Anti-trojan 5.5???

Discussion in 'other anti-trojan software' started by Q-ball, May 3, 2003.

Thread Status:
Not open for further replies.
  1. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Anyone heard of this program? I'm trying it out right now; my PestPatrol is coming up for renewal and I don't plan on renewing it. But I haven't heard anything about this one.

    I would like others here to try it out and let me know what they think.

    It comes with a 14-day trial but is fully operational.


    http://www.anti-trojan.net/
     
  2. Ph33r_

    Ph33r_ Guest

    Anti-Trojan Software is surely impressive; the thing grew in Definitions considerably for its Time of existence compared to “The Cleaner” and its existence well before, and already Anti-Trojan’s Definitions are well ahead, making “The Cleaner” Software eat dust…

    I must have a soft spot for “The Cleaner” because I installed Anti-Trojan and kept “The Cleaner” installed. I’m very pleased with Anti-Trojan's Features; I highly recommend giving it a try and seeing what conclusions you come up with. ;)
     
  3. Ph33r_

    Ph33r_ Guest

    And before others have a chance to Recommend, I also Recommend trying out TrojanHunter (I don't personally use it but I know it's quite popular).... :D
     
  4. controler

    controler Guest

    I must give this program two thumbs down :mad:

    I downloaded it, ran the full scan and it deleted a Lockdown file of mine without giving the option to delete it or not. Any program that installs by default to delete a file without your permission is BAD.

    The following trojan files have been found:

    Trojans found: SubSeven2.2
    Path: c:\Program Files\LockDown Millennium\ldmod32.dll

    Trojans found: SubSeven2.2
    Path: c:\System Volume Information\_restore{FE9C7AD2-91D5-4C9C-9C3A-1D5559EA1B8F}\RP228\A0088826.dll
     
  5. Ph33r_

    Ph33r_ Guest

    Hey controler

    Could you E-mail that file? Ph33r_@hotmail.com

    Thanks
     
  6. controler

    controler Guest

    The program not only deleted the file, but when I look in the backup folder all I see is a txt file, and here is what that says.

    The password for the backup zip files is infected
     
  7. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Anti-Trojan is not really a good program. It is not able to handle packed/crypted trojans. Which means that there is no unpacking engine or process memory scanning (at least it wasn't the last time I looked into AT).

    Also you can check on http://www.anti-trojan.net/de/download.aspx how often they update their software with new signatures. You really should compare their frequency against the AT programs that post update alerts in our Update forum.

    wizard
     
  8. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Nope, still no memory scanning. A worthless program in my opinion.
     
  9. Ph33r_

    Ph33r_ Guest

    I absolutely agree its Archive Scanning aka "Search in Archive files" Feature is totally false advertising in that product; however, I wouldn’t pass judgement just because it can’t handle Archived files too well. Not saying Archive Scanning isn’t important, but it's not entirely necessary; when I manually scan, I scan for Trojan “Infections”, and the last time I recalled, anything compressed up isn’t what we class as “Infections”…

    And as for the Signature Updating; I see how more-so frequently they release compared to other Anti-Trojan Cleaners and not to mention with great numbers of new definitions Added.

    And as for the process scanning what the heck you call “Anti-Trojan Watch”, that all goes to show one shouldn’t always believe what they hear…

    Regards,
     
  10. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    I'm not so sure Anti-Trojan Watch actually does scan memory instead of scanning the files of the running processes on the hard drive (like Live Process File Scan in TDS-3). I see no mention of memory scanning at the site of this program, so that's why I reached my conclusion. However, if you do know for certain that Anti-trojan does memory scanning, then please correct me. My memory isn't the best in the universe - actually, it's probably one of the worst in the universe. ;)
     
  11. Q-ball

    Q-ball Registered Member

    Joined:
    Apr 29, 2003
    Posts:
    60
    Well, the program works great, but I did have some concern myself about memory scanning.

    I'm running the trial of the program right now and I do have the AT Watch on.

    I thought that it was scanning your memory on all .exe files that are running right now??
     
  12. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Okay I made a quick investigation of AT-Watch with FileMon from Sysinternals. AT-Watch does not scan process memory. It just scans the files saved on disc and not in memory.

    Therefore I consider AT to be useless like most antivirus software against backdoor trojans because it has no unpacking engine and no memory scan. So how does it protect against packed/crypted trojans which are more than common these days?

    AT is IMHO just an old-fashioned anti-trojan program from when runtime packers were not used at all and the files remained "static".

    wizard
     
  13. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Thanks for clearing that up, Wizard. :)
     
  14. xor

    xor Guest

    For ATs, an unpack engine and/or memory scan is very important.
    An unpack engine makes sure that the file is not executed if it is packed and infected, and the memory scan can find/terminate trojans which are crypted/packed with an unknown or unsupported packer/crypter.

    You can do several useful tricks here to make this "most advanced"; for instance, you can make a kernel hook of the CreateProcess A/W and ShellExecute APIs, then store the PIDs and some other data of the process which is about to start. After admitting this process you can directly scan the new process with the PID you stored temporarily in a memory value. So you do not need to make timed "full memory browses" every x seconds. With this method you have a chance to kill most AV-terminating trojans, because they have a timer event (mostly timed to 5 or 10 sec) to check whether an AV is running. If you scan/terminate them directly after execution you have a pretty fair chance to kill them before they can harm you :D
    There are other methods to do this; with some tricks you can also "hold" a process until you admit that it can continue to run... :D

    Michael
     
  15. Ph33r_

    Ph33r_ Guest

    People definitely will go far out to trash something they have very little kn0wledge of….

    All I’m going to say on this matter is, Trojan Simulator….
    Anti-Trojan “AT-Watch” has the capabilities of detecting the very mil-sec upon Execution of this Trojan Simulator created by Magnus aka TrojanHunter Author…. http://www.misec.net/trojansimulator/
    http://www.misec.net/products/TrojanSimulator.zip

    Now I say this is pretty good considering other AT Systems cannot even detect within 2-5 seconds after Execution…

    And ones here should really Look up the meaning behind Process Scanning… ;)
     
  16. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Looks like the lack of kn0wledge is on your side this time. ;)

    Yes, but here is the deal with how this works: You start TrojanSimulator.exe. After 5 seconds (or less depending on the configuration) AT-Watch recognizes a new process and then Anti-Trojan scans the file on your hard drive which is related to the new process.

    I redid the test with the following simple example: I packed TrojanSimulator.exe with UPX. I also unpacked TServ.exe, which was already packed with UPX, and repacked it with a different compression option. I redid a file with Anti-Trojan and both files aren't detected anymore. Then I started TrojanSimulator.exe and nothing happened. If there was real process memory scanning involved it would have picked up TrojanSimulator, but it didn't. This means that there is no real process memory scan. Just a simple file scan.

    No, it's not. A normal antivirus program would have already prevented executing that file. The reason why we recommend Anti-Trojan software as well besides AV programs is that most AV products have the same weakness: they are not able to handle packed malware properly.

    Yes, I looked it up. Any more questions?

    wizard
     
  17. Ph33r_

    Ph33r_ Guest

    Wizard

    Apparently one here cannot comprehend what I had said and hadn’t said, and what I hadn’t said was to trash your Anti-Virus Systems because this Anti-Trojan 5.5x Software is coming through. What I was basically saying was this is a neat Anti-Trojan System compared to many OTHER Anti-Trojan Systems….

    Now why don’t you get your head out of the ground and stop trashing Software you have very little knowledge of, and recommend this guy an Anti-Trojan System you think is more suited than Anti-Trojan 5.5x for more efficient Jobs…

    Asking Questions? No, I didn’t ask any questions and I’m not about to…
     
  18. xor

    xor Guest

    LOL are you changing sides to the evil darks wizard eh ? :D :D :D

    right

    right too.
    For a working memory scan you need PLAIN UNPACKED SIGNS, otherwise the memory scan would be worthless. This means all backdoors/trojans must be added with unpacked signs too. This is because programs always run unpacked flat in memory. If you scan here with packed signs you will find nothing, because the program is unpacked in memory and no longer matches the packed signs / fingerprints or whatever.
    You can of course resolve the file and the path for a just-started file and scan this file directly after execution. But this does not mean it is a true memory scan - this is still a simple on-demand file scan when something is started.

    Trojan Hunter or TDS, for instance, both have a real memory scan besides a file scanner - BOClean only a memory scanner.

    So AntiTrojan is not really the best choice - even if they add many things with packed patterns. You can be lucky and get a trojan which is packed exactly the way they have it in the pattern, but I would not rely on that ;)

    yes. most of them ;)

    Michael
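
The difference that wizard's repacking test and xor's explanation above turn on, as an added example that is not part of the thread and not code from any product named in it: a scan of the bytes on disk only matches the exact packing the signature was taken from, while a scan of the unpacked in-memory image matches the plain signature regardless of packing. The single-byte XOR "crypter", the marker bytes and the signature names are constructed stand-ins (assumptions) for a runtime packer such as UPX and a real signature set.

```python
# Constructed sample data: MARKER stands in for a code sequence a signature would match.
MARKER = b"TROJSIM-DEMO-MARKER"
PLAIN_IMAGE = b"MZ" + b"\x90" * 32 + MARKER + b"\x00" * 32  # constructed "executable"

def xor(data, key):
    return bytes(b ^ key for b in data)

def pack(image, key):
    """Toy crypter: one key byte, then the XOR-encoded image. Key 0 means not packed."""
    return bytes([key]) + xor(image, key)

def load(file_bytes):
    """What the unpacking stub does at start-up: rebuild the plain image in memory."""
    return xor(file_bytes[1:], file_bytes[0])

SIGNATURES = {
    "Sim.plain": MARKER,                  # pattern taken from the unpacked sample
    "Sim.packed-5A": xor(MARKER, 0x5A),   # pattern taken from one packed sample
}

def scan(data):
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)

def file_scan(file_bytes):
    """Scan-on-execute without an unpacker: match against the bytes stored on disk."""
    return scan(file_bytes)

def memory_scan(file_bytes):
    """Process memory scan: match against the image after the stub has unpacked it."""
    return scan(load(file_bytes))

def compare():
    samples = {
        "original": pack(PLAIN_IMAGE, 0x00),
        "packed": pack(PLAIN_IMAGE, 0x5A),    # the packing the vendor took a pattern from
        "repacked": pack(PLAIN_IMAGE, 0xA7),  # same program, different packer option
    }
    return {name: (file_scan(f), memory_scan(f)) for name, f in samples.items()}

if __name__ == "__main__":
    for name, (on_disk, in_memory) in compare().items():
        print(f"{name:9} file scan: {on_disk or 'clean'}  memory scan: {in_memory or 'clean'}")
```

The "repacked" sample is the case from the test above: the file scan reports it clean, and only the scan of the unpacked image still matches.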
     
  19. xor

    xor Guest

    BTW if you don't believe what wizard says, download this small test set here and scan the files after installation (they are all harmless) with AntiTrojan :D

    http://www.gladiator-antivirus.com/downloads/gavtest-setup.exe

    This Setup File copies some versions of the Trojan Simulator and the GAV Test "Virus" into the install folder.

    Michael
     
  20. Ph33r_

    Ph33r_ Guest

    I’m not stupid; I know what WiZard and you say is true (or at least a large % of what WiZard says). I didn’t doubt it or say anything about it being not so; I just don’t share his opinion that it makes the product suck just because it lacks. I haven’t seen any Anti-Trojan System specifically that didn’t lack in some area…

    In any case, unless one of you can recommend an Anti-Trojan System that doesn’t lack in some area, I still highly recommend the user to test out Anti-Trojan v5.5x Software…

    And because I personally like this Anti-Trojan product I’ve E-mailed them this morning and am going to assist in repairing it all up… And unless they don’t choose to do anything about it then I’ll agree the product sucks, until I don’t agree… ;)
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    If more people did this type of thing, we'd all be running much better security software than we usually end up with. Thanks!!
     
  22. ATN

    ATN Guest


    Anti-Trojan only deletes files if you checked the option "Remove identified trojan files" at the search tab.

    You can additionally check the option "Make backups of removed files" at the options tab to get a zipped backup of each trojan file in the backup folder. The password for the zip files is "infected".

    ATN
     
  23. controler

    controler Guest

    Hi

    I didn't have the program set to delete files and did have it set to make a backup. I guess I misunderstood about the password?
    Where is the backup kept? It sure isn't in the backup folder.
    One thing I must mention: I ran the scan and left, to come back later and see the results. I am guessing the scanner finished and
    timed out on asking me if I wanted to delete or not?
    I DID recheck and I have not enabled deleting found files and I DO have make a backup enabled.
    I do like the port scan and process viewer :D
    Is there something else I am doing wrong? Is there another Forum on this AT?


    Thank You
     

  24. Ph33r_

    Ph33r_ Guest

    Hey controler

    I see "Make backups of removed files" Feature, not "Make backups of Detected files" Feature ;)… Upon Trojan delete it will place backups in the \Anti-Trojan-55\BackupFiles\ Location…
     
  25. ATN

    ATN Guest

    Anti-Trojan doesn't delete any files without asking. There is no prompt while scanning to select if the file should be removed or not.

    Can you reproduce this error?

    If the backup function is enabled, all found trojan files are zipped to the BackupFiles folder of the Anti-Trojan installation folder. The password for the zip files is "infected".

    Anti-Trojan Network has also a forum for support etc.:
    http://www.anti-trojan.net/en/forum.aspx


    ATN
     