Which Anti Trojan progam would be good for me ?

Hello everyone

I am very new here, and have a question regarding Anti Trojan software. I have surfed around looking for one and BOClean and Pest Patrol have caught my attention. But I just dont know which AT program to buy.

I already have Norton Internet Security 2003 installed, but it appears I will need something more to protect from Trojans.

Any advice, comments etc.. are more than welcome.

I am glad I found this site

 

Hi Tuskero and welcome to Wilders, Home of the friendly security conscious.
You can go here and get some good reviews on several programs.
BO Clean is good, TrojanHunter is good, and TDS3 is best, but it does have a bit of a learning curve and some find it daunting.
Unfortunately, it looks like Pest Patrol is turning into a lot of hype, but no substance. Too bad as it once showed promise.
We're glad to have you here, and I accept the fact that my opinion is just the opinion of one person, but I have been a security buff for a few years now and I try not to steer anybody in the wrong direction.

 

>BO Clean is good

Won't use BOClean. I think PSC and some others know why ... .

>TrojanHunter is good

Agree.

>Unfortunately, it looks like Pest Patrol is turning into a lot of hype, but no substance. Too bad as
>it once showed promise.

PestPatrol has still a quite weak engine and many many false positives.

 

Thank you guys for the fast response. I will be downloading Trojan Hunter to check it out

 

I'll bite.. why?

 

Andreas,

With all due respect I nevertheless have to say that I have a problem with one software-creator criticizing here the product of one of his/her competitors.

 

Sorry, but english isn't my native language ;o). The sentence doesn't make sence to me ). "Ich werde beißen" - do you try to eat me? ;o) Perhaps someone can say it in other words? )

 

Ok - first of all i won't provoke anyone ). If it sounds so please remember english isn't my native language ... .

A few time ago wizard did a test of BOClean (http://www.rokop-security.de/main/article.php?sid=21). There was one point:

a) Während der BioNet Trojaner problemlos erkannt wurde, übersah BOClean den neu gepackten Y3k.

(While the BioNet trojan was detected with both variants, BOClean missed the new packed Y3K)

A little bit later I found an other test http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests-2.htm ...

There you will find a little note:
Re-test Notes: In the initial tests run with Update 03/13/2002 23:31:28, BOClean detected only two of the trojan servers (Unpacked and default Packed). Once Update 03/17/2002 23:17:00 was applied, BOClean detected all six trojan servers.

I wanted to know if this is so with every trojan. So i buyed a version over a friend and did a huge test. I collected about 100 servers that BOClean DEFNITLY detects. Than i put them into one dir and did a upx *.*. After that nearly all were UNDETECTED (5 of 100 were found later). Later i found out why some where detected and why someone not. BOClean has some signatures of packed trojans in his database (mostly for common backdoors like bionet or subseven).

I asked PSC several times if BOClean is a MEMORY SCANNER. They said yes. I asked for the advantage of memory scanners. They said the possibility to detect ALL variants of a known trojan even if its packed or crypted. But the tests say something completly diffrent.

I tried to find out how BOClean works. I found something very interesting. If you run boclean and start a programm BOClean performs several read accesses to the program file. This can be checked easily using FileMon for example.

At this point i think: "LOL BOClean doesn't scan the process memory itself it only scans the process file.".

I tried a little bit more. I dumped the process memory of BOClean to look at the decrypted signature table. A signature entry looks like this:

seMILH00TSK#SUBSEVEN 2.2.3#!]AsIsB$#52166#

The first entry is the signature type. There are many types - for example for "trace scanning" ). The second part is the name of the trojan. The third part is the signature BOClean scans for. The last is the offset BOClean scans at.

I wanted to substantiate my guess and looked at a trojan BOClean detects as SUBSEVEN 2.2.3. I jumped to the file offset 52166 and what did i find there? Yes, i found the string: "!]AsIsB$".

Now my own personal conclusion of this facts:

1. BOClean isn't a memory scanner. In fact its a file scanner. It simply works like every AT guard (ANTS 2.0, TauScan Guard etc.).
2. BOClean isn't able to detect ANY packed or crypted trojan. Why else should BOClean have special signatures for repacked trojan variants?
3. PSC defrauds his own customers.

That is why i won't use BOClean.

By the way:
I give this information to Paul a view months ago. Paul and i confronted PSC with these facts. I didn't get an answer (i don't know if Paul got one). PSC didn't changed anything and continued his "game". I never reverse engeniered BOClean - just monitored it.

 

To help clarify the "issue" Andreas is one of our competitors, and there are personality issues involved here. That said, we looked into this problem quite some time ago and YES, there were some problems in the memory scanning which we've fixed quite some time ago. Andreas does NOT understand how BOClean works and his interpretations of the data he sees are not properly analyzed.

Yes, BOClean includes file examination functions as part of its database structure since trojans will execute in memory and ALSO make backups of themselves elsewhere in the file system. A portion of the database structure is used after detection in memory to examine other areas looking for stray portions of the trojans in other locations as well as for cleanup purposes after the fact.

Without giving away our design secrets (which was the BASIS for all this) the first part of BOClean's database looks for entries in INI files and BAT files based upon behaviors of trojans. Other sections look for specific trojans that are locked in older non-extractable formats where the trojan could indeed be spotted by its FILE signature. Other sections look to registry patterns, DLL signatures and other means of identifying trojans. In addition, specific file patterns of potential false alarms are also used to determine whether or not a trojan is a trojan or a legitimate program that could have accidentally set off BOClean.

If one examines our trojan list, you'll see that the entries appear to be repeated groups of names in alphabetical order that seem to keep repeating. Each of these "repeats" is a different set of "behavior" profiles. BOClean does indeed test memory although in our 4.09 version and shortly after release of 4.10, there were indeed problems with UPX 1.20 that was based on offset shifts that could not be covered in BOClean 4.09. Once we had everybody replaced with the 4.10 version, these offset difficulties no longer posed a problem.

But what we have here is one person's animosity because we wouldn't turn over years of our research when it was demanded by a competitor. I'll leave it at that.

 

>That said, we looked into this problem quite some time ago and YES, there were some problems in
>the memory scanning which we've fixed quite some time ago. Andreas does NOT understand how
>BOClean works and his interpretations of the data he sees are not properly analyzed.

I do - i did the test mentioned above with BOClean 4.10. If you want i will send you the testset. I will upload it and make it public - no problem ).

 

Thanks for your kind offer, but we've already collected your "packed/unpacked" collection from YOUR server a few months ago. You did indeed spot a flaw in our design with respect to UPX 1.20 and we fixed it quite some time ago. And yes, I APPRECIATE your efforts in pointing it out.

However your analysis of BOClean from the database you collected is highly CORRUPTED and does not contain the actual structures so any interpretation of the corrupted data you presented lacks just on that basis alone. I know what's in our database and how it's constructed and it is NOT as you claim, nor does BOClean function as you claim. I can understand though that there's a competitive edge to be gained by bashing others, sorry - I just don't want to play.

 

>Thanks for your kind offer, but we've already collected your "packed/unpacked" collection from
>YOUR server a few months ago. You did indeed spot a flaw in our design with respect to UPX 1.20
>and we fixed it quite some time ago. And yes, I APPRECIATE your efforts in pointing it out.

There are a few problems with TELock, too ... . UPX works well now (but as i said - always used BOClean 4.10).

>However your analysis of BOClean from the database you collected is highly CORRUPTED and does
>not contain the actual structures so any interpretation of the corrupted data you presented lacks
>just on that basis alone.

As i said - i didn't reverse engeniered it - just monitored it.

 

The same with armadillo ... .

 

Re:Which Anti Trojan program would be good for me ?

Oh boy oh boy oh boy !! This is good, not bad.
I for one don't see any problem with weaknesses made public.
everybody does it here. Not many have one good thing to say about Microsoft. What has become of this previously private debate?
One product has been improved. That is the main thing here.
I overlook a vendor if they have a bug or problem with their software
if they do not know it exists. I do have a problem if they know the problem exists and do not try in the least to remedy it. The nature of the beast is to let things slide.
I must say Good job Andreas. I respect your knowledge
Thank you Bo-Clean for improving your product and posting.

 

jesus christ..............

AS YOU SHOULD KNOW ANDREAS, (if you are really so good) is that FILEMON (from www.sysinternals.com) has CACHE PROBLEMS with the NT System - and you are using Windows XP, a NT based driver operating system.

That means, filemon DOESN'T monitoring ALL access made to files.
It's the filemon driver (yeah, that *.sys thing ) that cause this issue.

AND IF YOU LOOK IN THE SOURCE (yes, the Driver Dispatcher for IO_Request's where all call's from the usermode are handled) YOU WILL MISS A SOURCE CODE LINE THAT DISABLES THAT NT CACHE ISSUE.

And of course it's Possible to do Memory Scan's with a "classical" Filescan routine. YOU CAN ENUMERATE PROCESSES AND THEN USE THE 'CreateFileMapping' Function or some custom replacement.

AND I'm NOT A GUY FROM BOCLEAN.
No, but i don't accept here that some people are allways choosing trouble for personal ego reasons.

Best regards
Gladiator

EDIT: somewhat flaming text removed, as well as references to Gladiator software. Please open a new thread to discuss last mentioned software

 

Posts such as the one from Gladiator are the reason that I stick with Wilders Forums and software reviews. Your moderators and members show knowledge without the need to curse and flame. THANK YOU Paul and staff!

 

Hello Everyone!

For the sake of clarity I'd like to quote the New Member who started this thread because it appears to be swerving off topic in many respects!

He wants examples of good quality, most likely Gold, Antitrojan software. I sent two suggestions to him by IM. I will now put them here.

Newbie Friendly and easy to use but effective = TrojanHunter

Harder to use but one of the best = Trojan Defense Suite 3.++

I suggested he try them and choose the one with which he is most comfortable. I remember being a newbie at all this stuff. (Over-the-top is not required here.) Thanks.

Best regards from Larry!

P.S. Thank you Paul! In the time it took me to write this, you made your post. I fully agree with you. Now, does anyone have some positive information on antitrojan programs, they could provide?

 

May I suggest that Gladiator's entire, totally offensive post, be removed? Please.

......bellgamin

 

>AS YOU SHOULD KNOW ANDREAS, (if you are really so good) is that FILEMON (from
>www.sysinternals.com) has CACHE PROBLEMS with the NT System - and you are using
>Windows XP, a NT based driver operating system.

*lol* - quite easy Michael. I didn't want to see ALL read access - i simply wanted to see IF boclean do any reading on process files.

>AND IF YOU LOOK IN THE SOURCE (yes, the Driver Dispatcher for IO_Request's where all
>call's from the usermode are handled) YOU WILL MISS A SOURCE CODE LINE THAT DISABLES
>THAT NT CACHE ISSUE.

Jepp - exact ).

>And of course it's Possible to do Memory Scan's with a "classical" Filescan routine. YOU CAN
>ENUMERATE PROCESSES AND THEN USE THE 'CreateFileMapping' Function or some custom
>replacement.

Hmmm - i think OpenProcess and ReadProcessMemory would be more effective ... .

>No, but i don't accept here that some people are allways choosing trouble for personal ego
>reasons.

As you perhaps? Just listed a few facts that are right as Kevin said. You may try it for yourself. The last test was done with upx 1.2. BOClean reacted and fixed the error (using a fixed offset memory scan). But there are still many packers that make trojans undetected for BOClean (Armadillo, some ASPack variants etc. etc. etc.). And thats why i won't choose BOClean.

And than sorry Kevin ).

>1. BOClean isn't a memory scanner. In fact its a file scanner. It simply works like every AT guard
>(ANTS 2.0, TauScan Guard etc.).

Defnitly wrong (did a closer look to the programm itself). But you use a fixed offset memory scan and that is quite weak if you use some packer. TH has nearly the same problem but it was solved using a diffrent start point and not the imagebase as start point.

>2. BOClean isn't able to detect ANY packed or crypted trojan. Why else should BOClean have
>special signatures for repacked trojan variants?

The test was done with BOClean 4.10 as it was released a few month ago. There was a problem with upx 1.20 (that i used for testing) like kevin said. Played a little bit around. If the scanner doesn't use a "copy memory" technology (like upx and most common crypters) boclean would find it. If it uses one BOClean won't find it (cause the offsets changes).

 

I have Trojan Hunter and like it a lot.If you are looking for a "user friendly" out of the box anti-trojan,Trojan Hunter is good.As for the other AT programs,I don't know much about them.I never tried TDS-3 or Boclean.

 

Jepp - TrojanHunter is a very good scanner.