Does boclean have heuristic scanning?

…or is it purely signature based? And if so, does that mean that Boclean cannot show false positives? Isn't that the purpose of signatures; that it finds an exact trojan?

Reason for asking is that Boclean, but none of the big brands such as KAV, NOD32, McAfee, Norton, you name it, detected a trojan I found on the net. I am one of those people who never encounter malware, so I have to hunt for it to see if my protection is good enough :slight_smile:

So finally I seemed to find one in a keygen for some software.
Boclean calls it “KEYGEN19”.
Is a keygen by definition malware in Boclean? Or is there an actual original trojan named KEYGEN19 out there? Or what's the reason for the name?

04/29/2007 12:24:18: KEYGEN19 MALWARE STOPPED by BOCLEAN! Trojan horse was found in memory. F:\FTEMP\VIST\KEYGEN.EXE contained the trojan. Active trojan horse WAS shut down. System now safe.

Do I understand Boclean, and signatures in general, right when I assume that the reason for Boclean to alert is that it has an exact signature of what the malware does (installing a trojan), not a false positive because it resembles what malware could be doing? Like heuristic scanning…

It's purely signature based. However, that doesn't mean that it can't have false positives… it can… Because signatures are actually based on a few bytes of information in specific places, and that can cause FPs…

If you want, you can report the above and we can check to see if it's an FP or not… but CB (Comodo Boclean) says it's a trojan… and it's not the first time CB has caught things that other AVs and anti-spyware products have missed… check here https://forums.comodo.com/index.php/topic,8376.0.html
And if this is another one that AVs have missed, please report it to this forum.

thanks Sukarof…

Melih

That is not what I understand from Kevin. It also uses heuristics.

Well, heuristic has a different meaning than “glorified signatures”… Lemme explain… Having other kinds of rules that catch malware even though it doesn't have its “signature” in the traditional sense, it still catches it based on other rules; that is what the AV industry calls heuristic. However, I call that “glorified signature” :slight_smile: I know Kevin has nice tricks that could be considered heuristic, as other AV vendors do. Kevin has an amazing arsenal of knowledge of malware authors and the way they do their coding… and he uses that to his advantage in a way that we all call heuristic, I guess…

cheers

Melih
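Melih's two posts above make two claims worth seeing side by side: a signature is "a few bytes in specific places", so it can collide with benign data and false-positive, while a heuristic is a set of "other kinds of rules" that fires without an exact match. The following is an added example written for this thread; it is not BOClean's or Comodo's code. The signature entry, the indicator list, and all three sample files are constructed here for illustration (no real malware is involved):

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A classic signature: a short byte pattern expected at a fixed offset."""
    name: str
    offset: int
    pattern: bytes


# Constructed demo signature (not a real BOClean entry): 4 bytes at offset 8.
SIGNATURES = [Signature("DEMO_TROJAN_A", offset=8, pattern=b"\xde\xad\xbe\xef")]

# Constructed indicator list for the heuristic rule: API names typical of
# process injection. Seeing two or more of them together is the trigger.
INJECTION_APIS = [b"OpenProcess", b"WriteProcessMemory", b"CreateRemoteThread"]


def signature_scan(data: bytes, sigs=SIGNATURES):
    """Return the matching signature name, or None. Exact, but a few bytes
    at one offset can collide with perfectly benign data."""
    for s in sigs:
        if data[s.offset:s.offset + len(s.pattern)] == s.pattern:
            return s.name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random/encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_scan(data: bytes):
    """Generic rules instead of exact bytes. Returns (flagged, reasons)."""
    reasons = []
    hits = [a.decode() for a in INJECTION_APIS if a in data]
    if len(hits) >= 2:
        reasons.append("injection-style APIs referenced together: " + ", ".join(hits))
    if len(data) >= 512 and shannon_entropy(data) > 7.0:
        reasons.append("high-entropy body, typical of a packed or encrypted payload")
    return bool(reasons), reasons


# --- constructed samples --------------------------------------------------
# "Trojan": 8-byte header, the signature bytes at offset 8, then API names.
TROJAN = (b"MZ\x00\x00\x00\x00\x00\x00" + b"\xde\xad\xbe\xef" + b"\x00" * 20
          + b"OpenProcess\x00WriteProcessMemory\x00CreateRemoteThread\x00")

# Benign data file whose format happens to place 0xDEADBEEF at offset 8
# (binary formats use such markers). The signature scan will hit it: an FP.
BENIGN = b"DATA0001" + b"\xde\xad\xbe\xef" + b"hello world, nothing to see here\n" * 4

# Packed-looking blob with no signature match at all; only the entropy rule
# notices it. Seeded so the example is deterministic across runs.
_rng = random.Random(1)
PACKED = b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(1024))


def classify(data: bytes):
    """Run both detectors so the two styles can be compared on one input."""
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


if __name__ == "__main__":
    for label, sample in [("trojan", TROJAN), ("benign", BENIGN), ("packed", PACKED)]:
        print(label, classify(sample))
```

Running it shows the asymmetry the thread is arguing about: the signature fires on both the "trojan" and the benign data file (the false positive Melih warns about), while the heuristic flags the trojan and the packed blob but leaves the benign file alone. Real heuristics weigh many more indicators, and a high-entropy rule on its own would also flag legitimate compressed or installer files, which is why such rules are scored and tuned rather than treated as proof.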

That is not my understanding. For instance, a kernel rootkit was specially written to test BOClean. It detected and removed it without having a signature in the database. It was detected using heuristics. I have the information from Kevin, and it was he who wrote that it was detected by behaviour (heuristics).

Thanks for your reply Melih. I will submit the file.