BOClean & other antimalware realtime shield

hi,
Recently I told my friend to install BOClean on his old computer since it's easy on computer resources, and he asked me a few questions (and I'm too stupid to answer ;D). I've tried to look in the FAQ section, but I couldn't find it. Here are the questions:

  1. What is the meaning of BOClean (the "BO" part; BO = buffer overrun?)
  2. What's the difference between BOClean (realtime protection) and other antimalware realtime protection (assuming the detection rates are equal)? Let's say I already have an antispyware with its realtime shield activated; why do I have to install BOClean as another realtime scanner?

Ganda

I’ve barely ever touched BOClean, but even I can answer:

  1. BO = Back Orifice
  2. Putting detection rates aside, it would depend on what that other anti-malware is capable of (i.e. what areas it covers, how it functions, etc.). But one thing that is different from the others is that BOClean detects malware when it tries to execute in your computer's memory. People with AVs regard it as a secondary or last line of defense. This part I didn't explain well enough, and I'm sure some long-time user will explain more.

I wouldn't mind knowing if there's any advantage to running BOClean with a-squared Anti-Malware in RealTime? While they are both good at finding trojans, I can't help but think that the way BOClean works in RealTime could somehow still complement the IDS Guard of a-squared.

  1. Clear!

Isn't "detects when malware executes in your computer's memory" the definition of a realtime scan?

I've read on the BOClean download page and in another thread that BOClean detects the "original"/stripped-off malware, while other antimalware detects a repacked old malware as a new malware. How?

Hey, now I notice that CAVS doesn't have a realtime shield option. Isn't that dangerous?

Note: these second questions are for me; who cares about that stupid friend of mine ;D

Yes. Real-time scan of your computer's memory, from what I've gathered. Again, someone more experienced may correct me a bit or provide a more specific definition. I don't have an answer to your other questions because I don't use other security products. :-\

First, I want to say that I have used BoClean but threw it off my PC (dunno why actually :-X).
So to answer: BoClean is a 'scanner' that stops the malware before it can even extract itself, so you could call it realtime monitoring. But it's actually different: a realtime scanner will find the virus when it has unpacked and installed itself; BoClean will kill it when it's trying to install itself. That's the difference.

Hope I’m right
Xan

I would say Xan’s definition is a little better/clearer. BOC is not a realtime “scanner” as it doesn’t scan files. Realtime “monitor” is a good descriptor; it waits and watches in the shadows with night/x-ray vision, and strikes without warning on the unsuspecting malware.

ganda, I’m not sure what you mean by CAVS not having a “realtime shield” option. CAVS has On-Access scanner, which is the “realtime” aspect of it. Terms used by different software companies can be confusing…

LM

(:CLP) Nice, so can I conclude: BOClean PREVENTS malware from being installed, and other antimalware realtime scan/shield/guard/protection detects when the malware is running (has already been installed)?

I thought on-access scan is scanning the file when we're about to open/copy/paste the file, and realtime scan is scanning for executed programs in memory.

If they're the same, let's say my computer is infected by a virus and it's automatically running (I don't open/access the file). Will CAVS detect it?

Nothing is going to prevent an installation, except not using your computer, LOL. You can install a virus all day long, and may not get alerts from anything except a HIPS (which users will frequently allow anyway, but that’s a different discussion).

Most viruses don’t execute (ie, DO something; try to capture a piece of CPU time) until reboot. At any rate, BOC will see them when they try to actually execute, because in order to execute, they have to access CPU time. The beauty of BOC is that AVs will miss stuff because the signature is not an exact match (typically because it’s packed in a different way); but in order to execute, the malware has to expose itself in memory, so BOC catches it with its pants down (so to speak).

Your AV's (or anti-malware's) real-time scanner doesn't monitor CPU time; it looks for an exact match of a file signature, or for types of activity (heuristics). This will happen once the virus actually executes, or possibly when you click on (access) the infected file.

Everyone uses different terminology - real-time, on-access, shield, guard, protection, etc. Don’t let the terms confuse you.

If they're the same, let's say my computer is infected by a virus and it's automatically running (I don't open/access the file). Will CAVS detect it?
A while back, a CAVS definition update targeted winlogon.exe as malware (yes, it was a big mistake). As soon as the logon screen was reached, the system would shut down, because CAVS quarantined this supposedly corrupt file.

I hope that answers that question for you.

LM
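An added illustration of LM's point that a repacked sample defeats an exact file signature but has to expose the original body in memory to run. This is example code written for this thread, not code from BOClean or from any poster; the "packer", payload and signature are constructed toys.

```python
import hashlib
import zlib

# Constructed sample: a fake program body carrying a fixed byte pattern that a
# signature scanner would look for. Nothing here is real malware.
SIGNATURE = b"BOCLEAN-DEMO-PAYLOAD"
ORIGINAL_BODY = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x00" * 64


def pack(body: bytes, key: int) -> bytes:
    """Toy packer: compress the body, then XOR every byte with a one-byte key.
    Re-packing with a different key yields a different file, like a repacked trojan."""
    return bytes(b ^ key for b in zlib.compress(body))


def unpack(blob: bytes, key: int) -> bytes:
    """What the packer's stub does at execution time: restore the original body
    in memory. This is the moment the original malware is exposed."""
    return zlib.decompress(bytes(b ^ key for b in blob))


def file_hash(blob: bytes) -> str:
    """Exact-match file signature, as a plain AV would store it."""
    return hashlib.sha256(blob).hexdigest()


def file_scan(blob: bytes, signature: bytes) -> bool:
    """On-access / file scanner: looks at the bytes as stored on disk."""
    return signature in blob


def memory_scan(runtime_image: bytes, signature: bytes) -> bool:
    """Memory monitor: looks at the image after it has unpacked itself to run."""
    return signature in runtime_image


def compare(key: int) -> dict:
    """Run both scanners against the same packed sample (key must be non-zero,
    otherwise the XOR step is a no-op and the toy packer degrades to plain zlib)."""
    packed = pack(ORIGINAL_BODY, key)
    return {
        "caught_on_disk": file_scan(packed, SIGNATURE),
        "caught_in_memory": memory_scan(unpack(packed, key), SIGNATURE),
        "file_hash": file_hash(packed),
    }


if __name__ == "__main__":
    for k in (0x5A, 0xA5):
        print(hex(k), compare(k))
```

Each repack produces a different file hash and hides the byte pattern from the file scanner, while the memory scan over the unpacked image still matches.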

Sorry for being ignorant, but what does it mean: "in order to execute", and "once the virus ACTUALLY EXECUTES"?

OK, I can relax now ;D
Thx LM

Execute: access CPU time in order to take some action.

For example, if you double-click a program icon to open it, the application has to “execute” in order to open (thus, the .exe extension being short for “executable”). This means that the application has to access the CPU (everything has to go through the CPU) in order to take this action.

Think of it this way… You put your hand on a doorknob, to open the door. This does nothing. However, when you turn the knob and push open the door, you “execute” the action of opening the door. Until you make that effort, the door is not open.

LM

Then BOClean catches the nasties when they touch the doorknob. COOL (:CLP) (:CLP)

Thx a lot LM.
Ganda