which is the best anti trojan ?

Discussion in 'other anti-trojan software' started by monica_84, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. monica_84

    monica_84 Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    31
    i am using nod anti virus and i want to know which is the best anti trojan software and also lighter in resources
     
  2. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    BOClean
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Monica, welcome to the forum.
    Is there a special reason why the resources are a matter for you?
    Choices depend so much on personal likes and dislikes on your own system.
    There are quite some discussion threads about exact this question in this forum, which you might like to read through, download and try on your own system.
    People will love to assist you with your questions and experiences.
    Wonderful that you want a special layered protection!
     
  4. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Hello monica_84

    We prefer to use the oldest and most thorough anti-trojan software when necessary. This is TDS3 found at this address.

    Try it and see! Out of the box it has wonderful functionality and does not need anything else but if one wishes there are a myriad of user settings available with extra tools to go with it.

    Hope this helps!
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Bear in mind that's an essential part of the question, ladies and gents ;)

    regards.


    paul
     
  6. Try Trojan Hunter...

    http://www.trojanhunter.com/

    VERY Light on resources, and it's a FULLY featured Anti Trojan that's both easy to use, and understand, and it has both memory scanning AND an on demand scanner...
     
  7. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I agree.

    If you want an AT that works with a minimum of user intervention and don't want to "bother" with a file scanner, BOClean is a good choice. It is extremely light on resources.

    TDS-3 and TrojanHunter are good choices if you want to do scheduled or on-demand file scans for trojans in addition to a resident monitor similar to your AV. They both also have other useful tools included, and are also worth checking out.

    My opinion is that an extra file scanner is redundant--but that's my opinion, and others will disagree for what to them are very valid reasons, so it certainly depends on how many/what features you are looking for.

    Best of luck, and have fun in your search!

    :)
     
  8. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    when i saw the topic... i knew the fight would be mainly btw BOclean, TDS and Trojan Hunter... i love the three of them... but to choose one... i would go for TDS for its memory scanning and also useful tools with it... to go with...
    but anyways... one can choose any 1 of these 3... best possible anti trojans out in the web....
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Shooter, someone pointed me to a rather annoying hole in the ThSec.dll. I really do hope Magnus will have this fixed real soon!. That said: I'm sure you agree until this has to be fixed first - not only for new customers, but for existing ones as well. A matter of time, I presume ;)

    regards.

    paul
     
  10. I already fixed it by downloading a replacement dll file for thsec from his forum... Magnus should update TH after he tests it pretty soon.. I'd say that was fast response, wouldn't you? :D
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I haven't been informed about a recplacement dll file - is it safe to assume no one but regular TH forum visitors are actually aware of the issue at hand - and a possible fix? As for a fast response: as for the forum regulars: yes. As for the vast majority of paying customers: not at all.

    Anyway, I for one am looking forward to an engine update. There's no doubt in my mind, Magnus will soon take care of this!. After that, we can test the new dll ;)

    regards.

    paul
     
  12. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I'm a fully registered TH user and i did not know about this .dll file. Seems to be a breakdown in communication somewhere along the line. I would think that registered users should know about any patches/improvements. Poor that the liveupdate doesn't have a way of telling you, and even worse that you have to rely on visiting the TH forum to find out!

    Lets hope the liveupdate is improved to let users know about version upgrades, patches and improvements.

    muf
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Pete,

    If I do read correctly, this seems to be an untested new .dll - and has only been published in the TH forum.

    Once more: I'm pretty sure Magnus will tackle the issue - I for one sincerely do hope so!

    That said: very few TH users actually visit the TH forum, and thus are totally unaware of the issue plus the temp fix available.

    regards.

    paul
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, I'm sure the fix won't be generally released until it's proven out in testing - that's as it should be.

    Listen, can we all kind of try to remember here that this is a win-win situation?

    Wayne (DCS) puts out APT for free - Magnus uses the program to discover a problem with TH - Magnus goes to work to fix the problem.

    Who won?

    Everybody!

    Wayne gets the satisfaction of knowing that his program helped
    someone else improve/make safer their program.

    Magnus got to find an error and fix it (and thus) - all users of TH benefit - and the Internet becomes a safer place for everyone.

    At least, that's the way it seems to me. Pete
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Pete,

    Let's keep DCS out of this discussion - in the end it's of no concern who detected the flaw; it could well have been you for that matter, and it's really of no importance.

    I for one do wish all decent software developers all the best - and that includes Magnus, Wayne, Kevin, Daniel, Mikheal, to name a few antitrojan developers.

    My concern in this - TH related! - discussion is stated above. No need to quote, I presume.

    regards.

    paul
     
  17. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    I’m really surprised that people are getting so upset about the supposed “problem” with TH Guards shutdown protection. The protection that currently exists is still better than any other AT’s built in protection as far as I’m aware. (Please feel free to correct me).

    Yes APT can shut down TH Guard. APT could shut down Process Guard using some of its techniques initially. But, I’m sure Magnus will continue to improve the protection for Guard just as Wayne has for PG. TH will still detect Trojans and still has a memory scanning module that is well protected. Plus it would seem, with just a few modifications people will be even better protected from attempts at forcibly closing Guard. Flawo_O?

    The THsec.dll file in question is currently under going beta tests and I’m sure Magnus will widely announce its availability once he feels it’s 100% ready.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I would like to read from the original questioner why light in resources is important.
    Is that the main importance or are other issues as user friendliness, set and forget, extra security also important issues?

    You'll find in the forum here each time the same three mentioned, BOClean, Trojan Hunter, TDS (in no specific order) as the top three to chose from and each depending on some personal circumstances and wishes.
    Try what you like, and at the moment you're close at deciding there comes TDS-4 Active Guard (currently in the build) to change your whole view and you can start again :)

    You can read many threads in this forum area and you will see each time the same kind of discussions, be it that now this time the one dll fix in the build is being mentioned.

    You will also see a couple of golden remarks and threads about developers discussing and helping each other, building more security or detection in their products. It's really nice to see the people working together and using each other's tools to enhance their own products too.
    I do know my choices which work nicest for me on my system, but it is all personal!
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Jooske,

    The need for extremely light on resources issue is one and the same that made the initial poster go for NOD32 - a cleary stated wish - no offense intended ;) TDS4 as at this moment not an option, and obviously there's a need for antitrojan protection now.

    Regen,

    Let me start with your last comment:

    I surely do wish this will happen - for the benefit all TH users ;). Nevertheless, I'm somewhat worried here.

    user-mode hooks could well be an issue here; they can be "undone" - contrary to kernel-mode hooks. Delphi/pascal (and that's what TH is all about) can only create executables and dll's - nothing in the kernel mode. Therefore, I'm kind of worried this THsec.dll (old or new) will be actually no real defense at all.

    now,

    I surely do hope and wish so!. In perspective of the above mentioned, it seems to me, this might very difficult to accomplish. Delphi/pascal does come with limits.

    regards.

    paul
     
  20. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    TrojanHunter is currently the only trojan scanner that has built-in protection against TerminateProcess and similar attacks (others rely on a second watchdog process or random file names) so it is beyond my comprehension why someone would argue that this feature of TrojanHunter is a reason for not chosing it.

    As for user-mode vs. kernel-mode: Any hook installed in software can also be undone by software. The procedure to remove a kernel-mode hook is the same as that for removing a user-mode hook. If the account being protected was a limited account in the first place then the protection wouldn't be necessary anyway. The thing about protection against these attacks is that it makes it much more difficult for malware to terminate the security program. It's not possible to get 100% protection, and it doesn't matter if it's done in user mode or not - but it's possible to make it very difficult for an attacker.
     
  21. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    IMHO it's almost ridiculous to discuss whether TH is sufficiently protected against TerminateProcess:

    1.
    It's not really important whether TH is protected against such an attack. Yes...anti-process termination is a nice feature. But that's it. If a trojan actually manages to terminate TH the user will get warned (at least in the long run) since the resident monitor will not work anymore. Be happy if this ever happens. Things could be worse. Imagine an undetected trojan which stays silent ...

    2.
    It's also funny that people talk about minor, potential vulnerabilities (like possible termination attacks) but do not take into account that the signatures of many AT scanners can/have been revealed (either because they are not encrypted at all or because the scanner's signature database was cracked).
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Magnus, good to seeyou join in! ;)

    It's an interesting discussion - I for one do hope for the benefit of all ;)

    As for your second remark user-mode vs kernel-mode): isn't SetWindowsHookEx merely a global hook?

    Debuggers should have no problem with a user-mode in general. Very few debuggers are able to reach the kernel - Win32dsam, OllyDbg, IDA - none of them can.

    I tend to disagree on:

    for reasons stated above. Open for discussion ;)


    regards.

    paul
     
  23. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    All it takes is a small driver and any advantage you think you have of doing something in kernel mode is blown away. There are already pre-made drivers that allow for access to the entire kernel memory so an attacker wouldn't even have to write his own. Like ano1 said, I think this whole discussion is blown way out of proportion... instead of discussing the fact that TrojanHunter is protected against TerminateProcess maybe we should start discussing why other scanners aren't? Or perhaps let's just let this issue die so the original poster can get his questions answered...
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Magnus, as far as I'm concerned, this isn't some sort of contest - please keep that in mind ;) I for one couldn't care less which software is discussed.

    As for your comment mentioned above: do I understand you correctly: there's no way to prevent access to the entire kernel? If so, please elaborate in specific. Furthermore: isn't it far more easy to tackle te user-mode?

    IMHO it's fair to leave it to readers to decide. As always, everyone is entitled to his own opinion over on this board.

    You are most welcome to start a separate new thread in regard to other scanners. In this thread, TH has become an issue of importance.

    The original posters' issue has been answered - and other answers are welcome.

    As for letting the issue die: as long as there is input, it will stay alive. As a developer you probably agree this is an interesting thread - whatever the outcome.

    regards.

    paul
     
  25. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    No, there's no way to prevent access to the entire kernel memory space if you're running under an Admin account, which 99% of all home users do. If you're running under a limited account you wouldn't need any special protection software anyway as you could just run your security software under a privileged account thus making any attacks impossible.
     
Thread Status:
Not open for further replies.