Do scanners just provide a illusion of security?

During my travels of some blackhat sites, I found that one of the favorite trojans of the script kiddies on the particular board I was reading was Flux. Many on that board were considering trojans such as Optix getting slightly outdated.


Then, I recently ran across this thread:

http://boardadmin.bo.funpic.de/viewtopic.php?t=43

In that thread, supposedly all of the scanners out there have problems detecting Flux in memory. Many scanners have difficulty detecting compressed versions of Flux.

My question is there any scanner out there that can reliably detect FLUX running in memory? I really want a scanner that can perform against modified trojans that the script kiddies are actually using. Who is going to step up to the plate. TDS? Ewido? TrojanHunter? BoClean? A2?

As far as I am concerned this is another reason to have either ProcessGuard or SSM installed.

I am not here to start arguments....I just want a good scanner that provides security and not a illusion of security because according to this forum:

http://boardadmin.bo.funpic.de/viewtopic.php?t=43

A expiremental scanner has already been built that can detect FLUX. How come I don't have that detection in my favorite scanner?


Starrob

 

Hi,

We released the advanced memory scan enabled engine yesterday so Flux memory detection is available in a² (stable and beta tree):

http://updates.emsisoft.com/flux.png

For people not using a² we offer a little stand alone tool that detects and deactivates Flux in memory so you can clean the Flux loader by hand or using your favorite anti malware program. You can find the tool here:

http://forum.emsisoft.com/viewtopic.php?p=11077

Or for direct download:

http://download1.emsisoft.com/fluxscan.exe
http://download2.emsisoft.com/fluxscan.exe

 

I am positive that ewido will detect that in the future

 

Well ... maybe you are right, maybe you are not ... but thats what Peter said about that issue:

http://boardadmin.bo.funpic.de/viewtopic.php?p=91#91

 

A2 has been bringing my system to it's knees for the last two days, every time I try and use it everything freezes!

It's a great pity 'cos I never had any problem with versions 1.0 and 1.2, it is just this new version that is crippling me.

 

While starting it?

 

Live and learn. I guess we can never escape technological compromises. It seems with Ewido the issue is "trojan detection within performance limits". Does BOClean detect Flux? I have both running as we speak. I would hope one does it.

Rich

 

Look at http://boardadmin.bo.funpic.de/viewtopic.php?t=43 - i guess Nautilus tested BoClean, too.

ronjor, topperID:
Well I guess I fixed the problem. Do one of you want to test the new kernel? Would be quite helpfull .

 

Ouch.

Rich

 

I personally think you canno compare the two yet with eachother, it is too soon for it...but it looks promising, I wish you all the luck Andreas Haak

 

Andreas, I'd love to, but how?

I've tried updating, which said it had fixed some 'minor' bugs , but not this one!

It doesn't matter whether I start the scan from a right click or the interface, everything grinds to a halt for a couple of minutes (while the Sigs load).

 

Hi all,

A poster on dslreports directed me to BOClean's Covered Trojans files which lists Flux and Flux2 as covered trojans. I am not sure whether this covers all Flux version - e.g. compressed and uncompressed.

Rich

 

It has to uncompress itself to run, then it will be caught in memory.

 

This is how BOClean works.

"There are a multitude of compressors, encryptors and wrappers that can elude filescanners. BOClean's MEMORY scanning is INSTANTANEOUS. Any time any process or dependency is started, BOClean stops the program (momentarily) the moment it's ready to actually start running. This allows the program to UNPACK (unwrap, decompress, etc.) in memory whereupon BOClean halts it, sniffs it and if it ISN'T a nasty, then lets it proceed. If it smells like a nasty, BOClean halts it completely and then throws up a box asking if you want to remove it and its entrails completely."

 

Please allow me to get for a minute off topic :

Due to my bad eyes it is almost completely impossible to read any word on that site http://boardadmin.bo.funpic.de/viewtopic.php?t=43



Sorry for getting off topic.
Please go on with it.

 

What good will ProcessGuard do you? You have to disable it when installing software, much of the time. DCS even recommends doing so in the documentation:

Maybe I am missing something, but I fail to see the benefit of something that needs to be disabled during the most-risky events your system undergoes: The installation of new software.

 

It's a matter of judgment - if its a new program that I'm not familiar with, SSM stays on. If it's a matter of updating apps already on my system, SSM can be shut off - when it comes back on, I get asked about excepting new/changed exe's anyway or additional startups.

NAV for instance likes to sneak in new startups on non-virus def updates, got one with the WMI update this morning which I disabled.

Regards - Charles

 

There are, of course, exceptions to every generalization BUT --- whenever I surf to a site with blue & gray letters on a black background, I immediately exit. I do so for reasons of health (and I do not mean my eyes).

 

Looks nice Andreas . Is this advanced memory scanner operating in the background for real time protection? Thank you for the free utility too.

Perhaps copy and pasting the text to word or wordpad will help in such situations. There are definitely sites I have a harder time reading as well but usually it is because of bright fonts I actually like the color scheme at Scheinsicherheit, but I guess it is all a matter of opinion

ProcessGuard can be a very powerful tool in capable hands. But I can definitely see where you are coming from with this argument. And it just happens to be a very common "flaw" with today's behavior based detection methods. Perhaps what one can do (in ProcessGuard's case) with an unfamiliar exe is to block it once and do some research on the file before further action is taken?

I have not used SSM for awhile now, but even if SSM stays on wouldn't it require user interaction to determine whether the exe should be allowed or not? For example a user could mistakenly allow a malicious exe to be run with SSM in the background, simply because it might be binded to what a user might think as a trusted/harmless/non-malicious exe and so it is given permission to execute by SSM.

 

Trojan Remover (http://www.simplesup.com/) Detects and removes Flux and Flux 1.0.1.

 

I have held off looking at A2 up until now but I will begin giving it a look when I can get back online with my own computer (right now I am in Indonesia).

The reason why I brought this whole subject up is that it appears to me at least (from doing a lot of reading around) that Flux is a quite popular trojan.

So what good is it if some AV or AT company can say they have tens of thousands of definitions (Many of which are zoo trojans in some cases) when my favorite scanner can't protect me from the most seemingly popular trojan.

Can someone confirm whether this statement from Nautilus is true or not:

"BOClean does not detect Flux 1.01 at all"

Does BoClean detect this version or no?

Is any other AT or even AV company willing to stand up beside A2?


Starrob

 

Did you miss my post?

 

Yes, it does.