BOClean, WMF and Limited User Accounts?

Discussion in 'other anti-trojan software' started by JimF, Dec 30, 2005.

Thread Status:
Not open for further replies.
  1. JimF

    JimF Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    54
    Location:
    Allentown, PA USA
    I have had BOClean for several years, but usually don't install it. Since I run Windows XP in a limited user account, I don't have to worry about software installing that I don't know about, and I don't install anything suspicious that might contain a trojan.

    But the new WMF vulnerability raises the possibility that some malicious software may run in a limited user account, even if it does not install. My question is, will BOClean (4.20.003) prevent a malicious WMF file from running, even if it is not installed?
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    BoClean, just like any other security program, has to be installed, and up and running in order to do any good.

    Acadia
     
  3. JimF

    JimF Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    54
    Location:
    Allentown, PA USA
    No, I don't mean BOClean. It of course has to be installed. I mean can BOClean catch a malicious WMF from running, even if the malicious WMF can not install anything (because of the limited user account). The distinction is between "running" and "installing".
     
  4. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    The exploit is a datafile that runs in WMP, at the system level, so being a limited user isn't going to buy you anything. Tricks like this, using programs like WMP that are part of the OS now, are how malware authors are getting around the confines of limited user.

    Due to the nature of this one, the delineation of responsibilities is important here. BOClean cannot scan a datafile for an exploit. It's not designed to do that; your AV, however, is. Obviously, you don't want two real-time file scanners tripping over one another and letting the nasties through as a result, so BOClean purposely doesn't work that way.

    BOClean will step in should the exploit run and attempt to install a downloader trojan...menx-dl is the one we're seeing currently. Without stopping the downloader, it will then install LOP, IST (seen currently) or another trojan, leaving the user with twice the headache.
     
  5. JimF

    JimF Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    54
    Location:
    Allentown, PA USA
    Nancy,
    Thanks for the definitive response. I have been wondering about this with limited user accounts for some time. Since most people run as Administrator, this usually doesn't get asked.
     
  6. controler

    controler Guest

    Ya know? I can remember the period when this whole don't-run-as-admin fad came about, and I have always run as admin. Isn't that funny?

    Why, you ask? Well, simple: you want as much power in ring0 as the malware does ;)

    Actually I am sitting back just smiling at the past 2 years.

    Here we go

    The run in usermode fad

    oh then of course rootkits are nothing, they are not a threat for 100 years.

    Isn't it funny how stuff happens?

    I have been one of the scorned ever since I came here.
    Not many took any of my one-liner advice now, did they?

    Let me think, was it because I didn't write a 2-page letter with all kinds of useless info?
    I think yes.
    Use your common sense.
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I do not agree with your comment! You are effectively saying that having an AV and a file-scanning AT running together is unrealistic due to them "...tripping over one another...". I could have worded my response more strongly, but for the sake of etiquette did not.

    It's simply not the case if the software has been developed properly, and tends to suggest you are making excuses for the fact that BOC does not have this capability (despite the fact that the new BOC 5/AMK-AntiMalwareKit is supposed to have this file-scanning feature).

    I am not the kind of person who intentionally dismisses another person's software/views/opinions for the sake of it, and I do not work for any of the competitors, but comments like this, and others made by staff at NSClean, make me wonder how astute/good the staff at NSClean really are.

    Just so you know I'm not having a go for the sake of it, I received a year's free licence for a-squared, but no longer install it on my system due to them not fixing critical bugs in the software! All I heard was that the version 2.0 was recently being developed (despite being "developed" for over 2 years), and the only developer on version 1.7 had left the company. This smacks of irresponsibility and doesn't engender trust (which is essential for a security based company). This is currently the feeling I'm starting to get from NSClean! (and that I have already gotten from DiamondCS, after their TDS fiasco - I'm a paying customer of all their products, yet I'm still waiting for recompense. Is this customer service o_Oo_O??!!!!!!!)

    All this being said, I would say I'm still looking for a replacement AT, with my current preference being either TH or ewido, followed by BOClean. BOClean used to be my number 1 replacement, but I have lost confidence in the technical ability of the BOClean developer (Kevin being the sole developer, I presume).

    I hope to get a response to my post since I always believe it's fair for a person to put their point of view across, especially when I have criticised them, but at the moment you have some serious convincing to do.

    I look forward to a healthy debate! :)

    PS. I wish everyone on Wilders a Happy, Healthy, Successful and Prosperous New Year! Make sure you do everything I wouldn't! (well..., at least not what I'd tell you about ;) )
     
  8. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Isn't there near universal agreement that running two AVs at once is a bad idea?

    Please don't speculate on future software version designs. It adds nothing of substance to the debate.
     
  9. Snowie

    Snowie Guest

  10. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Happy New Year!

    I would imagine so, things don't get placed onto this site unless they are for real. Since this isn't "one of ours", the correct person to ask for details would be a Wilders mod. They are the ones who have checked it out and can confirm exactly what to expect from it.
     
  11. Snowie

    Snowie Guest

    Nancy

    And a most wonderful and Happy New Year to you and Kevin as well.
    Thank you for the response..........your "guess" is good enough for me....
    Until next year.......have a good one.


    Regards

    Snowie The Snowman
     
  12. QuinnK

    QuinnK Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    47

    To be honest about it, Nancy's post makes more common sense than your response to it, IMHO. If you have so little respect for Kevin's technical ability and the quality of his staff, why not simply bypass NSClean for whoever has your respect?... if anyone does measure up. Why should they work so hard to convince you of anything??

    Take care... Quinn
     
  13. jbob

    jbob Registered Member

    Joined:
    Dec 2, 2005
    Posts:
    10
    Location:
    Arkansas
    I have read that BOClean has had this wmf exploit/trojan downloader covered for at least a month now. I have yet to have anyone verify that fact or that it has indeed stopped it from happening. Can you, Nancy, if you're still around, expound on what you have found out so far at NSclean about this latest threat?

    First, I realize that BOClean is not a file scanner. So from what I am reading, an infected wmf is downloaded onto one's machine by visiting one of several web sites. The wmf file then acts upon the windows flaw, whichever DLL file it ends up being. This in turn causes something (still trying to figure this out) to reach out to the appropriate server and now tries to download one of several variants of some trojan. This trojan is what is actually causing all the loading to go on, whether it be adware or whatever. So can we assume that BOClean will stop the trojan from being downloaded onto the machine, or does it just stop the trojan from running in memory?

    Now that the threat seems to have expanded a bit, as seen from this report: http://isc.sans.org/diary.php
    can we assume that BOClean will still be able to keep up with this threat as the real issue is the trojan that is downloaded and not so much how the exploit is affected?
     
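    The chain jbob describes above (a crafted WMF fetched from a web page, the GDI flaw it triggers, then the downloader that BOClean is meant to catch in memory) is exactly the split Nancy draws earlier: the datafile is the AV's job, the downloader is the AT's. As an added example that is not part of this thread and is not NSClean code, below is a minimal WMF record walker that does the "datafile" half: it parses the record stream and flags the META_ESCAPE record carrying a SETABORTPROC escape, which is the record type abused by the December 2005 WMF exploits (the thread never names the record, so treat that mapping as this example's assumption). The two sample files are constructed inline, not real samples.

```python
"""WMF record walker that flags the META_ESCAPE/SETABORTPROC record.

Added example; not from the thread or from any NSClean product.
Assumption: the WMF flaw under discussion is the SETABORTPROC escape
(the record type abused by the Dec 2005 exploits). Samples are constructed.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # escape sub-function that GDI treats as a callback


def wmf_records(data: bytes):
    """Yield (offset, function, params) per record; raise ValueError if malformed."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_size = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF header")
    off += hdr_size * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        if size_words < 3:
            raise ValueError(f"record at {off} has impossible size {size_words}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def scan_wmf(data: bytes) -> dict:
    """Return {'abortproc': bool, 'malformed': bool, 'findings': [str]}."""
    result = {"abortproc": False, "malformed": False, "findings": []}
    try:
        for off, func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc, count = struct.unpack_from("<HH", params, 0)
                if esc == SETABORTPROC:
                    result["abortproc"] = True
                    result["findings"].append(
                        f"SETABORTPROC escape at offset {off} with {count} payload bytes")
    except ValueError as e:
        # In-the-wild samples did not always keep size fields consistent, so a
        # scanner should treat "will not parse" as suspicious, not as clean.
        result["malformed"] = True
        result["findings"].append(f"malformed: {e}")
    return result


# --- constructed sample files (not real malware) ---------------------------
def record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\0"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records: list) -> bytes:
    records = records + [record(META_EOF, b"")]
    body = b"".join(records)
    max_rec = max(len(r) // 2 for r in records)
    # Type=1 (in memory), HeaderSize=9 words, Version 3.0, Size in words, objects, max record, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    return header + body


BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
HOSTILE_WMF = build_wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\xcc" * 8)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("hostile", HOSTILE_WMF), ("truncated", HOSTILE_WMF[:-4])):
        print(name, scan_wmf(blob))
```

    This only answers the question of whether a file is worth quarantining before any viewer renders it; it says nothing about what the payload does once it runs, which is the part of the chain the thread is asking BOClean about.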
  14. No boclean doesn't stop the download, Yes it only handles it once in memory.

    As we know everything has to work from memory, right?
     
  15. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    The WMP Scripting Fix tool would only prevent the exploit if a version of that exploit uses Windows Media Player scripting. (The standard version of this exploit will not be prevented.)

    The tool was made long before this recent WMF issue, to address a completely different problem. Of course, applying it anyway couldn't hurt. :)

    Best regards,

    -Javacool
     
  16. Snowie

    Snowie Guest

    HeyYA JC



    Thanks for the reply. Understood.

    Happiest of New Years

    Snowie The Snowman
     
  17. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    You're right about BOClean stopping the trojan. A large part of the mess we've seen recently are trojans related to this exploit.

    There is an alternate way to handle the exploit:

    http://djtechnocrat.blogspot.com/

    Guess that'll have to do until Microsoft actually fixes it.
     
  18. jbob

    jbob Registered Member

    Joined:
    Dec 2, 2005
    Posts:
    10
    Location:
    Arkansas
    Thanks Nancy...not quite as much of an answer as I would have liked but guess you guys are busy and it is New Years Eve. lol

    As a BOClean user I kinda see this threat as a way to promote your product. Since you guys have had this covered all along we could have just browsed along with little worries. Sure we might have an exploitable system but who cares as long as BOClean tags the trojan when it first executes in memory.
     
  19. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Exactly my thoughts.
     
  20. What are you talking about?? What does this have to do with the thread?

    I disagree with the comments of deviladvocate2 too.
     
  21. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Agreed, but your original statement referred to running a file scanning AV and a file scanning AT together. Since the current version of BOClean is mainly geared towards process memory scanning, I can only assume you are trying to "paper over BOClean cracks".

    It is generally quite acceptable for an AV and AT to run together, whether file-scanning, or not.

    I'm not speculating, but merely quoting comments from yourself about the next version of BOClean. If you dispute that you ever made this comment, I have the e-mail you sent me to back up my comments.

    While I have criticised you (NSClean) and the technical abilities of Kevin, my intentions were not to criticise just for the sake of it. It's just that from my readings of various forum threads, the responses by NSClean staff (Kevin and Nancy) have been less than convincing sometimes. BOClean is a pretty good product, but Jason (of Ghost Security) is technically more adept. And before you ask... I have criticised some of Jason's products where appropriate, but technically, he seems to be up there with the best. Although reasonably talented, the same cannot be said of Kevin, I'm afraid.

    Customer service offered by NSClean seems to be second-to-none, from what I have read, which is (and should always be) a major factor in determining which software to purchase.


    How Nancy's post makes more common sense is beyond me, since she blatantly changes her point of view in her second post, and accuses me of speculating when I have an e-mail confirming exactly what I said about BOC 5/AMK.

    Admittedly, I have lost some respect for Kevin's technical abilities after reading several posts made by himself in reply to other peoples comments, and have not been persuaded by his argument. Some may disagree with me, and that is their choice, but while I have lost some faith in NSClean, I still consider BOC to be one of the best AT's available.

    That said, everyone is entitled to their opinion. I always try to read everyone's comments, no matter how much I may disagree with them, for the simple fact that, that is the only way to make an informed decision.

    Here, Nancy mentions a file-scanning AV and a file-scanning AT (ie. BOClean in this case) should not be run together.

    Here, Nancy switches her argument that 2 AV's should not be run together, and not an AV and AT. As Nancy mentions, it is not recommended that 2 AV's are run together in real-time, although if you know what you are doing, this is quite possible to do in a stable manner.

    Her second comment about me speculating, is well..... not true. What I stated is fact, and I have an e-mail from Nancy herself to back me up.
     
    Last edited: Jan 1, 2006
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    How about we all step back a bit and try not to authoritatively discuss matters of which we really have no direct personal knowledge? Things like technical credentials and the like?

    Regardless of your personal opinions, few of us posting here have any personal and direct insight into the matter. At best we have some vague impression based on an unknown convolution of product design choices/constraints, desired product functionality, and implementation specifics. Not really enough to have any sort of grounded discussion, so let's just leave it by the wayside.

    As always, let's try to remain on the nominal thread topic and create focused threads for additional topics as the discussion warrants.

    Thanks,

    Blue
     
  23. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I agree that my comments may have come across as being assertive (or aggressive, or downright rude :D , depending on your viewpoint), and I do not mean to create an argument for the sake of it (rather a healthy discussion).

    However, being a security focused forum, I do feel obligated to try to give a balanced opinion on whatever subject I may be discussing, and expect to be verbally jousted where I have made a strong comment.

    As with everyone, I can only make an opinion on what information I am given or choose to seek out. Therefore, since Kevin and Nancy are both active on many forums, which I happen to keep abreast of, I think it's not un-reasonable to make a judgement on the technical ability of either of them based on the comments they may make in these forums.

    It is not a personal attack, and I am happy to back up my comments.

    I do believe my comments have some substance and so should not be edited/removed/curtailed in any way, but if you (or any other Wilders Mods) would still like me to drop the subject after reading the above, then I will do so (although I may not necessarily agree).

    To lighten the mood a bit, I'd like to wish everyone on Wilders a very Happy, Healthy, Prosperous and extremely Successful New Year!

    If you didn't check out the fireworks in London, you missed out on something special.... No other display came close! They were awesome!!! :cool: :D :cool:

    All the Best! :D :cool: :D
     
    Last edited: Jan 1, 2006
  24. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Personally, I think that I would be very ill equipped to render any judgement of the sort based on forum posts, so we clearly differ in this point.
    It depends on what you are talking about here. As with any debate, occasionally the flow unfortunately turns from the subject matter at hand to the personalities engaged in the debate. Although this does make for engaging theatre, the subject matter does remain unilluminated when this occurs.
    Your comments have not been touched in any substantive manner thus far. I did edit the last two quoted sections since, frankly, you had an additional quote closure which made for a rather confusing read when all was said and done. That is all that was done. All words from both parties remain as originally presented.

    As for further discussion, there's plenty of topics available even within the confines of this thread.

    and a Happy New Years to you as well!

    Blue
     
  25. controler

    controler Guest
