Threatfire or BoClean to complement Eset 3.0 AV

Discussion in 'other anti-malware software' started by trjam, Nov 14, 2007.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Just curious to see which you feel might complement the new Eset 3.0 AV better and why. Thank you.
     
  2. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    I prefer OA free :D
     
  3. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    please keep this on topic to the 2 products specified. Thanks.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I use BOClean to complement my avast because I'm not sure if ThreatFire would really protect me or if it would just give me a HIPS-like alert.
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I've always been a little confused as to what exactly BOClean does though. From my understanding it waits for malware to execute to try to catch it? Also, what does it provide protection from? Is it just trojans or does it include spyware too?
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    My (possibly very flawed) interpretation of what BOClean is: it's a blacklist scanner that only scans memory. It waits for processes to execute themselves, then scans the code that is loaded into memory. Doing this has the advantage of being impervious to runtime packers, which is the most common method to generate "new" malware today. On the other hand, that's about all it's good for. Plus once a process starts running, it has control over the environment, and there's no guarantee BOClean can correctly intercept the executable code when it begins.

    ThreatFire relies on the actions a process takes, combined with a black/whitelist to reduce FPs and immediately quarantine known malware right off the bat. Like BOClean, this approach renders TF immune to executable packers, or code obfuscation, or new variants, unknown malware etc etc etc. As long as it's a malicious process, then it is sure to perform a series of actions to install/propagate itself and deliver its payload. No matter how it tries to obfuscate its code, or even if the code is entirely unknown altogether, it can still be reliably identified by the actions it tries to perform.

    To answer the original question, TF wins hands down. In the short period of time that I tried it, BOClean appeared to be nothing but another blacklist scanner, which means it doesn't compare to the level of protection a behavior blocker like TF can provide.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Thank you, solcroft, that is a positive review from you and Stefan today, and that is good enough for me. :thumb:
     
  9. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Basically.

    Blue
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd like to know what trigger BOClean uses to start scanning memory. If the scanning is too quick, the "real code" is still obfuscated by the runtime packer(s). If the scanning is too late, malware has control of the machine. If I'm going to play this risky game (letting malware execute) I'd choose a non-signature app over a blacklist scanner in a heartbeat.
     
  11. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    Your question reminds me of this: A patron asks a waiter, "Is beer or red wine a good complement to my steak dinner?" Wine and beer are both alcoholic beverages, but they serve different purposes and occasions. So are the two apps you have asked about. ThreatFire is a behavior blocker while Boclean is an anti-trojan; both are anti-malware all right, but the scope of protection is different. A good question you have put forward, however a tough reply to be given to you. I would take both apps, then I will feel more secure. By the same token, I would consume both beer and red wine so that I can get drunk quickly. :p
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exactly. :D

    How does BOClean tell when the unpacking routine ends and control is handed over to the executable code? I have no idea. However, I do remember seeing an option in BOClean that lets the user specify the time interval in seconds to scan memory, and I have this suspicion that BOClean lets malware execute FIRST - giving it a chance to deliver its payload - and then cleans it up, instead of intercepting the execution in the first place. A risky gamble at best.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    So if it seems that BOClean is such a poor blacklist scanner, why is there such a following on Wilders?
     
  14. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I think BoClean still has its loyal followers here because of the contribution of its developers more so than the app's usefulness against the malware of today...
     
  15. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Well, how useful is BoClean against today's malware?
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I'm still using it quite often on infected systems to "automatically" mop up baddies. I love watching it battle it out with Trojans... When that fails I often have to do it manually, which can prove tedious and time consuming. I find its malware reporting to be a bit minimalist (Aftermath report).
    Recently it killed an UltraVNC Server installation as it detected it as a remote trojan. Pissed me off royally as it created a massive amount of work for me.

    As to your question, personally I think it is still very relevant software and it remains as effective as can be considering the varied malware of today and their multiple complex attack vectors! :thumb:

    However, I would consider PREVX or some type of HIPS as it would allow for more process-by-process protection together with file scans. I personally like PREVX because it is interactive within its user base with a huge database of malware, thus providing more relevant protection. Even though it is whitelist/blacklist based it also offers realtime activity monitoring and it works.
     
    Last edited: Nov 15, 2007
  17. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    How big is BoClean's database of malware? What does it actually include? Will it protect against the latest spyware/trojans trying to install via drive-by downloads?

    I'm trying to figure out a quiet solution for a friend who keeps getting infected with all sorts of garbage. He is an ordinary user and wouldn't want his security solution to be chatty. I'm wondering if BoClean is going to provide an extra layer of protection given AVs already have support for packers.
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    For this, check Lonewolf's post; he already answered this question:
    https://www.wilderssecurity.com/showpost.php?p=1117102&postcount=6

    If you are worried about web site driven infection perhaps you want to read a page I created for my web site:
    Web Browser Security http://www.hermes-computers.ca/index.php?pid=46
    This article offers a layered approach with good advice on what to do, in terms I think are simple enough for most to understand easily.

    I think you are dreaming if you hope to find a quiet all-in-one solution that works perfectly... Unfortunately no such single product can do the job these days. You must use some type of H.I.P.S. within your layered defenses, otherwise you will keep suffering (your friend too). While BOClean is very good, it is nowhere near powerful enough to fully protect against all current attack vectors...

    Consider PREVX... It offers a quiet mode and the benefit of a dynamic online assessment process. It is also a HIPS offering capabilities similar to Threatfire, although Threatfire triggers too many FPs with key loggers, which has made my life miserable with inept users who panicked when warned of possible keyloggers. Personally I prefer it over many other tools recommended here. Those who disagree tend to be the cheapies who never pay willingly for anything... :D or are the developers of competing utilities... (Boy do I like to stir the pot :shifty: )
     
    Last edited: Nov 15, 2007
  19. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks Hermes,

    It will be hard to get him a good solution that protects him, as you no doubt know from your work :p
     