Can ewido clean parasitic trojans (eg. BEAST) ?

Discussion in 'ewido anti-spyware forum' started by Defenestration, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    One of TrojanHunter's biggest claims is that it can clean parasitic trojans (eg. The BEAST), even when they have injected themselves into critical system processes (eg. explorer.exe)

    http://www.misec.net/papers/thvsbeast/

    Can ewido safely and successfully (ie. removed without crashing the system) remove these types of trojans ?
     
  2. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Yes, but for security reasons only after a reboot... Which should be no problem at all if you think about the severity of an infection like this...
     
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    That's good to know! :)

    It would appear there is some disagreement between Magnus (author of TH), who thinks it is safe to disinfect these processes without the need for a reboot, and yourself and Wayne (DCS) and Gavin (DCS and now also TH), who think it is unsafe (ie. security reasons and possible system instability) to disinfect these processes without a reboot.

    May I ask what the security reasons are for not disinfecting without a reboot ?
     
  4. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    One of the main security concerns with unloading DLLs is that most of these DLL trojans also do API hooking (which cannot be undone) and if you unload the DLL, the system will crash/hang...
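    The thread discusses DLLs injected into explorer.exe and the API hooks they install, but never shows how to look for such a module. The script below is an added example, not code from the thread, from ewido or from TrojanHunter: it enumerates the modules mapped into explorer.exe and flags any that lack a valid Authenticode signature or live outside the Windows and Program Files trees. The process name, the trusted-root list and the two flags are my assumptions for a triage list, not a definition of "parasitic".

```powershell
# Added example (not from the thread): list the DLLs mapped into explorer.exe
# and flag the ones that are unsigned or outside the usual system trees.
# Run from an elevated PowerShell of the same bitness as explorer.exe;
# otherwise .Modules is incomplete or throws.

param(
    [string]$ProcessName = 'explorer'   # assumption: the shell process to inspect
)

# Assumption: legitimate shell modules normally live under one of these roots.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

$procs = Get-Process -Name $ProcessName -ErrorAction Stop

foreach ($proc in $procs) {
    $modules = @()
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_ (32/64-bit mismatch or not elevated?)"
        continue
    }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        $inTrustedTree = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedTree = $true
                break
            }
        }

        # Authenticode check: anything other than 'Valid' is worth a look.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        if (-not $inTrustedTree)     { $flags += 'outside-system-tree' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $m.ModuleName
                Path   = $path
                Base   = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                Flags  = ($flags -join ',')
            }
        }
    }
}
```

    Two caveats. Many legitimate third-party shell extensions are unsigned, so the output is a list of candidates to investigate, not a verdict. And a DLL that was manually mapped rather than loaded through the loader does not appear in the module list at all, so an empty result does not prove explorer.exe is clean.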
     
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    That's what I thought. Thanks for confirming.
     
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    If ewido finds an infection like this and begins disinfection, but you don't reboot when asked to do so by ewido, is it safe to continue running (eg. if you're in the middle of performing a long task which cannot be interrupted) ?
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    If you call it safe to have such a trojan still running on your system, there should be no problem :)
     