BOClean same story as TDS?

Discussion in 'other anti-trojan software' started by A884126, Aug 5, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I think what he means by that is that the methods of memory scanning that BoClean currently uses for detecting malware will no longer work in Vista.

    I think Kevin also mentioned somewhere that many security programs might be "broken" in Vista. It will be interesting to see how things evolve.


    Starrob
     
  2. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Wow ... you guys have been twirling OVERTIME. Heh.

    OK ... right now, MSDN has released "Longhorn Beta 1" ("Vista" or "Blista" as some of us have called it) ... so far, everything we do works just fine. My ANTICIPATION is that when they do the final release based more on Microsoft's claims that "this will be the most secure windows ever" (we've also heard this about '98, MiniME, 2000 and XPee ... we'll see) I'm just being cautious as always and anticipating ahead under the rash assumption that they might actually close off some of our useful tricks. Or at least screw them up. :)

    The final release of XP bore little resemblance to all of the previews and made QUITE a mess for a number of vendors, not so much for us. So far, so good though - no need for changes even with their current IA64/X64 mess and their "peekaboo WOW64 folder trick" ... but will it LAST? That's why I said that.

    FU_ROOTKIT is VERY easy to spot, even more so from ring 3 than from ring 0. I'm not going to give away secrets beyond what I said before - you look for what's MISSING. Stands out like a lighthouse in the middle of the Pacific. I won't diss HIPS *too* deeply, but bear in mind that conceptually for it to WORK, your machine must ALREADY be squeaky clean. Snapshotting a system that has an infection protects that infection as it's put into the "happy database." HIPS is obviously a good thing *IF* you're absolutely positive that you've got a perfectly clean machine. Not so if you're not. But it still helps if anything *NEW* lands.

    Memory scanning CAN be thrown off by a nasty if you use the general Microsoft functions to examine processes, threads and memory. ANYTHING that can hook any kernel function and send it on a sidetrip around the block is capable of returning spurious results. However, there are functions in NTDLL that can be gotten to for a CORRECT answer regardless if you know how to get at them and make sure that you've got a proper match.

    When I talk about "stupid things" I won't name vendors, but there's a good number of them lately (used to be just one or two) and it seems as though everybody's jumping on the "patch the addresses of kernel functions and point at MY software instead" which is why things like "SDT RESTORE" would have been *THE* answer to all of the rootkit problems in the world were it not for other vendors deciding to "patch the kernel." There's dozens doing it now. So something USEFUL like "SDT RESTORE" now BREAKS errant security software that patches the kernel. See why that's a BAD thing? :(

    Among other stupid things pioneered by the second tier antiviruses is a phenomenon known as "debug hook, suspend process" to let them have a wiffy-sniffy with their neato file scanner before letting a program run and being able to take all the time they need to do so. That's one of the reasons why WE didn't do that in BOClean simply because ONE proggie doing that works OK even if it slows things down quite a bit. But have two or more proggies suspending a process and "deadlock" ("system hang") becomes more and more inevitable. Nowadays, it's not unusual for four or more programs to be suspending threads. When we get up above 10,000 to 12,000 uniques, I foresee our need to do that also and like so many other "what if's" that we contemplate all the time, I just see the need to buy us more flexibility. But we're not at that point yet on any of these fronts, I just see it coming. And if WE step in there, we have to be prepared to clean up OTHER vendors' messes lest WE get blamed for the stupidity like we are with a certain firewall's new version. Last I checked, "mutation" was not a feature in BOClean.

    I wish I could go into more detail, but I don't want to give away the store. I'll just say that there are other "private builds" of BOClean for special customers who don't want the GUI or want to tie it into something of their own, and once a new project is done, most of what we've done will find its way into the next version and it will be quite different "under the hood" and quite the same as far as the screen goes. Gotta leave it at that for now though or I'll probably get slapped. But like I said, the best is yet to come. And fairly soon. :)
     
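    Kevin's points above (hooked kernel functions returning spurious answers, vendors patching dispatch-table addresses to point at their own code, and a blanket "SDT RESTORE" breaking other products) can be made concrete with a simulated dispatch-table integrity check. This is an added example, not BOClean's code or the method Kevin alludes to: the kernel image range, the service addresses and the table contents are all constructed, and reading the real table would need a kernel driver, which is out of scope here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed load range for the kernel image (ntoskrnl); a real check
 * would take these from the loaded-module list. */
#define KERNEL_BASE 0x80400000u
#define KERNEL_SIZE 0x00200000u

typedef struct {
    const char *name;   /* system service name, for the report only */
    uint32_t baseline;  /* handler address derived from the on-disk kernel image (constructed) */
    uint32_t live;      /* address currently sitting in the dispatch-table slot (constructed) */
} sdt_entry;

typedef enum {
    SDT_CLEAN,            /* slot matches the image-derived baseline */
    SDT_HOOKED_OUTSIDE,   /* slot points outside the kernel image: some other module owns it */
    SDT_MODIFIED_INSIDE   /* slot differs from baseline but still lies inside the kernel image */
} sdt_verdict;

/* Cheap signal that needs no baseline: does the slot leave the kernel image? */
int outside_kernel_image(uint32_t addr)
{
    return addr < KERNEL_BASE || addr >= KERNEL_BASE + KERNEL_SIZE;
}

/* Classify one slot; the baseline comparison catches hooks the range check misses. */
sdt_verdict check_entry(const sdt_entry *e)
{
    if (e->live == e->baseline)
        return SDT_CLEAN;
    if (outside_kernel_image(e->live))
        return SDT_HOOKED_OUTSIDE;
    return SDT_MODIFIED_INSIDE;
}

/* Report every slot and return how many are not clean. The scan only reports:
 * blindly writing the baselines back (an "SDT restore") would also strip hooks
 * that other legitimate security products depend on, which is exactly the
 * breakage described in the thread. Attribute the owning module instead. */
size_t scan_sdt(const sdt_entry *table, size_t n, int verbose)
{
    static const char *label[] = { "clean", "HOOKED (outside kernel image)",
                                   "MODIFIED (inside kernel image)" };
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        sdt_verdict v = check_entry(&table[i]);
        if (v != SDT_CLEAN)
            flagged++;
        if (verbose)
            printf("%-26s baseline=0x%08x live=0x%08x  %s\n",
                   table[i].name, table[i].baseline, table[i].live, label[v]);
    }
    return flagged;
}

/* Constructed sample: one slot redirected to a third-party driver, one altered
 * but still inside the kernel image, two untouched. */
const sdt_entry sample_table[] = {
    { "NtOpenProcess",            0x8058a000u, 0x8058a000u },
    { "NtQuerySystemInformation", 0x805a1000u, 0xf8c21000u },
    { "NtCreateThread",           0x80580000u, 0x80580000u },
    { "NtTerminateProcess",       0x80590000u, 0x805f0000u },
};
const size_t sample_table_len = sizeof sample_table / sizeof sample_table[0];

int main(void)
{
    size_t flagged = scan_sdt(sample_table, sample_table_len, 1);
    printf("%zu of %zu slots need attention\n", flagged, sample_table_len);
    return 0;
}
```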
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    This I understand. I might be wrong but I think this is what the program Samurai does (With SDT RESTORE). This appears to be why Samurai "breaks" a lot of security related programs.

    Thanks for your answers. I am not fully knowledgeable about security software but I do know a "few" security professionals on this board and usually by asking several pointed questions I am able to understand some of the things going on under the hood. It helps me make decisions about security arrangements on my computer.

    I understand why you don't like to mention certain products names. I think sometimes in your "exuberance" you say some things that you maybe shouldn't.

    I will take this away from what you are saying. Using too many security products that patch the Kernel or use the "debug hook, suspend process" could severely slow the computer down and/or cause lots of conflicts. Is that true?

    I personally want my computer to speed up and not have conflicts. That is why I am looking for solutions that will keep my computer fast, not cause conflicts in the OS, provide good protection, and retain ease of use.

    I am looking for those solutions on my own computer and that is why I ask these questions. I am avoiding putting software on my computer that I don't understand.

    I might have more questions in the future as I digest what you have written.....I usually decipher things over time.


    Starrob
     
  4. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Yes, I am reading that article now. I just got down to the part that says:

    Restoring Hooked Entries

    Restoration of hooked entries can be done by

    1. loading a driver

    2. directly from user space by writing to device/physicalmemory

    *Access to device/physical memory allows a user space program to read/write to physical memory, including kernel memory.



    Starrob


     
  6. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    ;) I thought you might find that part.
     
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Yes, articles like that help me decipher a lot of talk by a lot of developers. That article also helped me understand why DCS was in such a hurry to "protect physical memory" in PG.

    I also see a little more why if PG is not configured properly then it can conflict with what BoClean is doing.

    Not only PG....I can now see a little more about how and why there are a few companies doing things that might conflict with the way BoClean operates.

    This is the type of information that helps me determine which software I want on my computer or if some software is even necessary at all.

    Thanks for the info.....



    Starrob
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Developers are "patching the kernel" because it allows them to extend the features of Windows. First tier antiviruses do it, big name firewalls do it, nearly everyone is doing it. Except you of course... :)

    All the rootkit authors out there are taking advantage of features in Windows that Microsoft have provided (but mostly don't support), so why shouldn't security developers if it helps protect the system better? Security solutions should stay up to date with the current malware practice, regardless if they "share" certain attributes in technicality.

    "Patching the kernel", or specifically the Service Dispatch Table, used to be a "risky" thing to do 5 years ago, sometimes resulting in blue screens and other issues. With time, comes understanding. With proper care and understanding of the kernel you can write safe code to take advantage of everything it has to offer without risking end-user stability. This includes working with other SDT patchers.

    Just so you know, firewalls are the biggest offenders of patching the kernel in even more non-standard locations than your average SDT patching security application (with ZoneAlarm and a few others also patching the SDT).

    In my opinion, constantly polling the system for updates (like what BOCLEAN and a lot of other software does), is not only insecure, but inefficient. A lot of other developers share my opinion which is why they are heading down the "interception" path rather than "reaction" one.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    If Microsoft leaves the gates open for the "bad guys" to come through, the only recourse for users and their security vendors is to try to close (or guard) the gates. Unfortunately, this requires working with the "kernel", but MS leaves no alternative. It is poor operating system design that essentially creates the problems to begin with - and I mean extremely poor design.

    This is also how I look at things. Reacting is already too late. The "bad guys" are in the house and ransacking it. The only long term approaches are to intercept the "bad guys" before they get in, or better yet for Microsoft to close the gates down tight (something they will not do, because it is not in their own interests).

    Looking forward to your future products Jason.

    Rich
     
    Last edited: Aug 10, 2005
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Well said Jason and richrf. I agree with both of your statements. That is how I feel about security and how it should be handled in this day and age.

    As for BOClean, it's good to hear from Kevin and that it will be around for at least another 3-4 years. I know that I am happy with mine, and have no plans whatsoever to take it out of my arsenal of security related products.

    Regards,

    Jag
     
  11. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    I agree, Jag, those were both very well stated posts by Jason and Rich. And while I can't speak for BOClean because I have never used the product, I do agree with Randy in his earlier post and Notok also when he said while it may very well be an excellent product, "customer relations is something that does factor into decisions regarding where I'm going to spend my money" as well.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    @ Jason_R0

    I always wondered..is that something they get away with in the Home User Market..or also in the Corporate and Business Market for their applications ?
     
  13. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Kevin's relations with this customer have been excellent thus far. I consider my money well spent.
     
    Last edited: Aug 10, 2005
  14. controler

    controler Guest

    I don't really think I missed anything here except, some that posted keep forgetting Boclean is now more for corporate-government where patching is NOT allowed. I have no doubts Kevin can patch the kernel.
    You need to reread his posts. He said he DOES make speciality versions also.

    I would think though the Gov versions could stay the same & the public versions can have a patch. I wouldn't mind.

    Since I have bought Jason's, Wayne's & Kevin's software, that says a lot!!!!

    Kinda funny but seems like the only software I ever bought was software I was never allowed to Beta.

    I will also say I never liked McAfee or Zone Alarm.

    I think the next two years are going to be very interesting.

    Yes I was excited about TDS-4 coming out and yes that was a factor in my decision to buy TDS-3 but I am not a hater and know that DCS will grow
    if allowed. Only a fool would think PG was not an intime program.

    controler
     
  15. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    I wasn't talking about his relations with his current customer base......because I would imagine that is excellent. Rather, I was talking about the way he expressed and handled himself in the TDS thread in general and in relation with "potential" customers. Getting into a verbal altercation with a competing vendor in a thread simply because that competing vendor showed up to answer a question that somebody (Jaws) asked directly about TrojanHunter is both unacceptable and unprofessional. Granted I don't know the whole history there between these two, nor do I really care...that was irrelevant to the topic at hand. But even when the TrojanHunter author remained calm and tried to defuse the situation by attempting to take it away from the thread altogether, that only seemed to incite Kevin to become even more belligerent. That's what I mean by "customer relations"....because I've seen quite a few people post that his outburst that day really didn't do him any favors by casting him in a somewhat negative light.
     
    Last edited: Aug 10, 2005
  16. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    For me the approach has to be somewhat cold with the absence of emotion. Does the program do what I need it to do and do it well? The author could be a complete mad hatter, not that I'm suggesting Kevin is. I'm looking for something to do a job and protect my computer, that's all. A timely response to any problems I have would be nice though, and Kevin has provided that and some humour as well when I've had to email him.
     
    Last edited: Aug 10, 2005
  17. ---

    --- Guest

    Kevin, you said that you have corporate customers to "fall back on" so you have to keep BOClean going, but corporate customers still only pay once up front like everyone else does, so how are they any different to regular customers?
     
  18. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Yes, I'll have to agree that came off in unintended ways ... but the PROBLEM was that I *wasn't* talking about MAGNUS AT ALL! It was ANOTHER "vendor" I was referring to who has decided to light fires causing Magnus, Wayne and I to get all over each other for no good reason while they hid behind "guest." And while I may not have helped things, Magnus stepping in still thinking I was talking about HIM didn't help matters either. We were ALL being "gamed."

    And Gavin ... the so-called "problem between BOClean and Process Guard" turned out to be NEITHER! That's why so many people who use BOClean and PG replied to all those messages with a humongous "huh?" if you think back. No, the actual problem turned out to be a few ANTIVIRUSES that those people were using that do unguarded thread suspends which naturally caused PG to say "wha?" and do one also.

    I admit that we do some unusual things, but for VERY good reasons, and by NOT hooking the kernel to do so, we can usually stand clear of those unless somebody else decides to resniff too. My only complaint if any is that there are better ways to cover those things and what I was waved off on years ago was doing kernel hooks in that direct method of "patching addresses" in the first place, and if more than *ONE* entity does it, it's a "slippery slope into VXD hell" as was the case in the Win98 days. But the "problem" was never between PG and BOClean as it turned out.

    And finally, as to BOClean's "intended user base" it was ALWAYS intended for institutional and government users, that's why it was designed as "set it and forget it and just back up Norton when it misses something or is unable to stop it." Most importantly to our original customers, the "desktop user" should NOT even know it's there (invisible running) or ever be asked what to do when a nasty was found - kill it, and move on QUIETLY. That the public wanted some of that for themselves is always welcome, but the original design until the end of our first 5 year contracts on what we built couldn't be changed during that time. When the "single owner" license was made available, even there it was more designed to put on "mom's computer" or those who kept calling you in the middle of the night to come over and fix their machine. That's what we've continued to focus on all these years.

    There IS a "home version" in the works, but it's not a priority here because frankly we just don't sell enough copies to stop what we're doing which keeps us "alive" unless those sales are greater than they've been. The home version when it's released *WILL* have a thoroughly USELESS "file scanner" because people insist that they have to have it - I'd expect detection success however to be no better than any other file scanner, somewhere in the low single digits of all samples. But people want it, it will be there along with other toys to play with, a veritable "Fisher-Price busybox" if that's what folks want ... heh.

    But we've got other things to do first ...

    Hope this helps, but if folks would just take a few minutes and read what *I* type instead of putting other people's words into what my fingers leave behind as bread crumbs, maybe all of these misunderstandings would never have been painted. Have we had antagonistic relationships with others? You betcha. But none of that was ever OUR choice ... sometimes "competition" can be a BAD thing. Too many "experts," too few clues. :)
     
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Just remember everyone that even the author of A2 said their scanner is something of a gimmick with the strength of the program being elsewhere and I've already got one AS program that only seems to turn up cookies because I've got a good AV, Nod. https://www.wilderssecurity.com/showthread.php?t=89620 post 11.
     
  20. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Kevin, it's one thing to publicly attack another vendor who wasn't even addressing you. In my view, however, denying you've ever attacked anyone in the first place is something most people would probably see through and find even more disturbing than the original post.
     
  21. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Oy ... and YOU just demonstrated my point. This gains this forum _what?_ Fast English lesson - if it was all about you, as you claim, I would have said "THE" reason, not "One of" which indicated that there were others of greater significance or you would have received the "top billing" you claim.

    But if folks wonder where the animosity comes from, we have another "back and forth" to prove it. :(
     
  22. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Ah, right - I must have misunderstood what "not talking about someone AT ALL" means.
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    This thread does have a nominal topic. Please stick to it and take any discussions of an unrelated personal nature offline. Thanks.

    Blue
     
  24. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Hi Magnus and all,
    This be Primrose, Hunter, Name Game and a few other nicks, some of which not many know..with no particular axe to grind towards any programmer or vendor..I also do not personally use any of their products over the years. But over the course of those years, I carry lots of dirty laundry and dirty tricks and keep them "in the closet" for a "few" of them, rather than airing them in public forums..that includes Wilders. I hate gossip since the real facts rarely come out or it takes just too long to get at the "truth" as people stand around guessing...or playing Public Relations or damage control.

    I don't have to guess..or travel on an Airplane to get to the truth. I do like pizza and bier.. but not food frenzy fights.
    Kevin at times talks in riddles that a few of us do understand ..even the "Guest" who chime in do understand..while chuckling in the background behind their puter screen. It confuses many regular members of forums since they can't understand the "double speak" or the fact there is a whole other conversation going on between various parties..but they are curious.

    I ask you only now to bury the Hatchet..take care of your user base..continue to help the community with your Program(s) as we move into the next phase of Microsoft releases.

    There is room for everyone..if they just stick to working on their own Products..rather than physically or literally attacking the other or his coding.

    Be well and good luck,
    John
     
  25. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Well, I am not an expert. I am one that likes to learn. Most of the ones that I learn from on this board I prefer to call security "Professionals". I have a disdain for "security experts" because an "expert" in most cases thinks they know everything there is to know about a given subject and they don't have room to learn new things and innovate.

    If the public had listened to the Whale Oil Industry then Edison would have given up and never have invented the light bulb.

    By the way....I am not calling any one particular person an "expert" in this forum. Anyone that thinks I am has an unhealthy dose of paranoia. The only "experts" I know are the ones that think they are.

    It is easy to talk and make people feel "inferior". There are many people that tend to do that in this forum. Sometimes, I feel like I do that myself and I have to stop because I feel it is a weakness of mine. It is not my purpose in life to make people feel inferior but to try to help and teach others.

    Most of the times I prefer to do this by asking questions because it is most of the time through questions that knowledge is revealed.

    Yeah, there is no conflict between PG and BoClean. You are right about that. So I'll ask a question. If I protect physical memory in PG and do not allow BoClean access to physical memory would that interfere with the operation of BoClean?

    There is one or two vendors I know that if I ask a similar type question about their product or products, then they would give me a yes or no answer either in public or private and many times both. Many vendors, however like to give long winding answers that sometimes sidetrack the issue. "Pay no attention to that man behind the curtain", it was once said.

    For me, this is a new age. I am going to mostly stick with vendors that answer questions about their product. I doubt I can ask a question that would reveal all the inner workings of any product because I am not an "expert". I work as a ship engineer in real life. In September, I will leave for my ship and I won't even be thinking about security or Wilders for 4 months. Most of the questions that I ask come from readily available public knowledge. Any script kiddy or "other vendor" could go out there and find the things that I find on the internet. So why the secrecy?

    There are certain government agencies that like classifying everything secret not so much to keep the "enemy" from knowing......for the enemy many times very easily obtains the "secret information" from publicly available sources but more so to keep the public in the dark. The politicians get out there with their long winding speeches to sidetrack people from the real issues.

    I am not really directing this at you Kevin because I never really had the opportunity to ask you many questions about the operation of BoClean.....but I will say that if vendors choose to be indirect and evasive ....well, I can play that game too......by keeping my wallet in my pocket. We can play hide the wallet.....and I can be very evasive.....

    I will wait to see what the next version of BoClean is like. I am observing many products now to find the correct security set-up on my own computer. I want to see the vendors that can truly innovate.

    By the way...I am also waiting for the DCS products to come out because I have not given up totally on that company.



    Starrob
     