Why bother using any anti-trojan program

Discussion in 'other security issues & news' started by Wai_Wai, Aug 13, 2005.

Thread Status:
Not open for further replies.
  1. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    There is no doubt that some antivirus programs detect more trojans than most AT apps. The difference I have noticed reading and trying to keep up with the technology is that an AT might not detect as many trojans, but they are usually able to handle them better than an AV. There are several cases here on Wilders where an AV detected a trojan but couldn't delete it, whereas an AT was able to get rid of the malware. I realize that this is not always the case, but in most cases the AT will do a better job. So in my opinion it would be wise to have an AT if only to get rid of malware found by your AV.
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yes, what he said :D :D
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Read this:
     
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It seems you are asking about my signature :p
    The number is just a rough indicator, so you don't need to treat it seriously.
    It comes from a test at www.virus.gr, or rather it is from http://www.virus.gr/english/fullxml/default.asp?id=69&mnu=69
    [PS: as you notice, I ignore the second one, AVK; it is because this is a German product.]

    More questions are always welcome.
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are right. AV outperforms AT.
    If you read the list, even the worst antivirus program (AVG) still defeats the best anti-trojan.


    You raise a good point.
    So although AT is far worse at detecting trojans, once they are detected, it can remove them easily. And AV seemingly doesn't handle these trojans well.

    So here comes another question of mine. Say I install an AV on my computer, and later I find the XYZ trojan; instead of getting an AT program, how about getting a removal tool which is aimed at that trojan? Will the removal tool do a much better job than AT (since, you know, this tool aims at that trojan)?

    What do you think?
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There is some serious doubt as to the reliability of that test..
    https://www.wilderssecurity.com/showthread.php?t=46810&highlight=virus.gr
    https://www.wilderssecurity.com/showthread.php?t=77033&highlight=virus.gr

    See above

    Everyone decides their defense setup to their own liking, of course, but some would rather have something that deals with it properly to begin with, rather than having to hunt. What if the trojan blocks you from getting to the site with the removal tool, as some will do? What if the trojan is one of the real nasties, as the AT is designed to stop, in which you may not even want to be online until it's gone?
     
    Last edited: Aug 14, 2005
  7. Why

    Why Guest


    I am aware of jotti's. I would not really call jotti's a super scanner. Here is a quote from the jotti scanner:

    "This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, I cannot and will not be held responsible for any damage caused by results presented by this non-profit online service."

    Jotti's can and does miss malware... some days it misses a lot for various different reasons. The types of private build trojans that are built to be undetectable would most likely not be picked up on a Jotti's scan.

    They would more likely be picked up as they unpack in memory by an AT such as Ewido or BOClean. All on-demand file scanners have weaknesses. I know a website that you can go to right now and download some software that has all types of malware in it, and it would not be detected in a Jotti's scan, but more likely than not BOClean and Ewido would pick it up.




    Why
     
  8. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    The 1% assertion doesn't matter. It's just a rough indicator. Don't treat it seriously.

    If you are going to use the best anti-virus program (eg KAV, F-Secure, AVK), you will miss ~1% of trojans. Wait... 1% itself is also an over-simplification even if the product is KAV. So we need to talk about what this 1% really comprises. KAV, for example, does not detect 99% of every kind of malware. There are variations...
    And if you are going...

    See! If I'm going to elaborate every point I have made in my post, the article will become lengthier and lengthier.
    In order to keep our discussion in focus, I will simplify anything which is not really the core of the argument, or the argument can fall into a forever loop.

    Can you see my point?
    Surely if you feel the agreement of 1% is important (eg only 1% difference can influence the whole decision) when talking about why we should bother using AT, as the best solution, to supplement that AV. Surely I can explain the "1% myth" if you wish to know more about why I take this for granted.


    I would like to hear more from you.
    It seems you understand something which I don't know. :D
    At the same time, it seems you still cannot understand all my points raised in my first post. Have you read it through yet?

    Here are my questions:
    First, what is IME?
    Second, why do you think if your first AV is ill-equipped, the second AV must also be ill-equipped?
    Third, if your first AV is ill-equipped, why do you think your AT must be able to cover the holes/flaws the AV has?
    Finally, as I have already said, "AT is better at something than AV" doesn't prove "I should choose AT" or "it is the best alternative", so would you mind explaining why you feel AT is the best solution (if you think so) compared with all other possible solutions (eg AV, AS, firewall, process protection, registry protection)?



    Hmm...
    So we have difficulties agreeing on what category Ewido belongs to.

    Ok, first let's talk about the labels AV, AT, AS.
    You know, these labels are rather misleading. You should know why.
    AV = NOT only just for anti-virus; it is capable of getting trojans.
    AT = this one really mainly deals with trojan-related software.
    AS = NOT just for spyware & adware. AS also takes care of trojans, keyloggers, dialers etc.

    So ignore the misleading labels and try to re-delimit their scopes.
    I try to outline the scope each type of program is focusing on (ie what aspects of malware they mainly handle):
    (Methodology: First, look at all programs of the same kind. Second, mark what type of malware each program of the same type can handle. Third, delimit their scope based on the results.)
    AV: pre-requisite: must focus on virus(-related) threats. Also focus on macro, worms, scripts, trojans, keyloggers, dialers, and miscellaneous (harmful**) malware.
    AT: pre-requisite: must focus on trojan(-related) threats. And that's it! For other aspects, they do (very) little.
    AS: pre-requisite: must focus on spyware(-related) threats. Also focus on adware, hijackers, trojans, keyloggers, dialers, miscellaneous (harmless**) malware.
    ** here "harmful/harmless" refers to the (intentional) damage done on the computer. Some malware may aim to screw the computer (similar to virus but the behaviour is not the same as virus). I call them harmful malware. To the contrary, harmless malware is more to do with privacy intrusion, advertising, tracking (similar to spyware/adware but the behaviour is different). I call them harmless malware.

    Do you understand more about the "real" meaning behind the labels?

    If so, then we can see how Ewido should be defined. The authority should lie with the author. Unfortunately it claims that it is a "security suite" (?) Calling itself a security suite?!? It's again a misnomer. I expect this kind of "security suite" to include at least AV, firewall, and AS. Anyway, simply leave this point aside if you don't agree. We wish to keep our discussion in focus.

    Now we analyse what Ewido can do:
    On its website, the author tells us the product will detect:
    - Hijackers (AS)
    - Spyware (AS)
    - Worms (AV)
    - Dialers (AV)
    - Trojan (AV, AT, AS)
    - Keylogger (AV, AT, AS)
    () indicates the areas which most of that kind of program focuses on.

    This product covers 4 areas of AV aspects and 4 areas of AS aspects.
    However it is required to cover viruses in order to be qualified as AV. So I rule it is AS now. :)

    If you agree on how I delimit the scopes of AV, AT, AS, you can see Ewido is not really an AT now. It used to be (surely you won't suppose that simply because Ewido was AT in the first place, it must be AT all the time).

    {see next post}
     
  9. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    So now it's up to you to make your own classification and definition.
    In fact, how one classifies products does not matter. The main point is you should understand the reasons behind why I think AT is not the best alternative to stop trojans.

    For example, if KAV turns out to claim it is AT (surely it can do so, it has the best detection rate in AT), then I will agree KAV is the only AT we should use.

    Now back to Ewido. What do you classify it as now?

    If you think it is still an AT (which I think is a misnomer, since it can now deal with more spyware-related threats), then the statement may be:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help a lot, the best AT being Ewido of course.

    If you think it is indeed an AT (2nd generation) or super-AT, then the statement becomes:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but it's not an optimal solution. I recommend you use this super-AT (2nd generation) Ewido.

    If you think it is AS, then the statement becomes:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but don't bother since they don't do well. Try to use AS instead. You may try Ewido in this regard.


    What I wish to say in the above is,
    - apparently we are not disagreeing with each other; we are just not agreeing on each other's wording.
    - in fact, we have the same idea (Ewido being a good program, no matter whether it is called AT or super-AT, or AS). We just use different wording to express it.

    If you ask me, I will surely like the AS label since it reflects the scope of this program more accurately (spyware+adware+trojans etc.) You know, AS are working hard to deal with trojans too, since trojans are somewhat a kind of privacy intrusion, right? :p
    If I say it is AT, it will distort its scope (you know AT really only focuses on trojans)
    If I say super-AT, since this is a new label, I need to explain. Why not use an existing label, AS?



    There are some products which can guard the physical memory.
    ProcessGuard is one.
    You know, the creator of ProcessGuard actually comes from the TDS developers.
    So they know well how to stop trojans.
    Is that clear now?


    Hmm... It's another big topic to discuss.
    I just take ProcessGuard as an example since I am familiar with this product.
    In order to protect yourself against possible trojans, you need to go through the following steps:
    - read the manual; (the best) make sure your system is clean
    - let ProcessGuard learn your system (see below for explanation)
    - every time you install a new program, do the following steps:
    -- turn ProcessGuard to learning mode. It will record the behaviour of the system and learn what to allow
    -- run the program at least once, so it can learn your new program too
    -- you need to restart at least once, so ProcessGuard will know which programs should load up at start
    - Do you remember that I said your system needs to be clean? Why? Because if it is infected by viruses, trojans etc., ProcessGuard may wrongly record these behaviours as legitimate, and you are ruined.

    After all, you don't need to decide which program is legitimate. ProcessGuard learns to distinguish them. And you are protected by a layer which can even stop the newest/unknown malware.

    For advanced users, if you are interested to know how exactly it protects you, read the following:


    Arguable disadvantage:
    "you need some computing knowledge to utilize this program, or you may be stupid enough to allow a trojan to do its job :p"
    --> However "search engines" and "forums" are your friends. So even for dummies, if they realize the existence of these 2 "helpers", it's not really a problem (although you still need to spend some time and effort on it). For immediate and general help, use search engines like "Google". For special and detailed help, ask experts in various security forums.
    --> if you follow my steps, ProcessGuard will not alert anymore. When it does alert (which is something you haven't ever run before), it is really suspicious. Do the following:
    1) Search to see if the *.exe is evil.
    -> if found, follow what the website suggests
    -> If you can't find it, it is likely to be evil
    2) Ask the forum
    -> Experts will tell you the answer hopefully. At that time, quarantine that evil until you get an answer


    Now the decision is yours.
    That's about all you need to do to utilize ProcessGuard.
    To me, you just need to do some extra work; you don't need to have good computing knowledge. For some people, these steps may already scare them away.

    By the way, as I have talked to you for a while, it seems you are also a computer expert. I would personally recommend you try it out. I think the concept and the design is great, not to say it adds a lot of basic technique to stop hackers' advanced techniques.

    Tell you one thing. I once tried to test the firewall alone in a small leaktest. About half of the leak attacks could bypass the firewall. With the help of ProcessGuard, it can block all leak attacks (including very advanced ones). It's really inspiring. :D


     
    Last edited: Aug 14, 2005
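The learn-then-enforce workflow described in the post above (baseline a clean system, then block anything not seen during learning, and note that an infected baseline allowlists the infection) can be modelled in a few lines. The following is an added example written for this thread; it is not ProcessGuard's code and does not describe its internals. It keys each executable on path plus content hash (an assumption about how a tool might identify a binary), and the event stream is constructed.

```python
"""Toy learning-mode process allowlist: learn on a baseline, then enforce.

Added example, not ProcessGuard's code. Models the workflow from the post:
1. learning mode records every executable that runs,
2. enforce mode allows only what was learned and alerts on anything else,
3. an infected system during learning silently allowlists the malware.
The "file bytes" below are constructed stand-ins for real binaries.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecEvent:
    path: str       # image path of the process being launched
    content: bytes  # bytes of the executable (constructed here)


@dataclass
class Allowlist:
    learning: bool = True
    allowed: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    @staticmethod
    def key(ev: ExecEvent) -> tuple:
        # Path alone is not enough: a replaced binary at a known path
        # must still look unknown, so the content hash is part of the key.
        return (ev.path.lower(), hashlib.sha256(ev.content).hexdigest())

    def observe(self, ev: ExecEvent) -> str:
        k = self.key(ev)
        if self.learning:
            self.allowed.add(k)          # learning: record, never block
            return "learned"
        if k in self.allowed:
            return "allowed"
        self.alerts.append(ev.path)      # enforce: unknown => alert/block
        return "blocked"


# Constructed baseline: what a clean workstation runs during learning.
CLEAN_BASELINE = [
    ExecEvent(r"C:\Windows\explorer.exe", b"explorer-v1"),
    ExecEvent(r"C:\Program Files\Mail\mail.exe", b"mail-v1"),
]
# Constructed unknown executable that shows up after learning ended.
UNKNOWN = ExecEvent(r"C:\Users\me\Temp\invoice.exe", b"dropper-bytes")


def run_scenario(baseline_clean: bool) -> dict:
    """Learn on a baseline, switch to enforce, then replay three launches.

    baseline_clean=False models the post's failure mode: the unknown
    executable was already running while the tool was learning.
    """
    al = Allowlist()
    baseline = list(CLEAN_BASELINE) + ([] if baseline_clean else [UNKNOWN])
    for ev in baseline:
        al.observe(ev)
    al.learning = False  # learning finished, now enforce

    return {
        # known binary, unchanged bytes
        "explorer": al.observe(CLEAN_BASELINE[0]),
        # same path as a known binary, but different bytes (tampered)
        "swapped_mail": al.observe(
            ExecEvent(r"C:\Program Files\Mail\mail.exe", b"mail-TROJANISED")),
        # executable never seen (or seen during an infected baseline)
        "unknown": al.observe(UNKNOWN),
        "alerts": list(al.alerts),
    }


if __name__ == "__main__":
    print("clean baseline   :", run_scenario(baseline_clean=True))
    print("infected baseline:", run_scenario(baseline_clean=False))
```

The second scenario is the point the post makes about a clean system being a prerequisite: the allowlist cannot tell a legitimate program from a trojan that was already running while it learned, so it will report "allowed" for the dropper with no alert at all. The swapped-binary case shows why a defender wants the hash in the key rather than the path alone.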
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I think that sums it up quite nicely. For further information refer to the links in my last post. :)

    IME = In My Experience
     
  11. Why

    Why Guest


    Then what is Boclean? BoClean detects just as much spyware as Ewido, if not more. What about Trojanhunter and A-squared? I remember reading somewhere that Magnus had hired someone to concentrate on adding spyware signatures and I am sure if you look in both programs databases that you would find lots of spyware also.

    Almost all of the Anti-trojans are on the way to becoming hybrid anti-trojan and anti-spyware scanners. All of this classification nonsense is just obscuring the debate.

    Why don't we call anti-trojans another name? How about anti-malware scanners. Do we need anti-malware scanners that were formerly classified as anti-trojans to supplement anti-malware scanners that were formerly classified as antivirus? That is a better question.



    Why
     
  12. Why

    Why Guest


    The decisions that need to be made when it concerns PG are a little more involved than that. It involves making the correct decision on every alert. Sometimes, those answers are not found on Google and sometimes forums cannot give you answers either.

    One of PG's weaknesses is that if you like installing freeware, you might willingly allow a driver to install. Much software these days installs drivers, so how do you know what to allow and not allow when PG has no signatures?

    Plus, PG is not foolproof. There are weaknesses that PG might not protect against. Some of those threats might be theoretical in nature and others are not.

    Now there are some companies that are doing things to try to take the guessing game out of the equation. One such program is Online Armor. Online Armor creates a database of allowed programs and disallowed programs.

    The disadvantage of Online Armor is that it is a relatively new program and probably not at this point in time as good as PG is in protecting against certain threats.

    What about A-squared? It does not claim to have a great scanner. Its strength is its IDS. A-squared is more a behavior blocker than it is a scanner. You should look into what A-squared is doing. You might actually like their concept.



    Why
     
  13. gramma

    gramma Guest

    Normally I won't waste my time on topics such as this one due to the subject having been beaten to death over the years.

    Classification: clearly one very long-winded poster needs to learn what is and what is not a trojan before even attempting to enter into a debate on the subject.
    So, what's it going to be: is a stored cookie a trojan? Is spyware a trojan? Is a trojan actually a virus? Are AVs supposed to detect trojans and ATs supposed to detect viruses? If a person really wants to confuse the issue, just throw in a few questions like that. And that displays a person's true lack of knowledge on the subject.
    No, I have no intention of entering into this subject. It was just beginning to get a little embarrassing reading some of the confusing posting. There are a few very knowledgeable posters in this thread offering nice comments. And there is also at least one poster who really needs to start over in the learning process. Cause you just ain't very computer savvy.
    No offense intended towards anyone. It's just that posting a lot of links to other people's tests and results doesn't prove you personally know anything about the subject other than that you know how to copy and paste links. And when it becomes clear that a poster can't make up their mind what is and what is not a trojan, then it's time to halt the debate.
    Learn what a trojan is. That's the best place to begin.
     
  14. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It is called "super" simply because I can scan a file with 14 engines at one stop, not because it can 100% detect malware.

    Yes, you are right. It is still not 100% safe.
    Anyway, nothing is 100% safe, and neither is AT.

    For people who say they need to share files on p2p (high-risk groups), one can use the online all-in-one scanner (14 engines) to see if it has any malware before installing the file. Surely I'm not going to say it is 100% accurate; that holds true for AT too.

    So I don't know why this can be a point to disfavor the use of an all-in-one scanner. If it was the point, we shouldn't use AT either.

    Think about the chance. I do think using an all-in-one engine (of which some engines have 99% hit rates) makes it far easier to detect a malware than one AT engine.

    Feel free to tell me why if I am wrong.


    If I can detect the trojan in the first place, how come I need to have this protection?
    It is already a bit bad when they have been infected in your system.

    And as I said, although AT can supplement AV, it is in a limited way. There are far better alternatives which can supplement the AV and lots more, including AS (remember AS can detect trojans, keyloggers etc.), firewall, process protection, registry protection, or even another AV scan.
     
    Last edited: Aug 14, 2005
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I believe this is the main point. There is certainly "custom malware" that can slip past signature-based and heuristics-based anti-malware packages that are either scanning on-demand or in memory (btw - I believe that this may be a better way of classifying anti-malware packages). So the question is, what method of protection will provide the most incremental gain. I believe there are these courses of action:

    1) Add heuristics based anti-malware to supplement signature based.
    2) Add in-memory scanning anti-malware to supplement on-access.
    3) Add behavioral-based anti-malware to supplement signatures and heuristics.

    In real-time, right now I have strong signatures (KAV), in-memory (Ewido), and behavioral-based (ProcessGuard, RegDefend). I use online scanning now and then, in the form of BitDefend, to add some heuristics-based scanning. I believe that each addition, over and above KAV, provides very little incremental protection on a probability basis (I just don't run into any malware all that often), but it is comfortable for me.

    Rich
     
  16. Why

    Why Guest


    Because you might not detect the trojan in the first place with an on-demand scan. You should read up on trojans and trojan detection methods. Super scanners are really not that super at all. Most of the reason all of those scanners are at Jotti's is so they can collect samples of malware that they cannot detect.

    About the site that has the malware that I mentioned before. I have sent the sample in to Kaspersky and they still can't detect it weeks after submission with their on-demand scan!!! I suspect that the malware is using some packer that KAV can't unpack, like maybe Armadillo.

    That is a good science project. Everyone research how many AVs can unpack the latest Armadillo reliably.

    ATs are not perfect either, but some of the better ATs can catch the trojan as it enters memory but before it has a chance to infect. You should read up on how BOClean works. Ask someone like Mercurie. I am sure he will enlighten you as to how effective it is on detecting and removing trojans.

    ATs are not the first line of defense. They are there in case something beats the AV scanner. Whether someone uses an AT or not should probably depend on their risk level.



    Why
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    In fact, based on my way of classification, TrojanHunter & A-squared are clearly AT. I think you should understand why if you have read what I wrote. I have explained before, so I'll save it.

    BOClean... I don't have info about this product. Again, like Ewido, the authors do not claim their product as AT either.


    Hmm...
    My main delimitation line is what they mainly focus on. If a program can detect a few or some number of that kind of malware (eg spyware), should we still classify it as anti-spyware too?

    If it is so, then a whole lot of security products are called anti-malware. AV, AT, AS are suddenly classified as anti-malware.

    So what do you think?
    How should you define products like Norton, KAV, McAfee, Spybot, BOClean, Ewido? AV? AT? AS?

    Anyway, we don't need to settle on this matter since it is just a problem of definition or a naming issue. No matter what definition, it doesn't really affect the essence of the claim. What I wish to find out is whether we should bother to use these-and-these products like A-squared 2, Hacker Eliminator 1.2, The Cleaner (whose authors call them AT), not how to classify a product.

    Keeping the discussion in focus is my point.


    I have already said that the labels AV, AT, AS are all problematic.
    So I agree they'd better make some other labels.


    That's again a debate of wording only.
    The essence of the answer remains unchanged, but just the wording is different.

    It's up to you to make your own classification and definition.
    In fact, how one classifies products does not matter. The main point is you should understand the reasons behind why I think AT is not the best alternative to stop trojans.

    For example, if KAV turns out to claim it is AT (surely it can do so, it has the best detection rate in AT), then I will agree KAV is the only AT we should use.

    Now back to Ewido. What do you classify it as now?

    If you think it is still an AT (which I think is a misnomer, since it can now deal with more spyware-related threats), then the statement may be:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help a lot, the best AT being Ewido of course.

    If you think it is indeed an AT (2nd generation) or super-AT, then the statement becomes:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but it's not an optimal solution. I recommend you use this super-AT (2nd generation) Ewido.

    If you think it is AS, then the statement becomes:
    - If you use AVG (13.93% trojan detection rate in 2005), adding any AT does help, but don't bother since they don't do well. Try to use AS instead. You may try Ewido in this regard.

    So if you ask this question, the answer is that it is (indirectly) answered already.
    If you don't think so, I may re-word my claim, so you can see my point. :)
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Did you load up Ewido, BOClean, TrojanHunter, or A-squared (trial or licensed versions of any of these) to check whether they were able to detect it? This would be a really nice test of these products' backup capabilities.

    Rich
     
  19. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Before continuing the discussion, I would like to raise one point.
    I do not intend to offend you. I just wish to make you understand one point.

    In your post, you talked about the problems of PG and Online Armor. Yes, I agree that they have their own disadvantages. I have also explained their disadvantages in my first post. Have you read it?

    Then you point out AT is using IDS, which is a behaviour blocker. From your flow and wording, I guess you are supporting AT since it has IDS and it is better than what I suggest, right?

    That's the whole logic of your article. However you have committed fallacies in reaching your main conclusion. Not to become long-winded, I just briefly point out your fallacies:

    "Since XX has disadvantages, XX is not recommended."
    This reasoning is wrong. In order to prove we should NOT choose A over B, you should prove A is overall LESS advantageous than B.

    "Since YY has advantages, YY is recommended."
    This reasoning is wrong. In order to prove we should choose A over B, you should prove A is overall MORE advantageous than B.

    If you understand what I mean above, here's what I would like to learn more about.
    How can we compare AT with:
    - firewall
    - AV & AS
    - Process protection
    - Registry protection

    Why do you feel AT (& its concept of IDS) is more beneficial to most people in general situations than other alternatives?

    I would like to hear, if you don't mind, how you weigh the pros and cons of different alternatives. Then weigh their advantages and disadvantages, and make your final conclusion.

    To see how I weigh different options, see the heading "anti-trojan VS other alternatives - is anti-trojan program a trojan expert or misnomer expert?" in my first post.
     
  20. Why

    Why Guest


    Before the discussion can continue, you will have to research Trojans and Anti-Trojan methods. No one is going to be able to teach you these things in one afternoon and in one small thread.

    In your research you will probably discover things that will give you greater understanding and might make you question some of your original assumptions.

    You can start here:

    http://scheinsicherheit.sc.funpic.de/procedure2.htm

    and here:

    http://illusivesecurity.il.funpic.de/index.php

    but don't just stop there. There is a whole world full of information beyond those starting points.



    Why
     
  21. StevieO

    StevieO Guest

    Wai_Wai, I must say your English is much better than my Chinese. I have looked/do look at those two links, illusive/scheinsicherheit, you gave in your post, which are good resources, amongst others.


    Back to (Xfocus)ing on things.

    I was going to suggest calling them anti-malware scanners, as Why has already done. I do think in principle it's a nice idea. The trouble is the market place in particular, and also consumers, need clear delineation for obvious reasons.

    On top of that we have a situation where the purveyors of Adware etc etc are resisting and challenging, even through the courts, our guardians' descriptions of their (products/services).

    So AM, as accurate as it is for us, probably won't hold up legally anyway as a description for an App etc. It just wouldn't be worth the hassle. We are free to call it AM generally in references though.

    I still prefer to know I'm reading/talking about AV, AT, AS etc for clarity.

    About the 1% issue. I think that missing 1% etc could be covered to some extent by another App that the other one/s overlooked. I doubt if two or more databases from different Apps would match exactly.


    StevieO
     
  22. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Here's what "Why" said in another thread:

    It seems your ProcessGuard (PG) has problems.
    Because your situation shouldn't happen unless you have messed it up.
    It shouldn't have any alert.
    For the above method, what the trojan does is to rewrite the physical memory. Instead of giving an alert, ProcessGuard will block it. If you wish to allow it, you have to do it in the GUI.

    And your case is applicable to stupid noobies. For people who have read the manual and remember to use "learning mode", you are very safe. Don't think the situation is the same as a firewall; you will even have fewer alerts when you use ProcessGuard (eg I can have no alert in the whole day).

    One protection it offers is to lock the access rights of physical memory. In fact, only a few system files need access to the memory. It is uncommon for a program to need such kinds of access. So you don't really need to open the access rights (it's like the case with ports; it's stupid to open so many ports). So why not lock it up? It's much safer than relying on an AT to identify trojans, in which trojans still have good ways to hide themselves from an AT memory scan.

    To have a clearer picture, I should really compare the pros and cons of ProcessGuard and AT, instead of just showing the positive sides of ProcessGuard.

    This is a good comparison which tells you why PG is better than AT:
    (If you don't have time, jump to the conclusion)

    Conclusion
    To me, after this comparison, I can't see why I should use AT instead of PG. First, I'm not a stupid noobie. I'm willing to learn. If you are willing to learn, the product is not difficult to use due to its great feature - ProcessGuard. Surely you should not misuse your product. But if you read the manual and are willing to follow it, it is easy to use it properly.
    Second, it provides far better protection which AT cannot offer. The knowledge requirement is no higher than a beginner's, at least in most of the cases.
    Third, I am not a security freak; I will not try to max. security by any inch, so I don't bother to add any AT. I don't wish to run so many security products and waste my resources.
     
    Last edited: Aug 14, 2005
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Indeed I doubt if it is true.
    "Why (the author)" did state that an all-in-one engine can fail to detect a malware, but it is true for AT too, right?

    Also it seems he doesn't know memory scan is unreliable too.
    1) It depends on your signatures
    2) trojans can bypass the scan
    3) trojans can modify your AT.

    So if you ask me, both AV and AT have their own problems.

    A memory lock (offered by PG) is a far better solution. And don't get it wrong that you need to have good knowledge to use this feature well. You don't!
    Its secure structure (kernel-based) can solve my above-said problems too. A trojan can't modify it, or at least it is very difficult to do.

    If you still don't understand why, read the above post before making other claims.

    By the way, "Why" seems to claim "I have excessive misplaced trust in the capabilities of heuristics."
    It seems he feels it is rather useless. Indeed AVs have good designs and the heuristics can work to stop malware which is not in their signature bases.

    See some hard facts:
    KAV managed to stop 43% of Zoo malware, while NOD32 got 49%.
    (http://www.av-comparatives.org)

    I don't think AT can do much better than them when facing Zoo malware.

    If you are still in doubt, more hard facts can be quoted.
     
  24. Why

    Why Guest

    You're engaging in speculation now. Once the conversation veers off into speculation then I must leave the discussion, because speculation only brings confusion.

    It is not PG that has problems. It is the decisions that the end user must make that are the potential problem.

    PG is still a fairly new program and its user guide is, well, incomplete. I am sure DCS will expand the user manual as they also update the program.

    Also you might seem to think PG is 100% bulletproof, but it is not. If you search far enough, you can find its weaknesses.

    Have a good day.



    Why
     
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Some hard facts have been provided indeed.
    But since I am too long-winded, the info is buried in the deep sea.


    It's not really true.
    You don't really need to make decisions.
    PG will do it for you.

    Again, I have explained previously.



    I have never made such a claim.
    It is common for you to use the "A is not 100%, so you should use B." method to prove your statement.

    Think about it. The memory scan method is flawed too.
    I have listed 3 of the flaws, which were explained previously.



    Thanks. :p
     
    Last edited: Aug 14, 2005