New Trojan Test

Discussion in 'other anti-trojan software' started by StevieO, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Sandboxie+ PG full + Core Force?

    Wow, talk about layers!! Very solid.
     
  2. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks StevieO, You were of course bang on! It was very interesting.

    muf
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, and Deep Freeze. :D
     
  4. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    289
    I tried this little test--f-prot and ewido picked nothing up-- LNS firewall stopped it though. I d/l the demo of Process Guard and it stopped it right away, so I might add this program to my computer. I will wait and see if it plays nice with everything else first. I wonder if RegDefend would stop something like this?
     
  5. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
  6. xtype

    xtype Registered Member

    Joined:
    Aug 5, 2006
    Posts:
    2
    Just ran this test today and my computer failed. Currently running Kaspersky Antivirus, Spy Sweeper, Zonealarm, and BOClean. All were active and running and nothing warned me. Very concerning IMO. I really expected BOClean to catch something like this out of all three of the security products.
     
  7. donsan

    donsan Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    149
    Location:
    grand prairie tx
    I run this program with KIS 6.0 and Bo Clean and I am embarrassed to say I failed big time. So I stopped Bo Clean and used Trojan Hunter; I still failed. This time I unloaded TH and used AVG Anti-Malware and still failed. For some odd reason that did not make me feel too well about all these programs to protect my computer.
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ donsan

    Boclean does detect both these tests, and has detected the new one since 10/09/06. I tested it on mine, and I also asked the guy who knows when it was added into the defs, Kevin from Boclean!

    So I don't know what's happening at your end, but it's not typical behavior for others? When was the last time you updated the defs, and have you also upgraded to version 4.22.002? If you have done both these, then email support@nsclean with your story.


    StevieO
     
  9. donsan

    donsan Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    149
    Location:
    grand prairie tx
    I do have the latest product from Bo Clean and if you read a few posts back someone else said that they also have Bo Clean and the program failed to work for them as well. Please don't misunderstand, I like Bo Clean very much, but for sure it did not stop the test with the latest version for me anyway; in fact Trojan Hunter and AVG didn't either.
     
    Last edited: Oct 12, 2006
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello StevieO,

    When you say "tested it on mine"....what are you actually meaning....BOclean, operating system....etc :doubt:

    Also....are you speaking of the DFK Threat Simulator v2 test when you mention "tested it on mine"?

    Bubba
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ donsan

    What did support@nsclean say about it?

    @ Bubba

    Hi,

    I scanned all the files in DFK on demand with BOClean, and with both versions of DFK. That's how I was able to say "does detect - on mine", as I got the malware removal popup box from BOClean when doing so.


    StevieO
     
  12. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    I think whether BOclean or any other anti-virus or anti-trojan eventually detects the morgud test by signatures seems to be beside the point.
     
  13. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I'm using Comodo Firewall and the (Kaspersky) AOL AVS AV, and failed. Would Cyberhawk pass this? Also someone posted that their Kerio Firewall blocked outgoing to pass this test; if that's correct, what version? CPF has passed all Leak Tests and Kaspersky is rated very high in Comparatives, but someone also said their Nod32 stopped this Trojdemo exe. I'm very curious about this Trojan Test, and posted about it in the Comodo Forums. Thanks for anyone's replies.
     
  14. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I tried this test. Prevx1 asked me to allow it or not. Of course I said no. Prevx stopped it. Test passed.

    I then re-ran it and this time allowed the file to execute past Prevx. None of my other security apps stopped it.

    My thoughts? Well, Prevx is what I use to detect unknown or bad apps and alert me on them. In this case Prevx did what I want it to do: it stopped it. I presume that BOClean, KAV6 and Regrun don't alert because it's not a 'real' nasty. This is where a HIPS comes into its own. It's there to control what apps run or don't. Yes, HIPS sure are important.

    muf
     

    Last edited: Oct 17, 2006
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's right. If you can stop the installation of malware you have the very best solution.
    If you can't stop the installation, you get two more serious problems:
    1. you have to stop the possible execution of the malware until it's removed.
    2. you have to remove the malware.
    It's quite simple in theory; finding the right user-friendly security software to do the job properly is something else.
     
    Last edited: Oct 19, 2006
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Cyberhawk will pass this *specific* test now, I think. I ran the test program today (10/19/2006). CH didn't pop an alert until the bad stuff already had done a fair amount of raping & pillaging.

    When CH did jump in, it requested all the files for upload to their analysts. I said yes. So I expect CH will fully do the job next time around.

    I feel it significant to make note of the fact that CH jumped in because it detected malware-like behavior, and not simply because the process was not on a whitelist. Nevertheless, I was disappointed that CH didn't jump in faster.

    Of course System Safety Monitor popped up several warnings right from the get-go -- BING! BING! BING! Ergo, to run the test I finally decided to just turn SSM off.

    Shortly thereafter the little green spider in my system tray was dead (i.e., DrWeb got terminated). DrWeb gave no notice of any problems, but merely died without so much as a whimper. R.I.P. :oops:

    As to SSM -- yes, it gave me MORE than ample warnings. Again & again & again. However, I would expect any adequate HIPS programs to ask me if I want to "allow" any hitherto unknown processes.

    To be honest I would be likely to say "allow" in situations where I myself downloaded the executable(s) from a trusted site of origin -- unless, of course, I already knew the download to be a test of my security.

    If my HIPS BLOCKS the bad stuff & makes it bloody difficult for me to override its judgment, THAT is a "pass." However, if my HIPS asks me "block or allow?" & I say "block" then the one who passed the test was me, moreso than my HIPS.

    This test has convinced me of two things (at least)...

    #1- Although I looove my SSM, I need a behavior blocker that will save me when I make baaaad judgment calls. I'm hoping that Cyberhawk will evolve to better fit that role. It came close to doing that this time -- but "close only counts in horseshoes."

    #2- In the final analysis the only *fail-safe* to counteract dumb decisions &/or laziness on my part is restoring a pre-stupidity image. IMO, anyone who doesn't have this sort of fail-safe is a lot braver than me.:eek:
     
  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Boclean at my end doesn't stop this test either. Actually nothing I am running stopped them. :'(

    dja2k
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don't think that if any scanner detects this test by signatures you should feel safe.
    Ideally it should be detected and stopped heuristically or by behaviour.
    I played with it using various sandboxes (GW, DW, BZ, Sandboxie etc.) and it was not able to do any harm.

    https://www.wilderssecurity.com/showthread.php?t=148690
     
  19. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    So if this is the case, to block these kinds of viruses we all have to get sandboxed and basically run everything in there. That is totally insane! :eek:

    Here goes another question: are there really any heuristics that stop it? I haven't seen anyone block it heuristically, but only behaviorally.

    dja2k
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know about which test you're all talking, but I ran the trustware trojan test and Prevx1 blocked it.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks aigle, this seems to be a more interesting test. Unfortunately I'm in the process of re-installing my computer from scratch to improve my special clean backup files and special clean archived snapshots and a few other things.
    After that I'm ready to test my new security setup and this will be a very exciting adventure, probably with many ups and downs and many posts. :)
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, let us know when you run it.
     
  24. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England

    Attached Files:

    • SGP.jpg
  25. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    How did it block it, by just saying it's unknown and you clicked block?

    dja2k
     