Cleaner Prof Version 4 =Test & Evaluate

Discussion in 'other anti-trojan software' started by musicman, Dec 20, 2003.

Thread Status:
Not open for further replies.
  1. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
             Cleaner Prof Version 4

    To all of our members: as most of you are aware, the Cleaner Prof Version 4 has been released. The Cleaner is a trusted software application for the detection and removal of Trojans, worms, and malicious scripts. I have tested it and wanted to share my evaluation of the Cleaner with the members. I welcome your comments and responses on the Cleaner.
    _____________________________________________________________________
    Download:
    I downloaded and installed The Cleaner on my personal computer. The installation was smooth and there were no problems noted. My operating system is as follows:
    Compaq 5441
    OS: 98SE
    184RAMS
    476 mhz
    AMD K-6(tm) processor.

    Resources:
    Upon installation and reboot my resources were at 85%
    Tc Monitor running in memory was at: 6340kb
    Tc Active running in memory was at: 5692kb
    This is very user friendly for older pc that are not running with a lot of memory.

    Main Interface:

    Main interface is "user friendly" and easy to understand for the novice to the advanced user. The five tabs on the main interface are self-explanatory and easy to maneuver without any problems. If there are questions about a given feature or function, the "Help File" is precise and to the point. I was surprised how clear and concise the presentation is on the usage of the cleaner. There was very little effort in configuring the cleaner using the options tab on the main interface; it's quite clear and to the point.

    Tc Monitor and Tc Active Modules:

    These 2 modules are quite unique and I was very impressed with the capabilities.

    A.) As a starting point I activated a trojan simulator which triggered the "Alarm", giving me the options as to what I wanted to do. This is an extremely important feature that is incorporated within the cleaner. I was expecting the cleaner to allow the trojan simulator to activate and would have detected it upon reboot and/or upon scan of my C drive.
    B.) This in itself is a valuable asset for prevention of a trojan application starting and causing damage to one's pc.

    Scanner:

    The scanner is extremely fast. On my pc The Cleaner scanned 13,296 files in 15min - 10s. .....but what is most impressive is the capability to "unpack" compressed files!!!! The issue of unpacking compressed files is important from my standpoint whether it's a Trojan or Antivirus Software. Based on previous trojan software I have tested, the scanner ranks as one of the best from my test results.

    Detection:
    Based on previous reports on the Cleaner, the cleaner ranks number 1 on total amount of trojan/ and variants detected.
    A.) What was interesting is I attempted to install (5) different trojans on my pc and the cleaner alarm was triggered alerting me of the changes and offering me options.
    B.) I expected this to happen as these trojans are listed in the database...however...the Tc Active and Tc Monitor modules reaffirm and strengthen the position how valuable the detection process is within the cleaner.

    Conclusion:
    The Cleaner Prof in my opinion is one of the best "well rounded" Trojan Software on the web today. It's easy to use for novice and advanced users. There are numerous Trojan Software on the web today.....however the Cleaner in my opinion ranks in the top 3, if not the best!!! :)
    http://www.moosoft.com/
     
  2. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    From the homepage:

    Never again worry about e-mails you open, or programs you run -- The Cleaner Professional detection system will take care of business so you don't have to!

    ---

    I really doubt that.
    So just open a HTML Virus or a polymorphic virus attachment and the Cleaner will take care of it ?
    LOL sorry but such statements "Never again worry about e-mails you open" is the KO-Statement for this wannabe Scanner.

    Regards,
    Michael
     
  3. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    "Detection:
    Based on previous reports on the Cleaner, the cleaner ranks number 1 on total amount of trojan/ and variants detected."

    I'm not trying to start an argument, just wondering what and where those previous reports might be (other than the moosoft site, I mean). Do you have any links to those reports readily at hand? I admit I haven't been hunting down reviews of The Cleaner 4 but (that I recall) I haven't seen much discussion in the few places I do hang out about the new version. I'd have thought there would be more interest and discussion regarding this product than I've seen to date (or perhaps I've just not paid sufficient attention).

    Also, is that #1 primarily based on the number of definition database entries? (Frankly I've always been a bit dubious when any claims are made about an AT product primarily based on the number of sig defs since as I recall not all products count uniques and variants in the same manner or at least they didn't used to.)

    Don't get me wrong, as a former user I wish The Cleaner well, but as Godzilla noted, they've always had a bit of unsupported hyperbole in their claims (not that they're exactly unique in that respect), even when they went through a bad patch some time ago and quite seriously lagged behind other vendors in the maintenance and support of their product. Reportedly they've pulled themselves out of that bad patch, and I'm glad to hear it, but they did lose a number of users as a result.

    BTW, just to clarify in case anyone is unfamiliar with The Cleaner, the TC Active and TC Monitor are not new to the product; they also were part of version 3 for quite a long time. One is a real time monitor and the other alerts to any changes in the registry as I recall (can be a useful tool, I suppose but it can also be a bit of a PITA if it's running while installing legit software ;) ). It sounds as if they've kept the basic components (scanner, RTM and reg monitor) but improved upon them and their capabilities. And The Cleaner was always user friendly IMO so it sounds like that hasn't changed.

    Again, I'm not trying to start an argument, just wondering if more 3rd party info is available and hoping others who might have put it through their paces will be encouraged to also post about their experiences. So thanks for the post and hope I haven't offended. :)
     
  4. ano1

    ano1 Guest

    @musicman I agree with the first part of your description. The Cleaner looks really nice.

    The problem is that The Cleaner does not properly do its job --> the detection is bad.

    For example, it seems that The Cleaner does not have a memory scanner or a working unpacking routine. In consequence, The Cleaner is unable to detect a common Bionet trojan which is compressed with PECompact (i.e., The Cleaner is almost useless since trojans are generally compressed by the attacker).

    I believe that TDS-3 and BOClean are far from being the perfect AT scanner. But The Cleaner is really below average.

    ___________________________________________
    Computer Name   ANO   
    User Name   ANO1   
          
    Reported OS Version   Windows XP Professional (SP1)   
          
    Drive A:\   Removable   
    Drive C:\   Fixed Media - 1,48GB free   
    Drive D:\   CD/DVD   
    Drive Z:\   Network Media   
          
    The Cleaner Professional   4.0 BUILD 4140   
    Database   Database v3431, dated Dezember 19, 2003   
    TCActive!   3.0 BUILD 3040   
    TCMonitor   2.0 BUILD 2024   
    MooLive   2.0 BUILD 2019   
    TCMode   1.1 BUILD 1019   
    ____________________________________________
     
  5. ano1

    ano1 Guest

    snipped

    (If this link is in violation with the TOS please delete it.)

    comment: indeed it is in violation with the TOS
     
  6. ano1

    ano1 Guest

    Paul,

    would it be possible for you to verify that the mini test archive with the visible bionet trojans is completely harmless?

    After the verification the link could be posted again so that everybody can verify that The Cleaner does indeed not detect these common trojans?
     
  7. ano1

    ano1 Guest

    Moreover, I would like to explain why I believed that my link was not in violation with the TOS.

    The TOS does not permit posting links to sites containing malware. Kaspersky inter alia defines malware (trojans) as programs which start invisible.

    By contrast, remote administration tools which are visible to the user and can be easily terminated are not considered malware.

    Since the three bionet servers contained in my test archive are visible, do not copy themselves to the root directory, do not register autostart entries and can be easily terminated by using the terminate button I did not consider them malware.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ano1,

    If time permitted, we surely could verify your archive. This cannot be done right away, so it would take some time.

    That's Kaspersky's definition indeed. Ours goes somewhat further, if only to protect our members/visitors/lurkers.

    I'm far from questioning your opinion. Nevertheless, indeed we would need to verify the files ourselves first. I do propose you register as a member over here, and email me the file (preferably zipped) files for examination (my addy is in my profile, visible after member registration). We'll move on from there.

    regards.

    paul
     
  9. ano1

    ano1 Guest

    "but what is most impressive is the capability to "unpack" compressed files!!!! The issue on unpacking compressed files is important from my standpoint whether its a Trojan or Antivirus Software. Based on previous trojan software's I have tested the scanner ranks as one of best from my test results. "

    This statement is completely wrong or at least misleading: there are compressed archives (like WinZip and WinRAR) and there is runtime-compressed malware. It is important to detect runtime-compressed malware. And this is where The Cleaner performs very badly.

    I have just done additional tests with common runtime compressors like UPX 0.84 and ASPack 2.12. The Cleaner simply fails to unpack trojans compressed with these packers ...
     
  10. ano1

    ano1 Guest

    Paul,

    I do not want to register because I always forget my password ... ;-) In any case it will be safer if you download the files directly from the source. (In theory, I could send harmless files to you and upload nasty files to the website.)


    Therefore, I suggest that I send you via e-mail the link to the website which I have already posted. (I assume that you do not remember it anymore.) Is this o.k.?
     
  11. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    Paul

    I sent a PM to you since my mail client failed to deliver the email to you.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ano1,

    Thanks for registering. Your IM has been answered in the meanwhile.

    In order to avoid members/visitors/lurkers to possibly get alarmed and/or confused using the files in question - and that's one of the obligations we do have - posting the link to obtain the files in question is not allowed.

    Those who feel the need to obtain the files in question explicitly at their own risk are advised to contact ano1.

    regards.

    paul
     
  13. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    Ok fellows!!!! Let's try to put this into perspective. Here is a reply from the developer on your replies. Now let me say this: I am currently working on and testing the new version of The Cleaner Prof, and I find nothing to the contrary on what you have stated. The best way to support your statements is to download the new version and test it yourself....then make your statements with substance. Don't want to cause an argument, just trying to be fair without bias. Give it a try first and reply. Here is the developer's statement.
    ------------------------------------------------------------------
    Godzilla is wrong about polymorphics, The Cleaner can detect them.

    Sig is quoting from an old evaluation, not for The Cleaner Professional.

    "Ano1" is wrong also, The Cleaner Pro scans memory (always has), unpacks
    files (UPX and Aspack both), TCActive! processes in memory also.
    --------------------------------------------------------------------
    Conclusion: the statements are made on past versions. The new version just came out....I have been running tests on it...and so far the Cleaner has scored an "A"
     
  14. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    @musicman

    "Ano1" is wrong also, The Cleaner Pro scans memory (always has), unpacks
    files (UPX and Aspack both), TCActive! processes in memory also."

    I am happy to correct my statements if they are wrong. However, this requires a substantiated answer from you or the developer.

    The developer apparently says that The Cleaner is able to unpack UPX. This statement is too general. I agree that The Cleaner can unpack newer UPX versions which can be simply unpacked with upx -d. I was talking about UPX 0.84.

    Moreover, I cannot confirm that The Cleaner is able to unpack ASPack 2.12. At least my samples were NOT unpacked.

    In addition, the developer avoided to talk about PECompact ...

    Please note, that UPX, ASPack and PECompact are the most commonly used packers.

    Finally, it may be true that The Cleaner somehow scans the computer's memory. But it does not do it effectively since my packed samples were not detected. Probably, The Cleaner works in the same way as Pest Patrol: First, it determines which applications are running. Second, it uses the file scanner to scan these applications. I would not call this a real memory scan ...

    In any case, please tell me why my commonly used and widely-spread trojans are not detected ... And please also tell me which version is the latest. I have intentionally posted the version information in my first post!
     
  15. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    In reply to your statement the developer asked to please send your undetected trojan/trojans to trojans@moosoft.com so they can be analysed ...or better yet how to get the files.
     
  16. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    We do not yet support PECompact, it is being added soon. Is he going to
    keep added packers on until he wins? There are hundreds ;)

    The Cleaner scans processes and examines the files associated with those
    processes. We do not have a machine emulator.

    As to why his trojans aren't detected. Operator error? Modified to evade?
    Genuinely missed? I can't really say until I see them.
     
  17. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    @musicman

    I sent a private message to you detailing the location from where the samples can be downloaded.

    Possibly (though unlikely), a hardware/software conflict prevents The Cleaner from detecting my packed samples. In such case I will be happy to correct my statements.

    On the other hand, I would be grateful if you or the developer could correct your statements if the samples are not detected. I believe that would be just fair.

    And please do not add special signatures for the packed samples. This would be cheating.
     
  18. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    I have forwarded info to the developer...this will be a fair assessment and will post back the results on this forum. If The Cleaner does not detect...we will retract our statement. We appreciate all the input and posts on this new version. :)
     
  19. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    @musicman

    O.k....I believe we now say almost the same.

    We agree that PECompact is not unpacked by The Cleaner.

    We agree that UPX is unpacked by The Cleaner. In addition, I say that this does not apply to UPX 0.84 and other old UPX versions. This has still to be verified.

    In respect of ASPack we are still not in line. This has also to be verified.

    In respect of the mem scanner I am not 100% sure about your statement: "We do not have a machine emulator".
    I am not talking about a generic emulation but a memory scanner: in theory & practice, it is possible to detect compressed trojans by scanning the memory itself (like TDS, BOClean or Trojan Hunter do). Since my packed samples were not detected I believe that The Cleaner's mem scanner (if it exists at all) does not work efficiently, yet.


    EDITED: Since my archive does merely contain trojans compressed with PECompact I will upload a second archive containing trojans compressed with UPX 0.84 and ASPack 2.12.
     
  20. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    Ok here is the answer on the test forwarded to the developer.
    ======================================
    Well, he compressed them with pecompact which, like I said, we don't support
    yet. However, the original was detected and now I will add these two so no
    PECompacted bionet trojan can ever be undetected again.

    Cheating? It's protecting the customers. I admit, he got them past with a
    program that hides files. But that is the nature of the business and when
    they are found, they are added and the threat is removed. That is the way
    it works.
    ___________________________________________
    Conclusion: From my point of view....this is the nature of the business....whether it's Trojan Hunter.....Tauscan...TDS.......the files can be hidden with a program...... this also applies in the same principle to antivirus software........
     
  21. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    No. The conclusion is wrong. It just confuses people.

    1.
    The trojans were not detected by the filescanner because there is no decompression support. This issue can be solved by adding decompression support for PECompact.

    The issue cannot be solved, however, by adding special signatures for my zoo samples. This is because special signatures will not help to detect other trojans which are compressed with PECompact. (The customers do not need to be protected from my harmless zoo samples. They need to be protected from any real trojan compressed with PECompact.)

    2.
    Although the packed samples passed the file scanner they should have been detected by the mem scanner (if it exists at all). The file scanners of TDS-3 and Trojan Hunter frequently miss packed samples but the mem scanner usually detects them as soon as the trojan has been executed and resides in the computer's memory. Apparently, The Cleaner does not have such a mem scanner.

    3.
    Yes ... it is possible to outfox almost every AT/AV scanner. But it is particularly easy with The Cleaner. Therefore, The Cleaner must still be improved before it can be considered #1 (like it is suggested in your post and on the developer's website).
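
Points 1 and 2 of the post above, as an added Python sketch that is not part of the thread or of any product discussed in it. zlib stands in for a runtime packer (it is not UPX, ASPack or PECompact), and the samples, signature names and `TOYPACK1` header are constructed for illustration.

```python
import zlib

MAGIC = b"TOYPACK1"  # hypothetical header of the toy packer (assumption)

def make_sample(tag: bytes) -> bytes:
    """Constructed, harmless stand-in for an unpacked trojan server body."""
    return b"MZ" + b"\x90" * 64 + tag + bytes(range(256)) * 4

SAMPLE_A = make_sample(b"DEMO-SERVER-BODY-A")
SAMPLE_B = make_sample(b"DEMO-SERVER-BODY-B")

# Signatures written against the *unpacked* bodies, as a scanner database would be.
SIGNATURES = {"Demo.A": b"DEMO-SERVER-BODY-A", "Demo.B": b"DEMO-SERVER-BODY-B"}

def pack(image: bytes) -> bytes:
    """Toy runtime packer: header + compressed image."""
    return MAGIC + zlib.compress(image, 9)

def unpack(blob: bytes):
    """Static unpacker for the toy format; None if the format is not recognised."""
    if not blob.startswith(MAGIC):
        return None
    try:
        return zlib.decompress(blob[len(MAGIC):])
    except zlib.error:
        return None

def match(data: bytes, signatures: dict) -> list:
    return sorted(name for name, pattern in signatures.items() if pattern in data)

def file_scan(blob: bytes, signatures: dict, unpack_support: bool = False) -> list:
    """Scan bytes on disk; optionally unpack first (needs one unpacker per packer)."""
    hits = set(match(blob, signatures))
    if unpack_support:
        inner = unpack(blob)
        if inner is not None:
            hits.update(match(inner, signatures))
    return sorted(hits)

def run(blob: bytes) -> bytes:
    """Simulate execution: the packer stub restores the original image in memory."""
    image = unpack(blob)
    return image if image is not None else blob

def memory_scan(process_image: bytes, signatures: dict) -> list:
    """Scan the restored in-memory image; no knowledge of the packer is needed."""
    return match(process_image, signatures)

def demo() -> dict:
    packed_a, packed_b = pack(SAMPLE_A), pack(SAMPLE_B)
    # "Special signature": a byte pattern cut from one specific packed sample.
    special = dict(SIGNATURES, **{"Demo.A.packed": packed_a[-24:]})
    return {
        "plain_file": file_scan(SAMPLE_A, SIGNATURES),
        "packed_file": file_scan(packed_a, SIGNATURES),
        "special_sig_on_a": file_scan(packed_a, special),
        "special_sig_on_b": file_scan(packed_b, special),
        "unpack_support_on_b": file_scan(packed_b, SIGNATURES, unpack_support=True),
        "memory_scan_on_b": memory_scan(run(packed_b), SIGNATURES),
    }

if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:22} {hits}")
```

The special signature catches only the one packed file it was cut from, while unpacking support and the memory scan both catch the second packed sample with the ordinary database.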
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Personally, I tend to agree with ano1 as for his last comment right above.

    Musicman,

    Daniel is most welcome over here to join the discussion as he is the developer from The Cleaner ;)

    regards.

    paul
     
  23. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    Just for the record: my intention is not to bash musicman, Daniel or The Cleaner.

    I hope The Cleaner will be a strong player in the market, soon. But please do not call it number one, yet. (Calling it #1 was the sole reason why I made my comments.)
     
  24. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    Hi, so heard there was some discussion of The Cleaner Pro going on!

    I think most of Ano1's questions have been addressed already. Are there any more questions for the programmer and chief researcher? :)

    Daniel
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...and that has been and always will be a number one rule over on this board: no bashing allowed.

    I expect to see this (and for that matter any) discussion to be a mature and respectful one.

    regards.

    paul
     