False Positive Today - Syslogd.exe
n0mad
February 6th, 2005, 12:29 AM
Started my TDS3 and received this:
Scan Control Dumped @ 23:27:10 05-02-05
Positive identification: DDoS.RAT.rBot.apk
File: c:\program files\syslogd\syslogd.exe
I submitted this to Diamond Labs. This post is mostly informative; I will post back with results.
Anyone else seeing this?
CrazyM
February 6th, 2005, 12:46 AM
Is that the standard version of Kiwi Syslog Daemon? My service version does not have a syslogd.exe but a syslogd_service.exe and scanning the program folder did not produce similar results.
Regards,
CrazyM
Gavin - DiamondCS
February 6th, 2005, 01:40 AM
Doesn't seem right at all. Try a different database location if you are a registered user. Do you still get the alarm?
n0mad
February 6th, 2005, 04:49 AM
-{ Quote: "Doesn't seem right at all.. try a different database location if a registered user, do you still get the alarm ?" }-
Gavin, I'm using Syslog Daemon 7.1.4 freeware version with Sygate Personal Firewall Pro 5.5 build 2710 on a Pentium 4 system with XP Home. I am a registered user of TDS3.
Please explain the different database location. I thought about deleting the Syslog program and setting it up again to see if I get the same alarm. This comes on the Mutex Memory scan at start-up, and if I tell TDS3 to rescan the file, I also get the alert.
Edit: Gavin, I deleted my old Syslog and downloaded the newest Daemon version from the Kiwi website. I still get the same alert as before. I will mention that this is the non-service version of 7.1.4 Kiwi Syslog Daemon.
dvk01
February 6th, 2005, 08:16 AM
What Gavin is saying is to try and download the latest update file from a different location.
Look in your update.cfg file and see which server is listed at the top,
then download the new update.cfg file from the TDS home page and do a manual install of the database, and see if you get a different reading.
n0mad
February 6th, 2005, 02:07 PM
OK, here is the deal. I updated my Radius files manually. It still indicates the alarm in the GUI. I go to my logs and it says there were no trojan mutexes found and gives no indication that anything was found.
Other than the shown indication at the bottom of the opening screen, the logs say everything is fine. I will wait for a response from Diamond Labs about the file I sent them.
Damn, I need a cup of coffee!
frogfoot
February 6th, 2005, 06:49 PM
I also get a warning with Kiwi (two in fact): the first when I do a Process memory scan, the second when I run Kiwi.
Scan Control Dumped @ 23:48:18 06-02-05
Live trojan found (in process memory): Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Service.exe
Positive identification: DDoS.RAT.rBot.apk
File: c:\program files\syslogd\syslogd_manager.exe
Both files have been submitted.
EDIT: I am running the service version of Kiwi
n0mad
February 7th, 2005, 09:05 AM
New Radius updates today (2/7/2005) seem to have cleared up the issue for me. Diamond Labs have still not replied and when they do I will post here.
I would like to thank Gavin and the gang at Diamond Labs for giving us such a powerful tool against the "Bad Guys"; I have the utmost confidence in these guys and gals and their wonderful product!
--Disclaimer-- I am not, nor have I ever been, an employee of Diamond Labs. This is not a paid advertisement for the product, just an honest opinion. Good Day M8s!
frogfoot
February 7th, 2005, 12:59 PM
The latest database update allows me to run Kiwi (it was blocked with yesterday's database). However, if I do a process scan with Kiwi running I get the following:
Scan Control Dumped @ 17:59:07 07-02-05
Live trojan found (in process memory): Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Service.exe
Live trojan found: Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Manager.exe
Are these false alarms?
I do hope so.
Tom
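The two dumps frogfoot posted (Feb 6 and Feb 7) are the usual evidence in a false-positive case: a named signature hit that disappears after a database update, next to heuristic "Unknown Trojan" hits that survive it. The script below is an added example for this thread, not DiamondCS or Kiwi code. It parses TDS-3 style scan dumps in the format reconstructed from the quoted lines (a "Scan Control Dumped @ HH:MM:SS DD-MM-YY" header, then detection lines of the form "kind: name" each followed by "File: path"; the one-line flattened form in the first post is handled as well) and sorts the detections into cleared, remaining and new across the update. The sample dumps are constructed from frogfoot's two posts; the cleared/remaining/new labels and their reading are the example's own interpretation, not TDS-3 terminology.

```python
"""Parse TDS-3 style scan dumps and compare two scans taken before and after a
database update.

Added example for this thread; it is not DiamondCS or Kiwi code. The dump
format is reconstructed from the lines quoted in the thread: a header
"Scan Control Dumped @ HH:MM:SS DD-MM-YY", then one detection line
("<kind>: <name>") followed by its "File: <path>" line. The two sample dumps
at the bottom are constructed from frogfoot's Feb 6 and Feb 7 posts.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Field tokens as they appear in the quoted dumps. Whitespace between fields is
# not significant, so the flattened one-line form seen in the first post parses
# the same way as the line-per-field form.
_TOKEN_RE = re.compile(
    r"Scan Control Dumped @ (?P<ts>\d\d:\d\d:\d\d \d\d-\d\d-\d\d)"
    r"|(?P<kind>Positive identification|Live trojan found(?: \(in process memory\))?): "
    r"(?P<name>[^\r\n]+?)\s+File: (?P<path>[^\r\n]+?)"
    r"(?=\s*(?:Scan Control Dumped|Positive identification|Live trojan found|$))",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Detection:
    scanned_at: datetime
    kind: str   # "Positive identification", "Live trojan found", or "... (in process memory)"
    name: str   # signature name, or "Unknown Trojan" for a heuristic hit
    path: str   # lower-cased so the same file matches across scans that print it differently

    @property
    def signature_based(self) -> bool:
        """True for a named signature match; the heuristic engine reports 'Unknown Trojan'."""
        return self.name != "Unknown Trojan"


def parse_dump(text: str) -> list[Detection]:
    """Return the detections in a dump, each stamped with the scan time of its header."""
    detections: list[Detection] = []
    scanned_at = None
    for m in _TOKEN_RE.finditer(text):
        if m.group("ts"):
            scanned_at = datetime.strptime(m.group("ts"), "%H:%M:%S %d-%m-%y")
            continue
        if scanned_at is None:
            raise ValueError("detection line before any 'Scan Control Dumped' header")
        detections.append(
            Detection(scanned_at, m.group("kind"), m.group("name").strip(),
                      m.group("path").strip().lower())
        )
    return detections


def _key(d: Detection) -> tuple[str, str, str]:
    return (d.kind, d.name, d.path)


def compare_scans(before: list[Detection], after: list[Detection]) -> dict[str, list[Detection]]:
    """Sort detections into what a database update changed (labels are this example's own).

    cleared   - present before, gone after: a signature the vendor withdrew or
                corrected, which is what a confirmed false positive looks like.
    remaining - same kind, name and path in both scans; heuristic 'Unknown
                Trojan' hits are not touched by a signature fix and still need
                the vendor's verdict on the submitted file.
    new       - only in the later scan.
    """
    before_keys = {_key(d) for d in before}
    after_keys = {_key(d) for d in after}
    return {
        "cleared": [d for d in before if _key(d) not in after_keys],
        "remaining": [d for d in after if _key(d) in before_keys],
        "new": [d for d in after if _key(d) not in before_keys],
    }


# Constructed sample input, copied from the dumps quoted in the thread.
SCAN_FEB6 = r"""Scan Control Dumped @ 23:48:18 06-02-05
Live trojan found (in process memory): Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Service.exe
Positive identification: DDoS.RAT.rBot.apk
File: c:\program files\syslogd\syslogd_manager.exe
"""

SCAN_FEB7 = r"""Scan Control Dumped @ 17:59:07 07-02-05
Live trojan found (in process memory): Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Service.exe
Live trojan found: Unknown Trojan
File: C:\Program Files\Syslogd\Syslogd_Manager.exe
"""

if __name__ == "__main__":
    changes = compare_scans(parse_dump(SCAN_FEB6), parse_dump(SCAN_FEB7))
    for status, hits in changes.items():
        for d in hits:
            tag = "signature" if d.signature_based else "heuristic"
            print(f"{status:9} {tag:9} {d.kind}: {d.name} -> {d.path}")
```

Run against the two constructed dumps, the named DDoS.RAT.rBot.apk hit on syslogd_manager.exe comes out as cleared, the in-memory heuristic on Syslogd_Service.exe as remaining, and the plain "Live trojan found: Unknown Trojan" on syslogd_manager.exe as new, which is exactly the pattern that still needs the vendor's verdict on the submitted files rather than another database update.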
frogfoot
February 8th, 2005, 04:08 AM
-{ Quote: "Are these false alarms?" }-
Anyone?
Pilli
February 8th, 2005, 04:23 AM
Hi frogfoot. Gavin is probably doing a deeper analysis, and this probably takes a bit longer; hopefully he will reply when his research is complete.
Thanks. Pilli
frogfoot
February 8th, 2005, 04:59 AM
Thanks Pilli, I will look forward to Gavin's input.
Tom