Help - TDS-3 isn't stopping subseven

Discussion in 'Trojan Defence Suite' started by Soul_Flame, Apr 6, 2002.

Thread Status:
Not open for further replies.
  1. Soul_Flame

    Soul_Flame Guest

    Ok, some good news, and a minor concern.  After uninstalling and reinstalling with 3.2.1, the trojans now cannot execute.  When I attempt to launch them, I get this showing up in TDS:

    07:57:39 [ExecProt] WARNING: c:\my downloads\sub7\sub7.exe has been blocked from executing
    07:58:14 [ExecProt] WARNING: c:\my downloads\sub7\sin.exe has been blocked from executing
    07:58:27 [ExecProt] WARNING: c:\my downloads\sub7\editserver.exe has been blocked from executing

    The concern I have is, TDS-3 gave me NO NOTICE that it had done this.  I have it running minimized in my sys tray.  If I hadn't right-clicked on it and selected 'show', I wouldn't have known that a nasty was trying to launch.  So, how do I configure TDS-3 to TELL ME when it's stopped a nasty?

    I don't know what's different now, but at least it's working, so that makes me VERY happy.  One thing I noticed when I did the uninstall: I could not delete the exec protect DLL until I rebooted.  Something was still using it, so I don't know if repeated attempts to install execution protection locked it up or something; maybe that was it.

    One other thing: the only way I could find to check accurately what version I was running was in the Control Panel / Add or Remove Programs app.  There it listed TDS as 3.2.1.  I find it very confusing that when it initially loads it shows the wrong version, and in the Help/About menu it shows NO VERSION.  This is something that should be remedied.
     
  2. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Agreed!  I was about to download again, thinking I had downloaded the wrong version!
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the private forum Wayne posted that they have not changed the tds.exe, so for the moment we keep the 3.2.0 displayed in our console. Not sure if they will change that in a coming new version. Now that we know this, I don't really mind.
    It is true: before uninstalling TDS you should uninstall the exec protection, as this hooks or is hooked to by Windows for all executables. After uninstalling the exec protection you can uninstall TDS (you might need the reboot, as Windows keeps hold of it really tight) and you can continue.
    Now you get the warnings as you should; it seems you're better installed now somehow.
    I run TDS big until it finishes all the scanning at starting TDS, to see if there is anything which needs attention, like changes in autostart or other alerts.
    After that I might click it under another window or minimize it, just depends.
    I think it must be possible to write a little script with voice telling about alerts, or when the full system scan is finished to tell this and include something like "FSS is finished, xx alerts found on drive C, xxx on drive D, (etc.) which need your attention." Same can be done in the startup procedure or like your exec protection alerts. I'm used to WormGuard popping up in case of alerts; till now (knock on wood) I never had an exec prot alert, but I can imagine your wish for a popup/sound/voice alarm.
    For sure Wayne is alerted to add such wishes to the wishlist by now.
    The one thing I can add: when I check/right-click scan a file, I first look at the scan results before doing anything at all with it any further, so I would have had the TDS console large and been checking the results.........
     
  4. Soul_Flame

    Soul_Flame Guest

    Jooske......are you telling me that it's standard functionality that if TDS-3 execution protection stops something from executing, it's NOT going to present an alert message to me telling me about it?  You've gotta be kidding me.  What am I supposed to do, bring up TDS every few hours and make sure nothing's happening?  That's what I paid $50 for.  If TDS won't even do that, I might have to reevaluate my choice in anti-trojan software.  That seems pretty darn basic to me.  If there's a problem and something is trying to run on my system, TELL ME ABOUT IT!
     
  5. Soul_Flame

    Soul_Flame Guest

    And yeah, when it first fires up and does startup scanning, I keep it maximized, too.  But once it's completed I minimize it to the systray.  From that point forward, I should be able to forget about it unless there's a problem, at which point tds should notify me that something is going on.  If it doesn't, that's a HUGE problem in my estimation.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Like said, I never had an exec prot alert myself yet, so I am not sure about the way we get an alarm for that. Better ask Wayne/Gavin about that, or the guys who tested that part.
    The snippet from the alert from you and Dan is from the console text.
    With WG I get the console popping up to do my stuff; not sure if exec prot would just block the thing from executing completely or give you options to do more with it, like examining the file, deleting it, sending it in, running it anyway, whatever........
    What did you get exactly for an alert this time, of which you posted the snippet? If it is blocked completely anyway it cannot harm, of course.
    I'll post in the private forum asking about this part. Hope you have access there soon too to study all!
     
  7. Soul_Flame

    Soul_Flame Guest

    Hi Jooske.....thanks for asking for this info and taking it to the private forum.  I tried registering again last night and again it didn't work.

    I had TDS running minimized in the sys tray when I attempted to launch sub7.  Nothing at all happened on my screen.  Nothing.  So, I right-clicked on the TDS-3 icon and selected 'show' and saw the messages in the control panel.  That's what I copied and pasted.

    Here's my gig: after the initial startup scan, I don't want to be thinking about trojan protection.  In fact, in XP I want to select 'always hide' for the TDS icon so it doesn't even show.  I don't want to ever think about it unless I NEED to think about it, and if I don't get something popping up when execution protection runs, then I'll have no choice but to periodically 'show' TDS, and I don't want to have to do that; I have enough to think about.  That's what I'm paying TDS-3 to do for me.  Stopping it is one part, albeit the most important part, of the process, but if it doesn't TELL me about it so I can delete the offender, then it's not doing the complete job.
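The kind of "little script" Jooske mentioned, reading the console text and turning ExecProt warnings into a one-line notification, can be sketched as follows. This is an added example, not DiamondCS code: it parses only the console line format quoted in the first post (the `HH:MM:SS [Component] LEVEL: message` shape), and the sample lines below are constructed to mirror those.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the TDS-3 console line format quoted in the first post:
#   HH:MM:SS [Component] LEVEL: message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+\[(?P<component>[^\]]+)\]\s+"
    r"(?P<level>[A-Z]+):\s+(?P<message>.*)$"
)
# The ExecProt message body, exactly as it appears in the thread.
BLOCKED_RE = re.compile(r"^(?P<path>.+?) has been blocked from executing$")

@dataclass
class ExecProtAlert:
    time: str
    path: str

def parse_console_line(line: str) -> Optional[dict]:
    """Split one console line into its fields; None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def execprot_alerts(lines: Iterable[str]) -> List[ExecProtAlert]:
    """Keep only the 'blocked from executing' warnings raised by ExecProt."""
    alerts = []
    for line in lines:
        fields = parse_console_line(line)
        if not fields or fields["component"] != "ExecProt" or fields["level"] != "WARNING":
            continue  # other components' output, or a line in another format
        m = BLOCKED_RE.match(fields["message"])
        if m:
            alerts.append(ExecProtAlert(fields["time"], m.group("path")))
    return alerts

def alert_summary(alerts: List[ExecProtAlert]) -> str:
    """One line of text suitable for a tray balloon or a popup box."""
    if not alerts:
        return "ExecProt: nothing blocked"
    names = sorted({a.path.rsplit("\\", 1)[-1] for a in alerts})
    return f"ExecProt blocked {len(alerts)} execution attempt(s): {', '.join(names)}"

# Constructed sample console output: the ExecProt lines mirror the ones quoted
# in the thread; the [Scan] line is a made-up non-alert line to show filtering.
SAMPLE_CONSOLE = """\
07:57:39 [ExecProt] WARNING: c:\\my downloads\\sub7\\sub7.exe has been blocked from executing
07:57:40 [Scan] INFO: scanning autostart entries
07:58:14 [ExecProt] WARNING: c:\\my downloads\\sub7\\sin.exe has been blocked from executing
08:01:02 [ExecProt] WARNING: c:\\my downloads\\sub7\\sub7.exe has been blocked from executing
"""

if __name__ == "__main__":
    print(alert_summary(execprot_alerts(SAMPLE_CONSOLE.splitlines())))
```

Feeding the script a saved copy of the console text (or polling it on a timer) gives the summary line that a popup or tray balloon would show; how that popup is raised is left to whatever notification tool is at hand.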
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    :) I understand what you're saying here - TDS is actually working exactly the way I want it to, just the way it is. Good programs should do exactly what they claim to do and not distract me in the process.

    However, it would be nice (for the people who want it) to have on-screen alerts when something evil is attempting to happen. All of your firewalls have that selectable feature (whether to show alerts or not) AFAIK, so it shouldn't be that hard to add it (if it is, indeed, absent) - maybe in TDS-4? Pete
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You would see it when examining the console and the results of full system scans, with all kinds of opportunities to look deeper into the alerts.
    For me TDS is a kind of central basic tool from which I do a lot of other tasks, as you have seen in the few fun scripts, but of course there are also lots of serious tasks like analysing and protecting etc. I know the FW is blocking most of the intruders; TDS is a second block behind that and a possibility to look into data streams (so I once discovered the CodeRed packets with the port listen) and a lot more for analysing intruders and connections, processes, of course all that analysis in the memory and files, etc. etc. etc., and so much more we discover little by little.
    TDS is not exactly a trojan scanner which detects and deletes a nasty automatically; as it is now it runs behind/works together with the firewall, and beside AV/AT software, and a lot of tools to actually handle files, connections, data, processes.
    Not to forget the NTFS files, even being able to strip them (there is a nice explanation on the DCS site about that), and so much more........
    Nobody knows yet what TDSuite 4 looks like, maybe more options, maybe more background options, I really don't know yet! At least the new suite will be surprising, not to forget the WormGuard with that.
    The latter runs all in the background, popping up when needed for an alert, like I think exactly you want it to.

    Edited:
    PS: you did in the meantime send a registration request for the private forum to support@diamondcs.com.au, I think? (with the name and, I think, the email address you used for your TDS registration?) You should have it really soon now, for sure, first thing Monday morning I guess.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    S_F - Guess you realize that people here would be trying to help you more with your registration issue at the private forum, but since you're not registered here, no one knows who to tell them to help (maybe you giving them your screen name here when you email them might help?). Pete
     
  11. Soul_Flame

    Soul_Flame Guest

    Pete.....as Jooske recommended, I've sent an email to the support email addy.  In addition, Wayne said he's working on it this weekend, so hopefully all will be remedied soon.

    It appears you understand my point exactly.  I don't want to see NAV, ZAP OR TDS in my sys tray.  I have no reason to.  The basic assumption with the first two is, unless those programs tell me differently, they're doing their jobs and all is well.  I would sure like TDS to work in similar fashion.  

    See, with me the problem is, I'm kind of an anal retentive kind of guy, so if there is the POSSIBILITY that a RAT is trying to execute but I don't know about it because TDS won't pop up an alert message, then in the back of my mind I'll always be wondering if all is well.  I just don't want to devote the mental space to it.  I want to 'fire and forget', with emphasis on the FORGET part.

    If this capability is not present in the package, I see two ways to remedy it.  First is a simple alert box.  The other is, if execution protection fires off to stop something, then simply auto-maximize the screen console and let the message that's already there serve this purpose.  Either way is fine with me, just don't make me go looking to make sure all is well.  That's silly.
     
  12. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Pete, part II.....that said, your suggestion to register here was a good one, not doing so previously was an oversight, not a conscious choice.

    Now that has been remedied.

    :)
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Soul_Flame
    welcome as a registered user of this forum again :)

    I have my FW as well set to only pop up for real hard things; all the rest is just logged.
    With TDS, maximizing the console for real alerts could be OK as well. Like said, after a scan I always check the finds before closing the thing.
    Any special extra alert read from the console in an SS3 script can be done, of course, depending on whether you would run other scripts as well (one at a time at this moment, but jumps between scripts are possible of course).
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Soul_Flame - Thanks for registering! I'm glad to hear your problem's getting addressed and wish you the best of luck.

    According to another post I'm reading here, there may still be problems after your registration on the private forum - I'm hoping nothing like that affects you!

    I, too, had to have Gavin do my registration manually - but once he did, I never had a problem logging in or moving about the board there. Pete
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are two URLs possible; for me one causes the problems mentioned, the other goes smoothly since I changed the settings as I was told to, and via the console I can get in any time ever since.
    Hope this works for every member!
    This is no abracadabra, the members will know :)

    The alerting part: Gavin emailed you personally in the meantime and some is added to the wishlist for v4.
     
  16. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Just wanted to close the loop on this topic, especially for anyone who is reading this who is considering purchase of TDS-3.  Gavin from DCS DID indeed email me, several times in fact.  We had a nice exchange of emails and the bottom line is they WILL be adding some type of alert notification to TDS-4.    It may be a flashing icon in the systray, or an explicit alert message, but SOMETHING will happen which will inform the user there is something for them to do.

    I'm gratified by this for two reasons.  First, it's something the product absolutely needs.  Second, it shows me a very encouraging level of responsiveness by DCS towards their customer base.  I'm not dialed into the time difference between California and Australia, but I'll bet I had emails on the registration and alert issues very early on their Monday morning.  Can't ask for more than that.

    Thanks to everyone who participated and offered assistance.

    Oh, and Spy1, I had to tell you this after reading your signature about caffeine.  I saw a bumpersticker at a coffee shop once that I thought was hilarious:

    "Drink coffee.  Do stupid things faster and with more energy!"
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Good to hear! A satisfactory resolution for your (and others) concerns, and a chuckle at the end!

    Doesn't get much better, indeed! Pete
     
  18. Checkout;

    Checkout; Guest

    More than ever, I'm convinced to accept TDS-4 (when it appears) and acquire (don't panic, I mean buy) when V4 appears.  :)
     
  19. Checkout;

    Checkout; Guest

    Waitamminit - previous post - guest?  Guest?  I'm logged in, for Pity's sake!

    Hey, Paul!  It's gone wrong again!!
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi, glad to hear about the contacts. We here have a saying, "new brooms wipe clean", of which I don't know an English equivalent, but it means new people can have fresh ideas in an existing situation, and you prove it here again as truth.
    Version 4 will have many more nice parts, for sure, which we're all looking forward to.
    If you now also have your access to the private forum in order, we are all very happy! Looking forward to reading you there too!
    I think all operators share your feelings for the support and the family feeling.
     
  21. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Almost identical, Jooske.  "A new broom sweeps clean."
     
  22. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Hey Checkout (and any lurkers out there)......that's a sound approach.  I'll tell ya, I devoted a LOT of mental energy and not an insignificant amount of time researching anti-trojan software and I feel confident that TDS-3 is the most technically advanced product on the market.  When I was asking questions both before I purchased, and with respect to this thread, both Wayne and Gavin were kind enough to send me personal emails, some of which shared some of the enhancements that are coming in TDS-4.  I don't know if what they shared is common knowledge or not, so I'll keep it to myself so as not to share something that perhaps wasn't meant for public consumption, but I will say this.  Right now, I feel a credible case can be made that TDS-3 is the strongest anti-trojan package going.  With what I know is coming in TDS-4, it won't even be close.  TDS will be miles ahead of any competitor in the field.  It's gonna be very, very cool.  I'd strongly suggest anyone reading this thread get onboard with TDS, because you're gonna really like where this train is going.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It's not common knowledge, Soul_Flame. Once you can access and post a lot in the private forum you might get the status of beta-tester there and be among the first to test all those new gems.
    For sure they suit the name of this gem for their company name, brilliantly, don't they, in every sense?

    The problem can arise when they are far ahead of hackers and trojan/worm writers: how to keep them busy?
     
  24. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Jooske.....yeah, beta testing this product would be awesome.  My job is actually as a software designer and tester for a relatively small company that makes manufacturing software for aerospace and defense companies.  

    I haven't had time to test my access to the private forums yet, but will do so probably later today.  See you there!
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting job, Soul_Flame; there will certainly be enough work for you. So get your private access and post a lot; with all your investigation and the brilliant ideas (and attitude) you've shown already you might win beta-tester status soon.
     