Why Anti-Trojans?

Discussion in 'other anti-trojan software' started by Firefighter, Feb 18, 2003.

Thread Status:
Not open for further replies.
  1. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Chris P.

    I don't agree that anti-trojan programs are a "fad".
    I am sure that there are some AT programs that aren't very good for some users.

    I have TDS-3 and that program definitely is a serious, functional (and an excellent one IMO) AT program.


    I take my security seriously. TDS-3 (or any good AT program) is valuable as layered defense.

    I wouldn't go without an AT program. Your personal preference may be different.

    Because one AT program disappointed you doesn't mean that another program won't be the solution that you seek.
     
  2. jamming

    jamming Guest

    First off, I don't want to get into the nepotism argument with KAV and PCFlank's testing of it again. Let's just say that I choose not to use PCFlank as a factual source. What I am talking about is not versus a trojan which is old enough for a file detection protocol to work; I am talking about those that are no longer detectable by file definition, because they are new or modified to the point that they are no longer recognizable. Not all tests are from good sources and not all things come to testing what is already out there. ATs also have port detectors and process detection that looks at the process once unpacked. Some of these things you cannot test for, and you can lie with statistics as well as in person.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Firefighter,
    You have a problem which you are prevaricating upon with no objective substance to your arguments; you ask us for answers & then try to tell us what is right based upon what you think! Nothing wrong with that providing you are also prepared to listen ;)
    We all have our own methods of securing our systems, only time will tell which is right.
    As said many times within this thread, layered protection is probably the safest defence, no panacea here.
    There is no magic pill that does it all. You obviously have a problem with other realities.
    You appear to be obsessed with packers / unpackers whilst you could download spyware or pick up web bugs from which, as yet, no AV or AT can fully protect you.

    Here is a suggested range of solutions which MAY protect you. NOTE: each contributor to this thread should and undoubtedly will add their own preferences. ;)

    FIRST lines of defence:

    Ensure you have the latest security updates for your chosen OS & programmes
    Secure password strategy
    Router with NAT or other firewall configuration (networked environment), especially in a broadband environment.
    Software firewall, preferably with both application & rule based capabilities, to allow outbound control where NAT routers usually only control inbound

    Second Lines of Defence:

    Anti-virus - resident
    Anti-Trojan - resident (execution protection)
    Dedicated Worm / script guards with registration protection
    Spyblocking, pop-up & ad stopper, unsafe Java, ActiveX, unfriendly cookies + parental control, i.e. browser protection & set-up
    Email AV + spam identification / removal facilities.
    Secure encryption facilities
    Proxy browsing etc.
    Practice Safe HEX!

    Third Line Defence:

    Spyware and reg cleaners
    Temporary internet file & unwanted cookie cleaners.
    On demand AV & AT scanners
    Secure data back-up facilities.
    Monitoring utilities & logging

    There will be other requirements based upon your perceived personal needs.

    Unfortunately there are no "foolproof" answers.
    We are just talking Windows OSes here; there is a whole new set of problems when using other operating systems such as Linux.

    So let's get some balance back into this thread so that we can all benefit.

    Pilli
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Firefighter,

    I agree with Pilli here (excellent post). Ever wondered why people have one mouth and two ears? ;)
    The question in this thread is: Why Anti-Trojans?
    My answer (and that of many others that have responded) is layered defense.
    IMO having four virusscanners and no room left for an AT is the wrong way of layering your defenses.

    Regards,

    Pieter
     
  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Pieter_Arntz from Firefighter!

    For me the question, "Why antitrojans?", hasn't been so clear, because I have seen plenty of AT tests where KAV and some other heavy-unpacker AVs are as good or even much better at detecting trojans than the best AT programs. :eek:

    I think there is a clear correlation between good unpacking AVs and the capability to detect trojans! :cool:

    I haven't seen independent tests where for example KAV had some 50% of the detecting capability of the best ATs, but I have seen some showing just the opposite! :D o_O

    Is the answer in capability against trojans in the financial capability to make programs, because the markets are so far much larger for AVs than ATs? Who knows? o_O :cool:

    When I said that I have several AVs now, it's just because at the beginning they were my "hobby", so why not use them now? :D

    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  6. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To everyone from Firefighter!

    Why am I not so fond of antitrojans? I have read numerous tests lately and very rarely is the winner an antitrojan! Here are some tests about AVs and ATs, plus one bonus for those who thought that there is only one God among AVs, whose name is N...! :D ;)

    It's only a question of what you believe. I believe in the combined truth of these and several other independent tests! :D

    Antitrojan tests:

    http://www.rokop-security.de/main/article.php?sid=18

    http://www.rokop-security.de/main/article.php?sid=19

    http://www.rokop-security.de/main/article.php?sid=22

    http://www.rokop-security.de/main/article.php?sid=23

    http://www.rokop-security.de/main/article.php?sid=155

    http://www.rokop-security.de/main/article.php?sid=226

    http://www.rokop-security.de/main/article.php?sid=356

    http://www.av-test.org/online/sites/os03.php3?test=2002-01

    About layered defence, I can make that also with several AVs (not resident, I have to admit), because those boundaries between AV and AT programs are only in human minds! The biggest errors in human history have been made in classifying! Those are all programs, so why not pick the best ones? :eek: :cool:


    "The truth is out there, but it hurts!"

    Best Regards,
    Firefighter!
     
  7. Hubris

    Hubris Guest

    Firefighter, I think you may have lost the plot :rolleyes:
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wrote a few hundred postings ago the reminder that the beloved KAV is a combined AV/AT.
    NOD32 for instance is known to be a specific AV, but covers many of the trojans and worms as well.

    To know the difference between worms, trojans and viruses and combinations of the one including the other, RATs, DRATs, backdoors, streams, is a whole study on its own, as their scripting, payload and behavior are exactly what make them the one or the other, and thus determine the best way of detecting and disinfecting them, or the need to run other tools first to disarm them and afterwards get rid of them layer by layer to avoid as much further damage as possible.

    Many good people with lots of experience posted here with so much good info and links, so there is no need to go deeper in this remark.
     
  9. jamming

    jamming Guest

    I tend to agree with Jooske, no one is going to change your mind, just like the people who are out there that are convinced that software firewalls are of no use. After checking and translating the list of what was detected, on the German website, there are glaring problems in the formation of some of these tests. One is that they have not differentiated between trojan servers and other aspects of a trojan. The testers have misformulated their tests so the relationship to real world threats is close to nil. I have yet to see a well done test that truly deals with the actual threats out there.

    Packing can be done in so many ways that it is not really an effective measure, and the trojan has to initiate, so it will become readily apparent when it tries to start up. Delivery to the machine doesn't compromise the machine; a functioning trojan is what compromises a machine. The other portions of a trojan suite are not worrisome, as they only allow the owner of the trojan to control the box from his own machine; it compromises nothing if you have that on your machine. Until someone who understands what the threats are creates a fair test of anti-trojan capacities, these tests are useless and misleading.

    Using an anti-virus to look for packed and unpacked versions of a file definition is fine, but it ignores associated .ini files, process detection, and a number of other detection methods used to find trojans. If you end up with a trojan on your machine because of it, that is your problem. But to advise others based upon that opinion does a disservice to others, just as those who feel that all software firewalls are useless. There are also those who believe having a virus scanner is something not needed if you practice safe computing habits. Well, I choose to practice safe computing habits and have an AV, AT, and software firewall and NAT router (with filtering). Additionally I have a few other applications that help protect my computer.

    Just because someone may be able to get away with smoking a cigarette around a gas/petrol pump does not mean that everyone should do it everyday.
     
  10. muf

    muf Guest

    Just to add my 2 cents. KAV will protect you brilliantly. Overall it is without doubt one of the best pieces of software you can use to protect from trojans. I use it myself. But the point about layered protection should not be ignored. Remember, as long as KAV is running you will most likely have nothing to worry about. But if something takes it down then your one and only line of defence is gone. An additional stand-alone trojan detector is there for the 'just in case' scenario. You will only benefit from an additional trojan detector if this ever happens. But the day it does, if your additional trojan detector saves you, that will be a day you can sit there and say "I'm glad I chose a layered defence"...

    muf
     
  11. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
    Although I am in favour of layered defence, I agree with Firefighter on anti-trojans... they don't do anything, except TDS, which is better. I used TauScan, Anti-Trojan, Trojan Remover and some others, but it was always KAV that stole the show.
     
  12. RaLX

    RaLX Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    50
    I agree with adiel and Firefighter too; I've never used an AT till now because almost all tests show that KAV, and sometimes other AVs too, detect more trojans than AT programs.
     
  13. muf

    muf Guest

    I agree that KAV is fabulous at catching trojans. But just having one form of defence is very risky. I hope KAV never gets compromised, I really do. But a lot of people choose a layered defence so that if one fails, there's another behind that to give you a second chance, or another to give you a third chance, and so on. Like I said, I have KAV4 and love it to bits. But I also have additional protection 'just in case'...

    muf
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Amen to that statement, muf ;).

    regards.

    paul
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Why antitrojans ?

    Because they are specialist programs. TDS is designed to find trojans under as many circumstances as possible. Be it a new trojan, a private trojan, or an edited trojan, we aim to detect a new trojan as fast as possible with updates. Where possible, it is nice to detect trojans that will be used against internet users before they are released.

    See SubSeven 2.1.5 detection thread here

    https://www.wilderssecurity.com/showthread.php?t=7648
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS is a class apart in trojan defence of course.
    It's not a common scanner.
    The many scan options where normal AV/AT programs don't go and don't test (normally), the exec protection blocking a nasty from running if it would wake up, the detection of live and sleeping trojans/worms, not to forget the many ways of determining suspicious files and dealing with them.
    KAV support once told me never to try to repair an infected file but better delete it, and even better get rid of the whole program in which it was found and get a new download/install of that whole program. Sounds drastic and I suppose it depends.
    Anyway, I like to know what I'm doing and TDS does give me the possibilities in hand.
    Many TDS users have KAV or NOD32 (especially for viruses, even though it does cover many trojans and worms too) beside it. Hope you did not forget the worms, for which I use of course WormGuard beside TDS, which has worm detection too.
    Why AT? Layered, second opinion, second protection, specialist, prevention, blocking, etc. Same for AW (anti-worms). They are completely different worlds.
     
  17. and

    and Guest

    >KAV support ever told me never to try to repair an infected file but better delete it and
    >even better get rid of the whole program in which it was found and get a new
    >download/install of that whole program. Sounds drastic and i suppose depends on.

    In fact replacing infected files with original ones is the only 100% reliable method for killing malware. It's a fact. So this answer is the most secure one.

    >Layered,

    Well, KAV detects more trojans and backdoors than any other AT program does. So it would be hard for a trojan that is detected by an AT to get past KAV.

    >second opinion,

    One of the online scanners does the same thing.

    >second protection,

    Look ahead.

    >specialist,

    Well... no anti-trojan engine is more powerful than KAV's. So does being the specialist mean being more primitive?

    >blocking, etc.

    Most ATs don't block files. And TDS doesn't block either. It can only catch file executions triggered by Explorer... Start the nasty by using a console or a batch file or Outlook...

    But you have forgotten some things...

    1. waste of resources (system and financial)
    2. more security risks (because of more software)

    It would be better to use a sandbox or an IDS as second line of defence.
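
The claim above, that replacing an infected file with its original is the one fully reliable cleanup, only helps if you can tell which files no longer match their originals. What follows is an added example written for this edit; it is not code from the thread or from KAV, TDS or any other product named here. It builds a SHA-256 manifest of a known-good tree and later reports files that were modified, went missing, or appeared. The directory layout and file contents in `demo()` (`app.exe`, `app.ini`, `server.exe`) are constructed for the demonstration and stand for nothing real.

```python
"""Known-good file manifest: baseline a tree, then find what no longer matches.

Added example, not code from the thread or from any product named in it.
The sample files created in demo() are constructed for illustration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # the link target is recorded under its own path
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root with a trusted manifest.

    Returns three sorted lists: files whose content changed, files that are
    missing, and files that appeared without being in the manifest. Anything
    in 'modified' or 'added' is a candidate for replacement from original media
    rather than for in-place repair.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return modified, missing, added


def demo():
    """Constructed scenario: baseline an install, then alter it the way an infection would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program image")
        (root / "app.ini").write_text("[settings]\nautostart=0\n")
        baseline = build_manifest(root)

        # Simulated tampering: a patched binary, a changed startup setting, a dropped file.
        (root / "bin" / "app.exe").write_bytes(b"MZ original program image" + b"\x90" * 8)
        (root / "app.ini").write_text("[settings]\nautostart=1\nrun=server.exe\n")
        (root / "bin" / "server.exe").write_bytes(b"MZ dropped payload")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    modified, missing, added = demo()
    print("modified:", modified)
    print("missing:", missing)
    print("added:", added)
```

Keep the manifest somewhere the protected machine cannot rewrite it, or sign it: a baseline stored beside the files it covers can be updated by the same code that tampered with them, and the comparison then reports nothing.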
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Horse-hockey.

    Sandboxes and IDSes don't cost money?

    Sandboxes and IDSes don't use resources?

    How amazing.

    And, how much does this version of KAV cost that everyone's trying to convince us is the be-all/end-all? Pete
     
  19. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    ;) Hi Pete! (Me again. Hehe.)

    Here is the link for how much KAV costs. Not bad actually.

    KAV price for home users.


    Best regards from Larry :)
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    And, This may explain why many of us use layered protection, http://www.securiteam.com/windowsntfocus/5OP0H1F95O.html

    The gist of the link is:

    "KAV) is a family of antiviral products.
    A few vulnerabilities were identified in their products, the most serious one allows user to crash antiviral server remotely (write access to any directory on remote server is required).
    1. Long path crash
    2. Long path prevents malware from detection
    3. Special name prevents malware from detection"

    I use KAV but do not trust it on its own

    Your Quote:

    "Well KAV detects more trojans and backdoors than any other AT program does. So it would be hard to bypass a trojan through KAV that is detected by an AT."

    I doubt very much that it catches as many trojans as a dedicated AT such as TDS3; in fact I am sure it does not.

    Crackers will always try to find ways of stopping or by-passing security programmes and the bigger the Company the more vulnerable they become.
    So I would advise not to put all your eggs in one basket. ;)
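
Two of the three advisory items quoted above (a long path and a special name preventing detection) describe a blind spot that is not tied to one engine: a file the scanner cannot open is a file it never reports, and its log looks clean. The check a practitioner wants is a coverage audit, comparing the filesystem's own inventory with the list of paths the scanner says it scanned. Below is an added example written for this edit; it is not code from the thread, from the advisory, or from any product named here. The scanner in it is a stand-in with assumed behaviour: a 260-character limit modelled on the Windows MAX_PATH constant, and a refusal to open reserved device names (CON, NUL, COM1 and so on) or names ending in a dot or space, which the Win32 layer handles specially. The demo tree is constructed on a POSIX filesystem, where such names are ordinary files.

```python
"""Scanner coverage audit: what is on disk that the scanner never reported?

Added example. The scanner is a stand-in with assumed limits, not a real engine;
the directory tree in demo() is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: classic Win32 path-length ceiling, used as the stand-in's buffer size.
MAX_PATH = 260

# Base names the Win32 API maps to devices regardless of directory or extension
# (opening "con.exe" does not reach a regular file), plus names ending in a dot
# or space, which the Win32 layer strips before opening.
_RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.IGNORECASE)


def is_special_name(name):
    """True for a base name that a Win32-rule-following engine cannot open as-is."""
    return bool(_RESERVED.match(name)) or name.endswith((".", " "))


def inventory(root):
    """Every regular file under root as an absolute path, straight from os.walk."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.add(os.path.join(dirpath, name))
    return found


def naive_scan(root):
    """Stand-in scanner: silently skips what it cannot open and returns the paths
    it claims to have scanned, which is all a real engine's log gives you."""
    scanned = set()
    for path in inventory(root):
        if len(path) >= MAX_PATH:
            continue  # does not fit the fixed-size path buffer
        if is_special_name(os.path.basename(path)):
            continue  # open() would be redirected away from the file
        scanned.add(path)
    return scanned


def coverage_gaps(root, scanned):
    """Files on disk that the scanner never reported: its blind spots."""
    return sorted(inventory(root) - set(scanned))


def demo():
    """Constructed tree: one ordinary file and three the stand-in scanner misses."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "normal.txt").write_text("plain file")
        deep = root
        while len(str(deep)) < MAX_PATH:  # push the full path past the limit
            deep = deep / ("d" * 50)
        deep.mkdir(parents=True)
        (deep / "hidden.bin").write_bytes(b"payload")
        (root / "con.exe").write_bytes(b"payload")        # reserved device name
        (root / "trailing.exe ").write_bytes(b"payload")  # trailing space
        gaps = coverage_gaps(root, naive_scan(root))
        return [os.path.relpath(g, root) for g in gaps]


if __name__ == "__main__":
    for gap in demo():
        print("not scanned:", gap)
```

Against a real on-demand scanner you feed `coverage_gaps` the scanner's own log of scanned paths. The value of the check is that it needs no knowledge of how the engine fails, only of what it did not report.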
     
  22. xor

    xor Guest

    Fact 1: KAV knows more trojans in the main variants than TDS3 has over all (including packed signatures).

    Fact 2: KAV has at least strong signatures. And TDS3? Don't tell me now it has stronger signatures than KAV. Almost half are text-based signatures. If you have doubts about this I'll give you advanced lessons with some malware samples.

    Fact 3: Including pre-packed samples is not the same as having such a strong unpack engine as KAV has (and NAV will have at the end of this month).

    Fact 4: TDS is a good program. But you should learn how to treat the weak sides.
    This means you can write here 500 times the same text - you will always get the same results: Kaspersky is far ahead with trojan detection even if TDS detects 400 samples which KAV missed.

    Fact 5: KAV does not have such a market share with private home users.
    Most people use NAV. So as a hacker you have to take care that NAV does not detect it, or TDS. If you want links to such discussions on the RAT boards I can PM you this too. But I don't post it here because of the TOS.

    Take this not as an offense, it's more technical.
    If you want to speak about this in private feel free to PM me.

    [-xor-] aka Michael ;)
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looking forward to the TDS-4 Pro, Guard and S, WG-4, speaking about special tools for the job, and some more in the build.
    TDS-3 scanning with everything up and highest sensitivity? Even on my system it takes less time, scanning the whole network, and I can work on during it.
    Of course I use online scanners in between, each time another one. Dial-up connections have a few times cost more in phone bills for such scanning than actually buying appropriate software costs, which at least is supposed to protect while being offline too. The online scans don't take all details and heuristics: if I see online 30,000 files scanned while locally over 300,000 .....
    etc.
    OK, seen the price lists for ONE YEAR in your link.
    Glad there's another policy in other places, like DCS.
    Geez, I'm not promoting, just showing differences in view.

    From the other points, for sure many are not mentioned. Have work to do, supporting users for instance.
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Michael, Thank you for your comments. Hopefully one of the DCS programmers will answer your technical "facts", which I am in no position to do.

    I know that TDS has many ways of detecting trojans & also that TDS4 will have more, and as I said earlier I use KAV but don't put all my eggs in one basket.

    I notice you did not reply about the possible vulnerability in KAV?

    Pilli
     
  25. xor

    xor Guest

    I reply to such things only if I have tested it myself.
    And I haven't had time yet for this.

    There are some reasons - it can be an OS-specific flaw. This means this would not only happen with KAV.
    Therefore, before I say something about this I have to test it, find out the facts with technical details of how to explain this.
    Then I will answer - that's my way ;)

    Michael
     