LockDown as Trojan

Discussion in 'Trojan Defence Suite' started by controler, May 15, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    1. sent in file
    2. updated today
    3. still detects Lockdown as a RAT

    move]?[[/move]
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Your [ and [ /codes ] were not in the exact place for that.


    And what is DCS's reply?
     
  3. controler

    controler Guest

    They are not replying :(

    I better leave the HTML to you dear
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Lockdown put the signatures uncrypt into memory. So many other (more reliable) programs produce due to the weakness of Lockdown a false positive. IMHO if you use TDS-3 then there is no need for this LD-garbage anymore.

    wizard
     
  5. controler

    controler Guest

    Mr Wizard? Mr Wizard?

    Time for this one to come home.

    My Copy of LockDown is free

    My Copy of TDS-3 is a TRIAL and I am not worthy to get a beta copy.

    Now you don't see me calling TDS-3 GB do you?

    "Lockdown put the signatures uncrypt into memory"

    Did you mean to use English to explain your Quote above? And meant to write encrypted?

    You should take this up with Michael Paris if you are so sure LockDown is GB
     
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hey controler, I don't know how familiar you are with the history of Lockdown, Mr. Paris, PC Help, and various and sundry parties, BUT, there are a lot of people around that have some very strong feelings one way or the other. The story goes back a ways, and there are lots of ins and outs to it.
    I try to allow others to make up their own mind about products and not criticise them for the choices they make.
    I can only suggest at this point in time, if you put your trust in Lockdown, I hope you have researched it at least a bit, so that there is a reason for your trust.
    There are a lot of programs out there I consider garbage. I always have what I think is a good reason, based on investigation. Sometimes I pop up with my thoughts about a certain program being garbage. When I do, hopefully people don't take it personally if they happen to like that program.
    I guess all I'm trying to say here is there is a reason people do not care for Lockdown, and if in using the product you are happy, and do not find a reason to dislike it, fine. However, it would be my personal opinion, fwiw, that you would be better served by TDS3, BOClean, or Trojan Hunter.
    I hope I have said nothing that would upset you further as that is not my intent.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hold on guys, may I remind you this part of the forum is about TDS and TDS finding a possible false or not false alarm in another product, for which a thread is running, waiting for DCS replies.

    If it comes to opinions about products and comparison I really must ask to open another thread for that in the general forum parts, where there are certainly suitable places.
    Everybody for sure is free to have opinions about products and a healthy discussion without flaming or namecalling and such is certainly encouraged, as we all can learn from other people's experiences and explanation on which these opinions are based.
     
  8. controler

    controler Guest

    Hey sweetie, Thanks

    You know that's all I been trying to do here is get feedback from TDS about LockDown false Alarm.
    I didn't see ROOT mention exactly why he hated LockDown but I have read all the PC-Help stuff and of course you know me by now and would do anything to help anybody. nuff said.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi controler,

    I replied to your email as soon as possible today. Just to recap, Lockdown has some trojan signatures stored - in PLAIN TEXT - inside the main executable. This means that any scanner looking at the process when it is running will see those detection signatures, and by chance we make a detection on those :)

    As explained, signatures should always be in an external, updateable, ENCRYPTED database - for many reasons. TDS-4 will not detect this, we will make some changes to the main TDS executable which is the best way to get around this false detection.
     
  10. Developer

    Developer Guest

    Gavin,

    Just the other day DCS reprehended SpyCop for finding a spy-bot string in your dcsmutex.dll and detecting it as a Trojan.

    You advised SpyCop developers to improve the _primitive_ way they use to find trojans.

    It seems DCS also sins a little by storing trojan related strings in _plain text_ inside executables (.dll)

    I don't care a bit about LockDown but with the 16 (?) advanced methods TDS3 uses to detect trojans, a false positive relying on a text-string is a bit surprising.

    I'm sure you can find a way to eliminate this false-positive.
     
  11. controler

    controler Guest

    Well then this should prove to be interesting and a good thing since both TDS and LockDown are coming out with huge releases in the next few weeks.
    It is nice to see the two working together for the good of all now.
    Things are really going to start getting nasty in this old world in the next year.

    And Yes it is ODD that everybody uses internal txt signatures instead of pulling them all from an external database.

    controler
     
  12. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Peace to the world
     
  13. controler

    controler Guest

    LockDown has its own signature database which is not a part of the executable. If you look in the LockDown directory you will see a file called sigs.l2k and sigs.bak. These are the signature database which LockDown uses. If you were to move both of those files and put them into another folder and then scan them with TDS you will see that they are not detected as Trojans. Next open LockDown in advanced mode and scan the running process with TDS and you will get a detection as a Trojan. Then go to the scanner in LockDown and look at the file signatures and you will see that you have no file signatures loaded. Close LockDown and copy the 2 signature files back and reopen it and you will see that it now once again has signatures. Scan again with TDS and you will get another false detection from it. This will prove that the signatures are not built into the executable.
    I would suggest that you try the above to verify this to be correct for your own peace of mind.
    controler
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Controler,

    The TDS/LD issue has been talked over extensively by now; DCS has provided an answer in this thread.

    This should do as for TDS vs LD in the TDS forum.

    In case you feel the need to discuss LD any further, you are free to do so in an appropriate other forum. DCS forums are not the appropriate ones, and for that reason off-limit from now on.

    No offense meant, but we'd like to keep our forums as "clean" as possible, meaning relevant threads/posts in relevant forums.

    regards.

    paul
     
  15. controler

    controler Guest

    "No offense meant, but we'd like to keep our forums as "clean" as possible, meaning relevant threads/posts in relevant forums.

    regards.

    paul "
    Very unprofessional there dude :( The issue was not resolved about the file signatures and furthermore this was the correct forum. The issue was with regards to TDS false alarm. Wouldn't the readers want to read about all that stuff?
    You disappointed me.
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hello Controler,

    I have no problems in you commenting on me being professional or not; that's anyone's prerogative. I do mind being referred to as "dude". Please refrain from such remarks.

    As it seems, I've chosen the wrong words here, thus let me rephrase:

    As long as the issue is focussed on TDS flagging false alarms (regardless what other software is involved) I don't have any problems with this thread being continued.

    In case the focus comes down to specific other software - in this case LD for example, this is the wrong forum, and a new thread has to be started on the appropriate other forum.

    I'm sure you'll survive.

    regards.

    paul
     
  17. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    You want reading about all that stuff? Just search the web for reviews on LD and have a look at http://www.wilders.org for an overview of good anti trojan software. ;)

    wizard
     
  18. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Quite so.
     
  19. controler

    controler Guest

    Doesn't like being called dude. hum what does this tell us ? LOL
    I doublechecked and his sign shows male, am I wrong here?

    Actually since my life is in turmoil, and am sure you like hearing that. I won't post anymore
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    controler - Absolutely no one here is going to take any satisfaction in the fact that your life is in turmoil right now - if you knew any of us personally, you wouldn't be hearing many songs about how life is but a bowl of cherries on our end, either.

    With the turmoil part of your life, feel free to email me if I can be of any help or if you just need someone to talk to.

    The issue with the detection you brought up is a valid one - hopefully, someone from DCS will stop around and try to explain it.

    Please just be realistic in your expectations here, okay? We all like TDS - if we didn't, we wouldn't have a forum here for it. That doesn't blind us to any issues that may arise with its use - it just lets us relax about it until the problem either gets thoroughly explained and understood, or fixed.

    Just my .02 Pete
     
  21. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Well said Pete.

    Controler, I am sorry to hear things are not well with you. It seems fate (if you believe in that rubbish) has been dealing some bad circumstances to many people on this forum lately. Truly saddening. As with the rest, I am honestly sorry to hear that. Whether you like TDS3 or LD makes no difference to me in that respect. You are still a human and worthy of compassion.

    'nuff of the mushy stuff. Back to biz...

    Until Diamond Computer Systems responds to the valid challenge posted by Controler:

    There is no need to post further in this thread. Ten-Forward is an excellent place to discuss the woes of the world (and the existence of fate ;)), NOT here.

    Gavin/Wayne, we wait for your answer.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Righto.

    He Pete, with all those .02 you spent today in the forum, that's about a large sunday icecream! Good to have it all cool down and to enjoy.
    I am sure nobody would like to walk in other people's shoes if they knew more backgrounds.
    It's good doing business here in a forum where we know all people being helpful and patient with each other and respectful. So we all can learn more by the day and build this intelligence knowledge base.
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi everyone,

    Just to let you know of a couple of things.. firstly DCSMutex.DLL does indeed have a couple of plaintext strings, however these are trojan names and not signatures - the actual mutex signatures are encrypted.

    Lockdown does indeed have an external database, however it does also have signatures stored inside the main executable. Open it with a hex editor and take a look :) There is no reason for this, or the signatures should be encrypted..

    The only ways NOT to detect this is to ignore the file itself, or reduce detection capabilities of memory scanning (no thanks). The next release of TDS will be updated to have removal of this, but a database update will not change anything of course.
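
Added example, not part of the original thread and not DiamondCS or Lockdown code: a minimal Python model of the false positive described in Gavin's two posts (plaintext signatures visible to a memory scanner, versus signatures kept encoded). The signature strings, detection names, function names and the single-byte XOR mask, which stands in for real database encryption, are all constructed assumptions.

```python
# Added illustration; every signature string and name here is constructed.
SIGNATURES = {
    "Example.RAT.A": b"EXAMPLE-RAT-A-SERVER-BANNER",
    "Example.RAT.B": b"EXAMPLE-RAT-B-CONFIG-MAGIC",
}
MASK = 0x5A  # assumption: single-byte XOR stands in for real encryption


def mask(data: bytes) -> bytes:
    """XOR every byte with MASK; applying it twice restores the input."""
    return bytes(b ^ MASK for b in data)


def scan(image: bytes, signatures: dict) -> list:
    """Naive memory/file scan: names of all signatures found in image."""
    return sorted(n for n, sig in signatures.items() if sig in image)


def other_scanner_image(stored_masked: bool) -> bytes:
    """Model the process image of a second scanner that embeds its table."""
    image = b"MZ" + bytes(64) + b"<scanner code>"
    for sig in SIGNATURES.values():
        image += b"\x00" + (mask(sig) if stored_masked else sig)
    return image


def scan_masked(image: bytes, masked_table: dict) -> list:
    """Match without ever holding plaintext patterns: mask the input
    instead of unmasking the table (byte-wise XOR preserves substrings)."""
    view = mask(image)
    return sorted(n for n, m in masked_table.items() if m in view)


def demo() -> dict:
    masked_table = {n: mask(s) for n, s in SIGNATURES.items()}
    sample = b"\x90" * 8 + SIGNATURES["Example.RAT.A"] + b"\x00" * 8
    return {
        # Plaintext table in memory: the other product looks like both trojans.
        "plaintext_image": scan(other_scanner_image(False), SIGNATURES),
        # Encoded table in memory: nothing for a byte-pattern scan to hit.
        "masked_image": scan(other_scanner_image(True), SIGNATURES),
        # Detection of a real (constructed) sample still works when masked.
        "sample": scan_masked(sample, masked_table),
    }


if __name__ == "__main__":
    print(demo())
```
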
     
  24. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    That is a fair enough answer for me.

    Unless you disagree controler, let's consider this topic wrapped up.
     