Command line options

Discussion in 'Trojan Defence Suite' started by polaryzed, Jan 9, 2003.

Thread Status:
Not open for further replies.
  1. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    Hello,

    Having had a recent email conversation with the DCS support staff/engineers, I still have one outstanding question:

    What (if any) command line options are there to TDS-3? What I'm really looking for is an Unload or Reload set. The purpose would be to have TDS-3 do semi-automated scheduling of CRC32 and Memory scans (which would be set in the Scan Control).

    Currently I'm doing this hack/batch file AFTER TDS-3 is loaded in the Scheduler Tasks on W2K Server:

    kill TDS-3
    tds-3.exe -scan

    DCS support has said that a scheduler capability as well as more command line options will be available in TDS-4 when it is released. If anyone can give a better way to exit TDS-3 it would be much appreciated. The destination servers have uptimes of months (at least until the next Microsoft critical patch affecting an IIS / SQL server).

    Cheers,
    Mike Kalinovich
    polaryzed@yahoo.com
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hi polaryzed,
    The only command-line options that exist in TDS-3:

    TDS-3.exe -scand <directory path>
    TDS-3.exe -scanf <file path/name>

    The one you named was new to me.
    Dolf
     
  3. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    Dolf,

    Thanks for the response, and the confirmation of what I feared.

    It's more likely that the -scan I mentioned doesn't exist, but running tds-3.exe after it's been closed with kill just starts TDS again, and it auto-checks the CRC and Memory anyway.

    Oh well. Another reason to wait for TDS-4 :)
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Don't punish yourself; TDS-3 has a lot of other goodies, and the upgrade to TDS-4 is free. :D
    Dolf
     
  5. FanJ

    FanJ Guest

    Hi polaryzed,

    Maybe it could be done using an SS3 script, but I'm afraid I don't know very much about SS3 scripting......

    With respect to the CRC-check:
    You could also try the free utility called NIS File Check. Although "NIS" is mentioned in its name, you don't need to have AtGuard/NIS/NPF on your system to use it.
    There is a special forum-section here at the Wilders-board for NIS File Check. You can let it run via scheduler if you like to do so; Joseph (moderator at that forum-section) uses it that way.
    Although I'm really happy with the CRC32 feature in TDS-3 (no doubt about that!), I have to say that NIS File Check gives you a lot more information, gives stronger hash algorithms and protects its database with Blowfish.
     
  6. FanJ

    FanJ Guest

    Hi Polaryzed,

    You wrote that you want it to be done "semi-automated".
    What would you do with the results of those scans?
    Read the results later on at the log-files?

    I mean in those kinds of logfiles, for example:
    C:\your-TDS-directory\Logs\jan\13-01-03 ma.txt
    Note1: "ma" means "maandag" which is Dutch for "monday".
    Note2: "jan" means "January".
    Note3: "13-01-03" is on my system in the form DD-MM-YY.
    Note4: I have replaced my TDS-3 directory here at the posting with "your-TDS-directory".

    If I run a check then I want to read the results immediately after running it (of course I also have the logs in case I would like to read them at a later moment).
     
  7. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    I mis-stated, something is either automated or it's not.

    What I was looking for was a regular check of memory space and CRC32 checks of files. The results of said scans are configured in TDS with its emailing capability. (So I would know within a few minutes if any critical files were modified, or if a trojan/other bad thing has breached the server.)

    Regular meaning 15-20 minute intervals. TDS would in effect be acting as a continuous scanner.
     
  8. FanJ

    FanJ Guest

    OK, I see.
    So you want: TDS-3 keep on running in the background (with Execution Protection enabled, which is the resident part of TDS-3), and regular scans with the CRC32- and ProcessMemorySpaceScan-feature, and then the results emailed to you using the email-capability in TDS-3.

    Do I understand that right?

    [hr]
    On a side note:
    Earlier in this thread I wrote about NISFileCheck.
    You can also have a look at File Checker from Javacool; see dedicated forum at this board for Javacool's programs.
     
  9. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    Kinda correct :)

    An email is generated only if badness is detected.

    I'm currently using an MD5 perl script which stores the hashes in a database. Nothing dramatic, just want to be rid of some of the numerous scheduled tasks I have already.
     
  10. FanJ

    FanJ Guest

    Right, that is what I was thinking too ;)

    BTW, just some other thought (only thinking out "loud" now).
    The Process-Memory-Space-Scan is a very important/useful part of TDS-3.
    But why would you like to perform that scan every X minutes? I mean: Execution Protection is already "running"!!
    Wouldn't it be enough to do that Process-Memory-Space-Scan -let's say- once or twice a day, and at least at system/TDS-3 start-up?
    I might be completely wrong here, but I have the feeling that doing a Process-Memory-Space-Scan every X minutes is just pure overkill.....

    Now back to the CRC32-check:
    You say that you already have enough tasks running in the task-scheduler. But one way or another you have to use some scheduler if you want to do those scan(s) every X minutes. Right?

    You also said that you now use an MD5 check. Well, that's a stronger hash algorithm than CRC32 (sorry that I have to say it, but CRC32 is not exactly the world's strongest hash). And there are even stronger hash algorithms than MD5....
    Read for example the guidelines for NISFileCheck here at the Wilders-forum, or ask Luv2bsecure and Joseph (both mods at the Wilders-forum). Well, of course all (i.e. using which HASH) depends on what level of security you want.

    If what you want, is not possible with an SS3-script and timer in it, I might have found another possibility:
    EZ Macros. It lets you make a macro (with for example key-strokes) and gives the possibility to edit it, insert pauses (which you will need if you want to do that Process-Memory-Space-Scan), and "export" the macro to an .exe file. It comes with its own scheduler, if you want to use that one. But there you have it again: you need a scheduler....
    Anyhow, I've just downloaded it and I guess I will play a bit with it (I hope I'll have the opportunity to do so...). On the other hand: you said you already have some batch-file.......
     
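FanJ's point in this post (and in post 5 above) is that CRC32 is a checksum, not a cryptographic hash, so an integrity database built on it gives weaker guarantees than one built on MD5 or stronger. The following is an added example, not TDS-3 code and not polaryzed's Perl script: a small Python file-integrity baseline that records CRC32, MD5 and SHA-256 for every file under a directory, re-verifies them, and then demonstrates the concrete weakness, namely that an attacker who replaces a file can append four chosen bytes so that the CRC32 still matches the recorded value, while MD5 and SHA-256 still flag the change. The directory tree, file names and contents are constructed sample data; the CRC-forging routine is the standard table-inversion technique for the reflected CRC-32 used by zlib.

```python
"""File-integrity baseline: CRC32 vs cryptographic hashes (added example, not from TDS-3)."""
import hashlib
import json
import os
import tempfile
import zlib


def _make_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), identical to zlib's."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Every table entry has a distinct top byte, so this reverse lookup is a bijection.
INDEX_BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(TABLE)}


def digests(data):
    """All three values an integrity database might record for one file."""
    return {"crc32": "%08x" % zlib.crc32(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(root):
    """Map relative path -> digests for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                baseline[os.path.relpath(path, root)] = digests(f.read())
    return baseline


def verify(root, baseline):
    """Return {relpath: [algorithms that disagree with the baseline]} for changed files."""
    changed = {}
    current = build_baseline(root)
    for rel, recorded in baseline.items():
        now = current.get(rel)
        if now is None:
            changed[rel] = ["missing"]
            continue
        diffs = [alg for alg in recorded if recorded[alg] != now[alg]]
        if diffs:
            changed[rel] = diffs
    for rel in current.keys() - baseline.keys():
        changed[rel] = ["new"]
    return changed


def forge_crc32(data, target):
    """Return data plus 4 bytes chosen so that zlib.crc32(result) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after `data` (undo final XOR)
    want = target ^ 0xFFFFFFFF            # register value we must end at
    # Walk backwards from the wanted register to recover the four table indices.
    indices = []
    cur = want
    for _ in range(4):
        idx = INDEX_BY_TOP_BYTE[cur >> 24]
        indices.append(idx)
        cur = ((cur ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Walk forwards, picking each byte so the register hits the required index.
    patch = bytearray()
    for idx in indices:
        patch.append((reg ^ idx) & 0xFF)
        reg = (reg >> 8) ^ TABLE[idx]
    return data + bytes(patch)


def demo():
    """Constructed scenario: baseline a tree, then swap one file for a CRC-forged copy."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        tool = os.path.join(bin_dir, "tool.exe")
        original = b"MZ original tool image (constructed sample)"
        with open(tool, "wb") as f:
            f.write(original)
        with open(os.path.join(bin_dir, "readme.txt"), "wb") as f:
            f.write(b"untouched file (constructed sample)")
        baseline = build_baseline(root)
        # Attacker replaces the binary but pads it so its CRC32 still matches the baseline.
        trojaned = forge_crc32(b"MZ trojaned image (constructed sample)", zlib.crc32(original))
        with open(tool, "wb") as f:
            f.write(trojaned)
        return verify(root, baseline)


if __name__ == "__main__":
    # Only md5 and sha256 report the swapped file; crc32 is silent.
    print(json.dumps(demo(), indent=2))
```

The scan loop itself is the same whatever digest is stored; the difference is entirely in what an attacker can do to the file afterwards. A CRC32-only database, whether TDS-3's or a home-grown one, can be satisfied by the four-byte patch shown in `forge_crc32`, so a server alert policy of "email me when a CRC32 changes" can be bypassed by anyone who can write the file. Recording MD5 or SHA-256 alongside it closes that particular hole at negligible extra cost.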
  11. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    LOL.

    Good, you've come to the same conclusions I have so far.

    The Task Scheduler uses the Run-as syntax. Password changes are monthly, sometimes more frequently. When I have hundreds of servers to change passwords on, this aspect isn't scriptable (yet, to my knowledge). The less time I spend doing a password change, the more time I can spend looking at dilbert.com :)

    Yes MD5 is nice, and the scripts I have are all functioning as side apps. I was just hoping for an all-in-one app to do it for me. Maintenance and deployment is simplified, as is the standard place for output.

    As for the memory mutex check. Overkill doesn't exist in the vocabulary of a Security Administrator. :)
     
  12. FanJ

    FanJ Guest

    :)
    Hey, I like this discussion :)

    Only a side note:
    Oops, you write now "memory mutex check".
    That is not the same as a Process-Memory-Space-Scan.
    (Someone once called it a Process-Memory-Space-Cake ;)).
    That PMSS might be what you're looking for, I guess....
    Have a look at the Helpfile.

    Yep, I understand.
    Still I would also like to hear Wayne's/Gavin's thoughts about how important/useful/sensible it would be to do that scan every X minutes after an initial scan with it and then TDS-3 with Execution Protection "running" ;)


    Cheers, Jan.
     
  13. polaryzed

    polaryzed Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    7
    Location:
    Ontario, Canada
    It's one of the more interesting conversations I've been involved in on a BBS :)

    I know they're different scans. Both would be of use to run, the mutex is more useful. Besides when you can tell your clients that you're running "CRC32/MD5 and Memory Mutex scans", the Mutex makes it sound more impressive :)

    Agreed, it would be interesting to hear their thoughts. The automation and scheduling ability is the feature I would like to see most in a new version. Command line options would be useful too.
     