Links: Volcanoes

Review of BOClean Anti-trojan
BOClean is from the New York State based Privacy Software Corporation which has been producing security products since 1996. BOClean has developed a solid reputation in security circles. After using the product, we can confirm that this reputation is reasonably well deserved though we must say that this product's lack of a file scanner is a serious concern. Design Most anti-trojan programs usually consist of a file scanner and an in-memory monitor. Not so with BOClean. The product consists of a memory monitor only - there is no scanner. This approach may once have been appropriate once but must be questioned given developments in Trojan design. Many of today's trojans attempt to pull down anti-trojan defenses mounted by the user. For example, one common trojan claims that it can disable any of 32 different anti-virus/anti-trojan monitors that may be running on the user's computer at the time the trojan is executed. And it's no idle boast - this trojan does have that ability. Watching it in action is an awesome experience. The simple fact is that the best way to stop a trojan is never to let it be executed to start with. That's why a file scanner is so important. It allows you to detect and remove a trojan before it is executed and gets control of your computer. BOClean not only has no scanner, the monitor itself is not well protected. This surprised us as the web site states that "BOClean will protect itself from trojan horse tampering or shutdown, so there's no worry about being left unprotected. Most modern trojans will disable either your antivirus or firewall, or sometimes both. Not BOClean." In fact we found BOClean can be quite easily terminated. Even Windows task manager can shut down both of BOClean's running processes quite easily. That said, BoClean is still an capable monitor. Most memory monitors included with anti-trojan programs appear to have been tacked on to the scanner, almost as afterthoughts. However BoClean was developed right from the start to be an in-memory monitor and it shows. BOClean works by halting newly started newly started processes and then unpacking and scanning the code before allowing execution to continue. This allows the for the detection of trojans hidden inside complex packing schemes and gives BOClean a good chance of detecting polymorphic trojans as well. Usage Installing BOClean is simplicity itself, just double click on the installation files and within a few seconds it's all done. After installation BOClean lets you know that you can run the program immediately or let it start automatically with Windows. When you run the program for the first time you are reminded to update the signature file If you don't do this manually BOClean will after a time check itself if an update is available and ask if you want to download the update. When BOClean is running a little icon appears in the notification section of your task bar. That signifies the program is now quietly watching everything that's going on in your computer and is waiting to pounce if necessary. Double clicking the icon brings up a number of choices including configuration and updating. Clicking the update button results in a new signature file being fetched from the website. It worked well if a little slowly. BOClean by default scans running processes every ten seconds. This can be varied from the options settings. Be aware that setting BOClean to check more often will requires more processing and this may have an impact on your PC's performance. In testing, we used the default setting. If BOClean detects a trojan a warning screen comes up that tells you that the trojan has been prevented from running and offers to delete the infected source file.