BOClean's memory scanner?

Discussion in 'other anti-trojan software' started by JRCATES, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    I've been reading quite a bit lately to learn more about BOClean, especially regarding the technique and capabilities used by BOClean to scan memory and all files, DLLs, etc. associated with processes running in memory.

    First off, from what I've read, BOClean apparently catches malware "on execution", whereas most AVs will catch something on download or on access. But, since some malware tries to hide via encryption by using a runtime unpacker or by various other tricks by which the executable is virtually unrecognizable, will BOClean ever catch it BEFORE execution?

    Also, BOClean seems to spring into action when the malware package launches a small trojan downloader (generally a compact little package designed to download the real malware to the user's PC without their knowledge), but can it catch it in other ways as well?

    And lastly, some AVs appear to have fairly "in depth" memory scanning capabilities (i.e. Dr. Web), whereas others may not be quite as extensive (NOD32). So my question is, since some AVs seem to scan only processes and services, does BOClean scan not only the active processes and services, but any DLLs and files that are accessed by these processes and services, etc.? In other words, how extensive is the memory scanner of BOClean? And would it be a good complement for an AV that only scans active processes and services in memory, or does BOClean operate pretty much the same way?

    Thanks
     
  2. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Yes. BOClean will catch it once it unpacks, before it has a chance to execute.
    That's a misconception. BOClean will stop a downloader of course, but it will also stop anything the downloader does download as well. When we get a malware DL-er, we run it to see what it gets, and ensure *everything* is covered. In this manner, malware will be detected regardless of infection vector.
    Our memory scanning is extensive and thorough.
    We scan all, including the DLLs and files, in both active and inactive memory and now monitor the kernel as well.
     
  3. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Thanks for the detailed info, Nancy... this all sounds really good. This is also pretty factually relevant type stuff that I think more users should probably be made more aware of. I'm a little surprised it's not more widely known by even the BOClean users (a few of whom I've asked this type stuff, but some were unsure and some responded with a little different info). Perhaps you and Kevin should make this type of info a little more well known and clear through your web site. Just a thought...
     