BoClean and McAfee

Discussion in 'other anti-trojan software' started by JayTee, Jan 27, 2005.

Thread Status:
Not open for further replies.
  1. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Hi,

    Anyone has used BoClean with McAfee AV (the latest version) and not suffered any computer freezes as a result?

    I had a slight problem with Outpost and McAfee (which I have since resolved) when I tried to execute Outlook 2003 - McAfee has some hidden processes lurking in the background which was detected by Outpost and this froze Outlook 2003 and caused Outpost to crash. I have also read elsewhere that McAfee doesn't work well with Tiny 6.

    Thanks
     
  2. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    722
    Location:
    Cumbria, England
    Using McAfee and BOClean here with absolutely no problems.
     
  3. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    JayTee, is this the Home AV or the Enterprise Edition?

    If the Enterprise Edition, try disabling the Buffer Overflow Protection, which does not work well with some firewalls.
    Yes, but this does not help JayTee.
    If the Home edition, worth trying the McAfee Forums; http://forums.mcafeehelp.com/ or contact BOClean support who generally are very good; http://www.nsclean.com/supboc.html
     
  4. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
Thanks. My version of McAfee is the VirusScan Professional (for SOHO). I need something working upon installation and boot-up as it is not for me but my wife's partner in a remote location and I am unable to troubleshoot for her partner, if anything goes wrong, except to ask her partner to uninstall the software, which was what I did with Outpost and McAfee. Another option is ewido plus (which I have a subscription), but that is a resource hog, especially with McAfee. (Personally running AntiVir with ewido on my machine). Add in a firewall, Office2003 and iexplorer and I think the 256MB RAM will be used up pretty quickly. Yes, I know there is Virtual Memory but I'd like to try the extra-light option first.

    Cheers
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    McAfee by itself gives very good virus and trojan detection. Therefore, unless your wife's partner is a high-risk surfer, this AV by itself should be sufficient.

    If you definitely need extra trojan protection, save your dollars and use the free Ewido as a back-up on-demand scanner. This will also solve the greater resource hit by Ewido's running Guard.

    So instead of thinking of a commercial AT, use a free one and IMO another 256MB RAM would be a better purchase, particularly if the OS is WinXP ;)

    Overall, nothing against BOClean as I am a very satisfied user, but in your case there may be other options to consider.
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I agree with Blackcat. McAfee is a VERY good virus remover (slightly better than Kaspersky) and good trojan killer (but cannot come close to Kaspersky). BOClean will help in fortifying your defenses, but McAfee has caught every Trojan I've thrown at it till date, so I feel BOClean is unnecessary.
     
  7. ---

    --- Guest

    " and good trojan killer (but cannot come close to Kaspersky)."

    Trojans:

    PESpin11.CC.Bionet318.exe
    PESpin11.CC.OptixLite05.exe
    PESpin11.DC.Lithium103.exe
    PESpin11.med.CC.Beast192c2.exe
    PESpin11.weak.CC.Beast192c2.exe

    SVKP132.AnalFTP01.exe
    SVKP132.Bionet318.exe
    SVKP132.DC.Sparta11.exe
    SVKP132.Lithium103.exe
    SVKP132.Oblivion01.exe




    Kaspersky (current sigs): only 1 trojan detected ( SVKP132.Oblivion01.exe )

    McAfee VirusScan for Win32 v4.40.0
    Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
    (408) 988-3832 LICENSED COPY - Sep 23 2004

    Scan engine v4.4.00 for Win32.
    Virus data file v4421 created Jan 20 2005
    Scanning for 113669 viruses, trojans and variants.



    01/30/2005 19:31:15


    Options:
    TESTDIR\*.* /ALL /SECURE /L /PANALYZE /PROGRAM /REPORT Result.TXT

    Scanning D: [Data]
    Scanning D:\McAfeeEngine\TESTDIR\*.*
    D:\McAfeeEngine\TESTDIR\PESpin11.CC.Bionet318.exe ... Found the BackDoor-FK trojan !!!
    D:\McAfeeEngine\TESTDIR\PESpin11.CC.OptixLite05.exe ... Found the BackDoor-RS trojan !!!
    D:\McAfeeEngine\TESTDIR\PESpin11.DC.Lithium103.exe ... is OK.
    D:\McAfeeEngine\TESTDIR\PESpin11.med.CC.Beast192c2.exe ... Found the BackDoor-AMQ trojan !!!
    D:\McAfeeEngine\TESTDIR\PESpin11.weak.CC.Beast192c2.exe ... Found trojan or variant BackDoor-AMQ !!!
    D:\McAfeeEngine\TESTDIR\SVKP132.AnalFTP01.exe ... is OK.
    D:\McAfeeEngine\TESTDIR\SVKP132.Bionet318.exe ... Found trojan or variant BackDoor-FK.svr !!!
    D:\McAfeeEngine\TESTDIR\SVKP132.DC.Sparta11.exe ... Found trojan or variant BackDoor-AFC !!!
    D:\McAfeeEngine\TESTDIR\SVKP132.Lithium103.exe ... is OK.
    D:\McAfeeEngine\TESTDIR\SVKP132.Oblivion01.exe ... Found trojan or variant MultiDropper-BG !!!

    Summary report on D:\McAfeeEngine\TESTDIR\*.*
    File(s)
    Total files: ........... 10
    Clean: ................. 3
    Possibly Infected: ..... 7


    Time: 00:00.01


    See also: http://scheinsicherheit.mirrorz.com/example.htm
     
  8. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Thanks for the advice.

    cheers
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Oh yeah...Then search these forums for Firefighter's virus detection tests. You'll see that Kaspersky/eScan is way ahead of McAfee...The link you refer to shows how modifying an entry point can make a scanner NOT detect the malware...I guess it's that type of files you're referring to. Kaspersky always detects it anyway through signatures (if there is such a file that changes entry point). No really, every other AV test out there proves Kaspersky IS better at Trojans. No flames intended, but this is the truth. If you do not believe me you can ask firefighter, our resident AV expert tester. Besides, if KAV cannot unpack certain packers such as Armadillo (which it does now), eScan has a memory scanner, so I'm better protected.

    Regards,
    Firecat

    EDIT:- This post is for that guest.
     
  10. ---

    --- Guest

    @Firecat It does not matter who is right or wrong. But it is important to figure out the truth. So let's continue:

    "I guess its that type of files you're referring to."

    No. I do not. The files I referred to are ordinary trojans that are compressed with PESpin ( http://pespin.w.interia.pl/ ) and SVKP ( http://www.anticracking.sk/products_svkp.html ). Hackers know that Kaspersky does not support these and many other packers.

    "Kaspersky always detects it anyway through signatures (if there is such a file that changes entry point)."

    This does not make sense to me. KAV does NOT detect such files BECAUSE its signatures + scan engine is flawed.

    "Kaspersky IS better at Trojans. "

    You need to distinguish. Kaspersky detects more exotic zoo trojans because its signature database is more comprehensive than McAfee's database. However, Kaspersky fails to detect many well-known ITW trojans because it's so easy to bypass this scanner with the help of minor modifications, "unknown" packers etc.

    Please note: there is no black and white. Kaspersky is not better or worse. That's why it is important to know what you are talking about. (Btw.: McAfee is also not perfect but suffers from different weaknesses.)

    "if KAV cannot unpack certain packers such as Armadillo (which it does now)"

    Again. I believe that this is not correct. KAV's unpacking engine does NOT support recent builds of Armadillo. In fact, it merely supports completely outdated builds like Armadillo 2.01 - 2.20. In my opinion, it does not support 2.8+, 3.x, 4.x. If you do not agree you will probably be able to show me an Armadillo compressed sample that IS detected by KAV. This would be a small surprise because I can show you dozens of Armadillo compressed samples that are not detected by KAV.

    "eScan has a memory scanner"

    I disagree again. In my opinion, eScan uses a simple file scanner which is incorrectly labelled as a mem scanner. Only a few ATs like BOClean, Ewido, TDS-3 and TrojanHunter feature a sophisticated memory scanner.
     
  11. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Are the sample files (uncompressed) detected by KAV?

    If so, it seems like one can do the same with a packer that Mcafee does not support and one that KAV does. And the results would be reversed.

    Or are you saying that more packers are supported by Mcafee?

    Do you know if Mcafee supports later versions of Armadillo?
     
  12. ---

    --- Guest

    "Are the sample files (uncompressed) detected by KAV?"

    Yes.

    "If so, it seems like one can do the same with a packer that Mcafee does not support and one that KAV does. And the results would be reversed."

    It seems. But things are slightly more complicated. McAfee's score is not better because its unpacking engine supports PESpin or SVKP. By contrast, McAfee uses signatures from uncompressed sections of a file. Stupid trick ... but quite effective (unless you start to modify the resource section ...)

    "Or are you saying that more packers are supported by Mcafee?"

    Nope. KAV's unpacking engine is more comprehensive.

    "Do you know if Mcafee supports later versions of Armadillo?"

    Well ... it does not really "support" Armadillo. However, it detects many Armadillo-compressed samples because it uses signatures taken from the resource section. (At least that's what I believe.)
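The Guest's point above, that a signature taken from an uncompressed section survives packing while one inside the compressed code section is only found after unpacking, as an added Python illustration that is not part of this thread: zlib stands in for the packer, and the section layout, section names and signature strings are all constructed for the demo.

```python
import zlib

# Constructed toy signatures: one lives in the code section (hidden by the
# packer), the other in the resource section (left uncompressed by the packer).
CODE_SIG = b"BACKDOOR-CMD-LOOP"
RSRC_SIG = b"SERVER DIALOG v1.0"


def build_unpacked_sample() -> dict:
    """Constructed 'unpacked' sample: both strings are in the clear."""
    return {
        ".text": b"\x90" * 64 + CODE_SIG + b"\xc3" * 32,
        ".rsrc": b"\x00" * 8 + RSRC_SIG + b"\x00" * 8,
    }


def pack(sections: dict) -> dict:
    """Toy packer: compresses .text into a stub section, leaves .rsrc as-is
    (this is the behaviour the thread attributes to PESpin/SVKP)."""
    return {
        ".packed": zlib.compress(sections[".text"]),
        ".rsrc": sections[".rsrc"],
    }


def unpack(sections: dict) -> dict:
    """Emulated unpacker, i.e. what an engine does for a packer it supports."""
    out = dict(sections)
    if ".packed" in out:
        out[".text"] = zlib.decompress(out.pop(".packed"))
    return out


def scan(sections: dict, signatures) -> set:
    """Plain byte-signature scan over every section; returns the hits."""
    blob = b"".join(sections.values())
    return {sig for sig in signatures if sig in blob}


def detection_report(sample: dict) -> dict:
    """Raw-only scan (resource-section signatures still work) versus a scan
    that unpacks first (code-section signatures work again)."""
    sigs = [CODE_SIG, RSRC_SIG]
    return {"raw_only": scan(sample, sigs),
            "after_unpack": scan(unpack(sample), sigs)}


if __name__ == "__main__":
    print(detection_report(pack(build_unpacked_sample())))
```

A raw scan of the packed sample only hits the resource-section string, which is also why the Guest notes that editing the resource section defeats that trick; unpacking first restores the code-section hit as well.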
     
  13. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Ahh I see, thank you so much for the clarification :D
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    @the Guest (whoever you are),

    While reading your post I felt you were a bit heated up at me. I am so sorry if I did. We all make mistakes, and luckily we have people like you to correct us. However, I do have a few doubts which I hope you can clarify.

    First of all, in my eScan, my unpack.avc (I think) is divided into files like unp001,002 etc. and PESpin is included in the AVPDOS32 database through unp017.avc (unp most probably stands for unpack). Does this mean that eScan/KAV can now unpack PESpin?

    As I have McAfee on the other OS of my PC, I wouldn't speak bad of it. You mention that McAfee has different weaknesses. Could you point out a few of them? Because I'm going to replace the current McAfee, I wonder whether I should stick to McAfee or go to Panda.

    If the KAV engine is flawed, does it mean that I'm at risk and should shift to something like Panda or BitDefender as soon as possible? Or is eScan still good enough to give reliable protection? Also, I don't figure how KAV was even able to catch that one sample when it could not unpack SVKP?

    Thanks for the info about Armadillo, though. I do see that eScan's memory scan does scan everything running (files, DLLs, services, processes etc.) in memory, so isn't that all that's needed as a memory scanner?

    Please do clarify, and have a nice day! Why don't you join us?

    Regards,
    Firecat
     
  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    If McAfee runs well on your computer, with no slowdown or any incompatibilities, stay with McAfee. Overall, its engine is on par with KAV.
    Most AV's are not very good against modified malware, such as rebased trojans, tested over at Scheinsicherheit. Further, KAV does not presently support complex protectors such as Armadillo. But KAV is not unique amongst AV's in showing these 'vulnerabilities'. KAV and its clones have the best overall detection rate for any AV.

    So if Escan runs well on your system, its modified KAV engine will give you, IMO, very reliable protection.
     
  16. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    all you need to do to fool mcafee is hex some txt strings and change some icons with reshack, there is no need to repack, or seek for unknown packers


    or just file sigs from the compressed file, like kaspersky does for some a-dillo packed stuff
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Well, thanks for the info, blackcat and illukka.

    Do you have some idea about how good Panda and eTrust are (when it comes to detection, packers etc.)?

    It's just that I'd want the best defense around for me, and right now McAfee/eScan (through double OS) seems to be pretty good... I'm getting Panda Titanium at a very cheap rate and Platinum for about the same price as McAfee. What'd you say? Stick with McAfee or go to Panda? McAfee 7.0 is serving me very well right now.

    I like eTrust because I only have to pay 20-35% of the original price to get an upgrade...So please give me your opinions.

    Regards,
    Firecat
     
  18. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Firecat,

    You have answered your own question. If you are satisfied with your present AV, it does not affect the performance of your machine and it has given you good protection so far, stick with what you have.

    Version 7.0 would seem to be the best of the McAfee Home AV versions released of late, so if you are happy with this AV stay with this choice.

    The range of good Antivirus programs available now numbers about 20 programs or more. Once on these security forums, you read over the advantages/disadvantages of different AV's and that's when the dreaded disease takes over; you trial and purchase several different AV licenses and change your primary AV about every month. I know, because I have suffered from this same disease in the past!

    This disease is not treatable but the symptoms do improve with age!

    Since this thread is turning into an AV thread, maybe it is best to carry on over on the AV forum. But my views here are applicable to your new thread as well.
     
    Last edited: Feb 1, 2005
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nautilus/--- and illukka: thanks for your contributions. Always nice to see some valuable technical input - and yours is :cool:

    regards,

    paul
     