Criteria for Trojan scanner selection

I am just wondering what criteria do people use to choose the particular trojan scanner they are using. I just want to see what features other people consider most important in a scanner.


Starrob

 

For me the biggest feature is update frequency.
As long as a program updates at least 3 or 4 times a week that's o.k.
Daily is better.
Of course the A/T program has to function properly scanning etc..

 

Hi Starrob,

I have several scanners, but the two I depend upon most are:

1) TDS-3 for its comprehensive on-demand detection and cleaning cabiliites. It has, in my experience, found trojans and other malware that ATs, AVs , and ASs, miss.

2) Ewido for its frequent updates and its "good neighborliness" when running in real-time. It does not conflict with either ZoneAlarm, PG 3.0, and KAV 4.5, or Giant AS. It is tough to guage its detection capabilities since my system has been pretty free of trojan problems once I moved from NAV to KAV 4.5 and changed my browsing behavior. It catches a few cookies while TrojanHunter and BOClean come up empty. Its nice to have around.


Rich

 

to answer to the question directly, isn't easy, that is what they told me, is the dll injection at the direct moment (excuse me for not translating it right).

I never tried boclean but I am a licenced member of GDATA, tds3, TH4.1, ewido, giant, nod32, and you name all the pre-future proof goodies. I am considered to be a wonderer about zero day atack. and one thing I question myself. Ewido is good, tds-3 is good but what about at's that protect against zero days' attacks. something like nod32 advanced heuristics, doesn't need sigs to get the malware....hope you know what I mean... just that minute or second is important...here we are at the end...processguard...best thing at the end...or system safety monitor... that is what I am looking for, not the best or the frequent updater (all options in my point of view, good options that is true,... but at the final moment...I need to feel secure...dll injection eventhoug PG is protecting me...this is the most critical thing at the moment for me like leaktests, and memory injection, last day I injected myself 'again' just to try something and to get around another thing... I learned a lot, and I am eventually a newbie... I must confess.

dll injection is one of the most difficult things and even if you have processguard, you cannot be sure enough.

I am waiting till the day Ewido (sorry but at the moment...) builts in heuristics like they did their whole program which was innovative, was...is...I don't know anymore but I believe in innovation...I believe if one program is getting better, they cannot stay behind. I wouldn't. no one wouldn't.

somebody things about money, another one things about security. another one changes their prices to compete with their selves, another purchases another product, just to feel secure. that is the way I see it.

to answer your question more clearly Starrob, again, good question, is the constant memory/exe/dll/... scanning at the moment we are using it (directly or indirectly/spawning)

have a nice evening you all

Inf.

 

My criteria is to find a trojan scanner that doesn't piss me off.

I'm still looking.

 

Light on resources, Simple to set up, easy to use, no flash or fancy graphics, runs in the background, frequent updates, leaves no trash behind, good support........... Well...BoClean=Trojan Defense. (there is no special order in the above)

No yearly update fees

 

For me, one of the most important features of a scanner is how it is well I percieve the company that makes the scanner is doing toward developing a scanner that detects future threats.

In my opinion, currently, there is not a real huge difference in the detection rates of maybe the top 4 or 5 scanners. As of this date, I believe most of the AV/AT scanners are heavily dependent on signature based scanning. I am not a big fan of signature based scanning because it is mostly a reacting type defense.

I am looking for a scanner that is developing pro-active solutions to threats like Rootkits, Static DLL injection, Dynamic DLL injection and other threats that are currently being developed by the malware industry.

I am looking for a company that is actively researching potential future areas of attack and closing them before they can even be used by Malware authors. I believe signature based scanning will lose more and more relevance over time until it simply becomes just a small auxiliary tool in a larger arsenal of weapons.

I am looking to see the development of more advanced heuristics...more advanced detection techniques....more advanced behavioral detection and blocking techniques.

I know sometimes I rant and rave. I actually expected a few times that a few AT represenatives would come and challenge me against my rants against signature based scanning. I think there is two reasons that they have not. I believe most if not all the AT companies are most likely developing alternative methods to detecting the presence of malware that do not depend on signature based scanning.

I could be wrong but I think a few have come to the realization that signature scanning is a losing battle. The speed that malware is being put out nowadays is frightening and the signatures can't keep up. I remember the days when all you needed to do is update your AV maybe every week or two. Now there are some companies that update at least 4 or 5 times a day or more. It is likely that it will only get worse. Will there be a day where you must update every hour or every minute to feel secure? No...signature based scanning is not the answer for future threats in my opinion. I want to get off the update addiction. Some companies are feeding signatures to the public like a crack addict.

I think another reason why AV/AT companies have not challenged my rants is because I think all of the companies have got experienced over the years by dealing with many different people on forums. It is better to let people that might not be as knowledgeable on a subject to rant then to challenge them and get into a argument with a potential customer.

I do welcome corrections from experts on some of my opinions. I do like to learn.

I am a ship engineer in real life. I like working on and fixing machinery. I like looking underneath the hood. Some people maybe be fascinated with the GUI but I am fascinated with how a thing works and how effective it is.

I look at everyone's opinion but if the opinion is at the level of "Wow, the GUI is really great" then that opinion is rated far lower than another opinion that can tell me specifically how something works and the reasons why things were made in a certain way.

Ok...I am getting tired of writing.....I look FWD to reading more criteria people use for determining which scanner they use so I can know better how to make a choice for my computer.


Starrob

 

I'll be sure never to comment on an interface. Don't want to sound like a drooling idiot or anything.

 

Nah, the GUI is very important to many people. Maybe there are those that will get greater value out of the coment than me OR I might be surprised and actually learn something from a interesting comment.


Starrob

 

I look for:

• Operational robustness - does it play well on my system, with my other applications
• Speed/light resource footprint
• Cost - there are 5 PC's at home and I'll be outfitting them all
• Ease of use - maybe connected to a well conceived UI, not necessarily flashy GUI. I can deal with complicated, but the rest of the family can't.
• Most comprehensive coverage possible
• Auxilliary tools to deal with problem instances.

This is why I have 2 AT's on my PC's - BOClean for realtime action and TDS3 for comprehesive coverage - no single tool really provides for all of my criteria at the present time. Purchasing both at this time wasn't a major issue since neither currently has continuing subscription fees and BOClean has very generous licensing with respect to home usage.

I agree with virtually all the sentiments mentioned by Starrob. Signatures are a losing battle. They are the best current solution, but future solutions must evolve beyond them. At some point, signature database mass will simply push performance to a level that isn't acceptable to me. The explosion of number of distinct threats also threatens the ability of any of the AT vendors - all of which are small operations - to keep up. Currently, I think they all do a simply amazing job.

Some of the more pre-emptive protection schemes exemplified by ProcessGuard, Prevx, SSM, and so on are extremely powerful, but currently depend on a level of user knowledge that will inhibit mass market penetration and can yield system instabilities that a casual user could have difficulty easily recovering from. Consider the types of questions posed by acquaintances who are casual PC users versus what needs to be appreciated to effectively utilize these approaches and do the math. Niche opportunity for advanced users and maybe a path to some of the broad future solutions, but not a general solution at the present.

I support a couple of vendors with my business to help provide for the future solutions and will continue to do so. I realize that progress isn't easy given the long gestation periods of these products, TDS4 and BOClean 5 both come to mind. I've put my eggs into their baskets for the present, but do pay ongoing attention to the activities competitors such as Ewido and TrojanHunter in the event that a future shift is warranted.

Blue

 

Very nice opinion
Just useful as bugs in the garden

You can update for years on a daily basis let's say 6000 Dos Trojans.

Let's make a simple calculation...
365 days / 6000 equ around 16 Signatures per day.
From a statistic point of view u will not have every day 16 new signatures.
Let's assume 8 new signatures per day. That would give in our small example 2 years non-stop updates. ;-)

That means not that the AT Vendor is up2date and knows what is currently a threat and what is not detected by common AV software.

The job of AT Software is to SUPPORT existing AV software.
Therefore you have to know what is new and what is badly detected by AV software.
That means a much deeper research than just adding lot's of signatures.

The AT vendor has to know what's going on. In the trojan-scene i mean...
Otherwise it's impossible to be the first who catches new trojans before the AV software vendors including it because it turned then already into a wellknown trojan.

Cheers

 

I think it is taking a long time to develop many of these products because I think many are using expiremental techniques that have never been used before.

It may be that they are having difficulty implementing some of these techniques or having difficulty making them user friendly or both. With something like heuristics....Probably one of the big problems with developing heuristics is the false positives. If a AT company gets too many FP's there will be much weeping and gnashing of teeth.

As far as I know, only DCS has hinted at one advanced feature called Port to Process mapping which sounds interesting but they will probably need a big help file to help people learn how to use it because someone like my father doesn't even know what a port or a process is. It will either need a huge help file or be made very user friendly . It will have to be something like you will get a "POSSIBLE TROJAN ALERT" with a explanation that a suspicious process is attempting to access a possible trojan port or maybe even possible trojan IP!?!? Don't know if that is possible because that would require a huge database filled with Trojan ports and/or IP addresses all of which are constantly changing.

Any way, I am sure most of the AT companies are developing ideas that are just as complicated. I am waiting to see which company will be the most effective in their implementation in the future.

That is why I am not married currently to any of the signature based scanners. All of these programs are probably about to have big changes and the one's that provide a good solution currently may not have the best solution tomorrow because a competitor may implement a better solution.

I don't know software law but if the solution is unique enough maybe some companies may patent a few of their solutions. This could possibly make one or two scanners stand out far above the others because competitors can't use copy cat solutions.

Also, maybe the new techniques maybe so evolved it would take many months or a year for another company to catch up with their newest features. The AT industry is so competitive that if one or two scanners are too much better than the others, it might force a few of these AT companies to close their doors or maybe even merge with competitors to compete?!?! I am not sure about merging, though...LOL...some of these companies have very bad blood between them...LOL.

I think this is why many AT companies are mum about what they plan for the future. They want to get out ahead of both their competitors. One competitor is other AT companies. The other competitor is the Malware scene who will seek methods to get around the new techniques.

By the way...all that I have written is either just guesses of mine or opinions....they could all be very wrong.

Ok..let me eat breakfast.


Starrob

 

Hi Starrob et al,

It is interesting to compare "signatures" to "heuristics". For me, the differences are not so black and white - more of a gradation.

There are all kinds of signatures. Some are very, very specific and will almost never give, what is called, a false positive. Others are a bit more general (such as the ones that Giant AS uses) and will give more frequent false positives. Why? Because as the signatures become more "generalized" - that is, the "patterns" that the computer system is looking for become more generalized - they are more likely to alert the user to more false positives. More false positives means that the user must be increasingly more knowledgeable.

Software, such as ProcessGuard, use very general pattern detections. For example, any time a new,"unknown" process starts up, it will give an "alert". In as sense, this is in most cases a "false positive", and and the user must decide whether to accept the process or not. Based upon the what the user is doing, and the user's knowledge, the user will decide whethr or not to allow the process to execute. In most cases the decision will be correct, if the user understands the processes, but in some cases the decision will be wrong. It is the nature of "human error" - because humans, like "software heuristics" make decisions based upon "learned patterns".

It is possible to reduce "false positives", when generalized "pattern matching" is done, by providing an exception list. For example Giant has a list of "allowable registry changes" so that it will automatically accept certain registry changes made my certain allowable programs. What this does is that it cuts down the number of times that a user has to intervene. However, it may allow certain registry changes through which should not be allowed. Other programs may trap all registry changes which means more user interactions.

So the engineering challenge for "heuristics engines" is how to detect more and more generalized patterns without letting through the "bad guys" and at the same time not taxing the user's own knowledgebase too much. This will always be a problem since the programs own "knowledgebase" or "expert system" is limited by the knowledge of the designers themselves. This is why it is possible to see malware seep through NOD32 (as I have seen on http://virusscan.jotti.dhs.org/ just this morning) and not KAV.

I believe that both type of software will always have their place (general vs. specific signatures) as long as the primary problem remains unresolved. And that is that Windows has a terrible security design structure. Why? Because it was designed to let Microsoft into each individual's system. In other words, it was designed with a lock that can be easily opened from the inside and outside. Sort of like a key left underneath the door mat. Until this is fixed, then it is simply trying to guard the door as best a user can, knowing that a key has been left somewhere for someone to find. My insurance policy is my "image copy" which I hope works when I need it.

Rich

 

I have to agree with Blue and Rich.

There is still currently NO solution for limiting the errors that are likely to be encountered by users from behavior based detection. Whether you call it user error or false positives or whatever else, it seems to be a very legitimate flaw of behavior based detection methods today. Programs like ProcessGuard have made a lot of headway in making their program easier to use for the public, but the ultimate decision of whether a program will be allowed to run or not is still the choice of the user. And face it, not many users can say they have the knowledge of the people who create AT programs and who analyze malware every day. While we maybe moving onto these types of detection methods for the future, I for one would hate to do this if this single issue is not resolved.

Port to process mapping is what you see in DCS' product Port Explorer. Currently Port Explorer will show possibly dangerous sockets in red which will help users recognize that this socket might be dangerous. Unfortunately when a socket is marked in red, it does not necessarily mean it is dangerous. It just means that the socket is linked to a process that has hidden windows. Which can be found in legitimate and illegitimate programs. Once again we have the same problem as we do in the above scenario. A user can socketspy on the socket to see if it will reveal any additional info. But this again requires some amount of knowledge to determine whether the info gathered is indeed dangerous. Rootkits also have the capability to hide ports and processes.

I look for many things when looking into products, a lot of which has already been mentioned. But I would also like to emphasize the importance of technical support.

 

I've had plenty of FPs from heuristics and sigs both. When using [product name removed to prevent upsetting die-hards], the heuristics were the problem where FPs were concerned. Never had heuristics save me from anything, except the danger of a sanity-filled afternoon.

As a result, I despise heuristics. Wake me up when someone perfects it, and stops wasting my time with it as if I am an employee of their company, forever submitting FP samples to them in order to do their beta testing.

 

nameless,

The secret is being able to discern cutting-edge from bleeding-edge technology. I'd say the jury is out on some of the commercially implemented heuristic solutions at this point. You do have to love those lead-adopters though, imagine where we'd all be if they hadn't vetted the products to at least some level of operating stability.

Blue

 

I imagine we'd all be more productive.

 

If "zero-day exploits" are what concern you, try using either ShadowSurfer/ShadowUser ( http://www.shadowstor.com/default.asp - for XP ) or DeepFreeze ( http://www.faronics.com/html/deepfreeze.asp ) should help you out.

Whenever I leave my computer for other family members to use, I simply put it into ShadowMode (I'm using ShadowUser here) - that way, I don't have to worry about where anyone goes or what they do on my computer, they can't hurt it.

As soon as I re-start and come out of ShadowMode, everything they've done is gone - and they're unable to make or save any changes to the computer.

Works like a champ and has given me endless peace-of-mind about having anyone else on the computer. The rest of the stuff I have on here (for when I'm running in my own profile) has been more than sufficient to keep me from having being infected with anything for years. Pete

 

That's really handy, and I do the same thing with Image for Windows. But it won't help with a zero-day trojan (or simply lousy trojan detection). Once your private info is out the window, you can't roll it back. And it's not like you're going to be randomly rolling the system back just in case you have a new trojan on there.

 

Pete, I could never get ShadowSurfer or ShadowUser to work properly when I tried them in the summer, despite support's best efforts. Have they updated these programs of late? They seem perfect in theory.

Deep Freeze did work for me, however!

 

Good morning, nameless. I'm not really sure about that (at least here, anyway). All the defensive programs I run are also running in the family profile. Also, there is no "private info" on the family profile (no one here uses the computer for business/banking purposes, it's simply an Internet machine).

On the contrary - as I stated above, I put the machine into ShadowMode when I leave it for the day - it runs that way when on the family profile. When I come home, I take it out of S/M and re-start it, so the computer does then start from a clean state (the way I left it). Everything done on the family profile is gone everytime I come home and do the re-start.

Blackcat - As far as I know, they haven't yet re-written the program. All the suggestions that were made and the few glitches that were discovered (that only affected some people) require a major revision that hasn't thus far appeared. I was lucky enough not to have experienced any of those - the program simply works here. I'm glad that DeepFreeze worked for you.

Does DeepFreeze recommend re-starts (with return to the "clean" state) at every log-off, and provide a scheduler to do so, like ShadowUser does? Pete

 

My gosh...a program like ShadowSurfer/User has been a dream for ages
to me ! Unfortunately I'm a poor woman and x-mas is almost here, so I need to watch my pocketmoney.
My question...is there a software similar to that one, that you can dl for free..... ? Hmm..is there ?

 

Yes, scheduler is present and you can decide when you want to 'wipe' everything clean.

With both ShadowSurfer and ShadowUser, coming out of Shadow Mode did not clean everything off my system as it should have done. Even Favourites remained on my system!!!!!

And the exclude would not work for me either in ShadowUser. Maybe it was my system. I will give them another go.

I tried about 4-5 of these roll-back programs in the summer and on my systems Deep Freeze seemed to work the best.

 

Sounds like an ideal solution for a computer with no real data on it, which never has new software added to it. I'll remember this if I ever open my own library.
-