Trusteer Rapport

Discussion in 'other anti-malware software' started by JerryM, Oct 4, 2012.

Thread Status:
Not open for further replies.
  1. sbcc

    sbcc Guest

    OK, I read through the .pdf's of the tests Scoobs found - thanks again.

    I'm only going to discuss the most recent one, as it uses live malware and is from this year.

    http://www.trusteer.com/sites/default/files/Mandiant.pdf

    I found very careful wording used to describe what Rapport actually did, in fact there is a numbered footnote to explain specifically what the testing company is reporting on. I'd quote it here, but the .pdf is marked "confidential and proprietary" :rolleyes: so I guess that means you'll have to read it yourself.

    Please see page 9, read the paragraph under the table and also footnote 5.

    What I gathered from this is that Rapport prevented all 25 malware samples from communicating, terminated their malicious processes and prevented them from reloading at startup. It also notified the user OR logged the event MOST of the time (!) and Rapport itself was not disabled by any sample tested.

    Here's the problem for me: I didn't see anywhere that Rapport removed the malware, nor does it appear that Rapport was tested for prevention of initial infection. Rapport claims to do both in its marketing materials.

    So, I'm left wondering...is my antivirus or antimalware expected to handle detection and removal in some or most cases? Can it do so properly if Rapport has blocked the malicious software? How do I know, especially if Rapport doesn't log or alert every time it takes action?

    Please read it for yourself and decide.
     
  2. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Several pages of posts. I wonder at this point in time who is using Trusteer and with satisfaction?

    Although I can not be sure Trusteer was the culprit, and their Support was very responsive, I removed it from both computers and have not had hang-up problems since.

    I like the idea of such a program.

    Jerry
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    This footnote appears twice in the report.

    From this statement I can only say that remnants of the original infection still exist. Is that a problem? Possibly if the trojan modified critical system files.

    All these types of malware are nasty buggers. They often install hidden backdoors.

    There are two camps in this area. One camp says you're probably OK since the malware has been disabled; at least as far as performing malicious Internet financial activity. The other camp says these remnants will come back to bite you in the butt and the only way to get rid of them is to back up all your data, wipe your hard disk with a DoD approved wipe algorithm -or- get a new hard drive, and reinstall your OS and applications.

    Kind of emphasizes the need to always maintain a full disk or partition image backup to restore from.
     
  4. sbcc

    sbcc Guest

    Agreed. How can it be a good idea to leave, for example, modified system files in place, "disabled" or not? Is it tied to a chair in the basement, maybe...or what? Heck, I can go and rename a malware file and disable services. It probably won't run. Would anyone consider that removal? Is the system clean now? Rapport says it can detect and remove active components. Since that testing wasn't done, and the wording is so careful as to not mention it, then it leaves me hoping it does not interfere with other tools by hiding the malware from them or blocking removal attempts. I am not convinced that this is the case, based on brief personal experience.

    There are many quality tools that can actually remove a huge list of active malware components for serious infections - the modified system files, exploits, rootkits, etc. There are numerous examples of these tools here at Wilders, reasonably explained by their developers and researchers. They also discuss the limitations of the programs, the bugs that have been discovered, and they respond to feedback. We also see changelogs and lists of added detections/removals. With those tools, there is a reasonable expectation that your computer is protected against certain threats.

    Best of all, there are vendors who welcome thorough tests of all kinds - beta-tests, performance tests, and most importantly, careful testing in real-world scenarios with substantial malware sets by authoritative organizations. In other words, security products who openly acknowledge what they have now and where they intend to be in the future, and they back it up with independent, realistic data.

    It's been shown time and time again that being responsive to end users will result in a better product for everyone, with the side effect of strong customer loyalty.
     
  5. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I have just downloaded this program from my Bank today on their recommendation, but before installing it I thought that I would check it out on Google and came across the video by Neil Kettle at 44CON. I am in no way an expert at this but found the information presented broadly understandable and it seemed to demonstrate the naivety of the developers. I don't intend installing it and in any case it would not run with my software.

    The other problem I see with it is that the more it is installed, the bigger a magnet (such as IE is) it will be for malware to circumvent it - and they will.

    People who trust this implicitly are being foolish - I feel that much better protection is common sense.
     
  6. sbcc

    sbcc Guest

    I like the concept as well. If it will at some point perform as advertised, it's a "no-brainer", a "must-have". I'm sorry, Jerry, I'm going to turn this into a plea to Trusteer. Please forgive the hijacking - again.

    Unfortunately, it appears to be nowhere near "must-have". Trusteer needs to look at how other successful product developers, large and small, interact with end-users. There are many examples just within this sub-forum. Look at how the developers respond to end users, how they gain valuable insights into what causes errors, how end users will work hard to submit memory dumps and deliberately test untried patches to try to fix a product's shortcomings. Developers and users benefit directly from this somewhat open process. In return, the developers respond with straightforward answers about the strengths, weaknesses and areas currently being improved in their particular product.

    Another late night for me, so I must cut it short. Come on in, Trusteer. You'll be treated fairly and you'll get lots of complaints, but also valuable feedback (memory dumps, screenshots, other debugging). You'll also build trust with the people who fix computers, who recommend software, and who promote the things that work. As a rule, we like free, effective tools. Your profit center is the financial industry. Why not leverage highly skilled end users as in essence beta testers? We use it for "free", but we also give back at no charge. Many of us enjoy doing this and expect nothing in return other than an honest assessment of what's been fixed and what's coming up. We expect to see similar effort on your part - responsiveness, updates, patches, etc.

    Think about it, will you? We will be here for you, in fact as evidenced by what we as a community have done for numerous companies (just browse a few threads). We will test for you again and again - spend our time, put our systems at risk, etc. so you can achieve your goals. Line up some of us as beta testers and have us track down problems, especially the slow performance and perceived interference with other security software. Let's figure out how to make it all play nice together.

    I never got the first ball back. Here is a second, and final ball for you to play with. Awaiting your shot on goal.
     
  7. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Vojta, if you've been reading you'll see that whether Trusteer blocks common malware or not hasn't been called into question. It's how easy it is to bypass Trusteer, and whether or not they've fixed these problems, which have been described as 'fundamental'.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Guys,

    Let's settle this discussion:

    + It is great that banking corporations stimulate the use of security software.
    + Another bonus when they provided that additional software for free.
    + That software seems to do well in comparative tests

    The Dutch bank ING also provides Trusteer to (all) internet users, .....

    but let's be honest :p

    The knight on the picture only has one arm and one leg, so ....
    you can't blame Trusteer for having mediocre self protection :D
     

    Last edited: Nov 17, 2012
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,217
    Location:
    USA
    Finally the matter is settled - thank you! :cautious: :D
     
  12. guest

    guest Guest

    Windows 7 is a ~ Snipped as per TOS ~ because windows 3.1 was... same argument, no proofs
     
    Last edited by a moderator: Nov 17, 2012
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not even slightly the same.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,217
    Location:
    USA
    Would you please explain what this means? I see no correlation between the discussion about Rapport and the different versions of Windows.
     
  15. guest

    guest Guest

    Webroot had said several times that they were working together with MRG and Webroot software was fixed to block it
    Webroot fails again. It was even in the changelogs as somebody mentioned.

    http://www.mrg-effitas.com/wp-conte...Banking-and-Endpoint-Security-Report-2012.pdf

    Until somebody can prove that the current version of Trusteer Rapport can be easily bypassed (I wonder, if it's so easy, why nobody can prove it) all these posts are nonsense.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You seem to really want to believe that it isn't vulnerable. I don't know why, but it seems like the only explanation for believing Trusteer is not vulnerable is that you want to believe it - there's no reason otherwise, there's never been a statement saying they've fixed these issues, and their only statement surrounding the issues was an attempt to dismiss them or obfuscate the issue.

    The information has been posted. A 44 minute talk explained multiple flaws, some of which were design flaws. Trusteer at no point has stated they've fixed these flaws, and their response to the talk was then responded to again by the people behind the talk.

    It seems really simple, the only reason you'd believe it's been fixed is because you want to believe it - there's 0 reason to believe otherwise, no evidence to prove it's been fixed, but due to the nature of the attacks it seems unlikely they have been.

    Trusteer and users here point to malware in the wild. That is meaningless in the context of these attacks as malware in the wild (and test suites) have not tried to bypass it. It's not a question of whether it blocks the type of keylogging seen in the wild, we know it does for the samples we've seen. But, as the guy in the talk said, it's trivial to bypass it.
     
  17. guest

    guest Guest

    Trusteer said that they were going to look into it; if they found a problem the obvious action is to fix it.
    Since there is no proof that the current version of Trusteer is vulnerable, why do you want me to believe that it is?
    I believe in proofs, not in faith.

    BTW, although it is in my signature, I don't use it.
     