Why bother using any anti-trojan program

Discussion in 'other security issues & news' started by Wai_Wai, Aug 13, 2005.

  1. Wai_Wai (Registered Member; joined Dec 28, 2004; 556 posts)
    Should I use any anti-trojan(AT) program?
    After doing a bit of investigation, I decided not to bother.
    Why? Read the following. The result is shocking :eek: .

    v0.3.1
    ========================================================
    v0.3
    - add a good article: anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
    - add a link: TDS (anti-trojan program) is discontinued due to the rise of anti-virus programs
    - mistakes are corrected to include anti-spyware into the lists of anti-trojans.
    - elaborate more, add more Q&A


    v0.2
    - elaborate more, add more Q&A

    v0.1
    - first release of this article
    ========================================================

    The following are a bit long-winded. Scan for the bold/italic texts. If you find somewhere interesting, read that part.

    ++++++++++++++++++++++++++++++++++++
    Q: I know people hear from users or from vendor websites that an anti-virus (AV) program is not enough. You need anti-trojan (AT) programs to help you catch many more trojans which the AV program misses. Hmm... So should I use any anti-trojan (AT) program?

    A:
    (For AT program users, take a breath first before reading on!!)
    As a short answer, you don't really need to install any AT program and you can be VERY VERY safe.
    It may sound crazy, but it's a common misconception that an anti-trojan (AT) program is required to protect you from trojan infection.

    I made such a big, or even ridiculous, claim because of my experiments and empirical observations.
    Just to quote one test done on 8 Aug 2004:

    AV list (from top to bottom)                Detection rate for ITW trojans
    AntiVirenKit (Kaspersky-based, German)      99.80%
    Kaspersky Personal Pro                      99.52%
    F-Secure (Kaspersky-based)                  99.40%
    Kaspersky Personal                          99.24%
    Panda                                       86.92%
    McAfee                                      86.56%
    Norton Pro                                  82.43%
    Norton Corporate                            79.83%
    PC-cillin                                   73.51%
    AVAST                                       71.51%
    Nod32                                       71.37%
    AVG                                         55.58%

    AS list (from top to bottom)                Detection rate for ITW trojans (%)
    Digital Patrol                              54.32
    PestPatrol                                  31.52


    AT list (from top to bottom)                Detection rate for ITW trojans (%)
    TDS (discontinued on 22 Jul 2005)           54.80
    A squared 2                                 53.59
    AntiTrojan Shield                           30.16
    PC Door Guard                               30.06
    Trojan Hunter                               23.65
    Tauscan                                     19.22
    The Cleaner                                 18.76
    Trojan Remover                              18.29
    IP Armor                                    10.92
    Hacker Eliminator                           10.82
    Anti-Hacker & Trojan Expert                 00.01 (how dare you call yourself expert!! You are crap!)

    Analysis from the result

    Comment on the performance of an anti-trojan program
    As you see, anti-virus (AV) programs are actually FAR better than ALL famous & non-famous anti-trojan (AT) programs.
    AT doesn't really specialize in AT (as you can see from the result, even the worst AV program defeats the best AT program). It's a false claim!!

    If you wish to get the details / complete result of the above test, email me at genuinem22-forum{.........}yahoo.com.hk [replace {.........} with @]

    By the way, there's interesting news that TDS (anti-trojan program) is discontinued. One main reason is the rise of anti-virus programs taking over the anti-trojan markets.
    http://tds.diamondcs.com.au/


    Q: Hmm... so should I still use AT program to add extra protection?
    A: I'm not going to give you a black-and-white answer, but I would like to raise several important factors, so you can consider them before making your own decision:
    - What anti-virus program do you use?
    - If you use Kaspersky-based anti-virus software, it helps you catch nearly all trojans, and all sorts of viruses/worms/mal-scripts as well.
    - If you use something like AVG (the worst anti-virus program at catching trojans), it may be worthwhile to install some AT program since it may help you catch some extra trojans that your AV program misses.
    -- However you may wish to consider other alternatives too (eg more anti-virus programs, anti-spyware, firewall, extra protection like process & registry protection). They all have their pros and cons, which have been explained in anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?

    - How much extra protection do you wish to add?
    Provided you are using the best AV program, there's still a catch: it misses a few tricky trojans. Theoretically, when you add 1 more AT program, you raise your chance of catching the missed trojans.
    Based on the result I have presented to you, you can see how poorly they perform. If you ask me the chance of an extra AT program catching a missed trojan, it may be less than 0.1% or even 0.01% or even much less.
    In other words, what an AT program CANNOT catch, an AV program can manage to catch; conversely, what an AV program CANNOT catch, an AT program has (nearly) no capability of catching.

    - Possible crash or instability
    Since an AT program has its own real-time protection (so does an AV program), it may crash with your AV program. The overlapping characteristics may create more problems than benefits.

    Frankly I'm not sure, but you may risk:
    - slowing down your computer (some AV is already resource-hogging. Imagine that you are adding 1 more)
    - worsening your AV/AT capability (when your AV and AT conflict, no matter explicitly or implicitly)
    - crashing your computer (they may compete for the privileges to scan/detect viruses. That causes problems!)

    - Other alternatives to boost your protection
    Apart from adding "AT protection", you may consider other much better alternatives. These include:
    - adding 1 firewall (ZoneAlarm is good!)
    - adding 1 anti-spyware (it mainly protects your privacy, rather than security) (eg MS Anti-spyware, Ad-aware)
    - adding 1 process protection program (eg ProcessGuard [*])
    - adding 1 registry protection program (eg RegGuard [*])
    *: The programs I mentioned above are just examples. I don't know if they are excellent or not.

    Q: About the alternatives, it's true that your alternatives can also provide extra protection. But you miss the point that they have disadvantages too (eg anti-spyware is not good at detecting trojans; firewall, process & registry protection require better computing knowledge), so anti-trojan (easy to use, using different signatures and scanning techniques) should be implemented instead to cover the above weaknesses.

    A: Hi. You have made some good points.
    Just to tell you in case you don't know, you tend to point out only the advantages of anti-trojans over the other alternatives, but not vice versa. To get a better outlook, we need to look at both sides in order to make a better decision.

    You will find this article useful:
    anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
    There are several things we can consider when we wish to protect our PCs (the more you implement, the better you are):
    - firewall
    - anti-spyware (it can detect some trojan or trojan-like spyware)
    - process protection
    - registry protection
    - more anti-virus
    - anti-trojan

    OK, let me see which is the best. To do so, there are several aspects I'm going to analyze:
    - effectiveness at stopping trojans (*)
    - effectiveness at stopping non-trojans (*) (#)
    - ability to remove the malware
    - knowledge required to utilize this software
    * The effectiveness rating ranges from 1-5. Bear in mind, it's just a rough indicator of their performance. Don't treat them as absolute.
    # Non-trojan means any other malware which is not classified as a trojan, including MS-DOS & Windows viruses, macros, dialers, scripts, miscellaneous malware etc.
    More notes:
    - Common benefits and common weaknesses are not included in the analysis since they won't affect your decision anyway (all have the same extent of benefits/weaknesses, so how can it affect your choice if you make a rational choice?)


    - firewall
    Effective rating - anti-trojan (1-5): 3
    Effective rating - anti-non-trojan (1-5): 1-2
    Advantage:
    1. I think it does little to prevent the installation of trojans, but it is great at paralyzing trojans. There are some things a firewall can do to stop trojans:
    -- stop them from sending info out
    -- stop hackers from accessing your computer (the trojans may not help!)
    -- hijacking legitimate EXE
    Disadvantage:
    1. You need some computing knowledge to utilize this program, or you may be stupid enough to allow a trojan to do its job :p
    --> However "search engines" and "forums" are your friends. So even for dummies, if they realize the existence of these 2 "helpers", it's not really a problem (although you still need to spend some time and effort on it). For immediate and general help, use search engines like "Google". For special and detailed help, ask experts in various security forums.
    2. It can't remove any malware. You need to seek help from other tools. Anyway it is normal since this kind of product is precaution software. Removing malware is not their scope.
    3. As to some other non-trojan malware, it may have some difficulties in stopping them. (eg: I don't think it can do anything really to stop the damage done by a virus)

    - anti-spyware
    Effective rating - anti-trojan (1-5): 3-4 (Yes, it is "3-4"!!)
    Effective rating - anti-non-trojan (1-5): 3
    Advantage:
    1. Little knowledge is required to use this product.
    2. If your anti-spyware has real-time protection, it helps more. Some anti-spyware like Microsoft Anti-spyware Beta can protect you from a wide range of things, including HOSTS, IE trusted zones, startup programs etc.
    3. It not only detects/stops trojans but also other kinds of malware (mainly spyware and adware). It will help to remove them if found too.
    4. One may say that their disadvantage is that they are not specialised in trojan detection/removal. It's a common misconception! Digital Patrol (anti-spyware) can manage to get rid of ~55% of ITW trojans. This result is already equal to the very best of the anti-trojans (also ~55%). You know, Digital Patrol is not an excellent anti-spyware (AS) in the market. The best ones are Microsoft AS (308/425, based on the result of GIANT AS, which has been purchased by Microsoft), Webroot Spy Sweeper (235/425), Ad-aware (231/425). Unfortunately I don't have authoritative third-party sources, but if you believe me, based on my experiences/observations, I would guess it could detect 80% or more trojans if it were run in the test. That's why I give a "3-4" rating (if I can confirm my belief, I will give a "4").
    -- Don't you feel the above is too hard to believe? Well, it must be, since it is contrary to your established belief. I will explain to you why later.

    Disadvantage:
    - {no real disadvantage which is specific to anti-spyware}

    - process protection
    Effective rating - anti-trojan (1-5): 4
    Effective rating - anti-non-trojan (1-5): 4
    Advantage:
    1. A lot of malware needs *.exe, *.dll etc. to make it work.
    2. If you use some products like ProcessGuard, it provides an even wider range of base-level protection including terminating/crashing/suspending legitimate programs, exe file execution, leak attacks, installation of rootkits & drivers & keyloggers & mouse/key hooks, dll injection, modification of physical memory.
    (Note: I'm currently using it. It looks good but it's just mainly based on my estimation and the claims from the author, so it may not look as great as it looks)
    3. It seems it's more likely that these products are kernel-based. A kernel-mode device driver is a 32-bit modular component that runs at a privileged level (known as Ring 0 to those familiar with Intel hardware) on the computer's CPU. As such, drivers run as trusted components of the kernel, virtually becoming a part of the operating system itself. It is good since it is much harder for malware to intrude on these kinds of products.

    Disadvantage:
    1. (= Firewall Disadvantage 1: knowledge required). By the way, it should be harder to learn this product than a firewall.
    2. (= Firewall Disadvantage 2: can't remove malware, only detect).

    - registry protection
    Effective rating - anti-trojan (1-5): may be 3
    Effective rating - anti-non-trojan (1-5): may be 3
    Advantage:
    1. Malware still needs registry keys to make it work. Protecting these areas can surely affect its activities.
    2. (= Process Protection Advantage 3: kernel-based protection)

    Disadvantage:
    1. (= Firewall Disadvantage 1: knowledge required). By the way, it should be harder to learn this product than firewalls AND process protection software. The registry is more cryptic and hard to understand.
    2. (= Firewall Disadvantage 2: can't remove malware, only detect)
    3. Compared with process protection, it tends to provide less protection - it only protects the registry. It is less important. Compared with anti-spyware programs, some anti-spyware already provides some kinds (although limited) of registry protection. This further lowers its significance.

    - more anti-virus
    Effective rating - anti-trojan (1-5): 5
    Effective rating - anti-non-trojan (1-5): 5
    What is it about?
    - I'm not suggesting you install more than 1 anti-virus program since it will lead to possible conflicts, no matter explicit or implicit (for details, please ask me).
    - I'm going to suggest you use free online scans. You know, no single program can detect and remove all sorts of malware. There are many free online scans.
    - If you download a file and suspect it contains malware, try this all-in-one scanner (it has 14 major AV scan engines, including the topmost ones):
    http://virusscan.jotti.org/
    (Brilliant!! You are much much... safer than depending on your AT program to determine if it has a trojan attached.)
    - For a complete system scan, a lot of major anti-virus program providers have these services for free. Thus please visit their websites more frequently :p

    Advantage:
    1. It is excellent at dealing with trojans (the best can be as high as 99.9X%) unless you are choosing some bad anti-virus programs
    2. It's also excellent at dealing with non-trojans (the best one can be as high as 99.XX%) unless you are choosing some bad anti-virus programs
    3. Some anti-virus programs try to work on detecting spyware, hijackers, adware as well (although the performance is poor compared with the best anti-spyware products)
    4. Unlike other precaution software (eg firewall, process/registry protection), it will help to remove/fix them automatically if detected.
    5. Little knowledge is required to use this product.
    6. To sum up, both anti-virus (AV) & anti-trojan are misnomers. AV is in fact an all-round anti-malware program (except spyware); while anti-trojan is indeed okay (NOT good!) at trojans only (the best being 5X%).

    To get a clearer picture, let's make some comparisons. A good or excellent anti-virus can detect more than 90% of ITW malware (including MS-DOS & Windows viruses, macros, dialers, scripts, trojans, miscellaneous malware). As to anti-trojans, see this table:

    Malware type    average anti-trojans    best 5 anti-trojans    average anti-virus    best 5 anti-virus
    trojans         10-20%                  30% (*)                about 70-90%          99.50-99.90%
    non-trojans     2/3% to nearly 0%       less than 6%           about 70%-90%         98-99%
    * There are big differences even among the best: only 2 anti-trojans manage to get ~50%; then it suffers a sudden drop of ~20%. The rest are poor (only 2X%, some being less than 10%)
    Note:
    - The percentage refers to the detection rate of that kind of program, based on overall results of several tests (2003-2005)
    - For the details of the data, feel free to ask me.

    Debatable point
    1. The only problem is you cannot install more than 1 anti-virus program (it's no good for your computer due to possible conflicts!).
    --> However you can use "online scan" to keep your computer safe. What you need to do is to get online and get scanned. That's it.
    2. What you only miss is real-time protection from the anti-virus. But getting it may not be a good thing:
    --> You may risk getting conflicts if you use an anti-trojan real-time scan as well as an anti-virus real-time one (you know they try to fight for the same kinds of privileges for real-time scanning), no matter whether it is noticeable or not. Remember not all conflicts can be seen/felt. If you have installed an anti-trojan, it may not mean it is perfectly ok. It may mess up and slow your computer down already. You have to be careful about that if you really do so! (eg you should check if the anti-trojan is compatible with your anti-virus)
    ---> If conflicts exist, getting 1 more real-time protection will in fact worsen your security, not improve it!
    ---> Is there any real need for real-time protection? If you always scan suspicious files before installation, you get much less chance of getting trojans.
    ---> I have found 1 website which uses 14 major scan engines to scan for viruses. I can't find other such websites which combine plentiful engines in 1 site, which is very excellent. If you get to use this online service frequently, you hardly get any kind of malware.
    ---> If you frequently do online scans, your chance of getting viruses/trojans is much lower than installing 1 more real-time scan (remember 1 more of the same kind of real-time scan may sometimes worsen your security!)
    3. Finally the above is just some short explanations. I can explain much more about this topic if you wish to know more or you are doubting. Feel free to ask me if you need.


    Disadvantage:
    - {no real disadvantage which is specific to anti-spyware}


    - anti-trojan
    Effective rating - anti-trojan (1-5): 3
    Effective rating - anti-non-trojan (1-5): 1 only :-(
    Advantage:
    1. (~ Anti-spyware advantage 4). They are more or less equal to each other. That's why both anti-spyware and anti-trojans get "3".
    --> But they are far worse than anti-virus programs
    2. Little knowledge is required to use this product.
    Disadvantage:
    1. They are only okay (not good!) at dealing with trojans
    2. They become abysmal when dealing with non-trojans
    3. You may risk getting conflicts if you use an anti-trojan real-time scan as well as an anti-virus real-time one (you know they try to fight for the same kinds of privileges for real-time scanning), no matter whether it is noticeable or not. Remember not all conflicts can be seen/felt. If you have installed an anti-trojan, it may not mean it is perfectly ok. It may mess up and slow your computer down already. You have to be careful about that if you really do so! (eg you should check if the anti-trojan is compatible with your anti-virus)


    If I miss any point, please tell me and I will add them back.
    Thanks for your kind attention.


    Q: Even if an anti-virus program can hit 99%, this still leaves 1% of trojans which have been caught. Better safe than sorry, we should use anti-trojans.

    A:
    Try to see if this makes things clearer.
    First, by installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

    There are 6 grades in the school (A-F).
    An "anti-virus" program is like an A-B grade student; while an "anti-trojan" is a D-E grade student.

    Surely an A/B grade student cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

    "How about asking D/E grade student to help?" A-grade thought.

    "Are you crazy? How will I know how to solve this question? Too difficult for me," an E-grade student said, "There is surely a chance I can do it, but how big is the chance, you fool!?"

    Surprisingly, he mentioned something which enlightened the A-grade student.

    "You'd better ask other A/B grade students for help. They will know how to solve this difficult maths," the E-grade student enlightened the A-grade student.

    "Ar! So stupid I am! Why didn't I seek help from other A-grade students in the first place?" the A-grade student grieved, "Now the A-grade students have left school. I have to wait for tomorrow."

    Why does the software miss that 1%? Probably they use advanced techniques which are hard to arrest, or the trojans are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

    Your anti-trojan is not designed to arrest this 1% gap. Instead it is said to specialize in arresting trojans-related threats. Unfortunately they even cannot do better than anti-virus programs.

    You may feel anti-trojans are specialised in arresting trojan guys! You may feel so due to the fact that:
    - it was true in the very early stages of security programs
    - the name "anti-trojan" misleads you into thinking they should be specialised in trojans. It's in fact a misnomer based on hard facts. Sad to say, hard to accept, but we have to admit it. :"(
    - now it is a sunset market. Remember why TDS is dead?? To survive, convert it into either "anti-virus" or "anti-spyware" (Ewido is a good example of a move towards anti-spyware). Anyway these 3 products have some degree of overlap.


    So what should you do now if you are the A-grade student?
    This leads to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate, and only 50% for anti-trojan, you are in effect asking an E-grade student a difficult maths question which you, as an A-grade student, don't know how to answer.

    Okay, so are you ready to ask other A-grade students now?

    Hope this answers your question.
    Feel free to discuss with me if you have further questions.


    - Okay, you are good at puzzling me! Simply tell me, if you were me, what would you choose?
    I am not you. I cannot choose for you.
    but if I simply give you such kinds of vague answer, you will definitely beat me up.

    Okay, if you are being bombarded/confused by the whole lot of advantages/disadvantages, then just forget the above. Take my word for granted temporarily; I will guide you to the appropriate choices.

    Now, the question: what is the best to protect me from trojans?
    I assume you have nothing on your computer yet.
    I assume protection capability is of utmost importance to you.

    First identify who you are (I have some descriptive texts for each group).
    Then follow the steps one by one. Remember to follow the first step first and the last step last. (Am I bullshxting?)
    Stop at the point when you see you are secure enough, or you are fed up with getting more protection.

    1st group: If you are a noobie, or a beginner who doesn't wish to bother with anything:
    1. Install 1 excellent anti-virus program (so you get 99+% trojan protection & lots more)
    2. Install 1 more excellent anti-virus program (now you get another 99+% trojan protection & lots more). Remember to turn off the real-time protection to avoid possible conflicts. If you are crazy enough, you may add as many programs as possible for max protection. Again, turn off all of these real-time protections. You only need 1 real-time protection.
    3. Install 1 excellent anti-spyware or more (now you may get 80+% trojan protection & some other benefits). If you are crazy enough, you may add as many programs as possible for max protection. Again, turn off all of these real-time protections. You only need 1 real-time protection.
    4. Install 1 excellent anti-trojan or more (now you get 50% trojan protection & only a jot of other benefits). Remember to turn off the real-time protection to avoid possible conflicts. If you are crazy enough, you may add as many programs as possible for max protection. Again, turn off all of these real-time protections. You only need 1 real-time protection.


    2nd group: If you are a noobie/beginner who is willing to bother, or you are an intermediate:
    1. Install 1 excellent anti-virus program (so you get 99+% trojan protection & lots more)
    2. Run as many FREE online virus scans (file + system scan) as possible until satisfied. You don't really need to install extra anti-virus programs: save space, save resources, save conflicts, save money, save problems...
    3. Install 1 excellent firewall ONLY and no more unless you are ready for possible troubles. As I said before, a firewall itself is difficult to use. But do you remember your friends - Google (search engines) and experts (forums)? If you meet them, you don't really need to be computing-knowledgeable. Your friends will help you.
    4. Install 1 excellent process protection. I temporarily recommend ProcessGuard. Really learn how to use it, or you shouldn't bother. What you need is mainly to go through its manual once. That's it. The rest can be left to your friends. This product, once you are familiar with it, is no different from a firewall. You don't need to take care of them anymore, except that it will sometimes prompt you for decisions.
    5. Install 1 anti-spyware ONLY + utilize as many FREE online scans as possible until satisfied.
    6. Don't install any anti-trojan. Just utilize as many FREE online scans as possible until satisfied.

    3rd group: If you are someone who is willing to get into trouble :p, or you are a (semi-)expert:
    1. (see 2nd group points 1-4)
    2. Install registry protection. I don't really know anything (seemingly) good to recommend. You may try RegDefend or ask Google. Good luck!
    3. (see 2nd group point 5 downwards)

    Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


    Challenge &/or Criticism

    Q: I saw a vendor website claiming their product is far better than some famous AV. It even lists the result, and the result is the reverse (ie the AT program can catch more trojans plus it can catch more AV too), so you must be wrong.
    A: Hmm… I know which website you are talking about. (Maybe I guess wrong :oops:) Anyway try to think about the following factors before making your own decision:
    - Vendors have strong motives to lie.
    - Should we trust independent websites (although you don't know if they have insidious relationships with vendors, so that's why we should read at least more than 1) much more than vendors?
    - Does it display any technical info about the test? What database does it use? How does it test?

    Q: How about magazines? They claim XX program is The Best of This Year!!
    A: I would like to say something about magazine reviews (or similar types). Try to consider the following factors and think about whether we should place too much trust in them:
    - Most simply do not have enough resources to conduct effective and representative tests/reports. Unless the magazine is using the results from a big and independent testing organization, the reviews cannot reflect the true value.
    - Some magazines receive money from other programs (by advertisements etc.). So do you think they will be impartial enough?
    - Small magazines may rely on analyses or research data from big magazines. Then they make their reviews and comments based on these data. If what they comment is based on these reports, why don't we read the reports ourselves? Sometimes you may reach a different conclusion even if the magazine and you depend on the same report databases.

    Wait! Many users praise this anti-trojan program highly. It works to stop many trojans that NO SINGLE anti-virus program can. So you MUST be wrong!
    Yes, I may be wrong, but I would like to point out some situations which falsify the above claim:
    - Users' comments may be based on the magazine reviews they have read. And magazine reviews are actually… so…
    - Experiences may lie, unfortunately. Consider this case. A virus bypassed your anti-virus program. It doesn't cause serious problems on your computer. You never notice its existence. You still feel your anti-virus program is doing a great job.
    - A security program generated a false positive, falsely claiming that the file is infected. You think it is great. Other security programs cannot detect that malware, but my program can. Excellent! There was one case (~10-12 Aug 2005) where none of the anti-spyware programs could detect these 2 "so-called" spyware except CounterSpy. Finally they turned out to be false positives. One file is just legitimate JPG compression functionality from Intel, but CounterSpy claims it's AB System Spy and the threat is rated "serious".
    - "Fallacy of popularity": I have somewhat fallen into teaching you logic. It is invalid to claim "something being popular or agreed by the majority CAN prove something is correct/good". Re-read the above cases. You should understand why. ;-D

    Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


    Q: Hey man! How dare you deceive me? Your test is deadly old!
    A: I have to admit that this test was done on 8 August 2004, so it is 1 year old. Sorry to say, there are indeed newer 2005 tests, but I haven't included them because I have no time to gather & present them. It needs some time to do. I will do it if I get some time. If you are kind enough, feel free to give me a newer test.

    Please try to consider the following factors before determining whether you should discredit/ignore this test completely:

    Relevancy
    We don't really need to worry too much about the outdatedness. As a rule of thumb, 1 or even 2 years old is not really a problem if you ask me. Its relevancy still holds true for most cases. Based on my experience, for example, if a product could detect 50% of malware 1 year ago, it is very rare that it will catch 70% of malware this year. [Note: Surely you need to compare the results from the same series of tests (having no noticeable change in this series, eg methodology of testing) AND done by the same company.]

    If the normal situation goes on, a good program should keep being good even after 1 year. If you haven't heard of any (major) bad news about the program within the year, it is quite safe to assume the program is still good. It shouldn't change dramatically in, say, 1 year. The same holds true for bad programs.

    However the world is not black-and-white. I have to admit there're some exceptions. For example, if you realise a product is subject to huge advancement in this 1 year (eg it introduces a brand new heuristic method to catch malware), the relevancy of the past test is questionable.

    Reliability
    Surely I can choose to make my conclusions based on some magazine reviews. It should be easier to find newer reviews. But as I said previously, they are not reliable. It is a good deal to get a more reliable and detailed report at the cost of some outdatedness, right?

    Finally, you should make your own decision. Think about my points and see if I make sense or I am bullshxting :"(, then feel free to keep your own decision.


    Hmm… but why don't you manage to get the latest report?
    It is impossible, but I think you should understand why. It's because a good and comprehensive report needs much time to produce - half a year is not unbelievable! It is never impossible to finish a report within a week or a month unless you are going to read some magazine reviews, whose credibility tends to be low.

    I rely on detailed reports to make most of my comments because they are more trustworthy and reliable than brief reports and magazine reviews. I can know what methodology they use, what database they use, how they reach their conclusions etc.

    The only major price is that I cannot get up-to-date information, and if you ask me, I don't think it is really a price. As I said, the outdatedness is not really a problem. It is unlikely, not to say rare, for a product to undergo a big/huge performance difference in such a short period (eg 0.5-2 years).


    Miscellaneous

    I would like to know more about anti-trojan program performance // I would like to investigate by myself. What can I do?
    A good place to start is http://www.virus.gr/english/fullxml/default.asp
    If you know more good websites about anti-trojan programs, please tell me!!
    By the way, Google is your friend. You can search for more and more reports to read.

    - Thanks. You are really helpful! // You are a silly crap (like Anti-Hacker & Trojan Expert). Get lost!
    Good to hear if you find the above info useful.
    Sorry if you feel I'm crap. Don't be angry, please! All the above is my little advice anyway. You may disagree with me.
     
    Last edited: Aug 14, 2005
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Wai_Wai,

    I think Wayne of DiamondCS also has a similar position - i.e., it is difficult for an AT to provide any significant additional protection on a machine, if the machine has a good AV.

    However, the AT test that you are referring to is old, and some of the ATs (e.g. Ewido) have added significant protection in areas that may not necessarily be covered well by the AVs (e.g. malware that is hidden in cookies). Also, ATs approach the problem in a different way (e.g. memory process scanning) so that they may detect some malware that gets past the file scanning of an AV (I personally have never experienced this).

    On balance, I would recommend that users install different type of protection before they purchase ATs nowadays (e.g. anti-executables, registry protection, script protection) and apparently Wayne also agrees with this position.

    Cya around,
    Rich
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    First of all, thanks so much for your reply.

    Hmm... This test is from Aug 2004, so it is just 1 year old.
    Also there are newer tests on the site which I have no time to gather and present here. The situation does not change. AT programs still perform poorly. If you wish to find out yourself, read this (test: Apr 2005): http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69

    And read this as well if you are interested in:

    I understand they can add some protection.
    But before deciding to purchase an AT program, think about these 3 factors which will affect the usefulness of adding 1 AT program:
    - what AV do you use? (Take KAV as an example, it catches about 97-99% of trojans, so adding one is nearly useless)
    - how much can an AT protect us? (the better the AV you use, the more useless your AT is)
    - are there any other alternatives which can provide more protection than AT achieves? (If I were to choose, I would prefer other kinds of protection against not only trojans, but also a lot of attacks, eg process/registry protection, firewall if you don't have one now)

    If you haven't read yet, spare some time to read the following:
    After all, thanks so much for your comments!
     
    Last edited: Aug 13, 2005
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Hmm...care to expand on this RichRF? I've yet to hear of a cookie being used for anything other than holding data...

    Wai wai,

    The best AVs will provide good trojan detection - however the thing about trojans is that they tend to be "personalised" (i.e. altered by their distributor, via hex-editing, compression, rebasing or encryption) to avoid AV signature scanners.

    If you are a "high risk" user (i.e. you download files from anonymous sources like P2P, IRC or Usenet) then you are much more likely to encounter something that may slip past your AV scanner (even Kaspersky AV has some weaknesses here) so an AT scanner (using different signatures and scanning techniques) may be a worthwhile addition. However process/registry/network software (firewalls, Process Guard, etc) can also provide extra security, provided that you know (or are prepared to learn) how to distinguish normal from malicious behaviour.
     
  5. StevieO

    StevieO Guest

    I appreciate that some AVs are much more capable of detecting/eliminating Trojans than ever before. But even with a 99% hit rate, that still leaves around 1000 undetected out of say 100,000! A lot more if the hit rate is less.

    It used to be that viruses were the things we needed to be concerned with mainly, but not anymore. The amount of Trojans in all their forms, including RK's, has increased dramatically in the last 6 - 12 months, as recent events with TDS3 have shown.

    Why take the chance, even if as i do you surf safely, with all that it implies. Because s**t does happen.

    I would be very interested to hear about the Cookie thing also.


    StevieO
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    How would you suggest the average user who wants to use these products, learn how to distinguish behavior?

    Can you give some examples you've found?

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. fetch

    fetch Guest

    I don't bother. I've never had to remove a trojan from a computer protected with Deep Freeze, or found malware that could write itself to my Qualystem (FREE) Rescue CD
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Cookies should only cause privacy problems.


    But can an AT do significantly better to solve this problem?
    Why and how do they achieve it?

    You have made some good points.
    Just to tell you in case you don't know, you tend to point out only the advantages of anti-trojans over the other alternatives, but not vice versa. To get a better outlook, we need to look at both sides in order to make a better decision.

    In short, provided that your aim is ONLY for better trojan protection:
    (Note: You will probably not agree with most of my statements since I give no explanation. Skip this part and read Anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert? first in my first post for detailed reasonings)
    1) use other anti-virus programs (FREE online scans) to detect trojans (they are the best alternatives, especially for computer noobies/beginners)
    2) firewall (noobies/beginners should use one nowadays)
    3) [optional] process protection (a bit more difficult to learn at the start only)
    4) [optional] registry protection (really quite difficult to make use of it)
    5) anti-spyware (surprisingly anti-spyware can have better detection rates than anti-trojans)
    6) anti-trojans (the last alternative, install if you still feel insecure after going through the above 5 steps)
     
    Last edited: Aug 13, 2005
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    ATs were never meant to replace AVs, or provide superior file scanning. I like how Kevin, of NSClean, put it.. your AV will pick up 90% of trojans, it's the last 10% that the AT is concerned with (that's paraphrased, not a direct quote).

    There are lots of ways that a trojan can evade file scanning; the AT is meant to supplement/fortify your existing scanner with real memory scanning and other things that a common AV may lack. An AT may not pick up all that much more than your AV, but a modified trojan can still be caught in memory, if you have a real memory scanner. An AT is also generally more capable of keeping it from entering memory and/or removing it from memory if it's already there. I've seen all too many infections where the AV says "Hey, you're infected! Sorry, there's nothing I can do..." If you end up with the Beast trojan on your machine, an AV and an AT would probably both be able to detect it, but which do you think will be capable of removing it? You could always remove it yourself, but that may be a painstaking chore for many, and many may still end up needing to reformat. And what about the malware that uses exploits to inject itself directly into memory without planting any files? Scanners like Ewido and BOClean will also pick up that last bit of stuff that is outside the scope of many AVs, and won't go through the same process of prioritizing when it will be added to the database, if at all. Some malware writers are writing tons of variants and releasing them in small numbers (per variant) so that the AV companies won't add detection (because it's not prevalent enough), but an AT will.

    Sure, if you're a KAV user it may not be worth it to you to get an AT, depending on many factors.. but not everyone wants to use KAV. Just with file scanning alone, some may prefer to use an AV+AT to get an equal level of detection. There are also still plenty of things out there that the KAV team hasn't found yet, and many new ones can still infect a KAV protected system before they have a chance to update.. so again, which do you think will be the better at removing them without extra effort on the part of the user? The above test says nothing of this, and says nothing of the scope of what ATs are intended for.

    There are plenty of ways that a user can go, an AT is just one option for a layered defense.. and I don't recall people here emphasizing otherwise to someone that's decided to choose another route.
     
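    The two posts above (Paranoid2000's point that distributors "personalise" a trojan by hex-editing, compression, rebasing or encryption to slip past signature scanners, and Notok's point that a modified trojan can still be caught in memory by a real memory scanner) can be made concrete with a small model. The following is an added example, not code from the thread or from any product named in it: the signature, the "trojan" body, and the toy XOR packer are all constructed for illustration, and the byte strings stand in for nothing real.

```python
# Added example (not from the thread). A byte-signature file scanner, a toy
# packer that models "personalisation", and the same signature applied to the
# unpacked image a stub would produce in memory.

SIGNATURE = b"C2_CONNECT_v1"  # constructed stand-in for a scanner's byte signature

def build_sample() -> bytes:
    """Constructed stand-in for an unmodified trojan body that contains SIGNATURE."""
    return b"MZ" + b"\x00" * 14 + b"call " + SIGNATURE + b"\x90" * 24

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def pack(sample: bytes, key: int = 0x5A) -> bytes:
    """Toy crypter: a 5-byte stub carrying the key, then the XOR-encoded body.
    Real packers are far more elaborate, but the effect on a byte-signature
    scanner is the same: the on-disk bytes no longer contain SIGNATURE."""
    return b"STUB" + bytes([key]) + xor_bytes(sample, key)

def unpack_in_memory(packed: bytes) -> bytes:
    """What the stub does at run time: decode the body before executing it.
    A memory scanner sees this decoded image, not the on-disk blob."""
    key = packed[4]
    return xor_bytes(packed[5:], key)

def hex_edit(sample: bytes, offset: int, new_byte: int) -> bytes:
    """One-byte patch, the cheapest 'personalisation' a distributor can do."""
    out = bytearray(sample)
    out[offset] = new_byte
    return bytes(out)

def file_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Exact byte-signature match over the bytes as stored on disk."""
    return signature in blob

def memory_scan(packed: bytes, signature: bytes = SIGNATURE) -> bool:
    """Same signature, applied to the decoded image the stub produces in memory."""
    return signature in unpack_in_memory(packed)

def demo() -> dict:
    plain = build_sample()
    packed = pack(plain)
    sig_offset = plain.index(SIGNATURE)
    # patch a byte inside the signature region itself
    edited = hex_edit(plain, sig_offset + 3, ord("x"))
    return {
        "plain_on_disk": file_scan(plain),        # signature visible on disk
        "packed_on_disk": file_scan(packed),      # packer hides it from a file scan
        "packed_in_memory": memory_scan(packed),  # decoded image still matches
        "hexedited_on_disk": file_scan(edited),   # one byte breaks an exact match
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} detected={hit}")
```

    The packed case is the one the thread argues about: the file scan misses, the memory scan hits. The hex-edited case is the caveat: if the distributor changes the bytes the signature covers, an exact-match signature fails on disk and in memory alike, which is why a second product "using different signatures and scanning techniques" can help and why behaviour-based controls are discussed as the other option.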
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi P2000,

    Merely talking about "tracking cookies", where privacy of the user is somewhat invaded. This is primarily the type of "problems" that Ewido has detected on my machine.

    Rich
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    This is how I look at the issue.

    Since I use KAV, there is, let's say, 1/100 chance that KAV will miss some malware. I estimate that, considering my surfing behavior, that I may encounter 4 malware in a year. That means, that KAV, on average, will miss some malware once every 25 years.

    Now, suppose of the 1/100 that KAV misses, Ewido picks up 1/5 of those (I think I am being generous) with Ewido's added protection scheme. That means that Ewido will help me on average, once every 125 years. This is pretty negligible which is what I think Wai_Wai's point is.

    My point is a bit different. That is, if one were to add additional protection, the user should be confident that the protection scheme is of such a nature that it would be able to add significantly to what KAV is currently offering. If one suggests (reasonable I think) that KAV's zero hour protection is "weak" at this point, then anything that enhances zero hour protection would substantially add to security by plugging this hole. For this reason, I believe that products such as ProcessGuard are quite reasonable additions to a KAV configuration.

    One could make a case that NOD32 would be a good addition since it adds heuristics to signatures, but unfortunately, NOD32 cannot (should not?) run side-by-side with KAV. Lacking this, adding host intrusion protection to signature based protection would seem like a natural. Adding signature-based to signature-based (even if the scanning process is different) seems to me to be more problematic, unless it can be clearly demonstrated that ATs will have a much higher chance of picking up malware that KAV missed, than the number I suggested (i.e. 1/5).

    Comments, as always, are welcome.

    Rich
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In the case of a firewall, simply take the time to know what programs are likely to have a legitimate need for network access (e.g. iexplore.exe for Internet Explorer, msimn.exe for Outlook Express, firefox.exe for Firefox, etc) and the basics of networking (the role of DHCP and DNS especially). For process control, understand what hooks and DLLs are.

    Most importantly though, become familiar with the legitimate software on your system and its normal pattern of activity (which is why such products need to be installed on a clean system) then you will be aware of any changes and can scrutinise them more closely.
    I thought this was the case - perhaps the term "malware" is a bit of an overstatement here?
     
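    Paranoid2000's advice above, knowing which programs legitimately need the network and what their normal pattern of activity looks like so that changes stand out, can be done mechanically once a baseline exists. The following is an added example, not code from the thread or from any firewall product: it learns a baseline from connection records taken on a known-clean system and reports anything outside it. The records are constructed in the shape a personal firewall log or `netstat -b` listing would give (image name, protocol, remote port); the executable names are the ones the post mentions, and the assumption that the DNS and DHCP client traffic comes from svchost.exe is stated in the comments.

```python
# Added example (not from the thread). Baseline-and-deviation check over
# constructed per-process connection records.
from collections import defaultdict

# Constructed baseline captured while the machine was known to be clean.
BASELINE = [
    ("iexplore.exe", "tcp", 80), ("iexplore.exe", "tcp", 443),
    ("msimn.exe", "tcp", 110), ("msimn.exe", "tcp", 25),
    ("firefox.exe", "tcp", 80), ("firefox.exe", "tcp", 443),
    # assumption: on the XP-era systems discussed, the DNS and DHCP client
    # services run inside svchost.exe, so UDP 53 and 67 from it are expected
    ("svchost.exe", "udp", 53), ("svchost.exe", "udp", 67),
]

# Constructed records from a later session.
TODAY = [
    ("firefox.exe", "tcp", 443),
    ("svchost.exe", "udp", 53),
    ("svhost.exe", "tcp", 6667),    # lookalike name, never seen before
    ("iexplore.exe", "tcp", 8080),  # known program, pattern changed
]

def learn_baseline(records):
    """image name -> set of (protocol, remote port) seen while clean."""
    profile = defaultdict(set)
    for image, proto, port in records:
        profile[image.lower()].add((proto, port))
    return dict(profile)

def _one_edit_apart(a, b):
    """True if a and b differ by a single insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    i = 0
    while i < len(shorter) and longer[i] == shorter[i]:
        i += 1
    return longer[:i] + longer[i + 1:] == shorter

def find_deviations(profile, records):
    """Return (record, reason) for every record outside the baseline.
    'unknown process' is the stronger signal; 'new pattern for known process'
    is what a user who knows their own software can usually judge quickly."""
    known = set(profile)
    out = []
    for image, proto, port in records:
        name = image.lower()
        if name not in profile:
            reason = "unknown process"
            # malware often picks a name one character away from a system one
            lookalikes = sorted(k for k in known if _one_edit_apart(name, k))
            if lookalikes:
                reason += f" (name resembles {', '.join(lookalikes)})"
            out.append(((image, proto, port), reason))
        elif (proto, port) not in profile[name]:
            out.append(((image, proto, port), "new pattern for known process"))
    return out

def demo():
    return find_deviations(learn_baseline(BASELINE), TODAY)

if __name__ == "__main__":
    for rec, why in demo():
        print(f"{rec[0]:14s} {rec[1]}/{rec[2]:<5} -> {why}")
```

    The point of the baseline step is the one the post makes: it only works if the capture was taken on a clean system. A baseline recorded after infection simply teaches the checker that the intruder's traffic is normal.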
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Possibly. I just call everything that Ewido picks up "malware" rather than try to differentiate viruses, trojans, spyware, tracking cookies, bots, etc. I've given up trying to differentiate types.

    Cya,
    Rich
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Some good questions are raised.
    Q: Even if an anti-virus program can hit 99%, this still leaves 1% of trojans which have not been caught. Better safe than sorry, we should use anti-trojans.

    A:
    Try to see if this makes things clearer.
    First, by installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

    There are 6 grades in the school (A-F).
    An "anti-virus" program is like an A-B grade student; while an "anti-trojan" is a D-E grade student.

    Surely an A/B grade student cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

    "How about asking a D/E grade student to help?" the A-grade student thought.

    "Are you crazy? How would I know how to solve this question? Too difficult for me," an E-grade student said. "There is surely a chance I can do it, but how big is that chance, you fool!?"

    Surprisingly, he mentioned something which enlightened the A-grade student.

    "You'd better ask other A/B grade students for help. They will know how to solve this difficult maths," the E-grade student enlightens the A-grade student.

    "Ah! So stupid I am! Why didn't I seek help from other A-grade students in the first place?" the A-grade student grieves. "Now the A-grade students have left school. I have to wait for tomorrow."

    Why does the software miss that 1%? Probably they use advanced techniques which are hard to arrest, or they are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

    Your anti-trojan is not designed to arrest this 1% gap. Instead it is said to specialise in arresting trojan-related threats. Unfortunately they cannot even do better than anti-virus programs.

    You may feel anti-trojan is specialised in arresting trojan guys! You may feel so due to the fact that:
    - it was true in the very early stages of security programs
    - the name "anti-trojan" misleads you into thinking they should be specialised in trojans. It's in fact a misnomer based on hard facts. Sad to say, hard to accept, but have to admit. :"(
    - now it is a sunset market. Remember why TDS is dead?? To survive, it has to convert into either "anti-virus" or "anti-spyware" (Ewido is a good example towards anti-spyware). Anyway these 3 products have some degree of overlap.


    So what should you do now if you are the A-grade student?
    This leads to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate, and only 50% for anti-trojan, you are equal to asking an E-grade student a difficult maths question which you, as an A-grade student, don't know how to answer.

    Okay, so are you ready to ask other A-grade students now?

    Hope this answers your question.
    Feel free to discuss with me if you have further questions.
     
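    richrf's arithmetic in post 11 (a 1/100 miss rate, about 4 encounters a year, a supplement that catches 1/5 of what the first layer missed) and Wai_Wai's "A-grade vs E-grade student" analogy in the post above are the same calculation with different assumptions about the second layer. The following is an added example, not from either poster: it puts that calculation into a small model so the assumptions can be varied. The 1/100, 4-per-year and 1/5 figures are quoted from richrf's post; the 50% and "second 99% scanner" rows are illustrative assumptions taken from the analogy.

```python
# Added example (not from the thread). Layered-detection arithmetic with the
# distinction the discussion turns on: the overall detection rate of a
# supplement versus its detection rate on the samples the first layer missed.
import math

def residual_miss_rate(primary_detection: float, supplement_conditional: float) -> float:
    """Fraction of encountered samples that get past both layers.
    supplement_conditional is the chance the second layer catches a sample
    GIVEN that the first layer missed it. An overall 50% rate only equals
    this number if the two products' misses are independent, which is
    unlikely when the 1% a 99% scanner lets through are the hard samples."""
    return (1.0 - primary_detection) * (1.0 - supplement_conditional)

def years_between_events(encounters_per_year: float, rate_per_encounter: float) -> float:
    events = encounters_per_year * rate_per_encounter
    return math.inf if events == 0 else 1.0 / events

def years_between_misses(encounters_per_year: float, primary: float,
                         supplement_conditional: float = 0.0) -> float:
    """Average years between infections that get past every layer."""
    return years_between_events(encounters_per_year,
                                residual_miss_rate(primary, supplement_conditional))

def years_between_supplement_saves(encounters_per_year: float, primary: float,
                                   supplement_conditional: float) -> float:
    """How often the supplement catches something the primary missed:
    richrf's 'helps me on average once every 125 years'."""
    return years_between_events(encounters_per_year,
                                (1.0 - primary) * supplement_conditional)

def compare_supplements(encounters_per_year: float = 4.0, primary: float = 0.99) -> dict:
    """Years between infections under different assumptions about the second layer."""
    return {
        "AV alone": years_between_misses(encounters_per_year, primary),
        # richrf's estimate: the AT catches 1/5 of what the AV missed
        "AV + AT (catches 1/5 of AV misses)":
            years_between_misses(encounters_per_year, primary, 0.20),
        # optimistic: a 50% AT whose misses are independent of the AV's
        "AV + 50% AT (independent misses)":
            years_between_misses(encounters_per_year, primary, 0.50),
        # the 'other A-grade student': a second 99% scanner, independent misses
        "AV + second 99% scanner (independent misses)":
            years_between_misses(encounters_per_year, primary, 0.99),
    }

if __name__ == "__main__":
    print(f"AT saves you once every {years_between_supplement_saves(4, 0.99, 0.2):.0f} years")
    for label, years in compare_supplements().items():
        print(f"{label:48s} one infection per {years:8.2f} years")
```

    With richrf's figures the supplement helps once every 125 years and stretches the interval between infections from 25 to about 31 years; under the independence assumption a second strong scanner stretches it to 2500. The independence assumption is the weak point of that last row, and it is also what the "super/special trojans" remark above is getting at: the samples a good scanner misses are exactly the ones a second signature scanner is most likely to miss too.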
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  16. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Actually, I do remember reading about a nasty sort of persistent flash cookie (I think it was a flash cookie) that had been developed, and was rather hard to remove, that didn't sound too pleasant.....sorry, read about it about 4 months back, and can't find the article on it.
     
  17. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Interesting article and useful links here
     
  18. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Does this somewhat answer your question?
    If not, then you may wish to read this part in my first post:
    anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?
    I've discussed the difficulty issues, and I have explained how average users can still benefit from using firewalls / process protection.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This was using Flash's local storage feature - see Macromedia - Settings Manager for details on how to restrict this.
     
  20. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So are you going to say anti-trojan is actually specialised in detecting the remaining 1% which other AVs won't detect?

    But have you ever thought of using other AV or even AS free scanners to detect these trojans (remember both AV and AS can detect trojans)? You may wish to try "Ewido Security Suite" (now it tends to be anti-spyware-ised). It can detect a decent amount of trojans (it gets ~80%, so it defeats every anti-trojan) plus some spyware.

    How about locking the memory against unauthorized access in the first place? Will it be more effective than anti-trojan ones?

    How about blocking the execution of trojans in the first place? Will it be more effective than anti-trojan ones?

    Not sure why one gets a trojan. Most probably from an infected file. How about using a "super" scanner before installing any suspicious files/exes?


    Surely AT is one alternative.
    But have you considered some other greater alternatives which can supplement anti-virus plus do many other things?
    You may finally choose anti-trojans. It's perfectly fine. But what I wish to raise is - have you ever realised the existence of any alternatives? Have you considered them before making a decision that AT is the best supplement to AV? Have you thought of more effective ways to protect your computer from trojans? Have you weighed that anti-trojan approaches to keep your computer away from trojans are not really more effective than other candidates?



    Yes, you made a point.
    I totally agree.
    Read this:
     
    Last edited: Aug 13, 2005
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556

    Hi, Rich.
    You have pointed out 2 points:
    - AV can do it all (99%, don't you think is enough?) <-- you have said that
    - 1% gap can be filled by:
    -- common sense
    -- safe browsing and safe computing
    -- use "super" scan before executing/installing anything
    -- use FREE online scan which can shoot trojans & other malware down (eg AV, AS [AS can shoot trojans & can be far better than AT!], AT)
    -- don't forget your firewall
    -- don't forget process protection (suitable for everyone who don't mind to learn a bit, or intermediate users)
    -- don't forget registry protection (suitable for advanced purposes, for advanced users)

    After implementing all the above, I see too little point in why I need an AT.

    One may ask, why don't you implement AT first, instead of implementing other methods first?

    The points are as follows:
    - as said by Rich, AT is not significantly different from AV. They share more or less the same problems as far as I know.
    - after reading the performance of anti-trojans (the best trojan specialists manage to get 50% only! With the death of TDS, only A squared 2 can. And don't forget, they are just the best 2; others are much worse, get 30% performance off)

    To get a clearer picture, let's make some comparisons (AV vs AT over trojans and non-trojans):
    - simply speaking, asking AT to supplement AV is analogous to "an A-grade student asking a D/E grade student to help on a difficult Math question." I would rather ask other A-grade students, instead of D/E grade students.
    Read Q: Even if anti-virus program can hit 99%, this still leaves 1% of trojans which have not been caught. Better safe than sorry, we should use anti-trojans in my first post for details.

    - Surely you may not understand what I mean. It may be worthwhile to re-read my post since my post has been expanded hugely to clarify all the points made to reach my claims. We need time to understand each side, so we can find the "truth" :p

    Thanks for your kind attentions.
    And welcome for any comments.
     
  22. Why

    Why Guest

     
  23. fetch

    fetch Guest

  24. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,699
    Location:
    Texas
    Hello Wai Wai

    Your numbers for AV's look a little whacky! When you look at the comparisons at:

    www.av-comparatives.org

    see: Retrospective\ProActive May 2005


    Please explain, perhaps I'm the whacky one?

    Thanks
    rico
     
    Last edited: Aug 13, 2005
  25. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I don't agree with your 1% assertion, first of all, second of all it's not entirely about what the AV doesn't detect, it's about what the AV is not equipped to deal with should your system end up infected.

    If my AV is ill-equipped to remove a trojan infection, I'm not going to go to another ill-equipped AV. However, the trojans that an AT may miss are most likely ones easily, and quite possibly better, handled by an AV. Scanning a bunch of files on your drive is kind of contrary to the entire point of an AT, and IME does not reflect its real-world application.

    And yes, Ewido is, IMO, currently the best anti-trojan, my AT of choice. My assertions about AVs also apply to ASs, which is why I use Ewido over a resident AS. Ewido is still, however, an AT, and falls under the same category as your original post, so I'm not entirely sure why you would put down ATs in general and amend it by saying "Maybe you should look at Ewido".

    What are you referring to here?

    Sure, provided you're savvy enough to make the correct decision. The problem is that most of these things make themselves look like legitimate system processes. The other problem is that if you just intentionally installed some software, you're probably going to allow any new executables it has installed to run. Prevx had to overhaul the way their product worked because the majority of users were allowing their systems to be infected; for that majority, an AT would have been far superior.

    Trojans are software in and of themselves; they don't infect other files as viruses do. You may also want to define "super scanner". Do you mean KAV? KAV is ill-equipped to handle modified trojans until it updates. NOD32 and Ewido are my personal choice; together they're about as good as it gets. On top of that I have other behavior blockers, most of which include more signatures, although most of them don't use strong signatures, but it can still help. I would also never recommend installing more and more AVs, unless you're installing something like BitDefender Free that is made to work only on demand. Installing more than one AV (that is made to run resident) is likely to cause problems.


    Lol, you may want to take a look in the pages in my sig.. there are plenty of alternatives there ;) There are many discussions around Wilders about HIPS and who they are and are not appropriate for. Rather than reiterate my opinion here, I will just recommend looking around a bit, there's lots of information available around here :) (including my own "weighing" of options ;) )
     