running other virus scanning software

Discussion in 'Trojan Defence Suite' started by zappa, Mar 1, 2002.

Thread Status:
Not open for further replies.
  1. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Any issues to one's hard drive or OS to have anti virus running in the background and then fire up TDS and run both simultaneously? My HD makes some interesting grinding sounds when I run both.

    Is there a pdf help file available for TDS? I like to print out help files and read off of dead trees instead of a screen.

    I was notified of files changing after running CRC32. I extracted the changes, read it, then saved it. What does one look for when reading the changes?
     
  2. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    1) Performance and wear and tear - both programs are scanning the HD simultaneously, so the read/write heads are constantly switching between two locations (thus impeding both operations).

    2) I'd like that, too
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Zappa, Checkout,
    good questions and good explanations :)
    The TDS Full System Scan and especially the Memory Scans are heavy processes, consuming many resources, if not all available.
    So besides the switching between the heads you might run into a resources/RAM problem.
    For the results it should not matter.

    The TDS helpfile is accessible from everywhere on your system, if you locate the full pathname to it.
    With one of my MSAgents desktop helper scripts, which I made an exe, I included the TDS Helpfile, and as that script is voice commanded I just need to call "Help!" to have it opened, no matter what I'm doing.

    With the CRC32 changes it depends on which file is changed and if you know the possible cause: for instance after updating the references you'll see the radius file changed, after installing software the win.ini might be changed, and more of the kind. If it's unexpected then it's certainly reason to look deeper into the specific changed files.
    There are some CRC32 specialists here, hope they jump into this part.
     
  4. FanJ

    FanJ Guest

    with respect to CRC32-alerts:

    Yep, Jooske is right.
    It's a bit difficult to answer the question in general why a file is changed.
    Another example: let's say you have the files of your AV put in the CRCfile; when there is an update for that AV, big chance that one of those files is changed, so you will get a CRC-alert.
     
  5. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Understood about CRC32.  I haven't put any files in there though.

    Here are two that changed:
    11:18:44 pm [CRC32] -ALERT- File has changed: C:\WINDOWS\System\icmp.dll
    11:18:45 pm [CRC32] -ALERT- File has changed: C:\WINDOWS\System\ws2_32.dll
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you do a right-click scan from Explorer on them, or a scan of the windows\system directory from TDS Console | System Testing | Scan control
    (search for the windows\system directory and check every available option and highest sensitivity),
    do they show up?
    In Properties you'll see a change; is it a time you recognize from any legitimate action on your side?
     
  7. FanJ

    FanJ Guest

    OK, now the CRC-feature seems to have done its job, it's indeed the question: why are those files changed?

    First question is then: what were the changes that you made on your system since the last time on which you didn't get those alerts? Do you remember?

    Second question is then: can we find out what those files icmp.dll and ws2_32.dll do?
     
  8. FanJ

    FanJ Guest

    Info about version number, size etc. for MS dll files can be found for example here:

    http://support.microsoft.com/servicedesks/fileversion/dllinfo.asp?fr=0&sd=msdn
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And you might like to do some investigation with this very nice tool on your system, "Fabertoys"
    www.faberbox.com which shows the processes running and the dlls, just like the Process lists in TDS, and also what the dlls do and with which they communicate, etc.
    So I know the ws2_32.dll = windows socket 2.0 32-bit .dll
    but I don't find a full name for the icmp.dll, only see it communicating with the Kernel32.dll and other processes; you find it in explorer.exe for instance.
    If you don't trust the files, you can look with Windows | Start | Run | SFC what these files have changed and eventually get the originals back from your windows cd-rom.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Big PS about the Helpfile:
    if you like you can download the helpfile from the DCS site, but why would you, as you can access it all independently from TDS.
    Anyway, http://tds.diamondcs.com.au on the downloads page. If you had it in pdf you would miss all these handy search options, and it's large!
     
  11. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    In regards to the "help" file in PDF format let's start with the word help. For those of you who can work your way around the program prior to reading the help file then it truly is a help file. For those of us that need to read the help file so as to make our way around the product it is no longer a help file but an instruction manual.


    I like to have my instruction manuals in paper format. I brought home a package of 8 1/2 x 11, 20 lb, 500 sheet package of paper from the office and went at printing out the instruction manual. I am through the first 5 tabs and have used around 300 sheets. I need a wheelbarrow to tote it around. Damn, there are about 5 more tabs left too. I need another package of paper to finish. My HP is getting a good workout. I think the pdf would be a little more efficient. One good result is two friends who visited both found it, how could you miss it, and really liked the features. Two more future TDS3(4) users to be. Darn thing sold itself. Just think if one was mailed a nice little paperback instruction manual and on the cover a trojan in a mini skirt or something. Now that would sell!!!

    I enjoy reading from paper rather than a screen.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So that's a lot of printing!
    And that beside the electronic Help/instruction/Manual to search for the places to look at it.
    Never realised it is that big! So that gives even more respect for all the work on it.
    Of course TDS and WormGuard sell themselves, as they are really good products, no doubt about that.

    I once made a little SS3 script with some first run instructions, which calls an .exe file with which you can voice-controlled call for the helpfile and some more menu options, using the MSAgents for all that.
    Not sure if with the new speech technology included in XP one could search and dig through the file all voice controlled as well; am expecting this, maybe even without the MSAgents help? (have to dig in the newsgroups and the microsoft.net sites).

    The miniskirt :) ....... It's an Aussie product eh? There is another Aussie "product" for which the Aussie people are really proud, the most downloaded woman on internet, really nice.
     
  13. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I did a little research on those two dll's that changed. Both names changed. They both changed first letter from a small letter to a capital letter, thus Icmp.dll and Ws2_32.dll. That is not how their names are at the microsoft dll page. I do mean their name, not description. I don't know if that is normal either.

    Then Ws2_32.dll now is twice as big as it should be at 16,384 bytes from 9600 bytes.  

    There are other icmp.dll's in my OS but not in system and they do match the microsoft page info exactly as far as size name etc.

    They are both in the system folder. I did an extraction with TDS at the time of the ws2_32.dll. There is language in the part I extracted of "mutex" but that may be normal computer mumbo jumbo talk. Copy and paste now is the challenge; maybe I have to go in to edit it, then it will let me copy it...further learning curve...don't like to mess with stuff when I do not know exactly what I am doing. Have suffered under those circumstances with the crash factor.

     
    When TDS runs the CRC32 scan does it randomly pick 20 files, as it says scanning 20 files, or does it scan just in the System folder? Since I haven't put any of my own choices for it to scan, does it always scan the same files or folders?

    PS-The massive print out of the manual is massive due to quantity of info but there are pages with just a definition on it and nothing else.  
     
  14. FanJ

    FanJ Guest


    It surely does NOT pick them randomly!
    There is a file called crcfiles in the config map in your TDS directory.
    In that file are put the files that the CRC32-feature will check for changes. By default there are some critical files put in it. But you can add or delete files there by yourself. And such files don't have to belong to your system folder (which means: they can belong to your system folder, or they don't; it's up to you).

    To add (or delete files) in that crcfiles:
    In the TDS-3 window:
    TDS > Edit Config Text Files > CRCFILES
    In that file you can add files which you want to be checked.

    See also this thread:
    http://www.security-pro.co.uk/yabb/YaBB.pl?board=dcstds;action=display;num=1014281034
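    The CRCFILES mechanism FanJ describes (a fixed watch list, a stored checksum per file, an alert when the checksum no longer matches) is small enough to show end to end. The following is an added example written for this thread, not DiamondCS/TDS code; the one-path-per-line list format it parses is an assumed format, not the real CRCFILES syntax, and the two "dll" files are constructed in a temp directory so it runs anywhere. It records SHA-256 alongside CRC32, because CRC32 was designed to catch accidental corruption rather than deliberate substitution.

```python
"""Minimal CRC32-style file-change monitor, modelled on the TDS CRCFILES idea.
Added example; not TDS code. Watch-list format and file contents are constructed."""
import hashlib
import os
import tempfile
import zlib
from datetime import datetime


def parse_crcfiles(text):
    """Parse a watch list: one path per line, blank lines and ';' comments ignored.
    (Assumed format for this example, not the real TDS CRCFILES syntax.)"""
    paths = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(";"):
            paths.append(stripped)
    return paths


def crc32_of_file(path, chunk_size=65536):
    """Return the CRC32 of a file's contents as an unsigned 32-bit integer."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def sha256_of_file(path, chunk_size=65536):
    """Stronger companion digest: CRC32 alone is not collision resistant."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record crc32, sha256 and size for every watched file."""
    return {
        p: {"crc32": crc32_of_file(p), "sha256": sha256_of_file(p), "size": os.path.getsize(p)}
        for p in paths
    }


def check_baseline(baseline, now=None):
    """Re-check each watched file; return alert lines in the style of the TDS log."""
    stamp = (now or datetime.now()).strftime("%I:%M:%S %p").lower()  # e.g. 11:18:44 pm
    alerts = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"{stamp} [CRC32] -ALERT- File is missing: {path}")
            continue
        changed = (
            os.path.getsize(path) != rec["size"]
            or crc32_of_file(path) != rec["crc32"]
            or sha256_of_file(path) != rec["sha256"]
        )
        if changed:
            alerts.append(f"{stamp} [CRC32] -ALERT- File has changed: {path}")
    return alerts


def demo(tmpdir=None):
    """Constructed scenario: baseline two files, grow one of them, re-check.
    Returns (alerts_before_change, alerts_after_change)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    watch_list = ";\n; constructed watch list\n" + "\n".join(
        os.path.join(tmpdir, name) for name in ("icmp.dll", "ws2_32.dll")
    )
    paths = parse_crcfiles(watch_list)
    with open(paths[0], "wb") as fh:
        fh.write(b"constructed icmp.dll contents")
    with open(paths[1], "wb") as fh:
        fh.write(b"constructed ws2_32.dll contents")
    baseline = build_baseline(paths)
    before = check_baseline(baseline)
    with open(paths[1], "ab") as fh:           # simulate the file growing, as in the thread
        fh.write(b"\x00" * 16)
    after = check_baseline(baseline)
    return before, after


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

    The baseline dictionary is the part worth protecting: if it lives on the same disk, with the same permissions as the files it watches, whatever modified ws2_32.dll could just as easily rewrite the stored checksums, so a copy kept read-only or off-box is what makes an alert trustworthy.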
     
  15. FanJ

    FanJ Guest

    About the changes that you saw in those dll files:


    1.
    Do you remember what were the changes that you made on your system since the last time on which you didn't get those alerts?

    2.
    When you do a full system scan with TDS-3, does it give an alert about an infection?

    3.
    The same question as 2 but now with your AV?
     
  16. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I'm sorry but I do not remember what I was doing when the changes occurred. Secondly, I posted the TDS alerts in the thread called Slippery Trojan in the Trojans section below. I have not done a full scan since then but do perform a full memory scan every day and nothing new. I did it in Windows system too by itself, nothing.

    One thing, I get alerts all the time from TDS that -autostart has changed, press ctrl+alt+A to view changes.-

    It's a little frustrating sometimes when weird stuff happens. Last night for instance, left the computer on with firewall running, all internet access off, come in this morning and see my Enternet application flickering colors which means that info was either going out or coming in, and pull up the firewall status and see the kernel is connected and info is going out. I had given kernel authorization before since I was told it is normal.

    Enternet isn't supposed to fire up by itself and get connected but it did sometime after I went shuteye and it has happened before.  Oh well.  


    Are .dll's supposed to change their names as a normal course of business?  
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope others jump in on the rest of your story; I can only tell you dll's certainly don't change their names all by themselves. They can crash, get infected, overwritten, infections can change/replace their names, they seem to be able to lose some content with crashes, but in normal circumstances they keep their normal size and name.
    Are you sure your full system scan was with all options checked and highest sensitivity? Do it after each radius update at least.........
     
  18. FanJ

    FanJ Guest

    Hi Zappa,

    If I were you, I would do a full system scan as deep as possible, as Jooske suggested.

    And again:
    Which AV are you using? Did you do a full system scan with it (updated and well) as deep as possible? What was the result?

    One other thing:
    you said that you were told to give the kernel access to the internet.
    I'm eh surprised  o_O
    If I were you, I would give the kernel no access to the internet through my firewall. What happens if you don't give it access?
    Eh, what firewall?
    What other applications are given access to the internet?
     
  19. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I use Norton, FanJ. In the following thread I stated the items it quarantined and under what circumstances:

    http://www.security-pro.co.uk/yabb/YaBB.pl?board=anti-viruses;action=display;num=1013885863

    I have a program called Process Explorer and it has an option to highlight the relocated dll's, and Norton has the most highlighted at almost half of the dll's. I do not know if relocated dll's are negatively significant.

    Through liveupdate with Norton I have not received any updates for 2 weeks which is unusual.  


    To answer the rest of your questions:
    In the DCS-TDS forum I was advised that access for the kernel is normal. No one else disputed the statement so why would I? I am learning and at some point in time one relies on others for what appears to be reasonable info. I think if the statement was born of distilled spirits someone would have questioned it.

    My kernel is hyperactive, on steroids and very busy all the time. If I don't grant it permission it drives me mad. It wants out every 2 minutes minimum and ALL THE TIME with no rest breaks. I believe I went through some of those points in the aforementioned thread.

    I also asked if anyone else had a hyper kernel. My kernel is larger too, as many of the dll's that have changed names are. Some as much as twice as big as original size.

    To humor myself I spent a little time at the aforementioned MS dll check. I found that many of the dll's I checked have in fact had name changes. All of the changes were to the first letter of the dll from a small letter to a capital letter. All the dll's were larger than the original version. Some of the dll's had $ signs in the tab in properties where it describes version etc.

    I can go through my Windows\System and find the dll's that have capital letters, go to MS dll check and the name has changed, and they are all larger, some by 2 times.


    I use Tiny FW. Presently, these have outbound authority:
    1) krnl.386 on p-68
    2) TFW-with 2 TCP and 1 UDP
    3) ethernet lan card with 2 UDP and 1 TCP. Named as -System-
    4) Enternet access program with 2 TCP and 1 UDP
    5) iexplore, browser
    6) Norton PROPOXY.EXE
    7) Hmmmm. 2 RealPlayer, did not grant it access, on p-4565 and 4566. Will cut it off shortly.

    Jooske, no crashes, some freezes but no crashes.

    ( krnl.386 went outbound 5 times while I was checking out admin tab in TFW)  



    I think I answered all the questions this time.
     
  20. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I did the deep scan last night. It appears my better half got to the PC before I did and closed TDS before I could get a look.

    The log file says I had 8 alarms but did not state what files. I went through the search menu but could not find where to find the alarm log.

    Do I need to rerun the deep scan or is there a log file I am missing?
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yes, true, the scan alerts are in the bottom window to look at and analyse and send or delete files. From there you also can keep the names in the Scandump.txt file, but this is to be done manually.........
     