Can TDS-3 automatically delete any malware samples contained in a directory?

I want to scan a malware archive and I want TDS-3 to automatically delete any malware samples found. Is this possible? (I do not want to manually delete the detected samples.)

Background: The TDS-3 scan log frequently includes more than one entry for a single malware sample. Therefore, you cannot reliably determine the detection rate of TDS-3 with the help of the scan log summary.

TIA.

 

No, it doesn't and we would not like it to delete automatically either. think of suspicious files with only double extensions, the possibility for false positives, etc.

You mean a zip with some files in it the zip and the files are counted; it will tell you in advance how many files are scanned and how many of those caused alarms.
30-6 07:05:56 [File Scan] Scanned 34 files: 22 alarms in 15,98047 seconds (Avg 3,13 files/sec)
30-6 07:05:56 [File Scan] Scanning in c:\06-29-04 ...
30-6 07:05:57 [File Scan] Scanned 1 files: 22 alarms in 0,9902344 seconds (Avg 2,01 files/sec)
30-6 07:05:57 [File Scan] Scanning in c:\06-30-04 ...
30-6 07:05:59 [File Scan] Scanned 8 files: 29 alarms in 1,310547 seconds (Avg 7,1 files/sec)
30-6 07:05:59 [Scan] Finished.

One of those files from the first series for instance was a file part-2.zip
positive identification (embedded in file) worm.netsky.AA part-2.zip
suspicious filename (in archive) Excessive space characters part-2.txt <lots of spaces> ........ .exe
positive identification (in archive) worm.netsky.AA part-2.txt <lots of spaces> ........ .exe

In this series were 3 files with such 3-fold detection because of excessive spaces and dual extensions so you could say we're talking about 6 lines less, so 23 detections total.
BUT:
TDS does continue detection, for instance if your archive would be a file infected with the one nasty, packed and zipped and infected with another nasty again and another time packed whatever, i have seen strange files at times, all those are detected individually, while i uploaded such a file sometime for analyses elsewhere and only one virus or possible bot was detected or even nothing! As many scanners say with the first detection, ok, file is malware and don't continue scanning if there is more the matter.
I've seen it with such a spybot infected with some virus and the whole lot infected with some other virus, while scanners told me it was just one virus (think the last of the three layers) but Gavin detected all the other stuff and the order of infections. TDS is not for viruses detection unfortunately it has so much already!

 

"No, it doesn't and we would not like it to delete automatically either."

I agree that, in principle, TDS-3 should not automatically delete any suspicious files found.

On the other hand, if TDS-3 does not have any hidden parameters etc. allowing a tester to produce an accurate scan log how can it be reliably tested? I wonder whether there are any reliable tests regarding TDS-3 and how the testers have solved this problem.

(Btw.: I am completely aware of the fact that the combined detection rate of TDS-3's file and mem scanner is better than the detection rate of the file scanner used on a stand-alone basis.)

 

http://www.secadministrator.com/Articles/Index.cfm?ArticleID=40313&pg=1
Reviews like these?

 

It seems to me that this review does not concern TDS-3 but Port Explorer (another good product from DCS).

 

Sorry, you're right, wrong link but interesting indeed; don't see the TDS reviews links at this time. Sure Wayne knows, the test reviews are on the level of that article at least.
Maybe in those tests they didn't have "complicated files" like those?

He! i'm happy, just made Gavin very happy with a very very nasty NEW and complicated piece of malware, consisting of 21 files in one and NTFS ADS streams exe files and lots of real bad intentions. Don't know it's name yet, it just came in as a spam email attachment -- good that i didn't believe other scanners, detection in the next database tonight. Great! So let's see if that gives 21 detections for one file

 

Here are some test reviews.. etc...

The 2nd link is particularly detailed.

http://www.anti-trojan-software-reviews.com/

http://www.spywarewarrior.com/uiuc/trojans/tr-tests.htm

http://www.vanish.org/security/trojans.htm

Cheers, TAS

 

@TazDevil

I believe the second test did not need to address my problem since "Tests were performed with six files". Almost the same applies to the first test ( http://www.anti-trojan-software-reviews.com/database-currency-test.htm ). By contrast, I would like to use a malware archive containing several hundred files.

The third test does not seem to be a real test. Moreover, this website seems to belong to a DCS reseller (look for a link leading to http://hop.clickbank.net/hop.cgi?vanish/diamondcs).

 

Hi ttt,

That is something we didn't include in TDS-3, sorry.

We should be including some suitable logging options and delete options in TDS-4 which will help collectors. They could create a copy of their collection, scan and delete found trojans leaving only undetected files. This could then be submitted, we hope you will do this when you scan your collection with TDS-4

 

Just FYI, anyone can resell our products. But yes it would make you question the test. From memory, this test was conducted before the user in question signed up as a reseller. You might want to email them and ask

 

Gavin:

thank you for your explanation!

(Btw.: I do not have a problem with DCS resellers testing DCS products. However, DCS should consider to ask such testers to identify themselves as resellers. But this is really "off topic" now. And ultimately it's your responsibility to make up your mind on this issue which has already been discussed a few weeks before.)

 

The effects of even testing an individual file affect us personally as TDS users. See above how happy i was with a new find? Loving to have another nasty unveiled and helping other users to even one more addition to the detection database, the feeling to do something nice for the internet community. And i know by testing such finds online those developers add them to their databases for detection too, so more people are helped with that, even though at this moment they said it was all clean.
So you see human detection can not be ruled out by no means!
And not holding back to spread the word as we see with own eyes and prove it happening each time again.
See my own story in the lightblue link in my sig, think it is what happens to many users who come new to the web and now happy to be able to help out other users.
I think for many convinced users it doesn't make a difference being reseller or not, as they just help spread the word after being helped out and convinced themselves.

 

Currently, the realtime component of TDS-4 allows you to decide what you want to do with the file if you want an automatic response, this includes deleting it. The scanner on the other hand will not have any automatic responses. I don't think it would be good to have an option where you cannot see what the program is doing, as it would be in this case. At the moment the scanner lists all the detected files, and at the end you can choose what you want to do with the files it detects with one or two mouse clicks. I think this is a better compromise, 2 mouse clicks instead of none is hardly "that much more" of a pain, in my opinion.

 

That's exactly how I'd do it if anyone asked. Good compromise between minimizing unintended consequences with false positives and speed. Queuing things to the end for a response session is a whole lot better than stopping midstream and waiting for an answer, which some programs still do.

Blue

 

Hi there Blue,
i also like it, waiting till the end and save to text, then looking if anything needs special attention.
It's a golden rule never to delete anything without a copy to submit@... unless it's a normal positive identification or a normal double extension.
All suspicious and possible <adv> etc go immediately to submit@.....
I thought one time with an online scanner to set it on "ignore" and "apply for all" and hoped it would continue while i stepped away from the system, to discover when i came back it had waited with the next alarm for my confirmation again before continuing scanning.
Or scanners where one can't save the alerts log, or only displaying the names of the nasties found without the full pathnames and file in which it was found, etc.