Personal Firewall Test:
Trojan Scanners and Other Protection Mechanisms

By Seán Boran


January 26, 2001 - This article is part of a series of tests on Personal Firewalls/Intrusion Detection Systems. Refer to [1] for an introduction to personal firewalls, risks, tips on "hardening" your Windows even without a firewall, a feature comparison and a summary of analyses.

This report focuses on products complementary to personal firewalls.

  1. Trojan Scanners/protection: Tauscan, WormGuard, Lockdown 2000, The Cleaner, TFAK

  2. Integrity Checkers: tests of Tripwire and other tools will be reported on soon.

  3. Other Tools: Netlab

January 26th 2001 update:
  • Table of contents
  • Move ICS to main article
  • Improve introduction
  • Add The Cleaner

Ideally antivirus tools would be able to recognize and protect against Trojans as they do viruses. However, the proliferation of Trojan-specific tools shows that AV products don't yet recognize as many Trojans as they should, so in a very hostile environment (e.g., certain IRC channels), you may wish to consider some of the following products in addition to a personal firewall.

Few tests have been carried out on these products. They are listed for reference purposes, to complement the personal firewall analyses.


Trojan Scanners/Protection


Tauscan

Tauscan [3] removes Trojans from the registry without deleting files that the system needs to operate, even if those files may have been altered by the Trojan. Its sister program, Jammer, is a registry monitor and has an excellent Netstat and DNS feature. It can also generate a very official-looking mail to send to an abuser's provider, explaining the type of attack with relevant information. If someone does get past ZoneAlarm, Jammer will pick up their scanning activity and notify the user of the attack. Both programs work with any antivirus or security software, and are simple to set up and use. Tauscan and Jammer cost $39 and are available from Agnitum.


WormGuard

WormGuard [3] (also called Trojan Defence Suite), from Diamond Computer Systems in Australia, is a bit different:


Lockdown 2000

Lockdown 2000 [3], $99, scans, detects and removes Trojans.
There are reviews available from other sources:
http://www.webattack.com/reviews/lockdown_rv.shtml

The Cleaner

MooSoft's "The Cleaner [3]," recommended by several readers, is another tool which scans the local drives for Trojans.

Features include:
  • Huge database (over 1800 entries), constantly updated
  • Fast scanning engine (~222,000 trojans/sec)
  • Inspects ZIP, RAR, ARJ, ACE and CAB archives
  • Finds stealth trojans using FileSpect technology
  • TCActive! stops trojans before they can activate
  • Interactive trojan database browser
  • Install and uninstall
  • No conflicts with any programs

Operating systems supported: Windows 95, 98, ME, NT4 Workstation/Server, Windows 2000 Pro/Server

Cost: $29.95 after the 30-day trial period.

A quick test showed no stability problems. Scanning of 75GB did take a few hours, though.


TFAK

TFAK [3] is a free program to detect up to 366 types of Trojans. It worries me that it was developed by a hacker, and that the source code is not available. It was not very stable either, pegging CPU usage at 100%. I recommend you avoid this tool completely.

Other Tools

Netlab [4] is a free program that offers a comfortable interface for finger, whois, daytime, ping, traceroute, clock synchronization, DNS lookup and a network scanner. (Tested on NT4, useful.)


References

  1. Personal Firewalls/Intrusion Detection Systems (The base reference for this article.)
    pf_main20001023.html
  2. Netlab
    http://www.adanil.com/NetLab
  3. Tools complementary to personal firewalls
  4. Toy Box (a collection of tools that may help clean a system possessed by Trojans)
    home.earthlink.net/~rmbox/Reticulated/Toys.html

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

Changes to this article

07.Nov.00 Delete section on Firewalls not tested (move to main article)
21.Nov.00 TFAK warning.
25.Jan.01 move ICS to main article, add Cleaner

© Copyright 2000, Seán Boran, All Rights Reserved     Last Update: 10 October, 2001