Trojan Protection with NOD32

Discussion in 'NOD32 version 2 Forum' started by Trooper, Apr 15, 2005.

Thread Status:
Not open for further replies.
  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Wow,

    So much information and forethought has gone into this thread. I really appreciate everyone's comments. :D

    I still have not decided what to use yet, however I am leaning towards BO Clean due to its low resource usage.

    I still need to get a good software firewall too. I am behind a Linksys BEFSX41 router and for the time being, am just using the Windows firewall. (I know not great, but better than nothing). I'm trying to decide on what firewall to use, again, something with a small footprint, especially because I am a gamer. ;)

    I've tried Sygate and Look N Stop in the past, I may give ZA a shot but not sure since I have heard some negative things about it like conflicts with other programs and it being a resource hog.

    Currently I have...

    Windows XP Pro w/SP2 and all up to date hotfixes.
    NOD32 for AV
    Custom Hosts file found here.
    Spybot Search and Destroy
    Spyware Blaster
    Lavasoft Ad-Aware
    MS Antispyware
    Analog X Script Defender

    So I figure I have a half way decent setup, but I want a firewall and some type of anti trojan/malware protection.

    Again, thanks to all for your comments and feedback. I love this site!

    Regards,

    Jag
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am using ZA Pro with:

    KAV 4.5 (and NOD32)
    Ewido (and/or BOClean)
    RegDefend
    UnHackMe
    ProcessGuard
    RegDefend

    I am running Windows SP2 with 512K. This setup has never had any conflicts. However, I do run Ewido (which I consider equivalent to BOClean in this setup) instead of BOClean, because for some unresolved reason, BOClean spikes in resource usage (much more than Ewido) when ProcessGuard is installed. Others have reported similar behavior. Also, when I run BOClean, and forget to shut it down before I shut down my system, my system does hang.

    The two ATs where I have experienced conflicts are:

    1) TrojanHunter (which I use on-demand from time to time just for fun)
    2) TDS-3 Exec Protection (I use TDS-3 as my primary on-demand Trojan remover).

    Rich
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Jag,

    I think I speak for all the contributors - it's our pleasure to help.

    You have a decent router, a software firewall can wait and depending on your gaming needs, you may want to skip it altogether. Whether you need/desire a software firewall depends on a lot of factors, but I personally feel it is one of the last layers to add (assuming a router is present) and first layers to go. Others may differ on that point, although from a load-balancing perspective, it's fairly clear a router should come first if the question is software firewall vs. router. The router provides all the in-bound blocking that you need. The only things that will get through are those that are requested from the user side. The only question is whether you've initiated the request. If NOD32 is in working order and decently configured, you should be fine.

    I'm a BOClean fan and appreciate its low resource footprint and minimalistic mentality. The home licensing terms don't hurt either (the license is for under 5 PC's in a family residence, see here).

    You have a very decent group of applications. You should be well protected.

    Blue
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Blue,

    I agree with everything you say. My experiences are this:

    In the past, where there have been holes in my security, I have been penetrated (my son's machine even more so). It was very, very costly for me. I have changed my surfing habits, as the security risks became more clear to me, and I have asked my son to do the same - and he has. But even so, there are times when simple browsing with Google can end up in trouble. Many users may not even know that they have been penetrated, simply because the security tools that they have in place do not detect the situations. So I opted for:

    1) More conservative browsing
    2) Using non-Microsoft tools (e.g. Firefox and Thunderbird)
    3) The best pro-active defense I can find

    For me it is worth it, since one security penetration would cost me much more in time and money than running these tools. One other thing that you alluded to - system instability. This is certainly very true. An early version of Prevx mangled my registry and I had to do a total restore. Since then, I now keep an image copy of my system on an external harddrive using Image For DOS. Total cost is $100, but again it is well worth it to me. Recently, I thought I may have a problem (but probably not). I really didn't want to take a chance, so I just did the image restore. More peace of mind.

    Everyone is different. I guess the more one experiences security problems, the more cautious one becomes in life. Just recently, I was casually browsing and I caught a bad trojan which KAV 4.5 promptly neutralized. Who would have guessed?

    Cya,
    Rich
     
  5. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    We use NOD and BOClean on a gaming machine used by a bunch of teens; no noticeable effect while gaming with both real time scanners running.

    Actually over the last 6 months NOD has stopped everything on that machine that is used by a bunch of teenagers who don't always practice the best computing habits on the Internet.:)
     
    Last edited: Apr 16, 2005
  6. olaha

    olaha Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    19
    Do you know if there are plans to improve the trojan detection in future versions of NOD32? Is it better in 2.5 than 2.12.3?
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,899
    Location:
    Texas
  8. olaha

    olaha Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    19
    NOD32 captured this in an e-mail earlier today: Win32/TrojanDownloader.Small.ZL trojan. Thank you NOD!
     
  9. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Also the NOD HTTP scanner provides additional benefits on the game machine that is used by a bunch of teenagers that don't always practice safe computing habits. The following is a sample of the virus log showing just the NOD HTTP scanner results over several days that the HTTP scanner stopped from even downloading to the machine.

    JS/TrojanDownloader.IstBar.A trojan connection terminated
    Win32/TrojanDownloader.Agent.BP trojan connection terminated
    Java/Exploit.Bytverify.F trojan connection terminated
    Multiple infiltrations connection terminated
    HTML/Exploit.ObjData trojan connection terminated
    Win32/Dialer.NAD trojan connection terminated
    Win32/TrojanDownloader.OTXloader.A trojan connection terminated
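    Added example (editor's note, not code from the thread or from ESET): a small parser that turns log lines in the shape quoted above into counts by threat type, platform and action. It relies only on the Platform/Type.Family[.Variant] naming pattern visible in the quoted lines; the sample input is constructed from those lines plus the e-mail catch mentioned earlier in the thread, and the handling of unparsed lines such as "Multiple infiltrations" is an assumption about how one would want to triage them.

```python
import re
from collections import Counter

# Constructed sample, in the shape of the NOD32 v2 HTTP-scanner log lines quoted
# in the post above (threat name, optional "trojan" qualifier, action taken).
# The e-mail catch quoted earlier in the thread is included as a line without
# an action, to show that the parser tolerates it.
SAMPLE_LOG = """\
JS/TrojanDownloader.IstBar.A trojan connection terminated
Win32/TrojanDownloader.Agent.BP trojan connection terminated
Java/Exploit.Bytverify.F trojan connection terminated
Multiple infiltrations connection terminated
HTML/Exploit.ObjData trojan connection terminated
Win32/Dialer.NAD trojan connection terminated
Win32/TrojanDownloader.OTXloader.A trojan connection terminated
Win32/TrojanDownloader.Small.ZL trojan
"""

# Detection names in the quoted lines follow Platform/Type.Family[.Variant];
# the trailing "trojan" qualifier and the action text are optional. Lines that
# do not fit (such as the "Multiple infiltrations" summary line) are reported
# as unparsed rather than silently dropped.
THREAT_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)/(?P<type>[A-Za-z]+)\.(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:\s+trojan)?"
    r"(?:\s+(?P<action>.+?))?\s*$"
)


def parse_line(line):
    """Return a dict with platform/type/family/variant/action, or None if the
    line is not a single detection-name entry."""
    m = THREAT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate a block of log lines by threat type, platform and action."""
    by_type, by_platform, by_action = Counter(), Counter(), Counter()
    unparsed = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        by_type[rec["type"]] += 1
        by_platform[rec["platform"]] += 1
        by_action[rec["action"] or "(no action recorded)"] += 1
    return {
        "by_type": by_type,
        "by_platform": by_platform,
        "by_action": by_action,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

    Run against the constructed sample it reports four TrojanDownloader hits, two Exploit hits and one Dialer, all with the action "connection terminated" except the e-mail catch, and lists the "Multiple infiltrations" line as unparsed so it is not lost in the counts.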
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Blue et al,

    Thanks again for the GREAT feedback I have received on this thread. I could really not be any happier than what I am right now. :D You guys are the best on this forum.

    Just so you all know, I decided to pull the trigger today and so I purchased BO Clean. Seems pretty sweet, runs in the background using minimal resources, kinda like NOD32. :)

    I will take your advice on the software firewall Blue, perhaps I will just try to lock down XP a bit more, and wait awhile on the software firewall. I know they are great, and I would like to know what is "trying to connect" to the internet, but I also want to keep performance up on this pc. I will say however that I will not compromise security for system performance. I never do, and never will. I just try to find the right balance of protection and performance that keeps my rig running smoothly, while also allowing me to fill my gaming needs. ;)

    Thanks and Regards to all,

    Jag
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My pleasure Jag.

    For the record, I do have Outpost Pro installed on my machines at home - the family license (basically 5 machines for the price of 2) was a major driver.

    My older son is a semi-hardcore gamer and doesn't have any performance issues, at least that I know of, with Outpost - he also runs the NOD32/BOClean combo, as do a number of other folks around here.

    I use Outpost for pure outbound application control. Ran for quite some time without it with no problems. Once the application rules are set, I leave it basically in the background - checking on things every couple of months.

    It's also good to stage system changes as you are now doing. It's a lot easier to debug system problems or performance drains since the latest installation is generally the unambiguous culprit - alone or with the help of some of the other installed applications.

    Put your system through the wringer and see how it holds up. That's a good way to get a feel for how it all comes together.

    Have a great weekend!

    Blue
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Good choice. Be aware that the author of BOClean recommends (in at least some cases) going into NOD32's configuration, and excluding the entire BOClean directory, as well as the BOC412.INI file in your Windows directory (usually C:\WINDOWS\BOC412.INI; just hit WinKey+F and search for %SystemRoot%\BOC412.INI).

    And due to a shortcoming in NOD32, if you do this, you will have to exclude the BOClean path using both the short file-naming convention, and the long (that is, exclude C:\PROGRA~1\NSCLEAN\BOCLEAN and "C:\Program Files\NSClean\BOClean", or whatever your BOClean directory is).

    If you don't have any problems, though, never mind...
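    Added example (editor's note, not code from the thread, from BOClean or from ESET): a path matcher that shows why the post's advice to list both spellings matters. It assumes the exclusion list is matched literally and case-insensitively, with no translation between 8.3 and long names, which is the behaviour the post describes. The 8.3 generator is an approximation with a fixed "~1" tail (the real short name comes from the file system and its numeric tail depends on neighbouring entries), and the file name "somefile.dat" used as a probe is hypothetical.

```python
import re
from pathlib import PureWindowsPath


def approx_short_name(component):
    """Approximate the 8.3 short form of one path component.

    Real short names are assigned by the file system and the numeric tail
    depends on what else is in the directory (GetShortPathNameW on Windows
    returns the true value); this approximation assumes a ~1 tail and exists
    only to illustrate why both spellings must be excluded.
    """
    if "." in component:
        name, ext = component.rsplit(".", 1)
    else:
        name, ext = component, ""
    plain_name = re.sub(r"[^A-Z0-9_]", "", name.upper())
    plain_ext = re.sub(r"[^A-Z0-9_]", "", ext.upper())
    fits_83 = (plain_name == name.upper() and len(plain_name) <= 8
               and plain_ext == ext.upper() and len(plain_ext) <= 3)
    if fits_83:
        return component.upper()
    short = plain_name[:6] + "~1"
    return short + ("." + plain_ext[:3] if plain_ext else "")


def approx_short_path(path):
    """Apply approx_short_name to every component after the drive."""
    p = PureWindowsPath(path)
    head, tail = (p.drive + "\\", p.parts[1:]) if p.drive else ("", p.parts)
    return head + "\\".join(approx_short_name(c) for c in tail)


def _norm(path):
    # Backslashes, case-folded, no trailing separator: the literal form that is compared.
    return str(PureWindowsPath(path)).casefold().rstrip("\\")


def is_excluded(path, exclusions):
    """Literal, case-insensitive path/prefix match, modelled on what the post
    describes: an entry for the long name does not cover the 8.3 spelling."""
    target = _norm(path)
    for entry in exclusions:
        e = _norm(entry)
        if target == e or target.startswith(e + "\\"):
            return True
    return False


def exclusion_entries(paths):
    """Both spellings for each path, deduplicated case-insensitively."""
    out = []
    for p in paths:
        for form in (str(PureWindowsPath(p)), approx_short_path(p)):
            if form.casefold() not in {o.casefold() for o in out}:
                out.append(form)
    return out


if __name__ == "__main__":
    boclean_dir = r"C:\Program Files\NSClean\BOClean"
    ini_file = r"C:\WINDOWS\BOC412.INI"
    # Hypothetical file inside the BOClean directory, as the scanner might see it
    # via the 8.3 spelling of the path.
    probe = r"C:\PROGRA~1\NSCLEAN\BOCLEAN\somefile.dat"
    print("long form only:", is_excluded(probe, [boclean_dir]))
    print("both forms:    ", is_excluded(probe, exclusion_entries([boclean_dir, ini_file])))
    print(exclusion_entries([boclean_dir, ini_file]))
```

    With only the long form in the list the 8.3 spelling of the same file is not excluded; exclusion_entries adds the short spelling for the directory and, because BOC412.INI already fits 8.3, emits that entry only once.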
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Blue,

    Thanks for the feedback. I have tried Outpost before but got some good ole BSOD while trying it, not sure if you have ever experienced that at all. o_O

    Nameless, thanks for the tip. I am curious however as to why they recommend setting up exclusions. So far I have not had any problems. Do you know when they could occur? Is it during a scan perhaps?

    Let me know.

    Thanks,

    Jag
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Jag,

    I've never had an Outpost based BSOD - go figure - that's why we trial these things.

    On the exclusions, in the past you'd see AMON constantly respond to BOClean files. The exclusions took care of that. Curiously, I'm not seeing that behavior on the beta. I'm running with default settings.

    Blue
     
  15. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Blue:

    AMON now has this feature:

    Optimize scanning - enables use of cache. When enabled, any file will be checked by AMON only once until it has changed.

     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Blue,

    Thanks again for the help. I never really checked out what AMON was scanning and I can see it was scanning all of the BOClean files so I set up the exclusions. So thanks to you and nameless for that one. :D

    I also noticed it constantly scanning the GCASDTSERV.EXE file from the MS Antispyware program. So I added an exclusion for that file, just FYI.

    I am not running the beta version of NOD32, I think I will wait until it goes final. I am however testing it in a VM Ware session as well as Virtual PC. So far, so good.

    I am using NOD32 version 2.12.3 with Blackspear's recommended settings however. I had no exclusions setup until this evening tho. :rolleyes:

    Thanks again to all for the help here. I also failed to mention that I use Firefox for my web browser, which by the way is now updated to version 1.0.3 so be sure to upgrade!

    Jag

    P.S. Have a great weekend yourself!
     
  17. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    Jaguar, try using CounterSpy (trial version) instead of MS AntiSpyware. It is definitely better. It can find spyware that MS AntiSpyware can't.
     
  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    I am not familiar with CounterSpy. I have heard of it tho. I thought I remember hearing that it gave out too many false positives however. Altho I could be mixing it up with another program. :p
     
  19. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    On my system, the reason for the exclusion was more serious than just files being scanned repeatedly. I was actually having total system freezes. Somehow, the freezes were caused by NOD32 scanning the BOClean files in real-time (i.e. with its AMON component).

    In any case, excluding all BOClean files from NOD32's AMON component solved the problem completely. I should also point out that this was what Kevin--the author of BOClean--advised.

    If your system runs fine, though, I don't think I'd worry about excluding BOClean.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    See this post for further information on CounterSpy.

    Hope this helps...

    Cheers :D
     
  21. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    Blackspear, finally I purchased CounterSpy. It looks like MS AntiSpyware but the database is stronger. Really, I checked it and it is very good. It has found 2 keyloggers that other antispyware programs couldn't find.
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to hear.

    Cheers :D
     
  23. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    I just don't have any firewall on my PC. I think that NOD32, CounterSpy and TeaTimer are enough. Generally I don't like firewalls :) What do you think?
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Not good at all, try ZoneAlarm FREE, it is really simple. At the moment you are playing chicken on a large multilane highway, it's going to be very messy... Time to get a firewall my friend.

    Cheers :D
     
  25. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    :eek: :eek: :eek: :eek:

    Can firewalls reduce the speed of my internet? (DSL)
     