Comodo Forum » Archive Boards » Comodo BOClean Anti-Malware
Topic: will Comodo BOClean delete my pr0n ??? (Read 5259 times)
frazzled (Comodo Member)
« on: April 22, 2007, 07:36:36 PM »

I installed this app cuz I heard it has a tray icon, and I LOVE tray icons (I collect them!)


Seriously, I'm a bit confused about the extent of "scanning" BOClean performs.
After closing the "config" screen, the resulting popup window mentions scanning... and I see references to Windows, System32, ProgramFiles, etc. folders blinking in it.

Is BOClean just re-scanning the files related to the currently active processes?
If not, what path(s) should we expect will be scanned? I'm wondering the same (which paths?) with regard to the "resuming background scan" and "unattended" features also.

I had the impression that BOClean's operation(s) involved antihook and dll injection watchguarding + sandboxing. If it is actually going to scan through the entirety of my drives (what about mapped drives?) I won't be happy if it finds/deletes "stuff" which is on someone else's "bad" list.

The absence of an option provided to enumerate paths which should be excluded suggests BOClean does not scan the entire filesystem; I'm asking for confirmation that it doesn't.
~cat~ (Global Moderator, Comodo's Hero)
« Reply #1 on: April 22, 2007, 07:40:46 PM »

No, it's not scanning your files.
BOClean only scans active memory processes.

Parched dry and thirsty, knee deep in the river of life.
Kevin McAleavey (Comodo's Hero)
« Reply #2 on: April 22, 2007, 07:44:32 PM »

BOClean doesn't scan files as its main course of action. It will examine files which are related to anything which starts to run to see if it can detect anything that way, but over the years I've been well known to heavily disrespect file scanners because everyone's got an antivirus or some other antivirus-like file scanner. We do things differently solely on that basis alone. We only look at what's actually trying to run, not what's sitting there. And while file-scanning is useful, it doesn't do a lot of good until a system is so hosed up that the idea of "perhaps I should scan" is usually too late.

But we'll stand behind anyone else's scanner of your choice ... :)

"I reject your reality and substitute my own." - (Adam Savage, "MYTHBUSTERS" TV show)
frazzled (Comodo Member)
« Reply #3 on: April 24, 2007, 06:07:28 PM »

Geez, I expected the cutesy title of this thread would draw 'em like flies, but only 166 views so far! 166, compared to 1000+ views for a generic-titled ("Complaint!!!") thread someone started the same day.


Anyhow, now that I've had Comodo BOClean running on this PC for several days, it seems like a fine (stable, no-frills, dedicated purpose) app. I keep hearing (er, reading) how it's the best, bar none, at what it does... but "Where's The Beef?"(tm)

Same as with CyberHawk, after installing BOClean I'm sitting here thinking "Yah. This is like installing those AS SEEN ON TV (tm)(probably another tm) anti-deer whistles on your car. I know them deers is out there somewheres, and I ain't hardly had none of 'em run inta my car since I installed them there whistles... so them gizmos must be workin' like they sez"

I think I've read through all the docs (both the marketing spiel and the support 'page') and nowhere have I found any meaty specifics, similar to those being touted by "competing brands", à la:

Quote from: http://www.diamondcs.com.au/processguard/index.php?page=introduction

    Main uses ...
    Each capability of ProcessGuard is powerful in its own right. For example, a program which simply blocked a rootkit trojan from installing would be very valuable in its own right, yet this is just one feature of ProcessGuard! Here is just a brief list of some of the main uses of ProcessGuard:

        Securing processes from being attacked (terminated, suspended, modified)
        Controlling which programs are/aren't allowed to run
        Blocking rootkit trojans and other malicious drivers from installing
        Protecting physical memory from malicious modification
        Blocking hooks and code injections
        Determining which programs are being executed on your system
        Determining which programs are attacking others on your system
        Analysing the inter-process behaviors of programs
        Keeping a log of all programs that execute (important for post-infection analysis)

    Main attacks ProcessGuard blocks ...
    ProcessGuard protects against so many different types of attacks that it's difficult to combine them all into one list (for example, although it protects against process termination it secures over a dozen different "termination vectors" in order to accomplish this, so really it's protecting you against a lot more than just one attack).

    Here are the main classes of attacks that ProcessGuard can protect against:
        Unwanted/unknown process execution
        Process/service termination
        Process/service suspension
        Process/code modification
        Process/service crashing
        Rootkit trojan installation
        Firewall leaktest bypass methods
        Hooks and code injections
        Physical memory malicious modifications
        Windows File Protection attacks
        User Imitation attacks

I wound up choosing the title for this thread upon realizing that in numerous posts I've been *****-footing around, trying to find specifics (features, functionality) AFTER having installed the app. Gently, gently, because the limited response to my earlier, more pointed/challenging post in the "BOClean vs ??" thread
http://forums.comodo.com/index.php/topic,7742.0.html
suggested that the ranks of happily enthusiastic users are similarly unenlightened.

Do ya get out much?
The marketspace shared by BOClean *is* now occupied by DOZENS of competing brands. Each of them is claiming best-in-class functionality; to keep pace, Comodo needs to improve BOClean's "sales pitch" by providing details -- perhaps even to the extent of creating a feature comparison chart.

or not.

Don't worry about the details.
We don't explain them because you wouldn't understand them anyhow.
It's a black box. It's free. Trust us. Install it.

posted with sincere appreciation toward MrKevin and Comodo for bringing this much-needed app "to the masses"
Melih (Administrator, Comodo's Hero)
« Reply #4 on: April 25, 2007, 11:34:45 AM »

hi Frazzled

There is a big difference between HIPS-like products (the one you are quoting on) and BOClean..
BOClean works with a blacklist and monitors the memory in real time to see if any of these nasties are there or not. So it's like an AV, but instead of scanning the hard disk to find nasties, we wait in memory and catch them there. Until they are in memory they can't cause any damage anyway.. and it's more efficient to sit and wait where they feed :)

Melih

Arkangyal (Global Moderator, Comodo's Hero)
« Reply #5 on: April 25, 2007, 12:29:20 PM »

Hello Kevin,

What is the difference between these cases:

1. I drag&drop the grc tester file into CBO's window and it's detected as MALWARE.

2. I drag&drop a Hungarian trojan into CBO's window and there's no result.

3. I drag&drop the old BO 1.2 there and it's recognised (also, is this a bug or a special "BO"Clean feature, why CBO asks me twice?)

4. I drag&drop Deep Throat 1 and it's also detected as MALWARE.

5. I also tried ****** (ask for) without results.

What's the problem here? Do cases 2 and 5 mean CBO can't save me from that malware? Can CBO save me if I actually run these threads in the memory?

Thanks in advance,

Geza Gabriel (nick: Arki)
« Last Edit: April 25, 2007, 01:23:10 PM by Arkangyal »

32bit XP Pro Hun SP3 NTFS, .NET 3.5, VB6SP6, Dx9c (Y08); Asrock mb., Intel 2,66GHz, Ati 1600 xt Pro 512MB, 2GB 400MHz DDR,  1280x1024[at]75Hz 32bit, realtek (built-in), belkin router (wi-fi). MSI Mega book, 64bit Vista Hun SP1, 2gb ram, wifi (n)
Little Mac (Global Moderator, Comodo's Hero)
« Reply #6 on: April 25, 2007, 12:41:23 PM »

As has been previously noted in another thread, Arkangyal, the drag&drop wasn't intended to be a public release feature (it escaped by accident).  They were using it in-house for some specific reason (I forget what) as part of their testing stuff.  It doesn't work the same way that the rest of it does, and shouldn't be used as an indicator of safety or danger.

Your results might be different if the malware was released onto the computer, to try to execute in memory.  Time to sandbox and see what happens, sounds like... ;)

LM

You read my sig block.  That's enough personal interaction for one day. Kewl
Arkangyal (Global Moderator, Comodo's Hero)
« Reply #7 on: April 25, 2007, 12:54:01 PM »

Hey LM, thanks for the info/answer! Sandbox solution then... but I'm afraid I haven't got good news :'( What shall be the next step?
Little Mac (Global Moderator, Comodo's Hero)
« Reply #8 on: April 25, 2007, 01:31:04 PM »

Quote from: Arkangyal
but i'm afraid i haven't got good news :'( What shall be the next step?

What do you mean? 

When I said it was time for a sandbox, I was referring to your question
Quote from: Arkangyal
Can CBO save me if i actually run these threads in the memory?
In other words, you will very likely get different results if you allow the malware to run (and I wouldn't allow it to run if it wasn't in some sort of virtual environment).

LM
Arkangyal (Global Moderator, Comodo's Hero)
« Reply #9 on: April 25, 2007, 01:36:42 PM »

For me, a sandbox is somehow equal to a test computer (I think it doesn't matter what'll happen if you simply reformat it). (Also, it's a simple, old trojan, which isn't infecting other computers.) So I ran the trojan and CBO didn't stop it: I only checked with Task Manager. Did I misunderstand something?
Little Mac (Global Moderator, Comodo's Hero)
« Reply #10 on: April 25, 2007, 01:42:43 PM »

Woopsies!  Maybe the trojan is so old all its teeth fell out and it needs a cane to help walk?  Or a wheelchair, and it's blind?

Is the trojan list in CBO fully updated?

LM
Arkangyal (Global Moderator, Comodo's Hero)
« Reply #11 on: April 25, 2007, 01:52:25 PM »

I've updated it today, I think that should be correct. Old? I wouldn't find any problem with your statement IF CBO wouldn't recognise the older Back Orifice v1.2 ;).
« Last Edit: April 25, 2007, 05:31:48 PM by Arkangyal »
Little Mac (Global Moderator, Comodo's Hero)
« Reply #12 on: April 25, 2007, 02:05:35 PM »

Quote from: Arkangyal
I've updated it today, i think that should be correct. Old? I would find any problem with your statement IF CBO wouldn't recognise the older Back Orifice v1.2 ;).
Ooh, that would be problematic, wouldn't it?! :D

Next question is, is the trojan in the list?
Arkangyal (Global Moderator, Comodo's Hero)
« Reply #13 on: April 25, 2007, 02:31:06 PM »

Correct me if I'm wrong, but CBO should stop the malware code by BEHAVIOR, whatever its kind. So I mean even if the trojan got a new version, CBO should recognise its malware behavior, no?
I had another test with a newer *** trojan, which isn't on the list (there's only 1 sub-version difference, so instead of 1.00, it's 1.01, etc.).
Little Mac (Global Moderator, Comodo's Hero)
« Reply #14 on: April 25, 2007, 02:47:08 PM »

No, you're wrong, so I must do as you request, and correct you... :)

CBO's not a behavior-blocker.  It works strictly from definitions.  The differences come in as far as where it looks for those malware (in memory only) and how (based on the "core" of the malware; the "naked" version).

Basically, rather than take time and resources to scan the filesystem, CBO monitors the memory, where a malware will be unpacked to execute.  This is where the other difference comes in.  I've seen the count of detectable malware (I don't remember the specific number) and it's huge; this is due to the way it sees the malware.

CBO is programmed to see malware as (Melih's term) a naked lady.  When she's all packaged up (with clothes on to disguise) she's not recognized; when she gets unpacked (undressed) to run, Wham! CBO knows who she is.  Basically (as I understand it), malware is able to evade detection by modern AVs due to the way they're packed.  At the core, the code is still the same.  This is why there's only some 24,000 definitions in CBO, but with detection in the multi 100,000 range.  Kevin has stated that there are very few "original" trojans written any more; they're all the same, just packed in new ways.  But the trojan still has to unpack to run; the instant it does, CBO pounces.  But the AV won't twitch coz it's all confused by the package.

Hope that helps clarify...

LM
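The memory-versus-file distinction that Melih (Reply #4) and Little Mac (Reply #14) describe, as an added Python illustration that is not Comodo's or BOClean's code: a toy XOR packer, a constructed "core" and a constructed memory definition, all hypothetical, show one definition matching every packed variant once it is unpacked in memory while a scanner matching the same bytes on disk sees none of them.

```python
import hashlib

# Constructed stand-in for the unpacked "core" of one trojan family.
CORE = b"TOY-TROJAN-CORE: open backdoor port; hide process; phone home"

# Constructed memory definition: a fixed byte sequence taken from the core.
MEMORY_DEFINITION = b"open backdoor port; hide process"


def pack(core: bytes, key: int) -> bytes:
    """Toy packer: a stub header, the key byte, then the core XORed with the key.
    Every key produces a different file on disk for the same core."""
    if not 0 < key < 256:
        raise ValueError("key must be a non-zero byte")
    return b"STUB" + bytes([key]) + bytes(b ^ key for b in core)


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: restore the core into process memory."""
    key = packed[4]
    return bytes(b ^ key for b in packed[5:])


def file_scanner_detects(packed_file: bytes) -> bool:
    """A file scanner matches the definition against what sits on disk."""
    return MEMORY_DEFINITION in packed_file


def memory_scanner_detects(packed_file: bytes) -> bool:
    """A memory scanner matches it against the image after the stub unpacked it."""
    return MEMORY_DEFINITION in unpack(packed_file)


def detection_summary(keys) -> dict:
    """Pack CORE once per key and count file-level vs memory-level hits."""
    files = [pack(CORE, k) for k in keys]
    distinct = len({hashlib.sha256(f).hexdigest() for f in files})
    return {
        "variants": distinct,
        "file_scanner_hits": sum(file_scanner_detects(f) for f in files),
        "memory_scanner_hits": sum(memory_scanner_detects(f) for f in files),
    }


if __name__ == "__main__":
    print(detection_summary(range(1, 51)))
    # A rewritten core is not in the definition list, so memory scanning misses it too.
    print(memory_scanner_detects(pack(b"a rewritten core with new code", 7)))
```

Packing a different core, as with the 1.01 sub-version Arkangyal tried, produces no memory hit either: the match is against a definition, not against behaviour.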