Has your real-time anti-trojan ever caught anything?

Discussion in 'other anti-trojan software' started by richrf, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556

    No, the above test is not meant to be "AV vs AT".
    Rather it is "AV vs AV/AT", and see how an extra AT can help an AV to catch missed trojans.
    Best regards.
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I know the intent of the survey but I don't think the results will have very much meaning one way or the other.

    First I doubt enough people would respond to make the survey worthwhile and even if every Wilders member and guest responded, it would only show you results from what has happened to those people that like coming to Wilders, which is an extremely small part of the internet universe. Wilders members tend to be interested in security....most of the internet does not have as high an interest in security. You would also need to sample people that have no interest in security....like maybe people that work at corporate or government entities that have both an AV and AT installed.

    Secondly, I think a sample size of at least 100,000 people located in all areas of the planet and with varying degrees of knowledge and interest in security would be needed to even begin having relevance.

    I doubt a survey like this could be organized and done so that the results have relevance.

    The intent of the survey is honorable but I doubt that anyone could extrapolate meanings with any degree of accuracy from the 5, 10, 15, 50 or even 100 people that might respond to this thread.

    I also doubt if anyone would conduct a scientific test that would be conclusive one way or the other either because there is too much involved.

    This is how I believe such a test would have to be conducted. There would be two sets of tests that are each divided into two separate steps.

    The first test set would include only unmodified trojans.

    The second test set would include trojans that are modified in ways that are explained better here:

    http://scheinsicherheit.sc.funpic.de/procedure2.htm


    The two parts of the test that would be done with both modified trojans and unmodified trojans are as follows:


    You would take a Windows computer with XP installed (either sp1 or sp2...this is a variable in the test). You would load an antivirus (another variable). You would then activate trojans from the test bed and see if the antivirus can stop the infection. If the antivirus stops the infection then it is taken out of the test bed that will be used in part 2. If the antivirus does not stop the infection then it WILL become part of the test bed for part 2 of the test.

    Part 2 of the test will be taking a second computer with an anti-trojan (variable) on it. We will then activate the trojan and see if the anti-trojan stops it. (Of course what is meant by stopping it must be defined).

    This testing method would give one an idea of how effective an AV is against modified and unmodified trojans and would show how many trojans an AT would be able to catch when the AV misses them.

    This is just a rough version of how I would conduct the test and I am sure I am missing some variables that might make the test give irrelevant answers, but I think this type of testing would probably yield more useful results to this question than all the tests mentioned that I have seen so far. It might even be more relevant than a survey, due to the difficulty of obtaining an accurate survey.

    The only problem with this type of testing is that I doubt anyone has the time to do this type of testing. I think I once saw someone ask Nautilus about this and Nautilus replied that he does not have the time (or something to that effect) and I doubt many others do either.

    The second problem is finding someone who is "independent". As a matter of fact, an independent tester might be harder to find than anything else. Every time I have ever seen a test talked about on a forum, arguments would break out concerning the independence of the tester.

    I think this question of AV vs AT will firmly remain in the eye of the beholder. My opinion on the subject is that an AT can be relevant for either A) a high risk user or B) a noob or someone that has absolutely no interest in security.

    I have strong suspicions that the reason why BoClean is successful in selling to corporations and certain governments is because there are many people working for government agencies and corporations that not only have no interest in security but also do insecure things on the corporate or government computer.

    Maybe owning Boclean is an "insurance" policy against AV's failing for governments and corporations. Maybe these companies and governments had AV's fail in the past on them?? Who knows?

    I do know that people that extrapolate their own personal situation on the rest of the world are often in error.

    My personal opinion is that AT's are very relevant for some people and for others it is not relevant at all.

    If you feel that you need an AT then by all means use one. If you don't feel you need an AT then by all means don't use one....BUT by all means THINK for yourself. There are many pied pipers in this world....they might lead you in a direction that is good for them but you might go over the cliff headed in the same direction. You must learn, educate yourself and do what is right for YOU...not what is right for other people. It might be that having an AT is wrong for 99% of the people in the world but you might be part of the 1% that it is right for (or vice versa). It won't matter if that 99% is right for themselves if you go over the cliff because you believed "them" and headed in the same direction.

    THINK FOR YOURSELF



    Starrob
     
    Last edited: Aug 15, 2005
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Dazed, as Rich pointed out, that is probably because your AV "hooks" the O.S. at a lower level and gets first crack at the malware -- TDS {and every other process} was most likely denied access because your AV flagged the malware first. When your AV detects something, it instantly jumps in and denies access to the malware detected, effectively "freezing" your PC and not allowing any other process, even another scanner such as an AT like TDS, to access that file. We encounter this all the time at TH forum and tell folks to temporarily disable AV-RTM {the AV realtime monitor} in order to do a conclusive full scan with TH. {Then immediately reenable AV-RTM of course}.

    Permit me to quote from illukka's post in another thread:
    https://www.wilderssecurity.com/showpost.php?p=522349&postcount=25
    I can vouch for that: Just visit any hacker site and download a trojan package {I can't link to any here because it's against the rules}. Often in the "readme" for the package or kit, the author will state that he offers "undetected" variants for a price, usually small, like 20-30 bucks. Most often, in my experience {and I am not trying to target one product here}, it is KAV that is targeted for an undetected {modified} trojan, I assume because of its reputation for trojan detection. These kits usually include an editor or "editserver" as it is commonly called, which allows even a casual user to modify the server, so in some cases, even a casual user can create a modified server that will go undetected. However, because ATs scan memory, the process signature of a modified server may not be significantly different, and it may still be detected by an AT scanning memory. THIS, to me, is the big difference, and why I would still recommend an AT like TH or BOClean as a second-tier defense. Also, consider that all malware, once resident, immediately tries to kill your AV. But if you have a hardened AT running as well, that makes the malware's task more difficult because he has to kill both your AV and AT before they kill him. Two programs are harder to kill than one, given that he has probably only seconds to succeed or be killed himself. That is my take on it. Sorry I can't comment on any "poll" but I can say that, experimentally at least, I have in the past launched a few samples that my AT detected, but of course, that is more of a "laboratory" curiosity and not real-world or "ITW" {in-the-wild}. HTH .. ;)
     
    Last edited: Aug 15, 2005
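    To make the memory-scan point in the post above concrete, here is an added example in Python. It is not code from the original post or from any of the products named in it. A one-byte XOR encoder stands in for an "editserver" and a substring match stands in for a scanner signature; the payload text, the signature and the container format are all constructed for illustration and are not real malware or real AV signatures.

```python
"""Added example: on-disk vs in-memory signature matching for a 'modified server'.

A payload re-encoded by an editserver-style tool changes every byte on disk
(and the file hash), so a file-scan signature written for the original no
longer matches. At run time the decoding stub restores the original bytes in
memory, where a memory scan sees the same image as the unmodified server.
Everything here is constructed for illustration; none of it is real malware.
"""
import hashlib

# Constructed stand-in for a trojan server body and for the signature a
# scanner would carry for it (an arbitrary marker, not a real AV signature).
PAYLOAD = b"CONSTRUCTED-SERVER-BODY: bind port, wait for controller, run commands"
SIGNATURE = b"CONSTRUCTED-SERVER-BODY"
MAGIC = 0x7E  # marks our toy container format


def editserver(payload: bytes, key: int) -> bytes:
    """Toy encoder standing in for an 'editserver': XOR every byte with a
    one-byte key. The same call decodes, because XOR is its own inverse."""
    return bytes(b ^ key for b in payload)


def build_variant(payload: bytes, key: int) -> bytes:
    """On-disk image of one variant: [MAGIC][key][encoded body].
    key == 0 leaves the body unchanged, i.e. an 'unmodified' sample."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes([MAGIC, key]) + editserver(payload, key)


def load_into_memory(disk_image: bytes) -> bytes:
    """What the decoding stub does when the file is executed: rebuild the
    original body in memory. This is the image a memory scanner would see."""
    if len(disk_image) < 2 or disk_image[0] != MAGIC:
        raise ValueError("not a variant produced by build_variant")
    return editserver(disk_image[2:], disk_image[1])


def scan(image: bytes, signature: bytes = SIGNATURE) -> bool:
    """Minimal signature scanner: a plain substring match."""
    return signature in image


def compare_scanners(keys):
    """For each key, report the on-disk hash and whether a file scan and a
    memory scan of that variant match the signature."""
    rows = []
    for key in keys:
        on_disk = build_variant(PAYLOAD, key)
        in_memory = load_into_memory(on_disk)
        rows.append({
            "key": key,
            "sha256": hashlib.sha256(on_disk).hexdigest(),
            "file_scan_hits": scan(on_disk),
            "memory_scan_hits": scan(in_memory),
        })
    return rows


if __name__ == "__main__":
    for row in compare_scanners([0x00, 0x5A, 0xC3]):
        print(f"key=0x{row['key']:02x} sha256={row['sha256'][:16]}... "
              f"file={row['file_scan_hits']} memory={row['memory_scan_hits']}")
```

    Key 0x00 is the unmodified sample and both scans hit. For any other key the on-disk bytes and the hash change, the file scan misses, and the memory scan still hits because the stub has put the original bytes back. Two caveats the thread itself raises: the memory scan only gets its chance after the stub has already run, and a server that never decodes its whole body at once, or that disables the scanner first, defeats this as well.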
  4. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Very informative, RB. Thanks. :D

    Doesn't the above imply that my AV was good enough to catch anything that was suspicious? In other words, it appears my AT was unnecessary because my AV caught everything I came across before my AT got a swing at it.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    This may or may not be what is happening in real-life. If it is, then a couple of comments:

    1) From a "success rate" perspective, it would not make sense to target an AV, such as KAV, that has about 1% of the market and is generally used by "hardened security users", as opposed to targeting products such as Norton or McAfee which have over 40% of the market and whose users are more likely to be new users who simply had these packages initially installed at purchase time.

    2) The best way to lose any edge over a laboratory like KL is to advertise the availability of a new trojan that can bypass KAV. Exactly how long will there be any value to this trojan once KAV (and every other lab that shares malware) obtains a copy of it? A malware developer may develop and advertise such a trojan for one of two reasons: a) to advertise his/her own ability to be able to do such b) to get $20 from KAV. Neither is very lucrative, but it can possibly fulfill some personal needs.

    In any case, the usefulness of AT is still very much theoretical. In this thread, one user has so far reported that a trojan was caught. Most have said otherwise. The "online man years" represented by even just a handful of people on this thread is quite substantial, so it remains to be seen how many Yeas and Nays we get, keeping in mind that a safe surfer has a very low probability of encountering a trojan that one of the AVs cannot already handle.

    But we'll see as the thread progresses. To all forum members who are reading this thread, a No, I have never had a real-time AT catch a trojan, is as important as a Yes, my AT has caught a trojan. So let us know. Also, when and how long you have been running ATs is also quite useful information.

    Cya,
    Rich
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    @Rich: Maybe trojan authors do that for "bragging rights", figuring if they can fool KAV, then they can fool any scanner. Surely if they can create a new variant undetected by KAV, there is 99.99% it will be {at the time of creation} undetected by everything else. :rolleyes: So I'm sure that must be the reason they "advertise" as such, in their "readme" text for the kit.

    @Dazed: Who's to say your AV caught or cleaned everything? There can be remnants, hopefully nothing dangerous. That is why we often recommend that folks temporarily turnoff their AV-RTM and scan with TH to get a second opinion. {Then immediately turn the AV-RTM back on when done}. But sounds like in your case your primary protection {NOD32} caught everything so far.

    I might add, I'm really sorry to see TDS-3 go, because it had excellent staff {Gavin was top notch analyst} and very good detection. I can't say I have had anything in-the-wild that was caught by my AT {and frankly I don't wish to play with fire, either} -- but I still see a place for dedicated ATs like ewido, TH, and BOClean.

    I do recall others' making comments that ewido had caught some things missed by KAV but unfortunately don't have the links to those posts. Basically my philosophy is to promote multi-layered defense and not rely on one security program for protection; it could inexplicably fail, it could get killed by malware which became resident and killed it before it killed the malware; etc. Just my two cents, now I'm gone, heh .. ;)
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Understood.

    I definitely got my money's worth. Thanks, and don't go too far! :D
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rich,

    As with any aspect of security it comes down to risk incurred versus benefit achieved.

    In my own case I have experienced a handful of instances (more than 3, less than 10) in which my AT (BOClean) has prevented trojans from executing.

    All the scenarios were the same. A user at this or some other security site noted the occurrence of a malware infestation. For examples given at Wilders, I was typically testing whether a supplied link was to a malware source or not and in a number of cases it was. The AV in all these cases was either NOD32 or KAV - not sure of the split. Both AV's have been in use on this machine. For either, it would have been from a period of a little over a year or so ago until the present. Invariably, these all appeared to be reasonably new samples and generally received coverage quickly. I also recall one case in which NOD32 let a sample through, although it would have been flagged as a potentially dangerous program (according to Eset, and I did verify this).

    This sounds a little more than theoretical to me. For both NOD32 and KAV, this is certainly a diminishing event. On the other hand, I'll keep BOClean at the ready for the foreseeable future.

    Blue
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Blue,

    So to reiterate, so that I am sure I understand:

    1) Some users reported some online malware which you decided to investigate
    2) You investigated with either NOD32 or KAV running in real-time
    3) These were relatively recent events
    4) BOClean successfully caught the intruders

    If this is correct, then my comment would be:

    1) Investigative work is substantially more dangerous than normal browsing (since you are actually seeking out dangerous sites)
    2) BOClean did provide extra protection during these "hunting expeditions"

    One further question, if you do not mind commenting. Did any ever get through both shields?

    Thanks for the info.

    Regards,
    Rich
     
  10. chetcope

    chetcope Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    10
    I bought both TDS & BOCLEAN within the last 3 months. I decided to leave BOCLEAN running all the time & use (the now discontinued) TDS for on demand stuff.

    In the 1st month or 2 BOCLEAN detected 2 trojans that McAfee didn't catch.


    There was a 3rd catch which Boclean later admitted was a false positive:
    It said Notepad was a trojan:

    07/02/2005 10:05:40: CONSUMERALERT5 TROJAN STOPPED by BOCLEAN!
    Trojan horse was found in memory.
    C:\WINDOWS\NOTEPAD.EXE contained the trojan.
    Active trojan horse WAS shut down. System now safe.

    Of the 2 valid trojan reports, I can only find this one: [The detection & removal all happens in the blink of an eye!].
    ------------------------------
    07/03/2005 22:53:03: C:\WINDOWS\YHL.DLL
    Trojan horse was found in above file
    YHL TROJAN STOPPED by BOCLEAN!
    Above file copied to evidence location for examination
    Active trojan horse was shut down. System now safe.
    Trojan horse was removed, registry cleaned.

    (***In mid July, I switched to ZoneAlarm's Security Suite--McAfee downloads its updates etc. using ActiveX & my WinXP Home w SP2 stopped playing nice with ActiveX with both McAfee & the MSN Photo Upload Tool despite all kinds of research and attempts at rectification on my part--including spyware possibilities. [At least I'm not alone in this--the respective user forums for both have others in the same boat.] Short of an XP reformat, I've given up [I can no longer delete SP2 & thus reinstall it].)


    Chet

    PS: In addition to BoClean, ZoneAlarm Security Suite, & Process Guard, I usually let Counterspy or Spysweeper run in realtime and use SpySubtract, Spybot, Adaware & AOL's AntiSpyware Beta2 for on-demand scanning.
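    The two BOClean alerts quoted in the post above come in two different line orders and one of them was later admitted to be a false positive, so here is an added example in Python that parses alerts of that shape into records and applies a simple triage rule. It is not code from the original post or from BOClean. The log text is the two alerts copied from the post; the triage rule and the list of stock Windows binaries are assumptions made for this example, not anything the product does.

```python
"""Added example: parse BOClean-style alert log lines into structured records
and flag the ones that deserve a second look before being counted as a catch.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two alerts quoted in the post, back to back.
SAMPLE_LOG = """\
07/02/2005 10:05:40: CONSUMERALERT5 TROJAN STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\WINDOWS\\NOTEPAD.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
07/03/2005 22:53:03: C:\\WINDOWS\\YHL.DLL
Trojan horse was found in above file
YHL TROJAN STOPPED by BOCLEAN!
Above file copied to evidence location for examination
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.
"""

TIMESTAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (.*)$")
STOPPED = re.compile(r"^(?P<name>.+?) TROJAN STOPPED by BOCLEAN!$")
CONTAINED = re.compile(r"^(?P<path>.+) contained the trojan\.$")

# Assumed list of stock OS binaries living in %SystemRoot%. A hit on one of
# these with no file removed is worth verifying against a known-good copy
# before trusting it (the post reports exactly such a false positive).
STOCK_SYSTEM_BINARIES = {"NOTEPAD.EXE", "EXPLORER.EXE", "REGEDIT.EXE"}


@dataclass
class Alert:
    timestamp: str
    name: Optional[str] = None
    path: Optional[str] = None
    found_in_memory: bool = False
    evidence_copied: bool = False
    removed: bool = False
    raw: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Alert]:
    """One Alert per timestamped line; the free-text lines that follow fill in
    the fields, whichever of the two orderings the product used."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = TIMESTAMP.match(line)
        if m:
            alert = Alert(timestamp=m.group(1), raw=[line])
            alerts.append(alert)
            rest = m.group(2)
            s = STOPPED.match(rest)
            if s:
                alert.name = s.group("name")
            else:
                alert.path = rest  # second format: the path follows the timestamp
            continue
        if not alerts:
            continue  # stray text before the first alert header
        alert = alerts[-1]
        alert.raw.append(line)
        s = STOPPED.match(line)
        c = CONTAINED.match(line)
        if s:
            alert.name = s.group("name")
        elif c:
            alert.path = c.group("path")
        elif "found in memory" in line:
            alert.found_in_memory = True
        elif "copied to evidence location" in line:
            alert.evidence_copied = True
        elif "was removed" in line:
            alert.removed = True
    return alerts


def triage(alert: Alert) -> str:
    """Assumed rule: a stock %SystemRoot% binary flagged with no file removed
    goes to verification; a removed file with an evidence copy goes to review
    of that copy; anything else is a plain review item."""
    if alert.path:
        directory, _, basename = alert.path.rpartition("\\")
        if (directory.upper() == "C:\\WINDOWS"
                and basename.upper() in STOCK_SYSTEM_BINARIES
                and not alert.removed):
            return "verify-possible-false-positive"
    if alert.removed and alert.evidence_copied:
        return "removed-check-evidence-copy"
    return "review"


if __name__ == "__main__":
    for a in parse_log(SAMPLE_LOG):
        print(a.timestamp, a.name, a.path, triage(a))
```

    Run as-is, the NOTEPAD.EXE alert comes out as "verify-possible-false-positive" and the YHL.DLL alert as "removed-check-evidence-copy". The rule deliberately does not decide whether YHL.DLL was malicious; it only points at the evidence copy the product says it kept.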

     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    1) Yes
    2) Yes
    3) Well..., all are more than ~ 4 months old and none more than ~ 12 months old
    4) Yes, the initial downloader was dealt with

    1) I agree, although not that much more dangerous than errant browsing. These weren't porn or warez sites. Typically, the enticement of free games, links to on-line gambling, and anti-spyware apps constituted the hook. Some of the sites looked reasonable from a casual aesthetic perspective.
    2) Yes, it did. Of course, the original victims were not hunting, they fell prey during normal surfing. While I assume they considered their activities as fine since they avoided the obviously seedier side of the net, it's clear that their activities were, in fact, rather high risk.

    No, as verified by a complete on-demand scan from the boot partition that was not active during the hunt and manual inspection of running processes, startup applications and services.

    Blue
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for sharing your experiences.

    Regards,
    Rich
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907

    Hi Blue,

    Thanks much for relating your experiences. Very interesting indeed.

    Regards,
    Rich
     
  14. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Trying to stay on topic...
    Approximately 10-15 different malwares got through Symantec AV for me on my work computer. Most of them were caught by on-demand AT scanners, but I am convinced that they would have been caught by a real-time AT too, if it had been running. At home AFAIK nothing got past KAV+Jetico, which is the most important reason why I have switched to KAV. So my experience is that the usefulness of your AT depends on which AV you are using.
    -hojtsy-
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Hojtsy,

    I too have found KAV much more resilient than Symantec Norton AV, which is why I switched. Since using KAV, nothing has gotten through, but I keep the AT (usually Ewido) running in real-time for old times' sake. When I clean other machines, I always use Ewido and KAV (and used to use TDS-3), and had similar experiences as yours.

    Thanks for sharing your experiences,

    Regards,
    Rich
     
  16. myluvnttl

    myluvnttl Registered Member

    Joined:
    Aug 23, 2004
    Posts:
    150
    Well I use Trojan Hunter and NOD32 and both have been very quiet, they have not found anything that would damage my computer. Anyone want to send me something to make sure everything is working or not? ;)
     
  17. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Nothing has gotten by NAV 2005 on this box. Nor has NAV destroyed my box with any f.p. the way KAV 5.x did on BigC's box recently. ;)
     
  18. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    http://www.eicar.org/anti_virus_test_file.htm (scroll down) ;)
     
  19. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    :D Same thing here as well !!

    HR :cool:
     
  20. NormanS

    NormanS Registered Member

    Joined:
    Feb 3, 2004
    Posts:
    84
    I have not had my AT (TDS-3 until yesterday) detect a Trojan on-access, but then neither has my current AV, NOD32.

    On the other hand, when I first installed TDS-3, it found a Trojan that had gotten past my then current AV, eSafe.

    Just yesterday, my new AT, ewido, caught a spyware called Alexa during a scan, but did not find a Trojan after a full system scan.

    What followed the detection of Alexa has me perplexed: after I clicked on ewido's option to delete the detected malware, ewido reported,
    "+ Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup"

    Since the above key is protected by RegDefend against modification of the key or value, RegDefend should have flagged ewido's intended action, but RegDefend did not. (?)

    Following ewido's detection of Alexa, I opened the Registry and found that the value, {c95fe080-8f5d-11d2-a20b-00aa003c157a} continues to exist, but is now located at HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\. (Notice the addition of the subkey, CmdMapping.)

    This event led me to wonder if the spyware was indeed removed. So I re-scanned the Registry with ewido. This time, ewido reported that no infected files were found!

    I don't understand what's going on; can anyone help?
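    On the registry question in the post above: to my understanding, IE keeps under Extensions\CmdMapping one value per extension GUID that maps the extension to a command id, so deleting the Extensions\{GUID} subkey removes the extension while the CmdMapping value named by that GUID can stay behind as a leftover. Here is an added example in Python, not from the original post or from ewido or RegDefend, that reads a .reg export of the Extensions key and reports CmdMapping entries with no matching extension subkey, so a leftover is not mistaken for a live extension. The export text is constructed; only the Alexa GUID comes from the post, and the other GUID is made up. It says nothing about why RegDefend did not alert, which the post leaves open.

```python
"""Added example: find CmdMapping values whose IE extension subkey is gone.

Reads a regedit-style export (constructed below) and compares the GUID-named
subkeys directly under Extensions with the GUID-named values under
Extensions\\CmdMapping. A GUID present only in CmdMapping is a leftover
mapping, not a registered extension.
"""
import re
from typing import Dict, List, Set

EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"

# Constructed export: one live extension (made-up GUID) plus a CmdMapping
# value for the GUID ewido reported as cleaned, whose subkey no longer exists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{11111111-2222-3333-4444-555555555555}]
"ButtonText"="Constructed Example Button"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"=dword:00002000
"{11111111-2222-3333-4444-555555555555}"=dword:00002001
"NextId"=dword:00002002
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader: key path -> {value name: raw data}. Enough for a
    regedit export of this key; continuation lines are not handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1)
            keys.setdefault(current, {})
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            keys[current][v.group("name")] = v.group("data")
    return keys


def extension_guids(keys: Dict[str, Dict[str, str]]) -> Set[str]:
    """GUID-named subkeys directly under Extensions: the registered extensions."""
    prefix = EXT_KEY.lower() + "\\"
    found = set()
    for path in keys:
        if path.lower().startswith(prefix):
            tail = path[len(prefix):]
            if GUID.match(tail):
                found.add(tail.lower())
    return found


def cmdmapping_guids(keys: Dict[str, Dict[str, str]]) -> Set[str]:
    """GUID-named values under Extensions\\CmdMapping."""
    target = (EXT_KEY + "\\CmdMapping").lower()
    for path, values in keys.items():
        if path.lower() == target:
            return {name.lower() for name in values if GUID.match(name)}
    return set()


def orphaned_cmdmapping(text: str) -> List[str]:
    """GUIDs present in CmdMapping with no matching Extensions subkey."""
    keys = parse_reg(text)
    return sorted(cmdmapping_guids(keys) - extension_guids(keys))


def live_extensions(text: str) -> List[str]:
    """GUIDs that still have an Extensions subkey, i.e. actually installed."""
    return sorted(extension_guids(parse_reg(text)))


if __name__ == "__main__":
    print("live extensions:", live_extensions(SAMPLE_REG))
    print("orphaned CmdMapping entries:", orphaned_cmdmapping(SAMPLE_REG))
```

    To use it on a real machine, export HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions from regedit and pass the file contents instead of SAMPLE_REG. An orphan reported here is what a second on-demand scan would be expected to ignore, since the extension subkey it would flag is no longer there.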
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Hi. I would like to add more points to your post.
    - In the real world case, I think a hacker doesn't need to target the weakness of one particular AV. The best is to try to find a weakness that most or all AVs share (eg there are different techniques one can use to terminate/nullify/hide themselves in front of the AVs). Also don't rely on the GUI or on any error to notify you of the problem. The hacker can make it so that the icon in the system tray is still on, and hide the error if he wishes to.

    - Also people generally don't install AV as their only security program. Nowadays AV+AS+Firewall is a basic security suite promoted by Microsoft, so hackers have to find ways to bypass all security products. And it is not hard for them to do so. What they simply need to do is to exploit fundamental weaknesses.

    - There are several techniques one can use: buffer overflow, dll injection, code modification, rootkits, driver/service installation, covering/hiding, covert channels. Read the following for more info on how hackers can bypass the current security suite, or why the current security suite is not adequate:
    http://engr.smu.edu/~tchen/papers/handbook2005.pdf
    http://www.immunitysec.com/downloads/0days.pdf

    - To protect ourselves against such kinds of common and advanced techniques, I think the best solution is to take back the power from Windows. There are many things we can do, from manually configuring Windows (eg applying stricter security templates, not using admin accounts, using strong passwords etc.) to adding a fundamental layer of security (eg using an application firewall, system monitoring, memory restriction).

    - They will provide much better and more effective protection instead of depending on one AT to protect you from trojan-type malware AND trojans identifiable by its signature base.



    Also in the case that a hacker wishes to intrude on a particular computer with his trojan, he may have considered bypassing the AT as well. The memory scan is not flawless. While providing limited extra protection, it has its own problems too. The AT itself is also subject to termination/modification/nullification like its AV counterparts.

    Anyway installing one more AT may be desirable to some people who don't bother to learn a bit AND do not wish to use system baseline security products. To them, it does add a bit extra protection. :D

    Something is better than nothing.
     
    Last edited: Aug 16, 2005
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Executable trojan/virus tests are not conclusive any more because your anti-intrusion protection will catch them and your AT would never see the file. A better test would be malware packed or embedded in a file.

    Below, and next two posts:

    1) attempt to download from the server is blocked

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Attached Files:

  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California

    Attached Files:

  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    3) I gave permission for the file to download, and the attempt to run it (Open) is blocked.

    Of course, you can argue that your good judgment would make you question whether or not you would permit the file to download in the first place, so even your anti-intrusion program wouldn't get a chance at it, and that these examples just show how someone can be prevented from unwittingly executing them, like your kids or other family members!

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Attached Files:

    Last edited: Aug 16, 2005
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Something that worries me is that the AT itself has its own problems and can be bypassed by trojans too. On one side, it may be able to address a few problems which AVs have. On the other hand, the memory scan is also problematic, and AVs and ATs themselves are also subject to intrusion/attacks.

    Anyway, something is better than nothing. I agree with you at this point. If you don't like other solutions, at least AT can provide a bit extra protection.
     