which is the best anti trojan ?

I'm not sure what other parts I should be responding to... I answered the only question I saw. Maybe I'm overlooking something, though.

If you're running under an Administrator account you can simply load a new driver and you would have full access to kernel mode. Like I said, there are even pre-made drivers available so there's not even any need to write a new one, though that would be trivial as well.

 

I'm not sure what SetWindowsHookEx has to do with this discussion? I'm also not sure what you mean when you're asking if it's a "global" hook?

 

.

So, everyone should be doing that then?

IOW, if I purchase TH (or whatever) - I should install it in the "Administrator" account (not my own account, which has administrator privileges) - and then I should do ALL my Internet stuff from a DIFFERENT account which is a simple "User" account?

Are we ALL supposed to be doing it this way? Pete

 

Correct, that's what you should be doing if you want the highest security. This is the way it's been working for a very long time in the Unix world - only use the root account if you really need to and use a limited account for your day-to-day tasks.

 

I noticed this on the GSF forum:

http://forum.gladiator-antivirus.com/index.php?showtopic=9954&st=0&#entry35146

Professional accounts would actually switch vendors over the method of protection?? Pete

 

Hi Magnus, I would like you to tell me how you would remove a kernel mode hook (one which patches the service dispatch table). Due to the way it works (ie there is only ever one pointer pointing to the service, its up to each service to pass it onto the next one like a chain) wouldn't you need to :-

a) Install a kernel mode driver yourself.
b) Read the "system address" space looking for the pointer to the original function that the service you want to skip needs to call. You can find this by reverse engineering the .SYS file but this will most likely change for each version of the .SYS requiring you either add generic detection for it or record the changes for each version you want your anti-kernel mode hook to work again.
c) Make sure there are no other services hooking this function because if there is you will then need to modify some of them to work correctly with your modification of chain. You are going to support each .SYS file which can be loaded and installs a hook?

So now I have given you the outline I would like to see some actual "working" code which does this to support your comments. Whilst theoritically it isn't IMPOSSIBLE, I think implementing it correctly would be close to it.

The other point you don't mention is if you are already in kernel mode, you can stop other kernel mode drivers from being installed, and hence, you CAN ALWAYS stop something from patching the kernel even IF you could achieve those steps I outlined aboved. You can't do this with a usermode hook...

I find it funny you make this comment when it seems you don't know how some of the kernel mode hooks work. . C code to remove user mode hooking which rewrites instructions (what MADSHI uses by default) is less than 100 lines. A driver to do what I outlined (if possible) would be many times larger. You think once one open source trojan is released which has these 100 lines your protection will still be effective? Trojan authors probably won't even be targetting your program either, rather the sandbox systems like SSM, etc. So it is a likely scenario in my opinion.

I do appreciate and acknowledge that you have put some protection into your program, I don't want to discredit you or your program. However I don't see why you need to defend 'usermode' hooking that you use, you know (at least now I hope you do) it has vulnerabilities/problems. It is better people find out now about these problems (most importantly people who write the software which relies on it) before trojans/malware are available that make this protection impotent.

-Jason-

 

It seems to me that Magnus defends the method TH currently uses, simply because it provides the best built-in protection provided by any AT program.
When a rival company starts saying

you would thing it’d take at least 200 lines to currently shut down theirs. I’m not a programmer but I’m sure it can currently be done with 5 or less and is already implemented by various malicious programs.

Process Guard is a standalone program for preventing this. If it wasn’t better than one provided as part of a standard AT installation then I for one would be asking for my money back. But TH users will at least have protection from most / all current Trojan shutdown techniques from the second they first install it. Plus they have the choice of using additional protection programs (such as Process Guard) should a threat eventually exist. They’ll know if that time should come simply because they’ll have a visible confirmation with the Guard icon disappearing.

But luckily for TH users Magnus integrates a lot of elements into one package (Memory scanner, file scanner, shutdown protection etc) and still continues developing at a great rate of knots. So I personally think he’ll always be on top of things and certainly match the current threats.

How many times has one of my security programs been closed down by a malicious program in the last 30 years I’ve been computing – Zero times. Good computing practices and a little common sense goes an awful long way.

 

ReGen, we commend Magnus for his efforts in addressing this issue. Other vendors (and this doesn't only affect anti-trojan vendors) just seem to be shying away and seemingly hoping the issue will go away so it's good that Magnus has at least implemented some level of security (something is better than nothing). All we disagree on is the method, or level of security. User-mode hooks just don't provide enough adequate security for our liking, and it requires patching a lot of critical and common API functions to accomplish this so although it wouldn't take us very long to add user-mode hooks to our software (a day or two) we don't see any point in doing so, as they're like bandaids in that they can be removed even easier than they can be applied. This is why we're developing kernel-mode drivers for this, to address the problems at their lowest level, a level where very few programmers can go. So if you've got the capability to develop a kernel-mode driver, then user-mode hooks don't even get a second look.

However, we don't believe each security process should have built-in protection. If that was the case and you had a decent layered-security setup (ie. a firewall, an anti-virus, an anti-trojan, etc), then you wouldn't want half a dozen drivers or half a dozen injected DLLs all trying to do the same thing - it'd slow the system down unnecessarily and almost certainly cause conflicts. This is another advantage of Process Guard - you can use just the one program (which protects itself) to protect as many other processes as you like, with virtually no performance hit (you don't even need a process to be running for Process Guard's protection to be active, as virtually everything is handled in the driver).

But you choose whatever you're happy with and what you feel works best for you.

Best regards and enjoy the weekend,
Wayne

 

From a end user point of view and programmer in his spare time, i don't really like user mode hook.
However, i'm using SSM which does it, but i would really like it much if it has a kernel mode driver than a user hook.

Why ?
because when i'm coding programs, i always try to optimize them as far as possible, i can spent 2 weeks after the code is clean and runable only to optimize it dramatically... and user hooks inject their dll into my program which so consume more memory, even if generaly it's virtual memory.

From my end user point of view, user hooks hijacks processes, and i don't like this idea.

But, as i stated before, i'm however using SSM which has features i didn't find anywhere else, it's because i haven't the choice, even Abstrusion Protector which use a kernel mode driver doesn't fits to my needs.

So now you have the point of view of a simple user, i'm not a competitor because i sell nothing.
This is just that i see that if each security apps that i have where doing user hooks (AV/AT/FW/SSM) my system would be slow as hell and wouldn't be stable.

This is my opinion about general user mode hooks, not TH.
I have never tried TH, but from what i have heard it's a very good AT, i just wanted to give my opinion on an interesting subject

 

Re the quote above, is that lighter in resources still the most important part for the choice? Hm....
You have NOD32 already as a resident protection?
And a specific AT would most of times be ran on command or would you like to have that resident too?
Remember the scanning process itself is the heaviest and best to do such intensive scans when you're away some time from the computer and you close all unnecessary applications and screens to give it all bandwidth to speed up the process. Could this help a bit in more choices?
By the time you tested several on your own system there might be new products to try so don't decide to quick yet

 

Among the top 3 AT's mentioned here, in terms of ease of use, ability to use on low end machines/W9X as well as W2K/XP and the ability for the home user to legally use it on any other PC's he/she may own I'd recommend trying BOclean. It's a small program and just a real time monitor. Install and just let it do it's thing. It even autoupdates itself. Minimal user interaction required. About as simple as it gets.

It doesn't have a lot of bells and whistles or an on demand scanner but it's good for people who just want some specialized real time AT protection backing up their AV. No free trial is available but a 30 day money back guarantee and excellent support.

I know of people who run it without any problems with NOD 32 as I do. Some people may report apparent conflicts with NOD and BOClean and if that cannot be resolved within the 30 day trial, BOClean will refund your money. Historically AMON did not always play well with other programs but I've the impression that the ESET folks are working to resolve such issues.

I got BOClean because I just wanted some specialized "insurance" on the AT front but wanted something that would just do its thing and stay out of my way. I understand TDS has some great tools for those who want to use such things. And TH apparently also has some nifty features. But for an average user who really doesn't want to get into those sorts of things BOClean is another option. Perfect for "clueless" users or those who don't really want to have much of an interactive relationship with their AT program.