Another BOClean query

Discussion in 'other anti-trojan software' started by Longboard, Nov 26, 2005.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    I have installed BOC with default settings and run GRC Leak Test to "see" the warning and experience BOC in action:

    I have posted elsewhere about the results and had little interest so far:

    As noted BOC will delete hosts file, yes.

    I didn't immediately appreciate what this might mean!!

    So, when I ran the leak test from GRC to see the warning in action...

    When the "Automatic cleanup of winsock connectivity" checkbox is checked, upon a detection of a nasty, BOClean will completely delete the HOSTS file from its location in order to circumvent corruption of the data present. The HOSTS file if used, will have to be replaced with a good copy. For anyone using a HOSTS file, it is therefore recommended that a backup copy be kept in order to replace the original if "file not found." This function ALSO removes any settings that are placed into the "ZONES" registry keys for "Domains," "Ranges" and "Protocol Defaults settings since these are often populated with redirects to bad places or worse.

    Does this mean the Spybot S&D hosts file also, and/or the IE-SpyAd file for IE? What about SpywareBlaster, Spyware Guard?

    What has this done to any IE "zones"?
    What about blocked sites in FFox?

    I also immediately got this message from SS&D TeaTimer: 20/11/2005 10:58:18 PM Allowed value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!

    What was that?

    Also ran SS&D after the test and was told I had CWS and Smitfraud in my Zone registry entries. Never had before. No recent foolish surfing. CWS did not find infection.

    Sorry, I have a lot of faith in the product and the back-up.

    I just want to know more about what I might have to reset in the event of detection and removal of malware by BOC.
    Thank you



    AND:

    I recently added BOClean to my system and had not appreciated what happened to the hosts file.

    I "tested" bo clean with GRC Leak test with the standard configuration of BOC and

    The fifth, and last item on the right hand side is ALSO new in BOClean 4.12 and is marked, "Automatic cleanup of winsock connectivity." This item, like the above cleanup, is turned on by default as well. However, this checkbox controls a number of additional cleanups which reflect the latest tendencies to corrupt the winsock "Layered Service Provider" (or "LSP") stack as well as the winsock itself. In addition, numerous malware tampers with security permissions and profiles, and populates a HOSTS file with redirects which prevent users from getting to their antivirus or other important locations.

    When the "Automatic cleanup of winsock connectivity" checkbox is checked, upon a detection of a nasty, BOClean will completely delete the HOSTS file from its location in order to circumvent corruption of the data present. The HOSTS file if used, will have to be replaced with a good copy. For anyone using a HOSTS file, it is therefore recommended that a backup copy be kept in order to replace the original if "file not found." This function ALSO removes any settings that are placed into the "ZONES" registry keys for "Domains," "Ranges" and "Protocol Defaults settings since these are often populated with redirects to bad places or worse.

    This caused my system to FRITZ!!

    SS&D started showing multiple CWS entries on the scanner.
    Never happened before.

    I had to re-enable Spyware blaster
    Hosts file in IE restricted zones from IE-Spyad had to be re-installed
    SS&D protection removed and had to re-immunize
    MVPS host file had to be reinstalled

    and possibly worst of all I reflexively disallowed a TeaTimer pop-up:
    Allowed value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!

    I am now sure that this was likely a "good" thing which I have deleted, but can't remember what it was!

    I've reset and rebooted and rescanned: all seems ok.
    The Start-up list in SS&D doesn't show any recent changes of note.

    BUT:

    SS&D now is stuck in full screen mode.
    The scanner does not start with "registry integrity checking", rather "unknown"

    I am sure that BOC is good software and a useful tool, but I really don't want to do all that again.
    I've never to my knowledge had a trojan before and BOC has not sounded off yet. I was just trying to be careful.

    Any idea how to avoid this in future?
    What start-up have I changed?
    Why is SS&D playing funny?
    Anybody else have this problem?
    I want to keep BOC and SS&D; is this possible?

    Thanks


    I hope the problem is apparent!!

    Reinstall of SS&D and BOC and hosts files etc etc etc fixed the problem.

    I guess the question now is will this happen again if I get hit by a trojan.
    Can I run BOC with that particular function turned off or is it pointless?

    BOC certainly does what it claims!!

    Regards.
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Re: Another BO Clean query

    Longboard,

    Since I don't use any of the other products mentioned (Spybot S&D host file/TeaTimer, IE Spyads file for IE, SpywareBlaster, Spyware Guard) it's difficult to comment.

    The actions with the HOSTS file are as described in the BOClean online documentation.

    Obviously, if some of these actions present a secondary conflict with other applications that you are running, the simple measure is to disable this feature within BOClean. This is useful for cleaning up some of the aftermath of an infection. Assuming BOClean has handled the malware appropriately prior to infection, this step really shouldn't be needed, but I do appreciate the conservative approach taken by PSC in configuring BOClean in this manner.

    Blue
     
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Re: Another BO Clean query

    @Blue Z

    Thank you.

    Stephen.
     
  4. controler

    controler Guest

    Re: Another BO Clean query

    Hi

    Here is a good example of a go-back type program doing good. Sure, you can have BC running and catch the nasty real time but at least when you are running a deepfreeze type program, your reboot will bring your hosts file back again ;) Since all rootkits create some startup point, that will be gone also.


    controler
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Re: Another BO Clean query

    I don't understand the problem. I ran GRC's Leak test repeatedly and all that happened was I saw, if I didn't blink, something...so fast...I have no idea if it was warning or what. :) But I didn't have Spyware Blaster stop working or anything happen other than the window that flashed in an eyeblink when I ran the test. I ran Spybot after the test and it found nothing as usual. So, I was supposed to have my computer go crazy and all sorts of applications not work after I ran this test? o_O??
     
  6. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Re: Another BO Clean query

    Wow ... SORRY to hear that! :(

    I find it remarkable that programmes are so unsophisticated that they depend on HOSTS files for their functionality. For many computer configurations, HOSTS files aren't read at all by the operating system unless certain configuration parameters are met, and HOSTS files are readily defeated by malware simply pointing to a HARD IP address. So I'll simply say that the days of "security by HOSTS file" ended several years ago even if it still works on SOME setups. Bad idea.

    With respect to the zones, that's a bit trickier. The problem for us when we did this in 4.12 was that about 75% of all "spyware" will add dozens of hard-IP entries as "secure" to those listings, will alter or weaken others and because they install hard IP's and various wildcards, it's nearly impossible to remove ONLY those suspicious listings. When a trojan is detected, the only pro-active course of remedy is to just remove them ALL and reset all of the zones, security settings and other things (like firewall settings) back to the windows defaults ala SP2. We determined that to be the safest course of action without causing BOClean to become as bloated as many antiviruses of late. That's the reason why we recommend in our documentation that folks back up any custom settings that they insist upon even if WE think diddling those things and using a HOSTS file is a really bad idea, and any PROFESSIONAL vendor which relies on those methods ... well ... I'd better not go there. It'd be "unprofessional" for ME to say that. :(

    When we came about doing this (remember, the only reason why BOClean is so free once you bought in, even in 1997 is that we have to answer to large industrial/institutional/government customers who pay our insane costs for the individual users) we were requested NOT to do that. Seeing no alternative, we were able to satisfy our "big customers" by making that a configuration option entitled "internet connectivity" ... if that box is NOT checked, then all the zones, settings, hosts file as well as winsock REPAIR will be turned completely off if you're willing to depend on your other favorite vendors.

    When "internet connectivity" repair is ENABLED in BOClean, then we will restore everything to a "known state" which is equivalent to reinstalling Windows without you suffering the loss of all your data or the ability to connect. We considered that a necessary benchmark (evil?) in the original design. Most folks wouldn't know how to run "LSPFix" properly anyway. But that's why we did that, as well as made it an option NOT to do that. My apologies for the "unexpected result" there - there's actually no assured means of picking and choosing what might or might not have been tampered with and that's the reason why we did what we did.

    But untick that if you must, that'll prevent a recurrence. We still STRONGLY recommend not doing so. If you believe in "hosts" ... back it up and if you collect a nasty, once BOClean's whistling green flashes once again, you can always copy your backup back to the original location and get on with it. :)
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Wow!

    Thanks for the detailed reply.
    Very nice of you to make such an effort to bring me up to date.
    Reflects your commitment:)

    With the greatest of respect...
    Are you suggesting I can dump "host file" level of protection with BOC?
    i.e.:
    IE-SpyAd
    MVPS Hosts
    Spyware blaster
    Spyware Guard

    How will BOC play with HIPS/IDS apps such as OnLine Armour, App Defend, PGuard?

    Just off to dl BOC4.2

    Regards.
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    On a quick and casual challenge test (1-a few days of use), I didn't notice any unfortunate conflicts.

    Blue
     
  9. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York

    Ah well ... before I mosey off home, I'll hit it. :)

    I've never heard a good word about "Spyware Guard" but we've been *SO* busy here lately, I really have NO idea as to what any potential "competitors" have been up to in a while. I'll admit that I'm often amused by emails saying "Why did BOClean nail this trojan, its files and its startups" and yet when I ran ... SpySheriff, whatever, it says it found MORE of it?

    Simple answer? Lots of nasties add qwap to the registry. All *WE* worry about is losing the running or not nasty, and from its memory image we can trace back only so far - usually to its startup and whatever its "dropper" is. But beyond that, we don't bother because so many "cookies" and "registry entries" that don't have anything to RUN anymore are just garbage remaining and pose NO threat ...

    Now if folks want BOClean to get more bloated with database entries that remove garbage, then we can definitely blow ourselves up to "Ewido or Norton size" if that's what folks want. But we're already embarrassed at the CPU time we need on today's uberfast machines just to go through all sorts of new possible startups and tracking so many other "maybe" items, that it just scares me off wanting to make BOClean do any more than necessary to stop it, NOW ... NOT when you scan, but NOW.

    And my OWN motivation is the more B.S. we have to look at, the longer it will take while the system is busy to intercept a new nasty. I worry about response time as our database continues to grow at exponential levels. EVERY CPU cycle is precious, and taking out the garbage which is NOT a threat? Maybe down the road, we'll claim credit for discovering acne ... but for now, we deal ONLY with "real" threats, not the corpses. :)
     
  10. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Whoops! Didn't answer your OTHER questions ... *If* HOSTS files work on your box (I'll bet you've checked, confirmed and it DOES) ... then by all MEANS, continue to use it! After all, not getting infected in the FIRST place wastes a whole lot LESS time than cleaning it out. Heh.

    All ya gotta do then is make a backup of your "perfected" ... have it ready at any time it needs to go back. On MOST systems, that HOSTS file is read ONLY when the system is booted. Once it's up, it never gets read again. So if BOClean nails a nasty and DOES the winsock repairs (you CAN turn it off successfully once everyone has the 4.20.002 build later today) then just copy it back and give it a boot.

    But yeah, the more chances you have to win, the better your chances of "a dollar and a dream" ... and as far as tinfoil helmets go, HOSTS is better than some of the other popular (ahem, kaff!) "solutions." I have a few places in my OWN HOSTS file ... my point being that HOSTS files didn't work under MOST versions of Windows unless "DNS resolve" was enabled and something ELSE got it read too, but can't remember what it was ... for MOST people however, write all you WANT to the HOSTS file, Windows will NEVER read it. :(

    And as far as "playing nice in the sandbox with the other kids," that was the PRIMARY reason for 4.20 ... got TIRED of hearing from folks who've been using 4.12 for nearly a year whining in MY face about "I have PG and NOD32 and your spikes are making me bleed" ... or "BoneAlarm says you're a keylogger, remove me from your mailing list" ... or KIS2006 says that we're a virus and all the OTHER "ROOTKIT" whoopsies.

    Just got tired of being blamed for everything from sunspots to acne. :)

    But yeah, we play nice ... wish EVERYBODY ELSE had programmers who knew what they were doing, and could not only WRITE their own, but also FIX their own. Alas, we've got "script kiddy l33t h4xx0rs" writing security qwap. :)
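    The backup-and-restore routine recommended in posts 6 and 10 above, as an added example that is neither code from this thread nor part of BOClean: it saves the HOSTS file and the IE ZoneMap keys (Domains, Ranges, ProtocolDefaults) that the "winsock connectivity" cleanup wipes, and restores them only after checking what is actually missing or changed. It assumes Windows PowerShell 5.1 in an elevated prompt and uses a hypothetical backup folder under the user profile; the registry path is the standard Internet Settings ZoneMap location.

```powershell
# Added example, not code from the thread or from BOClean: save the HOSTS file and the
# IE ZoneMap keys (Domains, Ranges, ProtocolDefaults) that a winsock cleanup wipes, and
# put them back afterwards. Assumes Windows PowerShell 5.1 and an elevated prompt, and
# uses a hypothetical backup folder under the user's profile.
$Hosts      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$ZoneMapReg = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneMapPs  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$Backup     = Join-Path $env:USERPROFILE 'hosts-zones-backup'   # hypothetical location

function Backup-HostsAndZones {
    New-Item -ItemType Directory -Force -Path $Backup | Out-Null
    Copy-Item -Path $Hosts -Destination (Join-Path $Backup 'hosts.bak') -Force
    # A hash lets the restore tell "untouched" from "deleted or rewritten" later on
    (Get-FileHash -Algorithm SHA256 -Path $Hosts).Hash |
        Set-Content -Path (Join-Path $Backup 'hosts.sha256')
    # reg.exe export captures the Domains, Ranges and ProtocolDefaults subkeys in one .reg file
    & reg.exe export $ZoneMapReg (Join-Path $Backup 'zonemap.reg') /y | Out-Null
}

function Restore-HostsAndZones {
    $saved = (Get-Content -Path (Join-Path $Backup 'hosts.sha256')).Trim()
    if (-not (Test-Path -Path $Hosts)) {
        # The "file not found" case the BOClean documentation warns about
        Write-Warning 'hosts file is missing; restoring the backup copy'
        Copy-Item -Path (Join-Path $Backup 'hosts.bak') -Destination $Hosts -Force
    } elseif ((Get-FileHash -Algorithm SHA256 -Path $Hosts).Hash -ne $saved) {
        # Do not overwrite blindly: show the differences so redirects added by an
        # infection (or entries the cleanup removed on purpose) get reviewed first
        Write-Warning 'hosts file differs from the backup; review before overwriting'
        Compare-Object -ReferenceObject (Get-Content (Join-Path $Backup 'hosts.bak')) `
                       -DifferenceObject (Get-Content $Hosts)
    } else {
        Write-Host 'hosts file unchanged'
    }
    if (-not (Test-Path -Path (Join-Path $ZoneMapPs 'Domains'))) {
        Write-Warning 'ZoneMap\Domains key is gone; re-importing saved zone entries'
        & reg.exe import (Join-Path $Backup 'zonemap.reg') | Out-Null
    }
    # Flush the resolver cache so the restored hosts entries are picked up without a reboot
    & ipconfig.exe /flushdns | Out-Null
}
```

    Run `Backup-HostsAndZones` once the HOSTS file and zone settings are the way you want them, and `Restore-HostsAndZones` after a detection has triggered the cleanup.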
     
  11. controler

    controler Guest

    Oh now Kevin you know dat was not me complaining about CPU spikes. I never did. Maybe this goes to democrats LOL
    Far left opppsss
    I for one like your approach to the hosts file. Nuke the Dam ting.
    It does sound like you don't like bloat either.

    I am however surprised at your comments on Javacool. I feel he also has a good handle on Windows.

    I do think he provided a void where no one else had gone for the simple home user.

    controler
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia