TDS-3 and BOClean

Discussion in 'Trojan Defence Suite' started by octogen, Jan 8, 2003.

Thread Status:
Not open for further replies.
  1. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    212
    I have recently downloaded a licensed version of TDS-3. :) :D I currently have BOClean running resident as my AT. Would I be able to run TDS-3 execution protection as well, or will this cause a conflict? Will this cause a problem on a 1.2 GHz AMD Athlon with 256Mb RAM running Win98SE? Thanks in advance.
     
  2. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    I have had success with this combination on Windows ME and Windows XP systems. And I don't see there would be a conflict (although if you throw your anti-virus into the mix, it might cause the issues - NOD32 and Norton don't seem to cause problems, however, with both of those ATs running resident). :)

    Best regards,

    -Javacool
     
  3. Gladiator

    Gladiator Guest

    TDS-3 does not have a file system filter driver so it should not be a problem.

    As I know, or better guess, it uses shell extensions (exefile->command->load) in the registry.

    If this is true (I assume this),
    then it acts like a filter at application level.
    That means TDS gets called with each EXE file which is executed.
    TDS scans the file and if it is clear it starts a new process with the given path+file -> this is then your process/program which should be clean.

    Hope this helps
    Michael
     
  4. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    TDS's execution protection is a shell extension, yes (or at least a main component of it is). The dll is set up as an administrator approved shell extension (based upon its CLSID) and then is placed under the ShellExecuteHooks key in the registry (again with its CLSID). Since it IS a shell extension based on my tests (or again, at least part of it is), I'm fairly sure it doesn't scan the file then start a new process - it probably just simply scans the file and either tells the system to "pass it on" or to "stop execution", and it won't go any further down the chain (which is a required function or the system can get hung up over that file - shell execute hooks have to return a value).

    Best regards,

    -Javacool
     
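A defender-side audit of the registry location javacool describes, added here as an example that is not part of the thread and not code from DiamondCS or BOClean. It is PowerShell, so it assumes a current Windows host rather than the Win98SE box asked about; the ShellExecuteHooks and Approved key paths are the documented Windows locations.

```powershell
# Added audit example (not from the thread, DiamondCS or BOClean). Lists every
# ShellExecuteHook registered on the host, resolves each CLSID to its in-process DLL,
# checks whether the CLSID is also in the "Approved" shell extension list, and reports
# the DLL's Authenticode signer so an unexpected hook stands out in the output.
# Assumes PowerShell 5+ on a current 32- or 64-bit Windows host.

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Get-ShellExecuteHookReport {
    # The Approved list is the administrator-approved set of shell extension CLSIDs
    $approved = if (Test-Path $approvedKey) { (Get-Item $approvedKey).GetValueNames() } else { @() }

    foreach ($key in $hookKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsid in (Get-Item $key).GetValueNames()) {
            # Value names under ShellExecuteHooks are the hook objects' CLSIDs; skip anything else
            if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

            $dll = $null; $signer = 'no InprocServer32'
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (Test-Path $server) {
                $dll = [Environment]::ExpandEnvironmentVariables([string](Get-Item $server).GetValue(''))
                if ($dll -and (Test-Path $dll)) {
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
                } elseif ($dll) {
                    $signer = 'DLL missing on disk'   # dangling hook: CLSID registered, binary gone
                }
            }

            [pscustomobject]@{
                HookKey  = $key
                CLSID    = $clsid
                Approved = ($approved -contains $clsid)
                Dll      = $dll
                Signer   = $signer
            }
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize -Wrap
```

A hook whose CLSID is not in the Approved list, whose DLL is unsigned, or whose DLL is missing from disk is the row worth investigating; a legitimately installed execution protection shows up approved and signed by its vendor.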
  5. Gladiator

    Gladiator Guest

    If it's a hook (in your case) or a kernel mutex / spin (driver) you have only to pass the handles as success or failed.
    Means for instance you return the value "ACCESS_DENIED" if a backdoor was found - all ok. :)
     
  6. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    212
    Thanks to all who have responded and will respond. ;)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Octogen, several people are using BOClean beside TDS-3 with no problems, with BOC being the resident scanner and TDS-3 on demand with the exec protection as a permanent extra.
     
  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol yup that's a newby's best combo hmmm well I have had problems with BOClean v4.9 and TDS with Windows ME

    4.10 seems to work fine except in cases of low RAM; when TDS scans BOClean it stalls for a long time. Many times it doesn't freeze, it just seems like it does because it takes forever, but if you wait it keeps going.

    RAM seems to be a big issue with TDS and BOClean working all at once.

    but there's really no excuse for low RAM

    for an old machine you can get a stick of 256 SD RAM for 30 bucks; for 60 bucks you can max out your PC

    I think at Best Buy I saw 512 DDR RAM or whatever that new RAM's called for like 120 bucks; that means for like 249 you can have 1024 RAM or something crazy like that

    of course I see no practical use for that kind of RAM to the max lol
     
  9. FanJ

    FanJ Guest

    Hi,

    W 98 SE here.
    No problems with BOClean and TDS-3.
    Pentium 3, 600 MHz, 512 MB RAM (and when I had less RAM in the past (384 MB): no problem either); motherboard Asus P2B.

    PS1: on W98 SE you can have no more than 512 MB RAM.
    PS2: be careful with the kind of RAM you buy; there are lots of different kinds out these days; you have to buy the right kind of RAM for your motherboard.
    PS3: Blaze, did you manage to get your RAM problem solved? I really do hope so!!! If you like to tell us, do so in that thread at TenForward which you started not so long ago about it.

    Quote from the TDS-3 Helpfile:

    Execution Protection

    Execution protection is a unique system exclusive to TDS-3 and DiamondCS WormGuard that uses a non-resident hook which allows TDS-3 to intercept and scan files as they are executed (but before they are loaded) and actually prevent infection by blocking/aborting the execution if the file was deemed harmful. As the hook is non-resident it uses no extra memory or resources, and it isn't susceptible to the TerminateProcess issue that virtually all other hook mechanisms are susceptible to.

    How does it work? When you execute a file, the operating system - before it even loads the file - asks the DiamondCS execution hook "Allow this file to continue processing?", and then waits for a Yes/No response from the hook. This allows TDS-3 to scan inside the file and abort the execution if the file is deemed dangerous or has been identified as a trojan.
     
  10. FanJ

    FanJ Guest

    And to add some more:

    right this moment while posting running BOClean, TDS-3 Execution Protection and AMON from NOD32.
     
  11. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    212
    Thanks again, javacool, Gladiator, Jooske, MrBlaze and FanJ. I now have TDS-3 up and running with exec protection installed. No problems with programs running resident (Kerio, NOD32, IEClean, BOClean and Proxomitron). I look forward to learning more about this powerful tool. :) Thanks again! ;)
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    well what do you want to know? we're all here now lol
     
  13. FanJ

    FanJ Guest

    Blaze,

    If BOClean keeps giving you problems, you could try the following. Kevin once told it to me, and I just saw it mentioned again in a thread at the GRC forum where someone posted the same trick which Kevin told him.


    1. Shutdown BOClean.
    2. Open the file boclean.ini (located in the directory C:\windows ) in NOTEPAD
    3. Under the [Prefs] heading add the following new line:
    Memtiming=200
    4. Then hit SAVE (instead of "Save as" in the file item up top) and then stop.
    5. Restart BOClean.

    This will make BOClean wait 200 milliseconds.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hey Octogen, looking forward seeing you in the private DCS forum too then soon! Lots to learn there too!
     
  15. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Huh?

    Don't make me nervous, man. I thought my TDS-3 is the tornado-deluxe-defender.
    What do you mean by "permanent extra"?

    Hank
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Hank,

    It is ;)

    As long as you have execprot enabled, there's no need for any "extra". Some people prefer using TDS as an on demand antitrojan, running a separate resident antitrojan in conjunction.

    regards.

    paul
     
  17. Hank

    Hank Registered Member

    Joined:
    Jan 8, 2003
    Posts:
    31
    Location:
    good old europe
    Ah yes - like Norton AV in the morning, Kaspersky at high noon and in the evening all together now. Makes sense - especially for the RAM sellers.

    - Hank-
     
  18. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi hank and welcome.

    Yes, Paul is correct. Even though a lot may run an extra app for AT, I consider TDS to be the Primary, Secondary and Back-up for AT's. :)

    I do not run a secondary app for AT's at all, but that's me.

    In conjunction, I also run Wormguard. No other anti-worm there either. [Apart from the overlap that AV's provide]

    However, I do run a primary AV plus a secondary one [new, in Alpha stage, GladiatorAV ~ GAV] as it specialises in getting deeeep into unpackers, compressors, etc. and "DeCrunches" them no end.

    Feel free to ask any questions you like re TDS, WG, etc. as there are many talented people in here to help you in any way they can. :) :)

    Do not be afraid to ask a "foolish" question, as Paul's [and my] motto is: The only "Foolish" question is the UNASKED one, lol.

    EDIT ~ ALSO: If you are looking for more security/cleanup/nice apps [FREE] go to:
    http://www.wilderssecurity.com/showthread.php?t=5970;start=30

    and read my post. Also javacool has just released a great new proggy as well called SpywareGuard [stops installation of spyware in conjunction with SpywareBlaster], available also in the download section of this site.

    Cheers, TAS
     
  19. octogen

    octogen Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    212
    Thanks, Jooske. Look forward to visiting that forum! :)
     