Please recommend a top-notch AT program.

Discussion in 'other anti-trojan software' started by pvsurfer, Oct 29, 2004.

Thread Status:
Not open for further replies.
  1. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,618
    Location:
    USA
    No problemo (for me) - I'm running WinXP Pro. ;)
     
  2. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,618
    Location:
    USA
    Right, but now I've got 3 - 4 top recommendations (thanks to all of you), so I don't have to waste my time looking at other progs. ;)
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    It is sometimes hard to determine which AT is "the best". The reason why is because you may choose "the best" at the time, on the day of purchase only to have buyer's remorse when the new version of a competing program comes out.

    Right now, it looks as if Ewido, the new kid on the block, is the most hungry and has leapt ahead of the competition in many important ways. In fact, I believe the Ewido entry in the market is driving the competitors to make vast improvements in their products more quickly or risk losing market share.

    In my opinion, the "leading AT's" have grown too comfortable with always being ranked number one, two, three. It seems to me like Ewido has come along out of nowhere and actually put out innovative ways of detecting trojans instead of spending the time on the forums talking about how the new version would be great. Ewido is here and now and driving competition.

    Having said that....I believe that when TDS4 does come out that it will probably be considered top of the line and many people will be calling TDS4 the number one scanner. I also believe that the people at BoClean are very innovative and many will be impressed with BoClean5. There will be many calling BoClean5 the number one scanner.

    As for Trojanhunter. It happens to be the AT that I like the least BUT I believe Magnus is no dummy and I can see Trojanhunter moving quickly ahead so they don't lose ground to any of the other scanners. Trojanhunter will more likely than not have many calling it the best scanner at various points in time.

    Right now....at this snapshot in time...I believe Ewido and TDS3 are probably the "best" ....for me. I believe Ewido has the best memory scanner available....just slightly edging out BoClean. The makers of BoClean are right, to me at least....the most important thing in an AT is the memory scanner. You can hide just about any trojan from an on demand scanner. It is quite easy. I travelled the black hat forums just to find out how hackers think....It was quite shocking. It is actually quite easy for hackers to beat everyone's favorite "unbeatable" on demand scanner.....even KAV can be beaten by more than a few methods.

    If you want the "BEST" AT then look for the one that has the "BEST" memory scanner....this is how I determine the "best" for me. The "best" memory scanner at this point is Ewido followed very closely by BoClean. The best On demand scanner is.....KAV. The best for others might be somewhat different and may change as competitors update their features. You might have the best today BUT who knows who will be best tomorrow?


    Starrob
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob,

    Are you currently running Ewido with realtime protection on alongside BOClean?
     
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    No, I only run Ewido memory resident. Having BoClean memory resident would be too much. I was looking for a memory resident AT and almost purchased BoClean before running across Ewido.

    I took a long hard look at strengths and weaknesses of each one. Reading various articles by Nautilus, along with a lot of reading from every forum that I could find (including black hat forums which are sometimes good because they can tell you which programs or features the script kiddies have the most difficult time against.. sometimes) helped me to determine the strengths and weaknesses of all the scanners that are considered top-notch.

    Let me say...I have high regard for BoClean even though I have not personally tested it. I think the authors of BoClean are very intelligent. I have done some reading in their forums. I don't know how long I will consider Ewido the "BEST" memory scanner because I believe BoClean can easily regain that top crown.

    I also believe that TDS4 will most likely feature a superior memory scanner with strong heuristics. When TDS4 hits...I expect that it will be called by virtually everyone out there the "best"

    As for TrojanHunter....In my opinion, they are not far from having the "BEST" memory scanner either. They just have to fix a few things and they will be able to make those claims also.

    In my opinion, within about a year, Ewido, TDS4, BOClean5 and Trojanhunter will all be considered elite with probably not a whole lot of difference in the protection between them.

    In some ways the team at DCS got out ahead of their competition by creating ProcessGuard....which is at this time totally unique (Only SSM has something similar and they are slightly behind PG). PG sets DCS as a whole apart from the others right now because DCS is providing some type of solution in case their scanner gets beaten. TDS4 might occasionally get beaten but most likely PG would save the day and block whatever new exploit was developed to beat or kill the scanner. PG also protects against rootkits which I think will start coming into more widespread use very shortly.

    Right now, almost all of the AT's can detect rootkits sitting as a program on the disk but once a rootkit goes memory resident.....well....that is another story. I do know that one of the AT companies that I talked to told me that they will be working on detection of rootkits even while it is in memory. Even if that can be done reliably...if I ever found a rootkit on my system then it is time to reformat....better to have PG and block the thing for sure then depend on a scanner to "maybe" detect it.

    Nothing is foolproof...even PG may not be foolproof but I think it would be extremely difficult for someone to beat PG....it would have to be a really genius hacker and why would someone like that come after little ol me? :D


    Starrob

     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the response Starrob. Very much appreciate your taking the time. I am on the PG 3.0 all night vigil. I will not go to sleep until it comes out! :p

    Cya tomorrow,
    Rich
     
  7. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,618
    Location:
    USA
    That was an interesting read Starrob. Now that I'm in the evaluation phase, seeing which interface I prefer and identifying any conflicts with my AV & AS programs are fairly straightforward ...but is there an objective way to test their effectiveness in identifying and removing Trojans? o_O
     
  8. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    That is quite a lot of speculation...
    What is it you know for sure?

    I have seen you make this reference in quite a number of your posts (much in the same way in fact). Specifically pointing to the weaknesses in on demand scanning (in particular KAV). Yet you have made no real attempt to elaborate on these methods. Not to say you should provide links or a detailed how-to, but perhaps something that we have all not heard before might be interesting. Because I too have heard of malware bypassing scanners (probably without visiting as many "underground" sites as you). And unless we are talking about a serious flaw within a scanner that can be used time and time again to exploit the software (until the vendor corrects the issue, whether it be an engine update or new version), I do not particularly find these "warnings" very interesting. Especially if we are just talking about a new way to hide malware through modification, packing, or encryption. Mainly because signature updates are usually sufficient in these cases (in which case KAV has an advantage with the frequency of its updates). Though some might argue this is not the best way. I believe I made this point in response to one of your other posts though I am not sure.


    How did you come to this conclusion?

    No offense, but now I am really confused o_O

    From what I gather from your posts is that you believe on demand scanners, in particular KAV (as you reference it so many times) are very easy to bypass. Yet you believe KAV is THE BEST on demand scanner, and you use it for yourself.

    You believe memory scanning is THE BEST way to determine the quality of an AT. And yet you completely ignore the fact that just because an AT has a good memory scanner does not make it invulnerable to other methods in which it can be bypassed. In some cases a memory scanner is just as vulnerable to methods that are used to bypass an on demand file scanner. Hex editing for example. IMO a single detection method should not be used to determine the quality of a scanner. Layered protection right? Something you are so adamant about.

    With all the speculation you have made in your posts you make it seem like you do know :rolleyes:

    One should point out that just because someone is considered a "blackhat" does not make them any more knowledgeable about a security product than you or I. In some cases they are even more misinformed. Providing examples of how it can bypass one scanner which makes it suck, while another scanner can detect it which makes it the best. When in reality the same method could probably be used to make the first scanner come up with the detection, and the second scanner come up with nothing. "Blackhats" really do not provide any more background to a product than anyone else. How do you know where their loyalties lie?

    Edit: Typo
     
    Last edited: Nov 1, 2004
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Rerun, thanx for giving your thoughts on this one.

    In this particular case I stand completely behind Starrob, but it is a delicate discussion here. in fact there wasn't any bashing on any other product yet I get the feeling here you feel a bit attacked. still I cannot figure it out why: trojanhunter?

    anyway I suggest you read a bit on here:

    http://home.arcor.de/scheinsicherheit/rootkits.htm

    in fact on their forum you find a lot of info on how scanners are tested and which vulnerabilities they all miss. and it seems that kav is the best on demand scanner at the moment but it can be bypassed by armadillo variants, in fact all those scanners could be bypassed so nothing in particular for KAV anyway.

    I am not a kav user (although I am licenced to gdata-kav + bitd based engines) however I do admit that kav is one of the best for detection and updates/databases...

    back on topic now :D (sorry mods) there isn't any based anti trojan, and it depends on what is new on detection/preventing getting infected in the first place. they all have their advantages and disadvantages...that is a fact.

    we will always have discussions like this if you like a prog and the other one not...just my two cents. discussions are good...discussions and freebies that I like...:D

    have a nice eve
     
  10. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    You're scaring me now. All these speculative views on the best.

    Ewido is the best because... because i said so! That's why!!!

    Ewido is better than BOClean because... because i've never used BOClean and i've used Ewido.

    Ewido is the best because the others have sat back and basked in the glory of always being named one of the top three.

    Ewido is the best because i looked on a web site and they said so.

    Trojanhunter4 will be near having the best memory scanner because, well because i just thought of it and decided it will.

    TDS4 will be fantastic and will have strong heuristics, i'm sure it will, well i think so, maybe, err, well could have.

    BOClean 5 will be great, or so i've read somewhere that it will.

    All i can say is what a load of rubbish you lot spout. You just make it up as you go along. You have no hard facts that anything you have said is true. It's all based on speculation and your own personal opinion. You two are having a laugh. What are you, members of the Ewido fan club? You just think Ewido is the best because you use it and like it. I'm sorry for ranting but i really hate it when people spout poppycock just to persuade someone that the AT of their choice is the best.

    muf
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    :D no fanclub...no fan...I use tds-3, trojanhunter and ewido and I am proud user of the three.

    it was just my thoughts... :D and personal experience. that is true. but someone else his experience might be different and all due respect for that.

    There wasn't any bashing of any product going on. because all three are valuable in all different area's. that is why I have three licences... and because it is a hobby :D well sort of actually.


    still have all the respect for the other players...if it wasn't so then why purchasing the license o_O
    I do think (again) that the arrival of ewido would be a benefit for all of us. and to share your opinions and give your comments so the actual demand for a good at would be answered... well that is all this is about...just give your personal view and comments without bashing any other product.

    if we could all give our comments and experience without bashing each other this would be a perfect place to hang out and we would have all the answers needed to make up our mind.

    just my two cents here :cool:

    inf
     
  12. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Bah, i'm sorry. :oops:

    I just see so many posts from people that obviously have their own favourite. I haven't used Ewido so i can not give a view. And i certainly wouldn't guess at its qualities having never used it. But i do use BOClean and Trojanhunter. I have trialled TDS but found it too complex for a simpleton like me. :oops: I do advise that BOClean and TH are two of the best. But i do not go to the point of trying very hard to make people believe that the others are inferior. You obviously love your product. nothing wrong in that. :) but please try to remember that this person is asking for recommendations. We are not trying to persuade them to go for a particular product. I know it's easy to get lost in these things and bestow glory upon your chosen AT but let's try to give even and unbiased recommendations. It's the user that matters.

    Again, sorry for being such a grump. :(

    muf
     
  13. ,.-

    ,.- Guest

    "You have no hard facts that anything you have said is true."

    "All these speculative views on the best."

    "and it seems that kav is the best on demand scanner at the moment but it can be bypassed by armadillo variants, in fact all those scanners could be bypassed so nothing in particular for KAV anyway."

    "That is quite a lot of speculation...
    What is it you know for sure?"

    " Specifically pointing to the weaknesses in on demand scanning (in particular KAV). Yet you have made no real attempt to elaborate on these methods."


    See here for further information on one of KAV's weaknesses and the limits of current memory scanners:

    http://boardadmin.bo.funpic.de/viewtopic.php?t=43

    Personally, I believe that memory scanning is good or at least better than file scanning. However, the near future lies with behaviour based detection.

    For example, you can detect every standard trojan by searching for two or three specific behaviours/features:

    a) process has opened a port
    b) no visible window
    c) autostart entry (optional).

    Moreover, you can detect almost every DLL-injecting/code-injecting trojan or user-mode rootkit with the help of a CreateRemoteThread Monitor/Blocker. Unfortunately, no AV or AT supports this feature. Therefore, you need to install a relatively complex system firewall which may destabilize your system.

    You can also stop almost any kernel-mode rootkit with an InstallService Monitor/Blocker. Again, only a few system firewalls offer such feature.

    Finally, it should also be possible to detect statically injected DLL trojans with the help of behaviour based heuristics.

    I really hope that TDS-4 and others will not merely be based on signature scanning. I believe that signature scanning is more or less outdated.
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    no need to sorry (or feel sorry:D) I wouldn't like it either when someone else is selling me other stuff...but I wasn't doing that. if I did sound like an advertiser or whatever (really not intended to and not affiliated to any of the at's here) then please: sorry and I will try not let myself get carried away in the future...

    p.s. you should have seen me with the service pack 2...I was going nuts here:D :)
     
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I find Starrob's comments to be a little misleading and contradictory. And this is not the first time either. What I would actually like is some clarification/support to the statements made, and not that one just visited an underground site and is basing their statement around a flaw that in fact is non-existent (or is not really considered a flaw in the truest sense). Nautilus in his most recent posts and in a large majority of his posts does explain his argument and usually backs it up with tests he performs. Nautilus is also fair in not singling out a single scanner when multiple scanners may have the same weakness. For this I respect. And for the record I do read the articles that can be found in Nautilus' site and forums.

    Yet a large majority of memory scanners you have tested still have weaknesses. Which makes other methods of detection important to complement the advantages/disadvantages of a memory scanner.

    But how do you single out these behaviors as being malicious or not? I am still some what unsure about the importance of signatures in the future. I can see the advantages of more generic type of detection but in some ways cant really see signatures as being completely discontinued. But then again I am not really up to date with the latest advancements of behavior based detection. Is there a way of behavior based detection that is accurate?
     
  16. ,.-

    ,.- Guest

    "Yet a large majority of memory scanners you have tested still have weaknesses. Which makes other methods of detection important to complement the advantages/disadvantages of a memory scanner."

    I agree. File scanning or other detection methods are not completely useless. They may complement a memory scanner. (Moreover, I would like to emphasize that I was merely talking about non-replicating malware. Replicating malware is a completely different thing.)

    "But how do you single out these behaviors as being malicious or not? I am still some what unsure about the importance of signatures in the future."

    Once again, I agree. Such behaviour based detection methods require user interaction: the user needs to decide whether, for example, a program is a trojan or just an invisible & harmless auto-updater. On the other hand, many users (including me) believe that almost everything which works behind your back and connects to the internet is a potential threat and, therefore, I would like to get warned. Virtually, the same applies to code- or dll-injections. Such behaviour is highly suspicious and I can hardly imagine a standard application that legitimately makes use (and has to make use) of such techniques. An exception may apply, for instance, to debuggers, security soft etc. But the user of such applications will be able to correctly interpret the alert message of a CreateRemoteThread Blocker/Monitor.
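
The three features listed in the guest post above (open port, no visible window, optional autostart entry), the CreateRemoteThread monitor, and the per-program user decision raised in this reply can be sketched as a correlation over a process inventory. This is an added example, not code from any poster or product in the thread; the process records, paths, PIDs and the allow-list format are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str              # full path of the executable
    listening_ports: tuple  # ports the process has opened
    visible_window: bool    # owns at least one visible top-level window


# Constructed sample inventory (hypothetical paths and PIDs).
SNAPSHOT = [
    Proc(412, r"C:\Program Files\Browser\browser.exe", (), True),
    Proc(980, r"C:\Program Files\Chat\chat.exe", (5190,), True),
    Proc(1337, r"C:\WINDOWS\system32\svch0st.exe", (31337,), False),
    Proc(1500, r"C:\Program Files\Updater\autoupd.exe", (8089,), False),
    Proc(2044, r"C:\Temp\loader.exe", (), False),
    Proc(2100, r"C:\Tools\debugger.exe", (), True),
]

# Constructed: lower-cased image paths that have an autostart entry.
AUTOSTART = {
    r"c:\windows\system32\svch0st.exe",
    r"c:\program files\updater\autoupd.exe",
}

# Constructed remote-thread events: (source pid, target pid).
REMOTE_THREADS = [(2044, 412), (2100, 980)]

# Decisions the user already made, keyed by (image, behaviour) so that
# allowing a hidden auto-updater does not also allow it to inject code.
ALLOWED = {
    (r"c:\program files\updater\autoupd.exe", "hidden-listener"),
    (r"c:\tools\debugger.exe", "remote-thread"),
}


def findings(proc, autostart, remote_threads):
    """Return {behaviour: detail} for one process."""
    found = {}
    # Features a) and b) together form the alert; c) is optional and only
    # adds context, as in the post.
    if proc.listening_ports and not proc.visible_window:
        detail = "ports %s, no visible window" % list(proc.listening_ports)
        if proc.image.lower() in autostart:
            detail += ", autostart entry"
        found["hidden-listener"] = detail
    # A thread created in a *different* process is the injection signal.
    targets = sorted({t for s, t in remote_threads
                      if s == proc.pid and t != proc.pid})
    if targets:
        found["remote-thread"] = "created thread in pid(s) %s" % targets
    return found


def triage(snapshot, autostart, remote_threads, allowed):
    """Return (pid, behaviour, detail) for every finding not yet allowed."""
    alerts = []
    for proc in snapshot:
        for behaviour, detail in findings(proc, autostart, remote_threads).items():
            if (proc.image.lower(), behaviour) in allowed:
                continue  # user already judged this behaviour harmless here
            alerts.append((proc.pid, behaviour, detail))
    return alerts


if __name__ == "__main__":
    for alert in triage(SNAPSHOT, AUTOSTART, REMOTE_THREADS, ALLOWED):
        print(alert)
```

With an empty allow-list the updater and the debugger are reported too, which is the false-positive cost the two posts are weighing.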
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Many times, I read these boards and see people get upset when their product that they personally use is not called number 1 by the person commenting. My personal feeling is that BoClean, Ewido, TDS, Trojanhunter, KAV can all be called number 1 at any given point in time and also depending on the user. Many people call NOD32 number one and maybe it is.....for the things it is designed to do.

    I wanted a strong memory monitor because I already have a strong on demand file scanner. I feel for me BoClean and Ewido are two of the best at this time even though both have weaknesses. Nautilus has excellent comments on the strengths and weaknesses of both.

    I feel no product is Flawless. On the blackhat boards, I one day found a product that claimed to find a vulnerability in KAV. It claimed to be faster than KAV real time scanner and could kill it. I passed the program on to KAV, so I am sure they have fixed it by now.

    Also on the same website, I found a program that claimed to kill ProcessGuard V2. I passed that along to DCS and they told me V3 can not be killed the same way. There are some interesting things out there on the internet that have led me to the conclusion that virtually nothing is invulnerable to being beaten. I guess the biggest thing that led me to that conclusion is that I read some article about the design of Windows...It was sort of scary to me. There are just so many security flaws in windows. The author of the article basically said the only way to fix all of the flaws is to rebuild windows from scratch. I do not have the article with me now. Right now, I am in an internet cafe in Jakarta, Indonesia on a slow computer that I suspect has coolwebsearch installed on it among other things :D

    One of the strongest security programs that I have found is ProcessGuard and even in their forum that I just finished reading Jason made a statement on their new features, "Added new rootkit blocking methods, now covers all known rootkit/driver installation techniques". Notice he did not say, "blocks all rootkits/driver installation techniques" but he said, "now covers all KNOWN rootkit/driver installation techniques". Well what about the unknown techniques? You see...I am a bit paranoid when it comes to computer security and for the most part disbelieve in 100% solutions.

    I use layered protection. The very last layer that I am looking for is behavioral based. Right now, I use PREVX for that duty but I am looking for a AV/AT/FW company to come up with something behavioral based that is better than the PREVX free version (Maybe PREVX itself will have something powerful in it's Professional edition)

    I get contradictory and vague because of several reasons. I don't like arguing with people very much. Usually if a person comes out and states their favorite product, they get rotten tomatoes thrown at them. I have even seen Nautilus get rotten tomatoes thrown at him when he is promoting no product in particular but just stating his findings. This is why, I even give kudos to products I don't use. There are advantages to the products I don't use. The advantage may not be for me but the advantage may be there for other users of the product. I have not even mentioned A2 but I am sure if I looked at A2, I could find advantages to that as well....it is just I have not looked hard at that product.........yet.....

    I have lurked on many different forums for years before making comments on Wilders and I usually find the "my product is better than your product" very boring, especially since I change my mind about products many times when a competitor comes out with a new way of doing things that makes my favorite product obsolete. I don't fall in love with the product...just like I don't fall in love with stocks. When my "favorite" stock does not perform, it gets sold.

    As for me not using BoClean but personally liking the product. Most of my knowledge of BoClean comes from a combination of reading both Nautilus and the BoClean forums. The author of BoClean explains the program in a way that I personally understand and like. I believe the author of BoClean is very knowledgeable especially since he was there at the very beginning of the AT industry. There may be a day when I am a license holder of BoClean.

    I trialed Trojanhunter once. It was OK. It was not my personal preference to use Trojanhunter at that time. After doing research later, there was just one thing I did not like about Trojanhunter, which I will not go into because I saw the issue discussed once before and it led to major arguments. I am not one to argue because arguing rarely convinces either side that they are anything other than correct. I tend to be a relativist like Albert Einstein rather than an absolutist like.....Osama Bin Laden. Everything is relative and beauty is in the eye of the beholder. There may even be a few readers that find beauty in Bin Laden and I could get rotten tomatoes thrown at me for that. To those people I apologize :D and for the victims of Bin Laden, I apologize for apologizing or maybe I am just being too vague...sorry for that also.

    I also believe that I sometimes can be in error. Maybe all I have written is in error, after all I am not a programmer. If I was really so knowledgeable then I would be writing the programs instead of just talking about them. All I have is a personal opinion just like everyone else on this board which can be taken or left behind.

    I hope everyone has a great day. Go George Bush...Go John Kerry....Go Ralph Nader....Go Ross Perot o_O??

     
    Last edited: Nov 2, 2004
  18. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I think it is possible to carry on a positive discussion without having it get too argumentative. But I would like to say that I appreciate seeing that you have kept such an open mind about things. Take care :)
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob et al.,

    I would like to agree with your comments. I think it is useful to people who are new to Internet security to be aware that all products have flaws and that nasties can seep into any system - even those that have well thought out layered protections. Why is this so? I believe there are two basic reasons:

    1) Windows (internet versions) was designed from the onset to "let Microsoft in". Microsoft wants to know what its users are doing. It is called account control. Corporations, such as IBM, have onsite reps that watch everything going on in a corporation in order to ensure that they do not lose business. MS does the Internet equivalent by purposefully leaving "open doors" into the desktop. It can be debated whether this is good or bad for any given user.

    2) People, by the very nature of Internet surfing, continually allow "strangers" into their "home". No person, or software, can possibly predict who is being let into the "home". For this reason, it is better to not let strangers into the home, but the Internet can be very enticing. I myself will often use Google to find new websites (strangers) and let them in without really knowing who they are.

    Security software does the best it can to "id" strangers and keep out the dangerous ones, but there are always strangers for which there are no ids and for which standard "pattern matching" will not work (it is a game). So for this reason, no user should ever feel too "secure", nor should they be afraid.

    For me, the most important thing I can do now that PG is on my system (I will probably be purchasing it as soon as I am clear that there are no conflicts on my system) is to get an "image copy" process in place for my system and my son's. I've decided that the next time I am hit, I will simply restore the image and that will be that. :) It is too tiring trying to preserve the system after a nasty enters. I'd rather start again. Each person will make their own value judgement. But it is good to know about this possibility before it happens, which is why I believe Starrob's comments are well worth reading and understanding.

    Rich
     
  20. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Not only is it possible but downright necessary. That's what a forum is all about or am I missing something? That's what knowledge sharing, learning and information exchange is all about.
    ;)
     
  21. Holly3278

    Holly3278 Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    16
    Location:
    USA
    I don't know how good it is for Trojans but I use Webroot Spysweeper as one of my Spyware prevention/removal programs in addition to Spybot Search and Destroy, Adaware, and Spyware Blaster. It has detected a phishing trojan on my computer once before so I assume it can detect other trojans as well. As for how good it is in general with spyware, I've read a few reviews and supposedly Webroot Spysweeper is top notch. ;)
     
  22. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    My strongest feeling about this subject is that it takes a great deal of research to determine which AT program is best for you. Many people make recommendations on forums about which product is best but frankly most of the times I find the advice about as useful as going to Yahoo Stock forums and reading the opinions there to determine which stocks to buy.

    On any forums, on just about any subject, there is a lot of truths mixed in with some untruths and it may take some digging around to find out the truths that apply to you.

    When it comes to researching the AT industry, I have not found a whole lot of useful information around with the exception of Nautilus. It can be debated whether his conclusions are 100% correct sometimes BUT as far as I am concerned he puts out the most useful information concerning the AT industry and conducts the most useful tests that I have found.

    I wish there were more unbiased sources around that I consider useful but I have yet to find them. Maybe I might start another thread one day about where the most useful sources of information concerning the AT industry can be found.

    Let me also say....some useful information can be found in TDS, BoClean and Trojanhunter forums which I read very often. The only problem with these forums is that they are biased toward their own product. Sometimes (But not all the time), when a weakness in a product is pointed out in a products own forum, discussion is stifled.....and true learning is stifled also.

    I also want to say I learned some things from Black hat forums BUT I do not suggest that people travel to those sites. Newbies should definitely stay away because some of those sites have exploits contained on them and infection might result.

    Also some might get over-confident in their scanners and start playing with things that they should not play with. The funniest thing I ever saw was some script kiddie writing on some forum asking the author of some AV/FW killing software how to make his AV and FW work again because he accidentally clicked on the program after he downloaded it and it killed his AV and firewall and he could not figure out how to make it work again. They had big laughs on that forum over that one.

    I am just wishing that there was more independent information out there about things like DLL injection, rootkits, worms, etc. and effective prevention methods against them. I wish there were more websites explaining what heuristics is and what behavioral based detection is.

    I sometimes find bits and pieces from different websites but the only website I found that puts most of it together is Nautilus. Does anyone know of any other websites with useful information? Maybe that is a subject for another thread....



    Starrob
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi starrob,

    Interesting and sobering posting. I remember visiting Nautilus a while ago and had the same impressions that you have. Ultimately, the best defense is not to "open the door to strangers".

    Thanks for your posts.

    Rich
     