Boclean is Catching nasty things

Discussion in 'other anti-trojan software' started by jordi.c, May 5, 2006.

Thread Status:
Not open for further replies.
  1. jordi.c

    jordi.c Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    36
    Hi Guys,

    First I was a bit suspicious about installing an extra anti-trojan scanner because I already have a good antivirus scanner like NOD32 and I thought it would just sit back the whole time.


    But after installing BOClean last week and downloading some files, it caught a nasty file.


    NOD32 didn't see anything, so I can recommend this product to everyone as an extra layer for when NOD32 doesn't catch it.

    GOOD WORK Nancy & Kevin. :thumb:

    Regards
    Jordi

    Edit:

    Looks like it is a false positive because it is packed with MEW 11 1.2. If I pack Notepad with MEW and execute it, BOClean also flags it as a trojan.
     
    Last edited: May 5, 2006
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Having an extra shield against nasties is always worth having, especially one with a solid 10-year reputation behind it like BOClean.

    Did you click Ja or Nee? If Ja, what has happened with POWERDVD?

    I hope that you sent the info to BOClean so they can take a look at it, and if it was a FP they will fix it almost instantly! It's not very often there are FPs with BOC, unlike some others.

    I use BOC and wouldn't be without it, and it has been invaluable on my system.


    StevieO
     
  3. controler

    controler Guest

    NOD's advice is always to use Blackspear's settings.
    You have to go through a million settings to set it up the correct way.
    I have a thread going on an old Bagle worm and there are some issues even after setting up Blackspear's settings.
    Guess they don't want to read what I am typing.
    What I do not understand is BOClean doesn't do anything when I open this e-mail either, or when I click on the ZIP file.




    con
     
  4. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    MEW does not provide unpacking. Therefore, if it's packed with MEW, it's suspicious. LEGIT stuff doesn't USE MEW. If you're bold and want to take the risk, then exclude it, but if it's packed with MEW (first trojan to use it was "Bushbot" in 2001) and if the POSITION in memory matches, then it's like unpacking UPX with the warning "hacked, beware!" ...

    Might be an FP, we don't care as far as that detect goes - just to be honest - anyone who packs with MEW and has it land in THAT condition is *NOT* to be trusted, regardless of any claims. It's not just MEW, it's the dithering which raised the flag there. :(

    And I thought "open source" was to be "trusted." Nope ... if they pulled THOSE tricks, DON'T run it! A Bushbot match is a Bushbot match. Find a source with some integrity.

     
  5. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Perhaps I'd better explain it a bit better ... when it comes to MEW, it's a commonly used trojan packer because it's unpredictable for file scanners. When you diddle it in a certain way, it occupies a specific memory image and location similar to that of the first abuse of MEW - "Bushbot" from back in 2001. Normally when anything "semi-legit" is packed with MEW, things land in different places. Not so if it's been "messed with." One of BOClean's strengths is its ability to spot "zero day" stuff based upon the behaviors of packing and other diddling. For this item to actually MATCH "Bushbot" it means that we have a rather devious author here, regardless of what the "toy" might be. They USED MEW in a similar manner and should not be trusted on that basis alone. Just wanted to explain WHY we slapped it, and stand behind the slapping regardless.

    But if you REALLY wanna mess with that toy, you can exclude it and BOClean will let you do it, regardless. But we're not giving up so obvious a trick as is used by hundreds of nasties on a "heuristic" as was apparently done here. Just wanted to explain a bit better as to why ... MEW isn't something used by legitimate authors unless they're completely clueless. :(
     
  6. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I would be suspicious of any warning from BOClean that read Winall-CRACKEDEngine!
     
  7. controler

    controler Guest

    Hello Kevin

    Thank you so much for your insight through all the years. I feel I have known you for a long time. I hope you are not beguiled by the Knights Templar e-mail I sent you.

    It is good reading and NOT fiction.
    Bruce
     
  8. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538

    This is the program I am leaning towards as well. However, one reviewer of the most recent version commented that BOC was easy to disengage. I haven't yet heard definitely from the BOC development team in their forum to dispute the claim. The reviewer wrote:

    "In my test, I found that it was extremely easy to kill the two processes of BOClean using a simple "ProcessClose command" from AutoIt. After which I noticed that there was no protection from BOClean whatsoever. What's surprising for me is that on BOClean's website it says that it can protect itself from Trojans, but what about the simple close using Task Manager or using simple code to close it."

    Could the above be done by a virus or a trojan? If so, this is a huge hole in this program. As the last line of defense, it needs to be rock solid as far as always being on and not being able to be shut down.

    Can anyone with more technical knowledge than myself comment? I actually REALLY like the boclean concept. But this is one flaw that I could not live with.
     
  9. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
  10. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    You probably won't believe that I'm saying this ;-)

    But it seems to me that BOClean is the ONLY scanner in the entire world that can reliably detect Armadillo 4.x or Themida protected malware samples.
     
    Last edited: May 13, 2006
  11. modano

    modano Registered Member

    Joined:
    Sep 19, 2005
    Posts:
    32
    Location:
    latvia
    Ja, ne sounds like Latvian o_O PowerDVD came with a crack, maybe the crack was a virus o_O
     
  12. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Fellow Creatures,
    A fine example of why I use and trust BOClean. I cannot take risks with what I do on my personal machine. I do personal business on it. My machine is not used as a "toy". BOClean is my final line of protection, if all others fail to detect and kill. If BOClean detects malware ...kill it please! :)

    My machine is mission critical.

    BoClean=Trojan Defense:thumb:
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I think that's exactly how a real-time AV/AT protection should be looked at, the "final line" of protection. The problem is, too many use them as if they're the first (or the only) line of protection.
     
  14. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    I think you are probably correct. "Why be careful I got protection" o_O
     
  15. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129

    That's great news. I'm glad the McAleaveys' efforts paid off.
    Thanks for testing/posting this.
     
  16. comma dor dash

    comma dor dash Registered Member

    Joined:
    Jun 5, 2005
    Posts:
    146
    Well...I tested this with BOClean 4.11 (!) & 4.12. Therefore, I believe that it has nothing to do with any technological changes but with the good ol' concept of using string-based signatures. (Since the signature database of BOClean is now encrypted, it has become more difficult to figure out and hex-edit such strings, which is also good.)
     
  17. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    You can use a program like PG to protect it and all your other vital programs from being shut down.
     
  18. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I like Boclean's idea of being a last line of defense. By design, this means that it should be used in conjunction with other products. The best approach in my opinion is to layer your security.

    1. First start by preventing the malware from getting on the system.

    2. If it slips by this, you want to be able to detect it and clean (with some sort of scan).

    3. Finally, if the scan misses it too, you want to be able to protect the malware from functioning at the application level. This is where Boclean comes in.
     
  19. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Exactly! I couldn't have said it better, which is why I did not even attempt to do so! :thumb: :D
     