BOClean same story as TDS?

Discussion in 'other anti-trojan software' started by A884126, Aug 5, 2005.

Thread Status:
Not open for further replies.
  1. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Oh please. :rolleyes: :p
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree as well.. debate between peers is fun to watch (and learn), but when it gets to the point of being obviously personal then it's gone too far. Although this doesn't speak for the program itself, customer relations is something that does factor into decisions regarding where I'm going to spend my money.
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Why doesn't everyone step back and chill...

    @ all: Please focus your contributions on the posts, not those of us who have made them.

    @ Edwin024: Your short comment provides absolutely no background context. None at all. Your expanded response puts it in a much clearer light. Clearly one approach to circumvent the immediate onslaught of the sheer volume in malware is to go in a direction of generic signatures as a delaying action and heuristics - which are behavior-based - as a much longer term remedy. Naturally pure behavioral monitors don't depend on program details, only on what they do or sequences of what they do, which is a much more limited domain and hence somewhat more robust, in principle. I say in principle since this area remains a somewhat immature approach. There's a lot of activity underway, but whether or not this strategy pans out is still being fleshed out. I do feel that this is an attractive approach for a lot of reasons.

    Blue
     
  4. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Yes Blue. I think I was a little short and out of line myself just above with justnoticed. :oops: :oops:

    Sorry about that.
     
  5. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Interesting rumor. Where'd ya hear that? This news of our demise is news to us. As we have a number of corporate customers whose support is contract based, we'll be around for the long haul.
     
  6. hayc59

    hayc59 Guest

    Thanks For the info Nancy
    appreciate it:)
     
    Last edited by a moderator: Aug 6, 2005
  7. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    My personal opinion is that the top ATs will be around for a while simply because they are still better at trojan detection (imv) than a lot of the AVs out there. Yes there are a few exceptions like kav, nod etc, but how many people actually use these when compared to the free avs such as avg, avast, and antivir? It seems everyone and his dog seem to be using these (in my area at least), and while I would not dispute how good they are, I would still dispute them being as good as boclean, or TH etc in trojan detection. For the person that likes a free av, then paying once for AT protection and receiving free updates (of course this might change) is usually preferred (at least in my experience), rather than buying something like kav or nod and paying yearly, for the better "trojan" detection. I guess everything evolves..maybe an operating system impervious to such threats (how are apple macs in that area?) may emerge and leave all security software obsolete :)
    ellison
     
  8. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well since you expanded on your original post and made it a little clearer what you were saying then I'll take back my comment. Sorry. I have no problem with people posting about alternative products where their post is quantified and adds constructive advice to the thread. There are too many people in security forums these days who are just posting to advertise their own favourite programs. I do tend to tell those people that are doing it to stop brainwashing/converting. So it's not just you.

    If someone starts a post that says "What's your favourite AT?" then fine everyone chip in with their favourite. But when someone starts a post titled "What do you think of Trojan Hunter?" and people chip in with 'I've never used it but BOClean is great' it's just meaningless pet product advertising.

    Back to the topic.

    I've no plans to ditch BOClean based on a 'rumour'. It's already been documented that BOClean is here to stay for a number of years. I'll carry on using it. If they want to change things (pricing, new product etc) then I'll review this at the time. But as things stand, it's here, it's good and it's a keeper.

    muf
     
  9. Why

    Why Guest

    The only thing that is keeping the AT alive now is the memory scanner. Most AV's have caught up in the on-demand detection part of the software but most AV's don't have a real memory scanner.

    When and if AV's decide to develop good memory scanners then AT's are probably history because they have more resources to do things bigger and better than the AT's unless the AT's evolve to become much bigger operations than they are now......or change their method of operation so they might not be classified as a pure AT any more.


    Why



     
  10. controler

    controler Guest

    Hi all

    Me thinks we need to look at the whole picture of what is going on today.

    Why do some AT AND AV people think even memory scanners are to be a thing of the past?
    To answer this question, I would say one word! ROOTKITS.
    Why would I say this? I am sure any of you that frequent root kit dot com would know the answer.
    Look at what is being talked about over there. From reading the LATEST, you will see to detect a great rootkit, you need a rootkit itself. Example being Icesword.
    Looking at what Joanna writes about hiding and not hiding files.
    New detectors are looking for hidden files and AV's looking for not hidden files.
    Joanna thinks the best detection would be at the lowest I/O level.
    If I understand her, she is still recommending a driver for this (disk driver).

    I could be wrong but it appears you do need to use a rootkit to find OR break a rootkit.

    As I mentioned before, Kevin is bound by the government NOT to mess with kernel. If this also means NO driver, I don't know.
    I do not see how you can make a rootkit based detector without a driver or drivers that can stop or break the rootkit.

    My last brain cell tells me Kevin would therefore need to develop a new program for single users. I don't think he would do this since he said single user LIC's are not worth the effort. He deals in Corporate - Government.

    Then who do we turn to? Will it be DCS? It could be. It could be another.

    IMHO, I do not think the great detector of the future will be based on online offline file comparison.

    controler
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    DCS, Ghost Security, Online Armour, Ewido, Kaspersky, NOD and probably a whole HOST of others are probably developing solutions for this.

    It will be interesting to see who the marketplace thinks has the best perceived solutions.


    Starrob
     
  12. ----

    ---- Guest

    Right now though, anyone who thinks he can get away without an AV or AT merely because he uses 'HIPS', is a fool.

    Of course, if you never ever felt the need for ATs in the first place, then that's different. ;0)

    It has always been that way muf, nothing new.
     
  13. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    I have Ewido and Online Armor plus Regdefend, Look 'n Stop firewall and NOD32. I feel pretty secure with this package. I hope most can agree :)
     
  14. A884126

    A884126 Registered Member

    Joined:
    May 16, 2004
    Posts:
    191
    Edwin024, as Muf already told you, this is not a thread about your own configuration, nor about your suggestion regarding ewido.

    It would be nice if you could open your own thread if you have any personal question or request. I am sure many people will help you.

    No offense.
    Thanks
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    And awaaaay we go yet again. PLEASE stay on-thread!
     
  16. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Greetings ... well ... looks like the old "telephone game" of rumors and "competitive posturing" has resulted in some interesting concepts and fears here, so I suppose I need to address them ...

    So let's rewind back to Uncle Wayne's announcement about TDS. Why do I call him "Uncle Wayne?" Simply because he, the Otis Vigil brothers and a handful of us go all the way back to the beginning of the not-so-nice "wooden horsie" and back in the early days, though we were all "competitors," we SHARED, we COLLABORATED and worked together at finding, figuring out and defeating the little wooden horsies. If one of us spotted something that the others didn't, we emailed a copy to each other. We were all friendly with one another and everybody benefitted from that. No "collusion" but rather "professional courtesy." Interesting how that's been turned sideways since.

    I felt as though one of my best friends fell by the wayside when the announcement of "no more TDS" happened, and I felt compelled to explain what an overwhelming and EXPENSIVE job it is, how historically it was easily manageable and how it's gotten completely out of hand lately with so many "professional, organized-crime funded" nasties there are today. Certainly none of us saw the explosion of these which came to pass in the past two years. And the degree of difficulty has similarly ramped up. In my words, I was trying to explain simply that it takes a tremendous amount of resources and people to keep up and that I understood WHY Wayne saw the "point of diminishing returns" and that we'd been there too. I said it because I don't think many folks truly understand just how MUCH is involved in doing this.

    I also explained that OUR situation is different in that because our main focus and design was "institutional" in nature, we had the benefit of being able to hire people to do a good amount of the work for us, and even more importantly had the continued revenue stream as a result to endure the added workload. Those depending on "home users" are saddled with a LOT more work on a basis of support which is also expensive and time consuming. At no time did I say we "don't want individual licensees," what I was saying is that because we primarily cater to large user bases, we're economically more stable and the licensing which we extend to individuals is covered by this situation. In other words, WE are going to survive unlike most others simply because the "expensive" parts of what we do are heavily diluted by major purchasers, and that keeps us "profitable." And that's a GOOD thing for "ordinary folks." Means we'll be here as our current funding is assured for AT LEAST 3-4 more years.

    In the nearly ten years that BOClean has been around, those who have been with us for a while have seen BOClean expand and adapt in its capabilities and yet still retain that "set it and forget it" design despite so many new "needs" emerging over time. And for all those improvements and expansions, never has the "deal" changed. It's possible that we may need to either raise the price or go to a subscription basis at SOME FUTURE TIME, but there isn't the need to do so at THIS time. Those who are already customers are not due for any surprises, and like I said, we're not going anywhere. Can any OTHER vendor ASSURE that they'll still be around for the next 3-4 years? WE CAN. :)

    Just as "file scanning" became obsolete in many ways back in 1998, resulting in BOClean becoming a "pure memory scanner," BOClean too is adapting under work already in progress for the next version and remains up to the job in its current incarnation. All the hoopla over "rootkits" is as amusing as all the hoopla over some trojans being called "spyware" in 2001 as though those too were something "new."

    "Rootkits" have been around for YEARS now! The first "popular" rootkit was "Back Orifice 2000" (BO2K) back in 1999. And there's nothing new to any of the new incarnations either. Rootkits simply redirect kernel functions to somewhere else where they can be intercepted, filtered, and then whatever desired results by the malware author is returned to the "user level." Some of the latest trends actually patch the kernel itself in memory much like the usual "injection" trojans of recent years.

    And a "rootkit to fight a rootkit" isn't actually necessary although that's what SOME vendors are doing. Rootkits can actually be spotted rather easily by looking for what is MISSING, but I won't go into the technical details of how we spot them or why a kernel driver isn't actually necessary at all to do so. Suffice it to say that any hook into any kernel function can be detected, and its "hook" removed as easily as stopping a process or unloading a rogue DLL. And from USER (ring 3) level. When "Vista" is released though, this will likely no longer work. For now though, it still does.

    It's TRUE that demands have been made by our major customers NOT to tamper with the kernel, but there's a bit of a misunderstanding as to what that means. Some antiviruses and antitrojans attempt to "patch" the kernel addresses with various "libraries" compiled into their code by the very same people who make those same libraries available to trojan authors. Many of them are cob-jobs which can result in strange crashes and other misbehaviors. Since a number of systems which use BOClean are "mission-critical" types, then by definition we can't be patching the kernel on those machines because of that status. And any kernel drivers written for such situations must not only be flawless, but they must mesh properly with any other kernel drivers present. This is why you'll never see some highly popular commercial brand name software on machines of this particular class and situation.

    That all said, there is in fact a BOClean kernel driver already being built for the next generation of BOClean with a rather interesting design to it owing to some truly stupid things that other vendors have been doing which necessitate our doing it. Additional "specialized" builds are also underway for specific needs of specific large customers and some of that will find its way into the "regular" BOClean around the end of the year.

    But as I said before, we're not going ANYWHERE, and the best is yet to come because we actually HAVE people to do it. :)
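    Kevin's post above says that rootkits redirect kernel functions and can be spotted "by looking for what is MISSING" and by finding the hook itself, without giving details. The script below is an added illustration of those two generic ideas (a cross-view discrepancy check and a function-entry prologue check) on constructed data; it is not BOClean's code, and the process lists, function names and byte strings are samples I made up for the example.

```python
"""
Two generic rootkit-detection checks on constructed sample data.
Added illustration only; not BOClean code. The process "views", the
function table and the prologue bytes below are constructed samples
standing in for what a real scanner would collect from the system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed "API view": what a process-enumeration API returns after a
# rootkit hook has filtered out the entry it wants to hide.
API_VIEW = [Proc(4, "System"), Proc(612, "winlogon.exe"),
            Proc(1180, "explorer.exe")]

# Constructed "low-level view": the same list obtained by a route the hook
# does not cover (for example walking PIDs directly). The hidden entry is
# still present here.
LOW_LEVEL_VIEW = [Proc(4, "System"), Proc(612, "winlogon.exe"),
                  Proc(1180, "explorer.exe"), Proc(2044, "svchost.exe")]


def hidden_entries(api_view, low_level_view):
    """Entries present in the low-level view but missing from the API view.

    A non-empty result is the "what is missing" signal: something between
    the caller and the kernel is filtering the higher-level view.
    """
    seen = {p.pid for p in api_view}
    return [p for p in low_level_view if p.pid not in seen]


# Constructed sample of a known-good x86 function entry
# (mov edi,edi / push ebp / mov ebp,esp). A patched entry instead starts
# with an unconditional jump (E9 rel32) or a push imm32 / ret trampoline.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
JMP_HOOKED = bytes.fromhex("e9000010008bec")     # jmp rel32 over the entry
PUSH_RET_HOOKED = bytes.fromhex("6800104000c3")  # push imm32 ; ret

# Constructed function table: name -> first bytes read at the entry point.
SAMPLE_TABLE = {
    "NtQuerySystemInformation": JMP_HOOKED,
    "NtOpenProcess": CLEAN_PROLOGUE,
    "NtCreateFile": PUSH_RET_HOOKED,
}


def hook_kind(entry_bytes, expected):
    """Classify a function entry against its expected prologue.

    Returns "clean" when the bytes match, "jmp" for an E9 rel32 patch,
    "push-ret" for a 68 imm32 C3 trampoline, and "modified" otherwise.
    """
    if entry_bytes[:len(expected)] == expected:
        return "clean"
    if entry_bytes[:1] == b"\xe9":
        return "jmp"
    if entry_bytes[:1] == b"\x68" and entry_bytes[5:6] == b"\xc3":
        return "push-ret"
    return "modified"


def scan_table(table, expected):
    """Return {name: kind} for every function whose entry is not clean."""
    report = {}
    for name, entry in table.items():
        kind = hook_kind(entry, expected)
        if kind != "clean":
            report[name] = kind
    return report


if __name__ == "__main__":
    for p in hidden_entries(API_VIEW, LOW_LEVEL_VIEW):
        print(f"hidden from API view: pid={p.pid} name={p.name}")
    for name, kind in scan_table(SAMPLE_TABLE, CLEAN_PROLOGUE).items():
        print(f"entry of {name} is not clean: {kind}")
```

    The cross-view check only works when the second view really bypasses the hooked path, and the prologue check needs a trustworthy copy of the expected bytes (for instance from the on-disk image), which is exactly what the later Shadow Walker discussion in this thread attacks by lying about memory reads.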
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Will the BoClean kernel driver in development also be able to work under Windows Vista?

    I am fairly certain that some of your references to vendors "doing stupid things" are a reference to some programs that flag BoClean as being malware or create some type of incompatibility with BoClean.

    I wish I knew more about how the kernel works because I would like to know the stupid things that some vendors are doing. I would like to know the rationale of why they are stupid, so I can make a determination of whether I should even consider using certain programs or not.

    I know you might not be able to fully answer these questions on an open board but I wish you could. I personally have only found two vendors that answer questions fairly directly. There might be more than that but there are only two that I have found so far that I have talked to for any length of time.

    In the past, I know zonealarm has been mentioned as a program by you that "does stupid things". I wish you could tell me why I should avoid a product like zonealarm 6.0. Just by reading around I see some people that have complaints about it and others that are already big fans.

    Most of the people making these comments for and against zonealarm probably don't have much of an idea whether zonealarm 6.0 is really doing all that it says it can do or not.......but that is another story.

    I am looking for answers from people that actually know what security software does under the hood, although I doubt I will get a satisfactory answer.....at least in a public forum.



    Starrob




     
    Last edited: Aug 8, 2005
  18. controler

    controler Guest

  19. controler

    controler Guest

    Nother good read on Shadow Walker

    Quote from the page:

    "If we can control a scanner's memory reads, we can fool signature scanners and make a known rootkit, virus or worm's code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code," she added.

    "The code will execute but scanners will receive incorrect information."

    http://www.eweek.com/article2/0,1895,1841266,00.asp


    controler
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I wonder if BoClean would be able to detect this Fu-Shadow walker rootkit? For that matter, can any scanner, whether AV or AT, detect this type of rootkit?


    Starrob
     
  21. controler

    controler Guest

    I don't know if Boclean in its current form can, I am sure the new version would.
    Possibly with the use of a driver.

    From what I gather, the next level would be to use a mem scanner off an extra circuit board containing its own CPU.

    The question we need to ask is, do we expect AT's to find rootkits also?
    Maybe if they are part of a trojan?

    I also think we need to ask ourselves right now. I would be willing to pay a yearly subscription to Kevin. How about you? I think he is well worth it.

    I doubt he has the time with the current work force but maybe he would code a special program for a price. It appears it is limited to huge LIC again.

    How about Wilders form a corporation and gather enough people to make a special program worth it? Like say 4000 Wilders members.

    controler
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am following the solutions that BoClean proposes, as well as the solutions that a few others are proposing.

    I am fairly amused at all the differing opinions on how to prevent malware from entering the computer. Some believe HIPS is the answer. Some believe more in scanners. Some believe more in "common sense". Some believe more in "education" and some just believe in arguing....lol

    I am sort of an agnostic....maybe some would call me a heretic because I am not a "True Believer" in any one particular method. I simply study them all and will use different solutions in the situations in which they most apply.

    I am very interested in BoClean's future development . I pay attention to Kevin's remarks..... just as I pay attention to remarks from all developers.

    What really interests me is why Kevin feels that Zonealarm 6.0 does not make a good solution for the growing malware problem in his opinion.



    Starrob


     
    Last edited: Aug 8, 2005
  23. controler

    controler Guest

    One thing to keep in mind is the fact companies like Symantec have been around since the beginning and will probably stay. They have a tendency of gobbling up the competition.
    They are also innovators. Look at e-mail scanning. I am pretty sure the first AV I remember that did this was Symantec.
    I tried their latest beta not long ago and they still have good detection.
    Now we are seeing Microsoft pulling part of Vista, knowing it would be a huge target for crackers. Microsoft is buying up all kinds of security companies.
    Some I never heard of before.
    Linux has come a long way but still isn't there as of yet for most common users' needs.
    But alas, as we know, competition is a good thing, not only between security companies but between black & white hats. Keeps things in balance.

    controler
     
  24. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    This is what I find interesting. I am not technical enough to know exactly what this means. Except there will never be a dull moment. ;)
     
  25. gottago

    gottago Guest

    Perhaps no words more true have been spoken in this forum (right, --- ?)
     