Cleaner Prof Version 4 =Test & Evaluate

         Cleaner Prof Version 4

To all of our members as most of you are aware the Cleaner Prof Version 4 has been released. The Cleaner is a trusted software application for the detection and removal of Trojans,Worms,malicous scripts. I have tested and wanted to share my evaluation of the Cleaner with the members. I welcome your comments and responses on the Cleaner.
_____________________________________________________________________
Download:
I downloaded and installed The Cleaner on my pers.computer. The installation was smoothed and there was no problems noted. My operating systems is as follows:
Compaq 5441
OS: 98SE
184RAMS
476 mhz
AMD K-6(tm) processor.

Resouces:
Upon installation and reboot my resouces were at 85%
Tc Monitor running in memory was at: 6340kb
Tc Active running in memory was at: 5692kb
This is very user friendly for older pc that are not running with a lot of memory.

Main Inteface:

Main interface is "user friendly" easy to understand for the novice to the advanced user. The five tabs on the main interface are self explanatory and easy to manuver without and problems. If there are questions about a given feature or function the "Help File" is precise and to the point. I was surprised how clear and concise the presentation is on the usage of the cleaner. There was very little effort in configuring the cleaner using the options tab on the main interface, its quite clear and to the point.

Tc Monitor and Tc Ative Module's:

These 2 modules are quite unique and I was very impressed with the capabilities.

A.) As a starting point I activated a trojan simulator which triggered the "Alarm" giving me the options as to what I wanted to do. This is a extremley important feature that is incorporated within the cleaner. I was expecting the cleaner to allow the trojan simulator to activate and would have detected it upon reboot/and or upon scan of my C drive.
B.) This in itself is a valuable asset for prevention of a trojan application starting and causing damage to ones pc

Scanner:

The scanner is extremly fast. On my pc The Cleaner scanned 13,296 files in 15min - 10s. .....but what is most impressive is the capability to "unpack" compressed files!!!! The issue on unpacking compressed files is important from my standpoint whether its a Trojan or Antivirus Software. Based on previous trojan software's I have tested the scanner ranks as one of best from my test results.

Detection:
Based on previous reports on the Cleaner, the cleaner ranks number 1 on total amount of trojan/ and variants detected.
A.) What was interesting is I attempted to install (5) different trojans on my pc and the cleaner alarm was triggered alerting me of the changes and offering me options.
B.) I expected this to happen as these trojans are listed in the data base...however...the Tc Active and Tc Monitor modules re-affirms and strenghtens the position how valuable the detection process is within the cleaner.

Conclusion:
The Cleaner Prof in my opinion is one the best "well rounded" Trojan Software on the web today. Its easy to use for novice and the advanced users. There are numerous Trojan Software on the web today.....however the Cleaner in my opinion ranks in the top 3, if not the best!!!
http://www.moosoft.com/

 

From the homepage:

Never again worry about e-mails you open, or programs you run -- The Cleaner Professional detection system will take care of business so you don't have to!

---

I really doub't that.
So just open a HTML Virus or a polymorphic virus attachment and the Cleaner will take care of it ?
LOL sorry but such statements "Never again worry about e-mails you open" is the KO-Statement for this wannabe Scanner.

Regards,
Michael

 

"Detection:
Based on previous reports on the Cleaner, the cleaner ranks number 1 on total amount of trojan/ and variants detected."

I'm not trying to start an argument, just wondering what and where those previous reports might be (other than the moosoft site, I mean). Do you have any links to those reports readily at hand? I admit I haven't been hunting down reviews of The Cleaner 4 but (that I recall) I haven't seen much discussion in the few places I do hang out about the new version. I'd have thought there would be more interest and discussion regarding this product than I've seen to date (or perhaps I've just not paid sufficient attention).

Also, is that #1 primarily based on the number of definition database entries? (Frankly I've always been a bit dubious when any claims are made about an AT product primarily based on the number of sig defs since as I recall not all products count uniques and variants in the same manner or at least they didn't used to.)

Don't get me wrong, as a former user I wish The Cleaner well, but as Godzilla noted, they've always have had a bit of unsupported hyperbole in their claims (not that they're exactly unique in that respect), even when they went through a bad patch some time ago and quite seriously lagged behind other vendors in the maintenance and support of their product. Reportedly they've pulled themselves out of that bad patch, and I'm glad to hear it, but they did lose a number of users as a result.

BTW, just to clarify in case anyone is unfamiliar with The Cleaner, the TC Active and TC Monitor are not new to the product; they also were part of version 3 for quite a long time. One is a real time monitor and the other alerts to any changes in the registry as I recall (can be a useful tool, I suppose but it can also be a bit of a PITA if it's running while installing legit software ). It sounds as if they've kept the basic components (scanner, RTM and reg monitor) but improved upon them and their capabilities. And The Cleaner was always user friendly IMO so it sounds like that hasn't changed.

Again, I'm not trying to start an argument, just wondering if more 3rd party info is available and hoping others who might have put it through their paces will be encouraged to also post about their experiences. So thanks for the post and hope I haven't offended.

 

@musicman I agree with the first part of your description. The Cleaner looks really nice.

The problem is that The Cleaner does not properly do its job --> the detection is bad.

For example, it seems that The Cleaner does not have a memory scanner or a working unpacking routine. In consequence, The Cleaner is unable to detect a common Bionet trojan which is compressed with PECompact (i.e., The Cleaner is almost useless since trojans are generally compressed by the attacker).

I believe that TDS-3 and BOClean are far from being the perfect AT scanner. But The Cleaner is really below average.

___________________________________________
Computer Name   ANO   
User Name   ANO1   
      
Reported OS Version   Windows XP Professional (SP1)   
      
Drive A:\   Removable   
Drive C:\   Fixed Media - 1,48GB free   
Drive D:\   CD/DVD   
Drive Z:\   Network Media   
      
The Cleaner Professional   4.0 BUILD 4140   
Database   Database v3431, dated Dezember 19, 2003   
TCActive!   3.0 BUILD 3040   
TCMonitor   2.0 BUILD 2024   
MooLive   2.0 BUILD 2019   
TCMode   1.1 BUILD 1019   
____________________________________________

 

snipped

(If this link is in violation with the TOS please delete it.)

comment: indeed it is in violation with the TOS

 

Paul,

would it be possible for you to verify that the mini test archive with the visible bionet trojans is completely harmless?

After the verification the link could be posted again so that everybody can verify that The Cleaner does indeed not detect these common trojans?

 

Moreover, I would like to explain why I believed that my link was not in violation with the TOS.

The TOS does not permit posting links to sites containing malware. Kaspersky inter alia defines malware (trojans) as programs which start invisible.

By contrast, remote administration tools which are visible to the user and can be easily terminated are not considered malware.

Since the three bionet servers contained in my test archive are visible, do not copy themselves to the root directory, do not register autostart entries and can be easily terminated by using the terminate button I did not consider them malware.

 

"but what is most impressive is the capability to "unpack" compressed files!!!! The issue on unpacking compressed files is important from my standpoint whether its a Trojan or Antivirus Software. Based on previous trojan software's I have tested the scanner ranks as one of best from my test results. "

This statement is completely wrong or at least misleading: there are compressed archives (like WinZip and WinRAR) and there is runtime-compressed malware. It is important to detect runtime-compressed malware. And this is where The Cleaner performs very bad.

I have just done additional tests with common runtime compressors like UPX 0.84 and ASPack 2.12. The Cleaner simply fails to unpack trojans compressed with these packers ...

 

Paul,

I do not want to register because I always forget my password ... ;-) In any case it will be safer if you download the files directly from the source. (In theory, I could send harmless files to you and upload nasty files to the website.)


Therefore, I suggest that I sent to you via e-mail the link to the website which I have already posted. (I assume that you do not remember it anymore.) Is this o.k.?

 

Paul

I sent a PM to you since my mail client failed to deliver the email to you.

 

Ok fellows!!!! Lets try to put this into perspective. Here is a reply from the developer on your replies. Now let me say this I am current working and testing the new version of The Cleaner Prof, and I find nothing to the contrary on what you have stated. The best way to support your statements is download the new version and test it yourself....than make your statements with substance. Don't want to cause a agument, just trying to be fair without bias. give it a try first and reply. Here is the developers statement.
------------------------------------------------------------------
Godzilla is wrong about polymorphics, The Cleaner can detect them.

Sig is quoting from an old evaluation, not for The Cleaner Professional.

"Ano1" is wrong also, The Cleaner Pro scans memory (always has), unpacks
files (UPX and Aspack both), TCActive! processes in memory also.
--------------------------------------------------------------------
Conclusion: the statements are made on past versions. The new version just came out....I have been running tests on it...and so far the Cleaner has scored a "A"

 

@musicman

"Ano1" is wrong also, The Cleaner Pro scans memory (always has), unpacks
files (UPX and Aspack both), TCActive! processes in memory also."

I am happy to correct my statements if they are wrong. Howeover, this requires a substantiated answer from you or the developer.

The developer apparently says that The Cleaner is able to unpack UPX. This statement is too general. I agree that The Cleaner can unpack newer UPX versions which can be simply unpacked with upx -d. I was talking about UPX 0.84.

Moreover, I cannot confirm that The Cleaner is able to unpack ASPack 2.12. At least my samples were NOT unpacked.

In addition, the developer avoided to talk about PECompact ...

Please note, that UPX, ASPack and PECompact are the most commonly used packers.

Finally, it may be true that The Cleaner somehow scans the computer's memory. But it does not do it effectively since my packed samples were not detected. Probably, The Cleaner works in the same way like Pest Patrol: First, it determines which applications are running. Second, it uses the file scanner to scan these application. I would not call this a real memory scan ...

In any case, please tell me why my commonly used and widely-spread trojans are not detected ... And please also tell me which version is the latest. If have intentionally posted the version information in my first post!

 

In reply to your statement the developer asked to please send your undetected trojan/trojans to trojans@moosoft.com so they can be analysed ...or better yet how to get the files.

 

We do not yet support PECompact, it is being added soon. Is he going to
keep added packers on until he wins? There are hundreds

The Cleaner scans processes and examines the files associated with those
processes. We do not have a machine emulator.

As to why his trojans aren't detected. Operator error? Modified to evade?
Genuinely missed? I can't really say until I see them.

 

@musicman

I sent a private message to you detailing the location from where the samples can be downloaded.

Possibly (though unlikely), a hardware/software conflict prevents The Cleaner from detecting my packed samples. In such case I will be happy to correct my statements.

On the other hand, I would be grateful if you or the developer could correct your statements if the samples are not detected. I believe that would be just fair.

And please do not add special signatures for the packed samples. This would be cheating.

 

I have forward info to the developer...this will be a fair assesment and will post back the results on this forum. If The cleaner does not detect...we we retract our statement. We appreciate all the input and posts on this new version.

 

@musicman

O.k....I believe we now say almost the same.

We agree that PECompact is not unpacked by The Cleaner.

We agree that UPX is unpacked by The Cleaner. In addition, I say that this does not apply to UPX 0.84 and other old UPX version. This has still to be verified.

In respect of ASPack we are still not in line. This has also to be verified.

In respect of the mem scanner I am not 100% sure about your statement: "We do not have a machine emulator".
I am not talking about a generic emulation but a memory scanner: in theory & practice, it is possible to detect compressed trojans by scanning the memory itself (like TDS, BOClean or Trojan Hunter do). Since my packed samples were not detected I believe that The Cleaner's mem scanner (if it exists at all) does not work efficiently, yet.


EDITED: Since my archive does merely contain trojans compressed with PECompact I will upload a second archive containing trojans compressed with UPX 0.84 and ASPack 2.12.

 

Ok here is the answer on the test forwared to the developer.
======================================
Well, he compressed them with pecompact which, like I said, we don't support
yet. However, the original was detected and now I will add these two so no
PECompacted bionet trojan can ever be undetected again.

Cheating? It's protecting the customers. I admit, he got them past with a
program that hides files. But that is the nature of the business and when
they are found, they are added and the threat is removed. That is the way
it works.
___________________________________________
Conclusion: From my point of view....this is the nature of the business....whether its Trojan Hunter.....Tauscan...TDS.......the files can be hidden with a program...... this also applies in the same prin ciple to antivius softwares........

 

No. The conclusion is wrong. It just confuses people.

1.
The trojans were not detected by the filescanner because there is no decompression support. This issue can be solved by adding decompression support for PECompact.

The issue cannot be solved, however, by adding special signatures for my zoo samples. This is because special signatures will not help to detect other trojans which are compressed with PECompact. (The customers do not need to be protected from my harmless zoo samples. They need to be protected from any real trojan compressed with PECompact.)

2.
Although the packed samples passed the file scanner they should have been detected by the mem scanner (if it exists at all). The file scanners of TDS-3 and Trojan Hunter frequently miss packed samples but the mem scanner usually detects them as soon as the trojan has been executed and resides in the computer's memory. Apparently, The Cleaner does not have such a mem scanner.

3.
Yes ... it is possible to outfox almost every AT/AV scanner. But it is particularly easy with The Cleaner. Therefore, The Cleaner must still be improved before it can be considered #1 (like it is suggested in your post and on the developer's website).

 

Just for the record: my intention is not to bash musicman, Daniel or The Cleaner.

I hope The Cleaner will be a strong player in the market, soon. But please do not call it number one, yet. (Calling it #1 was the sole reason why I made my comments.)

 

Hi, so heard there was some discussion of The Cleaner Pro going on!

I think most of Ano1's questions have been addressed already. Are there any more questions for the programmer and chief researcher?

Daniel