Bo clean

Seems like this is not the greatest tool on earth…
…this is what VirusTotal says about ComboFix:

http://img296.imageshack.us/img296/8827/combofixscaniv8.png

Whereas Sophos says that it is just a (powerful) application that may do harm if used incorrectly.
http://www.sophos.com/virusinfo/analyses/nircmd.html

So perhaps Combofix is clean but detected by the heuristics as dangerous? I’m getting mystified slowly but steadily :slight_smile:

Nirsoft detection is not a FP … NirSoft was once known as “PROAGENT” and were in the trojan-making business for quite some time. Under PSC, BOClean covered Nirsoft stuff in the past only to be yelled and whined at and ultimately removing most of those detects. This time though, we need to detect all of Nirsoft’s stuff as a result of this …

http://www.hak5.org/wiki/Switchblade_Packages

… and a number of others now where the Nirsoft stuff is actively being used to compromise systems as few antiviruses detected any of this. COMODO has carried on the tradition though as a result of the problematic designs of Nirsoft’s stuff even though it can be useful in the hands of “white hats.” The issue isn’t just legitimate use of it, it’s the fact that it has been contained in SO many “pseudo rootkits” and worse and so the decision a long time ago was “detect it” rather than not.

In those situations where you’ve deliberately installed this stuff, you can always use the BOClean excluder to tell BOClean that you know it’s there and you actually want it to be there. This gives us a legal “out” in that any unauthorized installation of these utilities is detected and you can always tell BOClean “I know, I’ll take my chances, it’s useful to me.” But that’s why it’s detected … coders can always write their own “clean code” and not “borrow” code from others when they don’t know HOW to write their own code … but if Nircmd is in there, rest assured that whoever wrote that code had to “borrow.” :slight_smile:

Thank you Kevin for clearing things up.
So the origin of this utility is NirCmd - Windows command line tool and the program itself is not harmful or malware. But it has been abused by malware writers and therefore it gets detected. Due to that reason I shouldn’t mind Combofix using it as Combofix is just doing advanced cleaning operations using Nircmd. Abusing it in a positive way so to say. That would make Combofix a clean, “honest” application.
Did I understand the matter right?

I don’t know if Kevin thinks so… But I do know a few that recommend and use it for the latest vundo variants… CalamityJane, LoPhatPhuud, TheJoker… Me… I could extend this list quite a bit… but there isn’t any point… None of us would cause harm… That is our first mission!!!

As I don’t know any of those persons mentioned: Are those knowledgeable guys over at wilders security?

Those guys… (some of the most respected on the net) are well known at wilders, spywareinfo, dslreports and many other malware removal forums…

here at wilders http://www.wilderssecurity.com/member.php?u=1400 (CalamityJane)
http://www.wilderssecurity.com/member.php?u=5150 (LoPhatPhuud)
http://www.wilderssecurity.com/member.php?u=24857 (miekiemoes)

I can list a few more if you really want…

You can visit both dslreports security cleanup or spywareinfo’s forums to see it in action on a pot full of occasions…

ALL of the people “Cajun” mentions are very well-respected people in this “field” … simple answer to the question is that if YOU put it there, YOU can attest that you MEANT to put it there, and you know what it does, then just EXCLUDE it in BOClean. ONLY reason why we detect any of that is simply BECAUSE it is a common denominator to “pseudo-rootkits” whose whole “cause of being” is to use “legitimate applications KNOWN to raise false positives and thus we’d better NOT detect their presence.” Such “pseudo-rootkits” depend GREATLY upon such “utilities” which are poorly designed from a security standpoint and thus are frequently exploited by “ne’er-do-wells.”

But if BOClean detects a nasty that you INSIST on using … well … you can EXCLUDE it and make BOClean ignore it … if you WANT to …

Oh… and Kevin… I agree you should detect it… Because you are right there are countless ways to misuse that tool… (Combofix was pulled for a time due to one of those misuses, and until a fix was done to make that misuse less plausible…)

Thanks

Hope you listen to that individual over in the 4.24 thread and not release until after the weekend… You deserve one… (a weekend that is…) (:CLP)

Yes I want BoClean to detect that, too. I myself handle those cases now in such a way that I open the BoClean menu (to deactivate it temporarily) and then execute the program.

Regarding BoClean, I wished there was some kind of a “traffic light” indicator in BoClean’s notification dialog that would differentiate between “is sometimes abused by malware, but is in itself not a dangerous file” (yellow) and “actual malware file that causes immediate damage” (red). That would have made me first gather more information about Nircmd before I think I’m actually infected. Usually I think that if BoClean catches something it must be malware (which is obviously not always the case as seen with Nircmd).

I have to admit that for Average Joe this may be misleading and too much information s/he can’t handle, but as an advanced option it’d be fine. Would probably need re-classification of all 27000 malware types, though…

I hope I could make myself clear… English is not my mother tongue.
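The “traffic light” triage and the hash-keyed exclusion described in the posts above, as an added example (not BOClean’s code and not code from anyone in this thread). The signature names, the file bytes and the exclusion entry are constructed for illustration; the three colour tiers and the family names in DUAL_USE_FAMILIES are assumptions, not any product’s real taxonomy.

```python
"""Triage scanner detections into green / yellow / red.

Added example: not BOClean code and not the forum's code. Signature names,
file contents and hashes below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    path: str        # where the flagged file was found
    signature: str   # scanner's label, e.g. "HackTool.NirCmd" (constructed)
    sha256: str      # hex digest of the flagged file's contents


def fingerprint(data: bytes) -> str:
    """SHA-256 of file contents; exclusions are keyed on this, not on the name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of a tool the operator installed deliberately.
KNOWN_GOOD_TOOL_BYTES = b"constructed stand-in for nircmd.exe"

# Operator-maintained exclusion list ("I know it's there and I want it there").
# Keyed by hash so a renamed or modified copy does not inherit the exclusion.
EXCLUSIONS = {
    fingerprint(KNOWN_GOOD_TOOL_BYTES): "nircmd.exe shipped with ComboFix; installed by me",
}

# Signature families that denote dual-use tools rather than malware proper.
# Family names are assumptions for this example, not a product's taxonomy.
DUAL_USE_FAMILIES = {"HackTool", "Riskware", "PUA"}


def triage(det: Detection, exclusions=EXCLUSIONS):
    """Return (light, explanation).

    green  - the exact file was approved by the operator
    yellow - dual-use tool: legitimate software that malware also bundles
    red    - anything else the scanner flags; treat as an actual infection
    """
    if det.sha256 in exclusions:
        return "green", f"excluded: {exclusions[det.sha256]}"
    family = det.signature.split(".", 1)[0]
    if family in DUAL_USE_FAMILIES:
        return "yellow", (f"{det.signature} at {det.path}: dual-use tool; "
                          "confirm you put it there before excluding it")
    return "red", f"{det.signature} at {det.path}: treat as malware"


def demo():
    """Run three constructed events through triage and return their lights."""
    good = fingerprint(KNOWN_GOOD_TOOL_BYTES)
    tampered = fingerprint(KNOWN_GOOD_TOOL_BYTES + b"\x00")  # one byte differs
    events = [
        Detection(r"C:\ComboFix\nircmd.exe", "HackTool.NirCmd", good),
        Detection(r"C:\Windows\Temp\nircmd.exe", "HackTool.NirCmd", tampered),
        Detection(r"C:\Windows\system32\svchost2.exe", "Trojan.Vundo", "deadbeef" * 8),
    ]
    return [triage(e)[0] for e in events]


if __name__ == "__main__":
    for light in demo():
        print(light)
```

The point of keying the exclusion on the file hash rather than the file name is the caveat the thread circles around: the same nircmd.exe that ComboFix ships can turn up elsewhere inside a “pseudo-rootkit” bundle, and a name-based exclusion would silence that copy too. In the demo the tampered copy in C:\Windows\Temp stays yellow even though its name matches the approved tool.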

That “individual” is still a human being :slight_smile: Maybe with a red nose, but also with a name :wink:

Greetz, Red.

Sorry Rednose but… I’m an old man with a short memory… and between the time I read your post and posted this one… well I was doing great to remember that someone posted it at all… :wink:

I have been informed to ditch comodo firewall & bo clean along with my avast anti virus as they are iffy at best! Then replace them with all avg freeware & Windows XP firewall. What do others think?

Oh my gosh! I think your “informant” has been smokin’ something they shouldn’t be… Certainly nothing wrong with AVG in general, but nothing wrong with Avast, either (IMO, Avast may be the better AV).

As for the Firewall, well, I’ll let the test results speak to that: About halfway down the page here, you’ll see the overall test results; Windows scores “0” because, if you look up at the actual leaktests performed, it failed EVERY SINGLE ONE!!! Comodo on the other hand, is top dog. Okay, so leaktests aren’t everything to a firewall; malware shouldn’t be able to terminate it (turn it off, disable it) very easily either. Not sure how WinFW would fare there, but you can see that Comodo came in 3rd… firewallleaktester.com - and that’s with an old version, not the current one! Doesn’t look like the results of an “iffy” product to me.

As for BOClean, well, that puppy has been given a bad rap by many who don’t understand the idea of how it works. They want a traditional file scanner, never mind if there’s something that works better. Look to your own experience there - you indicated in your first post in this thread that it stopped 4 trojans for you. That was BOClean, not some other software. It was doing its job and apparently doing it well.

In the end, you’ve got to ask yourself a few questions… Do I trust this person (who told you to switch) implicitly? Are they qualified to advise on computer security? What are the possible motivations or gain for them telling me to switch? Why would they want me to switch? (as 2nd part of the previous question) Is there a viable reason for me to switch? And perhaps most importantly, Do I want to switch, or am I happy/confident with what I have?

Your computer security is your decision. I use a different layout than many others, and I have my reasons for doing so. I have used different layouts on different computers, and I have my reasons. I do not, however, tell others to do what I do (as far as specific software); it’s really kind of a personal deal, IMO. Personally, I think that CBO and CFP are two very good, cutting edge applications that do their jobs very well; but they’re not for everyone.

Hope that helps you,

LM

LOL

Melih

Yeah everyone likes their own solutions. I was just asking him, do I need extra security?

Lol :slight_smile:

But serious : I don’t think that there is any discussion possible about CPF and CBOC. But if you want to try a different AV, I would rather go for Antivir than for AVG :slight_smile:

Greetz, Red.

Might want to take a look at this as far as AV is concerned, Comodo not here but they probably didn’t test it,

http://www.av-comparatives.org/seiten/ergebnisse_2007_02.php

and of course these tests are for the retail versions

Another list of av’s compared are done here. www.virus.gr

Windows Firewall

Windows firewall is not recommended. It doesn’t block everything that may try to get in, it doesn’t block anything at all outbound, and the entire firewall is written to the registry.
Since most malware accesses the registry and can disable the Windows firewall, it’s preferable to install one of the suggested firewalls.

Free Firewalls

The two below are amongst the most popular now:

- Comodo — This is the one I am using…
- Zone Alarm

Tutorial about Firewalls can be found here
You can choose a free firewall from here