Tests/Reviews

Discussion in 'other anti-trojan software' started by Pan, Mar 10, 2003.

Thread Status:
Not open for further replies.
  1. Pan

    Pan Guest

    Hi

    From reading here it seems the big 3 are TDS, TrojanHunter and BOClean.

    But unlike with AV software, I don't seem to see any links to tests. Can anyone give me any links to some hard facts and proof that these are better than others, etc.?

    Thx.
     
  2. jmschwartz

    jmschwartz Guest

    Hello Pan,

    Try this site:

    http://www.wilders.org/anti_trojans.htm

    for a start.

    Regards,
    Jim
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    The problem with tests of anti-trojan software is that, unlike with anti-virus software, there are no independent test institutes. One of the biggest problems with anti-trojan tests is also that most of the time the testers do not have enough knowledge and include in their test sets files that are not real trojans.

    Also av-test.org, for example, which is a reliable source for anti-virus tests, is still publishing tests that ignore this fact. So the trojan-detection line in each av-test is IMHO rubbish.

    Another problem is that most 'trojan users' (or script kiddies, or whatever you would call them) are using tools and methods to make the trojan 'undetectable' (or better: more difficult to detect ;)). Most tests just do not consider this 'reality'. So you will read from time to time that for example NAV or AntiVirPE (which we discussed recently in another thread) are able to deal with trojans. That's IMHO wrong. Just download a tool like UPX (which is a valid tool) and repack a trojan. NAV or AntiVirPE would detect nothing. Every 'trojan user' knows that. But of course this problem does not apply to anti-virus software at all. There are still anti-trojan programs on the market which can't deal with such modifications either.

    So it is really hard to find good anti-trojan test results on the web. For German-speaking users I think http://www.rokop-security.de is a good point to start. :)

    wizard
     
  4. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    >But of course this problem does not apply to anti-virus software at all. There are still
    >anti-trojan programs on the market which can't deal with such modifications either.

    NO AT program can deal with packed trojans. Some of them are using techniques like memory scanning, which is very unreliable - but no AT program can deal with them in their packed or encrypted form. Ok - some of them can unpack UPX. But it's not very hard. If you want to hide a trojan from these scanners, just use ASPack or TELock, for example.

    >So it is real hard to find good anti-trojan test results over the web. For German speaking
    >users I think http://www.rokop-security.de is a good point to start. :)

    Rokop never tried to patch a trojan, did he? It would be interesting to see how well or badly TrojanHunter, TDS-3 and BOClean can deal with it if the malware is patched, and how strong the signatures are.
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Don't think so. TDS-3 or TrojanHunter can. We might agree here that either TrojanHunter or TDS-3 is able to deal with 100% - but that's something no product can claim. I think memory detection is not the perfect solution (unpacking isn't it either ;)) but at least it is better than most AV products can offer.

    If you compare it against an unpacking engine, then you have to say that this is also an unreliable technique, because you have to add unpacking for every individual packer. So as long as the scanner does not recognize the packer, the trojan stays undetected. So the solution might be a combination of both: unpacking engine and process memory scan. Like the concept of DrWeb, for example.

    BTW I forgot there is now a German guy (who now lives in Austria) who promises to deliver something much better called 'system firewall'. You might know him. ;)

    As far as I know Roman never published a test with patched trojans. But I agree this is of course an interesting test which has to be done in the near future as well. :)

    wizard
     
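The repacking point made in the posts above (wizard on UPX, angel on UPX and other packers, wizard on per-packer unpacking engines), as an added illustration that is not part of the thread: a byte-signature scanner loses its match as soon as the file is repacked, recovers it only if it unpacks first, and a per-packer unpacking engine helps only for packers it recognises. zlib stands in for a real packer; the `PACKSTUB` marker, the sample bytes and the signature are all constructed, and byte entropy is shown as the cheap heuristic a scanner can use to flag "packed, unpack before scanning".

```python
import math
import zlib

# Constructed sample: a byte pattern a scanner's signature would match on,
# embedded in a fake program image.  Nothing here is a real trojan or signature.
SIGNATURE = b"CONNECT_BACK:6667"
SAMPLE_BINARY = (b"MZ" + b"\x00" * 40
                 + b"some program code " * 8
                 + SIGNATURE
                 + b" more code" * 8)

PACK_MAGIC = b"PACKSTUB"  # hypothetical marker standing in for a packer's stub


def pack(data: bytes) -> bytes:
    """Stand-in for a runtime packer such as UPX: the original bytes no longer
    appear in the file, only a compressed image behind a (here: toy) stub."""
    return PACK_MAGIC + zlib.compress(data, 9)


def unpack_if_known(data: bytes) -> bytes:
    """Stand-in for a per-packer unpacking engine: only the one packer it
    knows (our marker) is undone; an unknown packer is returned unchanged,
    which is exactly the gap wizard describes."""
    if data.startswith(PACK_MAGIC):
        return zlib.decompress(data[len(PACK_MAGIC):])
    return data


def signature_scan(data: bytes) -> bool:
    """Plain byte-pattern scan, the technique the posts say repacking defeats."""
    return SIGNATURE in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  Compressed or encrypted images score markedly higher
    than plain code/data, a cheap hint that unpacking is needed first."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes, unpack_first: bool) -> dict:
    """Scan the file as-is (naive scanner) or after the unpacking engine ran."""
    image = unpack_if_known(data) if unpack_first else data
    return {"detected": signature_scan(image),
            "entropy": round(shannon_entropy(data), 2)}
```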
  6. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    >Don't think so. TDS-3 or TrojanHunter can. We might agree here
    >that either TrojanHunter or TDS-3 is able to deal with
    >100%

    TDS-3 and TrojanHunter are not able to deal with 1% of them.

    >I think memory detection is not the perfect solution (unpacking
    >isn't it either ;)) but at least it is better than most AV products
    >can offer.

    Most AV products can deal with more than 1 exe packer/crypter.

    >If you compare it against an unpacking engine, then you have to
    >say that this is also an unreliable technique, because you have to
    >add unpacking for every individual packer.

    No. There are several ways to generically unpack a file. You don't have to know the exact packer.

    >So as long as the scanner does not recognize the packer, the
    >trojan stays undetected. So the solution might be a combination
    >of both: unpacking engine and process memory scan. Like the
    >concept of DrWeb, for example.

    I think all programs have to use the "ReadProcessMemory" and "OpenProcess" API. Well, you do not know the a² wall as I do, but it is very funny if you deny TDS-3 or TrojanHunter permission to open a process. A backdoor can do it in the same way. Just do an import table hook of OpenProcess and/or ReadProcessMemory ... very easy. Sample source code for an import table hook can be found on Germany's biggest script kiddie page:

    <link removed>

    >You might know him. ;)

    It's my neighbour *rofl*. Well, not exactly. He lives in the street next to me :D.

    >As far as I know Roman never published a test with patched trojans.
    >But I agree this is of course an interesting test which has to be
    >done in the near future as well. :)

    Well ... we will see :D.
     