How is the BOClean detection of polymorphic viruses, potentially unwanted programs and scripts virus/malware?


Smells like you’re describing an antivirus there. Polymorphism has been a way of life since the 1990’s, a reason why we didn’t focus on file scanning like everybody else … polymorphism MUST dissolve once something’s loaded up in memory and BOClean exists because, if it’s RUNNING, then your AV failed you in the first place and in memory, it’s got to be thoroughly decoded or it will either crash or blue screen your box on you. That was always BOClean’s “ace in the hole” as far as detection went but it’s not what folks are used to. How many times do you want to scan those files and see “no virus detected?”

“Potentially Unwanted Programs” (“PUP”) … heh. What a cop out! No, they’re NOT “potentially unwanted,” I’d give that a layer of certainty! (grin) BOClean has gone after MIRC because no one ELSE had the stones to do so. BOClean provides an EXCLUDER programme which is protected by individual system scrambling so that malware cannot sneak into that excluder. If you WANT to run anything “potentially unwanted” that was how we decided to deal with it after the “Netbus affair” (referred to elsewhere) as a solution. We’ll DETECT it anyway - if you really WANT to make it “wanted” then just exclude it and tell BOClean you wanted it to run. Backwards I suppose from our competitors, but better to detect something “legitimate” that’s often used by the ne’er-do-wells because nobody else detects it than to just let it happen silently. Same for a number of other otherwise legitimate things we detect. If YOU put it on there deliberately, then chances are you REMEMBER doing so and will check it and then allow it. But if you didn’t put it on there, I’ll bet an alarm would be appreciated. :slight_smile:

And as to scripts? Nope … we don’t do those at all. Exploits and other tricks are merely a means to plant a payload. We go after THAT instead since the purpose of all that is to put something else on there. WE concentrate on the “else” … EVERY AV out there is expected to handle those things and place hooks into this, that and the other. That’s WHY they’re multiple megs in size. BOClean was NEVER intended to be your “first line of defense” or substitute for an AV file scanner … BOClean exists to back that up on things that might actually get past the “bouncers out front” and into your “personal space” … so we limit the design to what it does in order to keep it from being yet another bloated “same old, same old.”

Hope this helps … hopefully some others can amplify on what I’m talking about here.

Now hopefully more people will understand why BOClean doesn’t scan like an AV although you can drag and drop a file onto BC to get it scanned.

Not quite there either … short little story behind that phenomenon is in order then …

The “drag and drop” was NEVER intended to get out to the public in the first place, and we’re actually going to start neglecting that bit out of necessity. Lemme explain …

That “drag and drop” as well as a hidden “scan folders” bit that nobody’s ever seen within BOClean was designed as part of a VERY special build of BOClean which was created for our own internal analysts when we had a full staff a couple of years ago as well as some of our “hard core” friends who looked for, found, tested and submitted things they gathered out there. It was designed to allow THEM to find “duplicates” and save us all the trouble of looking them over in the lab. That’s ALL it was ever intended to do.

Back somewhere around 4.10 or 4.11, we accidentally left that capability inside the PUBLIC release and somebody “blabbed” when they found it working as it does when we’d NEVER intended to make that feature available to the public in the first place. But once “blabbed,” we were kinda stuck LEAVING it in subsequent builds. And while it can be QUITE useful, any form of TRUSTED “drag and drop file detection” would require that the FILE scan detect variants to the same degree that BOClean will once run and that has NEVER been so. All that “drag and drop” does is spot an IDENTICAL variant of something we’ve seen and it will NOT detect something that’s been repacked and encrypted. Anyone who’s followed BOClean and knows my own philosophy on the utter uselessness of “scanning files” since the 1990’s should know that we wouldn’t have done something we never endorsed …

But yeah, if you drag and drop a file and we’ve seen it before, THEN BOClean will detect it not as a variant or a confirmed nasty, but rather a DUPLICATE of something we’ve already done. Granted, there’s more than plenty of THOSE out there … but DO NOT trust that leftover function as anything to be trusted if it does NOT alarm on something … just needed that to be clear lest anyone be disappointed if they get an “all clear” from that, then go and run a suspect file only to have BOClean biff it … :slight_smile:
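
A small illustration of the point made in the posts above (an exact-duplicate file lookup misses a repacked or encrypted copy, while the decoded image in memory still carries the same traits), added here as an example and not BOClean's code or method. The XOR "packer", the `STUB` header, the marker bytes and every function name are constructed assumptions for the demo.

```python
import hashlib

# Constructed, harmless stand-in for a payload; MARKER plays the role of a
# trait that survives in the decoded code however the file is packed.
MARKER = b"DEMO-TRAIT-7f3a"
PAYLOAD = b"\x90" * 8 + MARKER + b" benign demo body"
STUB = b"STUB"  # hypothetical 4-byte loader tag, followed by a 1-byte key

def pack(payload: bytes, key: int) -> bytes:
    """Simulate repacking: same payload, different bytes on disk per key."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)

def loaded_image(blob: bytes) -> bytes:
    """Simulate what sits in memory once the loader stub has decoded itself."""
    if len(blob) < 5 or blob[:4] != STUB:
        return blob  # not packed: the memory image equals the file
    key = blob[4]
    return bytes(b ^ key for b in blob[5:])

def file_duplicate_check(blob: bytes, known_hashes: set) -> bool:
    """Exact-duplicate lookup: only a byte-identical file matches."""
    return hashlib.sha256(blob).hexdigest() in known_hashes

def memory_trait_check(blob: bytes, traits: list) -> bool:
    """Look for known traits in the decoded image rather than in the file."""
    image = loaded_image(blob)
    return any(t in image for t in traits)

def compare(samples: dict, known_hashes: set, traits: list) -> dict:
    """Return {name: (file_hit, memory_hit)} for each sample."""
    return {name: (file_duplicate_check(b, known_hashes),
                   memory_trait_check(b, traits))
            for name, b in samples.items()}

# The "lab" has seen exactly one packed build (key 0x41).
SEEN = pack(PAYLOAD, 0x41)
KNOWN_HASHES = {hashlib.sha256(SEEN).hexdigest()}
SAMPLES = {
    "seen_before": SEEN,
    "repacked_key_5a": pack(PAYLOAD, 0x5A),
    "repacked_key_c3": pack(PAYLOAD, 0xC3),
    "clean_file": b"just an ordinary text file",
}

if __name__ == "__main__":
    for name, (f, m) in compare(SAMPLES, KNOWN_HASHES, [MARKER]).items():
        print(f"{name:16} file-duplicate={f!s:5} in-memory={m}")
```

An "all clear" from the file-duplicate column for the two repacked samples is exactly the false reassurance the post warns about.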

Ah, o.k. got it, thanks for clearing that one up.

Thank you for the explanation. I understand what you wrote, my problem is understanding the process. What’s different in memory concerning the file itself, etc. Is there some good link where i can read what happens in the process you describe? That is, so i don’t take much of your time (plus i don’t mind reading and learning :)).

TIA if you find the time

EDIT: Welcome to the forum

Thanks for the good explanation, Kevin :wink:

Another question: does BOClean use some kind of scan optimization, like NOD32, KAV and some other AVs have, to only scan the same files when they were modified or have a new signature update?

Thanks (R)

P.S.: Kevin, you should be added to the Administrators group of this forum… :wink:

I think it will check everything every time it gets to memory.

If this is true, will it be possible to improve it?

Sure it’s possible to improve, cos nothing is perfect. However the optimisation techniques used in the traditional AVs are somewhat different than BOClean ones due to its architecture. Naturally, we will always look for ways to improve everything we have.


Yep, I know that you are always trying to improve your products and have resources to that… :slight_smile:

But we always also want to read that from you… :stuck_out_tongue:


Heh. As “BOClean father” (always got a kick out of Tataye referring to himself as “Beast father” and thus I just had to go there) there’s lots of “guard programmes” added to numerous OTHER “file scanners” but reality is that all they do is notice a memory event and then scan the file, TRY to unpack it and if they fail, it runs. BOClean has ALWAYS, since its inception, ignored the file system entirely - that’s the REASON why we never had anything more than a very rudimentary scanner whose sole purpose was to spot “duplicate submissions” for our analysts and NOTHING more beyond that.

I’ve made it a point to argue since the mid-1990’s that file scanning is a waste of time, and that if you choose to do so, it’s probably already too late. And again, also pointed out that there are just SO many ways of hiding nasties from file-scanning (even if triggered by a “memory scanner”) then it’s a complete waste of time. YES, BOClean will scan for well-known “fixed pattern” files as part of its design (that’s why we ALSO spot things of “commercial malware design” since those DON’T change) but “variants” of the same old stuff has always been what’s set us apart because a file sitting there on your system can do you no HARM unless it actually RUNS, and BOClean was designed to notice anything RUNNING and stop it cold and then “biff it” removing it from the file system.

But a file which might be a virus or other type of nasty that’s just sitting there and doing NOTHING is no more dangerous than a red bag of medical waste in a proper quarantined, isolated safety container. BOClean’s whole purpose is to be an ADJUNCT to your “scan my files, please” whatever and actually STOP anything which might actually be ACTIVE … and over the years, we’ve REMOVED things which are actually detected by every antivirus known to humankind, especially when the WORST of them all finally got a clue … for Nancy and I, it was ALWAYS about covering those things that weren’t detected by others. Perfect example of this is MIRC variants, NIRSOFT utilities and a raft of others for which we’d been accused of “false-positiving” on … our REASON for covering these was that they were the CORE COMPONENTS of many “pseudo-rootkits and bots” which were designed SOLELY on their “legitimate usage” and ignored by the others. After our “netbus” episode, BOClean begat a “protected EXCLUDER” for such situations. If you really INTENDED to run it, then you can manually exclude it in BOClean.

So our INTENT was never to be a “first line of defence” … that’s what any decent AV should be doing. OUR intent was to cover those things that would elude AV’s and ALSO to detect those things that would have yet another “zero day” owing to obfuscation methods … in MEMORY, all things are equal or they won’t run at all in the first place. OUR design was to study the malware authors, pick up their UNIQUE traits and set a “tipping point” for BOClean so that WE could beat “zero hour” as often as was possible. That’s what always set BOClean apart from any OTHER programme which had a “file scanner.” If a “file scanner” missed the same submissions and pickups that every OTHER AV/AS/AT missed, why in heaven’s name would WE find it either?

So we went with our OWN way of doing things … worked pretty well over the years if WE were the ones who alarmed instead of something else who had a go at it before WE got a sniff. :slight_smile:

Thanks for the explanation, Kevin :wink:

You mean NIRSOFT utilities are malware planters??

Oh, and, LOL:

De nada! I’ve come to realize in the past few months how self-centered and clueless some people can be - PARTICULARLY those in this (ahem) “business” … Nancy and I failed the business because we just couldn’t attain the whole “P.T.Barnum” quality of “showmanship” … I’m a simple tekkie, I just do the obvious, code it up and put it out. Nancy wanted to be sure everybody was happy. We were never good at “sales” or perhaps PSC wouldn’t have needed to fold in the first place. :frowning:

But that all said, I’m relieved as is Nancy that we didn’t have to end up the same way as one of our very closest FRIENDS who happened to be a competitor. At least BOCLEAN and all we made it will live in someone else’s hands, true to the honor and requirements it delivered as well as designed to be SMALL and a BACKUP to an AV … we’ve ALWAYS been trapped in other people’s stereotypical expectations of what a “security program” should be, as based on the trade rags, clueless reviewers with their OWN expectations and limitations … we never got a fair shake. And whenever somebody TESTED us, it was always tested in terms of the expectations of “yet another scanner” and thus we did poorly as a direct result of the expectations and NOT the results. There’s NO room for something that doesn’t fit the old 1980’s “file scanner” mindset and sadly, I’ve seen the SAME old mindset in a couple of other threads here as well as far as the same old tired “rulesets.” Sheesh. :frowning:

I’d say something about comparing BOClean to the difference between the APOLLO space capsule and the SHUTTLE … but alas, SHUTTLE finished, FUTURE is the APOLLO spacecraft design. Everything OLD is new again. As an engineer type I s’pose I’m just too old to remember when the word “PROGRESS” was synonymous with “IMPROVEMENT” but I digress.

But hey! 1980’s! GOGO’s! Billy Idol! Talking Heads! Great music, poor excuse for security in the 21st Century. Well … PSC’s competitors, particularly Microsoft, put PSC out of business. And ONLY COMODO took a REAL look at what we did with BOClean and said, “At FIRST glance, we were worried that integrating BOClean into OUR stuff would be impossible.” THEN they actually paid ATTENTION and realised it would be EASY, and met COMODO’s “corporate religion” which meshed with ours … seems our code wasn’t so hard to fathom (or port) as the peddlers of 1980’s technologies believed. At last to COMODO and MELIH who looked it over, studied it and said “works! actually works pretty well and I understand what Kevin and Nancy did here” … and so the BLESSING of continued living … and the space for IMPROVEMENT! W00h00! :slight_smile:

Well … not QUITE … Despite the fact that the NIRSOFT kids USED to write trojans years ago, and they’re NOT “trustworthy” to ME on that basis alone, most of what they write are useful tools for specific situations where you WANT their stuff to run for a purpose and do so DELIBERATELY. Alas, like more “war tools,” NIRSOFT’s stuff finds its way into WAY too many rootkits and PSEUDO-rootkits and thus we had NO CHOICE but to detect them. Like I said, if you REALLY want to run something “natty” you can ALWAYS add it to BOClean’s excluder … it’s DESIGNED to let you IGNORE any potential malware you really want to run - but it’s encrypted, and designed to prevent OTHERS from excluding THEIR nasties, and so you gotta handle it manually.

But yeah, the absolute FAVORITE invasion method is to use every tool the ne’er-do-wells can find that will NOT be detected by “anti-spyware” or AV’s BECAUSE by itself, it is “legitimate” and any action to detect such is met with “so and so is garbage, it’s full of false positives all the time” and so the BIG corporates wimp out and let such slide. Nope … Nancy and I never wimped out on ANYTHING that was used maliciously … OUR attitude was that if the author of a proggie even ALLOWED hiding of a “system utility” then it was BOGUS and a THREAT …

And when their customers whined at us, “BOClean Fp’d on such and such and it was ON our “evil” list” all we did was tell them “wanna RUN that? EXCLUDE it, we’re not removing the def” … and so it goes. Kids WANT to avoid capture … HOW do “skiddies” do it? Build a dropper, dump MIRC and all scripts, and a couple of HIDER’s and no one will ever KNOW that MIRC is running in your system folder, phucking your machine, and sending 60,000 spams an hour until your ISP shuts down your account.

THAT’s what BOClean was designed to stop. And more. Whoops. :slight_smile:

This would seem to be one of the major stumbling blocks to CAVS2 becoming widely accepted. A lot of people rely on sites like AV Comparatives or similar and their testing methods (as scrupulous and accurate as they are) are based around the traditional detection and removal AV schema that has been around since day dot.

The simple fact that CAVS2 doesn’t operate solely in this manner weighs the testing against the product, but by ignoring a large chunk of the product’s capabilities, IMHO, flaws the results when tested against any app that doesn’t conform to their concept.

When CAVS and CFP V3, with their co-operative HIPS, are released, AV testing sites will hopefully expand their testing and include “something that is blocked and never gets a chance to execute” on an equal footing with “something that got through the AV to the file system and then we picked it up”.

Geeze Louise, why spend so much to build a better broom, when it’s much more efficient to make sure the mess never happens in the first place! 88)

Ewen :slight_smile:

Heh. GLAD to see that there’s anyone else who FATHOMS WHY I piped onto the good ship COMODO in the first place! First time I sat down with Melih, first words out of MY mouth was “you KNOW that we’re not only losing the battle, we’re losing the WAR against malware” and he just smiled and seemed relieved to know someone ELSE got it too. :slight_smile:

I knew that not getting infected in the FIRST place was the only answer - in the past some of our idjit “reviewers” made that point in the FIRST place, but thanks to Melih and others who I shall leave nameless within COMODO that I grew to LOVE the first day ALSO had the clue of reality, and we ENJOYED each other’s company in “wow … WE have the CLUE if only we could convince the world that everything everyone is SO used to as a concept was dead in the 1980’s.” :frowning:

THAT is the reason I keep harping on that point. BOClean was so mired in just dealing with more nasties than we could handle, same for the AV’s and in our desperation to just “keep up” some of us realized that this was just a lost cause and there HAD to be a better way around all this. I knew it, had ideas which I started to code but never had time to COMPLETE, and so did COMODO’s people. I got kissed, so off to the altar to DO it! Heh.

The OTHER “vendors” are just SO over once my code, COMODO’s code, and the INCREDIBLE genius of the people I’ve already been working with on top of the people at COMODO that I have YET to sit down with and confab … byebye every “vendor” you’ve EVER known from the biggies to the smallies … heh … the BULLSQUIRT of the “same old” is about to die, and I am so proud to be a part of the burial of the 1980’s ideas of “security” and oh so many vendors who are still peddling that same old tired bullsquirt … and I got tired of the nonsense of the 90’s! SERIOUS stuff afloat in the labs and all we’re confabbing on now. AV’s? Hahahahahaha. AT’s? AS’s? Uh yeah, let’s install MSDOS 3.1 and par-tay with progress. (grin)

As I’ve said elsewhere and here … the BEST is yet to come and I have SEEN a good bit of it. Need to code up the REST of it!

As I said a lot of times, this will be very good if everyone knows what the file does and takes a decision, and I’m also curious to see that white list to avoid all the annoying useless windows… Even if you have a really huge list, it will be impossible to avoid them…
That is why, normally to not say always, everyone wants a solution that identifies the threat instead of annoying the users to make that decision where they don’t have that knowledge…

The safelist was at 300,000 executables mid-March and growing by just under 3,000 a day. While I concede it’s impossible to know everything, the safelist and the HIPS layer will prevent the vast majority of pop-ups ever occurring.

Personally, I don’t care about the things that don’t get in. I wouldn’t give a running rats if I never knew what didn’t infect my system. I’m more worried about getting my work done.

Ewen :slight_smile: