New Trojan Test

Discussion in 'other anti-trojan software' started by StevieO, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. poll2

    poll2 Guest

    This might be slightly overstating it.

    In my opinion, if you think you need virus or trojan scanning on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.

    What's the difference between this argument and the one you are making? The only difference is the method used.
     
  2. frenchfries

    frenchfries Guest

    Using a simple execution blocker, which does nothing more than alerting you if you execute an (unknown) application, is a bit ridiculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information...
    That is a bit like always driving with a speed limiter, instead of driving at the allowed speed by yourself. I don't see any real benefit in it...

    Thorough system firewalls (with injection blocking etc.), AV programs, network firewalls etc. are a whole different story, as they can give you something that you can't get that easily by yourself.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I don't know what application you're talking about, because Process Guard certainly doesn't do this.
     
  4. burgers

    burgers Guest

    Sure it does. It's one among several functions though.

    Of course all these exe blockers might become useful, if say you are surfing along happily and some guy hits you with some exploit that is totally new, causing the download and, more importantly, the execution of this new process.

    Those exe blockers will then pounce!
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, I know (I use it). :) What I meant is that if it only worked like that, it sure wouldn't have been very useful (and sure I wouldn't have used it).
     
  6. burgers

    burgers Guest

    Of course, there's a whitelist and learning modes. But otherwise I don't know why you object to that description...
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That's right... there's whitelist and learning modes... and it recognizes the hashes of the executables so you can choose to be prompted again only if they change; this alone (not including the many various other features, i.e. protecting applications from reading/termination, protecting physical memory, blocking global hooks, etc) means it's TOTALLY different from a silly "are you sure prompt".
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,


    *Rmus, just to cross over the Atlantic again to clarify my point of view ;) .
    I'm not discussing real trojan protection: in this case, a whitelist protection (such as AntiMalware, AntiExecutable etc.) is certainly one of the most effective to deploy.
    The subject is TrojanDemo.
    This file is a test demonstration tool.
    It's not a leaktest because it was not designed to bypass a firewall (by dll injection etc.).
    A test/proof-of-concept/malware demonstration tool is intended to illustrate "in vivo" some features, abilities, theories, exploits, methods and so on.
    In our case, TrojanDemo demonstrates how some data can be stolen or exfiltrated from a user's local host to the Trustware remote server.

    Therefore, since this is a test tool, it's nonsense to block the .exe!
    If I want to audit my firewall with a leaktest like Ghost, should I block the executable?
    -By blocking the .exe, the user just demonstrates the efficiency of his execution protection (HIPS etc.);
    -by blocking connection attempts with the firewall, the user just demonstrates the proper functioning of his firewall.
    Nothing else.

    The primary interest of TrojanDemo is its ability to record the user's documents, to create a SPY.TXT file and to report the document to Trustware servers.
    Then a result like this one http://idata.over-blog.com/0/03/91/26/abtrupro/softclan/softclan4/vstrojandemo250.jpg
    is much more interesting for me.
    But as usual, each user has his own point of view.

    But I'm not sure that this "marketing" tool (marketing like Regtest, KeyHook etc.) could be as effective as a real malware/attack.
    For data theft, the most effective methods are SQL injection (on MS SQL servers), XSS/Cross-site-scripting, java exploit, or a Man-In-The-Middle: no AV/AT/HIPS listed on this forum will be able to detect such attacks.

    *TopLoader, Trust-no-exe (the same product as Exe-Vaccine without password protection) is an executable filter: so if the user keeps the default rules (white/access list: Windows and Program Files folders), and if TrojanDemo is run from one of these folders, the executable won't be blocked.
    Since it is an .exe filter, the rules must be composed of .exe files, and not of folders (logical)!

    Regards
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi kareldjag,

    Point conceded!

    Does it count that when I allowed the test to run, my firewall blocked the outbound attempt to send the document to Trustware servers? :D

    Hope your trip to Spain was lots of fun.

    regards,

    -rich
     
    Last edited: Sep 26, 2005
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Yes they do, believe it or not.

    Sadly not all of them do, but they do run these tests to see if their security programs can catch it.
    These 2 'useless' tests take 10 minutes tops to analyze.

    You're the one calling people noobs, so you tell me?


    Experts know better, yes, because they should analyze the file themselves before scanning it with an AV.


    No, it's simply my view on this. If you can't respect that, so be it - I think it bothers you more than it does me.
     
  11. Pollmaster

    Pollmaster Guest

    I expect less time actually. That's why it's so useless.
    But 10 minutes can be the difference between someone getting infected by something that should have been analysed instead of time spent on harmless stuff.

    Sure you can have any view you want. Even a wrong one. That doesn't bother me in the least. And as I predicted, you don't have any good reasons to support your view.
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Oh, you're one of those who wants an update every second. Well, good luck with that...
     
  13. Pollmaster

    Pollmaster Guest

    Someone needs a lesson on logic badly.
     
  14. MichelB

    MichelB Guest

    To me, that implies no knowledge of the program or security. I've only been using it for a couple of weeks, and it's GREAT. Want an example? OK ;-)

    What happens when you execute game.exe and it is a self-extractor or a trojan dropper? It puts svch0st.exe (trojan) and game.exe in the TEMP folder and runs both. Without an EXE protector you wouldn't know crap. Your game.exe is running and away you go... have fun ;-)

    Task Manager just shows game.exe running; maybe you miss the svch0st.exe. Or svch0st.exe is named svchost.exe so you can't kill it in Task Manager, that's even if you can guess which one was the bad one. Task Manager doesn't even show me the path of the file.

    Even better? svchost.exe is a DLL injector trojan and is now inside a trusted process? Even PG free blocks that. What if svchost.exe was a rootkit? Well, you could just buy PG like me :D but the free version or any exe blocker told you it had put those files in the temp folder and run them.
     
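The dropper scenario in the post above (a lookalike svch0st.exe, or a genuine name launched from TEMP, where Task Manager shows no path) can be checked from a process listing. The following is an added example, not code from the thread or from Process Guard; it assumes a default Windows layout with C:\Windows as the system root, and the process table it audits is constructed inline.

```python
import ntpath

# Expected on-disk locations for well-known system binaries (assumption: a
# default Windows install with C:\Windows as the system root).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
}

# Character swaps commonly used to produce visually similar file names.
HOMOGLYPHS = {"0": "o", "1": "l", "i": "l", "rn": "m", "vv": "w"}

def normalise(name):
    """Lower-case a file name and fold the homoglyph substitutions above."""
    folded = name.lower()
    for glyph, plain in HOMOGLYPHS.items():
        folded = folded.replace(glyph, plain)
    return folded

def classify(name, path):
    """Verdict for one process: 'ok', 'unexpected-path', 'lookalike-name' or 'runs-from-temp'."""
    lname = name.lower()
    directory = ntpath.dirname(path.lower())
    if lname in KNOWN_SYSTEM_BINARIES:
        # Genuine name, but is it running from where the real binary lives?
        return "ok" if directory == KNOWN_SYSTEM_BINARIES[lname] else "unexpected-path"
    if any(normalise(lname) == normalise(known) for known in KNOWN_SYSTEM_BINARIES):
        return "lookalike-name"   # e.g. svch0st.exe posing as svchost.exe
    if ntpath.basename(directory) == "temp":
        return "runs-from-temp"   # dropped into TEMP and launched from there
    return "ok"

def audit(processes):
    """Return (pid, name, path, verdict) for every process that is not 'ok'."""
    return [(pid, name, path, classify(name, path))
            for pid, name, path in processes
            if classify(name, path) != "ok"]

# Constructed process table (not real data) mirroring the dropper scenario above.
SAMPLE_PROCESSES = [
    (412, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1204, "game.exe", r"C:\Users\demo\AppData\Local\Temp\game.exe"),
    (1216, "svch0st.exe", r"C:\Users\demo\AppData\Local\Temp\svch0st.exe"),
    (1230, "svchost.exe", r"C:\Users\demo\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES):
        print(finding)
```

On a live host the tuples would come from a process enumerator that reports the image path, which is exactly the field the post notes Task Manager does not display.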
  15. Concerned

    Concerned Guest

    I tried the disable antivirus test. ProcessGuard asked if I wanted to block it. To test, I let it run and it did disable Norton Antivirus. Where does that leave me?
     
  16. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Couldn't help myself.

    Bufferzone test: All downloaded and run from within the DW Sandbox.

    AntivirusDisable.exe; ProcessGuard alerted - permit - nothing happened - is that a passed test?

    TrojanDemo1test; PG alerted - permit - PG alerted for something else - permit -
    calculator starts in DW box - window confirms test fails - OP component control at the same instant warns that trojdemo "one or more components are changed", do you want to allow? So I suppose it's a passed test.

    After that I pressed the button for the third test several times - nothing happened.

    How do I get rid of these exe-files - just delete them?

    Best Regards
     
  17. hypersteroid2ooo

    hypersteroid2ooo Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    3
    Hi everyone. Probably after I post this message I will get busted by many of the security products' fans.

    Initially, a couple of months ago, I tested all the security products: firewalls, antiviruses, and the hardest ones are anti-trojans.

    There are three trojan sites that I used. Before I tested these security products I deliberately opened myself up, with barely any security system.

    backdoor trojan ~snip~ only a couple of firewall products pass and report an outgoing activity: Kerio, Zone, Look (perfect), Visnetic, Outpost (perfect). The remaining products like Sygate are only a hoax commercial program, whereas Tiny is completely tiny and unable to perform a big job correctly.

    downloader: ~Edit: Links removed to conform to TOS.
    Please do not post links to trojans, virus or other malware....Bubba
    ~ """Spy Sheriff infection""": on your desktop will appear a file, i.e. ibm

    These are the hardest tests; the only AV products that pass the test are Kaspersky and NOD32 (which even detects the tracking cookies file).


    From the AT products, Trojan Hunter is being hunted by the acute Spy Detective file. Only a-squared can detect and remove a part of the trojan files. I haven't completed the test, so this is all I can say.
     
    Last edited by a moderator: Dec 18, 2005
  18. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    hypersteroid2ooo,

    Please do not link to possible malware sites here. It is a TOS violation.



    snowbound
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I looked but couldn't find where anyone who uses DrWeb tried this test, so I did. DrWeb blocked the download quicker than the blink of an eye. ZZZZZZZZap!!!
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ StevieO,

    Your post was removed given the fact that you posted the same links commented on above by Snowbound concerning the TOS violation.

    It matters not that you made the links unclickable.
     
  21. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    o_O o_O o_O

    Cool! :cool:

    :rolleyes: :rolleyes: :rolleyes:

    Best regards,
    Firefighter!
     
  22. EASTER.2010

    EASTER.2010 Guest

  23. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Very interesting read. Thanks.

    It appears it would try to disable three of my resident security apps. There are still a few I use that are not in its list. Still, it's pretty scary.

    muf
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, the morgud test is quite scary, BUT executing it in something like Sandboxie shows that it basically can't do MUCH when it's sandboxed; when I execute it in Sandboxie + Process Guard full is active + Core Force is active (and set up properly), it basically can't do anything at all and can be flushed without any problems. :)
     
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    This is a very good and comprehensive test, the likes of which I've rarely seen anywhere! We had a full shakedown of this test before though, and you can see the results etc. in this thread.

    New security test: DFK Threat Simulator (DFKTS)

    https://www.wilderssecurity.com/showthread.php?t=103492

    I think that you will find it very interesting, as I did.


    StevieO
     