Boclean false positive?

Discussion in 'other anti-trojan software' started by Atomas31, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    If you didn't download the first update (of 3) released yesterday, you never would know about the FP we fixed an hour later. What happens with BOClean is that it checks for an update a few minutes after you boot your computer, then 6 hours later, and so on. Typically, BOClean updates once a day, so this scheme usually gets everyone covered quickly. Since we updated later in the day than normal, owing to the sheer number of malware handled before the first update was released (over 20,000....we don't count repacks, which make up the majority-over 4,000 variants and 67 new unique malwares) it stands to reason that a lot of people had their systems booted already, didn't see the first update but then, after seeing the buzz around about the FP, manually downloaded the second (or crossed the 6 hour threshold at that time) missing the FP altogether. Which is a good thing, the fewer people who get an FP, especially one like that, the better, and is why we handled it so quickly.
     
  2. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Thank you.
     
  3. jbob

    jbob Registered Member

    Joined:
    Dec 2, 2005
    Posts:
    10
    Location:
    Arkansas
    That sounds plausible at least for me. My computer is set to check for an update 8 minutes after bootup and then every 8 hours. When I finally asked for a manual update I noticed a 7/22 date but not the time. It was much later in the day after I saw the initial posts about this issue before I ran a manual update.
     
  4. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Yes
    Example of NSclean speed of response and attention to detail.
    Not many other FP get fixed like that!
    Regards
     
  5. NightStalker

    NightStalker Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1
    Location:
    Brisbane, Australia
    Hi Nancy :) Thanks again for the superb support that you and Kevin and the team give to users. It really is very much appreciated, and is the reason I have BOClean bought by everyone whose computer I get to set up. Wonderful stuff :)

    Regards, NightStalker.
     
  6. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    You're welcome! :)

    It's beginning to look like that FP wasn't exactly the mistake we thought it was o_O . This one goes in the dictionary next to the definition for "fuzzy gray area" :shifty: . For now, we're not going to add the detection for it, but check it out and make up your own mind....

    http://www.privsoft.com/archive/nws-who.html

    ....and enjoy the game!:D
     
  7. jiznrxry

    jiznrxry Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    2
    All due respect Nancy, but quite frankly, that newsletter is the most ridiculous thing I've ever seen. It is entirely unprofessional, unfounded and just flat-out wrong. Barely any (bordering on none) of the allegations made within are true and any basic amount of research would have shown this. I highly recommend that whoever within your organization wrote this see Frank Hecker's and Nelson Bolyard's responses to it on the mozilla.dev.security newsgroup.
    I'm quite pleased with the quick response to this FP and that my copy of BOClean was updated promptly to resolve this, but that newsletter has left me with the impression that I may have to begin searching for alternatives :(
     
  8. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Welcome jiznrxry to the Wilders Forums.

    While all must make their own decisions on this very rare FP with BoClean as to if they would want to continue to use the security product. I for one never would have known of this had my sharp eye not have been perched above the Wilder Forest scanning for information on security issues and products.

    One does have to wonder why you would register just to post this post. I would like you to educate me as to why you feel the way you do.

    Let me see who am I going to trust....mozilla.dev.security newsgroup or Nancy and Kevin who have given me years of protection. :rolleyes: (well that was an easy 2 second decision) Perhaps you can tell me what you find so bad that you would want to look for an alternative product. Just wondering, what am I missing? o_O
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Not that I in any way really understand the circumstances :doubt: about certificates, and having read the thread at mozilla.dev.security newsgroup I would have to think that there are holes in the certification procedures.

    When NMcA starts mentioning CWS, 180 solutions et all, I get a bit apprehensive.

    That being said I appreciate the comments from the MozDev teams and respect their statements about not writing to the registry as being prima facie OK.

    Nonetheless, if Privacy Corp have concerns about possible exploits, if the fix did not "break" FF then I would be keen to see it (the possible malware exploit) gone.

    Can anyone enlighten me beyond the mozdev thread?
    Heh; in terms a small child can understand. :(

    Regards.
     
  10. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    I'm curious if the folks at Privacy Software Corporation (BOClean) and the folks at Firefox (Mozilla) have been in contact with one another over this one o_O
     
  11. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Based on the PSC letter they did welcome others to look at the issue and who better than the FF team to engage to bring about resolution. ;)
     
  12. jiznrxry

    jiznrxry Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    2
    [Looks like the forum ate this when I tried to post it earlier. Sorry if this ends up as a double post :/ ]

    Hi mercurie, thanks for the welcome. I'm not quite new, I've been lurking 'round these parts for quite some time :)

    Anyway, allow me to explain my reaction above by going through the newsletter claim-by-claim:

    "The submission was reviewed by one of our own malware analysts and was determined to be extremely suspicious because it modified the Windows registry "trusted certificates" store and that's always a "no-no.""
    Mozilla does not modify the Windows cert stores in any way. This can be verified either by using a registry monitor or inspecting the relevant source code.
    NSS: http://lxr.mozilla.org/mozilla1.8/source/security/manager/ssl/src/
    Installer: http://lxr.mozilla.org/mozilla1.8/source/browser/installer/windows/nsis/

    The 'QuoVadis' in question is a reputable CA with operations in Bermuda, Switzerland and New Zealand. QuoVadis meets both Microsoft's and Mozilla's policy for CA inclusion. QuoVadis' CA was actually pushed out via a Windows update several months before it was ever included in Mozilla. You can view QuoVadis' request for inclusion on Mozilla's bug tracker.

    "Mozilla's NSSCKBI.DLL file contains a number of "secure sockets layer" (SSL) certificates, including certificates from several unknown and possibly dubious "certifying authorities.""
    Because Mozilla ships software worldwide, it includes root certs from reputable international CAs. Just because one may not recognize the name of a particular CA doesn't make it unknown or dubious. Getting a root cert included in Mozilla is not a trivial process. The process takes several months, is fully viewable by the public (who can comment at any time, even after an approval with reasons why a cert may be dubious) and requires a third-party audit by WebTrust or an equivalent. To maintain their inclusion status, CAs must continue to meet the terms of Mozilla's requirements (link in first paragraph).

    "It is our opinion that there are some questions raised by the presence of this module and in particular its contents and its ability to modify the machines of users of Netscape, Mozilla and Firefox."
    Again, this static file is the default CA store for Mozilla products and Mozilla products alone. Neither it nor the Mozilla product being run modifies the Windows cert store. It wouldn't make much sense to modify the Windows store anyway as Mozilla is a cross-platform product and when run outside of Windows, it would require additional unnecessary code to form an alternate solution. Also, the only modifications done to the Windows registry by Mozilla products are the default browser settings and a 'Mozilla' subkey of HKCU\Software.

    "The "issue" as we see it is that the end user is not presented with the ability to accept or decline certificates by these unknown quantities, and once a certificate is "stored" on the machine, then any certificate granted by these authorities to others is now considered both "valid" and "safe.""
    This is a very tired argument and has been brought up against just about every piece of software that ships with default CAs. Giving the user the ability to select which are included upon install is not the answer to this issue. And as I said above, these CAs are not unknown entities.

    "Further, the option to VIEW the existing certificates is not available to the user through Netscape/Mozilla/Firefox and is instead hidden in the Windows registry in a difficult to view and modify means."
    Considering the certs never leave the dll, finding them in the registry is going to be next to impossible. In Firefox, you can view all CAs and their respective certs by going to Tools -> Options -> Advanced -> Security -> View Certificates -> Authorities. Not only can you view them (in full detail) but you can also set individual cert's trust bits or mark them as completely untrusted using the delete button (NOTE: As the DLL is a compiled file, the certs cannot be removed from it - but once all trust bits are gone, the cert will no longer be used and will show as such if you press the edit button).

    "We feel that this is a serious security risk since some of the "certifying authorities" embedded in this file are known to be used by a number of malware programs"
    Certs issued to individuals do not imply safety or that the individual does not have malicious intent. Certs merely show that the person who applied for it had a valid name and address at the time. Anyone with a valid name, address and enough money to purchase a cert can do so.

    "and because any download "signed" by any of these questionable certifying authorities would be downloaded, installed and run without warning because of the successfully "signed certificate.""
    From within a Mozilla product, no file, signed or not, may be downloaded, installed or executed automatically (extensions included). And considering the DLL's certificate store is only used by the Mozilla product that included it, the certs contained in it have no effect on what the operating system trusts.

    "The file itself seems to originate with Netscape Communications (part of AOL/TimeWarner) rather than Mozilla.org"
    The Mozilla project was founded using the code Netscape open-sourced in 1998 before being bought out by AOL. To maintain API compatibility many items within the source still retain traces of Netscape. For instance: the security module is still named NSS, or 'Netscape Security Software' and most classes have a prefix of 'ns' (i.e. nsFooClass).
    Since it fully attained its status as a separate entity in 2003, Mozilla has had no ties to Netscape, AOL or TimeWarner. The NSS module is actively developed by Mozilla alone and all of the certificates included in the file meet Mozilla's CA inclusion policies.

    "The "root certificates" which this file places go into the Windows registry in the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

    and exists as "subkeys" of the above with GUID numbers to identify each subkey. Names are not used. The data for the various root authorities is unfortunately coded as "binary" rather than text, making viewing of the contents challenging, and no "viewer/editor" within Netscape/mozilla/Firefox is apparently available for their contents. Once "Certificates" are installed to the registry here, uninstalling the program which placed them will NOT remove these certificates. They go in, and they stay. And Mozilla will put them right back if you delete them yourself. They stay. "
    Entirely unsubstantiated. The certs in the reg key in question aren't placed there by Mozilla's software. The viewer/editor DOES exist in easily accessible UI and within said UI, they are not presented as binary. As I've said multiple times already, Mozilla software doesn't touch the Windows cert store. There are numerous ways to research and confirm this fact, two of which I listed in the few paragraphs.

    "Then there's the 'signers" no one's heard of. And that again is the problem. WHO are the unknown people saying, "you can install this silently without telling the customer because you're ... 'trusted.'" BY WHOM?"
    WebTrust et al. seem to find all of the certs included in this DLL to be reputable, as does Microsoft (that's why they're in the registry store - QuoVadis included).

    "And "tinderbox" in the official name for this code is highly unfortunate too."
    Tinderbox is Mozilla's automated build software and as the path in the file indicates, is installed in c:\builds\tinderbox\ on the "Fx-Mozilla1.8.0-Release" Tinderbox and creates a "WINNT_5.2_Depend" build. You can even find the status of this machine on Mozilla's site: http://tinderbox.mozilla.org/showbuilds.cgi?tree=Mozilla1.8.0

    Upon seeing the initial alert of this 'QuoVadis malware', I did my own research and found all of the above information quite easily and within a few hours. What rubbed me the wrong way about the newsletter is that barely any of it is backed by fact that is extremely easy to find and that it has been picked up by various tech news outlets, who are now spreading FUD to the wind about a complete non-issue.
    The easily obtainable facts missing from the newsletter are what irks me and in my view tarnishes PSC's otherwise solid reputation.

    Quick disclaimer: Netscape and Mozilla are no longer related. Netscape may use parts of Mozilla's source code, but they may make any modifications they wish and may have components which are not open source. My above analysis covers the source code of Mozilla products (Firefox, SeaMonkey, the Mozilla Suite, Thunderbird and Sunbird) and products which distribute unmodified NSS libraries (Songbird and Flock). If Netscape's doing something funky, then may I extend my humble apologies in advance to PSC for doubting them :)
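    The post above says the "does it touch the Windows cert store?" question can be settled with a registry monitor. An added example (not from this thread or from PSC or Mozilla) of doing that with built-in tools: snapshot the machine-wide AuthRoot store named in the newsletter before and after installing a program, then diff the two snapshots. It assumes Windows PowerShell 5.1 or later and uses placeholder file paths.

    ```powershell
    # Added example, not code from the thread. Snapshot and diff the AuthRoot
    # store that the newsletter points at, using only built-in cmdlets.
    # Assumes Windows PowerShell 5.1+; the CSV paths below are placeholders.

    $AuthRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

    function Get-AuthRootSnapshot {
        # Each subkey under the registry path is named by the certificate's
        # SHA-1 thumbprint (the "GUID numbers" of the newsletter). The Cert:
        # drive exposes the same store already parsed, so we join the two
        # views instead of decoding the binary 'Blob' value by hand.
        $fromRegistry = Get-ChildItem -Path $AuthRootKey |
            ForEach-Object { $_.PSChildName.ToUpperInvariant() }
        $parsed = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot'

        foreach ($thumb in $fromRegistry) {
            $cert = $parsed | Where-Object { $_.Thumbprint -eq $thumb }
            [pscustomobject]@{
                Thumbprint = $thumb
                Subject    = if ($cert) { $cert.Subject } else { '<not parsed>' }
                NotAfter   = if ($cert) { $cert.NotAfter.ToString('u') } else { '' }
            }
        }
    }

    function Save-AuthRootSnapshot {
        param([Parameter(Mandatory)][string]$Path)
        Get-AuthRootSnapshot | Sort-Object Thumbprint |
            Export-Csv -Path $Path -NoTypeInformation
    }

    function Compare-AuthRootSnapshot {
        param(
            [Parameter(Mandatory)][string]$Before,
            [Parameter(Mandatory)][string]$After
        )
        $a = Import-Csv -Path $Before
        $b = Import-Csv -Path $After
        # SideIndicator '=>' = root present only after the install (added);
        # '<=' = root present only before (removed). No output = no change.
        # Caveat: Windows' own automatic root update can add AuthRoot entries
        # in the same window, so check the Subject and timing of any '=>' row
        # before attributing it to the program under test.
        Compare-Object -ReferenceObject $a -DifferenceObject $b `
            -Property Thumbprint -PassThru |
            Select-Object SideIndicator, Thumbprint, Subject, NotAfter
    }

    # Usage (placeholder paths):
    #   Save-AuthRootSnapshot -Path C:\temp\authroot-before.csv
    #   ... install or run the program under test ...
    #   Save-AuthRootSnapshot -Path C:\temp\authroot-after.csv
    #   Compare-AuthRootSnapshot -Before C:\temp\authroot-before.csv `
    #                            -After  C:\temp\authroot-after.csv
    ```

    The same two-snapshot approach applies to the other store paths under SystemCertificates (for example Root or Disallowed) by changing the registry path and the matching Cert: store name.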
     
  13. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Thanks for the post jiznrxry.

    Quite a few inaccuracies in the newsletter there.
     
  14. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Thanks jiznrxry for posting back your reply. You have obviously taken some time to explain. I will read more completely this evening. Time for me to provide for the family now. ;)

    By the way I lurked for a long time too before joining. So I understand about that too. ;)
     
    Last edited: Jul 27, 2006
  15. jbob

    jbob Registered Member

    Joined:
    Dec 2, 2005
    Posts:
    10
    Location:
    Arkansas
    I'd just like to comment on the naysayers here. Some seem to read the PSC newsletter and only key on the items that are perceived to be wrong. Other posters in other forums seem to be doing the same thing. A few have seen this as an opportunity to trash the team at PSC (I wonder why that is?). It's funny but the part of the PSC newsletter that stands out is this one:

    "It is our opinion that there are some questions raised by the presence of this module and in particular its contents and its ability to modify the machines of users of Netscape, Mozilla and Firefox. Therefore, we hope some external and independent parties and other experts might examine this further, independent of us, to determine whether there actually is a concern here."

    Seems to me that PSC was saying they weren't sure and even asked for a sanity check from others. But a lot of what they've got is stones being thrown in their direction, including from a competing vendor I might add. At least some responders here and elsewhere seem to be answering the questions with less disdain and more information.

    From my perspective some need to lighten up.
     
  16. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA

    PRECISELY. We just wanted to see some clarification on this. Thank you.
     
  17. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    181
    jiznrxry !

    1] Thanks for an excellent rebuttal, with links to superb replies in mozdev groups on this issue - a real eye-opener for me.

    2] >...searching for alternatives... (to BOClean) <
    Are there ANY which do what BOClean does? I too look for such programs - can you suggest any?

    SKA
     
  18. controler

    controler Guest

    Any of you using SSM or Regdefend can easily verify this one way or another.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

    con
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    LOL
    NO.
     
  20. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    ;) Not for this bird either ;)

    Boclean will continue to protect my machines.
     
  21. gates

    gates Registered Member

    Joined:
    Sep 2, 2005
    Posts:
    59
    I just bought Boclean to my new laptop. :D Works like a dream :cool:
     
  22. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    I have it protecting 3 PCs for my kids, my wife's laptop and my main desktop. Works quietly, runs light and unobtrusively and never has a problem updating - not like some top AVs I know :cautious:

    When all my home AV licenses expire and I probably switch all the household PCs over to AntiVir (well I might still keep a paid AV for my main desktop), BOClean will be the only non-freeware security app that I will be using, mostly because it is such a good product but also because it has sensible licensing that covers all your home PCs with the one license.
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I think BoClean is great and I recommend it all the time. BUT if I was using it and it trashed Fx and SeaMonkey I would be more than a little miffed. I can understand some of the puzzlement that PSC described in the newsletter because I, a long term Phoenix/Mozilla/Firebird/Firefox user, was also confused regarding Mozilla based browsers' ability to delete and/or disable particular Certs, as can be seen by my posts in the mozdev group and my post in the dslr thread.

    However, that confusion on the part of PSC doesn't bother me since even I was confused about it. (Although once Frank Hecker told me to look at the edit button and I did, I then recalled that a couple of years ago, I had the same thing happen...deleted a Cert, had it come back, was puzzled and finally learned that the answer was on the edit button and I forgot that after a period of time). What I do find a little worrying though is that PSC did not seem to even know that a Mozilla based browser user can easily access the interface to the storage of the Certs. That makes me think that they don't know much about Mozilla based browsers. This makes me a little hesitant regarding recommending BoClean, in the future, to users of Mozilla based browsers unless they are "power" users. I also find it a bit unsettling that PSC did not know that the registry key referenced had nothing to do with Mozilla based browsers. I knew that!

    What is good about all this is that a bug has been filed by a MoFo member (thus ensuring it will receive attention) regarding the confusion about how to disable a Cert in a Mozilla based browser.
     