Command line options

Hello,

Having had a recent email conversation with the DCS support staff/engineers, and I still have one outstanding question;

What (if any) command line options are there to TDS-3? What I'm really looking for is an Unload or Reload set. The purpose would be to have TDS-3 do semi-automated scheduling of CRC32 and Memory scans (which would be set in the Scan Control).

Currently I'm doing this hack/batch file AFTER TDS-3 is loaded in the Scheduler Tasks on W2K Server;

kill TDS-3
tds-3.exe -scan

DCS support has said that a scheduler capability as well as more command line options will be available in TDS-4 when it is released. If anyone can give a better way to exit TDS-3 it would be much appreciated. The destination servers have uptimes of months (at least until the next Microsoft critical patch affecting an IIS / SQL server).

Cheers,
Mike Kalinovich
polaryzed@yahoo.com

 

hi polaryzed,
The only commandline options exists in TDS-3:

TDS-3.exe -scand <directory path>
TDS-3.exe -scanf <file path/name>

The one you named, was new to me
Dolf

 

Dolf,

Thanks for the response, and the confirmation of what I feared.

It's more likely that the -scan I mentioned doesn't exist, but by running the tds-3.exe after it's been closed with kill, just starts TDS again, and it auto-checks the CRC and Memory anyways.

Oh well. Another reason to wait for TDS-4

 

Don't punish yourself TDS-3 has a lot of other goodies, and the upgrade to TDS-4 is free.
Dolf

 

Hi polaryzed,

Maybe it could be done with using a SS3-script, but I'm afraid I don't know very much about SS3-scripting......

With respect to the CRC-check:
You could also try the free utility called NIS File Check. Although "NIS" is mentioned in its name, you don't need to have AtGuard/NIS/NPF on your system to use it.
There is a special forum-section here at the Wilders-board for NIS File Check. You can let it run via scheduler if you like to do so; Joseph (moderator at that forum-section) uses it that way.
Although I'm really happy with the CRC32-feature in TDS-3 (no doubt about that!), I have to say that NIS File Check gives you a lot of more information, gives stronger Hash-algorithms and protects its database with Blowfish.

 

Hi Polaryzed,

You wrote that you want it to be done "semi-automated".
What would you do with the results of those scans?
Read the results later on at the log-files?

I mean in those kind of logfiles, for example:
C:\your-TDS-directory\Logs\jan\13-01-03 ma.txt
Note1: "ma" means "maandag" which is Dutch for "monday".
Note2: "jan" means "January".
Note3: "13-01-03" is on my system in the form DD-MM-YY.
Note4: I have replaced my TDS-3 directory here at the posting with "your-TDS-directory".

If I run a check then I want to read the results immediately after running it (of course I also have the logs in case I would like to read them at a later moment).

 

I mis-stated, something is either automated or it's not.

What I was looking for was a regular check of memory space and CRC32 checks of files. The results of said scans are configured in TDS with it's emailing capability. (So I would know within a few minutes if any critical files were modified, or if a trojan/other bad thing has breached the server).

Regular meaning 15-20 minute intervals. TDS would in effect be acting as a continuous scanner.

 

OK, I see.
So you want: TDS-3 keep on running in the background (with Execution Protection enabled, which is the resident part of TDS-3), and regular scans with the CRC32- and ProcessMemorySpaceScan-feature, and then the results emailed to you using the email-capability in TDS-3.

Do I understand that right?

[hr]
On a site-note:
Earlier in this thread I wrote about NISFileCheck.
You can also have a look at File Checker from Javacool; see dedicated forum at this board for Javacool's programs.

 

Kinda correct

An email is generated only if badness is detected.

I'm currently using an MD5 perl script which stores the hashes in a database. Nothing dramatic, just want to be rid of some of the numerous scheduled tasks I have already.

 

Right, that is what I was thinking too

BTW, just some other thought (only thinking out "loud" now).
The Process-Memory-Space-Scan is a very important/usefull part of TDS-3.
But why would you like to perform that scan every X minutes? I mean: Execution Protection is already "running"!!
Wouldn't it be enough to do that Process-Memory-Space-Scan -let's say- once or twice a day, and at least at system/TDS-3 start-up?
I might be completely wrong here, but I have the feeling that doing a Process-Memory-Space-Scan every X minutes is just pure overkill.....

Now back to the CRC32-check:
You say that you already have enough tasks running in the task-scheduler. But one way or another you have to use some scheduler if you want to do those scan(s) every X minutes. Right?

You also said that you use now a MD5-check. Well, that's a stronger HASH-algorithm than CRC32 (sorry that I have to say it, but CRC32 is not exactly world's strongest HASH). And there are even stronger HASH-algorithms than MD5....
Read for example the guidelines for NISFileCheck here at the Wilders-forum, or ask Luv2bsecure and Joseph (both mods at the Wilders-forum). Well, of course all (i.e. using which HASH) depends on what level of security you want.

If what you want, is not possible with an SS3-script and timer in it, I might have found another possibility:
EZ Macros. It lets you make a macro (with for example key-strokes) and gives the possibility to edit it, insert pauses (which you will need if you want to do that Process-Memory-Space-Scan), and "export" the macro to an .exe file. It comes with its own scheduler, if you want to use that one. But there you have it again: you need a scheduler....
Anyhow, I've just downloaded it and I guess I will play a bit with it (I hope I'll have the opportunity to do so...). On the other hand: you said you already have some batch-file.......

 

LOL.

Good, you've come to the same conclusions I have so far.

The Task Scheduler uses the Run-as syntax. Password changes are monthly, sometimes more frequently. When I have hundreds of servers to change passwords on, this aspect isn't scriptable (yet, to my knowledge). The less time I spend doing a password change, the more time I can spend looking at dilbert.com

Yes MD5 is nice, and the scripts I have are all functioning as side apps. I was just hoping for an all-in-one app to do it for me. Maintenance and deployment is simplified, as is the standard place for output.

As for the memory mutex check. Overkill doesn't exist in the vocabulary as a Security Administrator.

 

Hey, I like this discussion

Only a site-note:

Oops, you write now "memory mutex check".
That is not the same as a Process-Memory-Space-Scan.
(Someone once called it a Process-Memory-Space-Cake ).
That PMSS might be what you're looking for, I guess....
Have a look at the Helpfile.

Yep, I understand.
Still I would also like to hear Wayne's/Gavin's thoughts about how important/usefull/make-sense it would be to do that scan every X minutes after an initial scan with it and then TDS-3 with Execution Protection "running"


Cheers, Jan.

 

It's one of the more interesting conversations I've been involved in on a BBS

I know they're different scans. Both would be of use to run, the mutex is more useful. Besides when you can tell your clients that you're running "CRC32/MD5 and Memory Mutex scans", the Mutex makes it sound more impressive

Agreed, it would be interesting to hear their thoughts. The automation and scheduling ability is the feature I would like to see most in a new version. Command line options would be useful too.