Questions about TDS-3

Discussion in 'Trojan Defence Suite' started by Mark Lee, Jun 1, 2002.

Thread Status:
Not open for further replies.
  1. Mark Lee

    Mark Lee Guest

    I'm considering the purchase of TDS-3 but I have a few questions I need answered before registering so I'd really appreciate help from all you experienced users out there.

    1-What I'm really missing from this anti-trojan is the background monitoring like in other software. I believe that the execution protection feature is the same, or is it? And do I need to keep TDS-3 running for it to be functional (I'm using the trial version)?

    2-I'd probably buy it right away if I knew for sure that TDS-4 would implement a feature that can scan incoming e-mails. Do any of you insiders know anything about the upcoming version?

    Thank you in advance and I hope somebody can answer my questions!
     
  2. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    Hi.

    You're in the same place I was a couple of months ago....

    1.  Execution protection is disabled on the trial version for commercial reasons - pretty pointless if you ask me, but it's their company!   What it does is to catch malware executables as they start to try and execute.  Different to an A-V, where the background scanner can trigger as soon as you try and 'touch' the file, but just as effective.  As to running the app in the background - click on configuration / startup / run at windows startup / yes (on the right hand side of the window).  This will make TDS-3 run in pretty much the same way as a service would.

    As to resource use, on my system it is using 1,276k right now as it runs in the background, compared with almost 13,000k for the various pieces of my A-V system (NOD-32).

    2.  There is no A-T I've found which will scan emails automatically in the way that an A-V will.  Diamond are looking at introducing such a feature in the future, but I have no idea how far away that is.  I was worried about this at first, but remember that any virus or trojan is just junk on your HD until it tries to do something.  TDS-3 will catch it at that point.

    I've just found the email they sent to me on the subject of email scanning:

    "We will be producing more parts for TDS-4 which will be ready later in the year, we will hopefully release a full active scanning component soon at a modest price."  Make of that what you will.......

    I've been very impressed with the quality of the support - there is a 'private' forum which is first rate, and subject to time differences, emails to support get turned round very quickly.

    The impression I get is that TDS-4 will be 'idiot-friendly' in a way that TDS-3 isn't, but that all the bells and whistles you get thrown in on the present version will still be there, but much improved.  Upgrade will be free.

    Hope this helps.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Bubs, I fully agree with most of your answer, thanks a lot.
    Nobody knows yet how the new suite will be composed and what is included or can be included or run beside etc., nor the possible difficulties to expect or possible "idiot proof" (find us an idiot first to proof). But reading Wayne we will be very happy and make a lot in the security world workless, so it must be quite some suite! No time to lose, step into the world of registered users and be among the first to know all about it via the private forum and newsletters.
    My FW does the email scanning, and there are others when I start them manually; those from the emails I just copy to my test zoo and interesting samples I forward to the TDS lab for further advice on what to do with them, just in case.
     
  4. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    (find us an idiot first to proof).

    Jooske - you're reading his post!! :D :D

    Mmmmm - I bet nobody's thought of needing to find an idiot for beta testing - guess I'd better go on the list lol
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When we were creating functions on our system I always looked for persons who hardly knew anything more about a keyboard than a normal typewriter and just asked them to do what they thought was to be done. Was good for testing purposes.

    In the forums here we have decided there are no dumb questions, so there will not be adequate idiots either; school kids get computer education by the day, internet is most used in the age groups above 44 by women in each age class, so no need to look for an innocent granny somewhere as they might know sooner than others which buttons to press. So I'm sorry, the idiot proof testing is blown off, by lack of real innocent idiots.
    We'll have to do it ourselves.
    Nice to see you in the private forum! :D
     
  6. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    To the best of my knowledge there isn't an email scanner in the upcoming TDS4 release.

    That being said, Wayne or Gavin may wish to disagree with me (since they know and I am speculating).

    I run NOD32 with the email scanner and it weeds out all the viruses; any trojan that gets through is saved to my private collection to be scanned with TDS-3.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Personally, I see no real need for TDS to do mail duties - that's what our AV programs are for.

    Can't keep piling more and more stuff on TDS to do, IMO - you'll wind up with dilution of effort as re: having the program do what it's supposed to do to begin with.

    Someone please correct me if I'm wrong, but wouldn't TDS catch a Trojan received via email, anyway, as soon as it tried to execute? That's what exec protection does, right? Pete
     
  8. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Ja, execution protection does do, but we all have discussed that some damage could possibly be done before TDS could intercept. It is a good practice to save all attachments to HD and scan with every scanner ya got. If a friend sends me a pic that he told me he was sending (via telephone), I still scan with TDS, WG, and NOD32.

    As far as email scanning goes, I am mainly concerned with email that has no attachment, but runs automatically. That is what I want an email scanner for. I can scan unexecuted attachments myself.
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Then it would seem that plenty of options already exist for preventing that.

    Even OE (which everyone just loves, I've heard :) ) can prevent that if you (a) don't use the 'Preview' pane (b) have it handled in/under the 'Restricted' Zone rules (with the 'Restricted' Zone set up correctly, of course) and (c) keep up with the updates/patches for OE, which specifically address problems such as that.

    I'm a little confused as to why someone would want to add something to TDS that should already be covered by the way they are supposed to have their email program secured.

    So what am I missing? Pete
     
  10. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    lol all quite true Pete.

    Perhaps I was a bit vague there. I am against an email scanner in TDS, I was referring to the scanner from NOD32 which does what I need it to just fine.

    I agree with you 100%
     
  11. Mark Lee

    Mark Lee Guest

    Hello, thanks guys for all the responses. Just one more question to push me over the hump. Because I am using the trial version, does the execution protection slow down the computer? I read somewhere in the forum that it does slow down when opening apps; how true is that, or how does it really affect the system? I don't have a super machine so it is a little concern.

    Thank you
     
  12. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    I'm not the best to answer, as whilst a P3 Xeon 550 processor isn't anything exciting these days, 512meg RAM is quite a lot  :D :D

    I've never noticed any difference at all - but have never spotted the post to which you refer, so don't take my 2 1/2 pence worth as gospel.

    I just did a little experiment: ran task manager, then turned on my Agfa (photo) scanner software.  TDS-3 remained at 4,276k mem usage before, during and after execution.  No other running process 'blipped' either (except for scanwise.exe of course).  I guess that means that it is using all it needs to provide execution protection on a continuous basis.  I don't think you're going to find your apps open more slowly.  Don't forget that execution protection is a rather different thing to A-V 'scan on opening'.

    Another thing to think of - just how much of your time at your PC do you spend turning apps on anyway? :)
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    My computer is rather slow and not the latest model either, and I never noticed any difference with exec protection on or not installed; quick computers might notice a few tenths of a second in programs executed at starting them, maybe, but that is so little compared with all the extra security we get for those few seconds total maybe waiting over a full 24 hours with all the programs being used and started again and over again...
    I have seen such a posting only in the private forum once, and it's the user's own choice to set priorities and it is no obligation to use it; I do, as I love my extra security, of course.
    I'm sure in TDS version 4 everything possible is looked after, as it's Wayne's special area of attention where possible to save space, time, resources, most certainly with such an important function we all love to use!

    There are so many possibilities in TDS which make it more than just a scanner, and even as a scanner it enables us to dig in our systems file for file and monitor all processes and hooks from them and every bit entering or leaving our systems and even change those packets if necessary; for the NT users the possibility to search out their NTFS streams for infections, and not to forget the possibility to add functionality with our own scripts, which are not necessarily just the fun scripts I make, but serious security functions as well of course.
    We are all looking forward to the new version as this is good already, but Wayne promises the other will cause ahhhhhhhh's and ohhhhh's everywhere in the security world. I would not like to miss a single bit of that! :D
     
  14. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Think a lot depends on the system and activity, as I've seen people with Win98SE and others with the same OS with very different resource results, maybe depending on settings, activity, other finetuning...
    When we do a full system scan or an interrogate scan on a portscanner, I think those are about the heaviest processes, but with the exec protection I'm not at all sure if that is all the time the same % or at the moment of touching a file for executing a little higher and after that less again. Anyway, on my superslow Win98SE system I never have considered this function as a problem, like said before.
    Hope you enjoy your trial in the meantime!
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'm with Jooske and bubs in regard to the resource issue.

    Sitting here with WinME, NOD32, LnS firewall, SpyBlocker 4.75, Trillian, Internet Sweeper, CookieMuncher, MailWasher and TDS3 (with exec protection running and sockets initialized) all happily running their butts off down there in SYSTRAY, Opera browser going with 18 windows open.

    Are my resources low? You bet! (System:32%/User:32%/GDI:44%)

    Do I crash from lack of resources? Only very infrequently, and when I do, it's mostly my fault for ignoring system warnings - heck, all you've got to do is re-start the darn thing! (Note: Not using this computer for anything business-related, Internet Cruiser only).

    Would I run TDS  without exec protection going at all times?

    Not on your life.

    Best advice: Try it on your system and see how it does! If the resource issue worries you, closely examine what you have running in SYSTRAY and ask yourself what's running down there that you can live without (something non-essential, IOW).

    BTW, Mark - Exactly what are your system specs? You know, amount of RAM, HD size - I'm not even seeing what OS you have. Is it W98, W98SE, WinME, or what? Pete
     
  17. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I'd say exec prot may make a very small diff on my machine speed wise, less difference than Amon makes (the resident NOD32 scanner).

    The security is worth the speed in any case. CPU prices dropped by as much as 53% lately. If I really need a processor 3X faster, they are dirt cheap now.
     
  18. Mark Lee

    Mark Lee Guest

    I'm using WinXP with 256 megs of RAM. The reason I ask about the speed hit, and I might be imagining this, is because internet access seems slower since I installed TDS-3. I'm also using the sockets automated mode, could this be the reason it's slower?

    Another question, using sockets monitors common trojan ports, right? does it really add protection or does my firewall take care of this?

    Thanks for all your answers, you guys have been really helpful.
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Mark - it's kind of hard for me to comment on whether I've seen any kind of speed decrease since I started using exec protection and initialized the sockets.

    If it's slowed down at all, it certainly couldn't have been much, because I really haven't noticed any slow-down - but, I'm on dial-up and I do have a 1.3 GHz processor - so maybe I wouldn't be able to actually measure whatever slow-down there may be.

    About socket initialization, you asked this: "does it really add protection or does my firewall take care of this?"

    I'll leave the technical explanation of the sockets being initialized to someone else (and, yes, I have mine on the 'Automated' setting also), but I can say without doubt that if those ports get scanned, you'll receive an email similar to this:

    Subject: Mail from TDS-3: TCP connect on port 27374
    17:34:37 28-05-02
    TCP Connection request on local port 27374
    Source: 209.xxx.174.xx:4729

    or this
    Subject: Mail from TDS-3: TCP connect on port 12345
    17:34:37 28-05-02
    TCP Connection request on local port 12345
    Source: 209.xxx.174.xx:4730

    from your own TDS program!! Reporting the attempted probe to you!
    (I 'x'd out some of the IP).

    Needless to say, after looking up this particular individual's ISP and reporting him (using the TDS log entries as proof/verification), I haven't had any more scans from that location.

    This program is not only quite awesome in its capabilities, it's just flat-out cool! HTH Pete
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Funny, my firewall blocks those so I hardly get any email alerts. But if I open the ports or use some of the emu scripts, opening those ports to listen on in case there is an attempt, or I scan myself, yes, then I get them :)
    Very good Pete, you reported them and it's finished there; so often we report and nothing happens at all, so some ISPs take our complaints seriously! Maybe because they are impressed by "TDS" alerts and know it's serious! :) (as TDS is for advanced users knowing what they are doing and talk about and bla bla bla, so they'd better not go into any discussion, just accept our reports! Great!)
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Just for the record: only script kiddies will use their own system to use any trojan client. The "real" baddies will use a compromised, e.g. infected, system(s) owned by other(s), and will be safe, sound and undetected. Ergo: reporting might result in infected but innocent system owners losing their ISP account. IMHO it's recommended when reporting to an ISP to mention that such could be the case, merely to avoid innocent (infected) system owners losing their account.

    Just my two sixpence  ;)

    regards.

    paul
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wouldn't the serious ISPs know this by now?
    When I found in my log "routings" over my system long ago (most of the time originating from my own ISP) I alarmed them, so in case of any abuse they knew it was not me doing anything intentionally. It happens very seldom since, as they refined their settings too.
    With our log-analysers we can tell if there are more attempts of the same IP.
    So my ISP was happy at the start of CR and Nimda with such overviews sorted by IP to be able to warn their users and thus prevent lots of unnecessary bandwidth etc.
    If scriptkids or others are infected, a good reason to clean them out. Most of the time they first get a fair chance to clean out, and with repeated alarms about them they might lose their account indeed.
    TDS has some very handy tools built in, for this, remember? :)
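Tying together Pete's quoted alert e-mails earlier in the thread and Jooske's point here that a log analyser shows repeated attempts from the same IP, this is an added example (not code from the thread or from TDS-3) that parses alerts in the quoted format and groups them by source address. The sample alerts are constructed, with RFC 5737 documentation addresses in place of the masked IPs, and the line layout is assumed to match the quoted messages exactly.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the TDS-3 alert e-mails quoted in the thread.
# Addresses are documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real hosts.
SAMPLE_ALERTS = """\
Subject: Mail from TDS-3: TCP connect on port 27374
17:34:37 28-05-02
TCP Connection request on local port 27374
Source: 203.0.113.5:4729

Subject: Mail from TDS-3: TCP connect on port 12345
17:34:37 28-05-02
TCP Connection request on local port 12345
Source: 203.0.113.5:4730

Subject: Mail from TDS-3: TCP connect on port 27374
09:12:01 29-05-02
TCP Connection request on local port 27374
Source: 198.51.100.7:1044
"""

# One alert = timestamp line, "TCP Connection request" line, "Source:" line.
# The source IP pattern also accepts 'x' so alerts masked the way Pete posted them still parse.
ALERT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<date>\d{2}-\d{2}-\d{2})\n"
    r"TCP Connection request on local port (?P<port>\d+)\n"
    r"Source: (?P<ip>[\d.x]+):(?P<sport>\d+)$",
    re.MULTILINE,
)


def parse_alerts(text):
    """Return one dict per alert: date, time, local port probed, source ip and source port."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["sport"] = int(rec["sport"])
        alerts.append(rec)
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP: number of hits and the sorted list of local ports touched."""
    by_ip = defaultdict(lambda: {"hits": 0, "ports": set()})
    for a in alerts:
        by_ip[a["ip"]]["hits"] += 1
        by_ip[a["ip"]]["ports"].add(a["port"])
    return {ip: {"hits": v["hits"], "ports": sorted(v["ports"])} for ip, v in by_ip.items()}


def repeat_sources(summary, min_hits=2):
    """Source IPs seen at least min_hits times, i.e. the ones worth writing up for an ISP."""
    return sorted(ip for ip, v in summary.items() if v["hits"] >= min_hits)


def report_line(ip, summary):
    """One line for an abuse report; the closing caveat follows Paul Wilders's point that the
    source host may itself be a compromised machine rather than the prober's own."""
    v = summary[ip]
    ports = ", ".join(str(p) for p in v["ports"])
    return (f"{ip}: {v['hits']} connection attempt(s) to local port(s) {ports}; "
            f"note the source host may itself be compromised")
```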
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Frankly, they don't care a bit. We've seen near to 1,000 accounts being terminated last year - very upset and innocent people, not knowing what the heck had been going on. We've had a cry for help from an outplaced multinational staff member, laptop infected, company secrets stolen, lost job, wife and being sued for over a million UK Pounds. ISP refused to cooperate in regard to log files.

    My esteem for ISPs isn't all that high  :rolleyes:

    regards.

    paul
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wow, that's a real bad case. My ISP has a policy of investigating and asking and warning and not immediately closing accounts. Legally they have to keep all logs of every user for at least three months for possible investigation, so in other cases they asked me to warn if things would happen again from the same user; difficult with dynamic IPs.
    In TDS we have those tools for connecting and broadcasting to warn, but a portsniffer would know they're detected once we start resolving and tracing them. In the TDS Helpfile we find good recommendations for such things. Of course if possible and the person seems innocent (seems!) I'd prefer to solve it with such an immediate warning to themselves, but where it is impossible and less innocent...
    since it cost me a whole PC thanks to the intruders (before I had and knew about TDS) I feel more for my own protection than for the portsniffers.
    With ADSL and cable many have permanent IP addresses, which makes many people more careful; the baddies will hide themselves better via different ways, and thus... your recommendation as described above is certainly something to think of to write in such reports.
    My most recent reports (several months ago I guess) were those collections of CR/Nimda infected people, in which I indeed also told them to ask those people to clean out as they were probably not aware of their infections, instead of closing accounts.
    You're right, there are in some of those abuse helpdesks people who hardly know what they are doing, while my former experiences were with the more devoted and serious, explaining and investigating; they probably had to delegate it to less knowledgeable people.
     
  25. controler

    controler Guest

    Here is one thing you might think about.

    In the USA there is still a shortage of ITs
    (Information Technology Specialists, people that administer networks) and ISPs.
    The attitude of the government AND employers is to hire young people in this field. Even though it is against the law here to discriminate, they are still doing it.
    The FBI won't hire people over 40 and if you ever smoked pot before, forget working for them. Although you can have smoked pot before and become President of The United States LOL (Bill Clinton)
    OK in a nutshell, what I am seeing at state government level is very poorly administered networks from these young people.
    We are seeing a lot of restructuring in the CIA and FBI now since the 9/11 attacks. Trying to weed out what they call stupidness and what us older people call common sense ;)

    controler
     