Do scanners just provide an illusion of security?

Discussion in 'other anti-trojan software' started by Starrob, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    During my travels of some blackhat sites, I found that one of the favorite trojans of the script kiddies on the particular board I was reading was Flux. Many on that board considered trojans such as Optix to be getting slightly outdated.


    Then, I recently ran across this thread:

    http://boardadmin.bo.funpic.de/viewtopic.php?t=43

    In that thread, supposedly all of the scanners out there have problems detecting Flux in memory. Many scanners have difficulty detecting compressed versions of Flux.

    My question is: is there any scanner out there that can reliably detect FLUX running in memory? I really want a scanner that can perform against modified trojans that the script kiddies are actually using. Who is going to step up to the plate? TDS? Ewido? TrojanHunter? BoClean? A2?

    As far as I am concerned this is another reason to have either ProcessGuard or SSM installed.

    I am not here to start arguments... I just want a good scanner that provides security and not an illusion of security, because according to this forum:

    http://boardadmin.bo.funpic.de/viewtopic.php?t=43

    An experimental scanner has already been built that can detect FLUX. How come I don't have that detection in my favorite scanner? o_O


    Starrob
     
  2. Andreas Haak

    Andreas Haak Guest

    Hi,

    We released the advanced memory scan enabled engine yesterday so Flux memory detection is available in a² (stable and beta tree):

    http://updates.emsisoft.com/flux.png

    For people not using a² we offer a little stand-alone tool that detects and deactivates Flux in memory so you can clean the Flux loader by hand or using your favorite anti-malware program. You can find the tool here:

    http://forum.emsisoft.com/viewtopic.php?p=11077

    Or for direct download:

    http://download1.emsisoft.com/fluxscan.exe
    http://download2.emsisoft.com/fluxscan.exe
     
    Last edited by a moderator: Nov 4, 2004
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I am positive that ewido will detect that in the future
     
  4. Andreas Haak

    Andreas Haak Guest

  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    A2 has been bringing my system to its knees for the last two days; every time I try and use it everything freezes!

    It's a great pity 'cos I never had any problem with versions 1.0 and 1.2, it is just this new version that is crippling me. :mad:
     
  6. Andreas Haak

    Andreas Haak Guest

    While starting it?
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    In my case, yes. Verrry slow to load sigs.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Live and learn. I guess we can never escape technological compromises. It seems with Ewido the issue is "trojan detection within performance limits". Does BOClean detect Flux? I have both running as we speak. I would hope one does it.

    Rich
     
  9. Andreas Haak

    Andreas Haak Guest

  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    Where is it located?
     
    Last edited: Nov 4, 2004
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I personally think you cannot compare the two with each other yet, it is too soon for it... but it looks promising, I wish you all the luck Andreas Haak
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Andreas, I'd love to, but how?

    I've tried updating, which said it had fixed some 'minor' bugs, but not this one!

    It doesn't matter whether I start the scan from a right click or the interface, everything grinds to a halt for a couple of minutes (while the Sigs load).
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    A poster on dslreports directed me to BOClean's Covered Trojans files, which list Flux and Flux2 as covered trojans. I am not sure whether this covers all Flux versions - e.g. compressed and uncompressed.

    Rich
     
  15. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    It has to uncompress itself to run, then it will be caught in memory.
     
  16. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    This is how BOClean works.

    "There are a multitude of compressors, encryptors and wrappers that can elude filescanners. BOClean's MEMORY scanning is INSTANTANEOUS. Any time any process or dependency is started, BOClean stops the program (momentarily) the moment it's ready to actually start running. This allows the program to UNPACK (unwrap, decompress, etc.) in memory whereupon BOClean halts it, sniffs it and if it ISN'T a nasty, then lets it proceed. If it smells like a nasty, BOClean halts it completely and then throws up a box asking if you want to remove it and its entrails completely."
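    As an added illustration of the mechanism posts 15 and 16 describe (this is not BOClean's code nor anything from the thread), the Python sketch below uses a constructed marker string and a toy zlib+XOR "packer": a plain file scanner sees only the packed bytes on disk, while a memory-style scan inspects the image after the stub has unpacked it, which is why a packed loader can still be caught at the moment it is ready to run.

```python
import zlib

# Constructed marker standing in for a detection signature.
# It is NOT a real Flux signature; it only exists for this demonstration.
SIGNATURE = b"CONSTRUCTED_FLUX_MARKER"
XOR_KEY = 0x5A  # toy "wrapper" key, chosen for the example


def pack(image: bytes, key: int = XOR_KEY) -> bytes:
    """Simulate a packer/wrapper: compress the executable image, then XOR it.
    In this on-disk form the marker bytes no longer appear anywhere."""
    return bytes(b ^ key for b in zlib.compress(image))


def unpack(packed: bytes, key: int = XOR_KEY) -> bytes:
    """What the packer stub does at run time, in memory, right before it
    transfers control to the original entry point."""
    return zlib.decompress(bytes(b ^ key for b in packed))


def file_scan(on_disk: bytes) -> bool:
    """A plain file scanner: looks for the marker in the bytes as stored."""
    return SIGNATURE in on_disk


def memory_scan(packed: bytes) -> bool:
    """Memory-scan model: let the stub finish unpacking, then inspect the
    image that is about to execute, the same way post 16 describes."""
    image = unpack(packed)
    return SIGNATURE in image


def demo() -> dict:
    """Build a constructed stand-in 'trojan image' (filler plus the marker),
    pack it, and compare what each scanning approach sees."""
    image = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x90" * 32
    packed = pack(image)
    return {
        "file_scan_unpacked": file_scan(image),    # signature works on the raw image
        "file_scan_packed": file_scan(packed),     # packer hides it from the file scanner
        "memory_scan_packed": memory_scan(packed), # caught once it has unpacked itself
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'DETECTED' if hit else 'clean'}")
```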
     
  17. FanJ

    FanJ Guest

  18. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    What good will ProcessGuard do you? You have to disable it when installing software, much of the time. DCS even recommends doing so in the documentation:
    Maybe I am missing something, but I fail to see the benefit of something that needs to be disabled during the most-risky events your system undergoes: The installation of new software.
     
  19. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    It's a matter of judgment - if it's a new program that I'm not familiar with, SSM stays on. If it's a matter of updating apps already on my system, SSM can be shut off - when it comes back on, I get asked about excepting new/changed exe's anyway or additional startups.

    NAV for instance likes to sneak in new startups on non-virus def updates, got one with the WMI update this morning which I disabled.

    Regards - Charles
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    There are, of course, exceptions to every generalization BUT --- whenever I surf to a site with blue & gray letters on a black background, I immediately exit. I do so for reasons of health (and I do not mean my eyes).:blink:
     
  21. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Looks nice Andreas :) . Is this advanced memory scanner operating in the background for real time protection? Thank you for the free utility too.

    Perhaps copy and pasting the text to word or wordpad will help in such situations. There are definitely sites I have a harder time reading as well but usually it is because of bright fonts ;) I actually like the color scheme at Scheinsicherheit, but I guess it is all a matter of opinion :)

    ProcessGuard can be a very powerful tool in capable hands. But I can definitely see where you are coming from with this argument. And it just happens to be a very common "flaw" with today's behavior based detection methods. Perhaps what one can do (in ProcessGuard's case) with an unfamiliar exe is to block it once and do some research on the file before further action is taken?

    I have not used SSM for a while now, but even if SSM stays on wouldn't it require user interaction to determine whether the exe should be allowed or not? For example a user could mistakenly allow a malicious exe to be run with SSM in the background, simply because it might be bound to what a user might think is a trusted/harmless/non-malicious exe and so it is given permission to execute by SSM.
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  23. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I have held off looking at A2 up until now but I will begin giving it a look when I can get back online with my own computer (right now I am in Indonesia).

    The reason why I brought this whole subject up is that it appears to me at least (from doing a lot of reading around) that Flux is a quite popular trojan.

    So what good is it if some AV or AT company can say they have tens of thousands of definitions (many of which are zoo trojans in some cases) when my favorite scanner can't protect me from the seemingly most popular trojan?

    Can someone confirm whether this statement from Nautilus is true or not:

    "BOClean does not detect Flux 1.01 at all"

    Does BoClean detect this version or no?

    Is any other AT or even AV company willing to stand up beside A2?


    Starrob
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Did you miss my post?

     
  25. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Yes, it does.
     