Security for Home and SOHO Computer Users
Trojan Detection/Removal Report - Lockdown

For your browsing safety, we strongly recommend: turning off javascript and cookies.
Don't accept Java, ActiveX controls or VBS scripts.

User Report experienced and written by Mike


Background:

After reading about Lockdown Millennium in a forum, where the poster said on May 14, 2001, "Lockdown held up to what it says, even with the sig files renamed and moved out the directory, hence rendered them useless! Its heiratical (sic) scanning and process monitoring done (sic) exactly what it was claimed to do. Even caught our undetected sub7 2.2 server running.", I just had to try it. I am a BOClean user. BOClean is a single purpose application which does one thing - trojan detection and removal. It does it exceptionally well!

After researching the subject, which I always do, on the net, I found a lot of "fer and agin". So, an objective test was in order.

Lockdown Millennium version 8.1.6 is a suite of program modules of which trojan detection/removal is one.

It has two modes - simple and advanced. Advanced mode gives you access to all modules.

The program has a trojan scanner/detector; a module which shows you all your Startup programs; applications with server capability; hidden file extensions (like .shs); file and registry monitors; a port monitor; shares monitor; connections monitor; lists active processes; and has a set of network utility programs. One aspect I like is the encrypted ini files.

When the program starts up, any process capable of being a server is identified. You can authorize the server, or kill it right then and there. This is my favorite utility. It even identifies explorer.exe (I wouldn't kill this one though).

Lockdown Corp also make another product called Lockdown Millennium Pro, which has all the capability of Lockdown Millennium - as well as a suite of programs including: a VBS interceptor; a web monitor; a file monitor (extensive!); a cookie monitor; a net monitor - all as separate programs. This suite of programs can be individually launched automatically with Windows, or from a convenient tray launch menu.

Lockdown Millennium does many things but two of its many modules are covered here. They are trojan scanning and monitoring startup and registry run items.

The system used for the trojan scan/remove test is Win98, with the following installed:

GoBack 3.0
McAfee Anti-virus installed with latest virus/trojan dat file
Two firewalls - (no trojan got as far as the firewalls)
Lockdown Millennium Version 8.1.6

Ten trojans were used for the test.

Aladino.zip
Bla5.03.zip
Buschtrommel Beta 2.zip
GT Bot ScourExchange.zip
pitfallv21.zip
slackbot-1.0.1b.zip
sub7defcon.zip
Unicorn.zip
Voodoodoll.zip
Windowsmite1.0.zip

The system was freshly booted and the first trojan unzipped and executed.

Before I go on, I'll say now that the anti-virus program was also running in the background. It missed one trojan:
    Slackbot - a Denial of Service bot using IRC
For the purposes of this test, the trojans picked up by the anti-virus program were allowed to be extracted from the zip files and run.

The first trojan I happened to pick was Windows Mite. Nasty fellow, it replaced Scanregw.exe, and the next time the system was booted the infected Scanregw (which put the system into 16-bit compatibility mode) was caught by the anti-virus program. Now sometimes neither an anti-virus program nor trojan cleaner can repair or replace a file that was replaced by a trojan. They can get rid of registry entries and the program, but what of a replaced file? It will have to be restored either from a backup or your Win CD. Backing up critical files would be a good thing to do, before the damage is done. Click here for my suggested list of files, yours may be different of course.
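The backup advice above, as an added example that is not part of the original report: a small Python baseline that copies a list of critical files, records their SHA-256 hashes, later flags any file that was replaced or removed, and restores it from the verified copy. The function names, the backup layout and the stand-in file in `demo()` are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    # Hash in chunks so large binaries do not need to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(files, backup_dir):
    # Copy each file into backup_dir, named by its hash, and return a manifest.
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in files:
        h = sha256_of(f)
        shutil.copy2(f, backup_dir / h)
        manifest[str(f)] = h
    return manifest

def verify(manifest):
    # Classify every baselined file as ok, changed or missing.
    result = {}
    for name, expected in manifest.items():
        if not Path(name).is_file():
            result[name] = "missing"
        else:
            result[name] = "ok" if sha256_of(name) == expected else "changed"
    return result

def restore(manifest, backup_dir):
    # Put back every file that is not ok; refuse a backup that fails its hash.
    restored = []
    for name, status in verify(manifest).items():
        if status == "ok":
            continue
        copy = Path(backup_dir) / manifest[name]
        if sha256_of(copy) != manifest[name]:
            raise ValueError(f"backup for {name} failed its own hash check")
        shutil.copy2(copy, name)
        restored.append(name)
    return restored

def demo():
    # Constructed run: a stand-in file is replaced, detected, then restored.
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "scanregw.exe"  # constructed stand-in, not the real file
        target.write_bytes(b"original contents")
        manifest = snapshot([target], Path(tmp) / "backup")
        target.write_bytes(b"replaced contents")  # simulates the replacement
        before = verify(manifest)[str(target)]
        restore(manifest, Path(tmp) / "backup")
        return before, verify(manifest)[str(target)]
```

Keep the backup directory and the manifest on removable or read-only media, so that whatever replaces a system file cannot also rewrite the baseline.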

The rest of the trojan zips were installed one at a time and one caused the problem of not being able to run any program - program execution was denied. Another one was very persistent (Bla).

All ten test trojans were caught by Lockdown Millennium.

All trojans were caught either trying to change registry keys, or running as a server (or both), and all were identified as trojans (to be deleted at the user's discretion).

LD caught its own change to Autoexec.bat (added LDClean.bat items to first 2 lines). This addition to autoexec.bat was necessary to finish getting rid of one of the trojans. A restart was then necessary.

The anti-virus program missed one, but then it is mainly an anti-virus program, with anti-trojan thrown in. It has caught every virus program or attachment I've received.

GoBack was used to revert the system after trials were finished.

Lockdown Millennium got them all - notifying me of registry changes, server additions and trojan identities, and deleting the trojans.

Summing up, I like the features - the modules. Some people will like one or two modules over the rest. I have my favorites. Other than the Trojan scanner module, the Generics module tops my list.

PS:
Moral: use an Anti-Virus program - AND - a competent trojan detector/remover!



 

All rights reserved. IBO Business.com  This page was last updated on 11/12/04.