Help - TDS-3 isn't stopping subseven

Discussion in 'Trojan Defence Suite' started by Soul_Flame, Apr 6, 2002.

Thread Status:
Not open for further replies.
  1. Soul_Flame

    Soul_Flame Guest

    I purchased a registration key and have been running the full-up version for the last couple of days.  On the dslreports forum there was a thread where folks talked about how a different package didn't stop SubSeven when a guy downloaded it for a test.  Others talked about how their anti-trojan software caught it without problem, so I went to wwx.subseven.ws/ and downloaded version 2.2 from mirror one.  It came as a zip file.  When I unzipped, NAV caught it so I had to delete the extract, disable NAV, and re-extract to a separate folder.  At this point, TDS hasn't given me a peep but that's ok 'cause I figure nothing has executed.  By the way, I THINK I have execution protection enabled.  I've gone to the TDS menu, selected execution protection/install, and I get a message that it's installed, but I can do it repeatedly and it tells me the same thing over and over instead of saying something like "it's already installed, you dolt".  I find this very confusing.

    Anyway, I select the sub7.exe file and open it, confident that TDS-3 will leap into action and stop it dead in its tracks.  Nope.  It launches and I get a nifty black and blue little app.  How in the world is TDS-3 letting this thing fire up?  

    I figure one of two things is happening.  Either TDS is missing it or I'm misconfigured, and the odds are the second option is a WHOLE lot more likely than the first, at least I hope it is.  But I've got everything I can see enabled and it's just not doing anything.  

    Frankly, I'm very shaken right now and I'm REALLY hoping someone can straighten me out.  Please tell me what's going on here.  

    Also, I tried to go to the private forum but it won't accept my name/access key combo when attempting to register, even though I'm copying and pasting it directly from the intro page.  So, I've got no way to get into the private forums.

    Thanks

    Rick
     
  2. Soul_Flame

    Soul_Flame Guest

    I need to add that when I select the sub7 folder for scanning, TDS DOES find all the baddies, but that's of little comfort.  It needs to STOP them from EXECUTING, or it's worthless to me.
     
  3. Dan Perez

    Dan Perez Guest

    You must be misconfigured somehow. I went to the link you provided and went through the same steps, and when I tried to launch the editserver, server, and sub7 apps it identified and stopped execution of each, as shown below:

    18:44:32 [Screx] ¤    IRC     ¤ @Dan_screx are now in #tds3.
    19:25:21 [ExecProt] WARNING: c:\untrusted\sub7\editserver.exe has been blocked from executing
    19:25:50 [ExecProt] WARNING: c:\untrusted\sub7\server.exe has been blocked from executing
    19:26:03 [ExecProt] WARNING: c:\untrusted\sub7\sub7.exe has been blocked from executing

    The fact that when you enable exec prot it seems as if it is doing so for the first time is normal (though I agree, unaesthetic); there must be something with your settings.
     
  4. Dan Perez

    Dan Perez Guest

    On reviewing my own settings I see that for the "Initialization" part of the TDS3 Config window I have everything selected. That might be one place to check first.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Rick
    For the technical part of the s7 story I'm sure Wayne / Gavin will be able to explain.
    As it is in the database, it is caught.
    If exec.prot is installed you see it with the next start of TDS in the first couple of lines.

    When you scan, do you have all possible options checked and sensitivity on highest?

    Is it the original s7 2.2 or a harmless test version?

    If there is a problem with the private forum, please send an email to support@diamondcs.com.au with the username you tried to register as DCS has to unlock the forum for the users.
     
  6. Soul_Flame

    Soul_Flame Guest

    Dan, first, thank you for going to the trouble of downloading and testing.  I feel better knowing someone else with TDS-3 had it work the way I expected it to work.  

    Re the config/startup tab, I have EVERYTHING under both initialization AND startup scanning selected; on config/options I do NOT have mIRC DDE enabled (looks like it's script related and I'm not that far along yet), and none of the rest looks like it's relevant to this discussion.

    I don't know where else to look or what to do.
     
  7. Dan Perez

    Dan Perez Guest

    What OS are you running? I am operating on Win2Kpro SP2.

    How about Jooske's suggestion of looking at the startup lines? It should be something along the same lines as:

    19:55:04 [Init] Trojan Defence Suite v3.2.0  - Registered to Dan Perez
    19:55:04 [Init] Started 05-04-02 19:55:04 Pacific Standard Time (UTC: -8), Internet Time @1204.91
    19:55:04 [Init] Loading TDS-3 Systems ...
    19:55:04 [Init] • Priority         :   OK.
    19:55:04 [Init] Token successfully adjusted.
    19:55:04 [Init] • TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum
    19:55:06 [Init] • Plugins          :   OK.      Loaded 21
    19:55:06 [Init] • Exec Protection  :   OK.      Installed
    19:55:08 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    19:55:15 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    19:55:15 [Init] • Systems Initialised [12196 references - 3715 primaries/2827 traces/5654 variants/other]
    19:55:15 [Init] Radius Systems loaded. <Databases updated 05-04-2002>
    19:55:15 [Init] TDS-3 Ready. <Dan@192.168.1.210, 127.0.0.1 - United States>
    19:55:16 [Tip Of The Day] If you regularly query certain computers, add them to the default Target Host list by clicking System Analysis | View File | Default Target Host List
    19:55:16 [TDS] Good evening Dan. Go home! The weekend is here at last!
     
  8. Soul_Flame

    Soul_Flame Guest

    Yeah, it says execution protection is installed on startup.

    Jooske, please look at my response above and tell me if there are any other settings I need to be looking at.  One thing I didn't mention: I've also got both trojans and worms enabled for checking.

    And yeah, it's not a harmless test version as near as I can tell; it's the real 2.2.
     
  9. Dan Perez

    Dan Perez Guest

    On the Scan Control Config (which I am not sure applies here) I have everything selected on the Deep Search side; on the Advanced Scan side I have everything except "Show NTFS ADS streams" and "EICAR strings" checked.

    On the Generic Detection tab, I have both options selected and the sensitivity set to the second-highest setting.
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    DID YOU UPDATE WHEN YOU FIRST GOT IT LIKE I SAID TO? =)

    WHY WOULD YOU PURPOSELY INFECT YOUR COMPUTER, OUTRIGHT COMMIT SUICIDE, WHEN YOU JUST GOT TDS?

    I would have asked someone here with experience to tell me if TDS worked on it and how to config mine so it protects me.

    DID YOU UPDATE WHEN YOU FIRST GOT IT LIKE I SAID TO? =)

    PS: you shouldn't hang around those guys that gave you Sub7, bad cyber candy. Were you pressured?

    It was peer pressure, wasn't it?

    One of the bigger kids opened up his trench coat and said "have a Sub7, the first one's free", didn't he? =) Blaze wink eye.

    Bad mojo =)
     
  11. Soul_Flame

    Soul_Flame Guest

    Dan... I have EVERYTHING on that screen checked, both under Deep Search and Advanced Scan.  On the generic options, I have the same settings as you.

    Mr Blaze... yes, I immediately updated the definitions.  And as to why I would download and run Sub7, the answer should be obvious.  I wanted to verify I have TDS-3 properly installed and configured and that it's doing its job.  Obviously the test was worthwhile because something isn't working properly for some reason.  I wasn't protected, yet I thought I was.
     
  12. Soul_Flame

    Soul_Flame Guest

    Some environmental info to provide in case this proves helpful...

    My OS is XP Home.  I'm also running NAV2002 (though it was disabled during this testing because the first time through it found everything and deleted it; I had to disable it and re-download and re-extract).  I've also got Zone Alarm Pro 3.x and Proxomitron running with ZX's custom scripts.
     
  13. Dan Perez

    Dan Perez Guest

    Well, I THINK we have exhausted all possibilities as to the config then. But clearly something is preventing your install from working right (I loaded from the same mirror site as you and it prevents execution on my system), and their own staff would be better able to help you on that side. I think your decision to load Sub7 as a test was obviously warranted!

    In case the info comes in handy to yourself or to TDS, the MD5 hashes of the three main executables are as follows:

    editserver.exe D2BD19DF36EFC420A96785440A4E3408

    server.exe 22B144AD5B597FDE1825B85E2DB8C800

    sub7.exe 1F846F68CE5F19B4927CCE64E1C90BCF

    Sorry I couldn't help you get it resolved.
     
  14. Dan Perez

    Dan Perez Guest

    As a quick follow-up on the environment side:

    I also have ZA Pro 3.x as well as WormGuard and Kaspersky AV Pro (though I disabled the latter for the tests).
     
  15. Soul_Flame

    Soul_Flame Guest

    Dan, thanks again for all your assistance this evening.  I greatly appreciate it.  At least I can rest easy knowing it's not the app per se, but something about how it's working on MY system.  It sure LOOKS like I've got this thing tightened down, but to see that sub7 app start right up scared the hell out of me.  I sure do look forward to hearing from the folks at DCS on this.
     
  16. Dan Perez

    Dan Perez Guest

    No Problem. Glad to be of help. The only time I had occasion to email support (the private forum logon issue) I got a reply within two minutes so they should be able to get back to you soon once they receive your email.

    Good Luck.
     
  17. Soul_Flame

    Soul_Flame Guest

    Thought I'd post what comes up at startup just to throw some additional info out there.

    22:03:36 [Init] Trojan Defence Suite v3.2.0  - Registered to Richard Mathes
    22:03:36 [Init] Started 05-04-02 22:03:36 Pacific Standard Time (UTC: -8), Internet Time @1294.17
    22:03:36 [Init] Loading TDS-3 Systems ...
    22:03:37 [Init] • Priority         :   OK.
    22:03:37 [Init] Token successfully adjusted.
    22:03:37 [Init] • TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum
    22:03:37 [Init] • Plugins          :   OK.      Loaded 13
    22:03:37 [Init] • Exec Protection  :   OK.      Installed
    22:03:40 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    22:03:43 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    22:03:43 [Init] • Systems Initialised [12196 references - 3715 primaries/2827 traces/5654 variants/other]
    22:03:43 [Init] Radius Systems loaded. <Databases updated 05-04-2002>
    22:03:43 [Init] TDS-3 Ready. <Rick@192.168.1.100, 127.0.0.1 - United States>
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi all
    Rick and Dan, are you at the same ISP?
    I IM'd DCS in the meantime, realising it's the weekend there, but I'm sure if Wayne or Gavin is able to he'll answer as soon as possible and explain the tech parts here.
    You run XP, I don't, so I can't advise much on that part, but I read in the private forum that people installed TDS on it both as an administrator and as a normal user on their system, so twice, for ultimate protection. Might be an idea to try?
    I think you don't need to unzip the nasty, btw, as TDS scans inside zips as well, so with a right-click from Explorer, going into the zip to click on running it, it should give the wanted alarms.
    You might like to create in the TDS directory an extra folder, "ScanAlerts" for instance, in which you store all that kind of nasties and whatever you might receive in infected emails, to build a nice test database. If you zip them, they can't do much harm nor be found by intruders that easily if they ever would scan your system. So you have some to show you the scans work, and don't allow your other scanners to delete/disinfect/quarantine whatever; I have them alerting, but further the other scanners are not allowed to touch them at all :)

    WormGuard 3 you can try; on the one XP it works fine, on others there might be some problems, the reason for DCS not to recommend it on XP on their site at this moment; in v4 this should all be solved in a whole new engine.

    ZA Pro 3 runs normally with TDS.
     
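The script below is an added example, not code from the thread or from DiamondCS. It ties together two things posted above: the MD5 hashes Dan posted for the three Sub7 executables (post 13) and Jooske's suggestion of keeping test samples zipped in a dedicated folder (post 18). It zips whatever is in a sample folder, stores an MD5/SHA-256 manifest inside the archive, and later recomputes the digests from the archive and compares them with both the manifest and externally posted hashes, so two testers can confirm they are running the same build. The folder and archive names are assumptions, and the files written by demo() are constructed stand-ins, not the real binaries, so it runs offline.

```python
"""Sample vault: zip test samples, record their digests, check them later.

Added example, not part of the original thread. POSTED_MD5 holds the MD5
values exactly as Dan posted them; everything demo() writes is constructed
stand-in data, not the real Sub7 files.
"""
import hashlib
import json
import os
import tempfile
import zipfile

# MD5 values as posted in the thread. MD5 is no longer collision resistant,
# so the manifest also records SHA-256 for anything you decide to keep.
POSTED_MD5 = {
    "editserver.exe": "D2BD19DF36EFC420A96785440A4E3408",
    "server.exe": "22B144AD5B597FDE1825B85E2DB8C800",
    "sub7.exe": "1F846F68CE5F19B4927CCE64E1C90BCF",
}

MANIFEST = "MANIFEST.json"  # assumed name of the manifest entry in the zip


def digests(data):
    """Return (md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def build_vault(folder, zip_path):
    """Zip every regular file in `folder` and store a digest manifest inside.

    Samples are stored deflated, so nothing in the archive can be launched
    by accident and a scanner that does not unpack archives will not see
    the raw bytes. Returns the manifest: name -> {"md5": ..., "sha256": ...}.
    """
    manifest = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            md5, sha = digests(data)
            manifest[name] = {"md5": md5, "sha256": sha}
            zf.writestr(name, data)
        zf.writestr(MANIFEST, json.dumps(manifest, indent=2))
    return manifest


def check_vault(zip_path, expected_md5):
    """Recompute digests inside the archive; compare with the manifest and
    with externally posted MD5 values (case-insensitive).

    Returns name -> 'match', 'mismatch' or 'missing'. An archive entry with
    no manifest record counts as 'mismatch'; a posted name absent from the
    archive counts as 'missing'.
    """
    results = {}
    with zipfile.ZipFile(zip_path) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        present = set(zf.namelist()) - {MANIFEST}
        for name in sorted(present):
            md5, sha = digests(zf.read(name))
            rec = manifest.get(name, {})
            ok = rec.get("md5") == md5 and rec.get("sha256") == sha
            if name in expected_md5:
                ok = ok and md5.lower() == expected_md5[name].lower()
            results[name] = "match" if ok else "mismatch"
        for name in expected_md5:
            if name not in present:
                results[name] = "missing"
    return results


def demo():
    """Constructed demo: stand-in files, so the real Sub7 hashes cannot match."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "ScanAlerts")  # folder name from Jooske's post
        os.mkdir(src)
        # b"hello" has MD5 5d41402abc4b2a76b9719d911017c592
        with open(os.path.join(src, "sample_a.bin"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(src, "sub7.exe"), "wb") as fh:
            fh.write(b"stand-in bytes, not the real Sub7 client")
        zip_path = os.path.join(d, "samples.zip")
        build_vault(src, zip_path)
        expected = dict(POSTED_MD5)
        expected["sample_a.bin"] = "5d41402abc4b2a76b9719d911017c592"
        return check_vault(zip_path, expected)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:16} {status}")
```

Run it as-is to see the four statuses from the constructed demo; point build_vault at your own ScanAlerts folder and check_vault at the resulting zip to compare a real extract against the posted hashes. Treat MD5 only as an identity check between two people who downloaded the same mirror, not as proof of integrity; the SHA-256 in the manifest is what you should carry forward.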
  19. Dan Perez

    Dan Perez Guest

    Hey Jooske,

    I doubt if Rick and I use the same ISP. If you were going by the local addresses shown in the TDS output we are just using the same private Class C network scheme and having our network firewall do the NAT at the perimeter of the network. I use a dual-homed OpenBSD machine as a firewall and have another OpenBSD box running Snort as an IDS interior to this on a hub where my other stations are.

    ;)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yep, sorry, I realised, and you reacted already before I could edit that part.
    In my identification it gives my modem or net card connection first, my IP at my ISP, my local machine, my location; your scheme I should have recognized.
    Time to rebuild one of my 486s into a FW when I'm ready for that part of the education in how to.
    There are still so many wishes, like running my own server, so before that the FW part and configuration should all be ok!
    So you understand I like to look in packets etc. to see what they are, as is possible with TDS, in which you're even able to change them.
     
  21. Dan Perez

    Dan Perez Guest

    Heh, heh...

    Sorry I reacted to your message so quickly! Now the whole world KNOWS you made a mistake  :D
     
  22. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Please try downloading the v3.2.1 update (~800kb) from http://tds.diamondcs.com.au and re-test the execution protection; it should comfortably intercept and block the execution of any Sub7 server.
    Let me know how it goes!

    Best regards,
    Wayne
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Dan, doesn't matter, i'm not all computerized yet, still human :p

    Wayne thanks for the advice.
    So maybe not necessary to install TDS on the XP another time both as administrator and as a user to be all sure (it shouldn't, but...)?
     
  24. Soul_Flame

    Soul_Flame Guest

    Jooske... yeah, I have to unzip it because that's the only way to actually RUN it.  I'm not concerned with TDS catching it when I manually select to scan the folder.  I'm testing my real-time protection and, unless I'm mistaken, I actually have to launch one of these bad boys to do that.

    I'm going to try Wayne's suggestion and see what happens.  I downloaded the update file, but I'm unclear what to do with the unzipped contents, whether I just copy the files into the same folder as my TDS-3 install or what, so I've uninstalled the whole of TDS-3, am downloading and will reinstall 3.2.1 and see what happens.  I would think, though, that 3.2.0 should've caught it.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No no, the update is to be unzipped in the TDS-3 folder, as it is updating and adding 42 files to TDS in several places in the system. The main TDS.exe is not changed though, so you will still see 3.2.0 in your console at the restart after running the update; don't let this confuse you.
    Hope you soon get your access key to the private forum too, where we discussed a few things like these I'm describing now.

    When I want to know what's in a file, after downloading I first scan it before running or unpacking. So if you know you have this nasty by its tail, put it into that ScanAlerts folder I suggested you make inside TDS, to know where to store your test materials. When you right-click on a file, you have the option (in Explorer) to extract the thing somehow. I press "cancel" but I am in the folder looking at the various files there. So at that moment you can do what you like: look at them, click them to run, and you could right-click them again from there for a scan or try to run them, at which moment the exec protection would jump up to alarm or block the thing, etc.
     