BoClean and TDS-3?

Discussion in 'Trojan Defence Suite' started by Kegel, Oct 29, 2003.

Thread Status:
Not open for further replies.
  1. Kegel

    Kegel Registered Member

    Joined:
    Oct 28, 2003
    Posts:
    159
    I have been a long time user of BoClean and have recently been reading a lot about TDS-3. I read so many good things about it, I purchased it last night. My question is: Is there ANY reason or advantage to run both TDS-3 and BoClean? I am not running TDS-3 all the time, just as an on-demand scanner. BoClean runs all the time as it uses much fewer resources. I guess my question is should I just ditch one or the other? Seems like it might be overkill.

    My Security Software:

    BoClean (resident)
    TDS-3

    AdAware Professional
    AdWatch (resident)

    PGP 8 (resident)
    McAfee Virus (resident)
    Anonymizer Total Net Shield (resident)
    ZoneALarm Pro (resident)
    Spybot Search & Destroy
    HiJack This!
    Evidence Eliminator (great program no matter what you think of their ad campaign)


    Bases covered?
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi
    one thing that you benefit from having boclean on is the real time memory scanning of it.. a feature which tds doesn't have. sure it scans memory mutexes when executed, but boclean's memory scanning is constant.
    and your boclean benefits from tds, because it doesn't have a filescanner..

    so basically this is a nice setup, although a bit overkill IMO..

    it is possible to get a trojan past a filescanner (which tds's execution protection basically is), but when it's executed, the memory scanning of boclean will nail it (if it's a known trojan)..

    wait till you see the next versions of both tds and boclean, when they're out there will be no need to use both.. then tds will have better resident protection (not bad now..) and boclean will have a filescanner...

    in addition to your at proggies your mcafee virus scan is one of the best av's in trojan detection (top 3 IMO). your trojan protection is awesome... while no software is 100% protection or fool proof it would take a hacker a considerable amount of work to get a trojan past your pc walls...

    if i were to add something to your setup, it would be javacool's spyware blaster.. that would complement the adwatch component of your adaware..
    spywareblaster is a utility that sets kill bits for known spyware in your registry, preventing spyware from ever installing.. http://www.javacoolsoftware.com/spywareblaster.htm
     
  3. Kegel

    Kegel Registered Member

    Joined:
    Oct 28, 2003
    Posts:
    159
    Is that feature of SpywareBlaster you mentioned similar to the immunize function of Spybot Search and Destroy? I already have that.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Kegel,

    Yes. It is similar, but SpywareBlaster's database is a lot bigger.

    Regards,

    Pieter
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    here you can see what spybot's author PepiMK thinks of spywareblaster...from the immunize page of spybot s&d
    edit: see where the line makes a strange curve? my cat wanted to sit on the laptop i'm using....
     
  6. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Yes I agree with Pieter Arntz in having Spyware Blaster in addition to Spybot. I also have Spyware Guard which guards and protects your browser and settings. The three together, Spybot, Spyware Guard and Spyware Blaster, I call the Three Musketeers of Spyware Prevention and Elimination.
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I'd say that if you were only going to keep one anti-trojan product, it should be BOClean, hands down. I'll tell you why: If you should ever fall victim to one of the many buffer overrun vulnerabilities that occur in Windows and the applications that run on it, TDS will not help you until it's probably too late. Buffer overrun vulnerabilities let code execute without it ever being accessible to file scanners.
     
  8. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Yes I am leaning toward getting BOClean 4xx and the hell with 5.0. Also will probably get IEClean. After reading all the replies on GRC.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Nameless, will BOClean prevent buffer overruns?
    Thought that was a part of windows protection updates to avoid that as much as possible and ALL software has to deal with it?

    If they would be part of trojans, it's the TDS exec protection stopping any trojan before it can even execute, in the current TDS-3 already.

    I think you come to other conclusions when you see the TDS-4 Active Guard and the other TDS-4 elements.
    The largest trojan databases already and other nasties detection.
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    A buffer overrun/underrun will not usually insert a complete program. If an exploit like this is found, what usually happens is they get their overrun code to download/run another program which in turn does what they need.

    In this likely case, TDS's execution protection will scan the file the overrun tries to run/download and hence no infection will occur. TDS also has an "on demand" memory scan (roughly the same thing BOCLEAN does) just it isn't running all the time, only when you scan.

    TDS's execution protection (which is automatic) also SCANS files before they are executed which means if TDS detects it is malicious it won't run the file, whereas with BOCLEAN the malicious code is actually running before it kills it.

    By the way there haven't been any successful "anti buffer overrun" programs, that is programs which protect from buffer overruns. So all anti-trojan/anti-virus software is susceptible to these style of attacks. These attacks however can only exist in software which has flaws in it. No DiamondCS software has had a buffer overrun/underrun vulnerability ever.

    When a buffer overrun exists in a popular program like Outlook, IE, or Windows, that just means there is a possibility that a malicious program/user could inject code into that particular process and get it to run. So everyone who runs software that has buffer overrun vulnerabilities in it is susceptible to these attacks. The only solution thus far is to not run software which has these vulnerabilities and make sure to update your operating system if one is found in it. TDS, BOCLEAN or any other anti trojan program isn't going to protect you any more or less in regards to buffer overruns.

    -Jason-
     
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Of course BOClean can't prevent buffer overruns. The problem isn't restricted to Windows itself; it can happen (and has happened) with third-party applications as well. And some Windows and Insecure Explorer holes remain unpatched. Even when they are patched, the problem is often only partially solved (because Microsoft doesn't appear to care). Patching is not a panacea; I think we all know that.

    Not if they aren't saved and run on disk.

    Where can I download TDS-4? Oh that's right, I can't.
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    If malicious code is injected into process memory, why wouldn't a utility that could scan the memory of that process be able to catch it, assuming the malcode was known? Unless the Kaspersky and PSC folks are lying, or I misunderstood, this is what the "Scan memory" setting in KAV is for, and what BOClean is all about.
     
  13. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    TDS4 is the single biggest anti-trojan project ever undertaken, even other anti-trojan developers wouldn't dispute that, and it's the culmination of over half a decade of anti-trojan research/development by no less than 4 people (myself, Jason, Gavin, Rod), as well as countless contributors. It can't be produced overnight, and to make it as strong as we planned we've had to do a lot of unique research and development in areas that most coders rarely dabble in - there's no documentation for any of this so we're very much programming in the dark to make these things possible. To see some of the work that is a direct result of TDS4 research/development feel free to take a look at these programs:
    http://www.diamondcs.com.au/portexplorer/
    http://www.diamondcs.com.au/openports/
    http://www.diamondcs.com.au/processguard/
    http://www.diamondcs.com.au/index.php?page=apt
    http://www.diamondcs.com.au/index.php?page=dellater
    http://www.diamondcs.com.au/index.php?page=apm
    http://www.diamondcs.com.au/index.php?page=asviewer

    No, but you can download TDS3 as well as all of the above utilities, each of which has 'donated' technology to TDS4. Then consider how many programs and unique technologies other anti-trojan companies have released over the last couple of years, and I think you'll be able to understand why it takes so long to develop a program like TDS4 (which will actually be three programs).

    It seems you've misunderstood, as the good folks at Kaspersky and PSC wouldn't lie about such a thing. There is a big difference between memory scanning and buffer overflow detection/protection, which is where you seem to be getting confused about this. TDS3 has memory scanning capabilities, more than any other anti-trojan (including process memory, resident mutexes, window/memory objects, etc etc), but these are currently on-demand features. TDS4's Guard will use these capabilities proactively.

    Hope that makes sense. If you're still not sure, I know Kevin from NSClean would happily clarify BOClean's memory scanning for you or any other questions you have about his program, but, this is the TDS forum, not the BOClean forum, thanks.

    Best regards,
    Wayne

    PS. IF a program ever did have such buffer protection capabilities, you can be assured it would be driver-based, which very few programs are :)
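    The on-demand "scan memory" idea discussed above (nameless's question and Wayne's answer), as an added illustration that is not code from BOClean, TDS, KAV or DiamondCS: walk a live process's address space and search every readable region for known byte patterns. It assumes Linux, where /proc/<pid>/maps and /proc/<pid>/mem expose the address space (the Windows tools in the thread do the same via ReadProcessMemory); the signature is a constructed sample value, not a real trojan signature.

```python
"""Minimal on-demand process-memory signature scanner (added illustration).

Assumes Linux /proc; reading another pid's memory needs ptrace permission,
so the self-test scans the current process.  Signatures are constructed
sample bytes, not real malware patterns.
"""
import os

CHUNK = 1 << 20  # read each region 1 MiB at a time to bound memory use


def readable_regions(pid):
    """Yield (start, end, path) for every mapping of pid that is readable."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split(None, 5)
            addr, perms = fields[0], fields[1]
            if "r" not in perms:
                continue  # guard pages and PROT_NONE reservations hold no code
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end, (fields[5].strip() if len(fields) > 5 else "")


def scan_region(mem, start, end, signatures):
    """Search one region for each signature; return [(name, address), ...]."""
    hits = []
    overlap = max((len(s) for s in signatures.values()), default=1) - 1
    tail, pos = b"", start  # tail carries bytes so a match may straddle chunks
    while pos < end:
        try:
            mem.seek(pos)
            data = mem.read(min(CHUNK, end - pos))
        except (OSError, OverflowError, ValueError):
            return hits  # e.g. [vvar]/[vsyscall]: kernel refuses the read
        if not data:
            break
        window, base = tail + data, pos - len(tail)
        for name, sig in signatures.items():
            idx = window.find(sig)
            while idx != -1:
                if idx + len(sig) > len(tail):  # not already seen in last chunk
                    hits.append((name, base + idx))
                idx = window.find(sig, idx + 1)
        tail = window[-overlap:] if overlap else b""
        pos += len(data)
    return hits


def scan_process(pid, signatures):
    """Scan all readable memory of pid; return sorted unique (name, address)."""
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, _path in readable_regions(pid):
            hits.extend(scan_region(mem, start, end, signatures))
    return sorted(set(hits))


SAMPLE_SIGNATURES = {"demo-marker": b"MEMSCAN-DEMO-MARKER-7c2e"}  # constructed


def self_test():
    """Plant the marker in our own heap; return addresses where it was seen."""
    planted = bytearray(b"<<" + SAMPLE_SIGNATURES["demo-marker"] + b">>")
    hits = scan_process(os.getpid(), SAMPLE_SIGNATURES)
    del planted
    return [addr for name, addr in hits if name == "demo-marker"]


if __name__ == "__main__":
    print("marker seen at:", [hex(a) for a in self_test()])
```

    The scan is what the thread calls "on-demand": it sees injected code only at the moment it runs, which is why a resident scanner repeats it continuously rather than once.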
     
  14. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    It would take a 3.0GHz machine roughly 30 seconds to scan all the virtual memory on a machine with around 50 processes and compare it to something else while it is doing this. And then you have to decide what is an overrun and what is normal "writing" behaviour. So unless you have some actual "proof of concept" that I have not heard of, it isn't feasible to detect these exploits currently.

    Luckily though there is a fix in sight. Microsoft in its upcoming Service Pack 2, along with new CPUs from AMD and INTEL, will be able to stop the majority of buffer overruns from occurring.

    On an x86 CPU currently there is no difference between memory which is marked as READ or EXECUTE. Any memory marked as read can be executed, and vice versa. This is why these exploits exist. Memory which is MARKED as read and write only (not execute) is overwritten by an exploit in buggy code, then because this code is marked as READ (and hence on our CPU's it can also be executed without causing a problem) the CPU then executes this foreign code.

    Windows XP SP2 and a new CPU will stop 99.9% of buffer overflows and exploits from occurring, so it may be a worthy addition finally. :) Basically the only way you could get a buffer overflow to occur in this situation would be to have memory marked as execute on purpose. Since nearly all the arrays, strings, etc, you use as a programmer are only marked as READ and WRITE, not EXECUTE, then this will stop nearly every program, even poorly coded ones, from being exploited. They won't need to be recoded either, they will be fixed by default. Microsoft are putting more buffer overrun protection into their compilers to warn programmers when they occur, so these two things combined will only enhance the security of software in the future.

    I hope this has been worthy to your knowledge nameless. :)


    By the way, there is a difference between injecting by buffer overrun, injecting a DLL, and writing to the process memory of a process through an API call. They each have the same goal, to modify the target process, but each is different, with some not too hard to detect and others impossible.


    -Jason-
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Everyone missed the most important point :D

    If you install Process Guard on a known clean system and configure it correctly, you get rid of the biggest danger - NT rootkits and forced code injection. NT hiding is the buzz in trojan writing circles and there are lots of "rootkits" both released and on the way. We thought it responsible to give the user a real solution.

    Let's put it this way. Process Guard removes the powers of rootkit trojans and DLL injectors at the source. Beast was one of the well-known popular ones; can't even run it on a protected system.

    But what about the beta of trojans like "Sinique"? Those beta testing these tools are using them on someone, aren't they? Totally undetected. Once something is properly hidden by these trojans you won't find them for years.

    Power to the user, Process Guard is the single most important Win2K/XP/2003 security tool for the average user - don't forget it installs, then works silently using basically NO resources. Measuring resource usage is hard too :)
     
  16. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Thanks. By the way, I'm your customer, not your enemy. I bought licenses for WormGuard and TDS-3 eons ago.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As noted :)
    An enemy never would have got so much thorough information I guess, imagine how much time the DCS team has given to explain it for all of us. All education we pick up in our life experience for our computers.
    Another reason why we all love DCS so much, with the products, support, education, family, forums, security, and fun!
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    nameless,
    And we look forward to offering you free upgrades to both TDS4 and Wormguard4 :). Anyway I hope you have a clearer understanding of buffer exploits and memory scanning, if you still have any questions don't hesitate to ask.

    Cheers,
    Wayne
     
  19. srfox

    srfox Registered Member

    Joined:
    Jul 25, 2003
    Posts:
    86
    Location:
    Los Angeles
    Well, I haven't decided between BOClean and TDS yet. The trial run I gave TDS was certainly good. And if I understand right TDS-4 will have memory resident detection that can be turned on?
    I plan on installing process guard soon and trialing WormGuard, I already downloaded it. In the meantime I have System safety monitor which has saved my bacon a number of times.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS-4 Active Guard you mean yes, which includes also the current exec protection besides that, so malicious code if it were there anyhow can't execute at all.
    In TDS-3 at the moment we have the memory scans etc. with a press of the button, or maybe somebody created a script with a timer to do it automatically more frequently.

    Expecting to be able to try the AG out soon now.
    Happy trialing the wonderful tools. It's a great combination!
     
  21. ArchAngel_8

    ArchAngel_8 Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    89
    Location:
    US
    Hello all.... I just purchased the "Action Pack" as well as Process Guard from DiamondCS yesterday. I guess I have to wait until Monday to have my order processed? Anyway.. I just wanted to know if when TDS-4 is finished, will it have a "Resident" and "On Demand" scanner? I know you all explain this to members of the forums a million times but I guess after reading so many threads I am still a little confused :rolleyes:..Sorry! And in regards to this thread... I have ZAP, NOD32, Adware 6, XCleaner, and soon :D TDS 3, Worm Guard3, and the other cool programs included with the "Action Pack", and Process Guard. I thought I would be Ok..with those programs.. but the Member who started this thread seems to have 3X the protection? o_O
     
  22. ArchAngel_8

    ArchAngel_8 Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    89
    Location:
    US
    :rolleyes: :rolleyes: oh.. and I forgot to mention I use Firebird and Thunderbird instead of IE and Outlook.... :D.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi ArchAngel_8,
    at the moment the resident part in TDS is the exec protection, scanning each executable before it is allowed to run, and the various on demand scanners.
    We don't know the design of the various TDS-4 components, but there will be an Active Guard as a resident scanner/protection, the Ppro and another Scanner. With those three you are complete in detection and protection for that part, in trojans, keyloggers, etc etc, WormGuard for the worms, scripts, PE for all connections, put with it the Process Guard you already did for protecting all programs on your system, and don't forget the CryptoSuite to protect the data and communicate in the safest way on internet.
     
  24. ArchAngel_8

    ArchAngel_8 Registered Member

    Joined:
    Dec 25, 2003
    Posts:
    89
    Location:
    US
    Hi Jooske... Thanks for the info... I am really new to AT, AW, and programs like Process Guard. I only recently got rid of a combined security solution (Norton Internet Security 2004) and have been setting up the "layered" security with dedicated programs for FW, AV, AT, etc. I am just amazed by how many people seem to run multiple programs as back-up ... I have seen threads where people have three or more adware/spyware programs, two AVs...etc :rolleyes: I was just wondering if one of each is sufficient? ;) Anyway Happy New Year to You and the other Members! :D
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, and a happy new year to you too!

    Each scanner has their own databases and ways of detection, so people probably want to make sure if the one misses something there is still another chance of a nastie to be caught, as long as the scanners are not keeping themselves busy scanning each other's databases.
    You might like to have a look at JavaCool's tools as well for browser protection and more.
    The good part of this forum is free tools are recommended where possible and where necessary shareware, but in all cases you know the programs are worth their money and really useful, and as well you are very close to support for them.
    Somehow many computers these days turn into systems with a growing amount of security programs as the current time urges us to install.
    And besides the installed scanners people go for online scans as second opinions etc.
    You don't have to run all scans each day again: some good resident protection and the one time using the one program and the other time another for your scans, about once a week a TDS full system Scan and if nothing strange happens you should be ok.
    You uninstalled the Norton 2004 total solution? Didn't you like it and feel better with the new programs?
     