Why buy TDS-3 not stg else?

Discussion in 'Trojan Defence Suite' started by ukbubs, Apr 27, 2002.

Thread Status:
Not open for further replies.
  1. ukbubs

    ukbubs Guest

    Have registered (as bubs) - just waiting for my password.......

    Am looking at TDS-3 or TrojanHunter - found interesting thread on another board where those who have TH spoke in its favour.

    What are the reasons why you guys favour TDS-3 over the competition?
     
  2. UKBUBS

    UKBUBS Guest

    have now read around a bit - might make sense to state my needs:

    small LAN of three machines, one as gateway, with mail server.  Mailserver has generic scanning feature - parks inbound attachments so the resident scanner can have a look - works fine with NOD32 with the Eicar test.

    Tiny Trojan Trap - sandbox - on all three - should stop any trojan from executing 'by accident'

    Plan to buy 1 x A-T scanner so that I can:
    1. Have inbound email attachments trojan scanned automatically.
    2. Do a manual scan on any executables I want to run on the LAN before I override Tiny Trojan Trap - i.e. as an extra defence against my doing something dumb.  I'm good at that!
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Ukbubs,
    welcome aboard!
    i'm sure DCS will take care of the keypart as soon as possible.  
    You know you can have TDS scan all your logical drives and the exec protection will block executing suspicious files.
    If nobody did dumb things this world would be so colorless, so nothing wrong with that.
    I am crazy for WormGuard in this combination, which saved my computer's life quite some times with blocking and warning without tasking any resources nor crippling the system any further.
    Deciding for TDS was quick several years ago after having looked around and finding this software and support, the explanation and education, no long lines via anonymous support mailboxes but immediately with the developers, the protection and even better and new detection methods and better again now and in the coming version 4 quite revolutionary (we are told, we don't know details yet) so why would i shop around for other products? Of course i looked, but in TDS we have even the possibility to add own functions (the smart guys working together on that via the private forum) if we like.
    With all that TDS is rather central on my system, as you might have seen here in the forum i don't use it just for security what it is for but also for a lot of other practical and fun parts.
    In the v4 we will see new features which make TDS with all the quality and experience behind it even more interesting and the strongest for your needs.
    I love to be able to react on anything that happens and detect and scan to know for sure what's going on, around 20 ways to detect a rat, all those tools.......
    and coming more soon!

    With AT software as well: you have already NOD32 for the viruses and email protection, so do take your time for the AT scanner and try some for a while: as you have TDS already too you can risk to take some time that way (when i did something dumb i take an online scan somewhere as an extra) before deciding definitely.
     
  4. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    TDS and EMAIL - THE GORY DETAILS!

    Jooske - Thanks for the encouragement.

    Might make sense to outline the detail a little:

    To quote from my mailserver help file:


    "When a message is received it is parsed to determine if there are any attachments in the message, if there are then FTGateLite extracts each attachment into a folder on the hard disk. It then attempts to open the file to read back its contents (this would not trigger an infection if the file carried a virus).

    If the file were infected the virus scanner will either prevent access to the file, delete or quarantine the file, in which case the attempt to read the file would fail and FTGateLite would know the attachment was infected. It would then move the whole message to a quarantine folder and notify the postmaster."



    As I understand it, if the attachment is 'executable', then opening it amounts to executing it.  Thus TDS should be able to do what I want.

    DCS don't make it possible to trial TDS 'running in the background', so I'm relying on you guys to help me here!

    ALSO - how CPU-heavy is TDS when it's in 'execute' mode?  It sure hogs my CPU when scanning (piii xeon with 512mb ram ran up to the line throughout......)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can you scan that parking folder with TDS from for example TDS Console > System Testing > Scan Control > Scan Disk/File?
    If you know the exact location of that folder you can make a TXT file in the TDS Console > TDS > Edit Config Text Files , where you can make a new file, for instance Scan alert folder, which you will find after reloading of TDS in the list mentioned above as a one-click option.
    If so, it's possible to make a script to scan that folder automatically. But with exec protection the file would be prevented from running anyway.
    You might like to put some more files in that folder for a test, like grabbing the MIrc Clean file from the free tools at the DCS site, which has an innocent test file, which you might like to attach to an email to yourself to test, as well as that jason tools test file, and maybe you have more like the eicar file, all should come in that folder if you send them to yourself and you can see what the scanning makes of it.
    It might be though, that the specific files are already in an exclusion list in TDS to prevent false alarms and panic. But you might like the try.

    For the resources i'm not quite sure, as it depends on the action to be taken. The full system scan is one of the heaviest processes which might take lot of the available space to make it as quick as possible, but also this depends on the OS you are running and configuration. I heard different experiences, in load as well as time for a certain amount of data.
    You will like the NTFS check (i suppose you run something like NT/2000/XP?) which most scanning systems don't look at, but which most certainly is an important security matter and you even can clean them out with TDS.

    My intuition tells me you have a rather good combination with the NOD32 for the viruses and TDS for the other worms/trojans, and you might like WormGuard as well. In the free tools and on the site are so many more practical info and tools and tests available, which you might like to add.

    And then comes the TDS version 4 soon with bunches of new ways and features for the job.

    If others are able to tell this more in technical sense and explain this original question about the email scanning, please jump in!
    We might like to use it on our own systems too if possible.
     
  6. Dan Perez

    Dan Perez Guest

    The exec prot does not take very much resources at all and as I understand it, the implementation under TDS4 will take even less. As to the feature you mention for FTGate, I find it a rather intriguing idea and I am not too sure of its extensibility but it might have some other benefits such as accepting the inclusion of a generic deny rule for all .vbs (or whatever) files. I am going to try to play with it tonight and will let you know how compatible it is with TDS's exec prot feature.
     
  7. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    Hi Dan - I was told you might show up :D

    I know it's off-thread :oops:, but I rate Floositek very highly.  (They happen to come from East Anglia, like me and the USAAF B-17s) :cool:

    A very 'light' program and very good value for money.  I suspect the feature i outlined can be dovetailed in with stg like TDS-3.

    If it can, it boosts multilayering of defences, and will doubtless give added traction to TDS if they market it right......   It could certainly be another one in the eye for Redmond and MS Exchange!!! (Never came across a CPU hog like MSE - like having a barrel of treacle in your task mgr :mad:)

    Thanks for your time
     
  8. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    Jooske:

    The parking folder is only occupied momentarily - hence my focus on exec prot'n.

    You wrote:
    If you know the exact location of that folder you can make a TXT file in the TDS Console > TDS > Edit Config Text Files , where you can make a new file, for instance Scan alert folder, which you will find after reloading of TDS in the list mentioned above as a one-click option. If so, it's possible to make a script to scan that folder automatically.

    Are you saying that with the right script, you can have TDS switched on (but waiting for a command), and as soon as a file goes into that folder, TDS will wake up and have a good sniff?

    As to the following:
    You might like to put some more files in that folder for a test, like grabbing the MIrc Clean file from the free tools at the DCS site, which has an innocent test file, which you might like to attach to an email to yourself to test, as well as that jason tools test file, and maybe you have more like the eicar file, all should come in that folder if you send them to yourself and you can see what the scanning makes of it.
    It might be though, that the specific files are already in an exclusion list in TDS to prevent false alarms and panic

    I'll try MIrc - thanks.  Jason - hmm - hadn't thought of that.  I've tried Eicar, and TDS ignores it completely.  
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi bubs,

    TDS doesn't currently scan email. Your email program doesn't sound like it actually executes attachments either, this would be very dangerous. By opening this would mean viewing, and the scanning occurs then. If there WAS any execution, then execution protection abilities available in both TDS and Wormguard would be of great benefit to you.

    Email scanning will be considered for upcoming versions, we would recommend TDS and Wormguard for any system where attachments may be viewed and executed (could be executed automatically just by viewing - by something like the IFRAME vulnerability, or possibly through a new undiscovered, similar problem)
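
The read-back check quoted from the FTGateLite help file earlier in the thread, with the attachment only ever read and never executed, as an added example that is not part of the thread and is not FTGate, NOD32 or TDS code. `fake_resident_scanner`, `gateway_check`, the marker string and the sample messages are constructed for illustration; a real on-access scanner hooks file access itself instead of being called.

```python
import email
import os
import tempfile
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a scanner test file

def fake_resident_scanner(path):
    """Hypothetical on-access scanner: deletes any file it flags."""
    with open(path, "rb") as fh:
        flagged = MARKER in fh.read()
    if flagged:
        os.remove(path)

def gateway_check(raw_message, park_dir, on_access=fake_resident_scanner):
    """Park each attachment, read it back, quarantine if the read fails."""
    msg = email.message_from_bytes(raw_message)
    blocked = []
    for i, part in enumerate(msg.walk()):
        name = part.get_filename()
        if not name:
            continue
        # Never build the on-disk path from the sender-supplied file name.
        parked = os.path.join(park_dir, "att_%d.bin" % i)
        with open(parked, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        on_access(parked)  # assumption: simulates the scanner reacting
        try:
            with open(parked, "rb") as fh:  # read back only, no execution
                fh.read()
            os.remove(parked)
        except OSError:  # file deleted, quarantined or access denied
            blocked.append(name)
    return ("quarantine", blocked) if blocked else ("deliver", [])

def build_sample(payload, filename):
    """Constructed sample message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "test"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

def demo():
    with tempfile.TemporaryDirectory() as park:
        clean = gateway_check(build_sample(b"hello", "notes.txt"), park)
        bad = gateway_check(build_sample(b"xx" + MARKER, "setup.exe"), park)
    return clean, bad
```

The gateway learns of a detection only through the failed read, so a scanner that logs without blocking, deleting or quarantining the parked file would let the message through.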
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I mean indeed having the folder outside the inbox/email folders sniffed. I do this often myself, be it manually:
    copy the suspicious email complete with attachment to a separate folder where i keep my test zoo outside the email program, right click scan the thing from there or scan the whole folder including that new possible nasty.
    So with this work around i have my email scanning with TDS, be it not in the way we would like it and it is done with your NOD32 email protection. What Gavin says a possible new implementation of email scanning in TDS 4 will be welcomed!
    So with this action you can try already what happens scanning that special folder where your FTGateway parks their suspicious files for further examination, so that part you have already automated,
    then would the next step be to call for the scanning of that folder or its content individually, so only for that part a script would be needed with some command or timer to activate it.
    That's why i thought of creating a special scan action name in the TDS scans list, which scans that specific folder, so a script can call for that specific scan under circumstances like time or changing size/content of the park folder. You understood exactly my way of thinking.

    I'm comparing it with for instance a download, which i've set to scan immediately after the download and before doing anything with it, which i do for instance with one av/at program which is only called for that scan while it was not running, while i can decide to have the whole download folder scanned with for instance TDS as an extra. For a right-click scan also a not running TDS would be called in the same way. But i've TDS running all time, so also the exec protection is on all time. Etc.

    For the test i mean the Mirc Clean tool from the free tools at DCS (a very handy little and super fast scanner, btw) , not the Mirc program itself :)
    TDS might have Eicar as innocent in the databases, would be nice if it did react on it and telling it is an innocent test file, like it does with the GRC leaktest as well for instance.

    With TDS and WG and their other tools i'm sure they respect our systems' resources and will use as little memory as possible, but it's hard to give exact figures, like told. Did you look with TaskInfo2000 or kind of that to look at those on your system?
    I wonder about the other program you mentioned?
     