PC Doorguard

Discussion in 'other anti-trojan software' started by Main, May 3, 2003.

Thread Status:
Not open for further replies.
  1. Ph33r_

    Ph33r_ Guest

    Xor posted the url as a demonstration to his previous post… ;)
     
  2. Ph33r_

    Ph33r_ Guest

    Difference is this can only happen with ASCII files and not Binary files… ;)
     
  3. xor

    xor Guest

    It is not the point how well these examples are compressed or whether it is only possible with ASCII files; the point is to show that you have to be aware of such "jokes" as well if you use archive unpacking.
    You can even fool KAV with some strange RAR files - no problem.
    The point of my reply here was just to say that it's worthless to test for malware detection in different archive files such as RAR or ZIP.
    Some scanners set so-called nested stop levels here - to avoid a deadlock in a ZIP file with thousands of other ZIP files. So if you put a virus file in such an archive it will never ever be found with an on-demand scan. But it will be detected if you move it out of this ZIP file (RTM)

    Michael
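The nested stop level xor describes, worked through as an added example that is not part of the thread and not any scanner vendor's code: the script below builds a ZIP nested several layers deep in memory from a constructed marker file, scans it with a depth limit the way a scanner with a stop level would, and counts what the limit left unexamined. It also unwraps the archive completely, which is the "move it out of the ZIP" case where an on-access scan sees the plain file. MARKER, the function names and the depth values are assumptions made for the demonstration.

```python
"""Nested ZIP scanning with a depth limit ("nested stop level").

Added example, not code from the thread or from any scanner vendor. The archive
is built in memory from a constructed marker file, and "detection" means finding
that marker, standing in for a real signature match.
"""
import io
import zipfile

# Constructed stand-in for a file a scanner would detect.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def detect(data: bytes) -> bool:
    """Plain-file check: the scanner's signature match, reduced to a marker search."""
    return MARKER in data


def build_nested_zip(depth: int, payload: bytes = MARKER) -> bytes:
    """Return a ZIP that contains a ZIP ... `depth` layers deep, with `payload` innermost."""
    data, name = payload, "inner.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_archive(blob: bytes, max_depth: int, depth: int = 0) -> dict:
    """Recurse into ZIP members no deeper than `max_depth` nested archives.

    Returns hits, the number of nested archives skipped because the limit was
    reached, and the deepest level actually opened. The outermost archive is
    depth 0. Skipped archives are counted, not silently dropped: a scanner that
    hits its stop level should report that, because everything below is unscanned.
    """
    result = {"hits": 0, "skipped_archives": 0, "deepest": depth}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    with zf:
        for info in zf.infolist():
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                if depth + 1 > max_depth:
                    result["skipped_archives"] += 1
                    continue
                sub = scan_archive(member, max_depth, depth + 1)
                result["hits"] += sub["hits"]
                result["skipped_archives"] += sub["skipped_archives"]
                result["deepest"] = max(result["deepest"], sub["deepest"])
            elif detect(member):
                result["hits"] += 1
    return result


def extract_innermost(blob: bytes) -> bytes:
    """Unwrap every ZIP layer, as a user does when moving the file out of the
    archive; the resident (on-access) scanner then sees the plain file."""
    while zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            blob = zf.read(zf.infolist()[0])
    return blob


if __name__ == "__main__":
    nested = build_nested_zip(5)
    print("stop level 10:", scan_archive(nested, max_depth=10))
    print("stop level 2: ", scan_archive(nested, max_depth=2))
    print("unwrapped file detected:", detect(extract_innermost(nested)))
```

With five layers and a stop level of 2, the marker is never reached and the scan reports one skipped archive; with a stop level of 10 it is found at depth 4. The skipped count is the piece a user actually needs from a stop level: a result that says "clean" while sub-archives went unopened is the silent gap xor is warning about.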
     
  4. Ph33r_

    Ph33r_ Guest

    Hey xor

    I know what you are saying; but I doubt anyone here has personally experienced anything of the sort unknowingly. Maybe I’m mistaken but I know I’ve never seen anything of the sort happen to me or to those I work on. And if a malicious archive as you described existed, anyone normal could spot the large delay & cancel out of the operation, view the file manually and decide whether to exclude it, delete it or re-scan it…

    And I cannot speak for others but when I select “Archive Scanning” I want my archives scanned thoroughly, no matter how many sub-archives, sub-directories & files exist within.

    And if you looked through the log I posted, depending on your eyesight one can easily pinpoint numerous issues that I’ve discovered for all the popular ATs I tested…
     
  5. xor

    xor Guest

    If you test AT then you should test

    * Heuristic / Generic Detection of trojan/backdoor samples
    * Runtime Decrunching / Decrypting and not archive scanning
    * Signature strength means weak signatures where you can just change "Optix" into "3-SDT" inside a backdoor and it goes undetected

    And some other things more, but I am really too lazy now to explain to you how to test trojan scanners.

    Michael
     
  6. Ph33r_

    Ph33r_ Guest

    Hey

    Like I said previously I have done numerous tests but I wouldn’t dare post them all here; you guys criticize everything I have posted so far and besides I don’t have time to waste, but HEY no one’s stopping you… ;)
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Oh come on Ph33r_ :) show us yours first. We promise to read all of it. ;)
     
  8. Ph33r_

    Ph33r_ Guest

    Hey Primrose

    If the few folks hadn’t attempted to criticize my post, which was only intended to bring awareness of archive scanning issues, then most likely I would; and besides I’m not sure anyone comprehended the test results. And I don’t have time to waste explaining & pinpointing bugs/issues in baby terms.

    Regards,
     
  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Well you know you are always welcome, and thanks for your time.


    Regards,
    John
     
  10. Ph33r_

    Ph33r_ Guest

    Thanks Primrose! :D
     
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Hi everyone! I have to admit that I am just at the beginning in the AT world. At first I thought it is only the trojan database including variants that matters, and of course ease of use. That's why I now have Trojan Remover 1.1.1. and PC DoorGuard 3 on my PC. PC DoorGuard 3 has quite a large database against trojans, several hundred more than Trojan Remover has and thousands more than Tauscan has, when all variants are included. :rolleyes:

    After that, when I found some simulator tests right here in "Other Anti-Trojan Software" at Wilders Forum, I got very suspicious about some AT products.

    Yesterday I made a test with "TrojanSimulator", from that link:

    http://www.misec.net/products/TrojanSimulator.zip

    After that I made a second test with "GAV test-virus", from that link:

    http://www.gladiator-antivirus.com/downloads/gavtest-setup.exe

    After those tests, it was only Trojan Remover (in my mind) that passed both tests. PC DoorGuard 3 and Tauscan 1.6 were totally silent. :eek:

    And then the main questions about those three.

    Are PC DoorGuard and Tauscan after that totally useless?

    Trojan Remover 1.1.1. has only an On Demand scanner, but it does a scan every time you have started your PC; is that enough?

    Is it possible to make some AT scanner better by using a powerful compress and uncompress tool that is capable of looking inside runtime packers, and is it possible to integrate an anti-virus or anti-trojan with that program? Or was that a totally nonsensical idea? :rolleyes:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  12. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    If both don't deal with packed (backdoor-)trojans they are. So from that point of view, as you are using F-Secure which is based on the KAV engine, an additional AT program is not necessary as KAV has one of the most powerful unpacking engines on the market.

    If it has an unpacking engine, but I doubt that (haven't checked their product for a while).

    No it is not that easy. There are hundreds of packers/crypters available and each (un-)packer needs to be added separately. This is a huge effort, e.g. I heard that Kaspersky should have a dedicated team just focusing on the unpacking engine with 10 (or so) people.

    wizard
     
  13. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    Thanks a lot! You never learn, if you don't try first!!! :D ;)


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  14. Ph33r_

    Ph33r_ Guest

    Hey Firefighter

    Absolutely not, Memory Scanning is necessary and more efficient.
    Unless you’re perfectly happy doing manual scans on EVERYTHING you receive off of the Internet and on disks given to you by supposed friends.

    And as wizard pointed out recently, the majority of the Anti-Trojan On-Demand Scanners are far from complete because they don’t handle packed/crypted trojans.

    For example, use ASPack (http://www.aspack.com) to compress the Trojan-Simulator files and re-scan them with your Anti-Trojan system and see if they are still known to it.

    And if you want to go further try something like UPX which can compress/decompress using different levels…
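The test xor lists as "runtime decrunching" and the ASPack re-scan Ph33r_ suggests both come down to the same question: does the scanner see through the packer? As an added example that is not part of the thread, not ASPack or UPX, and not any scanner's code, the script below uses zlib as a stand-in packer around a constructed byte string with a recognisable marker, shows a string-only signature missing the packed copy, then shows the two defender responses: an unpacking step for a packer the scanner knows (wizard's point that each one must be added separately), and an entropy check so that a packer it does not know is flagged rather than passed as clean. The sample, the detection name, the "STUB" header and the 7.0 threshold are assumptions made for the demonstration.

```python
"""Packed file vs. signature scan, with unpack-and-rescan and an entropy flag.

Added example, not code from the thread, from ASPack/UPX or from any scanner.
zlib stands in for a runtime packer; the "program" is a constructed byte string
with a recognisable marker, and the signature list is the weak string-only kind.
"""
import math
import random
import zlib
from collections import Counter
from typing import Optional

# Constructed sample: a marker line followed by reproducible pseudo-random text
# (seeded RNG), which keeps the unpacked body low in entropy but poorly compressible.
_rng = random.Random(1)
_ALPHABET = b"abcdefghijklmnopqrstuvwxyz "
SAMPLE_PROGRAM = (b"CONSTRUCTED-SAMPLE-SERVER v1.0\n"
                  + bytes(_rng.choice(_ALPHABET) for _ in range(4000)))

# String-only signature with an assumed detection name, the kind a packer defeats.
SIGNATURES = {b"CONSTRUCTED-SAMPLE-SERVER": "Sample.Server.Constructed"}
KNOWN_STUB = b"STUB"   # the one packer stub this toy "unpacking engine" recognises


def pack(data: bytes, stub: bytes = KNOWN_STUB) -> bytes:
    """Stand-in for a runtime packer: a stub header followed by the compressed body."""
    return stub + zlib.compress(data, 9)


def unpack(data: bytes) -> Optional[bytes]:
    """Stand-in for the scanner's unpacking engine: only the stub it knows is handled."""
    if not data.startswith(KNOWN_STUB):
        return None
    try:
        return zlib.decompress(data[len(KNOWN_STUB):])
    except zlib.error:
        return None


def signature_scan(data: bytes) -> Optional[str]:
    """Return the detection name of the first signature found, else None."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted bodies sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Signature scan; on a miss, unpack and rescan; if still nothing matches but
    the body is high-entropy, flag it as suspicious-packed rather than clean."""
    verdict = {"match": signature_scan(data), "unpacked": False,
               "entropy": round(shannon_entropy(data), 2), "suspicious_packed": False}
    if verdict["match"] is None:
        inner = unpack(data)
        if inner is not None:
            verdict["unpacked"] = True
            verdict["match"] = signature_scan(inner)
    if verdict["match"] is None and verdict["entropy"] >= entropy_threshold:
        verdict["suspicious_packed"] = True
    return verdict


if __name__ == "__main__":
    print("plain:         ", scan(SAMPLE_PROGRAM))
    print("known packer:  ", scan(pack(SAMPLE_PROGRAM)))
    print("unknown packer:", scan(pack(SAMPLE_PROGRAM, stub=b"OTHR")))
```

The plain sample matches directly; the same bytes behind the known stub match only after the unpack step; behind an unknown stub nothing matches, and the entropy flag is all that stands between that file and a clean verdict. That last case is why an on-demand scanner without a broad unpacking engine is the weak spot the thread keeps returning to, and why a memory (runtime) scan, which sees the program after its own stub has unpacked it, is a different test from scanning the file on disk.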
     
  15. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    At first I launched those AT test programs in the D:\My Downloads folder, after that I scanned that folder with F-Secure 5.41 and DrWeb 4.29c; nothing happened on the detection front. All that time I had my F-Secure resident scanner on. o_O

    Were those tests only for AT-programs? o_O


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  16. Ph33r_

    Ph33r_ Guest

    Anti-Virus Systems don’t handle the work of Anti-Trojan Systems very well, that’s my motto and I’m sticking with it! This would explain why the TrojanSimulator files and the other trojan testing system hadn’t been detected by your AV systems, unless you don’t update on a regular basis and your AV is improperly configured.
     
  17. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hmm, if a trojan simulator has been caught by an AT wouldn't that be a false positive??
    Dolf
     
  18. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Dollefie From Firefighter!

    If they were false positives with Trojan Remover, then it made two false positives in this case (= both tests)! How likely would that be with two different tests? :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  19. Metallica

    Metallica Guest

    :D
    Technically, that depends on the warning you get. If it is flagged as a trojan, that would be a false positive. If it is flagged as Trojan Simulator, as TDS-3 does with Magnus', if I remember correctly, that is a correct call.
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Metallica from Firefighter!

    Trojan Remover was capable of naming that malware as TrojanSimulator and described it a bit! The same went for the GAV test "virus". :rolleyes:

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  21. Metallica

    Metallica Guest

    Good for Trojan Remover. :)
    Could it kill/stop Trojan Simulator's server from being loaded?
     
  22. Ph33r_

    Ph33r_ Guest

    All there in the link given previously....
     
  23. Ph33r_

    Ph33r_ Guest

    There’s a valid point there too, that’s another of many reasons for using an Anti-Trojan System over an Anti-Virus System: Anti-Virus Systems usually remove trojan files and do not undo the damage done in the Registry and so on... I could be mistaken, not sure how many AV Systems exist currently and whether they’re now capable of undoing damage done in the Registry and so on, but all the AV Systems I used previously didn’t… And that is what I base my information upon…
     
  24. Metallica

    Metallica Guest

    I can see that it will be detected in memory, but that was not my question. ;)

    EDIT: our posts crossed. Did not see Ph33r's answer before I posted mine.
     
  25. Ph33r_

    Ph33r_ Guest

    I could easily come up with 101 reasons why I rely on & prefer using an Anti-Trojan System to do the work of trojan detection/removal rather than an Anti-Virus System. :D
     