BOClean vs. TDS

Discussion in 'other anti-trojan software' started by downripper, May 14, 2004.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    I am a registered user of both (BoClean & TDS-3).
    I remember that once BoClean responded immediately when I installed AIM (the Wild Tangent stuff caused the alarm), and TDS-3 did not. BUT!! It could be that I hadn't yet exec protection on, on TDS-3 (now I do have it on).
    I have noticed that BoClean updates daily (sometimes more than once a day) and that TDS-3 updates every day in the week but not on Saturday + Sunday.
    BoClean is much lighter on my system but you can't do a full scan and TDS-3 has more options.
    I am very satisfied and feel secure with both products.
    The makers also both take the time to answer your e-mails when you have a problem.
    I use also ZoneAlarm Pro and have no compatibility problems with these 2 antitrojans.
     
    Last edited: May 23, 2004
  2. downripper

    downripper Registered Member

    Joined:
    May 14, 2004
    Posts:
    10
    OK. TPF is very nice. I could not decide between TPF and ZoneAlarm. TPF could not catch all 14 (dns tester failed) but ZoneAlarm Pro could with some tuning. TPF probably could as well with some expert tuning but I can't do it. So, I finally settled down with ZoneAlarm Pro. [setting Program Control to HIGH and delete all trusted program list during shutdown] :rolleyes:
     
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Simple question:

    Is BOClean also an AntiWorm, or just an AntiTrojan?
     
  4. -_-

    -_- Guest

  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Tiny Personal Firewall 5.5.1332 claims to protect from dns tester too (14/14). Tiny Software describes that the success message printed by dns tester is invalid, and if you check the actual outgoing packets on the wire, nothing escapes. Even if TPF's claim is false, it has 13/14 instead of the 8/14 points of ZaPro. Quite a difference, isn't it?

    Something else: I found a *mighty* informative review of boclean at http://scheinsicherheit.funpic.de/boclean.htm
    -hojtsy-
     
    Last edited: Jun 3, 2004
  6. anyuser

    anyuser Guest

    I am just curious. How do you get 8/14 for ZaPro and what does it miss?
     
  7. blabhead

    blabhead Registered Member

    Joined:
    May 18, 2004
    Posts:
    58
    Location:
    Massachusetts,U.S.A.
    That was a good link for that review on BOClean, hojtsy.
    It seems they might also have reviews for TDS-3 and Trojan Hunter.
    I tried to look for them but everything else appeared to be in German.
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    anyuser,
    8/14 is the number of passed tests for ZaPro on the site http://www.firewallleaktester.com/tests.htm
    By contacting the author of that site it turned out that I misinterpreted the results. He has very strict rules for putting the check mark into that table: a firewall only passes if it alarms only at connection attempt time and can identify the real initiator of the connection. ZaPro should alarm already at code injection time so it does not get the checkmark on that site for those tests. The same goes for TPF, it catches the code injection itself. It turned out that correctly configured ZaPro can actually defend from all the 14 listed leaktests, and a correctly configured TPF from 13 or 14. I know of no other single software which can provide that level of protection against these leaktests.

    blabhead,
    I used the Google translate tool to get a crude translation of the German reviews for TDS and TH. Both of those reviews are in a very critical tone, but finally somebody who looks under the hood, and cuts the marketing. Unfortunately the TH review is very outdated. Note that the malware database used on the site is a special one: custom modified, hexedited, encrypted or repacked versions of existing trojans. Most of the "new" trojans are of this kind: only variants. This way they can evaluate how the scanner would handle a threat which is not yet directly in its database. I find this a very good idea.

    -hojtsy-
     
  9. blabhead

    blabhead Registered Member

    Joined:
    May 18, 2004
    Posts:
    58
    Location:
    Massachusetts,U.S.A.
    ok thanks for the info
     
  10. FanJ

    FanJ Guest

    Please forgive me, but I thought the topic was "BOClean vs. TDS".
    IMHO postings/questions about firewalls do not belong in this thread and in this forum-section.
    This is NOT meant to be rude !
     
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Returning to BoClean:
    Does anybody have any thoughts on what on earth could be meant by
    Task Manager kills BoClean
    APT kills BoClean

    -hojtsy-
     
  12. helloworld

    helloworld Guest

    Guess what it means is:

    The Universe favours least effort path.

    1. If a trojan wants to kill BOClean, it must be known that BOClean detects this trojan, otherwise why the effort? In that case, BOClean will nail it before it gets running. No problem.

    2. If a trojan will just kill all AT, AV and firewall on a PC, how does the trojan know the presence of BOClean? The list cannot go on forever, so the trojan writer has to choose the most likely protection present on a victim PC. BOClean will not be on the list because the user base is not that big, i.e. not worth the effort. No trial version means even less user base. As a matter of fact, most average users do not even have an AT. No problem again.

    3. Finally, if the trojan does target to kill BOClean and BOClean does not recognise it, it can easily kill BOClean. The watchdog thingy may help. But, if a trojan writer puts in enough effort, any anti-termination will be useless because you are targeted. In this stage, all you can count on is a layered protection and hope that the trojan won't kill all of them.

    BTW, how big is the trojan going to be if it tries to kill every protection layer of a PC?

    just my humble opinion.
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Isn't BOClean a memory scanner? So the trojan should be already running -> who is faster?


    It's just another entry on the big kill-list and if I remember correctly it's already on most lists ;(


    There ARE ways to secure a process against termination!


    Not big? Can be even very small...
     
  14. helloworld

    helloworld Guest

    This is a question of trusting a memory scanner or a file scanner, or only if both are present. I believe in the memory scanner and think it will run faster than the trojan. A file scanner is pretty useless, as in the case of the AV industry. We have been fighting viruses for how many years? Why do we still miss some? I believe AV has a root in the file scanner. That's the reason!

    Just curious to know, where do you get the info?

    But it is useless. Lots of ways to break it. Many people choose to believe that it is possible to disable termination, but I choose not to. If your AT has to act like trojan/rootkit and penetrate into the system kernel, it would defeat the purpose because your AT is also a trojan. You just choose to trust that "trojan/rootkit". That alone is a no because Windows is flawed and a patched kernel may introduce more flaws. BTW, why do you trust AT guy while it may actually be a trojan writer himself? I am paranoid, I admit.

    Any example?
     
  15. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    What stops a trojan from setting its own process priority to realtime with the first few instructions? After that no other user level process will have a time slice to scan the trojan.

    Search Google for the Beast. Download, start, you see the process list it tries to terminate. Current BoClean defeats the Beast, but not because BoClean is not put into the list. One should avoid that naive thinking about self-defense. The memory scanners are obviously the software which are first put into the kill lists. And what will happen with a new variant of the Beast? It will not match the memory signature, and left alone to kill anyone.

    OK. Some food for a real paranoid: If you don't install kernel protection you are trusting everyone. If you install kernel protection you only need to trust the author of the protection. :p

    It depends on what you call small. Actually size is not really important in my opinion. Ahh for example, Phatbot searches and kills 600 processes: http://www.lurhq.com/phatbot.html , and it is approx 100Kb. Is that small? Maybe not. Why is that important?

    Please understand that I am not talking against BoClean. It seems quite professional, but not ultimate. I am just saying that you also need termination protection.

    -hojtsy-
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >BTW, why do you trust AT guy while it may actually be a trojan writer himself?

    I'm sure you know you are not talking about TDS nor BOClean developers here?!
    Know the sources, companies, their vision, products.
     
  17. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Well, women say size doesn't matter but I think it's a lie :'(

    Well, BOClean vs TDS:

    It's hard to decide one over the other.

    But TDS has a bigger database and more goodies, but it's slow as hell, and the exe protection only seems to work after you do a full scan and then you identify the nasty; then if you purposely execute the nasty, the exe protection kicks in?

    I've done this a lot on purpose.

    BOClean has a smaller database but is extremely fast; also its hook works immediately after executing a nasty. Done this too many times by accident lol

    That's why I use both: TDS for a major scan of hidden trojans and BOClean for fast execution protection.

    The problem with me posting such things is I have friends in both products, so telling it how it is is hard to do, because they're quick to defend their product even if it's personal experience, in my opinion.

    If you want one over the other, it depends.

    If you have money and a fast-ass 3 GHz P4 processor, buy TDS.

    If you have little money but want fast protection that's easy to use, and have a smaller PC with a 700 MHz processor and very little RAM, get BOClean.
     
  18. helloworld

    helloworld Guest

    That’s exactly the trust, Mr Blaze. A person chooses to buy an AT not because it can do everything and is bulletproof but the performance of the AT is within his comfort zone.

    hojtsy:
    I admire your knowledge in AT :0)

    Your answer on "which is faster" essentially claimed that all memory resident modules are a joke. The only thing we can trust is the file scanner. But I think all good AT vendors have already counted that factor in and I trust them, period. I believe these people have more knowledge of the inner workings of Windows and thus they are AT vendors.

    Just another curiosity: how does BOClean kill Beast?

    OK. About the anti-termination, I believe that if your AT does not patch the kernel, a potential trojan won't have to go to the kernel to kill it and hence less damage. The next question is who is going to win the race of digging into the kernel? Or will the trojan use other methods and ignore the patched kernel?

    Of course size does matter sometimes. If you have a huge unknown process running on your PC, you will straightaway notice the difference in response time. 100kb is not really that big :0), so less of an issue.
     
  19. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    No termination protection -> AT, AV, FW killed -> spreading, leaking, destroying. You may need to reformat the drive. Is this the "less damage"? What could be more devastating than this? You could as well say: increase security by not wearing a bulletproof jacket, and then attackers may not try to shoot you in the head, and you may survive a chest shot. Should suggest it to the military: it would cut down on military cost, and certainly be within the "comfort level" of soldiers.

    Nobody, it is a race without an end line. The only thing you can do is to always stay ahead of the level of most current threats.

    Some trojan will surely emerge which uses some new unprotected termination methods. And termination protection will follow for that of course. But the same goes for AV and AT signatures: The possibility of being successfully attacked does not justify complete lack of protection.

    -hojtsy-
     