TDS3 and Test your E-Mail Defenses

Discussion in 'Trojan Defence Suite' started by TAG97, Apr 26, 2002.

Thread Status:
Not open for further replies.
  1. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Hello:
    I had Jason's Toolbox "Test your E-Mail Defenses" sent to my e-mail address to test two resident anti-virus programs that I'm fooling around with. Neither anti-virus alerted me when I opened the test VBS script e-mail. o_O Guess what showed up to scan the VBS script o_O Yep, TDS3! I do not run TDS3 resident. Soooo my question is what happened o_O It ran like a right-click file scan and identified the test VBS script, but all I did was open the attachment.
    Anyone have any idea why TDS3 opened up? Not that I'm pissed off or anything. Could this be a preview of TDS4 ;) ;) ;)
    Regards
    Tim
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Tim,
    Do you have a URL for that Jason's Toolbox? I'd like to try it and find out what you mean. Thanks.

    Sounds like the exec protection stopped a file from running? Sure it was not the WormGuard?

    Not expecting TDS-4 previews yet, has not been offered for beta-testing yet.
     
  3. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Hi Jooske:

    I'll save Tim the effort.  Go here: http://www.jasons-toolbox.com/test-defenses.asp  to use Jason's "Test your E-mail Defenses".  I didn't have Tim's experience when I tried it.  In my case, the firewall (Outpost) renamed Jason's vbs file attachment and that was that.

    Bob
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot!
    As expected, the several layers did block it, but i did not get TDS-3 jumping in here; WormGuard did, of course.
    I like WormGuard with the look into the file in the safe mode, so it was easy to give that permission to run it.
     
  5. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Hi Jooske:
    I don't have WormGuard. The weird thing is TDS3 is not resident. When I first click on the attachment I get a message, I believe from Outlook, about opening attachments and a choice of putting it on disk or opening it. I choose to open it. Next TDS3 appears with this message: "08:46:24[file scan]Scanning file C:\WINDOWS\TEMPOR^!\CONTENT.IE5\5A52GFXP\TESTEM^.VBS"
    The question is why does TDS3 appear if it is not running or minimized in the system tray o_O
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Where and how do you get this message? in the TDS console? Exec protection loaded i might suppose (which blocks all kinds of nasties from being run)
    Never had those warnings myself yet, even though i have a whole zoo in my test base. WormGuard saved my pc life very often, would not like to be without that WG!
    But running it, nothing on my console or popups or whatever from TDS after the WG and other warnings.....
    The line from your message only says that it scanned; it does not say in what you snipped if it is ok or a dangerous file. Were there more lines?
    Do you have more innocent test files, like for instance the DCS tool with the mIrc Cleaner or from various av/at sites you can get the Eicar test file, etc, just to see what happens testing those.
     
  7. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Jooske, the message always appears on the TDS console. It always appears like a right-click file scan. I guess if the file is clean it shows no results. The console also appears when I do a Windows Update. I have one that never finishes and keep trying. I'll try it again and show you the message in the console.
    09:50:44[filescan] Scanning file C:\TEMP\INSTALL.JS
    That's a Windows update that always stops in the middle of the installation. TDS will always appear at every Windows Update I do! Very weird.
    So what do you think?
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I don't think much, as i never have seen such warnings.
    But your TDS is running anyway, to be able to scan.
    Seems a javascript file, and that is very sure from the MS / windows update site?
    And only that file or more?
    If you right-click scan it is there any alarm?
    Is your registry extra protected so the thing can't register correctly?
    You don't have WG you say, could have been such a protection.
    More thinking of your proxy/firewall here, blocking a proper connection.
    Did you block any of the java settings in the browser, which would make this also more difficult.
    Do you have any anti-virus/anti-trojan running when updating via that site?
    ALWAYS disable av/at when updating there or installing any other software (TDS is an exception, but if you feel better also close that one, depending on the kind of software you're to install)
    I have set my downloads to scan any new file after the download (and at opening it happens always if there is any reason) and before unzipping/installing so maybe you did a thing like that in your settings as well?
    Would explain the scanning.
    Hope this helps, please keep us informed!  
     
  9. AAPlus

    AAPlus Guest

    Hello, All

    Ok i just gave this E-mail test a try & nothing picked it up, so what am i doing wrong now

    Thanks All
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You didn't do anything wrong, your email protection might have this test file already in its "false alarms" database.
    Did you click the attachment and try to run it?
    My email protection had changed the extension already and popped up at opening it, after which it was immediately blocked by WormGuard, still insisting to run it i just got the msgbox of it as expected.
    What OS and possible protection are you running?
     
  11. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    Thanks for the reply, sorry about that first post, i am having 1 hell of a bad day, nothing is going my way. Ok here it is: i went & tried this E-Mail test & none of my apps stops it i think.

    Thanks Jooske, oh am on WinXP Home.

    Sorry about the name, i could not get AAPlus to work for me.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Welcome TDS man! Good that you say you're the same person. :)
    We all have such days, and then it's best to be away from the computer and do something nice for yourself, take a walk, a nap, watch tv, anything you like.

    Strange, but good you discover this now.
    If you make a file in notepad, with something in it like "delete file" or "infect file" and save it with VBS extension on your desktop, and click it, does your WG jump up to warn you?
    Do you have any email protection running from your av/at scanners or in the FW or any other product?

    Many av/at scanners don't scan the email in the email client, as in most cases a whole folder is there in fact one large file they can't handle but if you save individual emails and their attachments in another place you can scan them fine right-clicked on them or in a scan.
    If you download the free tool Mirc Clean from DCS which has a harmless test file included, you can see how scanners react on it.
     
  13. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    I have no idea what you are talking about when you say make a file in notepad

    Thanks Jooske
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You know what is notepad on your system, which you normally use for a txt file?
    Windows > Start > Programs > Accessories > Notepad
    open notepad, type in a thing like "delete file" or "infect file" , save as test.vbs on your desktop.
    I have a line in it
    Msgbox "this is a vbs test file running", so pressing the file i get that messagebox; if i add the infection or delete line WG jumps up.
    I use notepad so much, made a shortcut to it in my task bar.
    With this test.vbs you can do such scanning tests, completely harmless.
     
  15. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Someone asked this question in another forum that I thought was rather interesting. Could a script be made for this o_O

    Thanks guys.

    What I really want to do is have an A-T scan inbound email attachments as they come in thru my email server, before they pass further into my LAN.

    My server enables this, and my A-V works fine with it (NOD32). It's a bit like the POP3scan piece of NOD, but works by the server app 'requesting an A-V scan' with what it terms as a 'generic file locking scanner' each time it receives an attachment.

    Can TDS-3 be set up this way, and how much of a memory hog will it be?

    FWIW I've got 512 meg RAM too - but use lots of it with my work.
     
  16. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    Ok i tried the notepad & all i get when i click on it is a notepad with delete file. Is this right? Because nothing happens, none of my apps do anything o_O at all :'(  :(  :mad:
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Supposing you store them temporarily in a special folder?
    Just like with the right-click scan you should be able to scan that folder.
    Maybe can try to make under TDS >> Edit scan files >> create a new emailscan.txt with the path/name of the folder, thing like that and have the scan done on that folder.
    You did already an email scan with NOD32 and maybe other security, for sure there will be people with better technical ideas to work this out in a practical way.

    For the RAM i'm not really afraid, as i've even been running TDS-3 on a 64RAM pc for a while, together with firewall, email, other scanners etc but that was about the limit i guess. I've posted somewhere in one of the forums what i saw in active memory usage and in RAM which was not too much, have to find that posting back.
    (If you have TaskInfo2000 or thing like that you can see it changing when scanning etc) Also this was on my Win98SE system, which asks more of the RAM than on NT/XP systems i was told, which are far more efficient with memory. If i find figures, i'll edit this again.

    In the meantime: how do you like TDS and maybe you try WormGuard in combination with that?
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS Man,
    Put as first line the whole one i put here below:
    Msgbox "This is a VBS script running"
    Saved as test.vbs on the desktop. Clicking on it i get the messagebox telling this text
    This is a VBS script running .
    (left click to open it, not right click, but you might like to scan it anyway :))
    Do you block any of the warnings, popups, whatever? I do, but still get that msgbox.
    If i add the "delete file" or "infect file" line WormGuard jumps in too. But it has no trojan code so i'm not expecting alarms during a TDS scan. (just tried: no alarms).
    I wonder why you don't get the box nor any other alert....... Are you sure your email is scanned anyway?
    Firewall (mailsafe) maybe?  
     
  19. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    Thanks for the help & reply. Now i just tried what you posted & i do not get a Msgbox. What i do get when i click on it is just test.vbs-notepad with

    Msgbox "This is a VBS script running"

    & i do not get any warnings or popups at all

    Thanks
     
  20. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    I was just thinking could it be because i disabled Windows Scripting Host hmmm
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Seems like it then. I didn't find any reason to disable that and cripple my system unnecessarily, since i have WG.
    Several weeks ago in a test site with some tools i checked some vulnerabilities which were not found and i'm not 100% sure if i used one of the online(?) tools there or downloaded it, but the result was when i needed the more advanced functionality i couldn't run some scripts. Worse, the site of those tools was down a few days so i couldn't get back to those tools or search for their proper names so i couldn't even enable the WSH again, completely blocked in the registry, against my will! Only solution was to get a higher upgrade (beta) which fortunately worked.
    So all that blocking and patching and crippling of our systems is not always necessary.
    You can make the same Msgbox in TDS by typing that line in the console. If it doesn't work there either, time to repair your WSH, as you're running WG anyway for your protection.
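
The symptom in the posts above (test.vbs opening in Notepad, no message box, no scanner alert) can be checked directly. This is an added example, not part of the thread, written for a current Windows with PowerShell; the thread does not say how WSH was disabled on that machine, so the script checks both the `.vbs` file association and the Windows Script Host `Enabled` setting. The function names are made up for this example.

```powershell
# Added example (not from the thread). Read-only: reports whether a double-clicked
# .vbs file runs, opens in another program, or is refused by Windows Script Host.

function Get-RegValue([string]$KeyPath, [string]$Name = '') {
    # Returns $null when the key or value is absent. '' reads the (Default) value.
    $key = Get-Item -LiteralPath "Registry::$KeyPath" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-VbsHandling {
    # A per-user "Open with" choice overrides the machine-wide association.
    $progId = Get-RegValue 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\UserChoice' 'ProgId'
    if (-not $progId) { $progId = Get-RegValue 'HKEY_CLASSES_ROOT\.vbs' }

    $command = $null
    if ($progId) {
        # The Shell key's default value names the default verb; "open" otherwise.
        $verb = Get-RegValue "HKEY_CLASSES_ROOT\$progId\Shell"
        if (-not $verb) { $verb = 'open' }
        $command = Get-RegValue "HKEY_CLASSES_ROOT\$progId\Shell\$verb\Command"
    }

    # WSH refuses to run scripts when its Enabled value is set to 0.
    $settings = 'Software\Microsoft\Windows Script Host\Settings'
    $disabledIn = foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
        $enabled = Get-RegValue "$hive\$settings" 'Enabled'
        if ($null -ne $enabled -and "$enabled" -eq '0') { $hive }
    }

    $verdict = if ($command -notmatch '\b[wc]script(\.exe)?\b') {
        'Not executed: .vbs is not associated with wscript/cscript'
    } elseif ($disabledIn) {
        'Blocked: Windows Script Host is disabled'
    } else {
        'Executed: double-click runs the script'
    }

    [pscustomobject]@{
        ProgId        = $progId
        OpenCommand   = $command
        WshDisabledIn = @($disabledIn) -join ', '
        Verdict       = $verdict
    }
}

Get-VbsHandling | Format-List
```

A "Not executed" verdict matches what TDS_Man saw: the test script never ran, so neither the message box nor any on-execution protection had anything to react to.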
     
  22. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hey, Jooske

    I just put back the WSH & i installed that Script Sentry v2.5.1, or do you think i need it? Is there some way that i can get a script to try on TDS?

    Thanks again
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you now get the Msgbox when you try the test.vbs you made earlier or in tds typing that same line?
    You might also like in the SS3 scripts examples for instance in xMenu to load the Menu examples, which have Msgboxes as well to jump up for you. But these are innocent, of course.
    To play is good to add some line to the test.vbs you had already.
    I know Script Sentry only by name, never worked with it...
    I wonder what will happen now if you do the Jason test again with the emails. Do you have email protection from the firewall or some av/at program?
    If there is none active, you won't expect much action i might suppose, but if they run they should really alarm somehow. If you move the email or attachment to the desktop for instance, and try to run it from there, do you get alarms then? And with a right-click scan on it?
     
  24. TDS_Man

    TDS_Man Registered Member

    Joined:
    Apr 27, 2002
    Posts:
    18
    Hi, Jooske

    Yes i do get that MsgBox now, also in tds when i type it. i am using NOD32 ZAP

    Thanks Jooske
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome! Nod32 and ZAP both have email protection, so you can see ZAP changed the attachment into something un-runnable, when you click on it you should get a ZAP warning and question if you really want to run it, while i'm not sure what NOD did: before or after quarantine the file maybe?
    Does Script Sentry do something more if you insist running the script?
    WormGuard jumps up and gives options to look into the thing in the safe mode.
    So also you did not get the TDS console with the warning like in the first postings in this thread?
     