Does BoClean keep a Black / white list?

I downloaded a small app called Trojan Simulator to test BoClean. I got the file from…
http://www.misec.net/trojansimulator/

When I first ran the app, BoClean stopped it dead in its tracks before it could load its server. I did not delete the file. Now, whenever I run Trojan Simulator, BoClean allows it.

My question is, does BoClean keep a whitelist that this app may have been added to? Is there some kind of edit that I can do to get BoClean to block this file again?

Thanks,
Mike

Edit:

Just as a final thought, if I drag and drop the file onto BoClean, it is flagged as malware. BoClean will, however, allow the app to run.

Hey,

I’ve downloaded and tested the file also, did what you did (don’t delete it) and tried it again → BoClean kept stopping it.
As far as I know BoClean doesn’t have a white list, but you need to ask ~cat~ (I’ll send him a PM).

Hope I could be of help even if I didn’t give you the solution.

Thanks for looking into it. It’s a little bit odd but fortunately, it’s not malware.

If you hear anything, please post what you find.

Thanks again,
Mike

Did you not see the attached alert from BOC?

This might help explaining it. A few seconds later, I got another of the first warnings; this time I chose to delete it, and have not heard from BOC since…

LM

[attachment deleted by admin]

Thanks for the reply Little Mac. I didn’t see that particular warning about the system locks. But what I’m seeing has me curious. Maybe you could help.

The following takes place inside Windows Explorer… between 9 pm and 10 pm
Double clicking the icon to run Trojan Simulator brings up a BoClean window that states…

"This trojan horse program was found on your machine.
It has been shut down, but the FILE from which it
started still remains and can be started up again.

     Do you want the file removed also?"

I clicked “No”

Here’s where it gets a little strange.

I double-clicked the TrojanSimulator icon again and didn’t get an alert from BoClean.
I shut down the TrojanSimulator app.
Waited 10 seconds

Ran TrojanSimulator again, but BoClean stopped it.
I didn’t allow BoClean to delete the file.
Waited 5 seconds

Ran TrojanSim again and it was allowed to run.
After receiving no alert from BoClean, I closed TrojanSim and went back to my web browser.
After about 15-20 seconds, I heard the Windows “Exclamation.wav”
I minimized my web browser window and, finally, there was the Boclean alert - same as before.

From what I’m seeing, BoClean will block any further attempts to run the file again if I wait about 10 seconds. Other than that, BoClean doesn’t seem to mind it running the second, third or fourth time if it is attempted within a few seconds.

I’m kind of leaning toward performance issues on my end, mainly because of the long time delay for the last alert.

In this type of situation, could this be any type of risk if it were a real trojan? I ask because I don’t know a lot about trojans or if they are capable of persistently trying to infect a system. Not trying to act like I’m intelligent in these matters, ’cause I’m far from it. Just sharing what I’m seeing. Hopefully, it’s nothing.

Just one more note: Some info on my machine…
Dell system with 2.8 GHz processor
1 GB of RAM
Windows XP Pro

Running processes: 38, including: Kaspersky Antivirus, SpySweeper, CPF.

Thanks for your reply Little Mac.

Mike

Since I have uninstalled CBOC for the time being for the testing of V3 I thought I would see how the V3 firewall would react to Trojansimulator. I set the Defense+ setting to Learn Safe Only and tried to install the Trojansimulator and it caught it every time with a popup. I chose to block it without remembering and it would not let me try to install it again without closing it then starting it again. I realize that the firewall wouldn’t get rid of it but at least it saw it and alerted me.

I tried installing it again in Learn All mode and it installed with no inkling of anything being installed. Nothing popped up at all. It even set itself to modify registry keys when I looked in the list of programs. Just goes to show that you better be sure that you have a safe system when using the Learn All setting on any firewall.

I realize this thread is about CBOC but I just thought it would be interesting to try the simulator on the firewall so we could see how the V3 firewall would react.

jasper

■■■■, I can’t even get that far as NOD32 smacks it one before I can download or run it!!

Edit: Let me run this and see what it’s doing…

On execution of TrojanSimulator.exe, CBO alerts and stops it from loading. (1.) I decline to delete.
On a second attempt I got the same alert as the first time, then I did it a little faster (under 10 seconds) and got the install dialog.
I assume CBO was recalibrating and missed it due to user interaction.
I have an install screen now so I hit the install button and CBO alerts on a variant (2.) of the first detection and prompts for removal. I agree and the original file TrojanSimulator.exe is deleted but a run key is now in place and TSServ.exe is still in its folder.
I reboot and get a prompt claiming TSServ.exe is active (3.) and CBO alerts, prompts for action (4.) and whacks it in file, memory and the run key.
Game over… now, what was the question? :-\

[attachment deleted by admin]

My question is, does BoClean keep a whitelist that this app may have been added to?
No, I assume CBO was recalibrating and missed it due to user interaction (repeatedly executing the original TrojanSimulator.exe file after telling CBO to leave it alone). Allow CBO 10 seconds between executions and, as you noted, the behavior is as expected. The multiple .exe's can make it difficult to follow what the test is doing... at least for me when I need sleep. 88)
In this type of situation, could this be any type of risk if it were a real trojan?
No, although CBO can be initially "deferred" when all else fails CBO will get it when you reboot.

Yep … that’s actually “as designed” … when a real nasty occurs, the “correct” response is “oh noes! Make it go away!” a YES response and losing the nasty would have repeatedly, reliably behaved as expected. We left the “NO” option in the design (and it will endure in 4.24) for those rare circumstances where you actually want to RUN something that we smack down. And even here, the proper response would be to add it to the excluder if you really meant to do that.

When you select “no” then BOClean will “cache” the item until its next recalibration (typically every ten seconds) whereupon it will clean that cache list (or what you’re referring to as “whitelist”) … we’re obligated to do this because the CORRECT response would be to initiate a COMPLETE rescan of everything every ten seconds (or whatever it’s set for in the configuration screen) … this is a necessary evil because if we were to actually rescan everything every ten seconds, then your CPU% would hit 100 and peg there for over a second or two every ten seconds. Folks would be doing some serious whining about “CPU hog” as has occurred in the past … so that’s why it works that way. But once the recalibration occurs, it’ll get picked up again - but by saying NO, then you’re not so worried about it and out of necessity upon your choice, then neither are we.

But that’s why … and it’s quite repeatable and by design that way.
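To make the mechanism Kevin describes concrete, here is a small added model (example code written for this thread, not BOClean's own source) of a detection that the user declines to remove: the item goes into a deferral cache that is cleared at every recalibration boundary (10 seconds by default, per the post), while the excluder is the only permanent allow list. The class and function names, the 10-second window arithmetic and the use of a file name as a stand-in for a signature match are all assumptions for the illustration.

```python
"""Model of the deferral behaviour described in the thread: a detection the user
declines to remove is cached until the next recalibration pass (default every
10 s), which clears the cache; the excluder is the only permanent allow list.
Added illustration, not BOClean code; names and the signature check are assumed."""
from dataclasses import dataclass, field

RECALIBRATION_INTERVAL = 10.0  # seconds; the default interval the thread mentions


@dataclass
class DeferralModel:
    interval: float = RECALIBRATION_INTERVAL
    signatures: set = field(default_factory=set)   # hypothetical "known bad" names
    excluded: set = field(default_factory=set)     # the excluder: permanent allow list
    deferred: set = field(default_factory=set)     # items answered "No"; cleared on recalibration
    epoch: int = -1                                # index of the current recalibration window

    def _recalibrate(self, now: float) -> None:
        # A recalibration boundary falls every `interval` seconds. Entering a new
        # window empties the deferral cache, so a deferred item is detected again
        # (rather than rescanning everything, which the post says would peg the CPU).
        window = int(now // self.interval)
        if window != self.epoch:
            self.deferred.clear()
            self.epoch = window

    def execute(self, name: str, now: float, keep_file: bool = True) -> str:
        """Outcome of launching `name` at time `now` (seconds):
        'allowed'  - not detected, excluded, or deferred within the current window
        'deferred' - process stopped, file kept because the user answered "No"
        'removed'  - process stopped and file deleted because the user answered "Yes"
        """
        self._recalibrate(now)
        if name not in self.signatures or name in self.excluded:
            return "allowed"
        if name in self.deferred:
            return "allowed"          # the cached "No" suppresses the alert until recalibration
        if keep_file:
            self.deferred.add(name)
            return "deferred"
        return "removed"


def replay_thread_scenario() -> list:
    """Mike's sequence: alert, re-runs inside the window pass, alert again after ~10 s."""
    model = DeferralModel(signatures={"TrojanSimulator.exe"})
    timeline = [0.0, 3.0, 8.0, 12.0, 14.0]        # constructed launch times in seconds
    return [model.execute("TrojanSimulator.exe", t) for t in timeline]


def excluder_scenario() -> list:
    """The handling Kevin calls proper: an excluded file is never alerted on, in any window."""
    model = DeferralModel(signatures={"TrojanSimulator.exe"},
                          excluded={"TrojanSimulator.exe"})
    return [model.execute("TrojanSimulator.exe", t) for t in (0.0, 25.0)]


if __name__ == "__main__":
    print(replay_thread_scenario())   # ['deferred', 'allowed', 'allowed', 'deferred', 'allowed']
    print(excluder_scenario())        # ['allowed', 'allowed']
```

The replay reproduces what Mike saw: launches a few seconds after answering "No" are not alerted on, and the first launch after the next ten-second boundary is caught again. The excluder scenario shows why a cached "No" is not a whitelist: only an explicit exclusion survives recalibration.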

You ARE the man Kevin. I kind of feel bad that you had to waste your time for this. However, I have a little better understanding of what BoClean is doing. So maybe it wasn’t all for naught.

Thank you man,
Mike

You’re welcome! (V)