BOClean has a serious flaw?

I used to be much impressed with BOClean until I tried it. The day I learned that I could try it for free, I downloaded it and tried it against some malware files.

I have many disappointments/concerns about it, but the most important one I will discuss here. Off and on I install antivirus for some of my friends, co-workers, etc., and I am thinking of adding it along with Avast (ThreatFire is another option, but the users are actually dummies, so BOClean with silent mode might be a better option).

This bug I have seen since the very first free version of BOClean, and it seems to be still present; it seems a very serious flaw in BOClean's protection. Using XP SP2, whenever I launch some malware files to test them against BOClean, BOClean off and on crashes while attempting to clean the infected file (the crash happens only during file removal). Say I run a malware xyz.exe: BOClean detects it, kills its process, and I get the message asking whether I want to remove the file also. When I say yes, that is when BOClean crashes and I get the message about it. I have to restart BOClean each time.

I noticed that this crash is rather frequent. Recently I tried 6 malware files and got this crash about twice. Also I noticed that the crash is more frequent with complex malware (that copies exes and dlls here and there, changes the registry more, installs global hooks, etc.) than with simple malware (like a downloader that just executes and tries to connect out).

I don't want to flare up any Comodo/BOClean fans, but it's a serious bug that renders BOClean's protection almost useless.

Ordinary users might not notice this bug, as they might not come across malware except once or twice. It seems very easy to reproduce. Just run about 5 to 10 malware samples and, when BOClean gives the prompt to clean the file also, say yes. You will see BOClean crashing (unless my findings are wrong or there is some conflict on my system).


http://img84.imageshack.us/img84/3599/cfphc2.th.jpg

Can you please post an extract from your Windows System and Event logs that shows the pertinent details of the crashes?

I’m sure Kevin and the dev. team will be interested.

TIA
Ewen :slight_smile:

Thanks for the reply.
I am not using BOClean, as I posted. I tested it because I wanted to put it on for some of my friends who are not computer savvy at all.

However, the problem is very easy to reproduce. I have seen posts from other users who have seen such behavior. I wish that you would try to reproduce it in the same way I posted.

If you can't reproduce it, I can install it again, reproduce the problem and send you the logs etc.

Thanks
Take care
all the best

What other security programs are running in real time? Do you have Comodo's "Memory Guardian" installed? That seems to cause problems with BOC, if you do have it installed...

I think you should contact Comodo's support about this... maybe someone at Comodo will try running some tests to see if they see the same problem...

I tried (30 samples) and it doesn't go pear-shaped on my system. Can you please reinstall and go through the loops again?

Many thanks for your assistance and persistence.

Much appreciated.
Ewen :slight_smile:

Ok, will do, but please give me a few days.

Also, can you tell me in detail all the logs/files etc. you want, as I will test it under ShadowSurfer and once I reboot my PC after testing, all info will be gone.

Thanks

May I ask what ShadowSurfer is?
Is this a VM environment?
CBOC needs to be tested on real Windows installations in order to accurately determine how it will react.

http://www.storagecraft.com/products/ShadowSurfer/

I agree with you but I have no test PC.

Running EQsecure, NeoavaGuard and GesWall.
No Memory Guardian.

Previously posted
https://forums.comodo.com/comodo_boclean_antimalware/boclean_shuts_down_everytime_it_blocks_a_trojan-t10720.0.html

No response at that time.
Now?

If you agree, why the declaration of “serious flaw”? :-
This page seems to indicate it is a virtual machine, no?
As has been posted previously, CBO cannot be accurately tested in a virtual environment.

Five,
I was out of town when that was posted and missed it…
Seeing the pup trolling it, I doubt any other members were inclined to help as well.
If you ever have an issue with installing, de-installing, error codes, compatibility, etc. using a Comodo product or service, we encourage you to submit a support ticket for official support.
The forums are primarily a community support resource.

What makes you think that it's a declaration? There is a very clear question mark (?) in the thread title.

A sort of!

Never knew this. VMs are commonly used to test software.

Also, there are other users who have reported seeing such a pop-up; they can't all be running it on a VM.

My apologies, it was a question.

A sort of! Never knew this. VMs are commonly used to test software.

Yes they are, that’s how I found out about it.
A U.S. based ISP was testing BOC for use in their “walled garden” when they ran into this.

Ok, I will try to test it on a real system, but I will need some days, as I will have to prepare a backup image and then try it.

Hi, what logs/details exactly should I send?

Thanks

If you click START - RUN and type in COMPMGMT.MSC, this will run the Computer Management application. In this window, click the PLUS sign next to SYSTEM TOOLS and then click the PLUS sign next to EVENT VIEWER. This should expose three options: Application, System and Security. Select one of these, click the ACTION menu and select "Save log as". Give it a meaningful name and repeat the steps for the two other logs.

Ewen :slight_smile:

P.S. You’ll need to go through the resulting log files and remove any personally identifiable info and any entries that aren’t relevant to the issue.
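The export-and-redact steps above, as an added example that is not part of the original post or of any Comodo tool. It uses the classic Get-EventLog cmdlet of Windows PowerShell; the match pattern "BOC", the seven-day window and the output folder are assumptions to change as needed. Entries from source "Application Error" are kept because that is where Windows records user-mode crashes, whatever the product name in the message.

```powershell
# Added example: pull crash-related entries from the Application and System
# logs and scrub obvious identifiers before sharing them on a forum.
# Assumptions: Windows PowerShell with Get-EventLog; 'BOC' is taken to match
# BOClean's process/service names; output path and time window are arbitrary.
param(
    [string]$Pattern = 'BOC',
    [int]$Days = 7,
    [string]$OutDir = "$env:USERPROFILE\Desktop\boclean-logs"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$since = (Get-Date).AddDays(-$Days)

foreach ($log in 'Application', 'System') {
    Get-EventLog -LogName $log -After $since -EntryType Error, Warning |
        Where-Object {
            # "Application Error" (Event ID 1000) is where user-mode crashes land;
            # also keep any warning/error that names the product.
            $_.Source -eq 'Application Error' -or $_.Message -match $Pattern
        } |
        ForEach-Object {
            $msg = $_.Message
            # Redact the account name and profile path before the log leaves the machine.
            $msg = $msg -replace [regex]::Escape($env:USERNAME), '<user>'
            $msg = $msg -replace [regex]::Escape($env:USERPROFILE), '<profile>'
            [pscustomobject]@{
                Log     = $log
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Source  = $_.Source
                Message = $msg
            }
        } |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$log.csv")
}
```

Read the CSVs over before attaching them: the pattern filter keeps entries that mention the product, but anything else in the message body (other users' names, hostnames, full paths) is not touched by the two replacements and still needs a manual pass.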

Ok, thanks. Will do in a few days.

OK, here is my testing, done on a real system, XP Home SP2.
I installed the latest version of BOClean, updated it and used the settings as shown in the picture.

I used only three malware samples:

1- Trojan Click.Agent.fq.exe (labelled as CRACKSERVER MALWARE by BOClean)
2- Trojandroper.Delf.xa.exe or Browsezilla (labelled as ZILLA MALWARE by BOClean)
3- Trojan Agent.XY (labelled as TROJ-AGENT.EI VARIANT by BOClean)

I executed all files one by one. The first two malwares were killed on execution, but the files were not deleted.
On execution of the third malware, the malware process was killed, but BOClean crashed with the same error message.
I repeated execution of these malware samples and got the same results.

Then I removed the option for Unattended Cleanup and Removal from the configuration and again executed the malware samples. The first malware process was killed; I opted to delete the file, but the file was not deleted. The 2nd trojan was killed and the file removed OK. Third malware: BOClean killed the malware process and asked if I wanted to delete the file as well. I said OK, and BOClean gave a popup that the malware file is locked and asked me to reboot as early as possible. I said OK and BOClean crashed at the same time. I started BOClean again and rebooted. On reboot the first malware file was deleted (it was not deleted when I executed the malware), but the 3rd trojan file remained there. BOClean however stopped some copies of this third malware from executing (from system32 and the Windows startup folder). That seems another failure; it seems that the malware was able to bypass BOClean and make its copies on my system.

I have uploaded three samples here.

The BOClean log and system events log are also attached.

Thanks

Edit: Uploading malware here is against the TOS!
Please think of the safety of others when you post.
Malware attachment removed after grabbing a copy.
Thanks,
~cat~

[attachment deleted by admin]
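A check a tester can run between the "file is locked, reboot as early as possible" prompt and the reboot, as an added example that is not from the thread or from Comodo. Windows queues deferred deletes and renames in the REG_MULTI_SZ value PendingFileRenameOperations under Session Manager; this example only reads that list and does not assume BOClean used that mechanism, which the thread does not state. If the sample's path is absent from the list, no reboot-time delete was registered, and comparing the list against the sample paths in the post shows which of the three (first file deleted on reboot, third not) was actually queued.

```powershell
# Added example: list files Windows will delete or rename at the next reboot.
# Assumption: the product registered its deferred delete through the standard
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) path, which is what writes this value.
function Get-PendingFileOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }

    # Entries come in source/destination pairs. An empty destination means
    # "delete"; a leading "!" on the destination means "replace existing".
    # Paths carry the \??\ NT namespace prefix, stripped here for readability.
    $ops = @()
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = $raw[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $raw.Count) {
            $dst = $raw[$i + 1] -replace '^!?\\\?\?\\', ''
        }
        $ops += [pscustomobject]@{
            Source = $src
            Action = if ($dst) { "rename to $dst" } else { 'delete' }
        }
    }
    return $ops
}

function Test-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $true if the given file is queued for deletion at reboot.
    $hit = Get-PendingFileOperations |
        Where-Object { $_.Action -eq 'delete' -and $_.Source -ieq $Path }
    return [bool]$hit
}

# Usage (sample path is an assumption; substitute the file the prompt named):
Get-PendingFileOperations | Format-Table -AutoSize
Test-PendingDelete -Path 'C:\samples\xyz.exe'
```

Run this from an elevated prompt; the value lives under HKLM and is consumed and cleared by Session Manager early in the next boot, so it must be read before rebooting.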

That’s one way to get my blood pressure to hit the roof at 4 am. ;D
Please, never upload malware to the forums!
We need to have a way for this to be done without putting the general populace at risk. :-\

You can calm down!

The malware file (zip) is password protected, and I PMed the password to panic only.

Is it OK?