Review of BOClean Anti-trojan
 


Since the time I created this site, the problem of malware infection has both escalated and changed in character. At the same time, anti-virus products have become much better at detecting trojans. As a result of these developments, I no longer recommend for most users the routine use of a separate anti-trojan program such as those listed below. I've left these now-dated reviews on this site for reference purposes only. Indeed, those faced with removing an existing trojan infection will find the trojan removal capabilities of some of these products useful, particularly the free version of Ewido (now known as AVG anti-spyware). For my latest security recommendations, check out the editorial column in the most recent issues of my newsletter. - Gizmo, May 2007.


BOClean is from the New York State-based Privacy Software Corporation, which has been producing security products since 1996. BOClean has developed a solid reputation in security circles. After using the product, we can confirm that this reputation is reasonably well deserved, though we must say that this product's lack of a file scanner is a serious concern.

Design

Most anti-trojan programs consist of a file scanner and an in-memory monitor. Not so with BOClean. The product consists of a memory monitor only - there is no scanner.

This approach may once have been appropriate but must be questioned given developments in trojan design.

Many of today's trojans attempt to pull down anti-trojan defenses mounted by the user. For example, one common trojan claims that it can disable any of 32 different anti-virus/anti-trojan monitors that may be running on the user's computer at the time the trojan is executed. And it's no idle boast - this trojan does have that ability. Watching it in action is an awesome experience.

The simple fact is that the best way to stop a trojan is never to let it be executed to start with. That's why a file scanner is so important. It allows you to detect and remove a trojan before it is executed and gets control of your computer.

BOClean not only has no scanner, the monitor itself is not well protected.  This surprised us as the web site states that "BOClean will protect itself from trojan horse tampering or shutdown, so there's no worry about being left unprotected. Most modern trojans will disable either your antivirus or firewall, or sometimes both. Not BOClean."  In fact we found BOClean can be quite easily terminated. Even Windows task manager can shut down both of BOClean's running processes quite easily.
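
Because both monitor processes can be terminated, a practical defensive check is to alert when they disappear and to list what started while they were gone. The following is an added example, not part of the original review or of BOClean: the two process names come from the review, while the snapshot format, the sample data and the function name `find_monitor_gaps` are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Process names are from the review; snapshot format and data are constructed.
MONITOR_PROCESSES = frozenset({"boclean.exe", "bosec.exe"})


@dataclass
class Gap:
    start: int                   # first snapshot with a monitor process missing
    end: Optional[int] = None    # first snapshot with all of them present again
    missing: set = field(default_factory=set)
    first_seen_unprotected: list = field(default_factory=list)


def find_monitor_gaps(snapshots, required=MONITOR_PROCESSES):
    """snapshots: time-ordered (timestamp, [process names]) pairs."""
    req = {r.lower() for r in required}
    gaps, current, prev = [], None, None
    for ts, names in snapshots:
        running = {n.lower() for n in names}
        missing = req - running
        # Processes absent from the previous snapshot, excluding the monitor.
        new = sorted(running - prev - req) if prev is not None else []
        if missing:
            if current is None:
                current = Gap(start=ts)
                gaps.append(current)
            current.missing |= missing
            for name in new:
                if name not in current.first_seen_unprotected:
                    current.first_seen_unprotected.append(name)
        elif current is not None:
            current.end = ts     # monitor is back: close the gap
            current = None
        prev = running
    return gaps


# Constructed snapshots, 10 seconds apart (the review's default scan interval).
SAMPLE = [
    (0, ["explorer.exe", "BOClean.EXE", "BOSEC.EXE"]),
    (10, ["explorer.exe", "BOClean.EXE", "BOSEC.EXE", "setup.exe"]),
    (20, ["explorer.exe", "setup.exe"]),
    (30, ["explorer.exe", "setup.exe", "newproc.exe"]),
    (40, ["explorer.exe", "BOClean.EXE", "BOSEC.EXE", "newproc.exe"]),
]

if __name__ == "__main__":
    for gap in find_monitor_gaps(SAMPLE):
        print(gap)
```

A gap whose `end` is still `None` means the monitor had not returned by the last snapshot, which is the case that most needs attention.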

That said, BOClean is still a capable monitor. Most memory monitors included with anti-trojan programs appear to have been tacked on to the scanner, almost as afterthoughts. However, BOClean was developed right from the start to be an in-memory monitor and it shows.

BOClean works by halting newly started processes and then unpacking and scanning the code before allowing execution to continue. This allows for the detection of trojans hidden inside complex packing schemes and gives BOClean a good chance of detecting polymorphic trojans as well.

Usage

Installing BOClean is simplicity itself, just double click on the installation files and within a few seconds it's all done.

After installation BOClean lets you know that you can run the program immediately or let it start automatically with Windows.

When you run the program for the first time you are reminded to update the signature file. If you don't do this manually, BOClean will, after a time, check for itself whether an update is available and ask if you want to download the update.

When BOClean is running a little icon appears in the notification section of your task bar. That signifies the program is now quietly watching everything that's going on in your computer and is waiting to pounce if necessary.

Double clicking the icon brings up a number of choices including configuration and updating. Clicking the update button results in a new signature file being fetched from the website. It worked well if a little slowly.

BOClean by default scans running processes every ten seconds. This can be varied from the options settings. Be aware that setting BOClean to check more often will require more processing and this may have an impact on your PC's performance. In testing, we used the default setting.

If BOClean detects a trojan a warning screen comes up that tells you that the trojan has been prevented from running and offers to delete the infected source file.




Performance

BOClean has no scanner so the scanner time tests could not be run.

The BOClean memory monitor creates two running processes: the first BOClean.EXE takes about 3.4MB memory and the second BOSEC.EXE takes about 2.5MB.

It's BOClean.EXE that does virtually all the work. From the graph below you can see that while the system (blue trace) is idling, BOClean (green trace) consumes virtually no processing resources except a short burst every ten seconds or so when the monitor scans running processes. Note that when a program is run (the hump in the blue graph) there is no increase in the BOClean monitor activities. That indicates that the program file is not being scanned for trojan signatures before execution.

When BOClean is running we couldn't perceive even the slightest decline in responsiveness of our test PC.  BOClean is a very resource efficient product, amongst the best of the products we tested. On a modern PC the only way you know it's there is from the presence of the task bar icon.

In previous years BOClean did reasonably well in our trojan detection tests. This year its performance was not as good, with only four trojans detected compared to nine for the two top performing programs. We suspect the product is starting to show its age. Indeed, there have been no program updates for more than a year. By way of comparison, in the same time period there have been four major program updates to Trojan Hunter.

A number of the other monitors in this review achieved the same or better results as BOClean. Given these products offer scanners as well, it is difficult to recommend BOClean.

Other Reviews

To our knowledge BOClean has only been reviewed twice and in both cases it received the highest rating, though this was a shared honor.  Don't be too overwhelmed with these results; one of the reviews allowed BOClean to be updated during the course of the review which is not exactly methodologically kosher. The other review was more qualitative than quantitative. 

Support

BOClean offers email support only. There is no support section on the web, not even a FAQ. Nor is there a help file provided with the product. In 2002, the email support was excellent. On the 3 occasions we tested it, we got same day answers to 2 questions and the third was responded to within 48 hours. In 2003 the support appears to have fallen off. Only one of our questions was responded to within 48 hours, another took three working days, the other five. In 2004, there was a marked improvement - we got responses to all three of our questions within 48 hours.

Summary

This is a simple to use, resource efficient product that offers a reasonable degree of protection. However, the lack of a disk file scanner is a serious product deficiency given the capacity of modern trojans to pull down monitors like BOClean. Newer products like Ewido offer monitors that perform just as well as BOClean plus a file scanner and do so at a lower cost.


Version tested: 4.11, current version 4.11

Price: $39.95

Download: No trial version available.

Trojans in database: 4239 as of the 26th of August, 2004

Website:  http://www.nsclean.com

Signature File Update frequency: weekly

 

