A few questions about BOClean... [resolved]

Hello guys!
I’m new here and I think this forum is really interesting.

My questions are:

  1. How big is BOClean’s signature base?
  2. How effective is that program at detecting and removing infections? Is it as good as SAS or MBAM? Have you got any tests of it?
  3. I don’t understand why it doesn’t have a manual scanner. Maybe I was blind when I installed the program, but I didn’t see any scanner in the program’s menu. Is there only a real-time scanner?

PS. Sorry for my English :wink: I’m a beginner and I’m learning it. K.

Hello, Welcome to the forums

I will answer the questions as best I can.

When you open BOClean you can click a tab to see the nasties it detects. I THINK, if I remember correctly, it’s something like 70,000 unique samples (not including their variants), so it is rather large…

Because BOClean scans the memory it can terminate and remove threats effectively. It does have a manual scanner: open BOClean and drag and drop a file you wish to have scanned.

In the future BOClean will be integrated into CIS, but first they must reduce the resource usage by a lot.

ehm (:NRD)
let me explain why we still need BOClean.
File scanners can only detect fixed patterns and if the malware has been compressed, encrypted or modified, it cannot be detected by pattern matches since it will no longer match the pattern and will thus elude detection. BOClean watches memory, registry, and the file system waiting for malware to load up and then shuts it down before they have a chance to operate.
Think of your antivirus as a burglar alarm. BOClean is a motion detector.
(I am so kewl!) O0

I copied it from the download page (:TNG)

70,000 is not bad, but it doesn’t make a big impression on me, because for example Spyware Doctor has about 800,000 and Ashampoo Antispyware 2 nearly 1,500,000 samples.

It does have a manual scanner: open BOClean and drag and drop a file you wish to have scanned.

Oh, in this way…

In the future BOClean will be integrated into CIS, but first they must reduce the resource usage by a lot.

Thx for the information. I’m waiting impatiently for it.

… but some of the good antiviruses can detect malware that has been compressed or modified, because they use good heuristic detection (Avira, Nod32), so do I need BOClean if I use Avira?
OK, you wrote that “BOClean watches memory, registry, and the file system waiting for malware to load up and then shuts it down before they have a chance to operate”, but antiviruses scan memory, the registry or the hosts file when the system starts. This seems very similar to me. Hmm, where is BOClean’s exceptionality?

Maybe I’m grouching about this, but I’m a little sceptical about its efficacy (only 70,000 samples) and I’m not convinced that it’s necessary when I use Avira…

By the way, I’m very happy with Comodo Firewall, and now I’m testing CIS and I notice that it doesn’t automatically update the virus database. Does it only automatically update the virus database before scanning? And I don’t see any possibility of changing the heuristic level there, if that’s possible.

A couple of things…

Firstly, CIS DOES have automatic virus signature updates and by default checks for virus signature updates before it scans.

Secondly, BOClean’s signature base is not the same as your general antivirus or antimalware virus database. It has over 70,000 unique signatures; a huge number of new viruses and spyware are variations or mutations of a particular virus. No matter what variation or mutation of a known unique virus signature it is, BOClean will detect it. So even though it only has 70K signatures, it detects over 1,000,000 (1 million) viruses.

Eric

If I understand correctly, it looks like commercial antispyware or antivirus vendors advertise their products as better because they don’t announce only unique signatures, but all their variations and mutations. If that is the truth, I’m coming to like BOClean.

Thanks, Eric, for the answers. You dispelled my doubts about BOClean and CIS.

Piotrek

From what I’ve heard & asked before, BOClean is designed to catch the malware IF your primary AV/AS failed. It stays & watches your PC memory. Scanning/heuristics etc. is your AV/AS’s job. But once your system’s compromised & the malware file is already on your comp, BOClean watches your memory & kicks the malware when it tries to execute. >:-D

OK, I understand that BOClean is something different from ordinary antimalware. I previously had doubts about BOClean’s effectiveness, since it has only 70,000 samples, and so I didn’t believe in its skills… I’ve just installed BOClean and I intend to check its skills in practice. This is probably the best way to get to like it.

Thx for the explanation :■■■■

BOClean will not detect things like the EICAR test file because it does not execute.

Yeah yeah 88) he’s gonna try it 88) no need for more lecture for now ;D

Howdy! BOClean’s been around for 10 years now, and once upon a time we actually counted the number of samples “covered” by BOClean based on all the nasties that have passed through our fingers ever since 1998. We stopped counting those stats somewhere on the order of about 5 million or so. If I were to venture a guess, we’d now stand somewhere around 8 million “variants” as we called them back then since the vast majority of “NEW” malwares are nothing more than repacks or modifications of the 65,000+ or so “unique” items … we didn’t count “variants” simply because their bases were already detected.

Wonder if we can convince COMODO to spout impressive large numbers to testify to our “Kung Fu?” Nah … Melih wouldn’t go for it … we believe in honesty here and BOClean was one of the very first “Anti-Trojan” programs out there. It was once just US and the Otis-Vigil brothers who made a thing called “The Cleaner” since the first “trojans” were originally designed to mess up machines (they were poorly written) or to allow such nifty tricks as remotely opening and closing your CDROM drawer or crash your system. That’s how it was back then.

BOClean in its very first incarnation was given away by us for free, but as time went on more and more malware appeared on the scene and keeping up with it got VERY expensive. We had no choice but to charge for all the work we had to do in order to maintain it. :frowning:

So nowadays, the rest of the AV and AT/AS “industry” charges, and then hits you up for a subscription in order to defray their costs (which are actually tremendous) and superlatives and “numbers games” are a critical part of separating you from your money so they can sell you their “cures.” Here at COMODO however, BOClean is once again FREE simply because COMODO is committed to the “internet community” and its well-being. So looks like we don’t have to do a whole lot of “horn-trumpeting” like the “vendors” have to do in order to convince you to buy their wares. Maybe it’d be different if we had to SELL BOClean instead of giving it away for free. :slight_smile:

But yeah, we’re as good as we’ve always been, and even BETTER at it now since there’s a large number of folks in the lab keeping it up to date now, a luxury we could barely afford to maintain a couple of years ago when COMODO came along and took up the cause of BOClean’s continuing existence … and then gave me some incredibly skilled and talented analysts to ensure that we keep up with it. BOClean is in better shape than it’s EVER been as a result of COMODO’s commitment to what we do!

Comodo says that BOClean protects against keyloggers, but I have tested it and BOClean didn’t pass the Anti-Keylogger Test (:SAD)

The link to the tester is here ->> firewallleaktester.com

Hi k4ll1 :slight_smile:

Of course BOClean doesn’t pass that test, and it never will :wink: That is because that test simulates different methods that already-installed keyloggers use to steal information, so you can test whether your firewall and/or HIPS is protecting you against that.

But BOClean is a real time memory scanner that protects against the installation of keyloggers that are in its signature database :slight_smile:

Greetz, Red.

Hi Red.

It’s odd to me… Does BOClean scan all started applications? You wrote “BOClean is a real-time memory scanner”, OK. So for example when I start any keylogger, BOC should scan the keylogger’s process, because it is in memory. I think when BOC has it in its signature base it should react. If it is otherwise and BOC doesn’t detect keyloggers in the case when they are working, then it’s a bad and nonsensical solution in my opinion.
I know that HIPS should detect it, but now I’m taking only BOClean into consideration and I don’t understand why it doesn’t use its capability in that case.

Hi k4ll1 :slight_smile:

BOClean scans the memory for keyloggers/malware executables so that they can’t run. The reason BOClean works this way is that malware executables are sometimes very hard to detect because they are packed and/or obfuscated, but they have to reveal themselves when they load into memory to be executed.

Greetz, Red.
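The packing argument made earlier in this thread (a file scanner matches fixed patterns that a packed or encrypted file no longer exposes, while a memory scanner sees the unpacked code at load time) together with the "one unique signature covers many variants" point, illustrated as an added Python example that is not BOClean's code or anything posted in this thread; the packer (zlib compression), the signature and the sample are all constructed stand-ins.

```python
import hashlib
import zlib

# Constructed sample signature: stands in for one "unique" entry in a memory
# scanner's database. Purely illustrative, not a real detection string.
SIGNATURE = b"CONSTRUCTED-DEMO-PATTERN"
# Constructed "base" sample that carries the pattern in the clear.
BASE_SAMPLE = b"demo-header\x00" + SIGNATURE + b"\x00demo-code"


def pack(payload: bytes, variant: int) -> bytes:
    """Simulate a runtime packer producing one 'variant' per repack: a different
    stub prefix and compression level, so the on-disk bytes differ each time and
    the clear-text pattern is no longer present in the file image."""
    stub = b"STUB-v%d:" % variant
    return stub + zlib.compress(payload, (variant % 9) + 1)


def load_into_memory(image: bytes) -> bytes:
    """Simulate what the packer stub does at load time: decompress the body so
    the original code can execute. This is the moment a memory scanner sees."""
    body_start = image.index(b":") + 1
    return zlib.decompress(image[body_start:])


def pattern_match(data: bytes, signatures) -> bool:
    """Fixed-pattern scan, applied to whatever bytes it is handed."""
    return any(sig in data for sig in signatures)


def compare_detection(num_variants: int = 5) -> dict:
    """Scan each repacked variant twice: as stored on disk (file scanner view)
    and after unpacking (memory scanner view). Also count distinct on-disk
    hashes: a hash-per-variant list needs one entry per repack, while a single
    pattern covers all of them once they are unpacked in memory."""
    sigs = [SIGNATURE]
    file_hits = memory_hits = 0
    disk_hashes = set()
    for v in range(num_variants):
        on_disk = pack(BASE_SAMPLE, v)
        disk_hashes.add(hashlib.sha256(on_disk).hexdigest())
        file_hits += pattern_match(on_disk, sigs)
        memory_hits += pattern_match(load_into_memory(on_disk), sigs)
    return {"variants": num_variants, "distinct_disk_hashes": len(disk_hashes),
            "file_scan_hits": file_hits, "memory_scan_hits": memory_hits}


if __name__ == "__main__":
    print(compare_detection())
```

Each repack yields a different file hash and zero on-disk pattern hits, yet every variant matches the single pattern once unpacked; this is also why a sample that never executes (as with the EICAR file mentioned later in the thread) is never seen by such a scanner.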

The reason BOClean works this way is that malware executables are sometimes very hard to detect because they are packed and/or obfuscated, but they have to reveal themselves when they load into memory to be executed.

But the tester hasn’t been packed or obfuscated, so I think it was simple to detect. I don’t see a difference between a keylogger that is working and a keylogger that has been executed, because they have the same code, and the keylogger in both cases is in the memory that is scanned by BOClean. Maybe I’m a nitpicker, but I think it’s odd.

I would just like to point out that this is a TEST and not a real threat. This test is aimed against “anti-loggers and HIPS software”.

BOClean is aimed against real-world threats, not at passing these tests. If you are familiar with a virtual environment / have a spare machine then you could try BOClean against real threats.

See how antimalware programs face up against this test.
http://www.virustotal.com/analisis/d124fb338f1e43288554592734de950d

Some trojans include keylogging functionality that can steal confidential information you are typing. To fight this threat, many HIPS software, and also dedicated anti-keylogger software, now provide anti-keylogger features. However, there are many ways to monitor the keyboard, and few HIPS cover them all.

OK. Your answer satisfies me about BOClean. I would like to add that Comodo AV detected the keylogger in AKLT.exe and Comodo’s HIPS passed the test. But I’m not certain that it’ll protect me, because it asks so often and it sometimes happens that I thoughtlessly accept its questions.

I’ll try BOClean against real threats on Returnil Virtual System.

How do you protect against keyloggers? Do you have an effective solution?

Well… Comodo’s Defense+ is really strong; if you stick with it for a little while you will very rarely get pop-ups, and you’ll have bulletproof protection. Other alternatives to AVs would be virtualization, such as Returnil, or application sandboxing such as Sandboxie (I use Sandboxie and CIS). You could also try GeSWall… there are a lot of programs.

Really though, in the real world if you’re a normal surfer and don’t click everything you see you should be fine.
My personal thoughts are that you should stick with CIS and get familiar with it; after a short while you shouldn’t get pop-ups at all once everything is learnt, and you’ll have very strong protection, and if anything ever does go wrong you know that the support forums are very active.

https://forums.comodo.com/defense_guides/setting_up_defense_for_maximum_security-t30473.0.html

Nice tutorials (also “Setting up Firewall for maximum Security”), good job! Thanks for all.