clean archived snapshots are stored on my off-line external harddisk and they are only used for restoration.
    Only my daily backups can be infected, but that is a common problem for ALL users.
    I've read enough posts of users who run a NEW scanner, which finds malware that was never detected before. During all that time this malware was included in their backup files.
    I answered already that question.

    I considered encryption already and it was a very big disappointment for me.
    Encryption protects you against PHYSICAL THEFT only, like a burglar in your home who steals your computer, or you lose your laptop in the train, etc.
    Encryption doesn't protect you against theft by malware or hackers.
    Once you have mounted your encrypted partition, your data is an open book for millions of malware and hackers on the internet.
    I was so stupefied by this that I couldn't believe it. Encryption protects me against ONE accidental thief, while it doesn't protect me against theft by malware and hackers, which are trying to steal my data constantly every moment when I'm online. :)
     
    Last edited: Oct 14, 2006
  19. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Way too much $ or time?

    I take the approach that if it's related to my internet security there is no such thing as too much time.
    For money it all depends on one's wallet and how much shopping he/she does for a bargain on AT software.;)

    Shopping and testing are the fun part.
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Hi trjam,
    [People spend way too much, and listen, way too much when it comes to this stuff.]

    I'm still waiting on a reasonable alternative for the average guy who cannot do any serious testing.

    Thanks,
    Jerry
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I simply point out that probably most people have difficulties following your security setup, since this would mean they need to adopt another approach or way of using their computers, which is very different.

    While your security setup is much, much safer, people may not follow it for this reason. It is similar to people still using administrative accounts even if they know limited accounts are better security-wise.

    Yes, that's the point.
    If it is just you who is concerned, that's no problem. But if we wish to promote this security setup to others, we need to address its inconveniences and problems to them, so people will have a better understanding and pick the one which suits them best.

    That's what I'm trying to do. It is not an attempt to completely discredit your security setup. No offense indeed.


    Read this thread. It is a security test:
    https://www.wilderssecurity.com/showthread.php?t=150840

    I don't understand why Prevx1 simply allows it to run without any prompt. :thumbd: :thumbd: :thumbd:

    Personally I think you are better off with another whitelist-type anti-execution product instead of Prevx1. I don't know if this problem is caused because Prevx1 thought it is okay to run, or it doesn't monitor this kind of file, but you may see similar problems occur when you use Prevx1.

    The whitelist-type anti-execution product should offer better protection than Prevx1 since everything outside your list is blocked. So some of my problems explained above will be eliminated.

    I think the installation and execution are just either side of the same coin. If the malware writer manages to install their malware into your computer, they would execute it as well during the installation. They won't give you a second chance to stop them.


    Good as it is consistent with your own security philosophy.


    So o_O
     
    Last edited: Oct 20, 2006
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I simply point out that this would be the obstacle for some people following your security setup. They may either not wish to buy additional space, or the price of hard disks is expensive in their countries.

    I think the malware can only steal your data when your data is being decrypted, or your encryption key is stolen.
    Otherwise please explain why you think so.


    No, I don't think so. Please explain.

    After all, leaving it encrypted is still better than unencrypted.

    It is equal to:
    - they need to get past some locks to steal your property even if they break into your house.
      VS
    - they are free to steal your property after they break into your house.

    I don't see why you feel the other way round is safer, or they are just the same.
    Sorry, it doesn't make sense to me.
     
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are right.
    That's why I tell others not to install an anti-virus program (even if you disable the real-time part). This may still cause conflicts.

    I only install on-demand AV scanners, or AV programs which are configurable to install on-demand components only.


    Thanks. :)
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Installation and execution are different. Installed malware doesn't always do its evil job immediately after installation.
    Some malware is sleeping until the user or some other program activates it.
    Some malwares execute themselves at a specific day. I call them time-bombs :D
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I might use both Prevx1 and Anti-Executable together in the same frozen snapshot. I have to test this.
    I can't use Anti-Executable's highest level of security, because FDISR doesn't like that, but a lower level might be sufficient enough.
     