Media Discovers Spyware

Discussion in 'other anti-trojan software' started by Nancy_McAleavey, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Oh I did say I read average users' reports, on many different apps...and as far as I can recall...they were all good about BOClean.

    We can let it end on that.

    By the way....is your hubby Canadian....with all the "hehs" he uses...or at least very close to the border :)
     
  2. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Sounds fair.

    :) No, we do live somewhat close to the border now though. That's just something he picked up years ago. We used to chat a lot with a Canadian BBS (remember them? :eek: ) back in the pre-Cambrian epoch before the Internet got commercial.
     
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    As far as I can tell, file-based scanning is still the basic form of detection.
    Files are like atoms or molecules that form one entity (disk partition).
    You can't just send some trash to a PC and infect it. Malware must be distributed as an executable file (not the exact case for certain exploits).
    And when we talk about files, there is also file scanning.
    Sandboxes are still file scanners, only in a controlled environment. TruPrevent-like methods are different from file scanners, but again the malware must be a file in order to execute it in resident memory. IDS systems like Prevx or McAfee VSE access control again act based on file scanning (or better to say blocking, of course apart from Buffer/Stack Overflow protection).
    Registry monitors. You can't just modify the registry. Again you need a file-based package with a payload. So basically file-based scanners are far from being obsolete these days since this is nearly the most effective way of protection.

    And what does BOClean do if it doesn't scan anything? Scanning air maybe?
     
  4. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK

    Didn't you know that's the new black?
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yep, that sounds basically like what I was thinking :) I truly believe that a filescanner isn't a gadget and should be considered an important layer of background defence...even though there isn't malware in memory I would still like all "dormant" malware off my system ;)
    A memory scanner is very important, but I don't underestimate the power of a good filescanner. And that was the reason I waited sooo long for my Boclean copy :)
     
  6. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Can a file scanner correctly analyse a piece of malware that's encrypted and packed? I was under the impression that the enclosed malware can only be detected once it is unencrypted and unpacked. I know file scanners can unpack, but can they unencrypt as well? I thought that would be termed as hacking into a file. Please provide more info regarding unpacking, encrypting etc.

    muf
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    In regards to tests, numbers are easy to manipulate. Since they are aggregates in themselves, they depend on external context to give them meaning, and that's the crux of the issue here. You can surround those numbers with just about any meaning to make your point, especially by not including certain facts (intentionally or not).. which brings me to my point. If the readers aren't coming to the conclusion that you intend, you can't just blame the reader for not knowing. As you've stated, that is many times the reason for these ridiculous tests. I now see what you meant after much explanation, Mr. McAleavey, but without your background understanding (i.e. those you wrote the article for) you have to be able to see where this kind of misunderstanding can happen. I do mean this with all due respect, but find myself a little frustrated (as someone who makes their living choosing words carefully) when the sentiment of "well you just don't get it" is expressed when the point is lost in an article that is meant to be explanatory. I hope you will consider taking the time to clarify this in your article, as I do believe it is an important point.. just one that seems it can only really be understood by your contemporaries in its current form.
     
  8. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    All,
    I for one was amazed at the reaction to the PSC News Letter. I was surprised a little that it was posted here. I stand by my comments in post 2. I enjoyed the history lesson. As to the testing and "our product cleans so much better than the others, see"...well, what author or creator does not say their work product is better than the next guy's? "Puffery" I think it is called. Well I happen to think the product is good and it lives up to my expectations. I do want my system kept clean. Not have already installed :ninja: crap on my system caught and removed by a scanner that relies on periodic scans. Which realtime product is better I cannot tell you; no one has come up with a test that can prove to me that one is better than the other. And while even Nancy herself said somewhere at one point (I do remember this) that AVs were getting better at catching the trojans and that they were finally waking up, I still believe they cannot and do not do as good a job as a dedicated trojan killer. Yes, I agree there is a lack of good comprehensive testing. So sometimes the vendor will have to resort to their own tests. I did not even look at the tests carefully; they are meaningless to me. Testimonials, research and my own experiences, that is what counts. Do you believe every test a car company puts in front of you on the TV? Big deal! So what! Consider the source (the vendor, the author, the creator) and move on.

    I have never had or felt the need with BoClean on the job to try anything else. The thing sometimes updates twice a day. Weekends, holidays, 24/7, always on the job. It has never failed or caused my system problems that were not the fault of something else, and Kevin has always helped me even with non-BoClean issues and advice. So why don't all you naysayers just cut them a little slack :mad:

    Kevin has a way of saying things sometimes that if you are always on the edge of your seat ready to point a finger or are so sensitive you would not get offended. I speak from experience; I've gotten emails after asking questions. They respond quickly and with an answer that makes sense, and I am not that much of a techie. I generally got a good education in the answer.

    Freeware, Shareware, Payware, :rolleyes: :rolleyes: I will tell you this, I have spent $39 on BoClean and gotten great support, several product updates and hundreds of "signature" updates and a protected machine...no wait a minute, two protected machines. WHAT MORE DO YOU WANT?

    NOD32 a product I have not tried but the testimonials and my own research indicates it is an excellent product charges $39 and then wants more for yearly updates. :blink: Enough said for now. :(
     
  9. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    To be completely honest, we don't do that. Software that is just packed can be unpacked by a filescanner, but many malwares are now hacked after being packed as well as repacked multiple times. Encrypting may be able to be decrypted through brute force, but it isn't easy and would be very time consuming.

    For example, consider a typical malware submission. You zip and password protect (which is encrypting) in order to bypass AV systems on your end and theirs. The file gets through. Neither AV spends hours on end trying to hack the password; it gets put through as "encrypted file ignored/bypassed".
     
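muf's question above (can a file scanner decrypt?) and Nancy's answer (a password-protected archive goes through as "encrypted file ignored/bypassed") describe the one failure mode a scanner should at least report instead of silently passing. The Python below is an added example, not BOClean's or any vendor's code: it reads a zip's central directory and flags every entry that carries the encryption flag (general-purpose bit 0) or the WinZip AES pseudo-method 99. The `build_zip` helper and the entry names are constructed for the example so it runs offline.

```python
import io
import struct
import zipfile
import zlib

# Zip record layouts (PKWARE APPNOTE); only flags, method and lengths matter here.
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"         # 30 bytes
CENTRAL_DIR_FMT = "<IHHHHHHIIIHHHHHII"    # 46 bytes
EOCD_FMT = "<IHHHHIIH"                    # 22 bytes
LOCAL_HEADER_SIG = 0x04034B50
CENTRAL_DIR_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is password protected
METHOD_AES = 99           # WinZip AES encryption is signalled as method 99


def build_zip(entries):
    """Construct a minimal stored (uncompressed) zip archive in memory.

    entries: list of (name, payload, flag_bits, method). This only fabricates
    test input for the example; a real scanner reads archives from disk.
    """
    body = bytearray()
    central = bytearray()
    for name, payload, flags, method in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        local_off = len(body)
        body += struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, method,
                            0, 0x21, crc, len(payload), len(payload),
                            len(name_b), 0)
        body += name_b + payload
        central += struct.pack(CENTRAL_DIR_FMT, CENTRAL_DIR_SIG, 20, 20, flags,
                               method, 0, 0x21, crc, len(payload), len(payload),
                               len(name_b), 0, 0, 0, 0, 0, local_off)
        central += name_b
    cd_off = len(body)
    body += central
    body += struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                        len(central), cd_off, 0)
    return bytes(body)


def encrypted_entries(data):
    """Return [(name, scheme)] for every entry a scanner cannot open.

    Reads the central directory (the authoritative index) rather than
    trusting local headers, whose sizes may be deferred to data descriptors.
    """
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    findings = []
    off = cd_off
    for _ in range(count):
        fields = struct.unpack_from(CENTRAL_DIR_FMT, data, off)
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        name = data[off + 46: off + 46 + name_len].decode("utf-8", "replace")
        if method == METHOD_AES:
            findings.append((name, "AES"))
        elif flags & FLAG_ENCRYPTED:
            findings.append((name, "ZipCrypto"))
        off += 46 + name_len + extra_len + comment_len
    return findings


def verdict(data):
    """Scanner policy: an archive with unreadable entries is never 'clean'."""
    return "NEEDS_REVIEW" if encrypted_entries(data) else "SCANNABLE"


def readable_with_zipfile(data, name):
    """Cross-check that the stdlib parser accepts the constructed archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    sample = build_zip([("readme.txt", b"hello world", 0, 0),
                        ("sample.exe_", b"MZ\x90\x00", FLAG_ENCRYPTED, 0),
                        ("strong.bin", b"\x00\x01", FLAG_ENCRYPTED, METHOD_AES)])
    print(verdict(sample), encrypted_entries(sample))
```

The policy point is in `verdict`: an archive the engine could not inspect is surfaced for review, rather than counted as clean because nothing matched.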
  10. S!x

    S!x Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    51
    Location:
    Ohio, USA
    So what are you saying? ... Please, don't tell me you are actually comparing BoClean to NOD for virus detection?

    Trojan Hunter 1 out of 100? ... TDS 37 out of 100 ... BoClean 100 out of 100 - C'mon friend ... we're not idiots here. :D Seeing how they were from BoClean's private stock - and having access to them to create definitions ... frankly makes this whole thing a wash. (imo)

    This was a half a$$ test ... and one which magically seemed to pop up at every security forum. Then, in defense we get this statement: "Nobody can accurately test comparison trojan scanners" - WTF did you just try and sell everyone on?

    This type of marketing is better left to scumbags and bottom-feeders - of which you're neither :D
     
    Last edited: May 15, 2005
  11. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Nope, that is not what I said nor is it what I am saying. It is a price comparison of two security products and NOD32 costs a lot more. Virus, Trojan, spyware, rootkits, whatever, all crap that gets on your system. What is the least expensive way to protect yourself and still obtain good service at a fair price? That should be your goal, and BoClean is one excellent choice for the stuff an AV may not in many cases get, no matter how good it gets in the Virus area. Give me cheap or free AV (cheaper is better than free) so I can pay for a Trojan Killer. BoClean over the long haul has been very cost effective under the current pricing structure. Will it change? I do not know, but if it does I will reevaluate at that time. I just picked NOD32 as an example because I like it, but it is more than I think it should be when compared to other similar products.

    IMHO I have found BoClean combined with Command AV some of the most powerful, resource friendly and cost effective protection out there. Now, just because I did not talk about a firewall do not think :rolleyes: that I am suggesting you do not need one...lots of good ones there too...another topic... ;)
     
    Last edited: May 16, 2005
  12. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I suppose some further explanation is required since this silliness continues (curious how it's just here and ROKOP, but I digress) ...

    The "furious activity" when BOClean starts up with your system is the result of registry, port, and file scanning of anything connected with startups. Hell, we've heard reports of BOClean firing up a "Trojan found" THERE sometimes. I wouldn't whine about "file scanning" the way I do as a coder if I actually believed it was useful beyond "oh wow! A MATCH!" ... so yes, we do "file scanning," "registry scanning," "SERVICES scanning" and "kernel load" scanning. Kinda necessary with things like "HACKDEFEND" loaders (to save database space, we try to abbreviate where possible to do so) as WE call them - or "Hacker defender" as the rootkit kids know them. But my own attitude about "file scanning" is based upon years of personal experience. It's been USELESS since 1997 with "crypting, packing, repacking, stuffing, hacking the headers and redirection" as well as other techniques. There are a million ways to make a "no match" against "signatures" ... THAT is why any of us still have a job. The AV's are STILL living in 1980. :(

    So let's fire up the "way back" machine as we did in the newsletter from which this "thread of angst" careened off the tracks into a bridge abutment, and was twisted with the floor shows of our competitors ... let's "make it real" then ...

    When BOClean 1.01 was released, it was a FREEBIE. The "final straw" was the way everybody ELSE was handling the original "Back Orifice" trojan. POORLY. That's where "BO"-clean came from as a name. And as miserable a "marketing brand" it was, it stuck *way* back and changing that name to "TRO-clean" or similar would have broken the "history." In THOSE days, there wasn't UPX or Polycrypt or all the other "masking" tools to elude file-scans. The ORIGINAL BOClean scanned the file, and then killed the process as well as its injected DLL. Corrected the corrupted "import tables" from the 9X kernel that had been jiggered to hide it (real easy, they SAVED the original values to another piece of memory so it could be copied BACK upon a "cure") and we checked the files.

    Also back in those days, every "trojan" on the planet that had an auto-startup did so from the HKLM hive, "Run" key so as to start up before you logged in. My "bad attitude" therefore comes from the historical fact that these things were *SUCH* an easy kill back then, how COULD the antiviruses not even NOTICE these things? :(

    So the FIRST BOClean *was* a simple file scanner. In fact, in order to maintain the "overlap" from releasing a NEW version vs keeping folks running the OLD version going so that we could get them all upgraded before we shut off old stuff, the database coding even to this DAY still holds a pair of fields for each FILE we examine and determine to be "unique" and thus added to the database. However, only the ORIGINAL file data from the ORIGINAL copy of the trojan is in there as the database REQUIRES an entry for that even though it's no longer germane to the way BOClean operates since version 2.0.

    But what's ALSO amusing about that is that garden-variety "spyware" and all those nasty "worms" that the antiviruses DO do, don't change. MASS-distributed nasties are indeed capable of being detected with a file scan. "Easy pickin's" ... so in THOSE situations, BOClean can indeed "find the mystery meat" on a file scan. But it WON'T find "repacked variants" or modifications to the file. This has ALWAYS been the downside of "file scanning" and thus my disdain for it ... sometimes it works, MOST of the time it doesn't. You can thank creative ne'er-do-wells who will pound away at crypting, repacking, triple-packing, stuffing and other tricks to make a file scanner go away. As I've always maintained since BOClean 2.0, "memory is where you want to be - if the SCANNER fails, this is the way to win." And it's worked all the way along. And with each version, more refined in speed and capabilities.

    But BOClean DOES do a file scan, always has, consider it USELESS vestige of "history" ... any time BOClean detects "trojan name" instead of "trojan name VARIANT" then it was a file scan that successfully detected it. But those are DAMNED rare. That's why we always "peddled" BOClean as a "secondary line of defense" ... everybody and his cousin is in the "scanning" business and that always requires "HALT THREAD!" stopping the machine cold while they "sniff" through all of their "signatures" (the MORE signatures they HAVE, the longer it takes!) for all those files. While the thread is halted though, CPU is spiking its butt off. *WE* have frequently gotten blamed for that when OTHER products were the ones actually holding the CPU ransom in our name, since we were the last "sample" in the PERFMON registry entries. AND the more qwap you have "shutting down the CPU while the LAST registry entry gets timed out," the "spikier" it gets. There's some REAL garbage out there being peddled as "security software" these days, but Madshi's code sells well to newbies to all who can't count CPU clocks, nor clock "systemwide hook" results unless they're ones that have callbacks, "nop" waiting. There's a lot of GARBAGE out there as far as CPU usage goes, but I won't name names. Still, it angers me to no end that WE've been blamed for it here and there. :(

    And the MORE stuff you have stopping the CPU for a community sniff, the slower things get. Most antiviruses are VERY good these days (though not perfect - only things like SOBER seem to make them put out an update "now" instead of when it's convenient for THEM) and we always designed BOClean to NOT hijack the CPU for the sake of the end user. Our original customers ("institutional agencies") demanded "unobtrusive, small and don't get in the way" ... that's what we delivered.

    So ... as part of this little secret, a revelation to screw with if you want to - it's been part of BOClean since version 2.01 and remained undocumented because *I* always believed it was USELESS ... behold! :)

    Right click the BOClean traybar icon (despite rumors by our competitors that a right click buys you nothing) ... when the button bar appears (you DID grab it by the top at some point and moved it where you wanted, no? Heh) let it just SIT there.

    Now ... open a file explorer window, pick a suspicious file (or a known malware, OR "test trojan" like Steve Gibson's LEAKTEST - that one's SAFE to play with) and DRAG it carefully and DROP it on the menu ... preferably near the top, but depending on your video driver, just about anywhere there will do - if you miss, nothing will happen. If you "hit the sweet spot" (it's big) then a window will appear as it SCANS the file!

    Chances are though, aside from things that ain't been played with or are "mass-distributed", nothing will happen. If it DOES match a "file pattern signature" then the alarm bells will go off! And if it's "access denied, in use" then a reboot will get rid of it if it happens to be running. The ORIGINAL FREE BOClean worked this way.

    So now, the naysayers will say "why didn't you ever tell us about this? It'd be USEFUL!" ... answer is simple. I determined in 1997 that this wasn't RELIABLE. And if I told people that was there, then there'd be some REAL unhappy campers if they "scanned it" and it wasn't DETECTED! There's the answer.

    But OUR associates HERE test with that feature to determine whether to send it to us or not. If it's already detected, they don't send it to us. If it ISN'T detected, they do. When I spoke earlier on of "scanning to see" this is what I was talking about. The number of detects from the "file scan" are PITIFUL! Once we get them in the lab though, a very large number turn out to be variants that are detected as soon as they try to start up, though the FILE SCAN found nothing. THIS is what I was talking about, and why I maintain (it's *in* BOClean if yer dumb enough to TRUST it, WE don't!) that "file-scanning" is WAY too easily fooled. If it actually WORKED, we'd put it in there.

    And as far as "emulators" go, "virtual machines" for nasty detection are incredibly expensive on resources and system stability. And the vast majority of modern trojans work on a basis of DETECTING "IsDebuggerPresent()" using the WINAPI. If you're VM'ing, or you're running a "sandbox" or "observation tools" ... many of these bastards will detect that, and "behave uniquely" until they've been cleared to run on a REAL machine. Been there, smoked that too. :)

    I tried to explain that the "test results" that were perhaps unfortunately distributed with the newsletter on an otherwise CRITICAL topic were done "tongue in cheek" ... that was MY intention. However, the RESULTS were true and the purpose was to ILLUSTRATE what happens when a "test" is a "snapshot" in time. It was 4AM here in the states when it was done. That would be 8AM GMT and 10AM in central Europe - certainly a reasonable time to expect any updates to be out, especially for companies located THERE and EAST of there. NONE of this was intended to be an "insult" against EWIDO. Hell, you guys actually showed up on the CLOCK! Compare to OTHERS.

    A2 hadn't updated since BEFORE the major outbreak! Nor had "SpyBot S&D" and the *MAJOR* brand antiviruses! It was this LATTER bit of date info and "zero scores" which MADE it "news." If yer gonna DO this for a living, then ya gotta be there, weekends included. Security is NOT a "part time hobby gig." You gotta be there WHEN you're needed. Ewido WAS. TDS was ... I don't wanna go back and look, but those products that *I* respect did fairly well given all the biases and one PYTHED-OFF "contributor" whose work goes to ALL parties had commented that "BOClean is the only one who responds to what I do within an hour or two at worst - not ONLY don't the others apply what I sent in a timely manner, YOU are the only one who's actually THANKED me for sending the stuff - so here's what I tested."

    SORRY we published it I suppose, but as someone who's ensured that things we DIDN'T see got to us (and everybody else, I checked) I felt I owed him the chuckle of submitting that for publication too. So ... was it a joke? It was INTENDED to be, but at the same time, it was ALSO an HONEST result at the moment he did the tests. So maybe it WASN'T a joke after all. But when I presented it for publication, I went out of my way to say "HIGHLY BIASED TEST" and several other OBVIOUS comments to tell the even half-clueful: "kids, don't try this at home." (or DON'T take this seriously) I should have realized, as isolated as I am living in the woods near Canada "in these terrorist times" that the first victim of mass paranoia and tinfoil hat mentalities out there, that a decent sense of humor would have been the FIRST casualty. The results were true for the probably five minutes that the reality lasted, but MANY "reviews" of antiviruses actually published in magazines with a CLOCK counter as to EXACTLY when they updated. As a result of that publication, suddenly it was a "point" ... We were there with the update at that time, where was everybody else? :(

    But GEEZ, kids! Once upon a time, all of us COOPERATED and SHARED with one another. There wasn't this "cutthroat mentality" ... the reality is NOBODY is making money in the "antitrojan business" and we never DID and we never WILL! People really believe that NORTON and McAfee will solve all their problems and catch everything, and is the only thing they'll ever need. Heh. Those of us who DO this know better. And perhaps the most IMPORTANT lesson for EVERYBODY ... when somebody goes out of their way to SEND you a sample that you DON'T have to pay people to get for you because they're motivated by DOING the "right thing" by SENDING you that sample, HONOR them by handling them for the gems of "community soul" that they are. GET that updated out and *THANK* them for their efforts! ANSWER their questions, TELL them the story and *DON'T* be smug in an attitude of "the world OWES me samples." It ain't that way.

    BOClean works because we have *APPRECIATED spotters* out there - the folks who we consider as FRIENDS and BENEFACTORS for doing so ... we have FUN with them, and we HONOR them for volunteering time sending us additional toys to what we find on our own. While the person who did the TEST sent samples to all of the "vendors" who were offended, I also note that we've got a lot of OTHER spotters who DON'T consider some of the newcomers as "recipients" as well. The "test results" were NOT based on any samples which had not already been sent to the "offended," so if this is insisted upon becoming an ISSUE, y'all failed the test fair and square. It wasn't OUR intention to make such a big deal over it. As I've said, once upon a time, vendors were COOPERATIVE with one another, even as "competitors." Unca Wayne and I, as well as several others, still observe this "professional courtesy" of mutual respect. Sadly, some newcomers prefer to wage battles instead of building bridges with those of us who still have EVERY trojan ever released. Pity for THEIR customers. :(


    Finally, as for you ROKOP kids ... geez. You guys are sounding like AMERIKANERS. I *am* one, and prefer a more civilised reality. This living in a tinfoil hat ain't good for the soul or the sanity. CATCH a train to AMSTERDAM ... visit a few kaffe haus' ... get LAID ... you'll chill yet. Might even make some FRIENDS. (grin)

    But fer Krimminy's sake ... GROW UP! It's all about CHOICES as "vendors" ... you can CHOOSE to make friends, or you can CHOOSE to make adversaries. In this thread, as well as our collective dealings with each other, not much offered in the way of choices. It's not like *ANY* of us are "getting rich" doing this. :(
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yep, point taken Kevin .. and your statement is crystal clear to me.

    I didn't want to offend you OR your superb product .. afaik there haven't been any recent hijackthis logs with boclean in them, so I know for a fact Boclean does its job.

    I will go to Amsterdam (However I prefer Maastricht cause it's only 15mins away :)) and I will think of you when I light one up ;) ohh yeah!
     
  14. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    HJT logs posted by users of BOClean are rarer than hen's teeth.
     
  15. controler

    controler Guest

    Whew!!!! words are a very powerful tool ;)

    Look what happened this week with NewsWeek. One report of how the US soldiers flushed a copy of the Koran down the toilet outraged the Islam community around the world. NewsWeek now says the report was not true after many people have died over it.

    Now Kevin, you know as well as I do, a tin foil hat is good for nothing unless it has a nice copper wire running from the hat to earth ground :D

    There are many waves traveling around these air spaces these days. On a side note, without sounding paranoid, Countries have been studying mind control for years. Must not work. Look at the turmoil the world seems to be in?

    Sounds like you are living in a nice area away from the busy bee city life. I envy you. I don't know if it is as nice as Minnesota though LOL

    Kevin? If you do get back to this thread, I was wondering what you thought about programs such as deepfreeze, shadowuser, etc? Do the new nasties search for them also? I think they are just a nice app for home users, with other security in place.

    I know for one, I have always respected your thoughts on many a subject. Your support can't be questioned. I doubt you will get the same black sheep listing that this site gave to Paris ;)

    I can give an example of how a nice AV can be of use. Last week I got hit by one of those variants. Since I did not execute it, BoClean wasn't needed. IF the scanner in the AV would have picked it up, I could have warned my friends. The AV didn't pick it up and neither did a half dozen other well-known AVs. I am guessing it took almost a week for Norton to start catching the bugger.
    This is how I KNOW looking at the mem is a good choice. Everything we do has to go thru mem. This brings me to the latest in Mem protection offered by M$: DEP, soon to be included in the CPU if it isn't already. Supposed to stop anything else from holding the same mem space at any given time. Any thoughts on this? The default setting in XP is OS system files only but can be changed. Without a DEP enabled CPU, current DEP is software only.

    Have a nice day

    Bruce
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    I've never seen one.
    If you know where to find one, give me a link to it.
     
  17. AShaR

    AShaR Registered Member

    Joined:
    Jul 31, 2002
    Posts:
    91
    I can see how BOclean would be a great tool on a clean pc, but how effective is it on an infected machine? What if the keylogger or rootkit is already installed? Will it still zap the bad guy?

    Incidentally I am a big fan of BOclean's one time fee, multi-user licence approach. I would have bought in if I had got a response from someone representing BOclean either here or through email. It might be a great product but lack of feedback to people who aren't in the know results in lost customers.
     
  18. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Yes. When BOClean boots (either started on an already running system or at system boot) it scans the entire system...memory, registry, etc. and it will nail any nasties it knows upon recognition.
    Sorry about your experience, we do try to answer all mail. Sometimes keeping up with all the nasties completely consumes the standard 24 hour day. If nothing more, you can be sure of our dedication to keeping our customers protected.
     
  19. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Kevin,
    No need to do a big quote. I am a customer who understands and appreciates what you are doing.

    Doubters,
    Nothing I have heard here from either Nancy or Kevin is inconsistent with what they have told me both privately (emails) or publicly over the years. Some just refuse to listen. I guess it is just the way it is :rolleyes: I do not know what it will take for some to understand. At least one competitor posting thinks they are not being honest. Perhaps a hidden agenda; well, this customer knows better of their honesty. At some point one must take a stand for their product and set the record right. Some have faulted them for doing it.

    Well my comments are based on my observations and experience with the company and its products. I will continue to watch this thread with keen interest. Read my signature it is why I enjoy being here. No matter how much I disagree at times. ;)
     
  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I don't think anyone following PSC's position would accuse them of wavering or being unclear. One can debate the relative merits of these applications or the technical approach that PSC employs until the end of time, but personally, the complete lack of HJT logs listing BOClean speaks volumes to me. Sure it is anecdotal, but that doesn't immediately disqualify it from consideration. There are a few other applications that seem to never make it into HJT logs, but this thread is about BOClean, so I'll keep it focused on BOClean.

    There are a few companies which engender extreme brand loyalty in this industry. PSC appears to be one of them. I must admit that I have BOClean running on all 5 of my home machines. It works, there isn't much more to say. It is there as my own realtime backup.

    I wish continued success for PSC with somewhat selfish motives, I like the fruits of their labors. The simple fact of the matter is, if every person working through an HJT log session took a breath, decided to get serious about keeping their machines in order, and spent the $40 for BOClean, there would be a lot less HJT activity and stress from casual users out there. It is one of the simplest applications on the market, and one of the most powerful.

    Blue
     
  21. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I have to agree. It seems like about once a year, PSC publishes something that gets collective panties in wads, (for whatever reason--known only to the wad-ees) and there is much wailing and gnashing of teeth. :D

    But in every instance I've seen, they put their money where their mouth is and back up their product. Either you "get" Kevin, or you don't. He teaches me something every time he posts, and I always get a chuckle.

    I've mentioned several times that their customer support and product is outstanding. At the top of the list of software companies I've ever dealt with, that's for sure.
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While it is true that memory scanning can counter the compression/crypting schemes currently used to defeat file scanners, it does have the problem that the suspect malware has to be allowed to execute, at least partially. If the malware does all its decrypting/decompressing first before attempting any mischief, then memory scanning should detect it before any harm is done - however it seems perfectly plausible (and likely in my view) for someone to design a trojan with techniques to hamper memory scanning.

    The only truly safe method for detecting malware would be via code analysis/emulation where the scanner would create a "virtual PC" environment to run the suspect code in - this would however be far more computationally expensive as Kevin has pointed out.
    DEP is where the CPU only allows programs to run from memory that has been marked as executable (see MSDN's Data Execution Prevention article). Since programs have to do this marking themselves, DEP is going to have no impact on malware that takes account of it (it would be an extra issue for the author to consider, just like with any other program). Where DEP can help is with preventing buffer overflows (where excess data is sent to a program with the intention of overwriting program pointers and causing an attacker's code to be run instead). However, anti-trojan scanners may be able to hook into DEP themselves and use it to assist in program analysis.
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  24. ,.-

    ,.- Guest

    You know what a rootkit is? I don't believe that BOC detects and removes(!) ring0 rootkits.
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This is more likely to be due to there being no trial download of BOClean available. Those people submitting HJT logs therefore may have loaded one or more trials of other anti-trojans instead in an attempt to clean their system. Now clearing out active malware (especially those using rootkits) is a much harder task than preventing it from installing in the first place, so it is not really possible (or fair) to judge other products by the frequency of their appearance in HJT logs.
     