TDS exe protection


-JSa-
January 27th, 2004, 10:57 PM
Does exe protection give warnings of malicious files, and is there a test like EICAR I can run on it?

thanks
JSa

FanJ
January 29th, 2004, 07:12 AM
Hi,

The answer on both questions is "yes" ;)

Here comes the example: Leaktest from Steve Gibson:
http://grc.com/lt/leaktest.htm

Is Leaktest in the definitions of TDS-3?
Yes, see screenshot of the primary list:

FanJ
January 29th, 2004, 07:16 AM
And here comes the test.

TDS-3 was started before the test was done, and Execution Protection enabled.

WormGuard and my AV were disabled.

I downloaded the file LeakTest.exe from the GRC-site onto my desktop.
Then I double clicked it to start it.

Immediately TDS-3 jumped up and blocked it.

FanJ
January 29th, 2004, 07:17 AM
I right clicked on that warning, and got the following options:

FanJ
January 29th, 2004, 07:19 AM
I chose "Delete", and got a question whether I was sure.

PS:
I have the Dutch version of Windows, so you will see two Dutch words:

ja = yes
nee = no

FanJ
January 29th, 2004, 07:21 AM
I chose "ja" (="yes").

And here comes the confirmation from TDS-3 that the file was deleted:

FanJ
January 29th, 2004, 07:21 AM
That's all :)

mfreemanhcp7
January 29th, 2004, 08:45 AM
I wanted to try this.

I have downloaded the leaktest to my desktop; upon execution I chose to 'test for leaks'. My firewall then jumps in and asks if I want the application to connect to the internet.

I have wormguard installed and Exec protn is enabled on TDS3. Should I have been able to run the test???

Dan Perez
January 29th, 2004, 10:20 AM
Hi User da da da da ;)

If your radius definitions are up to date and your TDS is configured correctly, then you should not have been able to run the leaktest without TDS intercepting it. I confirmed here just in case they put a really new version on the grc site that may "elude" the test definitions, but it intercepted right away. You might want to try scanning the directory leaktest is in from TDS, and if it finds it you know there is something wrong with your execprot (maybe removing execprot, rebooting, re-adding, rebooting will do the trick).

As an additional test, there is a safe Trojan Simulator that includes both a client and a server component that you can test TDS against. It can be found here...

http://computercops.biz/article1981.html

Hope this helps

FanJ
January 29th, 2004, 11:07 AM
Quote (from mfreemanhcp17):
I wanted to try this.

I have downloaded the leaktest to my desktop; upon execution I chose to 'test for leaks'. My firewall then jumps in and asks if I want the application to connect to the internet.

I have wormguard installed and Exec protn is enabled on TDS3. Should I have been able to run the test???
- end quote -

Was TDS-3 started before you did the test?
Execution Protection works only if
1- TDS-3 has been started (either automatically at windows start-up or by yourself), and if
2- Execution Protection is enabled.

mfreemanhcp7
January 29th, 2004, 02:36 PM
I am a little worried now, I removed and then added exec protection with reboots as advised.

TDS is running, but I can still run the leaktest.

I also downloaded the Trojan Simulator (thanks to Dan Perez) and TDS doesn't pick it up unless I run a manual scan of the containing folder. (I even shut down all other running security processes).

I then restarted all other security processes (including NOD32, Tauscan trial version (as TDS has no monitor to speak of) and Adaware).

I wouldn't expect NOD to pick up the Trojan Simulator but Tauscan also failed - the only one to notice a change was Adaware!!

I know we're not here to discuss other programs but I am concerned as to why my Exec Prot doesn't seem to be working. I have the latest Radius update (27.01.2004).

Any comments most gratefully received.

Dan Perez
January 29th, 2004, 02:50 PM
This is strange (to say the least).

Can you give more details on your OS and service pack?

Also, when you launch TDS does it confirm that it shows execprot as active?

Also, I think your radius defs are out of date; can you try an update and see if the values match mine shown below?

11:42:16 [Init] Trojan Defence Suite v3.2.0 - Registered to Dan Perez
11:42:16 [Init] Started 29-01-04 11:42:16 Pacific Standard Time (UTC: 8), Internet Time @862.69
11:42:16 [Init] Loading TDS-3 Systems ...
11:42:16 [Init] ? Priority : OK.
11:42:16 [Init] Token successfully adjusted.
11:42:17 [Init] ? TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
11:42:17 [Init] ? Plugins : OK. Loaded 13
11:42:17 [Init] ? Exec Protection : OK. Installed
11:42:18 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
11:42:34 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families
11:42:35 [Init] ? Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
11:42:35 [Init] Radius Systems loaded. <Databases updated 29-01-2004>


I'm sure the real TDS experts will have plenty of input as well.

FanJ
January 29th, 2004, 02:55 PM
Quote (from mfreemanhcp17):
I am a little worried now, I removed and then added exec protection with reboots as advised.

TDS is running, but I can still run the leaktest.

I also downloaded the Trojan Simulator (thanks to Dan Perez) and TDS doesn't pick it up unless I run a manual scan of the containing folder. (I even shut down all other running security processes).

I then restarted all other security processes (including NOD32, Tauscan trial version (as TDS has no monitor to speak of) and Adaware).
- end quote -

Hi,

TDS-3 does have most certainly a "monitor" !!!
It is called Execution Protection !
Tauscan cannot even think about the security that TDS-3 gives you !
I'm sorry to say; I have both.

We were trying to test TDS-3 Execution Protection.
Disable other AV's and AT's.
Make sure that Execution Protection is enabled in TDS-3.
Reboot.
Let either TDS-3 start up with Windows or start it yourself.
Then download that file LeakTest.exe and double click it to start it.
In case TDS-3 does NOT jump up, then there is a problem, and then we need Wayne to jump in here to help you.

mfreemanhcp7
January 29th, 2004, 02:55 PM
I am running Windows XP Prof SP1.

As you can see, Exec Protn is installed; you can also see, however, that my radius database does not match yours!! You will also notice that I have tried to update, but the report tells me I am already up to date - not so when compared to yours???

19:20:44 [Init] Trojan Defence Suite v3.2.0 - Registered to Mark Freeman
19:20:44 [Init] Started 29-01-04 19:20:44 GMT Standard Time (UTC: 0), Internet Time @847.73
19:20:44 [Init] Loading TDS-3 Systems ...
19:20:44 [Init] • Priority : OK.
19:20:45 [Init] Token successfully adjusted.
19:20:45 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
19:20:45 [Init] • Plugins : OK. Loaded 13
19:20:45 [Init] • Exec Protection : OK. Installed
19:20:45 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
19:20:47 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
19:20:47 [Init] • Systems Initialised [31180 references - 11094 primaries/8913 traces/11173 variants/other]
19:20:47 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
19:20:47 [Init] TDS-3 Ready. <Administrator@127.0.0.1 - United Kingdom>
19:20:47 [TDS] Good evening Administrator.
19:20:49 [Memory Scan] Memory scan started, please wait a moment ...
19:20:51 [Memory Scan] Memory scan complete.
19:20:51 [Mutex Memory Scan] Started...
19:20:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
19:20:53 [Trace Scan] Started...
19:20:56 [Trace Scan] Finished.
19:20:58 [CRC32] Started - verifying 31 files ...
19:20:59 [CRC32] Test finished.
19:35:19 [Radius Update] Database already up-to-date - transfer aborted.
19:52:21 [Radius Update] Database already up-to-date - transfer aborted.
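As an added example (not part of the thread and not DiamondCS code), here is a small script that pulls the fields the posters are comparing by eye out of pasted TDS-3 logs: whether the Exec Protection hook reports as installed, the Radius database date and counts, whether the updater aborted as "already up-to-date", and whether any [ExecProt] WARNING was recorded. The sample logs are trimmed copies of the ones quoted in this thread, and the finding labels are this example's own.

```python
"""Added example, not from the thread or from TDS-3 itself: pull the fields
the posters compare by eye out of pasted TDS-3 logs and report what to check
next. Sample logs are trimmed copies of the ones quoted in the thread."""
import re
from datetime import date

# The bullet before "Exec Protection" pastes as "•" or "?" depending on the
# board software, so it is deliberately not matched literally.
EXECPROT_OK = re.compile(r"\[Init\].*Exec Protection : OK\. Installed")
DB_DATE = re.compile(r"<Databases updated (\d{2})-(\d{2})-(\d{4})>")
INIT_COUNTS = re.compile(
    r"\[(?:Init|Radius)\].*Systems Initialised \[(\d+) references - "
    r"(\d+) primaries/(\d+) traces/(\d+) variants/other\]")
EXECPROT_BLOCK = re.compile(
    r"^\d{2}:\d{2}:\d{2} \[ExecProt\] WARNING: (.+) has been blocked from executing$")
UPDATE_ABORTED = re.compile(r"\[Radius Update\] Database already up-to-date")

# Known-good banner (Dan Perez's post), a stale one (mfreemanhcp7's post) and
# one where the hook fired (Pilli's post), all trimmed to the lines used here.
REFERENCE_LOG = r"""
11:42:17 [Init] ? Exec Protection : OK. Installed
11:42:35 [Init] ? Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
11:42:35 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
"""
STALE_LOG = r"""
19:20:45 [Init] • Exec Protection : OK. Installed
19:20:47 [Init] • Systems Initialised [31180 references - 11094 primaries/8913 traces/11173 variants/other]
19:20:47 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
19:35:19 [Radius Update] Database already up-to-date - transfer aborted.
"""
BLOCKED_LOG = r"""
10:38:50 [Init] • Exec Protection : OK. Installed
10:38:53 [Init] • Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
10:38:53 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
10:39:19 [Radius] • Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
10:39:19 [Radius] Radius Systems loaded. <Databases updated 30-01-2004>
10:41:42 [ExecProt] WARNING: c:\documents and settings\alan\local settings\temp\temporary directory 2 for trojansimulator.zip\tsserv.exe has been blocked from executing
"""


def parse_tds_log(text):
    """Extract the last-seen value of each field worth comparing."""
    info = {"execprot_installed": False, "db_date": None, "references": None,
            "primaries": None, "blocked": [], "update_aborted": False}
    for line in text.splitlines():
        line = line.strip()
        if EXECPROT_OK.search(line):
            info["execprot_installed"] = True
        if m := DB_DATE.search(line):
            d, mo, y = (int(g) for g in m.groups())
            info["db_date"] = date(y, mo, d)
        if m := INIT_COUNTS.search(line):
            info["references"], info["primaries"] = int(m.group(1)), int(m.group(2))
        if m := EXECPROT_BLOCK.match(line):
            info["blocked"].append(m.group(1))
        if UPDATE_ABORTED.search(line):
            info["update_aborted"] = True
    return info


def diagnose(user_log, reference_log):
    """Compare a user's log with a known-good one; return findings in the
    order the thread works through them."""
    user, ref = parse_tds_log(user_log), parse_tds_log(reference_log)
    findings = []
    if not user["execprot_installed"]:
        findings.append("execprot-not-installed")
    stale = bool(user["db_date"] and ref["db_date"] and user["db_date"] < ref["db_date"])
    if stale:
        findings.append("definitions-older-than-reference")
        if user["update_aborted"]:
            # Updater says "already up-to-date" while a newer database exists:
            # the thread's fix was a fresh update.cfg server list.
            findings.append("updater-claims-current-check-update-cfg")
    if (not stale and user["db_date"] == ref["db_date"]
            and user["primaries"] != ref["primaries"]):
        findings.append("same-date-different-primaries")
    if user["execprot_installed"] and not user["blocked"]:
        # Hook installed but no [ExecProt] WARNING during the test: check the
        # Scan Control Clients/EditServers option or the install itself.
        findings.append("no-execprot-block-recorded")
    return findings


if __name__ == "__main__":
    for name, log in (("stale", STALE_LOG), ("blocked", BLOCKED_LOG)):
        print(name, diagnose(log, REFERENCE_LOG))
```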

mfreemanhcp7
January 29th, 2004, 03:03 PM
Just to confirm FanJ - as mentioned in my post, I had disabled all other AVs/ATs & Others.

Also I do not expect any other AT to match TDS-3, but am trialling other ATs which have active monitors - I know there is exec protn, but I have read here that this does not match up to the likes of BoClean - unfortunately they do not have a free trial so I am trialling others - I am not defecting. ;)

It does seem that I have a problem with my application. Maybe I have to uninstall/Re-install, but I hope it doesn't come to that - advice please.

Dan Perez
January 29th, 2004, 03:09 PM
Yeah, it may be that you need to uninstall/reinstall, but I would hold off until you get word from the DCS folks, as they may advise additional registry cleaning between the uninstall and reinstall.

In the meantime, you may have an out of date "update.cfg", so you might want to go to the page below to get a fresh copy of one.

http://tds.diamondcs.com.au/index.php?page=update

If after that the "Update TDS Databases" thing doesn't work you can always manually download the latest radius file from the same page as above.

BTW, it has been a while since I last tested against Trojan Simulator so I did it just now and it was properly intercepted by TDS so definitely something is wrong with your install

FanJ
January 29th, 2004, 03:18 PM
Hi,

First: sorry Dan, I didn't see your posting before I was posting; sorry !

User-etc:
Some remarks:

As Dan wrote, you definitely have to get the latest defs !
I have the same number for the "primaries" as he has.
Get it here:
http://tds.diamondcs.com.au/index.php?page=update
Get from that same page the latest file update.cfg
Quote:
Important: The Automatic Update program (update.exe) requires an up-to-date server list (update.cfg) in order to download the database. This file can be downloaded here (Right-click | Save Target As...). Please save the file to your TDS directory, overwriting the existing update.cfg file. Remember to ensure that the filename is update.cfg, and not update.cfg.txt or anything else.
- end quote -

But to be honest: I doubt that the fact that you don't have the latest defs (Radius-file) is causing the problem; but only trial-and-error will prove that.....

Does your firewall block access to one of the sites in update.cfg?

When was the last time that you installed a new version of TDS-3?
Last summer (summer 2003) there was the so-called Final version of TDS-3.

I only have Windows 98 SE.
I really don't know whether any issue involved with running as Admin/poweruser/etc might cause this :-[

mfreemanhcp7
January 29th, 2004, 03:20 PM
Thanks Dan Perez. I downloaded the latest update.cfg and this has enabled me to download the latest Radius update. It seems strange though that I was able to update only two days ago without any problems - have you needed to download the update.cfg file in the past few days??

This seems strange to me and something is definitely adrift here. Look forward to some DCS input here.

Thanks guys. :)

P.S. FanJ - I only bought and installed TDS-3 this month so am sure it's the latest version. I am logged in as Administrator.

Dan Perez
January 29th, 2004, 03:32 PM
Quote (from FanJ):
First: sorry Dan, I didn't see your posting before I was posting; sorry !
- end quote -

No need for apologies at all! The more input the better! ;)

I have not had occasion to change the update.cfg since I last upgraded ~ 6 months ago? but as I understand it, the update.cfg is changed periodically at the webpage you went to so as to help distribute the load amongst all the available servers. Under the assumption that the server at the top of your old list had an older (and possibly corrupt) radius file I thought we would get another update.cfg to almost certainly direct you first to a different server.

I agree though with Jan that this would almost certainly not address the main issue you are having, which seems to be a bad config somewhere that will not allow proper operation of execprot.

The DCS gurus will be awake and eager to provide more detailed assistance in about 6 hours and I'm sure they will have a quick resolution to the issue.

-JSa-
January 30th, 2004, 01:19 AM
thanks for the replies all

I've tried the tests suggested and they don't work for me either; my OS is Windows 2K SP4.

I noticed that since installing exe protection launching programs takes a fraction longer, so I guess it's doing something, but it did not report either leaktest or trojansimulator.

Pilli
January 30th, 2004, 05:47 AM
This was a test of the Trojan Simulator trying to install. :) Also, I do know that Dan runs W2K; this PC is XP Pro.

Please note: the three bolded items.

10:38:50 [Init] Trojan Defence Suite v3.2.0 - Registered to Pilli
10:38:50 [Init] Started 30-01-04 10:38:50 GMT Standard Time (UTC: 0), Internet Time @485.30
10:38:50 [Init] Loading TDS-3 Systems ...
10:38:50 [Init] Token successfully adjusted.
10:38:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:38:50 [Init] • Plugins : OK. Loaded 13
10:38:50 [Init] • Exec Protection : OK. Installed
10:38:50 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:38:53 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:38:53 [Init] • Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
10:38:53 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
10:38:53 [Init] TDS-3 Ready. <Pilli@127.0.0.1, 192.168.2.62 - United Kingdom>
10:38:53 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning inside the memory space of processes
10:38:54 [TDS] Good morning Pilli.
10:38:58 [Mutex Memory Scan] Started...
10:39:00 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:39:00 [Trace Scan] Started...
10:39:13 [Trace Scan] Finished.
10:39:16 [Radius] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:39:19 [Radius] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:39:19 [Radius] • Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
10:39:19 [Radius] Radius Systems loaded. <Databases updated 30-01-2004>
10:39:19 [Radius Update] Update complete.
10:41:42 [ExecProt] WARNING: c:\documents and settings\alan\local settings\temp\temporary directory 2 for trojansimulator.zip\tsserv.exe has been blocked from executing

dvk01
January 30th, 2004, 07:28 AM
I regularly get this update problem. It's all due to my ISP having a transparent webcache and I have to frequently change the proxy server setting inside TDS to be able to autoupdate.

Luckily (?) I use NTL in the UK and have a choice of 3 proxy servers just by changing 1 digit and that normally solves the problem for me.

If you continually get problems then use a proxy server in the TDS settings.

-JSa-
January 31st, 2004, 01:31 AM
It's NOT an update problem, I have the latest radius installed:

05:52:52 [Init] Loading TDS-3 Systems ...
05:52:52 [Init] ? Exec Protection : OK. Installed
05:52:53 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
05:53:03 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families
05:53:03 [Init] ? Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
05:53:03 [Init] Radius Systems loaded. <Databases updated 31-01-2004>
05:53:03 [Init] TDS-3 Ready. <xxxxx@xxx.xxx.xxx.xx, 127.0.0.1 >
05:53:03 [TDS] Good morning xxxxx, all systems are ready.


Here is a screenshot showing trojansimulator in memory alongside TDS
http://members.lycos.co.uk/bmge500/Capture008.jpg

If I do a scan control / live process files scan then I get a warning:

Scan Control Dumped @ 05:58:42 31-01-04
Trojan Client\EditServer found: Demo.TrojanSim (Client)
File: d:\files\trojansimulator\trojansimulator.exe

Positive identification: Demo.TrojanSim
File: d:\files\trojansimulator\tsserv.exe


Obviously something is wrong with exe protection.

JSa

FanJ
January 31st, 2004, 09:31 AM
Hi JSa,

Maybe off topic:
I see for example in your posting this:

05:52:52 [Init] ? Exec Protection : OK. Installed

I have this:

15:13:01 [Init] • Exec Protection : OK. Installed

So, where you have: ?
I have: •

Maybe this is caused during your process of copying it to the posting, I don't know.
Do you have that • on your TDS-3 screen?

Could you please check your Required System Files?
See here:
http://www.wilderssecurity.com/showthread.php?t=13794

I don't think this has anything to do with the right function of Execution Protection, but it may be a good idea to check it...

FanJ
January 31st, 2004, 10:21 AM
Ah, I just saw that in reply # 11 of this thread Dan also had that "?" instead of the "•", so I guess it is only caused by the board-software or during the copying-process ::)

-JSa-
January 31st, 2004, 11:57 PM
@FanJ

comctl32.ocx (Windows 9x/NT/2K) v6.0.80.22 YES

tabctl32.ocx (Windows 9x/NT/2K) v6.0.88.4 YES

richtx32.ocx (Windows 9x/NT/2K) v6.0.88.4 YES

comdlg32.ocx (Windows 9x/NT/2K) v6.0.84.18 YES

- - - - -

riched32.dll (Windows NT/2K) v5.0.2134.1 YES

asycfilt.dll (Windows 9x/NT/2K) v2.40.4277 YES v2.40.4522.0

msvcrt.dll (Windows 9x/NT/2K) v6.1.9359.0 YES v6.1.9844.0

msvbvm60.dll (Windows 9x/NT/2K) v6.0.84.95 YES v6.0.96.90

mscomctl.ocx (Windows 9x/NT/2K) v6.0.84.98 YES

mfreemanhcp7
February 1st, 2004, 08:56 AM
I have uninstalled and reinstalled TDS-3 and still have the same problem with Exec Protn not working. To confirm, this is the manner in which the uninstall/reinstall was undertaken.

Shut down all running processes
Uninstall TDS-3
Re-boot
Delete all empty TDS-3 folders and references including registry files and DLL files
Re-boot
Shut down all running processes
Install TDS-3
Re-boot
Insert keyfile and updated Radius & Config files
Configure TDS to personal requirements (scanning and config)
Re-boot
Install exec protn - confirmation of install components message received
Re-boot

Exec Protn still not working ???

Pilli
February 1st, 2004, 09:10 AM
Not sure what the problem is User, ???
I take it you are running TDS as Administrator? If so we will have to wait until DCS can reply unless, of course, someone else has any other ideas.

Bowserman
February 1st, 2004, 09:28 AM
Hi mfreemanhcp17 :).

Before uninstalling TDS via Add/Remove Programs, did you remove Execution Protection first from within TDS?:

TDS>Execution Protection>Remove

and then uninstall TDS via Add/Remove Programs.

Regards,
Jade.

Jooske
February 1st, 2004, 09:31 AM
If not, it could maybe help to remove, reboot, and install exec protection again; maybe in the removed state it could be useful to check the registry to see if it is gone from there before you install exec protection again.

mfreemanhcp7
February 2nd, 2004, 08:40 AM
Where should I look in the registry to see if Exec Protn is installed, and what name will it have? Should I also be able to see it as a running process in Task manager or through one of the DCS products (TDS Running processes or PE perhaps)?

After I had removed the program I ran search in the registry (using JV16 Power Tools) for every file containing TDS in its description and deleted all that was obviously related to TDS-3. Can someone please list (or e-mail) all registry entries that TDS is likely to leave behind so that I can delete them all and ensure a clean install.

Thanks all.

FanJ
February 2nd, 2004, 09:21 AM
Quote (from mfreemanhcp17):
Should I also be able to see it as a running process in Task manager or through one of the DCS products (TDS Running processes or PE perhaps)?
- end quote -

Hi user-etc,

No, you will not see Execution Protection as a running process because it is NOT a running process!

It is a so-called "hook".
Check in TDS-3: System Analysis > Process List, and you will not see it there (or for example in TaskInfo2003).

FanJ
February 2nd, 2004, 09:28 AM
From the Help-file:

"If ExecProt is enabled, executing a file will cause the operating system to ask TDS-3 to scan the file before it is allowed to execute."

That's why TDS-3 must have been started (either by yourself or at Windows start-up) for ExecProt to be working in the way it is supposed to be.
If TDS-3 has not been started, ExecProt (= Execution Protection) will give that file back to the Operating System and let the OS do with it what it wants ;)

Execution Protection is a dll file in your TDS-3 directory:
execprot.dll

FanJ
February 4th, 2004, 09:38 PM
Question for Wayne:

Sorry Wayne,
Could you please jump in here on the questions why some posters don't seem to have Execution Protection giving an alert on for example LeakTest?

Jooske
February 5th, 2004, 12:02 AM
Leak test is a demo, as I see it in my detection for the copies I have; might a valid known demo not be stopped?

ExileBlue1
February 5th, 2004, 11:50 AM
I've been following this with interest, 'cause I had the same experience as the original post, i.e. Leaktest not stopped ('cept by ZA).
I've solved the problem by uninstalling my original version of TDS3 (from about 2 years ago, can you believe) and installing the latest.
Now TDS stops it in its tracks before ZA can even ask. Interestingly enough, the "Trial Trojan" I tried was detected by my original TDS. Hope this helps.
Catcha Later
;)

mfreemanhcp7
February 6th, 2004, 08:53 AM
Sorry guys,

I still have a problem with my exe protn - I have done all that I think I can - where do I turn now? I am still very, very happy with all my DCS purchases and the support received from everybody through this forum, but I would appreciate some response from someone at DCS please. If only it is to be told that you don't know why it's not working and I'll have to live without a monitor 'till TDS4, that'll be fine - I'll just buy BOClean or something. I'd just like to know please. :) Would you prefer I made a post in the user TDS private forum?

Thanks

Pilli
February 6th, 2004, 09:36 AM
Hi User, Sorry to read you are still having problems with EP :(
If you post in the private forum or direct to support@diamondcs.com.au you may get a faster response, especially as it is now the weekend in Australia. :)

mfreemanhcp7
February 25th, 2004, 06:39 PM
Sorry to say I've had no response over the past few weeks from either this forum, the private forum or through support e-mail. Guess I'm at a loss. :(

Jooske
February 26th, 2004, 03:20 AM
This thread has become so long I was lost already a long time ago trying to understand what the exact problem was, and I have no time to wrestle through all these pages again; can you please in a few lines tell what the exact problem on your system is so we might be able to react on that again? Thanks for the trouble.

spy1
February 26th, 2004, 11:06 AM
mfreemanhcp17 - (Print this sucker out before undertaking this) -

(1) I'm not seeing in any of your latter responses whether or not you disabled exe prot prior to trying another un-install/re-install.

Did you?

If not, you need to do the following -

(a) From the TDS main interface, click on "Configuration" and on the "Startup" tab, where it says "Run At Windows Startup" make sure that the dot is in front of the radio button before "No" (if it's not there, put it there and then click "Save").

(b) Then click "TDS" on the main interface, highlight "Execution Protection" and on the context menu that pops up, click on "Remove" and wait for the success message to show up.

(c) Click "TDS" again and then click "Quit".

Only now are you completely ready and in the proper "state" to do the un-install, so go to Control Panel - Add/Remove Programs and find both the "DiamondCS TDS ExecProt Module" and "Diamond TDS3" and click on BOTH to un-install them, making sure that both entries disappear properly from the list and that you don't get any error messages.

I also want you to un-install the "leak" test and the "trojan" test at this time!

Re-start your computer (don't worry about hunting down anything else).

(2) When you re-installed TDS, did you do so using a freshly d/l'ed copy of the program - or did you still have and use the one you started with originally?

If you did not use a freshly d/l'ed copy of the program, please do so this time. D/l your fresh copy from here:

http://tds.diamondcs.com.au/index.php?page=download

and write down the MD5 string of numbers on that page! (You'll see why in a minute).

Now, go here: http://www.slavasoft.com/hashcalc/overview.htm and use the "Download" button to get that.

Re-start your computer (I'm trying to eliminate any possible problems/conflicts here with these multiple re-starts, so bear with me).

After the re-start, click on "hashcalc.zip" and install it. Run it (you can read the readme later). On the HashCalc interface, you'll see a blank white box at the top that has "Data" over the top of it with a little square box off to the side that has a bunch of dots in it - click on that box and navigate to wherever you just d/l'ed your fresh copy of TDS-3 to (hopefully, the Desktop). Click on the "tds3setup.exe" that you'll find in that Explorer-like window, and that entire path should pop up in the "Data" window of HashCalc. Then click on the "Calculate" button in HashCalc and compare the "MD5" of HashCalc to the letters and numbers of the MD5 you copied down from the TDS d/l page. You should have an exact match.

Assuming that you do, go ahead and re-install TDS-3 and set it up - including activating "Execution Protection" and updating the DB. (Do not have TDS starting with Windows!!!!). Make sure you "Save" all your selections.

Re-start your computer (I know, I know - humor me, okay?).

After the re-start, open HashCalc again and navigate to the exeprot.dll and "Calculate" it - it should read:
f698b26c00de6dc320c36b69a0accfe6

Only now do we know if you've got (a) a good d/l of TDS-3 and (b) a good exeprot.dll. If you do, then go ahead and re-d/l the "leak" test and the "trojan" test and see if your results differ from before.

That's my best shot (and where did my morning go?). Sorry I'm not with DCS - I'm just me, trying to help. Pete

spy1
February 26th, 2004, 07:12 PM
I'll be damned. I just re-d/l'ed TrojanSimulator "Install"ed it and guess what? TDS's exe.protection never let out a peep! lol! I had to do a "System Testing"/"Process File Scan" from the main interface screen of TDS before it picked it up! What's up with that?

Shut down TDS and re-started it, and it picked it up then (due to the ProcessFile and trace scans I've got set at start-up) - but only because I have TDS doing a "Process File Scan" and the "Registry and File Space Scan" at start-up - if it weren't for that, it wouldn't have detected it at all (unless I did a re-start or a full scan).

IOW, instead of the guy I was trying to help having done anything wrong - or having a corrupted d/l or file, the simple fact of the matter is that TDS's "Execution Protection" doesn't do squat when it comes to protecting you against the "TrojanSimulator" exploit and - had it been a real exploit of some kind - it would have just merrily launched itself and done whatever the heck it wanted to without TDS ever intervening in time to do me any good!.

Someone want to "splain" this to me? Because from where I'm sitting right now, it looks to me like TDS just failed this one - miserably. Pete

spy1
February 27th, 2004, 08:52 PM
BUMP!

beetlejuice
February 28th, 2004, 12:11 AM
So let me get this straight. When TDS is running (either starting with Windows or on demand) it works great and intercepts Leak Test and the like. When it's not running, it doesn't. I just tried it. Got the same results as Spy1. It has a monitor right? What good does it do to use all of my resources just to get it to work?

Pilli
February 28th, 2004, 03:29 AM
Executive protection only runs when TDS3 is running, that is providing the TDS GUI or TDS icon are running all the time & that Executive Protection is installed. After the initial scans TDS3 has a very low resource usage when Executive protection is running. Executive Protection monitors every opening programme and you will only notice a very slight lag as each programme loads.

You will not be able to run Trojan simulator when Executive Protection is installed & a right click scan on Trojan simulator will flag that it is a Trojan as will a full scan.

See screenie below:

HTH Pilli

FanJ
February 28th, 2004, 07:03 AM
OK, I did again some testing on that TrojanSimulator.
Some screenshots will follow.

It looks to me that it depends on whether or not you have enabled scanning for clients/editservers in the TDS3 scancontrol.

FanJ
February 28th, 2004, 07:08 AM
When I have it enabled (checkmark in that box), then ExecProt will block as soon as I double click on Trojansimulator.exe

12:37:28 [ExecProt] WARNING: d:\trojan simulator\trojansimulator.exe has been blocked from executing

FanJ
February 28th, 2004, 07:10 AM
I can then let TDS-3 delete the file trojansimulator.exe.

And no reg-entry is made.

FanJ
February 28th, 2004, 07:16 AM
Now what happens if I have no checkmark in that box in scancontrol?
So TDS-3 will not scan for clients.

I can then double click on trojansimulator.exe.
No warning from TDS-3.

I can click on "Install" in the Trojansimulator menu.
No warning from TDS-3.

I look in the process-list of TDS-3, and I see TSServ.exe running.

FanJ
February 28th, 2004, 07:21 AM
I double click on TSServ.exe on my system, and then ExecProt blocks it.

12:20:07 [ExecProt] WARNING: d:\trojan simulator\tsserv.exe has been blocked from executing

FanJ
February 28th, 2004, 07:23 AM
I try to let TDS-3 delete it:

FanJ
February 28th, 2004, 07:24 AM
I click OK and TDS-3 deletes it:

FanJ
February 28th, 2004, 07:28 AM
I look in my registry and have to delete this entry manually in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

See screenshot further for that reg-key.

EDIT-1
For a full description of that reg-key I quote from here (http://www.misec.net/trojansimulator/):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. The name of the entry is "TrojanSimulator" (without the quotes), and its value is the path to TSServ.exe, enclosed in quotes ("), and followed by the /install parameter. The type of the entry is REG_SZ (standard registry string value).

- end quote -

EDIT-2
I also manually deleted the file Trojansimulator.exe

FanJ
February 28th, 2004, 07:31 AM
OK, that's it for the moment.
I hope it makes some sense and that I did the right things ::)

FanJ
February 28th, 2004, 07:47 AM
To make sure we are all talking about the same TrojanSimulator, here is the MD5 checksum for the zip-file:

The file <D:\Trojan Simulator\TrojanSimulator.zip>
has the following Checksum(s)

MD5 - 6A1AC6675073BAB8EC61839E1D1434D6

Bowserman
February 28th, 2004, 07:51 AM
Yes, FanJ and Pilli are correct ;).

You must have scan for Clients/EditServers enabled to detect the trojansimulator.exe, as this is the Client/EditServer:

Client: What a script kiddie/trojaner would generally use to connect to the actual server (in this case tsserve.exe) on a victim's computer.

EditServer: Usually a part of the Client (sometimes separate) used by the script kiddie/trojaner to create a server with different default ports, startup methods etc... than the default server would have contained.

Server: The nasty part which will install the trojan on your computer, thus allowing the script kiddie/trojaner to remotely connect to the trojan server (in this case tsserve.exe) on your computer and control it.


Having said that, TDS detects/stops all these parts of the TrojanSimulator test trojan - see my screenshot.

Regards,
Jade :).

FanJ
February 28th, 2004, 08:00 AM
Thanks Jade ! :)

It looks to me that we both tested it in a different way:

I tried to test it with ExecProt.
You tested it with a file-scan.

;D

Bowserman
February 28th, 2004, 08:09 AM
Quote (from FanJ):
Thanks Jade ! :)

It looks to me that we both tested it in a different way:

I tried to test it with ExecProt.
You tested it with a file-scan.

;D
- end quote -


No probs FanJ :), although in my screenshot you will see that I tested Execution Protection as well as the file scan ;D.

Best regards,
Jade.

FanJ
February 28th, 2004, 08:52 AM
Quote (from Bowserman):
No probs FanJ :), although in my screenshot you will see that I tested Execution Protection as well as the file scan ;D.

Best regards,
Jade.
- end quote -

Oops, you're right !!!

Cheers, Jan.

Mr.Blaze
February 28th, 2004, 10:12 AM
:D very cool and newbie friendly

FanJ
February 28th, 2004, 04:57 PM
Quote (from Mr.Blaze):
:D very cool and newbie friendly
- end quote -

Thanks buddy ! :)

cookie for you *puppy*