TDS-4 questions part II

Discussion in 'Trojan Defence Suite' started by dallen, Nov 10, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    "helloworld",
    Yes, I understand your concerns and they're all very valid points. :)

    Yes, I only said "every week" for now as an example, but whether it's every second day or every week or something else is still yet to be decided.

    TDS3's execution protection and TDS4's execution protection are both very different, but they're both very low on resources. Execution protection essentially only comes into play when a program is executed - at all other times it's basically using 0% CPU.

    You're spot-on in that it's not a be-all function, but yes it's a very powerful capability. Really it comes down to individual needs/wants - some people only want on-demand scanning, others only want resident/automatic scanning, and some want both. So to meet these needs/wants, we've broken TDS4 down into three programs :)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
As Wayne asked :) And as a DiamondCS moderator & TDS user I would prefer that execution protection is kept in TDS4; I think that it would be the most harmonious solution.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hi dallen,

    You may want to start a new thread with the specifics of this issue to get the best help with it.
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pilli,
    Seeing as TDS4 Active Guard is a resident-only scanner, and TDS4 Scanner is an on-demand-only scanner, it'd make sense that TDS4 Professional had both capabilities so we're not ruling that out :)

    Dallen,
It's currently 2am here in Perth and I'm about to leave the lab but I've left Gavin a note (he's more familiar with the CPR trojan than I am) and he'll get back to you later in the morning at a more respectable hour with more information about this trojan :). Until then, 1) if the file is running, terminate its process, and 2) move it to another folder so that it can be analysed later - that should be all that's required to neutralise the trojan.

    Best regards,
    Wayne
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Wayne.

    I replied to an IM from dallen: here is the gist of the text in my reply:

    Regarding updates I can see how much of a strain that can put on a small company like DCS and I can understand that a premium for daily updates may follow that of other AV & AT companies.

One of the things that DCS is good at is customer support and, to me, that is worth its weight in gold.

DCS also provides a range of free utilities, which obviously requires yet more resources; Wayne has stated that he intends to keep the ratio of freeware to payware the same. Let us not forget all of this added value.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For the trojans:
I created a special folder to put the suspicious stuff in, zip them, submit them to the lab and wait for their answer.


    For the exec protection:
I've TDS always up because of that function and it has stopped a few times some programs from running; I suppose when I see it in the task manager it has just stopped something too, even when I don't see popups for it. (Guess that needs another thread? As I think it's my aggressive firewall blocking all popups.)
    I don't mind in which program it is, as long as I have it somewhere available and if possible all the time.
    The many Win9x series users, whose systems are more vulnerable to security risks than the NT/2000/XP series, will be really grateful for every extra bit of protection.
    If it's a problem, make it an extra stand-alone tool for registered users of one of the three (four? five?) programs.
     
  7. cguest

    cguest Guest

    1. Execution Protection

    Personally, I do not think that this feature is important but others do. The problem with removing it from TDS-4 is that all existing TDS-3 users will lose this feature (or certain other features) depending on whether they upgrade to TDS-4 Pro (or another TDS-4 version). I understand that an upgrade is required since there will be no more updates for TDS-3. That's why I recommend not to remove execution protection from TDS-4 Pro. People may get angry.


    2. Signature Updates

    An official update policy would be helpful since you cannot determine the value of a scanner w/o knowing how long you can use it.

    I consider it quite important that manual updates will still be available. Personally, I would never use a scanner's autoupdate function.

    Maybe it would be a fair compromise to offer weekly updates for free (for a guaranteed minimum period) and daily updates for cash? For private users it is typically not that important to get daily updates. (Remember, we are talking about trojans. Usually, they do not instantly destroy your computer.) Corporate users require daily updates and have enough money to pay for them.

    However, if TDS-4 were to use rotating signatures a weekly update procedure would compromise security.


    3. Anonymous Purchase

    Would be great if there were a way to do so. I don't like to be registered with anyone.
     
  8. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
I have been following this discussion with a lot of interest and now I'm confused. In 3 I thought that Execution Protection was needed to catch trojans when they try to execute. Am I wrong? I for one want something to keep watch over things.
     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    WilliamP, you'd need Execution protection in two cases: 1) you are launching a program you cannot trust (i.e. you haven't manually scanned it beforehand) and/or 2) you trust/have scanned the program beforehand, but it was packed/encrypted in a way that the scanner finally wasn't able to correctly detect whether it was clean or not.
    Since AFAIU TDS-4 will practically resolve problem 2) it all depends on your safe hex practices.



    @All, @DCS:

    And, to also add my two cents to the ExecProt/Updates "poll":
I have installed TDS's ExecProtection. Only there are times I am not running TDS at all, but then there are times I have it always running in the background. So it depends a bit on how risky I feel each day. That being the case, I probably wouldn't spend much (?) money on a resident scanner in addition to tds-4 which I will upgrade to. But I would feel a bit disappointed if the upgrade path was such that I would be left without ExecProtection. But I can understand that this may be a valid option and I said "a bit" disappointed only.

I would agree even more (and I would certainly spend the money) if the decision finally was made to deliver daily updates only for subscription users. The difficult part will be how to have the non-subscribers have their systems equally well protected with a paid-for TDS-4 program. On another forum there was a discussion about generic detection versus positive identification (non-subscribers getting alerted on the same trojans, but only generically, subscribers being told what malware/version/variant exactly it is that was found), don't know if that is feasible? Or have daily updates downloadable for everyone, but only via the webpage at a randomized (not-scriptable) location, subscribers from a constant location with account/password? Or finally (but this creates some security gap I think), daily vs. three-day updates... I'd prefer a cost in terms of usability for the non-subscribers to a cost in terms of protection, you get the idea.

    To Sum up: Please keep ExecProt in the Pro, but okay, go ahead and introduce some subscription scheme.

    Andreas
     
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I agree with Andreas(W) regarding the execution protection despite the fact that I'm not as knowledgeable as he. I would recommend leaving it as a part of TDS-4 Pro, unless there is a good reason not to.

    P.S. Andreas(W) why do you hang on to Port Explorer v. 1.700 and not upgrade to v. 1.800? Just curious.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi dallen,

Luckily this is an adware downloader, and like so many new adware/spyware detections it's labelled a "trojandownloader". I never thought we would be adding downloaders which download spyware or adware, but they really are something users don't want. Most AVs are also detecting them as they receive them.

    I'm still a little unsure. Should TDS detect spyware? Adding JUST detection is easy, as trojans actively fight security programs. If spyware removal was worked on, it would mean longer development for TDS.

    For now they are added if they are downloaders, as this one was :) Run your adware/spyware program, which should find cpr.dll I think it was, and something else.
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    @Andreas

    All future TDS and Wormguard and ? ? ? programs can use the one single execution control DLL that will be shipped with them all. If execution protection is already installed, the program will basically add itself to the list to get a go at scanning something. If nothing is detected by for example Active Guard, it will pass control onto Wormguard 4 which will then pass the execution and the program will run.
     
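    The single execution-control hook Gavin describes above, with each installed product adding itself to a list and getting a go at the launch before passing control on, sketched as an added C example. This is hypothetical illustration code, not DiamondCS code: the names (execprot_register, ActiveGuardDemo, WormGuardDemo), the 4-byte signature and the sample file images are all constructed here, and the two scanners stand in for whatever the real products check.

```c
/* Added example (hypothetical, not DiamondCS code): one shared execution-control
 * hook that several products register with. Each scanner gets a go at the program
 * being launched; the first to block wins, otherwise control passes down the chain. */
#include <stdio.h>
#include <string.h>

typedef enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 } verdict_t;
typedef struct {                 /* what each scanner sees per launch */
    const char *path;
    const unsigned char *image;  /* leading bytes of the file */
    size_t image_len;
} exec_event_t;
typedef verdict_t (*scanner_fn)(const exec_event_t *ev, const char **reason);
typedef struct { const char *name; scanner_fn fn; } scanner_t;
#define MAX_SCANNERS 8
static scanner_t chain[MAX_SCANNERS];
static int chain_len = 0;
static const char *g_last_by = NULL;  /* scanner that blocked the last launch */

/* A product installing itself: if it is already in the hook this is a no-op
 * rather than a second hook. Returns 0 on success, -1 if the chain is full. */
int execprot_register(const char *name, scanner_fn fn) {
    for (int i = 0; i < chain_len; i++)
        if (strcmp(chain[i].name, name) == 0) return 0;
    if (chain_len >= MAX_SCANNERS) return -1;
    chain[chain_len].name = name;
    chain[chain_len].fn = fn;
    chain_len++;
    return 0;
}

/* The gate itself, called once per program launch, in registration order. */
verdict_t execprot_gate(const exec_event_t *ev, const char **blocked_by,
                        const char **reason) {
    *blocked_by = NULL;
    *reason = NULL;
    for (int i = 0; i < chain_len; i++) {
        const char *r = NULL;
        if (chain[i].fn(ev, &r) == VERDICT_BLOCK) {
            *blocked_by = chain[i].name;
            *reason = r;
            return VERDICT_BLOCK;
        }
    }
    return VERDICT_PASS;  /* nobody objected: let it run */
}

/* Hypothetical "Active Guard"-style scanner: a constructed 4-byte signature. */
static const unsigned char DEMO_SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF };
static verdict_t sig_scanner(const exec_event_t *ev, const char **reason) {
    for (size_t i = 0; i + sizeof DEMO_SIG <= ev->image_len; i++)
        if (memcmp(ev->image + i, DEMO_SIG, sizeof DEMO_SIG) == 0) {
            *reason = "demo signature match";
            return VERDICT_BLOCK;
        }
    return VERDICT_PASS;
}

/* Hypothetical "WormGuard"-style scanner: flags double extensions (x.jpg.exe). */
static verdict_t double_ext_scanner(const exec_event_t *ev, const char **reason) {
    const char *base = strrchr(ev->path, '\\');
    base = base ? base + 1 : ev->path;
    const char *first = strchr(base, '.'), *last = strrchr(base, '.');
    if (first && last && first != last) {
        *reason = "double file extension";
        return VERDICT_BLOCK;
    }
    return VERDICT_PASS;
}

/* Install both products into the one hook; returns the resulting chain length. */
int install_demo_chain(void) {
    chain_len = 0;
    execprot_register("ActiveGuardDemo", sig_scanner);
    execprot_register("WormGuardDemo", double_ext_scanner);
    execprot_register("ActiveGuardDemo", sig_scanner);  /* reinstall: no-op */
    return chain_len;
}

/* Returns 1 if the launch would be stopped; last_blocked_by() says by whom. */
int would_block(const char *path, const unsigned char *image, size_t len) {
    exec_event_t ev = { path, image, len };
    const char *reason;
    return execprot_gate(&ev, &g_last_by, &reason) == VERDICT_BLOCK;
}
const char *last_blocked_by(void) { return g_last_by; }

/* Constructed sample images: a harmless MZ stub and one carrying the signature. */
const unsigned char SAMPLE_CLEAN[] = { 'M', 'Z', 0x90, 0x00 };
const unsigned char SAMPLE_BAD[]   = { 'M', 'Z', 0x00, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void) {
    install_demo_chain();
    int b = would_block("C:\\dl\\photo.jpg.exe", SAMPLE_CLEAN, sizeof SAMPLE_CLEAN);
    printf("photo.jpg.exe: %s\n", b ? last_blocked_by() : "runs");
    return 0;
}
```

    The point of the ordering is that whichever product installed first is asked first, and a second install of the same product just finds itself already in the list; a launch only proceeds when every registered scanner has passed it.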
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Yes, exec protection in one of the programs is OK for me, so if e.g. WG has it already installed and I install Active Guard or Pro, it sees the installed hook and it shows as installed there, so no need to do it again.

    The explanation about safe computing practices and it then not being needed is fine, but many people are in a home environment where very rapid kiddy fingers can do very unexpected things to add to the computer experience.
    And grown-ups also can have their moments of not knowing what not to click on, plus we like to have some assurance that when we click something we shouldn't, it is stopped before it can do any harm.
     
  14. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi,
I suppose I should have italicized the "need" in my theory about when you actually need ExecProt. :rolleyes: That description was in fact meant more theoretically - because, as Jooske pointed out, in practice you never can be quite sure of how secure your safe hex practices are and how consistent you will be with them...


Gavin, that sounds good. And to me it sounds like it wouldn't make things very complicated leaving ExecProt in TDS-4 Pro. Rather just a matter of UI, volume of support questions to be expected from it etc. :p

    Ehm. What I didn't upgrade was my signature. Will do so right now. I'm actually on PE 1.800 (I think beta5 which worked fine enough for me)... :D

    CU,
    Andreas
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Hey! Congratulations, Port Explorer registered 366 days ago, so yesterday was its first birthday!
    Great program and 1.800 (final) on my system.

    Thanks for the italics Andreas, that makes all the difference here and there :cool:
     
  16. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jooske :)

    08/11/2002 05:07a 834,326 pedemosetup-1100.exe

    Its 1st birthday was on Saturday - it's come a long way since then :)
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Right, I get those 366 days because of my keyfile when I click the "About", but true, the 1100 exe was three days earlier.
    Have TDS and PE up all time together, and lots of fun seeing some stuff coming in with the Socket Spy and after looking with TDS deeper into such a file.
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    For what it's worth, I don't believe TDS should spend the development time (and all the time keeping up with it thereafter) on adding adware-related detection/cleaning.

    We all know there are already two excellent free programs out there for this - SBS&D and AA.

    Duplication of effort, FP's, higher bandwidth cost and more demands on technical-support time from DCS are bound to follow if you pursue that path.

    Bad idea. Pete
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe if wanted / necessary / possible in future update / extra module / stand alone / whatever........
    Maybe it can just be added as it is in the same way with trojans, dialers, keyloggers, rats, worms, spybots, whatever.
    I could imagine a separate extra scan/database as the scanning process for trojans is already first choice and rather heavy/time consuming on slower/smaller systems, so i guess i would like a future spyware thing separate.
    I do hope the updates are less frequent for the spystuff but i guess they are growing too.
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
So when there are comparisons that say TDS didn't detect

    TrojanDownloader.Win32.Swizzor

    -insert hundreds of names here-

No one will care? :D
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm very happy that it does/did Gavin!
I remember several months ago I got a positive identification of a downloader from what I thought a respected site myself and I'm really grateful it was detected. By TDS, while I have the habit of checking every d/l with other software too, which let it through unmentioned.
    It was stopped by the exec protection in the first place when I thought to run it anyway, after which I did other scans on the file with TDS to see what was wrong, even submitted it to be really sure "as it really came from a good site", I remember my comments.
     
  22. Mike_ZZ

    Mike_ZZ Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    10
    Dear Wayne,

    "Re:TDS-4 questions part II
    « Reply #22 on: November 11, 2003, 11:11:59 AM »
    Can I please ask are you currently a TDS3 registered user, and if so, do you use Execution Protection? We've found that only a minority seem to use it, with most TDS3 users just using TDS3 for on-demand scanning, which is the main reason for us considering removing Execution Protection from TDS4 Pro. But again, this isn't set in concrete yet!"


    I have TDS-3 Active Guard on from the moment I log on - and it stays on together with several other fine DCS products until the power goes off!
    So YES, I use TDS-3 actively and passively every day.

    However what's important to me personally is that your execution protection is there, so if..

    "Re:TDS-4 questions part II
    « Reply #36 on: November 11, 2003, 09:03:00 PM »
    ..execution protection is already installed, the program will basically add itself to the list to get a go at scanning something..."


    and if I have WG4 installed and TDS4 can 'piggyback' on that execution protection (WG--> TDS--> Execute) fine.
    (If I'm understanding Gavin's comment correctly -
    (and I suppose I should put an End statement for all those IF's!)
    ). :D

    Regards
    Mike
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Hey Mike! Where did you get your copy of Active Guard? As that is not even released yet. You probably speak about the exec protection that is up at the moment.

    The piggyback is the way we mean and hope for.
     
  24. Mike_ZZ

    Mike_ZZ Registered Member

    Joined:
    Aug 25, 2003
    Posts:
    10
    Dear Jooske
    - thank you for the technical correction :D it is of course exec protection that I'm using in TDS-3 daily, I was confused (easily done!) after following such a long thread!

    However the fundamental question remains.

    I have several of the EXCELLENT DCS products, of which some have exec protection.

    It appears from this thread that SOME of these products will upgrade for free and will carry SOME form of exec protection with them - (some may not?? - to be decided....).

    My question (based on my understanding of the issues raised in the thread to date) is simple.

    I'm a DCS fan and I've got DCS products that have exec protection.

    If I choose a TDS version that hasn't BY DEFAULT got exec protection (eg it's an on-demand scanner ONLY), BUT I've got my OTHER DCS products (which include exec prot), will the on demand scanner be added to the list

    "to get a go at scanning something..."

    as in answer 36 ?

    Regards and Best Wishes
    Mike.
     
  25. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Mike,
    At this stage it's likely that exec protection will be available in both TDS4 Active Guard and TDS4 Pro. We were considering taking it out of TDS4 Pro, but as there are a lot of TDS3 Pro users who like it, we'll leave it in. Either way, before you even download the program you'll know from the website description whether or not it has exec protection capabilities.

    Enjoy the weekend,
    Wayne
     