will Comodo BOClean delete my pr0n ???

I installed this app cuz I heard it has a tray icon, and I LOVE tray icons (I collect them!)

Seriously, I’m a bit confused about the extent of “scanning” BOClean performs.
After closing the “config” screen, the resulting popup window mentions scanning… and I see references to Windows, System32, ProgramFiles, etc. folders blinking in it.

Is BOClean just re-scanning the files related to the currently active processes?
If not, what path(s) should we expect will be scanned? I’m wondering the same (which paths?) with regard to the “resuming background scan” and “unattended” features also.

I had the impression that BOClean’s operation(s) involved antihook and dll injection watchguarding + sandboxing. If it is actually going to scan through the entirety of my drives (what about mapped drives?) I won’t be happy if it finds/deletes “stuff” which is on someone else’s “bad” list.

The absence of an option provided to enumerate paths which should be excluded suggests BOClean does not scan the entire filesystem; I’m asking for confirmation that it doesn’t.

No, it’s not scanning your files.
BOClean only scans active memory processes.

BOClean doesn’t scan files as its main course of action. It will examine files which are related to anything which starts to run, to see if it can detect anything that way, but over the years I’ve been well known to heavily disrespect file scanners because everyone’s got an antivirus or some other antivirus-like file scanner. We do things differently solely on that basis. We only look at what’s actually trying to run, not what’s sitting there. And while file-scanning is useful, it doesn’t do a lot of good until a system is so hosed up that the idea of “perhaps I should scan” is usually too late.

But we’ll stand behind anyone else’s scanner of your choice … :slight_smile:

Geez, I expected the cutesy title of this thread would draw 'em like flies, but only 166 views so far! 166, compared to 1000+ views for a generic-titled (“Complaint!!!”) thread someone started the same day.

Anyhow, now that I’ve had Comodo BOClean running on this PC for several days, it seems like a fine (stable, no-frills, dedicated purpose) app. I keep hearing (er, reading) how it’s the best, bar none, at what it does… but "Where’s The Beef?"™ ???

Same as with CyberHawk, after installing BOClean I’m sitting here thinking “Yah. This is like installing those AS SEEN ON TV ™(probably another tm) anti-deer whistles on your car. I know them deers is out there somewheres, and I ain’t hardly had none of ‘em run inta my car since I installed them there whistles… so them gizmos must be workin’ like they sez”

I think I’ve read through all the docs (both the marketing spiel and the support ‘page’) and nowhere have I found any meaty specifics, similar to those being touted by “competing brands”, à la:

http://www.diamondcs.com.au/processguard/index.php?page=introduction

Main uses …
Each capability of ProcessGuard is powerful in its own right. For example, a program which simply blocked a rootkit trojan from installing would be very valuable in its own right, yet this is just one feature of ProcessGuard! Here is just a brief list of some of the main uses of ProcessGuard:

 Securing processes from being attacked (terminated, suspended, modified)
 Controlling which programs are/aren't allowed to run
 Blocking rootkit trojans and other malicious drivers from installing
 Protecting physical memory from malicious modification
 Blocking hooks and code injections
 Determining which programs are being executed on your system
 Determining which programs are attacking others on your system
 Analysing the inter-process behaviors of programs
 Keeping a log of all programs that execute (important for post-infection analysis)

Main attacks ProcessGuard blocks …
ProcessGuard protects against so many different types of attacks that it’s difficult to combine them all into one list (for example, although it protects against process termination it secures over a dozen different “termination vectors” in order to accomplish this, so really it’s protecting you against a lot more than just one attack).

Here are the main classes of attacks that ProcessGuard can protect against:
Unwanted/unknown process execution
Process/service termination
Process/service suspension
Process/code modification
Process/service crashing
Rootkit trojan installation
Firewall leaktest bypass methods
Hooks and code injections
Physical memory malicious modifications
Windows File Protection attacks
User Imitation attacks


I wound up choosing the title for this thread upon realizing that in numerous posts I’ve been ■■■■■-footing around, trying to find specifics (features, functionality) AFTER having installed the app. Gently, gently, because the limited response to my earlier, more pointed/challenging post, in the “BOClean vs ??” thread
https://forums.comodo.com/index.php/topic,7742.0.html
suggested that the ranks of happily enthusiastic users are similarly unenlightened.

Do ya get out much?
The marketspace shared by BOClean is now occupied by DOZENS of competing brands. Each of them is claiming best-in-class functionality; to keep pace, Comodo needs to improve BOClean’s “sales pitch” by providing details – perhaps even to the extent of creating a feature comparison chart.

or not.

Don’t worry about the details.
We don’t explain them because you wouldn’t understand them anyhow.
It’s a black box. It’s free. Trust us. Install it.

posted with sincere appreciation toward MrKevin and Comodo for bringing this much-needed app “to the masses”

hi Frazzled

There is a big difference between HIPS-like products (the one you are quoting) and BOClean…
BOClean works with a blacklist and monitors the memory in real time to see if any of these nasties are there or not. So it’s like an AV, but instead of scanning the hard disk to find nasties, we wait in memory and catch them there. Until they are in memory they can’t cause any damage anyway… and it’s more efficient to sit and wait where they feed :slight_smile:

Melih

Hello Kevin,

What is the difference between these cases:

  1. I drag&drop the grc tester file into CBO’s window and it’s detected as MALWARE.

  2. I drag&drop a Hungarian trojan into CBO’s window and there’s no result.

  3. I drag&drop the old BO 1.2 there and it’s recognised (also, is this a bug or a special "BO"Clean feature, why CBO asks me twice?)

  4. I drag&drop Deep Throat 1 and it’s also detected as MALWARE.

  5. I also tried ****** (ask for) without results.

What’s the problem here? Do cases 2 and 5 mean CBO can’t save me from that malware? Can CBO save me if I actually run these threads in the memory?

Thanks in advance,

Geza Gabriel (nick: Arki)

As has been previously noted in another thread, Arkangyal, the drag&drop wasn’t intended to be a public release feature (it escaped by accident). They were using it in-house for some specific reason (I forget what) as part of their testing stuff. It doesn’t work the same way that the rest of it does, and shouldn’t be used as an indicator of safety or danger.

Your results might be different if the malware was released onto the computer, to try to execute in memory. Time to sandbox and see what happens, sounds like… :wink:

LM

Hey LM, thanks for the info/answer! Sandbox solution then… but I’m afraid I haven’t got good news :cry: What shall be the next step?

What do you mean?

When I said it was time for a sandbox, I was referring to your question “Can CBO save me if I actually run these threads in the memory?”. In other words, you will very likely get different results if you allow the malware to run (and I wouldn’t allow it to run if it wasn’t in some sort of virtual environment).

LM

For me, a sandbox is somehow equal to a test computer (I think it doesn’t matter what’ll happen if you simply reformat it). (Also, it’s a simple, old trojan, which isn’t infecting other computers.) So I ran the trojan and CBO didn’t stop it: I only checked with Task Manager. Did I misunderstand something?

Woopsies! Maybe the trojan is so old all its teeth fell out and it needs a cane to help walk? Or a wheelchair, and it’s blind?

Is the trojan list in CBO fully updated?

LM

I’ve updated it today, I think that should be correct. Old? I wouldn’t find any problem with your statement IF CBO didn’t recognise the older Back Orifice v1.2 ;).

Ooh, that would be problematic, wouldn’t it?! ;D

Next question is, is the trojan in the list?

Correct me if I’m wrong, but CBO should stop the malware code by BEHAVIOR, whatever its kind. So I mean even if the trojan got a new version, CBO should recognise its malware behavior, no?
I had another test with a newer *** trojan, which isn’t on the list (there’s only a 1 sub-version difference, so instead of 1.00 it’s 1.01, etc.).

No, you’re wrong, so I must do as you request, and correct you… :slight_smile:

CBO’s not a behavior-blocker. It works strictly from definitions. The differences come in as far as where it looks for those malware (in memory only) and how (based on the “core” of the malware; the “naked” version).

Basically, rather than take time and resources to scan the filesystem, CBO monitors the memory, where a malware will be unpacked to execute. This is where the other difference comes in. I’ve seen the count of detectable malware (I don’t remember the specific number) and it’s huge; this is due to the way it sees the malware.

CBO is programmed to see malware as (Melih’s term) a naked lady. When she’s all packaged up (with clothes on to disguise) she’s not recognized; when she gets unpacked (undressed) to run, Wham! CBO knows who she is. Basically (as I understand it), malware is able to evade detection by modern AVs due to the way they’re packed. At the core, the code is still the same. This is why there’s only some 24,000 definitions in CBO, but with detection in the multi 100,000 range. Kevin has stated that there are very few “original” trojans written any more; they’re all the same, just packed in new ways. But the trojan still has to unpack to run; the instant it does, CBO pounces. But the AV won’t twitch coz it’s all confused by the package.

Hope that helps clarify…

LM
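The following is an added illustration, not code from this thread, from Comodo or from BOClean, of the point Melih and LM make above: a definition-based monitor that matches the unpacked image in memory can cover many on-disk “variants” with one definition, while a scanner that only looks at the bytes on disk sees every re-pack as something new. The trojan “core”, the XOR packer, the definition name and pattern, and the seed used to generate variants are all constructed for the example and stand in for nothing real.

```python
"""Added example (not from the forum thread, Comodo or BOClean): why matching
the *unpacked* image in memory lets one definition cover many on-disk
re-packs of the same trojan, while scanning the on-disk bytes does not.
The core, the packer, the definition and the seed are all constructed."""

import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for the "naked" core of a hypothetical trojan: the
# code that must be present in memory for it to run at all.
NAKED_CORE = (
    b"\x55\x8b\xec"                        # made-up prologue bytes
    b"HYPOTHETICAL_BACKDOOR listen 31337"  # the part a definition keys on
    b"\x5d\xc3"
)

# One definition: a byte pattern taken from the naked core (name is invented).
DEFINITIONS: Dict[str, bytes] = {
    "Hypothetical.Backdoor.A": b"HYPOTHETICAL_BACKDOOR listen 31337",
}


def pack(core: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the core with a key and store the key in a header.
    Every re-pack with a fresh key yields different bytes on disk."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(core))
    return b"PACK" + bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    """What the packer's stub does at run time: rebuild the core in memory."""
    if not blob.startswith(b"PACK"):
        return blob  # not packed: the on-disk image is the in-memory image
    klen = blob[4]
    key, body = blob[5:5 + klen], blob[5 + klen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def match(image: bytes) -> Optional[str]:
    """Definition lookup against an arbitrary byte image."""
    for name, pattern in DEFINITIONS.items():
        if pattern in image:
            return name
    return None


def file_scan(on_disk: bytes) -> Optional[str]:
    """A file scanner only ever sees the packed bytes."""
    return match(on_disk)


def memory_scan(on_disk: bytes) -> Optional[str]:
    """A memory monitor sees the image after the stub has unpacked it."""
    return match(unpack(on_disk))


def make_variants(n: int, seed: bytes = b"constructed-seed") -> List[bytes]:
    """n re-packs of the same core with distinct, deterministic 8-byte keys."""
    keys = [hashlib.sha256(seed + i.to_bytes(2, "big")).digest()[:8]
            for i in range(n)]
    return [pack(NAKED_CORE, k) for k in keys]


def compare(n: int = 50) -> Dict[str, int]:
    """Count what each approach sees across n variants of one trojan."""
    variants = make_variants(n)
    return {
        "definitions": len(DEFINITIONS),
        # "traditional" counting: every distinct on-disk hash is a new variant
        "on_disk_variants": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "file_scan_hits": sum(file_scan(v) is not None for v in variants),
        "memory_scan_hits": sum(memory_scan(v) is not None for v in variants),
    }


if __name__ == "__main__":
    print(compare())
```

Running `compare(50)` gives one definition, fifty distinct on-disk hashes, zero file-scan hits and fifty memory-scan hits, which is the “24,000 definitions, hundreds of thousands of variants” arithmetic in miniature. The caveat is the one already stated in the thread: the lookup is still against a definition, so a core that is not in the list unpacks and runs unmatched; nothing here reasons about behavior.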

Thanks ^^

Then the definition list is small and I can have the opinion that CBO is not too good, yet. That 100,000 and 1 million are nice numbers then: of course, I can pack every kind of malware with UPX, so the current 24,000 will be 48,000, and if I find other compression methods (even zip, rar…), this number will increase, fun -.-

Well, Kevin, I was able to find 3 working trojans and I only checked 5; it’s an interesting thing, isn’t it? I haven’t got brand new ones, I guess they are from 2003 or earlier times. This is 4 years. I wish you to update those definitions as fast as you can (:WIN). I’ve already submitted all the files by the CAVS submit program, let me know if you need their names, etc.

Thank you for your help, LM, I really appreciate it!

Arkangyal,
What are you using as a test environment?
Memory isn’t handled the same in a VM environment as in an actual OS environment.
I’ve run into this confusion before when doing testing and had to have Kevin explain it to me.

Edit: Also, the drag and drop scan is not all inclusive. It’s strictly for a select number of variants that are redundantly submitted to the team. It’s an in house testing feature made to save time on analysis.
We really ought to pull it out of the public releases to prevent the confusion.

No, I haven’t used a VM, just a single computer with XP SP2. I don’t want to steal Kevin’s time if you can provide me the link to read his answer :). I understand, I really understand, and I didn’t use drag&drop a second time. I also understand that it’s a usual problem that a scanner can’t detect a file until it’s recognised by a definition, so I know that this is not a big problem:

  1. I just thought after reading - maybe too much, so I was confused - that BOClean can detect harmful code.
  2. these trojans are from 2003 and earlier, which is funny if you see that BOClean was shareware and no one could send in a sample for 4 years, eh…

BTW, Arkangyal,

I found the info I was looking for, on nsclean’s website. 278,000 + variants, and by “traditional” counting methods, 1.8 million due to technique used. Those are some big numbers…

LM

I really wonder how 278,000 comes out from 24,273 :THNK