Has your real-time anti-trojan ever caught anything?

Discussion in 'other anti-trojan software' started by richrf, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Given all of the discussion concerning the effectiveness/usefulness of anti-trojan software, I have a quick question:

    Has anyone ever experienced a situation where their real-time anti-trojan software has actually detected some malicious software? If so, what other security packages were you using at the time, e.g. anti-virus, host intrusion protection, firewall, etc.?

    Hopefully, we get enough responses to make this question somewhat worthwhile. Personally, I have never had the situation occur. I have been using KAV 4.5 and KAV 5.

    Thanks for your input.

    Rich
     
  2. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Rich,

    Going back to the last paragraph of my last post in the AT vs AV 12 round bout thread:

    Of course what I mean is to use only an AT for protection and disable all other security software.
    I'm talking here about real-life browsing, not someone with a test bed of malware. Then at the end of each day, do a lot of scans with the top on-demand scanners, whether they're online scans or by re-enabling your AV of choice on your machine, and see what was missed by the AT.

    Maybe doing this would be a better indication of the effectiveness/usefulness of anti-trojan software.

    Regards,
    Jaws
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907

    This would be an excellent research project. It would be particularly interesting to me if a top-tier AV (such as KAV) was loaded, to check how many pieces of malware slipped by the AV and were caught by the AT - and of course, how many got through both. Some college computer science majors out there should do this for their term paper. :D

    Regards,
    Rich
     
  4. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    It's interesting to note that a lot of the posts in the trojan and backdoors forum here at Wilders are from guests or new members that get hit with trojans that get through their AV.

    Just an observation.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes. It would be nice to know the full configuration of these incidents - e.g. firewall, AV in use, any AT, etc. This is useful information since sometimes it is possible to extrapolate patterns. For example, is it the free AVs that are more likely to be pierced, or is it the AVs that do not have frequent updates? All of this would be useful information.

    Regards,
    Rich
     
  6. StevieO

    StevieO Guest

    Hi rich,

    No, never! But maybe that's because my PC etc. is very securely locked down in the first place, plus I don't visit lots of places to get infected, or open every email etc.

    Also my AVs, ASs and online scans have caught the only 2 trojans I have ever experienced. And one of these is the TrojanSimulator test.

    I still think they are worthwhile having, plus if we don't have/use them, how can we recommend them etc to others who are in greater need than us.


    StevieO
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Hi richrf,
    No, never. I had TH set as real time and TDS-3 set as on demand and neither one ever caught anything... Now I removed both of them from my PC and I have "only" PG, RD, NOD32 and Ewido. And my firewall of course. :)
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Does your experience always tell truth?

    Not to spoil it for everyone, but such kinds of experiences may not be real, unfortunately.
    It's especially true of trojans.

    What does a trojan do?
    Try to do it without anyone's notice.

    So if someone does not get any trojan, there may be 2 main reasons:
    - you are really clean. Congratulations!
    - sorry, the trojan is too insidious. You don't even know it has finished its task, and it may have removed its traces already.
     
    Last edited: Aug 14, 2005
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Is there any AV/AT test available, man?
    Hi, richrf:
    In fact, there are such kinds of tests indeed. What they did is to compare different AV/AT combinations and see to what extent an AT could help.

    The newest I have read seems to be about 8 months old.
    I don't remember which AV and AT are tested, but I'm pretty sure they should be famous, used by many users (since they tested only a few combinations, they chose the most famous).

    If memory serves, with AV/AT, the result is boosted by about 1-2% (1XX-3XX more malware detected).
     
  10. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So since AV/AT can boost my protection, should I do so?

    Hmm... You can do so. Extra protection is always preferred, although don't expect it to help much. Indeed it helps only a little. :'(


    If you wish to add much more protection or other kinds of better protection, how about considering this alternative: process & system protection?

    Instead of doing more or less the same as AV/AT does, it provides another way of protection, preventing both ITW malware and Zoo malware. AV/AT is weak at Zoo malware, so it is always worthwhile to add some other layers to your computer.

    What it does is add an extra layer to the system, which is similar to the case where a firewall adds an extra layer between your computer and the Internet/Intranet.

    There are several products available in the market, e.g.: Tiny Personal Firewall (not really a firewall!), ProcessGuard (PG), System Safety Monitor (SSM), Viguard.

    For stronger protection, one may decide to choose Tiny Personal Firewall, System Safety Monitor(SSM), Viguard.

    For strong protection but still maintaining the ease of use, choose ProcessGuard.
    It seems to be a common mistake that people feel ProcessGuard is as difficult as using a firewall, prompting many alerts for you to choose. It is NOT the same. What makes it easy to use is "learning mode". To write a simple difficulty flow chart:
    Further Reading
    ProcessGuard (PG) VS System Safety Monitor (SSM) VS Viguard
    http://kareldjag.over-blog.com/categorie-69553.html

    The author says:
     
    Last edited: Aug 14, 2005
  11. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Boclean caught one of the "bluefish trojan variants". It slipped by nod32. This particular trojan was and is a real nasty. Its only purpose was to steal financial documentation. Here's the link with screenshot. Nod has added this trojan to their database.

    I've also witnessed boclean catching a trojan that norton had missed. This was on a friend's computer. I'm currently running kav, and nothing has gotten past it so far. https://www.wilderssecurity.com/showthread.php?t=69390
     
  12. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi Mr2cents, :)

    I just visited your link on the " bluefish trojan " so thanks for posting that info with the screenshot.

    I use AOL & have received suspicious emails claiming to be from AOL. When I contacted AOL they informed me that if the actual email envelope was NOT blue then the email was in fact .... NOT from them.

    I am using Trojan Hunter & A2 presently .... both with their respective guards enabled. To date they have not detected any trojans.

    My AV & Firewall are Norton 2005.

    HR :cool:
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907


    In either case, the AT did not participate in the defense. I am simply trying to determine whether the AT ever participated in a defense.

    Rich
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Mr2cents for the info. Do you remember approx. how long ago these incidents occurred?

    Rich
     
  15. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi richrf. The date was March 4, 2005. I had to follow my own link to see when I posted it. I made the post the same day this event occurred.
     
  16. Sincerely

    Sincerely Guest


    The tests that you quote are flawed. You have not even read the links that people have given you that point out the flaws in the tests you quote. If you understood the flaws in those tests, you would understand why you cannot use them to prove one way or another that an AV is better than an AT at detecting trojans.

    Similarly, kareldjag's testing methods have weaknesses also and can't be used to prove that one security application is better than any other security application.

    I think the reason you are not getting more people jumping on this thread and showing you the weaknesses in your argument is that they can see that you are somewhat new. As one poster said before, you might want to do a little more research on these things.

    Sincerely
     
  17. nightflight1

    nightflight1 Guest

    No, I've never caught anything with my active realtime protection. I use NAV, Pest Patrol (which has a realtime memory scan), MSAS, WinPatrol etc... and nothing has ever been caught, except when I have done my own tests against malware.

    But then I'm a very safe surfer and careful about what I open (email, always in plain script) and what I install (never use programs from untrusted sources) on my computer.
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556

    No, the above test is not meant to be "AV vs AT".
    Rather it is "AV vs AV/AT", and see how an extra AT can help an AV to catch missed trojans.
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I don't understand much about AT (since personally I don't use AT, plus AT looks uninteresting and not effective enough, I don't bother to understand in depth).
    But it is sure that AT will participate in detection (NOT prevention).

    E.g.: When a trojan is planted in your computer and accesses the physical memory, if the AT can identify this trojan (from its signature base or some other heuristic methods, if any), it can successfully defend against the trojan.

    A similar case can hold true for AV, since some AVs have similar measures to protect the physical memory.

    Hope this helps.
     
  20. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Both MSAS and TeaTimer notified me of a toolbar trying to download; it was SpySheriff/trojan and was blocked and caused no trouble.
    It did however let one file in, I can't remember what, just a bunch of numbers, which I removed with HijackThis.
     
  21. Why

    Why Guest


    As has been stated before, the testing method is flawed and does not prove anything one way or another. To do the test in a manner which could give someone a better idea of the efficiency of an AT would require an enormous amount of time.

    So far, I have found no one that has tested the effectiveness of the AT memory scanner. Also you would need a test that checks for Trojan servers only and not trojan clients. The test you quote checks for both trojan servers and clients.

    If you don't know the difference between a trojan server and a trojan client then you have a lot of researching to do about trojans but I will give you one clue. The server client is harmless.

    You should really study trojans and trojan detection methods.



    Why
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Wai_Wai,

    "AV" (e.g. Kaspersky, NOD32, Norton) packages will normally catch the malware before the "AT" software (e.g. Ewido, BOClean, Trojan Hunter, A-squared), because the AVs scan "on-access" to any file. If the AV misses, then the AT may catch the malware while the malware is processing in memory (by doing a full memory scan on a frequent basis). So there is a temporal order to the detection.

    If the AV catches all malware, then the AT will never have a chance to detect any malware.

    1) Most forum members on this thread have so far reported that their AV has caught everything and that their AT has never caught anything that has gotten past their AV.

    2) Some have reported that some malware has gotten past AV and either their AT or "anti-spyware software" (AS) has caught something.

    This is a real-life survey on actual experiences with the usefulness of ATs and their corresponding AV. Hopefully we get enough responses to make this survey somewhat useful to people who are trying to figure out whether an AT actually provides useful real-life protection when running an AV.

    Regards,
    Rich
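As an added illustration (not code from this thread or from any product named in it), here is a small Python model of the detection order Rich describes: the on-access AV gets the first look at a file as it lands on disk, and the AT memory scanner only has a chance if the AV missed the file and the sample actually runs. It also tallies the three outcomes the "research project" in post 3 asks about (caught by AV, caught by AT after an AV miss, missed by both). Every signature, sample and the XOR "packer" are constructed for the example; nothing here models a real scanner's engine.

```python
"""
Added illustration (not code from this thread or from any product it names):
a toy model of the detection order described above. An on-access AV gets the
first look at a file on disk; an anti-trojan (AT) memory scanner only gets a
chance if the AV missed the file and the sample actually runs. Every
signature, sample and "packer" here is constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    on_disk: bytes    # bytes as written to disk (possibly packed)
    in_memory: bytes  # bytes after the sample unpacks itself at run time
    executed: bool    # whether it ran before the next memory scan


@dataclass
class Layers:
    av_file_hashes: set        # SHA-256 of on-disk files the AV knows
    at_memory_patterns: list   # byte patterns the AT looks for in memory


def pack(data: bytes, key: int) -> bytes:
    """Constructed stand-in for a packer: XOR changes the on-disk bytes
    (and so the file hash) without changing what ends up in memory."""
    return bytes(b ^ key for b in data)


def classify(sample: Sample, layers: Layers) -> str:
    """Return which layer caught the sample: 'av', 'at' or 'missed'."""
    # Step 1: AV on-access scan of the file as it lands on disk.
    if hashlib.sha256(sample.on_disk).hexdigest() in layers.av_file_hashes:
        return "av"
    # Step 2: the AT's periodic memory scan only sees a running process.
    if sample.executed and any(p in sample.in_memory
                               for p in layers.at_memory_patterns):
        return "at"
    return "missed"


def tally(samples, layers):
    """Count outcomes across a batch of malicious samples."""
    counts = {"av": 0, "at": 0, "missed": 0}
    for s in samples:
        counts[classify(s, layers)] += 1
    return counts


def at_share_of_av_misses(counts) -> float:
    """Of everything the AV missed, what fraction did the AT catch?"""
    misses = counts["at"] + counts["missed"]
    return counts["at"] / misses if misses else 0.0


# Constructed payload; the AT knows only a fragment of it as an in-memory pattern.
PAYLOAD = b"constructed-trojan-code: collect and upload financial documents"

LAYERS = Layers(
    av_file_hashes={hashlib.sha256(PAYLOAD).hexdigest()},
    at_memory_patterns=[b"constructed-trojan-code"],
)


def build_samples():
    """Four constructed cases covering the outcomes discussed in the thread."""
    return [
        # Known file: the AV hash matches on disk, so the AT never gets a turn.
        Sample("known.exe", PAYLOAD, PAYLOAD, executed=True),
        # Same code repacked: disk hash differs, but the unpacked code shows up
        # in memory once it runs, so the AT catches what the AV missed.
        Sample("repacked.exe", pack(PAYLOAD, 0x5A), PAYLOAD, executed=True),
        # Repacked but never executed: nothing in memory for the AT to see.
        Sample("dormant.exe", pack(PAYLOAD, 0x33), PAYLOAD, executed=False),
        # Unrelated new family: neither layer has a signature for it.
        Sample("newfamily.exe", b"unrelated-code", b"unrelated-code", executed=True),
    ]


if __name__ == "__main__":
    counts = tally(build_samples(), LAYERS)
    print(counts)  # {'av': 1, 'at': 1, 'missed': 2}
    print(f"AT caught {at_share_of_av_misses(counts):.0%} of the AV's misses")
```

The point the model makes is the one in the post above: the AT's count can never exceed the AV's misses, and a sample that never runs never reaches a memory scanner at all, which is why a survey of real-life "did the AT ever fire" reports says as much about the AV in front of it as about the AT itself.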
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Never. When I was running both TDS (with Exec Protection turned on) and NOD32, my AV numerous times notified me of suspicious files that were supposedly variants of specific trojans. TDS was always quiet. :(
     
  24. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    After one ate my computer in about '98 I looked for help and found Wilders... this in turn led to proper protection... have seen no trojan since... no problems with anything... that I am aware of... :)
     
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Sorry for my ambiguity.
    That statement is meant to say something similar to the above.
    Next time, I should better say: if the AV misses the intrusion of a trojan, the AT has a chance to participate.

    Good findings, Rich.
    As to (1), it is also what I expect. Unlike doing test which an AV will face a whole lot of trojans (eg over 10,000), AT may give a jot of help. But in reality, I'm not going to be attacked by over 10,000 trojans at the same time. Otherwise I will scream [why pick me out? :( ]

    As to (2), true that AS can catch trojans too. To AS, they are just the same baddies who trespass on our "privacy land". Kill... kill... kill... they must be killed.
     