Tauscan & detecting polymorphic trojans.

[illukka]

yeah man i have f-secure on one of my pc's, you don't have to convince me of it's quality... but it is the kav engine with it's unpacking abilities that is resposible for f-secures good trojan detection, the f-prot is the main virus scanner, orion is a purely heuristic engine for unknown viruses and malware. i have been told that f-secure uses mainly updates and signatures written by kaspersky labs, so most kav problems concerns f-secure too.. so far only certain anti-trojans(tds and th) are the only ones capable of dealing with dll injecting trojans..
but check this thread for info on f-secure and other av's, besides it's fun to read anyway..thanks john for doin it
http://www.dslreports.com/forum/remark,7165307~root=security,1~mode=flat
i still don't know if f-secure has real time process memory scanning or not, and haven't had time to test it against the likes of beast..

[Gavin - DiamondCS]

I see lots of trojans and backdoors that even KAV dont detect. A popular news site uses KAV to scan when it does writeups on new backdoors and trojans, and I would guess 20% at least were not detected. Not going to waste tons of time to find real numbers, but there are quite a lot that are missed. This is a FACT and if you went looking in underground sites you would know, how can I tell you in any simpler terms ?

What people fail to realise is that AV vendors receive thousands of submissions. They live on submissions. But in that, they miss things which noone spreads to lots of machines, the quiet attackers are the ones who currently have tens of thousands of victims at their mercy. If any AVs were perfect, that would simply not happen. There are even more reasons, but this is a big one.

agreed @Gavin.

You have to search by yourself in forums, you have to follow links, to collect infos and and and. Many trojans are not even known so far as long as a infected user sends a copy to the av companys.
This research for new trojans is a time consuming task and you need good connections into the "dark zone"

[ChrisP]

"only certain anti-trojans(tds and th) are the only ones capable of dealing with dll injecting trojans.."

This is not so. The Beast is a dll injecting trojan - and F-Secure detects it.

Anyhow the author of trojanhunter says "The Beast trojan, employing modern stealth techniques actually injects itself into other processes. TrojanHunter is the only scanner capable of cleaning process-injecting trojans."

Just another example of all the smoke and mirrors, contradictions, etc concerning trojan detection!

(If you want to find which trojans F-Secure detects - the list is on their website)



ChirsP

[Magnus Mischel]

F-Secure may very well be able to detect it, but I can pretty much guarantee you it can't clean it without resorting to doing something like "delete the file on reboot", something which is not guaranteed to work as the trojan can easily erase that command before the reboot happens. However, I think you have made it very clear to me and everyone else that you aren't interested in facts, you simply want to start an argument. I am most definitely not going to play that game, so I won't be responding further in this thread.

[ChrisP]

I notice you have failed to come up with any facts or any proof yourself.

I asked you ages ago in this thread to name a single trojan your Trojanhunter could detect that F-Secure couldnt. Your silence speaks volumes!

I dont see why you have got so upset and resorted to insults just because I have pointed out the fact that there are so many contradictions - ie someone here claimed that TDS and Trojanhunter are the only apps to detect process injecting trojans - when you claim it is only your app which detects them. (both of you cant be right)

You have the arrogance to claim that F-Secure is unable to detect and clean the Beast - when it is clearly stated that it does this on their website. You resort to calling other honest organisations liars just because someone points out the fact that your application isnt the only solution.

Lets face it. You are a one-man-band and there is no way you will ever compete with the big boys since you dont have the technology ard resources.

Regards

ChrisP

[Paul Wilders]

Chris,

Please lower your tone. You haven't been insulted in any way, and we will not accept off topic and personal remarks like for example this one:

Quote:

Lets face it. You are a one-man-band and there is no way you will ever compete with the big boys since you dont have the technology ard resources.

Magnus stated he will no longer participate in this thread for reasons mentioned, so I fail to see wether you've chosen to address him once again.

We are not in the habit of doing so, but do regard this as a first warning.

regards.

paul

[ChrisP]

I replied because:

1) Although he will not respond - he will read my reply - and so will others

2) He made an unjustified claim when he implied that F-Secure would not remove the beast trojan - when it is clearly stated on the F-Secure website that it does detect and clean it.

He should not resort to making unjustified claims against another manufacturers product just because someone points out the FACT that another scanner detects a trojan which he uses as an example to illustrate some unique technology of his offering.

As to my personal remarks.... I am simply pointing out the fact that there are fewer resources, less technology, less expertise and knowledge available to the development of Trojanhunter than there is for F-Secure.

If pointing out this and other facts is unwelcome here then I would prefer not to participate any more here.

Bye.

ChrisP

Please stop your behavior with "f-secure is my hero".
If other people like to use TH or TDS they use it anyway - dosn't depends on how good f-secure or KAV is. And speaking about f-secure f-secure would be nothing without the knownledge and the powerful scan engine of kaspersky. POINT.
And speaking about trojan detection we should face this fact.
Nobody claims here to be better than f-secure; however it seems to me that you are riding on the wave of golden words. There are a lot of trojans which are not detected by Kaspersky, nether by f-secure. Wanna have a half thousends of it ? PM me for this.

[Gavin - DiamondCS]

System33r Stealth Downloader 0.5

(Not detected by AVP on october 06, 2003 for server)
(TrojanDownloader.Win32.VB.r for create.exe)

Released 18th Sept, detection added to TDS on the 19th. So nearly 3 weeks already ? Still waiting for KAV detection (therefore FSecure too), just scanned a server and its "clean"

PUBLIC Proof, end of story, lets get over it. Besides this is way off topic, this thread was about Tauscan and polymorhic trojans, which you seem to have avoided once we told you how to make a server ?

[DolfTraanberg]

Earth is flat

[Jooske]

Look, i don't care what other people run on their machines, as that's their freedom of personal choice.
As long as they don't make it a danger for others around including myself.
So i'll promote safe computing and we see good advices all over the forum here and if somebody gets into trouble we'll all be there to help the person out as good as we can.
But don't blame me for using the tools for that which i know best and have shown to be very reliable for my circumstances and for millions of other people on this planet. And you might feel better adding even more tools of that level, i can only advice to do so if you feel happy with that, and if you would get into compatibility problems listen to the people's advices. A second opinion is not a bad idea if you know what you're doing.
There are software tools maybe able to detect a nasty code, but dealing with it in a safe way and cleaning your system is quite different cook.
At least respect other people's time and experience.

Cook euh? The kind this flat earth was baked from? Funny, Edam cheese looks more like it, but that's a personal opinion. Melting like cheese fondu these days if you ask me!

[Gavin - DiamondCS]

I tried to convince a troll on another forum yesterday, gave up and now he compares usage of an AV and AT to slowing down your internet connection too ?

[illukka]

could chris p be vampirefo's distant cousin

[Jooske]

I keep with the cheese i guess
(melted)

start Windows
Start TDS
Start script
Script calls Clippit office helper
Clippit speak: "Oh, i see you are using windows! Let me help you to defend your system!
I can help you! press scroll lock and i hear your command.
First say "what can i say" to see my scan options.
Clippit continue speaking: "You can choose from
scan with F-secure, scan with TDS, scan with Trojan Hunter, Scan with Tauscan, scan with Kaspersky.
I'm waiting for your command now!"
Clippit rather annoying by now speaking: "While you are annoyed with scanning, let me tell you some facts of the day! For a start, did you know the earth is flat? Just as flat as a dutch cheese. You might need to use a heater to melt it but it's definitely flat with that!. "
Clippit really annoying now speaking: "Once you finished the first scan, you need to compare it with a second one. Ask me to scan with the next and i will start the scanning process for you, just till you had them all done."
Clippit speak: "Next fact of the day: there are no polymorph trojans. This statement is true / untrue. Send your reply to Microsoft and you won't win any price. I'm just winning time to heighten annoyance during scanning time"
End script.

This script is not possible as Clippit has no voice, but with TDS you can give him one. Make sure you have any MSOffice product started during this whole action because of the Clippit EULA.
Now you see you definitely need TDS to make this all possible.

Sorry for the annoying interruption guys, although i like it somewhat.

[Monique]

Very nice thread

Seems like chrisp refuses to take the test(s), and sticks to "the earth is flat" theory. Oh well, nice reading it was

Jooske,

Just out of curiosity: what's that last post of yours all about in the context from this thread? Correct me if I'm wrong, but I fail to see any - other than sort of TDS3 software promoting. Isn't that what the TDS3 forum is for? This isn't an advertisement board, or is it?

M

[Pilli]

Hi Monique, I think it was a tongue in cheek send up concerning some of the thread content, a bit of Dutch humour. And yes, as DCS mods we are probably biased - No harm done I hope?

[Dan Perez]

Quote:

it was a tongue in cheek

Agreed! Part of the tasks for moderators (or for responsible posters) is to lighten the mood a bit when things start getting confrontative.

Regards,

Dan

[Jooske]

Several times the program was mentioned so nothing new here.
User is known to the program already, and most readers in the forum where this is one of the dedicated forums products are familiar with it, hence no promotion and if so, we're allowed to.
But read through the five former pages to see the logic.
And by all means try the script in your own copy of TDS.
Unfortunately it has no polymorphic code in it (yet) so in this form it can not act as a server to be detected.
But with some help such a thing might be includable as a test too, but it's not my specialty so others should help with that.
Anyway, it was a nice Windows^(R)Clippit^(TM)(C)(R) and msagent promotion, if you ask me! Saving the very annoying Clippit from retirement, adding for several users extra enhancement to his options.
But yeah, humor and fun to enhance security, why not?
We do love lighter notes a lot!
See for yourself following the URL in my signature.
Now go melt the cheese!

After reading all of this i feel like i have to use a condem on my computer for the extra protection.

[Jooske]

And don't forget the cheese fondue with it

[GoonMan]

Quote:

quoting: lots-of-info link=board=25;threadid=13687;start=60#msg95526 date=1066895112]
After reading all of this i feel like i have to use a condem on my computer for the extra protection.

Even this is not a guarantee. ROFL

Thanks for the good read.

[Jooske]

Lots-of-info, do give it a try and keep us updated about the results, honestly!
Although i no matter the outcome, it would not make me change business for a rubber plant!