Which Anti-Trojan program would be good for me?

Discussion in 'other anti-trojan software' started by Tuskero, Oct 16, 2002.

Thread Status:
Not open for further replies.
  1. Tuskero

    Tuskero Registered Member

    Joined:
    Oct 16, 2002
    Posts:
    2
    Hello everyone :D

    I am very new here, and have a question regarding Anti-Trojan software. I have surfed around looking for one, and BOClean and Pest Patrol have caught my attention. But I just don't know which AT program to buy.

    I already have Norton Internet Security 2003 installed, but it appears I will need something more to protect from Trojans.

    Any advice, comments etc. are more than welcome.

    I am glad I found this site :)
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Tuskero and welcome to Wilders, Home of the friendly security conscious. :D
    You can go here and get some good reviews on several programs.
    BO Clean is good, TrojanHunter is good, and TDS3 is best, but it does have a bit of a learning curve and some find it daunting.
    Unfortunately, it looks like Pest Patrol is turning into a lot of hype, but no substance. Too bad as it once showed promise.
    We're glad to have you here, and I accept the fact that my opinion is just the opinion of one person, but I have been a security buff for a few years now and I try not to steer anybody in the wrong direction.
     
  3. DrSeltsam

    DrSeltsam Guest

    >BO Clean is good

    I won't use BOClean. I think PSC and some others know why...

    >TrojanHunter is good

    Agree.

    >Unfortunately, it looks like Pest Patrol is turning into a lot of hype, but no substance. Too bad as
    >it once showed promise.

    PestPatrol still has quite a weak engine and many, many false positives.
     
  4. Tuskero

    Tuskero Registered Member

    Joined:
    Oct 16, 2002
    Posts:
    2
    Thank you guys for the fast response. I will be downloading Trojan Hunter to check it out :)
     
  5. CARCHARODON

    CARCHARODON Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    68
    Location:
    Portland, Or. USA
    I'll bite.. why?
     
  6. FanJ

    FanJ Guest

    Andreas,

    With all due respect, I nevertheless have to say that I have a problem with one software creator criticizing the product of one of his/her competitors here.
     
  7. DrSeltsam

    DrSeltsam Guest

    Sorry, but English isn't my native language ;o). The sentence doesn't make sense to me :eek:). "Ich werde beißen" - are you trying to eat me? ;o) Perhaps someone can say it in other words? :eek:)
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Andreas,

    He means he's interested as to why you made that statement.

    You're welcome to post - on all subjects. If so, please keep it factual, without starting a flame war or provoking one.

    Thanks in advance.

    regards,

    paul
     
  9. DrSeltsam

    DrSeltsam Guest

    OK - first of all, I won't provoke anyone :eek:). If it sounds so, please remember English isn't my native language...

    A while ago, wizard did a test of BOClean (http://www.rokop-security.de/main/article.php?sid=21). There was one point:

    a) Während der BioNet Trojaner problemlos erkannt wurde, übersah BOClean den neu gepackten Y3k.

    (While the BioNet trojan was detected with both variants, BOClean missed the newly packed Y3K)

    A little bit later I found another test http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests-2.htm ...

    There you will find a little note:
    Re-test Notes: In the initial tests run with Update 03/13/2002 23:31:28, BOClean detected only two of the trojan servers (Unpacked and default Packed). Once Update 03/17/2002 23:17:00 was applied, BOClean detected all six trojan servers.

    I wanted to know if this is so with every trojan. So I bought a version through a friend and did a huge test. I collected about 100 servers that BOClean DEFINITELY detects. Then I put them into one dir and ran upx *.*. After that nearly all were UNDETECTED (5 of 100 were found later). Later I found out why some were detected and why some were not. BOClean has some signatures of packed trojans in its database (mostly for common backdoors like bionet or subseven).

    I asked PSC several times if BOClean is a MEMORY SCANNER. They said yes. I asked for the advantage of memory scanners. They said the possibility to detect ALL variants of a known trojan even if it's packed or crypted. But the tests say something completely different.

    I tried to find out how BOClean works. I found something very interesting. If you run BOClean and start a program, BOClean performs several read accesses to the program file. This can be checked easily using FileMon, for example.

    At this point I think: "LOL, BOClean doesn't scan the process memory itself, it only scans the process file."

    I tried a little bit more. I dumped the process memory of BOClean to look at the decrypted signature table. A signature entry looks like this:

    seMILH00TSK#SUBSEVEN 2.2.3#!]AsIsB$#52166#

    The first entry is the signature type. There are many types - for example for "trace scanning" :eek:). The second part is the name of the trojan. The third part is the signature BOClean scans for. The last is the offset BOClean scans at.

    I wanted to substantiate my guess and looked at a trojan BOClean detects as SUBSEVEN 2.2.3. I jumped to the file offset 52166 and what did I find there? Yes, I found the string: "!]AsIsB$".

    Now my own personal conclusion from these facts:

    1. BOClean isn't a memory scanner. In fact it's a file scanner. It simply works like every AT guard (ANTS 2.0, TauScan Guard etc.).
    2. BOClean isn't able to detect ANY packed or crypted trojan. Why else should BOClean have special signatures for repacked trojan variants?
    3. PSC defrauds his own customers.

    That is why I won't use BOClean.

    By the way:
    I gave this information to Paul a few months ago. Paul and I confronted PSC with these facts. I didn't get an answer (I don't know if Paul got one). PSC didn't change anything and continued his "game". I never reverse engineered BOClean - just monitored it.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Indeed we have been informed concerning this "issue". It seems appropriate to me to leave it to the software vendor, PSC, to answer here. PSC has been informed about this thread in the meantime.

    regards.

    paul
     
  11. To help clarify the "issue": Andreas is one of our competitors, and there are personality issues involved here. That said, we looked into this problem quite some time ago and YES, there were some problems in the memory scanning which we've fixed quite some time ago. Andreas does NOT understand how BOClean works and his interpretations of the data he sees are not properly analyzed.

    Yes, BOClean includes file examination functions as part of its database structure since trojans will execute in memory and ALSO make backups of themselves elsewhere in the file system. A portion of the database structure is used after detection in memory to examine other areas looking for stray portions of the trojans in other locations as well as for cleanup purposes after the fact.

    Without giving away our design secrets (which was the BASIS for all this) the first part of BOClean's database looks for entries in INI files and BAT files based upon behaviors of trojans. Other sections look for specific trojans that are locked in older non-extractable formats where the trojan could indeed be spotted by its FILE signature. Other sections look to registry patterns, DLL signatures and other means of identifying trojans. In addition, specific file patterns of potential false alarms are also used to determine whether or not a trojan is a trojan or a legitimate program that could have accidentally set off BOClean.

    If one examines our trojan list, you'll see that the entries appear to be repeated groups of names in alphabetical order that seem to keep repeating. Each of these "repeats" is a different set of "behavior" profiles. BOClean does indeed test memory, although in our 4.09 version and shortly after release of 4.10, there were indeed problems with UPX 1.20 that were based on offset shifts that could not be covered in BOClean 4.09. Once we had everybody replaced with the 4.10 version, these offset difficulties no longer posed a problem.

    But what we have here is one person's animosity because we wouldn't turn over years of our research when it was demanded by a competitor. I'll leave it at that.
     
  12. DrSeltsam

    DrSeltsam Guest

    >That said, we looked into this problem quite some time ago and YES, there were some problems in
    >the memory scanning which we've fixed quite some time ago. Andreas does NOT understand how
    >BOClean works and his interpretations of the data he sees are not properly analyzed.

    I do - I did the test mentioned above with BOClean 4.10. If you want, I will send you the test set. I will upload it and make it public - no problem :eek:).
     
  13. Thanks for your kind offer, but we've already collected your "packed/unpacked" collection from YOUR server a few months ago. You did indeed spot a flaw in our design with respect to UPX 1.20 and we fixed it quite some time ago. And yes, I APPRECIATE your efforts in pointing it out.

    However your analysis of BOClean from the database you collected is highly CORRUPTED and does not contain the actual structures so any interpretation of the corrupted data you presented lacks just on that basis alone. I know what's in our database and how it's constructed and it is NOT as you claim, nor does BOClean function as you claim. I can understand though that there's a competitive edge to be gained by bashing others, sorry - I just don't want to play.
     
  14. DrSeltsam

    DrSeltsam Guest

    >Thanks for your kind offer, but we've already collected your "packed/unpacked" collection from
    >YOUR server a few months ago. You did indeed spot a flaw in our design with respect to UPX 1.20
    >and we fixed it quite some time ago. And yes, I APPRECIATE your efforts in pointing it out.

    There are a few problems with TELock, too... UPX works well now (but as I said - I always used BOClean 4.10).

    >However your analysis of BOClean from the database you collected is highly CORRUPTED and does
    >not contain the actual structures so any interpretation of the corrupted data you presented lacks
    >just on that basis alone.

    As I said - I didn't reverse engineer it - just monitored it.
     
  15. DrSeltsam

    DrSeltsam Guest

    The same with armadillo ... .
     
  16. controler

    controler Guest

    Re: Which Anti-Trojan program would be good for me?

    Oh boy oh boy oh boy!! This is good, not bad. :D
    I for one don't see any problem with weaknesses made public.
    Everybody does it here. Not many have one good thing to say about Microsoft. What has become of this previously private debate?
    One product has been improved. That is the main thing here.
    I overlook a vendor if they have a bug or problem with their software
    if they do not know it exists. I do have a problem if they know the problem exists and do not try in the least to remedy it. The nature of the beast is to let things slide.
    I must say good job, Andreas. I respect your knowledge.
    Thank you Bo-Clean for improving your product and posting.
     
  17. Gladiator

    Gladiator Guest

    jesus christ.............. :eek:

    AS YOU SHOULD KNOW, ANDREAS (if you are really so good), FILEMON (from www.sysinternals.com) has CACHE PROBLEMS with the NT system - and you are using Windows XP, an NT-based driver operating system.

    That means filemon DOESN'T monitor ALL accesses made to files.
    It's the filemon driver (yeah, that *.sys thing :D) that causes this issue.

    AND IF YOU LOOK IN THE SOURCE (yes, the Driver Dispatcher for IO_Requests where all calls from user mode are handled) YOU WILL MISS A SOURCE CODE LINE THAT DISABLES THAT NT CACHE ISSUE.

    And of course it's possible to do Memory Scans with a "classical" Filescan routine. YOU CAN ENUMERATE PROCESSES AND THEN USE THE 'CreateFileMapping' Function or some custom replacement.

    AND I'm NOT A GUY FROM BOCLEAN.
    No, but I don't accept here that some people are always choosing trouble for personal ego reasons. :mad:

    Best regards
    Gladiator

    EDIT: somewhat flaming text removed, as well as references to Gladiator software. Please open a new thread to discuss last mentioned software
     
  18. Scotcov

    Scotcov Guest

    Posts such as the one from Gladiator are the reason that I stick with Wilders Forums and software reviews. Your moderators and members show knowledge without the need to curse and flame. THANK YOU Paul and staff! ;)
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    All who joined or wish to join this thread (and any other for that matter): NO flaming, abusing etc. tolerated.

    Plain facts and discussing these facts in an adult way is what we prefer over on this board - and will keep the thread factual and on topic.

    regards.

    paul
     
  20. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hello Everyone!

    For the sake of clarity I'd like to quote the New Member who started this thread because it appears to be swerving off topic in many respects!

    He wants examples of good quality, most likely Gold, Antitrojan software. I sent two suggestions to him by IM. I will now put them here.

    Newbie Friendly and easy to use but effective = TrojanHunter

    Harder to use but one of the best = Trojan Defense Suite 3.++

    I suggested he try them and choose the one with which he is most comfortable. I remember being a newbie at all this stuff. (Over-the-top is not required here.) Thanks.

    Best regards from Larry! :)

    P.S. Thank you Paul! In the time it took me to write this, you made your post. I fully agree with you. Now, does anyone have some positive information on antitrojan programs, they could provide? :)
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Larry,

    Thanks for the support ;)

    Actually, root did post the same suggestions earlier on in this thread as you did. Other suggestions are welcome as ever ;).

    regards.

    paul
     
  22. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    May I suggest that Gladiator's entire, totally offensive post, be removed? Please.

    ......bellgamin
     
  23. DrSeltsam

    DrSeltsam Guest

    >AS YOU SHOULD KNOW ANDREAS, (if you are really so good) is that FILEMON (from
    >www.sysinternals.com) has CACHE PROBLEMS with the NT System - and you are using
    >Windows XP, a NT based driver operating system.

    *lol* - quite easy, Michael. I didn't want to see ALL read accesses - I simply wanted to see IF BOClean does any reading of process files.

    >AND IF YOU LOOK IN THE SOURCE (yes, the Driver Dispatcher for IO_Request's where all
    >call's from the usermode are handled) YOU WILL MISS A SOURCE CODE LINE THAT DISABLES
    >THAT NT CACHE ISSUE.

    Yep - exactly :eek:).

    >And of course it's Possible to do Memory Scan's with a "classical" Filescan routine. YOU CAN
    >ENUMERATE PROCESSES AND THEN USE THE 'CreateFileMapping' Function or some custom
    >replacement.

    Hmmm - I think OpenProcess and ReadProcessMemory would be more effective...

    >No, but i don't accept here that some people are allways choosing trouble for personal ego
    >reasons. :mad:

    As you, perhaps? I just listed a few facts that are right, as Kevin said. You may try it for yourself. The last test was done with upx 1.2. BOClean reacted and fixed the error (using a fixed-offset memory scan). But there are still many packers that make trojans undetected for BOClean (Armadillo, some ASPack variants etc. etc. etc.). And that's why I won't choose BOClean.

    And then, sorry Kevin :eek:).

    >1. BOClean isn't a memory scanner. In fact its a file scanner. It simply works like every AT guard
    >(ANTS 2.0, TauScan Guard etc.).

    Definitely wrong (I took a closer look at the program itself). But you use a fixed-offset memory scan, and that is quite weak if you use some packer. TH had nearly the same problem, but it was solved using a different start point and not the imagebase as the start point.

    >2. BOClean isn't able to detect ANY packed or crypted trojan. Why else should BOClean have
    >special signatures for repacked trojan variants?

    The test was done with BOClean 4.10 as it was released a few months ago. There was a problem with upx 1.20 (that I used for testing), as Kevin said. I played around a little bit. If the scanner doesn't use a "copy memory" technology (like upx and most common crypters), BOClean would find it. If it uses one, BOClean won't find it (because the offsets change).
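The two technical claims in this thread, the four-field signature entry Andreas quotes in post 9 (type, trojan name, pattern, offset) and the post 23 exchange about a fixed-offset memory scan failing once a packer or loader stub displaces the body, can be made concrete with a small scanner. The code below is an added illustration written for this page; it is not BOClean's, TrojanHunter's or any vendor's code, and the only page-derived data in it is the quoted entry string. The "process image" is constructed NOP filler with the pattern placed at the stated offset, and the 512-byte shift that stands in for a packer stub is an assumed value, not a measurement of any real packer.

```python
"""Parse '#'-delimited signature entries and compare fixed-offset matching
with a position-independent search.  Added illustration for this thread,
not code from BOClean or any other product mentioned in it."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    sig_type: str   # first field: signature type (its meaning is opaque here)
    name: str       # second field: trojan name
    pattern: bytes  # third field: the bytes the scanner looks for
    offset: int     # fourth field: the offset the scanner looks at


def parse_entry(entry: str) -> Signature:
    """Split one entry of the form type#name#pattern#offset# into its fields.

    The trailing '#' closes the record, so a well-formed entry splits into
    five parts with an empty last one.  The pattern is encoded as latin-1 so
    every character maps to exactly one byte.
    """
    parts = entry.split("#")
    if len(parts) != 5 or parts[4] != "":
        raise ValueError(f"malformed entry: {entry!r}")
    sig_type, name, pattern, offset = parts[:4]
    if not offset.isdigit():
        raise ValueError(f"non-numeric offset in entry: {entry!r}")
    return Signature(sig_type, name, pattern.encode("latin-1"), int(offset))


def match_fixed(image: bytes, sig: Signature) -> bool:
    """Fixed-offset check: is the pattern exactly at sig.offset?"""
    end = sig.offset + len(sig.pattern)
    return end <= len(image) and image[sig.offset:end] == sig.pattern


def match_sliding(image: bytes, sig: Signature) -> Optional[int]:
    """Position-independent check: first position of the pattern, or None."""
    pos = image.find(sig.pattern)
    return pos if pos >= 0 else None


def scan(image: bytes, sigs: List[Signature], sliding: bool = False) -> Dict[str, int]:
    """Run every signature over one image; returns {name: hit position}."""
    hits: Dict[str, int] = {}
    for sig in sigs:
        if sliding:
            pos = match_sliding(image, sig)
        else:
            pos = sig.offset if match_fixed(image, sig) else None
        if pos is not None:
            hits[sig.name] = pos
    return hits


# The entry quoted in the thread (post 9).
ENTRY = "seMILH00TSK#SUBSEVEN 2.2.3#!]AsIsB$#52166#"
SIG = parse_entry(ENTRY)


def make_sample_image(sig: Signature, shift: int = 0) -> bytes:
    """Constructed stand-in for a process image: NOP filler up to
    sig.offset + shift, then the pattern, then padding.  A non-zero shift is
    a simplified model of the displacement a packer stub or a different load
    address introduces; it is not a real packed executable."""
    return b"\x90" * (sig.offset + shift) + sig.pattern + b"\x00" * 16


def demo() -> Dict[str, Dict[str, int]]:
    """Compare both strategies on an unshifted and a shifted image."""
    plain = make_sample_image(SIG)
    shifted = make_sample_image(SIG, shift=512)  # assumed 512-byte stub
    return {
        "fixed_plain": scan(plain, [SIG]),
        "fixed_shifted": scan(shifted, [SIG]),
        "sliding_shifted": scan(shifted, [SIG], sliding=True),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:16s} -> {hits}")
```

Running it shows the fixed-offset scan hitting at 52166 on the unshifted image, missing entirely once the body moves by 512 bytes, and the sliding search recovering the hit at 52678. The trade-off is the one both sides of the thread touch on: anchoring a pattern to an offset keeps false positives down (Kevin mentions separate false-alarm patterns for exactly that reason), while a position-independent search survives displacement but still only works on bytes that are actually present, so a body that is still compressed in the file has to be read from the running process (the OpenProcess/ReadProcessMemory route Andreas mentions) before either strategy can see it.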
     
  24. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I have Trojan Hunter and like it a lot. If you are looking for a "user friendly" out-of-the-box anti-trojan, Trojan Hunter is good. As for the other AT programs, I don't know much about them. I never tried TDS-3 or BOClean.
     
  25. DrSeltsam

    DrSeltsam Guest

    Yep - TrojanHunter is a very good scanner.
     