BOclean?

Discussion in 'other anti-trojan software' started by -z3r0-, Jan 13, 2005.

Thread Status:
Not open for further replies.
  1. -z3r0-

    -z3r0- Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    74
    Location:
    Pittsburgh PA
    How is this for a Trojan defense?

    I am currently running NOD32 and just looking for something a little extra in the Trojan defense line.
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It's an excellent choice. It's a solid AT program and they coexist very well.

    Blue
     
  3. -z3r0-

    -z3r0- Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    74
    Location:
    Pittsburgh PA
    Is this the same version as you buy off the website?

    It's on Newegg for download at 22.99. I wonder if you could still upgrade it to newer versions without paying, like you can with the one bought from their site?

    BOClean
     
  4. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Purchase from any other source than the BOClean website and you will run into problems with the free update and upgrade privileges. There was a post here a few months ago about this. Just do a search for BOClean here and read up on how it was resolved... :D
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The short answer - yes.

    The longer answer, see here

    Primary differences - lag time to get into the vendor's database, details on money back return (you will be dealing with who you purchased from).

    I went with this type of deal through CompUSA.

    I haven't seen any difference in support. If you get caught between a major version change, lose your purchase documentation, etc., it may be a bit dicier, but PSC is a very customer focused vendor.

    Not sure it's for you? Buy direct from them and luxuriate in the iron-clad 30 day money back guarantee.

    Blue
     
  6. -z3r0-

    -z3r0- Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    74
    Location:
    Pittsburgh PA
    Thanks for the link to that.

    Sounds like it's best to spend a few extra bucks and get it right from them instead of the other way.

    Thanks a lot for the help on that, guys.
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If I were doing it again, I would go that route - in part to help fund that expected upgrade...

    Blue
     
  8. peachtreecity

    peachtreecity Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    15
    Location:
    Georgia, USA
    Would it be overkill to use BoClean if you already have PG3 & TDS-3?

     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To me, that's a hard call for a few reasons.

    I'll focus on TDS-3 only since PG is a somewhat different beast (which I also use).

    I use BOClean as my resource-light AT coverage and TDS-3 as backup diagnostic arsenal. TDS-3 runs on demand only. BOClean is very light, set it/forget it, seemingly stable with everything I own, and has excellent vendor support and home licensing policies.

    This scheme fits well for me since BOClean has no file scanner, while TDS-3 fills that role for me well. It gets muddled if you look to the future. DCS seems to be positioning so that one module or variant of TDS will be along the lines of BOClean, while BOClean is seemingly targeting inclusion of a file scanner in the next release. Down the road you may have a higher level of functional duplication than right now. Something to consider. I thought about it a while, considered the vagaries of potential release schedules, and quickly pulled the trigger on a BOClean purchase. Do you need it given the others? No. Is it sometimes useful to have both? Probably. Would I purchase both again? Yes.

    Blue
     
  10. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    z3r0,
    BoClean with NOD IMHO would be just fine. A set up I have considered on several occasions. Oh yea, just buy from the site. Worth it; any problems, I trust the owners will make it right. Super support.

    BoClean=Trojan Defense ;) ;)
     
  11. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I am currently using Nod32 with BOClean with no problems whatsoever. I'm running them on my WinME system. IMHO, if they can run together on WinME then they can run together on any OS. I also have Regrun Gold, Ad-Watch, ZoneAlarm Pro and cookiewall running with them and BOClean runs with no problems (in fact they all co-exist nicely). I think that a combo of Nod32 and BOClean is very nice indeed and very resource friendly as well.

    muf
     
  12. FanJ

    FanJ Guest

    and... another user: BOClean and NOD32 resident on W98SE :)

    And of course IEClean resident; TDS-3 and KAV on-demand; etc etc ;)
     
  13. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Probably wonderful, but it makes my system freeze. But who gives a flying turd, right?
    -
     
  14. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    I used to be a user and, to be honest, I wasn't terribly impressed.

    First, it is easily terminated from the Task Manager. I guarantee you a trojan will be able to as well.

    Second, it lacks an on-demand scanner. I do not feel safe using it. Would you rather fireproof something from the start, or rely on an extinguisher once the fire begins?

    Third, it lacks a trial version, which I feel is important in selecting a piece of software.

    This is in no way a flame, and I received a timely refund of the product price. I just feel that BOclean is a little on the outdated side, but certainly has the potential to grow in the future.
     
  15. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    quexx88,
    I understand your concerns. My thought on this is it will sit and wait for an attack to start and kill it right away. Sooner or later AV is getting to kill the dormant file, and if you have a firewall it too will prevent the nasty from carting off your data. I get tired of scanning everything either manually or setting a schedule. But I can be wrong. I have lots of feathers and they grow back quickly :D Please correct me. ;)

    Again, as time goes on Trojans and nasties get tougher.... I do see the need for a scanner of some sort, if the slower-to-pick-up-on-a-trojan AVs do not kill it before harm is attempted. I know Kevin is hard at work on a new product; we will see. :)
     
  16. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    I love the combination. As has been already said, they do work well together. BOClean has nabbed a couple of trojans for me recently. I'm only curious as to whether or not NOD32 alone would have flagged them.
     
  17. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    This issue is NOT new - the first MAJOR trojan in the wild with "killer capacity" was a trojan called BioNet:

    http://www.nsclean.com/psc-bionet.htm

    The fact is "TerminateProcess" is a function in the Windows kernel itself as described here in Microsoft's literature:

    http://msdn.microsoft.com/library/en-us/dllproc/base/terminateprocess.asp

    The TerminateProcess call IS unconditional and absolute when invoked. It will stop everything from AVG to ZoneAlarm, and *NO* program is immune to it without "illegally" patching the kernel, a concept that raises hackles among coders and administrators who find themselves now running a "patched" system. A technical discussion of how that might be done can be read in all its gory details here:

    http://66.98.132.48/fravia/harlequin_Kernel32.htm

    A handful of programmers HAVE done this as a last resort, but it has been proven over time to CAUSE more problems than it solves. We chose very deliberately not to hack the kernel, and while a small handful of less experienced programmers offering "competitive products" have chosen to do so, it's actually resulted in antivirus and other security programs FAILING to function properly (as well as their own) because needed system hooks have been disrupted by these programs which employ these methods, PARTICULARLY those written in the Delphi language which make use of "Madshi's MADhooks" libraries.

    First off, the _bad_ news ... BOClean does not, nor are we planning to add the MADSHI libraries that are used by one competitor for its "exclusive antitermination" DLL. We CAN'T, first of all because our commercial and government customers will not ACCEPT the use of such techniques as it can cause instabilities, as well as interfering with other security programs. Secondly, the MADSHI libraries are used in a large number of trojans in order to do "process injection" and even more nefarious things. We've been put on notice by many of our customers that were we to consider doing this, they would no longer purchase BOClean.

    What is MADSHI?

    Madshi is a group of libraries for use with the DELPHI programming language that provide a number of functions of interest primarily to hackers. One "competitor" uses the MADSHI libraries for their "process protection" rather than having written their own code. The MADSHI libraries function as follows (the pages are SAFE to view) and are apparently used directly:

    http://help.madshi.net/HowToUseMadCodeHook.htm
    http://help.madshi.net/Processes.htm

    So what's being done here is direct use of Madshi's functions to protect against TerminateProcess and TerminateThread. Wayne's "APT" exploits the seven items protected by Madshi to terminate a running process. In fairness, some trojans use Madshi to do the same thing and in reality, could just as easily unhook and then rehook and kill. Another method would involve sending mouseclicks to close a program in the same manner as a user would - in fact a number of other trojans have killed antiviruses and firewalls by sending mouseclicks to another program's window to accomplish just that. Curiously, another termination method wasn't used in the "APT" demonstration - sending a "WM_ENDSESSION" message to the program. This message is sent by Windows when it is shutting down.

    Completely blocking TerminateProcess is a BAD thing - if TerminateProcess and CloseWindow were blocked entirely, Windows could never shut down. So yes, TerminateProcess is permitted by BOClean, as well as our design in NOT hooking the kernel from the USER level as is done by a handful of "competitors." If you're going to do a "TerminateProcess" hook, it's best done from the SYSTEM level as a kernel mode driver and NOT from the "ring three user level" as doing so there can cause all of your other security (including firewall) to fail. If this issue is THAT important, Wayne of TDS has created a program called "Process Guard" which actually does it as a system driver. And having more than ONE kernel driver invites the same "too many chefs/hooks" problem as "user mode" solutions do. The more things there are mucking with the kernel, the less safe and reliable a system becomes. The way TDS is doing it with ProcessGuard however is nowhere near as significant as software that does it at the USER level, especially using Delphi code. Still, you want only ONE "kernel mode interceptor" and even ProcessGuard has its issues in hooking things and interfering with other security software. But if this issue is THAT important, I'd recommend ONE solution rather than many as far as hooks go.

    Should a nasty actually succeed at FINDING BOClean and knocking it down, one of the recommendations from NAI/McAfee involved renaming the executable for their scanner to another name, whereupon it successfully dealt with one of the many other "process killers" ... that renaming of the file will elude nasties long enough to kill them and then put things back into place.

    http://vil.nai.com/vil/content/v_99367.htm

    Renaming BOClean.exe to a randomly chosen name would have also worked. So what we have here is old hat, and there are literally thousands of "process killers" out there (and have been for years) which do precisely this. And while the contention of the author of that article may seem to make sense - "gotta catch it before it runs" - the authors of Beast and many others offer utilities that will scramble, encrypt and polymorph FILES so that they can slip right past any file checker. In fact THIS problem is so much more substantial, this is the REASON why we didn't include a file scanner inside BOClean, primarily because no matter what people SAY about the antiviruses, they're all pretty GOOD at catching things on file scans or as they arrive onto the file system from outside. And in the past year, they've gotten to be *so* good at it, there is conventional wisdom that you really don't NEED an antitrojan program anymore because the AV's have FINALLY gotten the message (look at how well NOD32 and Kaspersky have been doing with nasties lately) ...

    Bottom line though - can we? SURE we could. But the philosophy around here is to enhance, rather than reduce security ... and hooking TerminateProcess is NOT a good idea ... it could prevent ANOTHER program from successfully stopping something that it DOES detect.
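    The post above argues that no user-mode program can make itself immune to TerminateProcess, and that an orderly Windows shutdown legitimately ends every process. The defender's complement is to notice when a resident security tool disappears outside a shutdown. The script below is an added example, not code from the thread or from any vendor named in it: it reads constructed Windows Security-log records (Event ID 4689 "a process has exited" and Event ID 1074 "shutdown initiated" are real Windows event IDs; the record layout, the sample lines and the watched-process list are assumptions for this demo) and reports watched processes that exited with no shutdown logged in the preceding grace window.

```python
"""Flag unexpected exits of resident security tools in Windows log records.
Added example; the pipe-separated record format and sample lines are constructed."""
from datetime import datetime, timedelta
import ntpath

# Resident tools whose exit we care about (lower-case basenames; constructed list).
WATCHED = {"boclean.exe", "example_av.exe"}

# Constructed records: "<ISO timestamp>|<event id>|<process path>".
SAMPLE_LOG = """\
2005-01-13T09:00:00|4689|C:\\Program Files\\BOClean\\BOClean.exe
2005-01-13T09:00:01|4688|C:\\Windows\\System32\\cmd.exe
2005-01-13T12:00:00|4689|C:\\Windows\\notepad.exe
2005-01-13T17:30:00|1074|C:\\Windows\\System32\\winlogon.exe
2005-01-13T17:30:05|4689|C:\\Program Files\\BOClean\\BOClean.exe
2005-01-13T17:30:06|4689|C:\\Program Files\\ExampleAV\\example_av.exe
"""

def parse(log: str):
    """Yield (timestamp, event_id, path) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        ts, eid, path = parts
        try:
            yield datetime.fromisoformat(ts), int(eid), path
        except ValueError:
            continue  # bad timestamp or event id: ignore the record

def unexpected_exits(log: str, watched=WATCHED, grace=timedelta(minutes=2)):
    """Return [(timestamp, basename)] for watched processes that exited (4689)
    with no shutdown event (1074) logged within `grace` before the exit.
    Exits during shutdown are normal: Windows itself ends every process then."""
    events = sorted(parse(log))
    shutdowns = [ts for ts, eid, _ in events if eid == 1074]
    hits = []
    for ts, eid, path in events:
        name = ntpath.basename(path).lower()
        if eid != 4689 or name not in watched:
            continue
        if any(timedelta(0) <= ts - s <= grace for s in shutdowns):
            continue  # part of an orderly shutdown, not a process killer
        hits.append((ts, name))
    return hits

if __name__ == "__main__":
    for ts, name in unexpected_exits(SAMPLE_LOG):
        print(f"{ts.isoformat()} {name} exited with no shutdown in progress")
```

Matching on basename means a tool that has been renamed, as the post suggests, must be added to the watched set under its new name.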
     
  18. --ntl--

    --ntl-- Guest

    In my opinion, termination protection is not extremely important. If you believe to need it you should install a system firewall like Process Guard. It does not make sense that Ewido, Kaspersky, Trojan Hunter etc. have their own termination protection:

    Firstly, the termination protection of AV/AT scanners does not reliably work (i.e., the scanners can still be terminated with the help of a tool like Kernel PS). A dedicated system firewall like Process Guard works much better and additionally offers protection against the real dangers like code injection etc.

    Secondly, it may result in a big chaos if you install several AV/AT scanners with termination protection plus a system firewall.

    Thirdly, the detection capabilities of almost all AV/AT scanners are still terribly bad. Every script kiddie can camouflage non-replicating malware and bypass such scanners. AV/AT software developers should therefore concentrate on the most important thing: the detection of malware.

    I therefore appreciate it that NSClean will not implement termination protection.
     
  19. controler

    controler Guest

    Nancy

    Thank you again for the wealth of info.

    I agree with you about everybody wanting to use Kernel Mode Drivers.
    Everybody does nowadays. Even the newest keyloggers do.
    I doubt you have them on your list yet, but feel free to view this post.
    Not many so far have found it interesting enough to comment on yet.
    The new keyloggers are claiming that by using their new kernel mode drivers, they can't be shut down.

    https://www.wilderssecurity.com/showthread.php?t=61984


    Bruce
     
  20. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Excellent. ;)
     