Hmm... software layering question

Discussion in 'other anti-virus software' started by VikingStorm, Oct 11, 2003.

Thread Status:
Not open for further replies.
  1. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    I've been using NOD32 as my main resident scanner for the last couple of months, and it was doing fine until my little brother somehow ran a trojan (Optix) (which terminated Outpost Pro, btw). Kaspersky detects it, so at the moment I'm using Kaspersky monitor (only scanning incoming downloads and temp folders, so as not to bog down the system). Should I stick with Kaspersky scanning on entry ways? Or does NOD32 + some trojan package still use fewer resources, and is it more reliable than Kaspersky?
     
  2. Stranger

    Stranger Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    9
    Utilizing NOD32 with an AT doesn't necessarily consume fewer resources compared to a machine that's running KAV by itself, especially the earlier 3.5 version.

    An option you have is to use NOD32 as your general-purpose, all-around AV and then obtain and use a process/port tool and KAV's on-demand scanner only, to check from time to time whether there's a rogue process that starts up and listens on a particular port. Granted, this is partly a reactive approach, since without the protection of KAV's or a dedicated AT's monitor there's a risk of getting infected, but it's also a proactive approach in the sense that it forces you to be more aware of the processes that are running behind the scenes and to take corrective action. The importance of knowing which "normal" processes should be running on a system cannot be overstated.

    As for a firewall, pick another or use the same one and learn to configure it tightly; among other things, enable it to prompt for any process that attempts to make outbound connections, and every now and then view those logs. The ideal situation is to not have malware go undetected and find its way inside the perimeter, but realistically this can and will happen, and this is where a strong AV/AT combined with a properly configured firewall or a process interrogation tool steps in to seal things off.

    If you must use one by itself, you cannot go wrong with one of the best AV/AT hybrids out there, which is KAV, or of course, if you have more than enough resources to spare, you can also opt for an AV and a separate AT to complement each other. :)
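The "process/port tool" approach above (periodically checking which processes are listening on which ports against what you know to be normal) can be scripted. The following is an added example, not code from the thread or from any product named in it: it parses the output of the two Windows commands such a check would wrap, `netstat -ano` and `tasklist /fo csv`, joins the PID columns, and reports every listening socket whose (image name, protocol, port) is not in an operator-maintained baseline. The netstat and tasklist text embedded below is constructed sample output, the image name `msdll32.exe` is an invented placeholder for the rogue process, and the baseline set is an assumption for the demo; on a real box you would build the baseline from a known-clean system and feed in the live command output.

```python
"""Flag listening sockets whose owning process is not in a known-good baseline.

Added example for the thread's "process/port tool" idea. Parses constructed
`netstat -ano` and `tasklist /fo csv` output; not tied to any AV/AT product.
"""
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3410           0.0.0.0:0              LISTENING       1624
  TCP    192.168.1.10:1042      192.168.1.1:80         ESTABLISHED     1200
  UDP    0.0.0.0:500            *:*                                    676
"""

# Constructed sample of `tasklist /fo csv` output. "msdll32.exe" is an
# invented name standing in for a dropped trojan binary.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","788","Console","0","4,120 K"
"lsass.exe","676","Console","0","1,500 K"
"iexplore.exe","1200","Console","0","18,300 K"
"msdll32.exe","1624","Console","0","2,900 K"
'''

# Assumed baseline of (image name, protocol, port) that is normal on this
# box. Build the real one from a clean system; anything listening that is
# not in here gets reported.
BASELINE = {
    ("System", "TCP", 445),
    ("svchost.exe", "TCP", 135),
    ("lsass.exe", "UDP", 500),
}


def parse_netstat(text):
    """Return (proto, port, pid) for TCP sockets in LISTENING state and for
    all UDP sockets (UDP has no state column in netstat output)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or "Active Connections"
        proto = fields[0]
        # rsplit so IPv6 local addresses like [::]:135 still yield the port
        port = int(fields[1].rsplit(":", 1)[1])
        if proto == "TCP":
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue  # established/close-wait sockets are not listeners
            pid = int(fields[4])
        else:
            if len(fields) != 4:
                continue
            pid = int(fields[3])
        listeners.append((proto, port, pid))
    return listeners


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def find_rogue_listeners(netstat_text, tasklist_text, baseline):
    """Return [(image, pid, proto, port)] for listeners absent from baseline."""
    pid_to_image = parse_tasklist(tasklist_text)
    rogue = []
    for proto, port, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown pid>")
        if (image, proto, port) not in baseline:
            rogue.append((image, pid, proto, port))
    return rogue


if __name__ == "__main__":
    for image, pid, proto, port in find_rogue_listeners(
        NETSTAT_SAMPLE, TASKLIST_SAMPLE, BASELINE
    ):
        print(f"UNEXPECTED LISTENER: {image} (pid {pid}) on {proto}/{port}")
```

Two caveats a practitioner would add: the check keys on image names, so a backdoor that injects into, or names itself after, a trusted process will match the baseline; and an unknown PID (process exited between the two commands, or hidden from the task list) is reported rather than silently skipped, which is the safer failure mode.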
     
  3. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    You have many choices. An AT developer will tell you that there are trojans that KAV does miss. And although one might suspect an AT developer of bias toward use of AT products, there are many fairly knowledgeable people who study malware who indeed use an AT in addition to their AV whether it's KAV or not.

    It's a risk management issue, and the answer depends on what risks your PC might be in during ordinary use. You mentioned your brother has access to your PC and that resulted in an infection. Assuming that safe computing practices may not always be followed by the PC's users, you may want to look into an AT app. It depends on the circumstances and how much risk may be involved.

    Is resource/memory use much of a concern with your PC and OS? I currently run NOD and BOClean on a year-old XP box with no noticeable impact. But both are known as light-running apps (BOClean is just a real-time monitor, no on-demand scanning). But that combo also suits my present computing habits. When you get into the more heavy-duty ware, like KAV and TDS, I'm told the impact can be noticeable, although there are tips in various support forums such as Wilders (including a KAV support forum out of Iceland, I believe) on how to adjust settings in KAV's RTM to reduce the PC performance impact. But from your post it sounds like you are already aware of them and have implemented them.

    If I had a younger brother who had access to my machine and if I had KAV, I'd go with that as the real-time AV, although I might also add an AT as well. Trojan Hunter is another AT that is well regarded, with both resident and on-demand scanning, and I haven't heard complaints about resource use.

    So you have various options to consider as Stranger also has discussed. FWIW, Trojan Hunter and TDS have free trial versions so you could see if an AT is something you'd want to add or not.
     
  4. Stranger

    Stranger Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    9
    Sig made valid statements. Considering whether to utilize a single AV or a combination of an AV and a separate AT to cope with backdoors depends on several things, such as user habits, resource availability on the machine in question, what is being protected, etc.

    If you have not, you also might want to consider researching a backup device and medium to store irreplaceable data, just in case something does happen, because frankly speaking nothing beats a whole-image or file-level backup. The ability to replicate and repeat a state is a basic security practice.

    Also, if you have personal and sensitive data on the system, you could consider storing it on a removable CD instead, or utilize file-level encryption. Just suggestions.
     
  5. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    I've been trying TrojanHunter, and it scans only when a trojan is run in memory, I guess? Since the trojan executed all its code (placed itself in the system32 folder, added a start-up registry entry, and closed Outpost Pro) before TrojanHunter detected it and deleted it. Does BOClean intercept any sooner than this?
     
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I don't really know first-hand how TH works; my impression is that it should do more than just scan when a trojan is run in memory, although it does that too. Here's a blurb from its site: http://www.misec.net/products/

    You can always ask in the TH forum and see what responses you get: http://www.misec.net/forum/ The author is responsive, and I imagine he would be interested if a trojan gets by his product, which seems to have at least partially happened in your instance, in that it shut down your firewall before TH caught it.

    Here is some info regarding BOClean from the vendor's site: http://www.nsclean.com/supboc.html
     