BoClean review by TechSupport

Discussion in 'other anti-trojan software' started by aigle, May 24, 2007.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,658
    As an old timer, who knows -let's put it this way- a little bit about the case Lockdown vs PCHelp, I protest against this "analogy".

    For now I leave it to that.
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Personally I have not commented about that because it is old news, many other security products can be terminated but I have a layered defense. I am sure you have much more knowledge than me in this field and experience the malware that targets Boclean when you use your computer, but I don't so that is not a big problem (hence no comment about it). The bad guy has to have a quite big database if he is gonna terminate all the possible combinations of a layered defense.

    Thanks for explaining your motives on using HIPS test tools on an anti trojan software, even though I don't buy it.

    Sure you don't criticize for failing the HIPS tests with direct words, but anyone who cannot see the difference between an anti trojan and a HIPS (tbh, who else than us geeks can see the difference?) could easily think that all those "FAIL" actually mean something important.
    If you tested those useless (together with BC) tests for your own pleasure, what's the point of mentioning it in your review together with the security issues that you feel are relevant? What has that to do with a Boclean review? It just doesn't seem very professional to me.

    I am sorry for all the heat you get, there are some comments that could be more diplomatic, but personally I think you deserve some criticism when you choose to publish your review in that manner.
     
  3. Quill

    Quill Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    10
    This speaks volumes! You run tests that are totally inappropriate for the product being tested, admit that you have, but still publish the results.

    That is not only misleading, it's tantamount to lying.
     
  4. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I think this is the first time that I have heard that a forum has had that kind of effect on someone. :eek:
     
  5. gismo999

    gismo999 Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    44


    I totally agree, and I couldn't have said it any better!!!
     
  6. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Refilling toner cartridges? :gack:
     
  7. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    :D :D :D
     
  8. EASTER.2010

    EASTER.2010 Guest

    Who cares about checks, pay-offs, and whatever else happened in the DISTANT past. This is all about the here and now and regards specifically BoClean of now COMODO firewall fame. What's wrong with taking ANY so-called security program to task?

    Methodology? What methodology? Provided putting a memory-only scanner thru a HIPS test is a rather extreme measure with obvious outcomes which are bound to show thru, the single point i think which should be made here is that it's EASILY TERMINATED, period.

    Maybe that and other like issues would prove more useful if instead brought up for attention in their forums for review/discussion. So on the one hand i agree wholeheartedly it does have severe limitations in its current state, but the review made is not flawed at all, it just shouldn't have been done at all before first bringing those flaws to the attention of the developers first! IMO.
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Although this discussion will be old news as a new version will be released soon, here is Kevin's take on the termination test. By the way, I'm not using BOClean, but have followed along since reading the ravings here at Wilders and the rantings when it turned free.
    http://forums.comodo.com/index.php/topic,9105.msg66629.html#msg66629
     
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    Does that mean that Process Guard is not a good program to have in a layered defence (irrespective of the fact that it is not being updated anymore)?
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Wayne would disagree with Kevin about the hooking. Makes me yearn for "the good ole days" when Kevin and Wayne frequently went at it passionately but good-naturedly, of course, (they are friends) over at dslreports security forum.

    I use PG with XP Pro and wouldn't be without it. Personally, I got PG precisely because it DOES hook the kernel. I value that tremendously. I like that I have control that Microsoft doesn't want me to have and tries to totally forbid in Vista.

    As for what was meant by the remark that the reason PG went away (lots of us still use it so where has it gone?) was because it could not be used in Vista...both Wayne and Gavin posted that PG worked in Vista. I don't have Vista, didn't do the Vista beta, don't plan to ever get Vista so I have no idea if it worked at one time, stopped working with a later beta, works currently or what. I'm puzzled by Kevin's remarks and I can't ask Wayne anything...frustrating.
     
  12. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Just pointing out his own logical inconsistency, it's the old state trooper in me...
     
  13. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Usually i don't post towards such threads, HOWEVER, it's saturday morning and i'm sitting relaxed in the bathtub atm :D

    Testing with "Simulators" makes *only* sense together with "Behavior Type Applications". *NOT* with Antitrojan, Antivirus, Antimalware Applications.
    I've explained that over and over again, last time i mentioned that was 2 weeks back, during the AV Tester Workshop in my presentation.

    There *are* 4 groups of "files": Non-Malicious, Malicious, Malicious only together with other components and Simulators. ( See my powerpoint slide for more info )

    Testing for example Simulators against signature or heuristic-based apps doesn't make the slightest sense. Why? Because numerous clean, legitimate programs have exactly the same behavior. Especially Autoupdaters. They copy themselves into the system folder, add a registry autostart key and connect to several servers in order to determine if a new version is available. Quicktime Updater, several burning apps' updaters, for example older nero versions, and so on. Next thing is: If one of the simulators would be *really* malicious don't you think that *everyone* would include it as well with signature detection to prevent any *real* harm?

    The major goal of all apps is to detect REAL malicious software. There is no need to focus on "intended" things. Otherwise you would have to flag a program that displays a messagebox "This could be a virus" and does nothing besides that.

    Edit: just found a picture of exactly this: http://www.flickr.com/photos/vircop/514497087/
    _________________________

    Ah yes, i forgot one thing. In case you're visiting Reykjavik sometimes, spend attention where you park your car and that the parking meter has still time left. Otherwise you might end up like this: (that picture is NOT faked)

    Edit: just added one more pic...
     


    Last edited: May 26, 2007
  14. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    :) very nice Inspector!

    To Easter2010 i'd like to ask:
    for all the consideration i have for your knowledge i am surprised you just dismissed BoClean because it came out wrong with the first installing attempt. Probably some software of yours got in the way; as a remote eventuality why not consider a mistake on your part, or a corrupted file, as usually Bc installs like a breeze.

    Regarding the termination of BC - using ProSecurity or SSM like you do you could always protect BC from termination quite easily, don't you agree?
     
  15. EASTER.2010

    EASTER.2010 Guest


    You're quite right to be surprised of my dismissing it. I was just as equally surprised and frankly very peed off after all this hoopla la only to find it in the condition it was in when released. From my end it almost bordered on a joke program if not for the fact it was actively scanning/polling every so many seconds or so. The GUI is so outdated it's not even funny. All that aside, yes i had a terrible time just getting it to run stable enough to test it awhile but that didn't happen. I keylog myself 24/7. It's one of the oldest keyloggers in existence which was put in AV databases way back in 98 days. It serves a very useful purpose of keeping a journal of my own activities as well as any problems i happen to run into.
    Comode Bowl wouldn't accept it even though it showed in the EXCLUSION list, but repeatedly kept nagging over it since it does run in memory. No one can't continually keep being bothered by annoying alerts continuously, that are supposed to be suppressed by an EXCLUSION feature in the first place. Not only that but the app stalled several times requiring a Hard Reset to dump it out of memory where it resides to monitor. "BUGS?" Yes, but don't they have enough lab machines in-house to have ironed at least some of those out b4 release? I guess not. And there's that rather old-fashioned Windows 98 box at the top of your screen. My Windows 98 doesn't even have those old grey frames anymore, i customize everything drab looking to bring them up to modern standards. After all, this is the 21st Century and not 1981-1998 as so many of Windows have been branded before.

    Nothing turns you off quicker than an app that straightaway causes issues and i don't tolerate ANY software program that seizes up my screen. It's shown the way out quickly via Add/Remove Programs.
     
  16. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    My 2 cents:

    1.
    I am happy that (1) BoClean has no termination protection, (2) does not protect memory space or block process injection, or (3) has no other HIPS features. This is because it's not a good idea to simultaneously run too many HIPS, system firewalls etc. on your computer. Your comp may crash if you try to do so.

    Because there *are* already nice system firewalls (e.g., system safety monitor) it's good that BOC is unobtrusive & does not create any conflicts but concentrates on malware detection.

    2.
    Notwithstanding the above, I believe that BOC's scan technology is rather outdated and that AVG/Ewido's mem scanner is better/more functional.

    3.
    However, BOC is free. And it is still quite useful because it detects compressed malware that is not detected by Kaspersky, NOD32, and other AVs (w/o a working mem scanner).

    4.
    What I really hate about BOC is the new licensing agreement. You cannot print it out. You cannot copy it. The letters are too small to read it. Why is this?

    Well...probably because it's insanely drafted:

    "Comodo has the right to gather information regarding the use of the Program, including, but not limited (-> This means they reserve the right to get any information they want) to, IP Address, MAC Address, and admin email address to guarantee the proper use of the Program as granted by this Agreement."

    I would call this a very broad "spyware clause".

    5.
    I find it very odd that Kevin admits that he is/was prepared to *pay* for favorable reviews. That's certainly not what I expect a developer to do!
     
    Last edited: May 26, 2007
  17. malformed

    malformed Former Poster

    Joined:
    Sep 23, 2006
    Posts:
    124
    Location:
    In the Shadows
    Agreed ,.- - Well summed.

    I would like to hear how Kevin plans to overcome No.2 as well as his comments on No.4 and 5.
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    :D A ringing endorsement from ,.- : well close anyway ;)
    Not bad from one of PSC's stronger critics in the past.
    We are aware , now, of the strain PSC was under and are looking forward to the "new" BOC. :thumb: ( thanks to Melih, we may get it !!)


    I don't want to get into a slanging match here and others may ( will) know more than me.

    FWIW I don't think gizmo has deserved the flaming he has had here.
    He has answered every accusation thrown at him here and by association at Comodo where there have been some pretty hot shots taken and Kevin is on the warpath.

    His website is open and honest.
    He has made credible attempts to test several HIPS and sandboxes.

    And let me tell you I know of a friend who parlayed a home garage toner recycling business into a multimillion office supply co. Nothing to s****** at.

    I don't pretend to know the full background referred to in the "pay for reviews" accusations, and there is obviously some history there, but gizmo has made his position clear.

    I suspect know the methodology of some of the testing is not appropriate for a memory scanner as we know, nonetheless a creditable effort to put some standardised testing to BOClean. All users appreciate the problems inherent in testing mem. scanners.

    Very few have done so and often with confronting results: (outdated prolly by now)
    http://www.morgud.com/interests/security/faceoff-2006.asp
    http://scheinsicherheit.pytalhost.de/decompdelay.htm
    http://illusivesecurity.pytalhost.com/viewtopic.php?t=134

    Disclaimer:
    I regard KMcA as a certifiable genius. I have had BOC for years.
    I have had some very generous e-mails from K.

    I have perused and used gizmo's website for some time and am a subscriber to the newsie ( not paid version) I have corresponded with gizmo and had perfectly reasonable responses.

    Regards.
     
  19. L Bainbridge

    L Bainbridge Registered Member

    Joined:
    May 15, 2006
    Posts:
    173
    Location:
    London,U.K.
    I've been watching this and the matching Comodo thread with some interest
    My only conclusion is 'a plague on both your houses' ....

    I don't pretend to understand all the arguments regarding methodology but I do think there are some salient points that arise:
    For the BOClean team I am disappointed they felt a need to allegedly 'pay' for a good review for BOClean early in its life but only mention it now after a bad review for CBOClean from the same/ similar team.
    Would they have continued to 'pay' if they could have afforded it?

    Regardless of the validity of Gizmo's methodology this leads me to put a very large question mark over a product I have paid for and used for some time.
    If I was Kevin McA I certainly wouldn't use this info. to disparage the reviewer, as whether true or not I think it reflects as badly on PSC as the recipient.....

    That said Gizmo's review was unpleasant and misleading. Clearly his methodology is at best questionable and he fails to represent that he has positively reviewed BOClean comparatively recently.
    I've subscribed to the techsupport newsletters for a number of years now but as I'm no longer convinced of his impartiality (which he has failed to fully address) I will let that lapse.

    It's always a huge disappointment to see innovative products such as PG, TDS, ewido and BOClean get swallowed up by larger companies or be left behind as the computer security world evolves.

    We as consumers/ proponents can get 'hurt' financially (step forward and take a bow DiamondCS and AVG/ewido) and even at times emotionally as products we have supported/ trusted fail or disappear but in reality the writing has been on the wall for RTS/ anti-trojans for some time now as AVs get better and more recently more of us move towards sandboxing and virtualization.

    Unfortunately I think Gizmo is right - but for all the wrong reasons - BOClean is past its best - not because it is not effective but simply because 'blacklist' scanners are the past not the future of PC security.
     
  20. EASTER.2010

    EASTER.2010 Guest

    I disagree just as much as my statements border on the expressions my opinions of Comode Bo as some critic.

    It simply cannot be completely dismissed entirely. It just needs to be laid out on the blueprints again and refashioned. Nothing so hard about that if you have resources (COMODO) and a research/coding Team, Lab, etc.

    As-is, it might make me puke, but i seen programs before in such a sorry state and behind times completely revamp again and excel beyond all past limitations into a quality product worthy of recognition and satisfaction.

    The point here is when will they start to turn it around and bring it up to more modern expectations. Then they can take the critics to task as well as earlier poor reviews. Gizmo has a great point! You have to move on with the times and ANY security program cannot just rest on past morals or successes but press forward and meet the competition head on. Not live in the past and wallow over old grievances. There's no time for that.
     
  21. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Damn fine post and from a Nod32 user no less...................:p ;) :D

    I couldn't agree more, there is a fair bit of rearend smoke from both sides in this story, but the most important info was that BOClean paid for good reviews by their own admission.............and they even have the checks to prove it according to Kevin! ;)

    I said 1 year ago that 2-3 AT's would survive and be around in 2-3 years in a healthy state, 1 year later i do not even think there are 2. They simply do not have the manpower to keep adding signatures and developing their app's at the same time to combat the flood of malware.

    I always liked Kevin and found him entertaining (& helpful when contacted) when he went ballistic against who he saw as responsible for the hard times in long posts which at least were entertaining, but the writing was on the wall for BOClean for a while with no real improvements at all to an aging program and only just being able to add signatures, it could only end like it did or completely shutting it down. It will be interesting to see if there will actually be improvements (& not just patches to an aging program) coming now that he allegedly has more resources at his disposal. :)
     
  22. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
    Same observation here.
    I really wanted to like this app, but after seeing added apps routinely missing from the Exclusion list and the freeze-up of COBOC, it saw the way to the proverbial Commode Bowl as well, but didn't go peacefully as there was no automated uninstall that removed it all.
    As far as the drama of how it was tested, who did or didn't pay for positive reviews, etc. is of lesser significance (although entertaining), to me at least.
     
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    yes!

    Back in the early days, life was simple.
    You had viruses and trojans and spyware.
    And you choose an AV-only, an AT-only and an AS-only.
    But AV-only's are long gone, they all became AntiMalware tools to protect your system against all kinds of malware (viruses/trojans/spyware and all kinds of hybrids of those). And so did the others.
    Ok you can still find a firewall-only that you can add on to your Windows built-in and the one in your broadband router.

    An AntiTrojan only is just as useful now as a product that only protects your pc against stealth viruses, and no other kind of viruses like polymorphic or metamorphic etc.
    With what kind of product would you like to build up your layered defense now, as we called it many years ago?

    So for me it is not surprising that TDS is gone and BOCLEAN is for free now, and what happened with Ewido.

    The problem with boclean was always that you can't compare it with any other product, because it cannot scan a disk, or isn't a hips.
    So by default, all tests with it and others are not good.
    Please refer me to any recent test, with Boclean and other products, that is ok...

    But for the average user, it doesn't make any difference if his computer was infected by a virus, a trojan or dialer or a backdoor, a worm or spyware or adware or an octopus or a rabbit or rootkit.

    He only wants to have his system protected from all of these things.

    The sad thing of course is that Microsoft doesn't solve these kinds of security problems in their OS, like other OS-makers do.

    Yesterday i talked with someone who had his vista pc reinstalled, because he had a virus that has been around for more than 6 years !!!

    The first outlook version (version 0.0 Beta :>) had a security bug that made it possible for malware in the body of the mail to use the addresses in the addressbook to replicate itself by sending infected mail this way.
    Even now (2007), massmail worms use this same technique?!
    AND in very large numbers! (Microsoft!!! Vista Ultimate is more expensive than an OS for a Supercomputer with 128 CPU's?!)

    Do you have any idea how many viruses and other malware there are out there, for many years, that still are able to infect any Windows XP or Vista with the latest patches?
     
  24. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    Dam,nobuddy said there was gonna be octopus's n' rabbit's on this here internet. Off in search of more scanners then. Or maybe he meant a rabbit octopus.
     
    Last edited: May 28, 2007
  25. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    BOClean is one piece of a total security solution and nothing is perfect or will protect you all of the time from everything.

    Ewido is now part of AVG and I believe is also excellent choice for those who do not trust BOClean for their needs. I'll stop now...:rolleyes:
     