Cleaner Prof Version 4 =Test & Evaluate

Discussion in 'other anti-trojan software' started by musicman, Dec 20, 2003.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Welcome Daniel, on behalf of our staff.

    regards.

    paul
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Well, let me bump the discussion ;)

    Daniel, would you mind commenting on issues 1) and 2) as mentioned by ano1?

    Thanks in advance.

    paul
     
  3. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    Paul:
I second your statement that posting should be a mature and respectful one. This is how we all learn and exchange ideas and help one another out. If I may say, I have 20 plus years working with computers and testing software....I don't have all the answers and I am continually learning each and every day. I respect everyone's opinion and digest what is being said. Now for the record I made a statement that The Cleaner is No1...and I stand behind that statement based on the previous trojan applications I have tested. I am not bashing....or trashing anyone or any software; this is an honest opinion based on my experience. Best to all and Wilders
     
  4. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    I had intended to reply earlier but just as I was about to click "Post" Comcast went out...

    1) PECompact support isn't in yet. When it is added along with several other packers and the database updated with their fingerprints that issue will be resolved.

    2) The memory scanning is also being upgraded to support additional packers.

    The major overhaul to version 4.0 this year has built the infrastructure needed to support new things like additional unpackers and additional kinds of trojans like spyware, browser hijackers and adware.

    We've also improved the database format (faster, 3x smaller), improved the UI, opened new channels for support, added support for quarantine and file submission, scheduling and made many improvements to the scanner at a low level.

    Daniel
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Just wondering how it can be said that I was "quoting from an old evaluation" when I didn't quote from *any* other evaluation except for the initial quote from musicman's first post?

    My references to the older version and the past were of course about the past. I thought I was quite clear about that. It appears that the new Cleaner indeed still does use TCA and TCM and it appears they still are a RTM and a reg monitor. This is in addition to the on demand scanner of course. I did not say the product hadn't changed or improved.

    As for any marketing hyperbole that stands. No AV/AT product can be 100% effective 100% of the time given all the variables, potential malware or exploits people might run into and new things coming out daily. Thus no AV/AT product that I'm aware of can really accurately provide such assurances. Security software is not a panacea and users should not be encouraged by marketing to engage in unsafe practices because they've been assured by a software developer that they need no longer concern themselves with such matters.
     
  6. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    I'd like to mention that we have also added a Stealth Mode which hides the file names as well as identifying window titles and could be expanded to cover anything else the trojan authors key on. This renders all AV/FW killer type programs ineffective against The Cleaner Pro. I am not aware of any other AV or AT doing that yet.

    Daniel
     
  7. ano2

    ano2 Guest

    1.
    The stealth mode feature sounds really interesting. Would it be possible to allow users not only protecting The Cleaner but also certain other apps of their choice (e.g., the firewall)?

    2.
    In theory, unpacking engines are mandatory (since they allow the identification of compressed malware before it is executed and can do any harm). Therefore, I always respected Kaspersky's AV scanner which is supporting more than 300 compressors.

    However, in the meantime I am beginning to doubt whether it will ever be possible to provide reliable unpacking support. There are just too many compressors, crypters etc. Not even Kaspersky can handle modern protectors like ACProtect or PCGuard.

    Therefore, I believe that an additional mem scanner is even more important than a file scanner with comprehensive unpacking support: it would probably suffice if The Cleaner supported the most commonly used compressors in addition to its upgraded mem scanning capabilities. This is also because The Cleaner is an AT scanner and trojans usually do not destroy a computer immediately after they have been executed.

    Moreover, it seems to me that a mem scanner has an additional advantage: if your scanner detects malware residing in the computer's memory you will be able to implement a heuristic scan engine which, for instance, identifies a trojan's password stealing capabilities etc.

    3.
    I will be happy to perform a more in-depth analysis of The Cleaner after the mem scanner has been upgraded. Such analysis would include an examination of The Cleaner's signature quality (e.g., whether it uses "weak" signatures based on text strings that can be easily edited with a hex editor).
     
  8. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    The stealth mode is not applicable system-wide. It has to be programmatically implemented in each application.

    A generic unpacker or some sort of help from Microsoft, whatever that might be, could help in this area. I, and I am sure others, are working on an x86 emulator to do this very thing.

    The Cleaner uses a fingerprinting method I invented called FileSpect that does not use any attributes of the file in question including any strings, the file size, date or filename. I can't go into more detail as this is a proprietary technology.

    Daniel
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Personally, I'm convinced an emulator is for sure the way to go.

    regards.

    paul
     
  10. ano2

    ano2 Guest

    Wayne from DCS has mentioned that TDS-4 will have something like an emulation.

    The beta version of the AT scanner called ewido security suite (www.ewido.de) already uses a working emulation which can unpack a couple of compressors and crypters.

    It seems to me, however, that it is not easy to develop an emulation which can handle all the anti-emulation, OEP obfuscation and other tricks which are employed by modern commercial protectors.

    Therefore, the development of a good mem scanner should be the first step (just my personal point of view).
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    I'll leave it up to Wayne to comment on that one.

    True, Florian and Tobias are working on this. It's still in very early Beta as far as I know.

    Not easy, but far from impossible - but that's my personal opinion ;)

    A matter of opinion - I do respect yours ;)

    regards.

    paul
     
  12. ano2

    ano2 Guest

    Just a clarification:

    1.
    My statement "something like an emulation" does not suggest that I expect something inferior to an emulation. I know it is almost ridiculous to make such clarification. But there are so many paranoid people in the world ;-)

    Wayne has already publicly replied in the TDS forum that we are welcome to speculate about the TDS-4 emulation but that he does not want to reveal any details, yet. If this has changed ... I will be happy to listen.

    2.
    I also hope that there will be a good emulation soon. My suggestion to start with a mem scanner was based on the following considerations:

    There are already a couple of working mem scanners. It can't be that hard to code another one. It has been proven that mem scanning works fine.

    The development of an emulation is complicated. There is no real good emulation yet. Even Tobias from ewido, who seems to have made the biggest progress in developing one, mentioned that it will be quite difficult to handle protectors like Armadillo, Xtreme Protector or the like.

    Consequently, if you start now to develop an emulation you will have nothing for a very long time. By contrast, if you start with a mem scanner you can catch up with TDS-3, Trojan Hunter and BOClean relatively soon.
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes emulation is a very complicated thing to do RIGHT when you try to apply it to unpacking. A combination of it and breakpointing is good, add memory scanning on top of that and some other things we can do is perfect.

    So memory scanning is nice and we plan to use everything we have against trojans :) Included is the fact that you have to protect the scanner, hence Process Guard for us is a part of the whole system of defence - we will also need to ensure that OUR program can scan memory of a running trojan. There still remains the chance that without the proper driver below a trojan, this trojan could still protect its own memory space from being read. So for me there was no option but to take the path we have, every angle must be covered. Anything less and you might as well be trusting another "dumb" scanner.
     
  14. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    hi,

    I want to ask the developer of The Cleaner if it is really a good idea to give the database in a zip archive which is password protected. The password is not really the problem, and after that I can read the whole database it is also possible to make undetected trojans (if one knows how to use the info inside the database files). You should better try to encrypt these files inside this zip archive like TDS does.
     
  15. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    The database doesn't contain any data usable by a human in any way. It is zipped and password protected to make it smaller and prevent curious customers from damaging their own installations.

    Daniel
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Does this stop something which has signatured (checksum or whatever) your EXE file(s), enumerates the process list and either checks the on disk file OR if you have locked that just reads from the process address space?

    You might want to try a free program we released recently called APT (Advanced Process Termination) (http://www.diamondcs.com.au/index.php?page=apt) against your program. I think it is relatively safe to say that any malware will be able to identify something about any running EXE that will allow it to target it. Changing filenames/window titles, if random enough, will make it a little harder to target your program, but I wouldn't say it makes your program invincible against programs which may want to shut it down.

    -Jason-
     
  17. moosoft

    moosoft Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    6
    The current AV/Firewall killers use specific filename lists and some window titles. It is immune to those. I will take a look at your program, thank you.

    Daniel
     