TDS exe protection

Discussion in 'Trojan Defence Suite' started by -JSa-, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. -JSa-

    -JSa- Guest

    @FanJ

    comctl32.ocx (Windows 9x/NT/2K) v6.0.80.22 YES

    tabctl32.ocx (Windows 9x/NT/2K) v6.0.88.4 YES

    richtx32.ocx (Windows 9x/NT/2K) v6.0.88.4 YES

    comdlg32.ocx (Windows 9x/NT/2K) v6.0.84.18 YES

    - - - - -



    riched32.dll (Windows NT/2K) v5.0.2134.1 YES

    asycfilt.dll (Windows 9x/NT/2K) v2.40.4277 YES v2.40.4522.0

    msvcrt.dll (Windows 9x/NT/2K) v6.1.9359.0 YES v6.1.9844.0

    msvbvm60.dll (Windows 9x/NT/2K) v6.0.84.95 YES v6.0.96.90

    mscomctl.ocx (Windows 9x/NT/2K) v6.0.84.98 YES
     
  2. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I have uninstalled and reinstalled TDS-3 and still have the same problem with Exec Protn not working. To confirm, this is the manner in which the uninstall/reinstall was undertaken.

    Shut down all running processes
    Uninstall TDS-3
    Re-boot
    Delete all empty TDS-3 folders and references including registry files and DLL files
    Re-boot
    Shut down all running processes
    Install TDS-3
    Re-boot
    Insert keyfile and updated Radius & Config files
    Configure TDS to personal requirements (scanning and config),
    Re-boot
    Install exec protn - confirmation of install components message received
    Re-boot

    Exec Protn still not working o_O
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not sure what the problem is User, o_O
    I take it you are running TDS as Administrator? If so we will have to wait until DCS can reply unless, of course, someone else has any other ideas.
     
  4. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi mfreemanhcp17 :).

    Before uninstalling TDS via Add/Remove Programs, did you remove Execution Protection first from within TDS?:

    TDS>Execution Protection>Remove

    and then uninstall TDS via Add/Remove Programs.

    Regards,
    Jade.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If not it could maybe help to remove reboot install exec protection again; maybe in the removed state it could be useful to check the registry if it is away from there before you install exec protection again.
     
  6. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Where should I look in the registry to see if Exec Protn is installed, and what name will it have? Should I also be able to see it as a running process in Task manager or through one of the DCS products (TDS Running processes or PE perhaps)?

    After I had removed the program I ran search in the registry (using JV16 Power Tools) for every file containing TDS in its description and deleted all that was obviously related to TDS-3. Can someone please list (or e-mail) all registry entries that TDS is likely to leave behind so that I can delete them all and ensure a clean install.

    Thanks all.
     
  7. FanJ

    FanJ Guest

    Hi user-etc,

    No, you will not see Execution Protection as a running process because it is NOT a running process!

    It is a so-called "hook".
    Check in TDS-3: System Analysis > Process List, and you will not see it there (or for example in TaskInfo2003).
     
  8. FanJ

    FanJ Guest

    From the Help-file:

    "If ExecProt is enabled, executing a file will cause the operating system to ask TDS-3 to scan the file before it is allowed to execute."

    That's why TDS-3 must have been started (either by yourself or at Windows start-up) for ExecProt to be working in the way it is supposed to be.
    If TDS-3 has not been started, ExecProt (= Execution Protection) will give that file back to the Operating System and let the OS do with it what it wants ;)

    Execution Protection is a dll file in your TDS-3 directory:
    execprot.dll
     
  9. FanJ

    FanJ Guest

    Question for Wayne:

    Sorry Wayne,
    Could you please jump in here on the questions why some posters don't seem to have Execution Protection giving an alert on for example LeakTest?
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Leak test is a demo, as I see it in my detection for the copies I have; might a valid known demo not be stopped?
     
  11. ExileBlue1

    ExileBlue1 Registered Member

    Joined:
    Aug 12, 2003
    Posts:
    3
    I've been following this with interest - 'cause I had the same experience as the original post, ie Leaktest not stopped ('cept by ZA)
    I've solved the problem by uninstalling my original version of TDS3 (from about 2 years ago can you believe) and installing the latest.
    Now TDS stops it in its tracks before ZA can even ask. Interestingly enough, the "Trial Trojan" I tried was detected by my original TDS. Hope this helps
    Catcha Later
    ;)
     
  12. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Sorry guys,

    I still have a problem with my exe protn - I have done all that I think I can - where do I turn now? I am still very, very happy with all my DCS purchases and the support received from everybody through this forum, but I would appreciate some response from someone at DCS please. If only it is to be told that you don't know why it's not working and I'll have to live without a monitor 'till TDS4, that'll be fine - I'll just buy BOClean or something. I'd just like to know please. :) Would you prefer I made a post in the user TDS private forum?

    Thanks
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi User, Sorry to read you are still having problems with EP :(
    If you post in the private forum or direct to support@diamomndcs.com.au You may get a faster response, especially as it is now the weekend in Australia. :)
     
  14. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Sorry to say I've had no response over the past few weeks from either this forum, the private forum or through support e-mail. Guess I'm at a loss. :(
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This thread has become so long I was lost already a long time ago trying to understand what the exact problem was, and I have no time to wrestle through all these pages again. Can you please in a few lines tell what the exact problem on your system is so we might be able to react to that again? Thanks for the trouble.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    mfreemanhcp17 - (Print this sucker out before undertaking this) -

    (1) I'm not seeing in any of your latter responses whether or not you disabled exe prot prior to trying another un-install/re-install.

    Did you?

    If not, you need to do the following -

    (a) From the TDS main interface, click on "Configuration" and on the "Startup" tab, where it says "Run At Windows Startup" make sure that the dot is in front of the radio button before "No" (if it's not there, put it there and then click "Save").

    (b) Then click "TDS" on the main interface, highlight "Execution Protection" and on the context menu that pops up, click on "Remove" and wait for the success message to show up.

    (c) Click "TDS" again and then click "Quit".

    Only now are you completely ready and in the proper "state" to do the un-install, so go to Control Panel - Add/Remove Programs and find both the "DiamondCS TDS ExecProt Module" and "Diamond TDS3" and click on BOTH to un-install them, making sure that both entries disappear properly from the list and that you don't get any error messages.

    I also want you to un-install the "leak" test and the "trojan" test at this time!

    Re-start your computer (don't worry about hunting down anything else).

    (2) When you re-installed TDS, did you do so using a freshly d/l'ed copy of the program - or did you still have and use the one you started with originally?

    If you did not use a freshly d/l'ed copy of the program, please do so this time. D/l your fresh copy from here:

    http://tds.diamondcs.com.au/index.php?page=download

    and write down the MD5 string of numbers on that page! (You'll see why in a minute).

    Now, go here: http://www.slavasoft.com/hashcalc/overview.htm and use the "Download" button to get that.

    Re-start your computer (I'm trying to eliminate any possible problems/conflicts with these multiple re-starts, so bear with me).

    After the re-start, click on "hashcalc.zip" and install it. Run it (you can read the readme later). On the HashCalc interface, you'll see a blank white box at the top that has "Data" over the top of it with a little square box off to the side that has a bunch of dots in it - click on that box and navigate to wherever you just d/l'ed your fresh copy of TDS-3 to (hopefully, the Desktop). Click on the "tds3setup.exe" that you'll find in that Explorer-like window, and that entire path should pop up in the "Data" window of HashCalc. Then click on the "Calculate" button in HashCalc and compare the "MD5" of HashCalc to the letters and numbers of the MD5 you copied down from the TDS d/l page. You should have an exact match.

    Assuming that you do, go ahead and re-install TDS-3 and set it up - including activating "Execution Protection" and updating the DB. (Do not have TDS starting with Windows!!!!). Make sure you "Save" all your selections.

    Re-start your computer (I know, I know - humor me, okay?).

    After the re-start, open HashCalc again and navigate to the exeprot.dll and "Calculate" it - it should read:
    f698b26c00de6dc320c36b69a0accfe6

    Only now do we know if you've got (a) a good d/l of TDS-3 and (b) a good exeprot.dll. If you do, then go ahead and re-d/l the "leak" test and the "trojan" test and see if your results differ from before.

    That's my best shot (and where did my morning go?). Sorry I'm not with DCS - I'm just me, trying to help. Pete
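The two hash checks Pete describes (installer against the MD5 published on the download page, then the installed execprot.dll against the value he quotes) can be done without HashCalc. This is an added example, not DiamondCS code or a tool from the thread; the sample file it hashes is constructed, and the execprot.dll value is simply copied from the post above as reference data.

```python
import hashlib
import hmac
import os
import tempfile

# Value quoted in the post above for execprot.dll; taken from the thread, not verified here.
EXPECTED_EXECPROT_MD5 = "f698b26c00de6dc320c36b69a0accfe6"


def file_md5(path, chunk_size=65536):
    """Stream the file through MD5 so a large installer need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_hex(s):
    """Accept a digest as copied by hand: any case, stray spaces, dashes or line breaks."""
    return "".join(ch for ch in s.lower() if ch in "0123456789abcdef")


def verify_md5(path, expected):
    """Return (matches, actual_hex). Comparison is case-insensitive and constant-time."""
    want = normalise_hex(expected)
    if len(want) != 32:
        raise ValueError("expected MD5 must be 32 hex digits, got %r" % (expected,))
    actual = file_md5(path)
    return hmac.compare_digest(actual, want), actual


def demo():
    """Hash a constructed stand-in for tds3setup.exe (contents b'hello world', not the real installer)."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "tds3setup.exe")
        with open(sample, "wb") as f:
            f.write(b"hello world")
        # Digest written down with spaces, the way one might copy it from a web page.
        ok_good, actual = verify_md5(sample, "5EB6 3BBB E01E EED0 93CB 22BB 8F5A CDC3")
        # The execprot.dll value must not match an installer, so this is expected to fail.
        ok_bad, _ = verify_md5(sample, EXPECTED_EXECPROT_MD5)
        return ok_good, ok_bad, actual


if __name__ == "__main__":
    print(demo())
```

Point `verify_md5` at the real downloaded installer and at execprot.dll in the TDS-3 directory to reproduce the two checks from the post.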
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'll be damned. I just re-d/l'ed TrojanSimulator "Install"ed it and guess what? TDS's exe.protection never let out a peep! lol! I had to do a "System Testing"/"Process File Scan" from the main interface screen of TDS before it picked it up! What's up with that?

    Shut down TDS and re-started it, and it picked it up then (due to the ProcessFile and trace scans I've got set at start-up) - but only because I have TDS doing a "Process File Scan" and the "Registry and File Space Scan" at start-up - if it weren't for that, it wouldn't have detected it at all (unless I did a re-start or a full scan).

    IOW, instead of the guy I was trying to help having done anything wrong - or having a corrupted d/l or file, the simple fact of the matter is that TDS's "Execution Protection" doesn't do squat when it comes to protecting you against the "TrojanSimulator" exploit and - had it been a real exploit of some kind - it would have just merrily launched itself and done whatever the heck it wanted to without TDS ever intervening in time to do me any good!

    Someone want to "splain" this to me? Because from where I'm sitting right now, it looks to me like TDS just failed this one - miserably. Pete
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    BUMP!
     
  19. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    So let me get this straight. When TDS is running (either starting with Windows or on demand) it works great and intercepts Leak Test and the like. When it's not running, it doesn't. I just tried it. Got the same results as Spy1. It has a monitor right? What good does it do to use all of my resources just to get it to work?
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Executive protection only runs when TDS3 is running, that is providing the TDS GUI or TDS icon are running all the time & that Executive Protection is installed - After the initial scans TDS3 has a very low resource usage when Executive protection is running. Executive Protection monitors every opening programme and you will only notice a very slight lag as each programme loads.

    You will not be able to run Trojan simulator when Executive Protection is installed & a right click scan on Trojan simulator will flag that it is a Trojan as will a full scan.

    See screenie below:

    HTH Pilli
     
  21. FanJ

    FanJ Guest

    OK, I did again some testing on that TrojanSimulator.
    Some screenshots will follow.

    It looks to me that it depends on whether or not you have enabled scanning for clients/editservers in the TDS3 scancontrol.
     
  22. FanJ

    FanJ Guest

    When I have it enabled (checkmark in that box), then ExecProt will block as soon as I double click on Trojansimulator.exe

    12:37:28 [ExecProt] WARNING: d:\trojan simulator\trojansimulator.exe has been blocked from executing
     
  23. FanJ

    FanJ Guest

    I can then let TDS-3 delete the file trojansimulator.exe.

    And no reg-entry is made.
     
  24. FanJ

    FanJ Guest

    Now what happens if I have no checkmark in that box in scancontrol.
    So TDS-3 will not scan for clients.

    I can then double click on trojansimulator.exe.
    No warning from TDS-3.

    I can click on "Install" in the Trojansimulator menu.
    No warning from TDS-3.

    I look in the process-list of TDS-3, and I see TSServ.exe running.
     
  25. FanJ

    FanJ Guest

    I double click on TSServ.exe on my system, and then ExecProt blocks it.

    12:20:07 [ExecProt] WARNING: d:\trojan simulator\tsserv.exe has been blocked from executing
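The [ExecProt] lines FanJ quotes in this post and in his earlier one have a fixed shape, which makes them easy to pull out of a TDS-3 log for review. This is an added example, not part of the thread or of TDS-3; the sample log below is constructed from the format of those two lines plus one unrelated line, and the grouping-by-directory helper is an assumption about what a reviewer would want rather than anything TDS-3 provides.

```python
import re

# Constructed sample log: the two block events quoted in the thread plus a non-ExecProt line.
SAMPLE_LOG = (
    "12:37:28 [ExecProt] WARNING: d:\\trojan simulator\\trojansimulator.exe has been blocked from executing\n"
    "12:38:02 [Scan] Process File Scan started\n"
    "12:20:07 [ExecProt] WARNING: d:\\trojan simulator\\tsserv.exe has been blocked from executing\n"
)

# Matches only ExecProt block warnings; paths may contain spaces, so match lazily up to the fixed suffix.
BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \[ExecProt\] WARNING: "
    r"(?P<path>.+?) has been blocked from executing\s*$"
)


def parse_execprot_blocks(log_text):
    """Return one dict per ExecProt block event (time, full path, file name); other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        events.append({"time": m.group("time"), "path": path, "file": path.rsplit("\\", 1)[-1]})
    return events


def blocked_by_directory(events):
    """Group blocked executables by directory; several blocks from one folder (as with the
    simulator and the TSServ.exe it installs) are worth looking at together."""
    by_dir = {}
    for ev in events:
        directory = ev["path"].rsplit("\\", 1)[0]
        by_dir.setdefault(directory, []).append(ev["file"])
    return by_dir


if __name__ == "__main__":
    for directory, files in blocked_by_directory(parse_execprot_blocks(SAMPLE_LOG)).items():
        print(directory, "->", ", ".join(files))
```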
     