BOClean has a serious flaw?

Discussion in 'other anti-trojan software' started by aigle, Oct 9, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I used to be much impressed with BOClean until I tried it. The day I came to know that I can try it free, I downloaded it and tried it against some malware files.
    I have many disappointments/concerns about it, but the most important one I will discuss here. Off and on I install antivirus for some of my friends, co-workers etc., and I am thinking of adding it along with Avast (ThreatFire is another option, but the users are actually dummies, so BOClean with silent mode might be a better option).

    I have seen this bug since the very first free version of BOClean; it seems to be still present and seems a very serious flaw in BOClean's protection. Using XP SP2, whenever I launch some malware files to test them against BOClean, BOClean off and on crashes while attempting to clean the infected file (the crash happens only during file removal). Say I run a malware xyz.exe: BOClean detects it, kills its process and I get a message asking whether I want to remove the file also. When I say yes, that is when BOClean crashes and I get the message about it. I have to restart BOClean each time.

    I noticed that this crash is rather frequent. Recently I tried 6 malware files and got this crash about twice. Also I noticed that the crash is more frequent with complex malware (that copies exes and dlls here and there, changes the registry more and installs global hooks etc.) than with simple malware (like a downloader just executing and trying to connect out).

    I don't want to flare up any Comodo/BOClean fans, but it's a serious bug that renders BOClean's protection almost useless. I will post almost the same thread on their forums, or rather I would like to send an e-mail to the developer (can anyone give me his e-mail address?).

    Ordinary users might not notice this bug as they might not come across malware except once or twice. It seems very easy to reproduce. Just run about 5 to 10 malware samples and when BOClean gives the prompt to clean the file also, say yes. You will see BOClean crashing (unless my findings are wrong or there is some conflict on my system).
     

    Attached Files:

  2. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    The author, Kevin McAleavey, is a member of this forum.
    https://www.wilderssecurity.com/member.php?u=8121
    It would be very interesting to see their response. Keep up the good work!:thumb:
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Let's wait and see. The bug is not new. I have been seeing it since I tried it (after it became free).
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Is this bug common among anti-malware apps? Because when I run a SuperAntiSpyware free scan, if there are any infections (tracking cookies, in my case) detected and removed, a window similar to BOClean's will appear each time.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't think that it should be common. It's a serious bug making a security application useless. It might perhaps be on some systems due to some conflicts. Not sure!
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    It points out non-existent error handling for specific operations. (The thing you should check/verify after some operation failed; without proper error checking you ASSUME that everything went well and continue with invalid data, which is why you see such crash screens.)
     
  7. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Thanks for your advice, but can you be more specific and perhaps use layman's terms? I am a cadet in Computer Science; some illustrations/examples would be very helpful. Thanks.
     
  8. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    You can do NOTHING against this. It's up to the developer to fix that.
     
  9. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Thanks.
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I've seen this across several versions and nothing got fixed...:rolleyes:
     
  11. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    After seeing the good Inspector's post and due to the fact I encounter such little malware that trips up my security, this is likely a flaw that should be fixed. However, I have had lots of experience with the last several versions of OutPost tripping up with such crashes only to find I have a clean system. I use only a little security software to avoid conflicts, so in my mind there is no excuse for malware-free machines to get such screens. The more I see "sorry for this" the madder I get. :mad:

    I would say BOClean is not the only security app to suffer from this.

    However, the point here is well made. This should not be happening, protection software is not much use if this happens. :(
     
    Last edited: Oct 10, 2007
  12. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    OK, since someone asked what I mean, I give here a short example of what I mean by error handling. (That most likely doesn't apply to the particular case of this crash, but you'll get the idea of what I mean.)

    We want to create a file and write something into it.

    First we write:

    FILE * pFile;

    That tells our program that we want to use a file pointer (for holding the handle).

    Then we open the file in write mode:

    pFile = fopen ("wilders.txt","w");

    After that comes now the error check:
    if (pFile != NULL)

    which basically means that if the file could not be accessed/created then pFile will be NULL. So by checking using "!=" we check if it is NOT (!) null, which means the file could be created/accessed.

    ONLY THEN are we allowed to write something in the file!
    fputs ("wilders rocks!",pFile);

    If we don't do that check and ASSUME that all went OK, then we will get a similar crash, because we're trying to write to a non-existent file handle (it contains NULL because there was an error!) in case the system could not create this file. (For example on write-protected media.)

    Understood? :D
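
The walkthrough in the post above, assembled into one runnable program as an added example (not part of the original post and not BOClean code). It goes one step beyond the post by also checking fputs, fclose and the file removal; the names write_note and remove_checked and the sample paths are made up for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Result codes so the caller can tell which step failed. */
typedef enum { NOTE_OK = 0, NOTE_BAD_ARG, NOTE_OPEN_FAILED,
               NOTE_WRITE_FAILED, NOTE_CLOSE_FAILED } note_status;

/* Write text to path, checking every call that can fail. */
note_status write_note(const char *path, const char *text)
{
    if (path == NULL || text == NULL)
        return NOTE_BAD_ARG;

    FILE *pFile = fopen(path, "w");
    if (pFile == NULL) {                 /* the check from the post */
        fprintf(stderr, "open %s: %s\n", path, strerror(errno));
        return NOTE_OPEN_FAILED;         /* never touch pFile after this */
    }

    note_status st = NOTE_OK;
    if (fputs(text, pFile) == EOF)       /* disk full, I/O error, ... */
        st = NOTE_WRITE_FAILED;

    /* fclose flushes buffered data, so it can fail too. */
    if (fclose(pFile) == EOF && st == NOTE_OK)
        st = NOTE_CLOSE_FAILED;
    return st;
}

/* Delete a file and report the outcome: returns 0 on success, else errno. */
int remove_checked(const char *path)
{
    if (path == NULL)
        return EINVAL;
    return remove(path) == 0 ? 0 : errno;
}

int main(void)
{
    /* Constructed paths: the second points into a directory that does not exist. */
    printf("good path:    %d\n", write_note("wilders.txt", "wilders rocks!"));
    printf("bad path:     %d\n", write_note("no_such_dir_example/wilders.txt", "x"));
    printf("remove:       %d\n", remove_checked("wilders.txt"));
    printf("remove again: %d\n", remove_checked("wilders.txt"));
    return 0;
}
```

The second write and the second remove both fail, and the program reports a status code for each instead of carrying on with an invalid handle.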
     
  13. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Update.... And for everyone who understood that we go one level higher:

    int *(*(*x)())[15];

    Guess what that means? (the answer is somewhere "hidden" in that post) :D

    means that the integer x is a pointer to a function returning a pointer to an array of 15 pointers to another integer
     
  14. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    the integer x is a pointer to a function returning a pointer to an array of 15 pointers to another integer ;) :D
     
  15. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I'm wondering what program out there would be able to deal with allowing all 10 samples to run and then try dealing with it after it executes? I try to go looking for malware in the wild by going all over the net just for some real-life testing. I'll even download some unknown program(s) and try installing them, 1 at a time of course. I believe I may have encountered a false positive similar scenario with the earlier version of this program when it flagged my virtual drive that I use to play games with, and it would prompt upon me launching the application, then ask if I wanted to remove the files. I would say yes, but instead of crashing, the icon on the bottom right would disappear and BOC would shut down and the service would no longer be in the task manager. Then I would have to launch BOC again to start it up, and then I would have no problems. That's about it for my experiences; so far no problems with the latest version, but I have not tried to run live samples of malware 5-10 all at once yet.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You can get the same even with one to two samples. It's frequent.
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi aigle,

    Did you post at the Comodo BOClean forum and/or did you send an email to Kevin?

    If so, where at that forum, and/or what was the reply from Kevin (full quoting of a private email is not allowed, but some way of informing here might be useful).
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Yes, this happened to me too :doubt:

    @FanJ, this has been posted @Comodo some time ago and afaics no response from KMcA
    https://forums.comodo.com/comodo_bo...wn_everytime_it_blocks_a_trojan-t10720.0.html
    There are other threads @Comodo with similar

    Interesting that no-one from Comodo replied to that thread.
    Have to wonder how much "maintenance time" is being directed to CBOC now?
    I know it may not be representative of most users (cf. Acronis forum here) but scattered through the Comodo CBOC forums is a constant stream of 'I have issues...' posts that don't seem to get a lot of attention.
    I bet there is the usual inimitable KMcA explanation: why not give it?, every time he posts I learn something.

    Regards
     
    Last edited: Oct 12, 2007
  19. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Just curious. The thread from the Comodo forum just mentions v. 4.24.
    Does this same problem exist with the current v. 4.25?
    Thanks :)
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I might not post at their forums, as my impression/experience is that the posts at their forums often don't get official responses, so it might be almost useless to post there. (However, my experience is based upon the Firewall forums; maybe it's different in the case of the BOClean section of the forums.)


    I did not send an e-mail to Kevin as I thought he might post in this thread, but I was wrong. I have no e-mail address for him. Can anyone provide me his e-mail address, and I will mail him and let you people know about the response.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    The screenshot I posted is with 4.25. Same thing I experienced with the very first free version as well.
     
  22. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    I run SuperAntiSpyware and have never experienced that problem.
     
  23. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Thanks for the response, aigle.
    And thanks for bringing this to everyone's attention.
    I was totally unaware of this problem as I'm sure others were also.
    Hopefully they will have the courtesy to answer soon. :)
     
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Thanks for the feedback. I am not too concerned about it, since I use it as an on-demand scanner. But I will reinstall it at a later date to see the difference. Take care.
     
  25. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    I've noticed this a few times, but I don't see it as a very big issue, simply because when boclean crashes, it has already terminated the malware. In my experience, it has only crashed after telling boclean to remove the file, not once whilst trying to kill it. Also, it's not like boclean simply stops running with no warning, you get the error message, that you have to interact with in order to make it disappear.
    I agree that this issue needs to be fixed, but it's more of an inconvenience than a security issue, IMHO.
     