Since the time I created this site the problem of malware infection has both escalated and changed in character. At the same time anti-virus products have become much better at detecting trojans. As a result of these developments I no longer recommend for most users the routine use of a separate anti-trojan program such as those listed below. I've left these now-dated reviews on this site for reference purposes only. Indeed, those faced with removing an existing trojan infection will find the trojan removal capabilities of some of these products useful, particularly the free version of Ewido (now known as AVG anti-spyware). For my latest security recommendations check out the editorial column in the most recent issues of my newsletter. - Gizmo, May 2007.

The Cleaner, from Santa Fe based Moosoft Development LLC, started life as a product designed to combat the Back Orifice trojan. Since then it has been expanded and generalized and is today one of the most widely used anti-trojan products.

Design

The Cleaner consists of an on-demand file scanner combined with two monitors.

The first, TCActive!, is a process monitor designed to catch trojans when they run. For the most part, it sits in the background quietly doing its job as a watchdog. Apart from the small icon in the taskbar tray, you wouldn't know it was there. However, should a trojan start up, TCActive! intervenes to stop the intruder running and offers removal options to the user.

The second, TCMonitor, is another background monitor, though in this case it watches for changes in important registry keys and files. Any time one of these items is modified, TCMonitor sounds an alert. TCMonitor will tell you what it expected to see and what is really there. You can then choose to edit the data or leave it alone. TCMonitor can also disable JavaScript and VBScript if you choose to do so.
The use of two separate monitors, each looking for different signs of trojan activity, enhances the degree of protection provided, though at the cost of some additional memory usage.

The Cleaner provides a "stealth mode" option for its monitors. If enabled, this assigns a randomly generated name to the monitor processes and additionally hides the processes. It's a simple but quite effective way of making it difficult for aggressive trojans to pull down the monitors.

The on-demand scanner allows you to check files (or your whole hard drive) for trojans. It will optionally scan within a wide range of archive files including ZIP, ARJ, CAB, ACE and RAR. It will also (optionally) scan for hidden executables. According to Moosoft, the latter involves "an original process to uniquely identify files whereby they cannot hide by changing their name, reported file size or by hide by attaching themselves to other programs."

It's possible to set up The Cleaner to automatically scan your system. It's not a terribly sophisticated scheduler but quite sufficient for the job.

Usage

Installation is straightforward. On completion the user is presented with a simple wizard that offers a set of options including updating the trojan database online, immediately running the two background monitors and launching The Cleaner. By default the program automatically checks for updates, and these include updates to the actual program as well as the signature database.

When you fire up The Cleaner the first thing you see is the striking opening graphic. While unusual in layout, it provides an utterly clear set of options for the user. The only minus is that users will be tempted to immediately click on the scan option. This action immediately launches the scan operation. What users need to do first is click on the Options button so that the scan options can be set. Fortunately the default scan options are well chosen, so even a raw beginner could get good results straight out of the box.
Less fortunate are the default update arrangements. Unlike other products there is no simple update button. Updates must be set up using the Options button and then selecting the update tab. There the user is offered the option of updating the signature file each time The Cleaner starts. The problem is that this is turned off by default. This is surely an oversight, as unsophisticated users may never actually locate the option.

Another oddity is that you can't elect to scan individual files or even directories from within the scanner console. However, this option is available from the context menu in Windows Explorer. When you right-click a file or directory, a scanning option comes up.

If a trojan is detected during a scan, the action taken depends on the option set. The default is to quarantine the file. Other options are to delete, to report, or to ask the user what they want to do.

If the TCActive detects a change in the system registry, startup file or other monitored area, an alarm sounds and the user is offered the option of viewing/editing the changes or accepting them. Only guidance is offered by the help system and many users would be simply confused as to what to do.

Performance

Scanning speed was slow - the only slower program was TDS-3.

The two monitor programs between them consume quite a bit of memory; TCActive takes up 6.4MB and TCMonitor, 8.8MB.

From the graphs below you can see that TCActive (green trace) flicks momentarily into action every few seconds even when the system (blue trace) is idling. This presumably is when there is registry activity. When a program is loaded (hump in blue trace) there is more activity but not a great deal.

TCMonitor consumes even fewer resources. There is virtually no activity while the system is idling and only a small amount when a program is loaded.
From these graphs it is clear that both monitors consume hardly any CPU resources at all. This corresponds with our subjective observation that even with both monitors running, we could notice no reduction at all in the performance of our test PC.
In our trojan detection test The Cleaner detected 6 trojans, a performance that puts it in about the middle of the pack. This is consistent with our finding in previous years that The Cleaner is a capable anti-trojan but falls well short of the best products.

We ran the monitors in stealth mode and this works as advertised. We certainly couldn't detect the processes using Windows Task Manager. However, with a more sophisticated process viewer we were easily able to spot the randomly named processes and equally easily able to terminate them. Now could a trojan do the same? Well, it could, but it would require some complex coding to do so. Certainly stealthing provides a degree of protection, far better than having none at all.

Other Reviews

The Cleaner has had mixed reviews. In one (2) it came top of the pack, though the test was not very authoritative. In three others (3, 4, 5) it was middle ranked. In yet another (6), which was qualitatively oriented, it was rated last. In perhaps the most thorough review (1), The Cleaner fared poorly, the reviewer noting " ... its signature scanning was especially lackluster."

Support

The Cleaner has an inbuilt help system, although it's rather minimal in length and detail. Particularly poor were the so-called tutorials built into the help system. We found them so short as to be almost useless.

The website has a list of common support questions, though most seem to date from 2003. There is also a FAQ but it's mostly sales oriented. Far more useful is the online forum, which appears to be quite active.

Email support is also available. To test the support provided, we emailed three questions at different times to Moosoft. We got answers to each within 48 hours, which is an acceptable though hardly scintillating level of performance.

Summary

The Cleaner is an easy to use, multi-faceted anti-trojan with reasonable detection capabilities, though several notches below that of TDS-3, Trojan Hunter and Ewido.
Its slow scan speed may also be a problem for some users. The Cleaner is a mature, well supported product that is best suited to the average user operating in moderate risk environments.

Version tested: 4.1
Price: $49.95
Trojans in database: 18505 as at the 24th of August 2004.
Website: http://www.moosoft.com
Signature File Update frequency: "According to prevailing threat"