Boclean Advantage

Discussion in 'other anti-trojan software' started by chaos16, Jun 5, 2005.

Thread Status:
Not open for further replies.
  1. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    4.12 is better/different in what way?
     
  3. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Database was encrypted per recommendations. More frequent updates (typically daily, often more). BOClean 4.12 is fully capable of handling spyware; as new RATs are few and far between these days, yesterday's "script kiddy" is getting paid for writing spyware now. The current crop of anti-spyware programs aren't capable of handling some of the most sophisticated stuff BOClean does, as evidenced by the number of HijackThis submissions here, there, and everywhere from people who are still infected after running the typical complement of AS software.
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes, they should be covered at that firewall layer, and Wilders is not a really good place to discuss in full either Erazer Lite V0.2 sinicizing version - fwb (penetrates firewall) or the Erazer Lite 0.1 :D yet if you do have copies you know how that Reviewer composed those graphics.

    And neither of those programs will go very far the way they are coded.

    Hope you and Forge get a chance to look at BOClean again... time to update some of the info you have there these days.
     
  5. -ntl-

    -ntl- Guest

    @Nancy

    "Everything you have said about BOClean is obsolete. You are discussing version 4.11, we released 4.12 back in January."

    This needs to be demonstrated. AFAIK PSC never released a proper change log re 4.12. In particular, PSC did not SPECIFICALLY say that any of our negative findings are obsolete due to changes. (Probably, PSC did not want to indirectly confirm any of our findings by making such a statement.)

    It seems to me that the following things have changed:

    1. Database is now encrypted.

    2. Text strings containing the name of the trojan are not used as signatures anymore.

    3. Increased use of resources (due to encryption of database).

    I believe that the following findings still apply:

    1. Still no working module memory scanner. No FULL memory scanning (i.e., code-injecting trojans like Flux cannot be detected whilst running in memory -- only the loader can be detected but not the trojan itself).

    2. Signatures are still based on text strings.

    3. Malware protected with the help of sophisticated protectors (/w memory encryption) like Obsidium can still bypass BOClean.

    For the following reasons I do not think that an update of the BOC report would be justified:

    1. It appears that there are no significant changes (except the encryption of the signature database).

    2. PSC would not accept our test results anyway.

    3. A report on the Ewido scanner would be more important. In particular, Ewido's claim relating to super strong signatures needs to be verified.

    4. Last but not least, the Scheinsicherheit Signature Quality Evaluation Series has not been finished yet.
     
  6. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    Well, depends on the definition of "infected" I guess. Are there any facts (other than the unspecified number of unspecified HijackThis submissions by users running unspecified AS software) which may prove your claim, especially in regard to "sophisticated stuff", the difference in handling compared to other AS solutions and how you came to the conclusion that this would not have happened with BOClean installed?

    Edit: Oh, infections discussed in topics you or Kevin jumped in to request a sample of certain files in question do not qualify as fact... ;)
     
  7. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    Who cares what PSC would accept, maybe potential paying customers would be interested....
     
  8. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Instead of a continuing argument that serves any point, I thought it would be worthwhile to ask you a question or two....

    Why haven't you ever reviewed ANTS or A2? Those products surely have been around longer than Ewido, and Trojanhunter, as ANTS dates back to 1999 (and your first published test that I'm aware of). Is there a connection or some other relationship that hasn't been made clear?

    This is from your website, it lists exactly what you reviewed....

    Why are your tests still focusing on RATs that haven't been seen in the wild for at least a year now? You criticize our Flux detections (which were out days, even weeks ahead of most and served the customer just as well as, and much sooner than, those which met your approval) yet you have nothing to say about the time lapse involved in attaining those detections. Why have you never considered response times for database inclusion a test parameter? Isn't it just as important to have a detection which serves its purpose in a timely manner? Isn't coverage for what's really out there *now*, the CWS-es and ISTs, more relevant than some RAT whose day is done, except in some lab somewhere? People want protection from what's really out there, IMHO.
     
  9. -ntl-

    -ntl- Guest

    @Nancy

    Your questions are valid (although they have been answered before).

    1. "Why haven't you ever reviewed ANTS or A2?"

    ANTS was already outdated when we started our reviews (no unpacking, no memory scanner). A2 was simply crap at the beginning (i.e., it was not worth being reviewed considering our limited resources). The same applied to early versions of Ewido.

    The improvements made in respect of Ewido 3.5 and the current version of A2 would justify a review. (A2: mainly because of the IDS. Ewido: because of the generic unpacking engine, the FULL memory scanner and the code-based signatures.)

    2. "Is there a connection or some other relationship that hasn't been made clear?"

    Yes there is. And it has been made clear (on the front page of our website and also in various threads in our forum). There is no business connection whatsoever but a private one. I have simply chatted too many times with Andreas Haak. Therefore, I consider myself potentially biased and I will not review A2 unless MANY people ask me to do so (taking into account my potential bias). So far, only a few people have asked me to review A2 and a few people have also asked me not to review it.

    Btw.: I have already mentioned in our forum that the results of internal tests (running A2's file scanner against our standard archive) were as bad as those of many AVs w/o unpacking engine. I think the only interesting feature about A2 is the new IDS (which detects almost any of our modified trojans and also a few completely harmless applications ...).

    3. "Why are your tests still focusing on RATs that haven't been seen in the wild for at least a year now?"

    Apart from the fact that we also test with new RATs, the purpose of our tests is NOT to determine whether a scanner has a comprehensive signature database or not. Therefore, it is irrelevant whether we test with Optix Lite 0.4 or the latest beta version of Erazer or some weird Chinese trojans.

    Our tests do not replace but complement ordinary tests with huge malware archives. The purpose of our tests is to check whether an AT or AV scanner is affected by the techniques which are employed "in the wild" in order to make malware undetected. I believe that, for instance, it is more important to detect a modified Beast server (scrambled with the help of an advanced protector) than to detect an unmodified version of the Anskaya.a downloader (for which BOClean has apparently no signature).

    4. "You criticize our Flux detections (which were out days, even weeks ahead of most and served the customer just as well as, and much sooner than, those which met your approval) yet you have nothing to say about the time lapse involved in attaining those detections."

    I certainly do not criticize you for detecting malware prior to your competitors. On the contrary, that is/would be very good. Moreover, I did not say that BOClean is a bad scanner because it has certain difficulties with Flux. I am not interested in the detection of a single trojan.

    Flux was just an example to show that many AT used simple process memory scanners and, possibly, also module memory scanners but did not scan the entire memory. The result of our Flux report was that several AT software developers improved their memory scanners whilst other developers were just complaining about us...

    Btw.: in my opinion a module memory scanner (which can detect crypted DLL trojans) is still more important than a comprehensive memory scanner (which can also detect malicious code being injected into the memory space of a trusted application). This is because a system firewall like PG can protect you from such code-injections (but not from static DLL injections).

    5. "Why have you never considered response times for database inclusion a test parameter? Isn't it just as important to have a detection which serves its purpose in a timely manner?"

    I think that response time can be an important criterion for selecting a scanner. In respect of replicating malware (e.g., worms) response time is very important. In particular, corporate users require fast response times. With respect to non-replicating malware (e.g., trojans) response time is less important. This opinion is apparently shared by DiamondCS (e.g., they did not consider it necessary to create a signature for the well-known CIA trojan during the Christmas holidays).

    We do not test the responsiveness of AV/AT developers because (i) such tests already exist for replicating ITW malware and there is not much to improve in this area of testing and (ii) our limited resources would merely allow us to perform spot checks (but not a long-term check over several months).

    6. "Isn't coverage for what's really out there *now*, the CWS-es and ISTs more relevant than some RAT who's day is done, except in some lab somewhere. People want protection from what's really out there, IMHO."

    I agree that it is important to detect malware which is used in the wild (regardless of whether it is mentioned in the ITW list or not). Our tests are focused on RATs which are used in the wild (i.e., modified RATs). Our tests are also not focused on spyware. This is bad. I agree. The only excuses I can offer:

    1. RATs are really dangerous. Frequently, spyware is just a nuisance.
    2. There are already fairly good tests for spyware detection.
    3. Our time resources are severely limited.

    (Btw.: you are free to provide us with as many spyware samples as you like. It would be no problem to include them into a special spyware section ...)

    Another important shortcoming of our tests is that we do not perform comprehensive tests in respect of scanners' capability to REMOVE malware. This is an important area (although not as important as the detection of malware) which should be addressed by someone. AFAIK the "big" testers like Marx or Clementi do not generally execute malware and, therefore, nobody really knows about the removal capabilities of many scanners. We have only performed a few spot checks so far.

    Last but not least, I would like to evaluate the quality of a developer's malware analysis. For this purpose, I am considering anonymously submitting trojanized software (which cannot be easily identified as malware) to several AV/AT developers in order to figure out whether they carefully analyse the samples they get. I feel that the results may be very interesting ...
     
  10. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    When? You say they are on your site, yet I do not see any references to this relationship anywhere. Cite a link within your English translation (as PROVIDED on your site) where this is even mentioned, much less specified within any and all analysis (as an admission of bias) of any and all other software reviews you publish. It is crucial that people judging software based on your word know that you have a personal relationship with an author in the business anytime and every time you evaluate any competitor. Any action below that bar is dishonest, regardless of professionalism in procedures or expertise. I am sure you would agree.
     
  11. -ntl-

    -ntl- Guest

    @Nancy

    1. Front page:

    http://scheinsicherheit.sc.funpic.de/introduction.htm

    "Our thanks fly to Dr. Seltsam (aka Andreas Haak) for his technical advice and support. Moreover, we would like to thank Suzanne Roman (Art for the web) for making freely available her background textures."

    2. Various forum threads:

    http://illusivesecurity.il.funpic.de/viewtopic.php?t=49
    http://illusivesecurity.il.funpic.de/viewtopic.php?t=50

    http://boardadmin.bo.funpic.de/viewtopic.php?t=28

    http://illusivesecurity.il.funpic.de/viewtopic.php?t=51 ( under IV. Affiliation of Scheinsicherheit with Emsisoft & others )

    There is also a very old thread @ dslreports where catseyesonyou "discovered" our affiliation to Andreas Haak. I can't find it anymore.

    3.
    I agree that people should know about this relationship. But I can't call it an affiliation if there is none. I have not chatted with Seltsam for several months ...

    Between other members of the Scheinsicherheit project and Andreas Haak there is no such relationship.

    Moreover, I would like to mention that most well-known testers (like Marx or Clementi) have very good relations/close contacts to one or more AV/AT companies. We are the exception because almost every AT/AV developer dislikes us.

    Contrary to certain amateur testers (not including Marx or Clementi) we avoid joining affiliate programmes which generate revenues. In addition, we do not generate money from adverts. In fact, we do not generate any money at all. And that's perfectly fine.
     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    What is a RAT?
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Remote Access Trojan.

    Blue
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Could you state your setup or would that be out of line? I'm interested to know what programs complement BOClean. Some have stated it does not play well with Process Guard.
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    See here for my current setup. For the time being I'm just doing a with/without comparison regarding Process Guard. To tell you the truth I don't see a significant impact regarding the BOClean/Process Guard issue. On the task manager I can see the impact, but the spiking with my setup was quite modest above that expected for BOClean's design and as an operational matter it never manifested itself in degraded system response or performance. There was apparently a noticeable impact for a few users - I'd hazard a guess that is due to contention involving multiple non-native kernel level processes (i.e. beyond just PG and BOClean in the major instances). As with any collection of realtime monitoring processes, it is in the details of how they interact which is the key and why actual trialing is important.

    As it is, the configuration I'm now running is clean, reasonably lean, and very stable. I'll probably stay with it a bit.

    Blue
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I resisted getting BOClean because of the PG issue for a long time, but it's really not a big deal at all.. it's still very much the lightest of all ATs that I have/have tried, I don't see -any- system slowdown. Just as with most of the things people talk about around here regarding AVs and ATs, things in print don't reflect real-world experience in a lot of cases. I wouldn't let the PG issue dissuade you from getting BOClean.
     
  17. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Good to hear this, thanks for sharing. I understand. I had problems occasionally with a program and for others theirs works perfectly. o_O Who knows.

    Glad to hear there are some who can run both PG and BOClean together without problems ;)
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am running KAV 5, Ewido/or BOClean, and ProcessGuard on an XP SP2, 512 RAM, 2.5 GHz system.

    With my setup, it is possible to run BOClean, but there are definitely times when the system "stutters" when BOClean leaps into action. I do not notice the same problem with Ewido. Since I feel that Ewido and BOClean provide comparable protection with my setup, I usually run Ewido and sometimes bring up BOClean to do a scan - usually taking it down sometime afterward. It is definitely possible to run ProcessGuard and BOClean concurrently with my setup, it is just an unnecessary annoyance for me since I do have the Ewido alternative available to me.

    Rich
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    -ntl-,
    could you please link to some of what you consider "fairly good tests for spyware detection"? Thanks,
    -hojtsy-
     
    Last edited: Jun 27, 2005
  20. controler

    controler Guest

    Hi richrf

    Why do you think there is any comparison between BOClean & Ewido?

    Just curious

    con
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    There is no comparison, it's just usermode ... software incompatibility and in some cases ..

    but nevertheless there is just no comparison or whatever .. two different products right from the install till the uninstall. the only thing is memory scanner but that again isn't the same with Ewido nor BOClean ..
     
  22. controler

    controler Guest

    The ONLY software incompatibility that I know of was between BOClean & PG
    & this was mentioned way before PG came out.

    It is & was a matter of the Ring 0 fight.
    It was stated by Kevin a long time ago.
    It is & was a matter of who do you want protecting your Ring 0?
    That is the simplest way I can explain it.

    So where do we go from here?

    con
     
  23. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    AFAIK, BOClean always stayed clear of ring 0, exactly to avoid any ring 0 fights.
    Do you happen to have a link for the statement of Kevin, please?
    -hojtsy-
     
  24. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    There are also some "incompatibilities" between the latest version of BOClean and some AntiVirus software/RTMs. This is seen with high CPU spikes.

    Kevin sent me a special build to counteract this.
     
  25. :-:-:

    :-:-: Guest
