Discussion in 'other anti-malware software' started by trjam, Nov 14, 2007.
Just curious to see which you feel might complement the new Eset 3.0 AV better and why. Thank you.
I prefer OA free
Please keep this on topic to the 2 products specified. Thanks.
I use BOClean to complement my avast because I'm not sure if ThreatFire would really protect me or if it would just give me a HIPS-like alert.
I've always been a little confused as to what exactly BOClean does though. From my understanding it waits for malware to execute to try to catch it? Also what does it provide protection from? Is it just trojans or does it include spyware too?
Current Covered Malware
My (possibly very flawed) interpretation of what BOClean is: it's a blacklist scanner that only scans memory. It waits for processes to execute themselves, then scans the code that is loaded into memory. Doing this has the advantage of being impervious to runtime packers, which is the most common method to generate "new" malware today. On the other hand, that's about all it's good for. Plus once a process starts running, it has control over the environment, and there's no guarantee BOClean can correctly intercept the executable code when it begins.
ThreatFire relies on the actions a process takes, combined with a black/whitelist to reduce FPs and immediately quarantine known malware right off the bat. Like BOClean, this approach renders TF immune to executable packers, or code obfuscation, or new variants, unknown malware etc etc etc. As long as it's a malicious process, then it is sure to perform a series of actions to install/propagate itself and deliver its payload. No matter how it tries to obfuscate its code, or even if the code is entirely unknown altogether, it can still be reliably identified by the actions it tries to perform.
To answer the original question, TF wins hands down. In the short period of time that I tried it, BOClean appeared to be nothing but another blacklist scanner – which means it doesn't compare to the level of protection a behavior blocker like TF can provide.
Thank you solcroft, that is a positive review from you and Stefan today, and that is good enough for me.
I'd like to know what trigger BOClean uses to start scanning memory. If the scanning is too quick, the "real code" is still obfuscated by the runtime packer(s). If the scanning is too late, malware has control of the machine. If I'm going to play this risky game (letting malware execute) I'd choose a non-signature app over a blacklist scanner in a heartbeat.
Your question reminds me of this: A patron asks a waiter "Is beer or red wine a good complement to my steak dinner?" Wine and beer are both alcoholic beverages, but serve different purposes and occasions. So are the two apps you have asked about. ThreatFire is a behavior blocker while BOClean is an anti-trojan; both are anti-malware all right, but the scope of protection is different. A good question you have put forward, however a tough reply to be given to you. I would take both apps, then I will feel more secure. By the same token, I would consume both beer and red wine so that I can get drunk quickly.
How does BOClean tell when the unpacking routine ends and control is handed over to the executable code? I have no idea. However, I do remember seeing an option in BOClean that lets the user specify the time interval in seconds to scan memory, and I have this suspicion that BOClean lets malware execute FIRST - giving it a chance to deliver its payload - and then cleaning it up, instead of intercepting the execution in the first place. A risky gamble at best.
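Added example (not from the thread or from either product): a toy Python model of the two approaches solcroft describes above, and of the timing question about when a memory scan fires. The XOR "packer", the signature, the process names and the action weights are all constructed for the example.

```python
from itertools import cycle
from typing import Dict, List, Optional

# Constructed blacklist: a byte pattern standing in for a "known" payload.
SIGNATURES: Dict[bytes, str] = {b"CONNECT evil-c2 AND DROP svchost32.exe": "Trojan.Toy.A"}

def signature_scan(image: bytes) -> Optional[str]:
    """Blacklist scan of a byte image (a file on disk or a process's memory)."""
    for pattern, name in SIGNATURES.items():
        if pattern in image:
            return name
    return None

def pack(payload: bytes, key: bytes) -> bytes:
    """Toy runtime packer: XOR-obfuscate the payload (applying it again unpacks)."""
    return bytes(b ^ k for b, k in zip(payload, cycle(key)))

def memory_image(packed: bytes, key: bytes, unpacked: bool) -> bytes:
    """What a memory scanner sees: still-packed bytes if it fires before the
    unpack stub has run, the original code afterwards (the "too quick / too
    late" timing problem raised in the thread)."""
    return pack(packed, key) if unpacked else packed

# Behavior blocker: actions a process performs, each with a suspicion weight
# (constructed weights; real products use far richer rule sets).
ACTION_WEIGHTS: Dict[str, int] = {"drop_file_system_dir": 2, "write_autorun_key": 3,
                                  "inject_into_process": 4, "outbound_connect": 1}
WHITELIST = {"installer.exe"}  # constructed set of trusted process names

def behavior_verdict(process: str, actions: List[str], threshold: int = 5) -> str:
    """'allow' for whitelisted processes; otherwise 'block' once the action
    sequence accumulates enough suspicion. The code itself is never inspected,
    so a repacked or brand-new sample is judged exactly like a known one."""
    if process in WHITELIST:
        return "allow"
    score = sum(ACTION_WEIGHTS.get(a, 0) for a in actions)
    return "block" if score >= threshold else "allow"

if __name__ == "__main__":
    key = b"\x5a\xa3"
    packed = pack(b"CONNECT evil-c2 AND DROP svchost32.exe", key)
    print("on disk:", signature_scan(packed))  # None: the packer hides the signature
    print("in memory, too early:", signature_scan(memory_image(packed, key, False)))  # None
    print("in memory, after unpack:", signature_scan(memory_image(packed, key, True)))  # Trojan.Toy.A
    print("unknown sample by behavior:", behavior_verdict("update.exe",
          ["drop_file_system_dir", "write_autorun_key", "outbound_connect"]))  # block
```

Repacking the same payload with a different key defeats the on-disk scan again but not the post-unpack memory scan, while the behavior verdict never depended on the bytes in the first place.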
So if it seems that BOClean is such a poor blacklist scanner, why is there such a following on Wilders?
I think BOClean still has its loyal followers here because of the contribution of its developers more so than the app's usefulness against the malware of today...
Well, how useful is BOClean against today's malware?
I'm still using it quite often on infected systems to "automatically" mop up baddies. I love watching it battle it out with Trojans... When that fails I often have to do it manually, which can prove tedious and time consuming. I find its malware reporting to be a bit minimalist (Aftermath report).
Recently it killed an UltraVNC Server installation as it detected it as a remote trojan. Pissed me off royally as it created a massive amount of work for me.
As to your question, personally I think it is still very relevant software and it remains as effective as can be considering the varied malware of today and their multiple complex attack vectors!
However I would consider PREVX or some type of HIPS as it would allow for more process-by-process protection together with file scans. I personally like PREVX because it is interactive within its user base with a huge database of malware, thus providing more relevant protection. Even though it is whitelist/blacklist based it also offers realtime activity monitoring and it works.
How big is BoClean's database of malware? What does it actually include? Will it protect against the latest spyware/trojans trying to install via drive-by downloads?
I'm trying to figure out a quiet solution for a friend who keeps getting infected with all sorts of garbage. He is an ordinary user and wouldn't want his security solution to be chatty. I'm wondering if BOClean is going to provide an extra layer of protection given AVs already have support for packers.
For this, check Lonewolf's post; he already answered this question:
If you are worried about web site driven infection perhaps you want to read a page I created for my web site:
Web Browser Security http://www.hermes-computers.ca/index.php?pid=46
This article offers a layered approach with good advice on what to do, in terms simple enough for most to understand easily.
I think you are dreaming if you hope to find a quiet all-in-one solution that works perfectly... Unfortunately no such single product can do the job these days. You must use some type of H.I.P.S. within your layered defenses, otherwise you will keep suffering (your friend too). While BOClean is very good, it is nowhere near powerful enough to fully protect against all current attack vectors...
Consider PREVX... It offers a quiet mode and the benefit of a dynamic online assessment process. It is also a HIPS offering capabilities similar to ThreatFire, although ThreatFire triggers too many FPs with key loggers, which has made my life miserable with inept users who panicked when warned of possible keyloggers. Personally I prefer it over many other tools recommended here. Those who disagree tend to be the cheapies who never pay willingly for anything... or are the developers of competing utilities... (Boy do I like to stir the pot)
It will be hard to get him a good solution that protects him, as you no doubt know from your work.