Comodo Forum » Desktop Security Products » Comodo BOClean Anti-Malware
Topic: Detection? (Read 7574 times)
VaMPiRiC_CRoW
« on: April 07, 2007, 06:38:28 AM »

Hi,

How is the BOClean detection of polymorphic viruses, potentially unwanted programs and scripts virus/malware?

Thanks
Kevin McAleavey
« Reply #1 on: April 07, 2007, 08:49:42 AM »

Smells like you're describing an antivirus there. Polymorphism has been a way of life since the 1990's, a reason why we didn't focus on file scanning like everybody else ... polymorphism MUST dissolve once something's loaded up in memory and BOClean exists because, if it's RUNNING, then your AV failed you in the first place and in memory, it's got to be thoroughly decoded or it will either crash or blue screen your box on you. That was always BOClean's "ace in the hole" as far as detection went but it's not what folks are used to. How many times do you want to scan those files and see "no virus detected?"

"Potentially Unwanted Programs" ("PUP") ... heh. What a cop out! No, they're NOT "potentially unwanted," I'd give that a layer of certainty!  (grin) BOClean has gone after MIRC because no one ELSE had the stones to do so. BOClean provides an EXCLUDER programme which is protected by individual system scrambling so that malware cannot sneak into that excluder. If you *WANT* to run anything "potentially unwanted" that was how we decided to deal with it after the "Netbus affair" (referred to elsewhere) as a solution. We'll DETECT it anyway - if you really WANT to make it "wanted" then just exclude it and tell BOClean you wanted it to run. Backwards I suppose from our competitors, but better to detect something "legitimate" that's often used by the ne'er-do-wells because nobody else detects it than to just let it happen silently. Same for a number of other otherwise legitimate things we detect. If YOU put it on there deliberately, then chances are you REMEMBER doing so and will check it and then allow it. But if you *didn't* put it on there, I'll bet an alarm would be appreciated.

And as to scripts? Nope ... we don't do those at all. Exploits and other tricks are merely a means to plant a payload. We go after THAT instead since the purpose of all that is to put something else on there. WE concentrate on the "else" ... EVERY AV out there is expected to handle those things and place hooks into this, that and the other. That's WHY they're multiple megs in size. BOClean was NEVER intended to be your "first line of defense" or substitute for an AV file scanner ... BOClean exists to back that up on things that might actually get past the "bouncers out front" and into your "personal space" ... so we limit the design to what it does in order to keep it from being yet another bloated "same old, same old."

Hope this helps ... hopefully some others can amplify on what I'm talking about here.
"I reject your reality and substitute my own." - (Adam Savage, "MYTHBUSTERS" TV show)
JWill
« Reply #2 on: April 07, 2007, 09:08:44 AM »

Now hopefully more people will understand why BOClean doesn't scan like an AV although you can drag and drop a file onto BC to get it scanned.
Kevin McAleavey
« Reply #3 on: April 07, 2007, 09:30:37 AM »

Not quite there either ... short little story behind that phenomenon is in order then ...

The "drag and drop" was NEVER intended to get out to the public in the first place, and we're actually going to start neglecting that bit out of necessity. Lemme explain ...

That "drag and drop" as well as a hidden "scan folders" bit that nobody's ever seen within BOClean was designed as part of a VERY special build of BOClean which was created for our own internal analysts when we had a full staff a couple of years ago as well as some of our "hard core" friends who looked for, found, tested and submitted things they gathered out there. It was designed to allow THEM to find "duplicates" and save us all the trouble of looking them over in the lab. That's ALL it was ever intended to do.

Back somewhere around 4.10 or 4.11, we accidentally left that capability inside the PUBLIC release and somebody "blabbed" when they found it working as it does when we'd NEVER intended to make that feature available to the public in the first place. But once "blabbed," we were kinda stuck LEAVING it in subsequent builds. And while it can be QUITE useful, any form of TRUSTED "drag and drop file detection" would require that the FILE scan detect variants to the same degree that BOClean will once run and that has NEVER been so. All that "drag and drop" does is spot an IDENTICAL variant of something we've seen and it will NOT detect something that's been repacked and encrypted. Anyone who's followed BOClean and knows my own philosophy on the utter uselessness of "scanning files" since the 1990's should know that we wouldn't have done something we never endorsed ...

But yeah, if you drag and drop a file and we've seen it before, THEN BOClean will detect it not as a variant or a confirmed nasty, but rather a DUPLICATE of something we've already done. Granted, there's more than plenty of THOSE out there ... but *DO NOT* trust that leftover function as anything to be trusted if it does NOT alarm on something ... just needed that to be clear lest anyone be disappointed if they get an "all clear" from that, then go and run a suspect file only to have BOClean biff it ...
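Kevin's two points above, that a repacked variant dissolves back to its real form once it runs in memory (reply #1) and that the leftover drag-and-drop scan only matches an identical duplicate (reply #3), as an added Python illustration that is not BOClean's code or anything posted in this thread; the signature, payload, XOR "packer" and keys are all constructed for the demo.

```python
import hashlib

# Constructed marker standing in for a detection signature (not a real BOClean pattern).
SIGNATURE = b"CONNECT irc.example.invalid 6667"
# Constructed sample body; not a real executable.
PAYLOAD = b"MZ toy sample: " + SIGNATURE + b" ; filler bytes for the demo"


def pack(payload: bytes, key: int) -> bytes:
    """Toy repacker: XOR every byte with a one-byte key. Each new key is a new 'variant'."""
    return bytes(b ^ key for b in payload)


def unpack(blob: bytes, key: int) -> bytes:
    """The sample's own unpacker stub, which has to run before the payload can execute."""
    return pack(blob, key)  # XOR is its own inverse


def file_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """On-disk scan: only ever sees the stored (packed) bytes."""
    return signature in blob


def memory_scan(blob: bytes, key: int, signature: bytes = SIGNATURE) -> bool:
    """In-memory scan: inspects the image after the unpacker stub has run."""
    return signature in unpack(blob, key)


def duplicate_check(blob: bytes, known_hashes: set) -> bool:
    """Exact-file hash match, i.e. what the thread says drag-and-drop does."""
    return hashlib.sha256(blob).hexdigest() in known_hashes


def demo() -> dict:
    seen = pack(PAYLOAD, 0x5A)  # variant already catalogued
    new = pack(PAYLOAD, 0x3C)   # same payload, repacked with a fresh key
    known = {hashlib.sha256(seen).hexdigest()}
    return {
        "file_scan_seen": file_scan(seen),       # packed bytes hide the signature
        "file_scan_new": file_scan(new),
        "dup_seen": duplicate_check(seen, known),  # identical file: caught
        "dup_new": duplicate_check(new, known),    # repacked: missed
        "mem_seen": memory_scan(seen, 0x5A),       # decoded in memory: caught
        "mem_new": memory_scan(new, 0x3C),         # decoded in memory: still caught
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```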
JWill
« Reply #4 on: April 07, 2007, 09:53:43 AM »

Ah, o.k. got it, thanks for clearing that one up.
Pedro*
« Reply #5 on: April 07, 2007, 12:50:38 PM »

> Smells like you're describing an antivirus there. Polymorphism has been a way of life since the 1990's, a reason why we didn't focus on file scanning like everybody else ... polymorphism MUST dissolve once something's loaded up in memory and BOClean exists because, if it's RUNNING, then your AV failed you in the first place and in memory, it's got to be thoroughly decoded or it will either crash or blue screen your box on you. That was always BOClean's "ace in the hole" as far as detection went but it's not what folks are used to. How many times do you want to scan those files and see "no virus detected?"

Thank you for the explanation. I understand what you wrote; my problem is understanding the process. What's different in memory concerning the file itself, etc.? Is there some good link where I can read what happens in the process you describe? That is, so I don't take much of your time (plus I don't mind reading and learning).

TIA if you find the time

EDIT: Welcome to the forum
VaMPiRiC_CRoW
« Reply #6 on: April 07, 2007, 02:06:40 PM »

Thanks for the good explanation, Kevin

Another question: does BOClean use some kind of scan optimization, like NOD32, KAV and some other AVs have, to only scan the same files again when they were modified or after a new signature update?

Thanks

P.S.: Kevin, you should be added to the Administrators group of this forum...
Pedro*
« Reply #7 on: April 07, 2007, 05:34:51 PM »

I think it will check everything every time it gets to memory.
VaMPiRiC_CRoW
« Reply #8 on: April 08, 2007, 06:53:54 PM »

> I think it will check everything every time it gets to memory.

If this is true, will it be possible to improve it?
Melih
« Reply #9 on: April 08, 2007, 08:47:21 PM »

> If this is true, will it be possible to improve it?

Sure it's possible to improve, 'cos nothing is perfect. However, the optimisation techniques used in the traditional AVs are somewhat different from BOClean's due to its architecture. Naturally, we will always look for ways to improve everything we have.

thanks
Melih

VaMPiRiC_CRoW
« Reply #10 on: April 09, 2007, 04:10:26 AM »

Yep, I know that you are always trying to improve your products and have resources for that...

But we always also want to read that from you...

Regards
Kevin McAleavey
« Reply #11 on: April 09, 2007, 04:54:12 AM »

Heh. As "BOClean father" (always got a kick out of Tataye referring to himself as "Beast father" and thus I just *had* to go there) there's lots of "guard programmes" added to numerous OTHER "file scanners" but reality is that all they do is notice a memory event and then scan the file, TRY to unpack it and if they fail, it runs. BOClean has ALWAYS, since its inception, ignored the file system entirely - that's the REASON why we never had anything more than a very rudimentary scanner whose sole purpose was to spot "duplicate submissions" for our analysts and NOTHING more beyond that.

I've made it a point to argue since the mid-1990's that file scanning is a waste of time, and that if you choose to do so, it's probably already too late. And again, also pointed out that there are just SO many ways of hiding nasties from file-scanning (even if triggered by a "memory scanner") that it's a complete waste of time. YES, BOClean will scan for well-known "fixed pattern" files as part of its design (that's why we ALSO spot things of "commercial malware design" since those DON'T change) but "variants" of the same old stuff have always been what's set us apart because a file sitting there on your system can do you no HARM unless it actually RUNS, and BOClean was designed to notice anything RUNNING and stop it cold and then "biff it" removing it from the file system.

But a file which might be a virus or other type of nasty that's just sitting there and doing NOTHING is no more dangerous than a red bag of medical waste in a proper quarantined, isolated safety container. BOClean's whole purpose is to be an ADJUNCT to your "scan my files, please" whatever and actually STOP anything which might actually be ACTIVE ... and over the years, we've REMOVED things which are actually detected by every antivirus known to humankind, especially when the WORST of them all finally got a clue ... for Nancy and me, it was ALWAYS about covering those things that weren't detected by others. Perfect example of this is MIRC variants, NIRSOFT utilities and a raft of others for which we'd been accused of "false-positiving" on ... our REASON for covering these was that they were the CORE COMPONENTS of many "pseudo-rootkits and bots" which were designed SOLELY on their "legitimate usage" and ignored by the others. After our "netbus" episode, BOClean begat a "protected EXCLUDER" for such situations. If you really INTENDED to run it, then you can manually exclude it in BOClean.

So our INTENT was never to be a "first line of defence" ... that's what any decent AV should be doing. OUR intent was to cover those things that would elude AV's and ALSO to detect those things that would have yet another "zero day" owing to obfuscation methods ... in MEMORY, all things are equal or they won't run at all in the first place. OUR design was to study the malware authors, pick up their UNIQUE traits and set a "tipping point" for BOClean so that WE could beat "zero hour" as often as was possible. That's what always set BOClean apart from any OTHER programme which had a "file scanner." If a "file scanner" missed the same submissions and pickups that every OTHER AV/AS/AT missed, why in heaven's name would *WE* find it either?

So we went with our OWN way of doing things ... worked pretty well over the years if WE were the ones who alarmed instead of something else who had a go at it before WE got a sniff.
VaMPiRiC_CRoW
« Reply #12 on: April 09, 2007, 05:07:44 AM »

Thanks for the explanation, Kevin
pepoluan
« Reply #13 on: April 09, 2007, 06:35:01 AM »

> Perfect example of this is MIRC variants, NIRSOFT utilities and a raft of others

You mean NIRSOFT utilities are malware planters??

Oh, and, LOL:

http://www.comodo.com/news/press_releases/01_04_07.html
All my TinyURL links are safe!
Kevin McAleavey
« Reply #14 on: April 09, 2007, 06:56:26 AM »

De nada! I've come to realize in the past few months how self-centered and clueless some people can be - PARTICULARLY those in this (ahem) "business" ... Nancy and I failed the business because we just couldn't attain the whole "P.T. Barnum" quality of "showmanship" ... I'm a simple tekkie, I just do the obvious, code it up and put it out. Nancy wanted to be sure everybody was happy. We were never good at "sales" or perhaps PSC wouldn't have needed to fold in the first place.

But that all said, I'm *relieved* as is Nancy that we didn't have to end up the same way as one of our very closest FRIENDS who happened to be a competitor. At least BOCLEAN and all we made it will live in someone else's hands, true to the honor and requirements it delivered as well as designed to be SMALL and a BACKUP to an AV ... we've ALWAYS been trapped in other people's stereotypical expectations of what a "security program" should be, as based on the trade rags, clueless reviewers with their OWN expectations and limitations ... we never got a fair shake. And whenever somebody TESTED us, it was always tested in terms of the expectations of "yet another scanner" and thus we did poorly as a direct result of the expectations and NOT the results. There's NO room for something that doesn't fit the old 1980's "file scanner" mindset and sadly, I've seen the SAME old mindset in a couple of other threads here as well as far as the same old tired "rulesets." Sheesh.

I'd say something about comparing BOClean to the difference between the APOLLO space capsule and the SHUTTLE ... but alas, SHUTTLE finished, FUTURE is the APOLLO spacecraft design. Everything OLD is new again. As an engineer type I s'pose I'm just too old to remember when the word "PROGRESS" was synonymous with "IMPROVEMENT" but I digress.

But hey! 1980's! GOGO's! Billy Idol! Talking Heads! Great music, poor excuse for security in the 21st Century. Well ... PSC's competitors, particularly Microsoft, put PSC out of business. And ***ONLY*** COMODO took a REAL look at what we did with BOClean and said, "At FIRST glance, we were worried that integrating BOClean into OUR stuff would be impossible." THEN they actually paid ATTENTION and realised it would be EASY, and met COMODO's "corporate religion" which meshed with ours ... seems our code wasn't so hard to fathom (or port) as the peddlers of 1980's technologies believed. At last to COMODO and MELIH who looked it over, studied it and said "works! actually works pretty well and *I* understand what Kevin and Nancy did here"  ... and so the BLESSING of continued living ... and the space for IMPROVEMENT! W00h00!