Our QA team at Comodo has discovered a buffer overflow vulnerability in ALL existing versions of BOClean which can possibly be exploited. Therefore we have brought out this version. Please upgrade your copies to this one if you have not already done so.
To install BOClean for the first time, all you need to do is run the CBO_Setup_4.25.exe file you downloaded. If you're REPLACING an existing version of BOClean, then you'll want to first double-click the traybar icon and click "Shutdown BOClean" on the button menu which appears. Then UNINSTALL the earlier BOClean from the BOClean program group on the start menu, or from the Windows control panel's "add/remove programs." BOClean should appear on the list. If your previous BOClean cannot be uninstalled, then go ahead and install the 4.25 version, then UNINSTALL it, and then finally install it again.
Once BOSETUP is finished, you can activate BOClean immediately from the program group on your screen without the need to reboot, or you may reboot and it will start automatically. BOClean version 4.25 is designed to install itself automatically as a traybar icon. If the Setup Program is used to install BOClean, it will be configured for you already. If you double-click on the traybar icon, you can perform additional configuration adjustments if you wish to, as described below in the "Configuring BOClean" section.
Our trojan databases are updated whenever new trojans are encountered. This is pretty much DAILY, on occasion multiple times a day. We expect you to set BOClean to collect them automatically so if you want to do so manually, you may want to bookmark the Covered Malware page and check it frequently. BOClean will ALSO warn you if you need a free VERSION upgrade.
Prior to version 4.10 of BOClean, you needed to manually download and install these routine updates. Since this is still possible, instructions to continue to do the manual updating can be found below. In BOClean's Configuration screen are options with respect to the auto-update features of BOClean. Further detail can be found in "Configuring BOClean" below. BOClean by default will now automatically come to our FTP site and automatically download and then install the update if there is one. If you're not online, or you already have the latest update, you will receive a message and the auto-update screen will disappear. If you've selected the "silent" update option, then BOClean will not disturb you about this, and the screen shown above will NOT appear. BOClean will just grab the update and leave you alone. This option can be set in BOClean's configuration screen.
A MANUAL update can be performed by double-clicking on BOClean's traybar icon at any time and when the button bar appears, click on the button marked "Check for update" ... BOClean's updater screen will appear and notify you as to whether or not there is an update. If you prefer to update manually, or you have difficulty performing the auto-update as a result of your firewall or other security software blocking BOClean's access to our FTP site, then a manual update can be done by ftp download from ftp://nsdownloads.comodo.com/pub/boc425.xvu and then moving the file to the location specified in the BOClean configuration screen. The manual update and the automatic update are the same at all times.
Once you have downloaded the BOClean update file from our site, BOClean will handle the proper location automatically. Once the update has been run, the box will close by itself. BOClean will then load, authenticate, and then APPLY the update. The top of the screen should then show the date and time of the latest update (which will always be "today" or "yesterday"). Select "Exit this menu" once you're done. That's it!
Installation problem: "Failure while copying (file) to (file)"
If you received a ZIP file, you need to move to the folder in which the zip was saved and run BOSETUP from that location. If this problem occurs, it's because Windows is not trying to copy FROM the proper folder where the files are located and thus cannot find them. When doing an install from a network drive, it's best to use a "command prompt" (or DOS) to actually MOVE to that drive and folder, and then invoke BOSETUP.EXE from there.
After installation, BOClean runs 100% CPU
We saw this occur in beta as well as a few times with 4.12 and earlier releases. We never did find out what caused it, but it was an oddity on a handful of XP and Win2000 systems (probably due to another security program running while BOClean was originally installed). If this happens, hit ctrl-alt-del to bring up the task manager and check to see if there are TWO BOC425 processes running. If so, stop both and UNINSTALL BOClean. Then reinstall it. This always solved the problem when this occurred.
Please note that it is normal for BOClean to run at near 100% CPU when it is first started, as well as after opening and closing the menu button bar. This typically occurs for anywhere from a few seconds to almost a half minute while BOClean is re-examining ALL memory, processes and startups. During this time, the traybar icon will have a blue color before settling back to its normal black with regular ten second interval green flashes. Once the icon turns black, CPU should be near zero usage with an occasional 4% or so spike when the icon flashes. "Stuck at 100" usually indicates that two copies of BOClean are running and fighting one another.
BOClean runs 100% CPU on LIMITED accounts, OK for administrator OR when limited login occurs first, administrator's BOClean hits 100%
The problem here turns out to be a bug in Windows 2000 and Windows XP permissions as a result of one of their past "security updates" that caused a strange anomaly. In all earlier versions of Windows, the ability to "load and unload kernel drivers" was not granted to "limited user accounts." When a limited account logged in, it was not possible to load or unload a kernel driver. When any such attempt was made, the calling program was returned an "access denied" by the operating system and the driver never started.
Somehow this "expected behavior" has changed and now when a limited user logs in, the kernel driver *IS* loaded and started regardless of permissions; however, notification to the caller of the kernel driver loader does not occur. Neither "success" nor "failure" is returned and BOClean was seeing its kernel driver and waiting for an acknowledgement from Windows that it had indeed loaded and was sent into a "wait loop" for a notification that never came. In other words, BOClean had one of its threads held in limbo. This was the cause of the "100% CPU." We fixed it by not waiting for system return at all and now just check to see if the driver is running or not by ourselves. Please note that the "100% CPU" problem is also associated with a noticeable "slowdown" from BOClean 4.12 upon upgrading ... SAME issue!
Cannot get BOClean to update on "limited user accounts"
This is strictly the result of restrictions which Microsoft has introduced over numerous "service packs" and bandaids for Win2000 and XP. The solution requires granting "modify" and "write" permissions to the limited user(s) for the BOC425 BOClean folder. This will ONLY work with BOClean 4.25 or later ... This is how to modify the permissions to allow BOClean to be updated while a limited user is online:
First of all you need to be logged in as an Administrator in Windows XP, this is CRITICAL! "Limited users" and Microsoft's failure to provide a single "common" point for file writes is the problem here. By MICROSOFT'S choice, "limited users" do NOT have the necessary permissions to update BOClean. THEIR choice, not ours! However, there IS a way around this!
Use the "search" feature to locate a FOLDER called BOC425. When you search, a number of "BOC425" items will likely appear, only ONE of them is a FOLDER. It SHOULD appear somewhere under an "All users" folder. Once the icon for BOC425's FOLDER appears in the search window, RIGHT click on the FOLDER icon and select "Properties." Can you SEE the security tab?
If you are running Windows XP PRO and cannot see the SECURITY tab, then you need to enable it, which is done by going to Tools->Folder Options on most any open window. On the View tab click the Advanced Settings box; towards the bottom of the list that appears should be an entry "Use simple file sharing [Recommended]", you need to CLEAR the check box. You do NOT want to use simple file sharing. Click OK to close all the windows and follow the instructions above to alter the write permissions. All permissions are inherited from a master template, so doing this for just BOClean does NOT expose you to a security hazard, and in fact gives you FAR greater control over security by being able to make specific folders even more secure than Microsoft's "defaults." As Martha Stewart used to say, "this is a GOOD thing!" Any newly created items will still inherit the highly limited "limited user" settings regardless of this change.
If you're running XP HOME, Simple File Sharing is enforced by default and cannot be disabled. You must boot the computer into Safe Mode and log in with the Administrator account, in order to see the Security tab.
You need to alter the settings on this tab to change the permissions of the BOC425 folder, which should be self-explanatory (just click the box stating that you wish write permission and modify permission to be enabled for the SPECIFIC user(s) you are interested in).
Check the boxes marked "Write" and "Modify" for the BOC425 folder so that it can be updated by "limited users" or whoever happens to be online when an update is available. "Modify" should also enable "write" but if not, check that box as well. This change will ONLY affect the BOC425 folder wherein the BOC425.XVU update exists. No other folders will have their security settings changed. Once this is done, then any "limited user" will be able to collect BOClean updates and place the update where it's available to all.
NOTE: If you uninstall BOClean and RE-install BOClean, these special permissions will be wiped out by Windows. You will need to go back and provide these permissions again ANY time that the BOC425 folder is removed for whatever reason, and then restored. "Modify" and "write" permissions will not be available for updates or exclusions until those permissions exist in the "new" folder.
Program hangs or system crashes
Windows98 and WindowsME (to a much lesser extent) are built on the original Windows95 technology. While Windows95 and WindowsME are QUITE stable, the same cannot be said for Windows98 after years of Microsoft patches and upgrades to its functionality. Windows98 has SERIOUS memory management problems, made all the worse by upgrades from the original Internet Explorer 4.0 which it shipped with as well as its current "OBSOLETE" status by Microsoft. Microsoft is not interested in fixing memory management problems in Win98 since problems only result in sales of newer versions.
Add to this original instability, many programs optimized to run on Windows 2000 and XP at the EXPENSE of Windows98 compatibility can become QUITE unstable with commonly used programs NOT designed SPECIFICALLY for Windows98 and its various "issues" as Microsoft prefers to call "bugs." Because BOClean requires the use of DEEP memory scans, already unstable and poorly behaved programs, including those from the largest, well known software companies could "wedge" ... past versions of BOClean would end up with a locked RED or BLUE icon on the traybar and the entire system itself could wedge under Windows98. Any lockups which occur are the result of bad memory management in Windows or badly written software which is incompatible with Windows98 in particular. These problems do NOT occur with WinME, Win2000 or XP as was determined by over a year of experience with BOClean 4.11. We did not see this problem in BOClean 4.12 through to 4.24 thus we don't expect to see it in BOClean 4.25 either.
SOME programs are SO unstable under Windows98 (especially "internet software") that it may be necessary to EXCLUDE programs from BOClean's deep memory scanning. As a result of this possibility for a FEW potentially affected users, BOClean provides an EXCLUDE screen where you can drag and drop programs into this screen, and BOClean will be advised NOT to detect it as a trojan, and to be VERY cautious in analyzing it, making sure to clear memory before entering into a deep scan if necessary. A deep scan will be performed on excluded programs ONLY if it appears they've changed, have been tampered with, or have been "injected."
If BOClean should "wedge" along with your machine, SIMPLY TURN THE POWER OFF! You WILL receive that "you've been naughty" message from Microsoft about "shutting down properly" and will need to suffer a disk scanning in all likelihood.
Start the BOClean Excluder from BOClean's configuration screen. There's a button on the bottom marked "EXCLUDES" that will make this same screen appear. To exclude a program, open the Excluder screen first. Then run the Windows FILE EXPLORER, or select "My computer" on newer machines. Navigate down to the folder containing the program's main file, and then DRAG its icon with your mouse (hold left button down on top of icon, KEEP left mouse button down, drag the icon from there and then move it to BOClean's excluder. Let GO of the left button once you've dragged the icon to the excluder) ... The Excluder will take a few seconds to analyze the file, and then the icon from that program (and its title) should appear in the Excluder screen.
Since many troublesome programs are started from a DESKTOP shortcut, BOClean's Excluder will ALSO permit you to drag a shortcut from the desktop or a shortcut from elsewhere to the Excluder screen and will figure out where the actual program is and add it automatically. In this situation, it is not necessary to find the program. If the Excluder can't, then you will need to use the find/search feature on the start menu to locate the program, then you can drag the icon from THAT to BOClean's excluder. Excluded programs will be treated ever so gingerly by BOClean once excluded.
Once you have installed BOClean, it will appear on your Windows system traybar, near your clock. Unless you wish to customize, no further action is required. BOClean will run in the background automatically, monitoring your system for anything which attempts to startup and run which manages to slip past your various "file scanners." The reason why BOClean does not do "file scans" is that most backdoor trojan horses elude file scanning entirely. The majority of "backdoor compromises" involve FAMILIAR trojans which have been "encrypted," "repacked," "patched," "hex edited" or otherwise modified to obscure them from "pattern matches." This is HOW they sneak by antiviruses and "malware/trojan/spyware scanners." File scanning IS the province of traditional anti-malware software and we consider it ineffective in the "real world." BOClean does not waste time duplicating a systemwide file scan which is what your antivirus is expected to do, and already has done. If it gets past THOSE, then BOClean stands at the ready.
Many antiviruses do well and detect about 90% of trojans in the wild. It's the other 10% which are modified that is the major concern, and known trojans can be easily configured to elude file scans even when they're "known." BOClean doesn't bother. Once they're unpacked or decrypted and go to run, they must shed their "cloaking" and this is where BOClean comes to the rescue. Instantly.
If a nasty gets past your antivirus' file scanning or your firewall, (most modern trojans kill antiviruses and firewalls as their FIRST act of invasion) response to any startup is instantaneous. BOClean also performs a "recalibration" every ten seconds which examines registry and system components to ensure that nothing has changed since its last calibration cycle in order to prevent against injections into already running programs. Response to a startup is instantaneous and is not subject to a "ten second wait" for recalibration. This function merely provides another layer of examination in addition to instantaneous detection of a fresh startup.
A blue or green colored "flick" of the traybar icon will be noted when BOClean does this recalibration every ten seconds. The icon's black vacuum cleaner will turn BLUE when memory is being examined in connection with a program starting, it will flick green when it's doing a routine examination of the registry during a recalibration. Formerly, BOClean would flick RED during the recalibration cycle which confused people, causing them to think a trojan had been caught, or worse, MISSED. As of BOClean 4.12, you will ONLY see the icon turn "blood red" IF a trojan has been caught and an alert is being triggered OR if you open the configuration screen or button bar, during which time BOClean goes "quiet" and you're unprotected. It will REMAIN red until all cleanup has completed, or when you close the button bar, whereupon BOClean will start its examination cycle again with the icon being blue until it has REscanned ALL memory and recalibrated itself.
You will also see the icon turn blue and remain blue at startup or when BOClean has been stopped for configuration and the menu is closed when you're done with the button bar and configuration screen. Disk activity will be furious as well as BOClean examines not only memory, but all of the files and associated system libraries associated with each process, task, or device driver. This may take a while depending on how many items are currently running on your machine at startup time. BOClean will examine every detail at startup, and this may take some time. BOClean is designed to yield to other tasks with higher priorities, so don't be surprised if the icon remains blue for a decent period of time at startup or "start from zero" recalibrations. This is NORMAL. At any interruption of BOClean, it will discard its internal list of already examined items and start from scratch with a blue icon color. It will REMAIN blue until BOClean has finished all examinations, whereupon it will revert to its green flick every ten seconds when the system is examined and remains "quiet." BOClean will immediately respond as soon as a trojan prepares to actually start running. If BOClean remains quiet, all is well.
If a "trojan horse" or other malware is present on your machine, BOClean will shut it down FIRST, then you'll receive a warning box and you will be prompted by BOClean asking if you want to remove the offending file and clean up its remains. If you are running BOClean in regular standalone mode, you will be able to hit YES to perform a safe cleanup, or you can hit the NO button to delay cleanup if there is some valid reason. If you hit the YES button, the trojan horse will be removed from your hard disk and the windows registry. There is NO NEED to disconnect from the internet or your network and a reboot is not necessary either. In the RARE situation where you are using a remote control trojan horse or other known malware and INTEND to be using it, you can use the BOClean EXCLUDE screen as described later to tell BOClean to IGNORE any nasties you INTEND to use for whatever purposes. You can ALSO use the Excluder to tell BOClean to be gentle on any poorly behaved programs from other vendors that make the machine crash. See below.
If a program or the desktop itself has been infected by a memory "injection" into another program, BOClean may shut down a legitimate program which is infected, or may reset your desktop, causing it to go blank and then reappear. This permits BOClean to destroy the injection. Under the most EXTREME circumstances, BOClean might even force a system reboot. Only a small handful of trojans are so severe as to require this drastic a step, but in such a situation, BOClean is "smart" enough to know when such a drastic step is required and will do so if absolutely necessary in the rare event that a nasty cannot be stopped by any other means.
BOClean automatically stops the trojan prior to alerting so it's merely a question as to whether you want the remains removed. Once the trojan horse has been removed, you can continue on your merry way without concern! If you've opted for BOClean to generate a report, the incident which resulted in the alert will enter the terse details of what was caught, where and what was done about it to an ongoing report, along with time and date stamp for the incident. The reports are intended to be very brief and terse in order to conserve disk space and will ONLY contain reports of trojan captures and elimination. BOClean will NOT fill the log with various "I was here" messages. By default, the report generation is enabled. You're invited to turn it off in BOClean's configuration screen if you wish to conserve disk space.
Be aware that there are configuration options which will modify the default behavior of BOClean. If your machine is on a corporate or other network environment, the configuration may have been selected by your system administrator and it is possible that you may be denied access to the configuration menu of BOClean as a result of a lockout designed into BOClean. There are several layers of lockout possible and anyone wishing to use them should contact support@comodo.com for details on proper use.
To access BOClean's operations menu, simply double click the left mouse button on the BOClean traybar icon (or RIGHT click once) and you will be presented with the seven options shown above. At the top of the screen is the BOClean version you're running, and below that is displayed the time and date of the latest BOClean update you have. Since this will change almost every day, "updated every day" is substituted for the date in this graphic. It should reflect a date and time within a day or two of "today" or you may need to manually check for a BOClean update. If you choose the default "automatic" update, this should change by itself after BOClean has automatically connected to our site and collected your update FOR you. This is just one more "set and forget" convenience in BOClean's design.
If you select the top button marked "Shutdown BOClean," BOClean will instantly close and be removed from the traybar icon. This item is offered in case you run into any problems with BOClean or wish to start it up again. Shutting down the program will leave you without any protection and therefore is not recommended.
The second button is marked "Configure BOClean." If you are running BOClean in standalone mode, this will bring up the configuration dialog described in the next section. If you are in a network environment and the system administrator has chosen to exercise the "Prevent any changes" option in the configuration, you will receive a "permission denied" message and will be refused access to the configuration menu.
The third button marked "Check for update" will launch the "BOC4UPD" module of BOClean to allow you to perform a MANUAL update of BOClean. BOClean provides AUTOMATIC updates, but some people have expressed a desire to allow BOClean updates to be MANUALLY performed and don't like "Automatic updates." If you've decided to turn off "Automatically update BOClean" in the configuration screen, pressing THIS button will allow you to MANUALLY download a BOClean update database from our site yourself. When selected, if you are online, BOClean will check our site for an update and if one is available, will download and install it automatically to the location specified in the BOClean configuration settings. It will automatically validate, verify and install without any action on your part. If no update is available since the last one, you will be told that there's no new update to collect at this time and the updater will exit and re-verify your existing update. If you are using a firewall, you will be alerted to the BOClean update module trying to access the internet via FTP (port 21 on the other end) to perform the update. If your firewall blocks the BOClean updater, then an automatic update will not be possible until your firewall is properly configured, and you may need to do it manually. If you encounter problems updating, contact your firewall vendor for assistance in allowing BOClean to perform its autoupdate. We use "PASSIVE FTP" on PORT 21.
The fourth button allows you to import a newly installed update into BOClean without the need to shut down BOClean or reboot the system to accept a new update. BOClean will authenticate the update and will then change the date on the panel to reflect the new update if it passes inspection. It is marked "Reload/test update" but can also be used to import a manually downloaded BOClean update if you choose to collect yours the way you did in the past, as well as to allow you to have BOClean check its current update to ensure that it hasn't been tampered with. This button is unlikely to be used, but it is provided "because it's always been there."
The fifth button allows you to examine a list of malwares which are contained in your present BOC425.XVU malware data file. The list will also remind you where to obtain update files. We STRONGLY recommend that you visit our site at least twice a week, though we have been updating the antimalware data file just about once every day for QUITE some time now. The top of the BOClean selector menu contains the date and time when the antimalware datafile you are currently using was created. We STRONGLY URGE you to use BOClean's automatic updating feature so you won't have to worry about this, and so BOClean can be kept up to date with the very latest database. Once upon a time, updates were rare. With all the nastiness ongoing lately, don't let BOClean get out of date. That's why the automatic update feature has existed for a couple of versions now.
The sixth button will allow you to read any reports generated by BOClean. There will be no report to view until BOClean has been triggered into evaluation mode or has found a malware infestation. If you have not had a malware event, the file will not exist and when you select this item, you will receive an error message about Notepad not being able to find the report file. This is normal and the proper response is not to create one. Reports, where they exist, will have a separate date and time-stamped entry for each event describing what was found and what was done about it. You'll be asked after each viewing if you wish to delete the cumulative report or let it continue to accumulate.
The seventh button will bring up the BOClean Excluder screen which is used to exclude programs which result in false alarms in BOClean's heuristics, or more significantly provides the ability to EXCLUDE programs from BOClean's "deep memory scans" which are unstable, poorly written and tend to cause crashes, particularly in Windows98. See below in the "In case of difficulties" section where we explain how to use the Excluder.
The bottom button allows you to close the menu button bar. In previous versions of BOClean, the menu bar would automatically go away on certain functions. You must now click on this button to close the menu and restore BOClean to operation.
You will note a bar on top which tells you which version of BOClean you have installed. If you grab ahold of the top of this button menu, you can drag it and relocate this popup menu ANYWHERE YOU WISH on your screen and it will remember where you placed it and will pop up in that location until you move it somewhere else. This will allow you to move the menu button bar out of the way should you need to as it's designed to always remain on top of any other windows and might block a window behind it from view. In addition, each of the EDGES of the button bar display can be "grabbed" with the mouse and RESHAPED should part of the menu be obscured or missing. Simply drag it up, down, left or right until the screen is "neat" given varying screen sizes and the foibles of Windows XP miscalculations of actual display sizing.
Autoupdate Options grouping
A NEW section marked "AUTOUPDATE OPTIONS" as of BOClean 4.12 provides control over the autoupdate feature as well as allows you to set the location for the BOC425.XVU database update file. The installation of BOClean will automatically pre-select the smartest options for your machine and situation by default. It's recommended that you don't change them unless you have a need to. If you wish to change the defaults, please read the possible repercussions below before doing so!
The first item at the top left of the dialog is the option to "Automatically start BOClean at bootup." This checkbox controls auto-startup of BOClean from the registry. When this box is checked, BOClean will start when your system does. This mode is HIGHLY recommended to ensure that BOClean is watching your system from startup when any latent nasties sitting on your hard disk are likely to be started. Many nasties can be downloaded and never triggered when first dropped on your system. Since BOClean is NOT a "file scanner," it will not notice nasties UNLESS they actually try to RUN - this is the point where you're most vulnerable, so it's a good idea to leave this checked. This checkbox also has another useful nature - some "registry cleaners" might remove BOClean's autostart and should that be the case, when you run BOClean manually, UNcheck this box, then recheck it again and it will repair the autostart if necessary without having to reinstall BOClean to get the startup back.
On the top RIGHT, a checkbox marked "Automatically update BOClean as below" is provided. If this box is CHECKED, then BOClean will silently check for updates and apply them if an update exists that you don't already have. If UNCHECKED, then BOClean will pop up a box indicating "Update is available, update now?" with a YES or NO option. The update will wait until you decide. This option is provided to allow people to set BOClean to pop up an "Update available" warning so as to not cause nervousness about internet activity should BOClean be silently updating. HOWEVER, there can be a downside to NOT having this checkbox checked - your firewall or system may time out and when you click YES to collect the update, the update may FAIL. Therefore we recommend that you opt for the automatic update by leaving this checkbox checked in order to assure you that BOClean is ALWAYS up to date. If you turn this off, then you will need to remember to do manual updates on your own. YOUR choice.
The MIDDLE box allows you to configure BOClean's autoupdate feature as you wish. If this box is CHECKED, then autoupdating of BOClean will occur automatically. If it is NOT checked, this entire line and its contents will be grayed out to remind you that you've turned it OFF. The "Automatically update" box in the upper right will ALSO be grayed out as this checkbox is the "master control" for automatic updating. If unchecked, then BOClean will neither autoupdate nor will it check for updates.
You can select how often BOClean checks for an update - the DEFAULTS are check every 24 hours, starting 4 minutes after bootup. You can adjust these settings to a minimum update check of every 6 hours to a maximum of every 48 hours. The time lapse between system startup can be adjusted between 2 minutes and 60 minutes after system startup. Inputting values lower than or higher than these values will result in BOClean setting to one of these minimums or maximums in order to prevent a denial of service attack on our servers for too short a minimum as well as ensure that you cannot set BOClean's update to too high a value to cause BOClean to not be updated frequently enough to protect you.
The "Roll back" button was new to BOClean 4.24 and permits you to revert to the previous BOClean update. Its purpose is to replace the current database with the previous one in the event of a false positive or corrupted download. Be advised that if you CLICK on the "Roll back" button, then the older database becomes yours. You CANNOT update until there's a NEW database, so don't go playing with it unless it's necessary because of a problem. This is performed automatically in the event of a defective download. For Microsoft Vista users, owing to the way User Account Control works, a rollback will not "take" until BOClean has seen at least TWO updates. This is because any writes of the original files are sent to a "virtualized" location and therefore the original database will not be there. The first update accepted will become the rollback backup and then the second update received will land there. Once this has happened, the rollback feature will work in Microsoft Vista thereafter.
The bottom checkbox in this grouping allows you to specify a location for the trojan horse datafile (BOC425.XVU) that is different from its normal default location. This need not be changed for those using the Autoupdate feature. It permits the BOC425.XVU trojan horse datafile to be placed in a location of your choice and also permits network administrators to provide a common location on a server so that all users of BOClean on their desktops can all be pointed at a single shared copy of the BOC425.XVU file for a network deployed situation.
In situations where a network administrator needs to deploy the latest BOClean update onto a system, this can be done in a logon script that checks whether BOClean already exists and, if not, creates the folder and then copies the files out to the workstation, with the final act being to call REGEDIT and have it merge the following startup file silently:
--------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BOCstart"="C:\\PROGRA~1\\NSCLEAN\\BOCLEAN\\BOC425.EXE"
--------------------------
Network administrators can prevent user tampering by giving them a BOC424.INI file in the WINDOWS folder with the following items set in the [Prefs] section of BOC424.INI as distributed locally:
hide=yes
hide2=yes
These would be =0 otherwise. When "hide=yes" the configuration screen is hidden, as are information screens. If "hide2=yes" as well, then the traybar icon is hidden and no alerts appear. BOClean just nails any malware silently. Updates can be configured to be pulled to the desktops from Comodo BOClean server silently as well or the local copies can be set to point to a shared drive at the location so as to minimize traffic outside the site if desired. What most sites do is distribute all of the files plus the BOC424.INI file once they have things set the way they want them to all desktops.
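The logon-script procedure described above, written out as an added PowerShell example (not Comodo's own script). The share \\SERVER\DEPLOY\BOCLEAN and the file name BOCSTART.REG are assumptions, and the pre-flight check assumes the site wants the hide=yes / hide2=yes lockdown.

```powershell
# Added example: logon-script deployment as described above. Values marked
# ASSUMPTION are hypothetical and not taken from the BOClean documentation.
$Source  = '\\SERVER\DEPLOY\BOCLEAN'          # ASSUMPTION: share holding the BOClean files
$RegFile = Join-Path $Source 'BOCSTART.REG'   # ASSUMPTION: the startup file above, saved under this name
$Target  = 'C:\PROGRA~1\NSCLEAN\BOCLEAN'      # folder named in the startup file
$Exe     = Join-Path $Target 'BOC425.EXE'
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Test-LockedDownIni {
    # True only if the [Prefs] section carries both hide=yes and hide2=yes.
    param([string]$Path)
    $section = ''
    $found = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Prefs' -and $t -match '^(hide2?)\s*=\s*(.*)$') {
            $found[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    return ($found['hide'] -eq 'yes' -and $found['hide2'] -eq 'yes')
}

# Step 1: only deploy if BOClean is not already on the workstation.
if (-not (Test-Path -LiteralPath $Exe)) {
    $ini = Join-Path $Source 'BOC424.INI'

    # Pre-flight: warn if the INI about to be distributed is not locked down.
    if (-not (Test-LockedDownIni -Path $ini)) {
        Write-Warning 'BOC424.INI does not set hide=yes and hide2=yes in [Prefs]'
    }

    # Step 2: create the folder and copy the files out to the workstation.
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Target -Force

    # The page places BOC424.INI in the WINDOWS folder.
    Copy-Item -LiteralPath $ini -Destination (Join-Path $env:windir 'BOC424.INI') -Force

    # Step 3 (final act): have REGEDIT merge the startup file silently (/s).
    Start-Process -FilePath 'regedit.exe' -ArgumentList '/s', "`"$RegFile`"" -Wait

    # A silent merge shows no error on screen, so confirm the Run value landed.
    $run = Get-ItemProperty -Path $RunKey -Name 'BOCstart' -ErrorAction SilentlyContinue
    if ($null -eq $run -or $run.BOCstart -ne $Exe) {
        throw 'BOCstart Run value missing after merge; check rights on HKEY_LOCAL_MACHINE'
    }
}
```

On Windows 2000 and later, writing to HKEY_LOCAL_MACHINE and to the Program Files folder requires administrative rights, so the final check fails for ordinary users running this at logon.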
The location will be automatically selected in order to allow "all users" to use a common location on Win2000 or XP or will default to C:\BOC425.XVU for Win95, 98 or ME users. This default location is also the default for the Autoupdater, which we recommend be used. If you change it, be sure to include the BOC425.XVU filename in whatever location you may put in here or it won't be found and BOClean will complain about it not existing, then undo any changes you make and revert back to its previous "I know the file is here" mode.
Configuration Options grouping (lower part of screen)
The first item at the top left side of the dialog is the option to "Monitor System continuously." This is the default mode for BOClean and provides the highest protection. It should be left checked. However if you would rather BOClean ran only once at bootup and then shut down entirely, UNCHECK this item. As a result of it being unchecked, BOClean will run only once at system startup and then will shutdown once it's checked your system. In order to run BOClean again manually, you'll need to run the BOClean program from the programs listing on your start button. We STRONGLY recommend that you do NOT uncheck this box.
The second item on the left side is "Keep copy of trojan as evidence" and allows you to retain a copy of the most recently detected malware, safely disconnected from being operable, for further examination and study. The evidence copy will be named as "evidence.boc" and will be saved to your "My documents" folder or whatever location is specified for the report of malware activity and capture. If you choose to keep the evidence, please move it off your machine and onto a floppy as soon as you can to keep it from being renamed and used to reinfect your machine. It is also possible that another security program might detect it and cause undue panic. This is the reason why we default this to "off" in BOClean.
The third checkbox down is labelled "Unattended cleanup and removal" and can be set to FORCE the machine into a cleanup if malware is found. This option, if checked, always overrides the user option as to whether or not to do a cleanup and will always cause the machine to go into an automatic cleanup without showing any warning boxes to the user. If checked, there is no way to avoid an instant cleanup. The purpose for this specific checkbox is to give the "end user" no choice as to whether or not they want a stopped malware removed; when it's checked, no option is given. In addition, the notification of malware does not appear but will still be written to the report if reporting is enabled. By default, this is off in our latest BOClean versions since numerous customers like to click buttons. If BOClean is deployed on servers or unattended machines, you WANT this item to be checked so that BOClean will function without the need for human intervention.
The fourth checkbox IS DANGEROUS! BE VERY CAREFUL HERE. The option to "Prevent any changes to configuration" settings is a one way street. If this box is checked and the configuration screen is closed, you will not be able to run the configuration dialog again! This button is intended for system admins to protect against user tampering with preconfigured settings. If you are "master of your domain" then you really do NOT want to check this box. Be warned. If you slip up and check this box and then close the configuration dialog, you will have to contact support@comodo.com by email to learn the secret to re-enabling the configuration menu. You will be warned that this is an irreversible decision and given the opportunity to cancel this option before BOClean will accept it as a deliberate choice.
The fifth checkbox is ALSO DANGEROUS. Marked "Permanently hide traybar icon and alerts", this option will allow you to completely hide BOClean from the screen and the end user. This option will also hide trojan warnings on the machine in question and set BOClean so that if malware is found, it will be quietly killed and removed without any indication to the end user that malware had been found and eliminated. This option is particularly useful for sites who do not want their end users to know that malware is being silently defeated and that BOClean is on the job. It is also HIGHLY recommended for unattended sites as it will suppress ALL on screen information, rendering BOClean invisible. Because the traybar icon and BOClean screens are hidden by this option, selecting this will also make BOClean's configuration screen unavailable to the end user and should be carefully considered. As is the case with the "hide configuration" checkbox above, a warning will be delivered that this option is irreversible from BOClean's configuration and the option is given to cancel this mode if selected. The fourth and fifth items, selected together are the recommended configuration for unattended servers. However these two checkboxes are *NOT* recommended for personal use of BOClean.
The sixth checkbox on the left side controls the long obsolete display of BOClean's memory scanning display screen at startup when your system is already overloaded with better things to do. Painting text on a screen is VERY expensive in resources and particularly CPU time and tremendously lengthens the amount of time BOClean will take at startup drawing text. Over the years, the overhead slows down BOClean WITH the screen showing by as much as ten times over the speed with it NOT showing. This item should only be unchecked if you want to see what BOClean is doing, but will SERIOUSLY affect performance if left unchecked. It takes a VERY long time to show all that's going on. We STRONGLY advise that you leave it CHECKED. But feel free to see it once just so you can see what's going on if you must. Then check it back on to stop wasting valuable time. The "scan screen" has no real purpose anymore, but some folks like a "show and tell" which is why it even remains in 4.25. We recommend users leave it checked.
The seventh checkbox on the bottom provides an option requested in order to comply with needs of certain persons with disabilities such as epilepsy and other similar conditions. It came to our attention that some customers had difficulty with BOClean's flashing traybar icon for medical reasons or simply because they found the flashing distracting. By checking this box, BOClean's traybar icon can be set to NOT flash every ten seconds. In previous versions, this was the checkbox that turned off detection of the Netbus trojan. However, since the company which distributed it has been out of business for several years, that function has now been removed.
Summary of left side checkboxes: Normal personal users will only want the TOP checkbox of the group of seven on the left side and the sixth (scan screen) checked. The others should be unchecked normally. ADMINISTRATORS might want all of the items selected, and might also want to change the report location to point to a network user's "personal shared" drive on a server. This will allow gathering of report data as well as the last captured trojan if desired for each user. If you want to make BOClean clean the trojan but remain visible and configurable by the end user, then "Unattended" should be checked. Fourth box removes the end user's right to play with the configuration, and the fifth box makes BOClean invisible if the third and fourth boxes on the left side are ALSO checked. "Sequential diminishment of 'appliance user' rights" is what has been designed for, as required by the majority of our industrial purchasers' expectations. Individual users will probably NOT want to take advantage of these design factors.
Right side:
The TOP checkbox on the RIGHT side of the screen allows you to tell BOClean to *NOT* shut down file shares if any are added. Normally this checkbox should NOT be checked as you will want any file shares placed on your machine to be eliminated. In SOME situations however you might NEED file sharing present. This will be the case if you're using "Windows networking" to connect two or more machines on a local network. "Windows networking" uses the incredibly awful NETBEUI networking protocol. A better choice is to use TCP/IP with ethernet cards as provided with cable modems. In this case, more than one machine can access a high speed modem connection to the internet and having file shares turned off will not pose a problem. We suggest you opt for the file shares option to be turned off *ONLY* if you have more than one machine on a home network and they suddenly won't communicate with each other any more. We also strongly suggest that if this situation applies to you that you contact your computer dealer or friendly neighborhood network nerd and find out how to use TCP/IP or other networking protocol between your machines as NETBEUI is a completely insecure networking method. Note: BOClean will NOT interfere with network share access on newer versions of Windows such as Win2000 and XP which no longer use the old "NETBEUI" protocols if this box is checked. However it will prevent the majority of trojans from facilitating access if NETBEUI is available on the machine in question for "X$ shares."
New as of BOClean 4.23 is finer grained configuration of automatic system repair options beginning with the second checkbox which is marked "Automatic reset of security zones." A large amount of malware will change your security settings to allow future installation of malware by setting numerous sites and programs as "trusted." If this box is checked and malware is found, BOClean will automatically reset "security zones" to their default state thus setting ALL sites to "internet zone" in order to prevent reinfection. If this box is not checked, no action will be taken but any changes to your security zone settings will remain as they were, even if infected. We recommend checking this box for your safety.
The third checkbox on the right is marked "Automatic cleanup of HOSTS file." By default this is also checked because once again, the majority of malware will write to the HOSTS file to block access to antivirus and antimalware updates and this file is also commonly used to redirect you from sites you intend to visit to rogue sites instead. Some people and some programs make use of the HOSTS file to block other sites; however, it is not possible to programmatically determine which sites are safe and which aren't and therefore in the event of malware detected by BOClean, we want to reset the HOSTS file to the Microsoft default of EMPTY in order to prevent reinfection. You should UNCHECK this item ONLY if you actually use a HOSTS file and are willing to check it manually yourself to ensure that all entries are what you intend. We recommend leaving this checked however.
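For those who uncheck this item and check the HOSTS file themselves, the following PowerShell sketch is an added example (not part of BOClean or this documentation). It lists every entry that is not on a list of entries you intend to keep and says whether the entry blocks a name or redirects it. The sample lines, host names and addresses are constructed for illustration.

```powershell
# Added example, not part of BOClean: audit HOSTS entries against the ones
# you intend to keep. All sample data below is constructed.

function Get-HostsEntry {
    # Turn HOSTS lines into Address/Name pairs, ignoring comments and blanks.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()       # drop trailing comment
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }         # address with no name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

function Test-HostsFile {
    # Report every entry that is neither the stock localhost mapping nor
    # listed in -Intended (format: "<address> <name>").
    param([string[]]$Lines, [string[]]$Intended = @())
    $localAddr = '127.0.0.1', '::1'
    $sinkAddr  = '127.0.0.1', '::1', '0.0.0.0'
    foreach ($e in Get-HostsEntry -Lines $Lines) {
        $key = "$($e.Address) $($e.Name)"
        if ($Intended -contains $key) { continue }
        if ($e.Name -eq 'localhost' -and $localAddr -contains $e.Address) { continue }
        # A name pointed at the local machine is unreachable ("blocked");
        # a name pointed anywhere else is sent to a different server.
        $kind = if ($sinkAddr -contains $e.Address) { 'blocked' } else { 'redirected' }
        [pscustomobject]@{ Kind = $kind; Address = $e.Address; Name = $e.Name }
    }
}

# Constructed sample input (documentation address range and example domains).
$sample = @(
    '# Sample HOSTS file',
    '127.0.0.1       localhost',
    '127.0.0.1       ads.example.net            # entry the user added on purpose',
    '127.0.0.1       update.av-vendor.example   # blocks a security update host',
    '203.0.113.45    www.bank.example           # sends the name to another server'
)
$intended = @('127.0.0.1 ads.example.net')

Test-HostsFile -Lines $sample -Intended $intended | Format-Table -AutoSize

# To audit the real file on Windows NT-family systems:
# Test-HostsFile -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") -Intended $intended
```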
The fourth checkbox is marked "Automatic cleanup of TEMP folder." Windows uses a TEMP folder for each user as a temporary storage location for files until they can be copied to their final location. As a result, the TEMP folder should be empty except during installation or movement of data from one place to another. Some programs fail to empty out the TEMP folder when they're finished copying data and this TEMP location is often used by malware to store a copy of malware so that it can be resurrected. It is strongly advised to allow BOClean to clean the TEMP folder when any malware is found and therefore this box should remain checked.
The fifth checkbox is marked "Automatic cleanup of ActiveX downloads." The ActiveX cache or "downloaded program files" area in Windows is a storage location for programs downloaded from the internet to be used in conjunction with your browser. Unfortunately, it is also a location where malware will be stored so that any time you open your browser, the malware can download another copy and restore itself. When this box is checked, BOClean will clean the entire ActiveX cache and any programs stored here can be readily downloaded again with adequate warning such as online scanners and other "features" which require a program on your end for the web page to function. We recommend that this box remain checked as well.
The sixth checkbox is marked "Automatic cleanup of winsock connectivity." This item is turned on by default as well. However, this checkbox controls a number of additional cleanups which reflect the latest tendencies to corrupt the winsock "Layered Service Provider" (or "LSP") stack as well as the winsock itself. When certain malware inserts itself into the winsock stack and is subsequently removed, you lose all internet connectivity as a result of the "missing piece." Leaving this checkbox checked will cause BOClean to examine the "winsock stack" and repair the sequence to prevent loss of connectivity. We strongly advise leaving this box checked.
If unchecked, then any trojan which affects any of these items would require manual repair. We explain this in detail because any "network connectivity" issues have been a major portion of support requirement for us as a result of some nasties out there, and a major focus of BOClean 4.12 and later was a means of automating this most difficult cleanup since it seems no two internet providers set up the winsock the same way twice. As a result, when network connectivity was lost due to a trojan, we had to refer the victim to their ISP to help them remove and then reinstall "networking." In addition, any DNS-tampering trojans will have any changes to "NameServer" and other connectivity issues automatically resolved when this item is checked.
It has come to our attention that a small number of people have configured their home machines to a hard-configured "DNS setting IP address." From a security standpoint, this is not a good idea as those manual DNS settings are used extensively in malware to redirect victims to places other than where they had intended to surf. It's ALWAYS best to leave your networking configured for DHCP or "get address automatically." Despite this being a really bad idea to manually enter this data, some people insist upon doing so. If YOU are in this situation, we strongly advise going to automatic network configuration using DHCP. If you still choose not to, it is IMPORTANT that the "Automatic cleanup of winsock connectivity" box NOT be checked or BOClean *will* remove those settings when a trojan is found.
Finally, the last box on the right is marked "Automatic cleanup of IE stylesheets." This last item is new to BOClean 4.23 as a result of a new trick used by malware, manipulating "CSS Style sheets" in order to embed hidden frames which silently download malware without any indication that it is occurring. It is rare for this item to be used legitimately and a setting in your browser can be set to restore any such if actually used to the intended style sheet in those circumstances. Once again, it is recommended that BOClean be permitted to remove style sheets in the event of malware being detected to ensure that the malware cannot be restored by a rogue site.
Summary of right side checkboxes: Normal personal users will want the first checkbox UNCHECKED and all of the others checked. If "File and printer sharing" suffers, then CHECK the first box on the top to NOT shut down file shares. Those who actually use HOSTS files and know how to check them for content can choose to uncheck the third checkbox. All others though should be checked unless you're an expert on manual removal of malware and the proper procedures for monitoring those items yourself and verifying their integrity.
Finally, two more checkboxes at the bottom with text input windows:
The first checkbox down will allow you to tell BOClean that you want it to create a written report when it finds malware on your machine. It will list where the rogue program was found and any details of how BOClean handled it. After the infestation has been removed, a copy of the report can always be found in your "personal" folder (usually "My Documents" folder) in a file named "BOreport.txt." Reports are cumulative as of BOClean 4.11 and when you go to VIEW the report from BOClean's menu, you will be given the option of clearing it or allowing it to continue to accumulate. Each entry is date and time stamped. The report is deliberately brief because the report file can grow large over time.
The report CAN be sent to a server in an institutional situation, however the location cannot contain environment variables. For a situation where you want to send the report to another location rather than the local machine, we recommend mapping a drive as "personal" which is normally done in most situations to begin with. For example, a mapped user drive could be:
"\\.\WORKGROUP\MARK\" or similar.
or a drive letter/folder/filename arrangement, mapped, such as "Y:\HERE". It is CRITICAL though that any change point out the PATH ONLY as BOClean will use that location for both the BOREPORT.TXT report file as WELL AS any "evidence" of the last captured malware if that option is enabled to this particular drive and thus no FILENAME should be specified as BOClean will add that automatically.
Finally, the bottom checkbox allows you to override the built in message warning of trojan horses being detected and allows you to deliver a site-specific message to the end user. This item provides an edit box which can contain the precise DOS-like path and filename of a custom written file of a maximum of 1024 characters (you'll never use that much) which can be displayed to the user when malware is found by BOClean. Simply create a plain old ASCII TEXT file (Windows users should use "Notepad") and however you format it is how it will appear in the box which warns the user that malware has been detected on their machine and what to do instead of the default message that comes with BOClean.
Here's an example of a typical warning text file:
Your machine has fallen victim to a dangerous computer program. Relax, you're not in trouble. PLEASE CALL 555-5555 IMMEDIATELY! Please report that BOCLEAN has given you a warning. The help desk will be in contact with you as soon as possible. The danger has already been stopped. If you click the YES button, the file(s) associated with the danger will also be automatically removed. There is no need to disconnect or reboot your machine.
Simple carriage returns where you want the text to go to the next line is all that's required. If you don't format the text, Windows will do it for you with possibly unexpected appearance.
Be sure to put the physical location of the file (can be on any drive on the user's machine or on a network server to allow global changes of the text as required) into the box and that it is a properly qualified path. In other words, note where you've saved the text file and place that in the box. For example, if you just save the file as "warning.txt" to your own machine without specifying another specific folder and you are using Notepad, then the file location to put in the box might be "C:\WINDOWS\WARNING.TXT". If this box is not checked, or the location of the file you created is incorrect, then the default message will be displayed by BOClean instead of the warning you created. Any messages delivered, be it yours or ours, will contain the name of the malware found in the bar at the top of the message box.
Once you have set the configuration as you like it, click on the "Finished" button and your configuration settings will be saved and implemented. If you wish to bail out of this dialog, just hit CANCEL and no changes will be saved.
BOClean has been carefully designed not to conflict with other software, particularly antivirus or other protection programs. Any time you have programs running however, each wants as much CPU time as possible. When many programs of any type are running, the machine will slow down slightly as each additional program runs. We are mindful of this and have designed BOClean to use minimum resources and CPU time. BOClean is designed to function so as to minimize conflict with other software running on your system while it runs constantly in the background.
BOClean 4.25 runs on Windows For Workgroups 3.11 (Win32s required), 95, 95A, 95B, 95C (Winsock 2 required), 98, 98SE, ME, NT4 (SP2+ required), 2000, Server 2003, XP (any, including 64), Longhorn Server and Vista (any, including 64). BOClean also supports the LITESTEP replacement Windows Shell.
If you find that BOClean does interfere with multimedia display or slows down another program or "burps" it while the traybar icon flashes red, you can doubleclick the BOClean icon to pause BOClean. While BOClean is paused, you have ZERO protection so it is not recommended that you leave BOClean in pause mode by having its menu onscreen for any length of time. As soon as is convenient, EXIT the menu. At this time, BOClean will do two full scans and then return to sentinel mode where it is far less active. We've designed it this way in case of any unanticipated conflicts.