TDS-3 Exec Protection - REALLY?

You have TDS-3 installed and running on your computer (program is open or minimized in taskbar).

It shows Exec Protection: OK Installed

Now you run a .exe program. Assuming the file you just ran is clean and trojan-free, should there be any indication on the TDS-3 Control Console that it has scanned (or is scanning) that file?

Or, does the file simply get executed?

I know on WormGuard there's no indication UNLESS there's a problem with the file, but on TDS-3, isn't there supposed to be some type of activity or confirmation of scanning on the Control Console?

Please post your answer...THANKS!

 

Hi Mark,
as long as TDS is running with exec protection installed all executables are scanned and only if there is an alarm you are alerted.
Imagine the many programs you're starting in short time: if every exe/com found OK was mentioned it would be really annoying and you would look for means to disable such messages --even if those were lines in the console mounting the console log to many lines a minute-- other then just close TDS.
I'm trying to think of a test file like we described some tests in the WormGuard forum which could affect TDS to jump up if you click to run it. It should be some you create and save as test.exe on your desktop, but now thinking about a nasty line to put in it as a test.

 

You might have seen my test file in WG like creating a test.vbs or with a double extension like test.exe.vbs and inside a line like Msgbox "This is a VBS script running"
An easy way to do with notepad, save with such a name and click on it; it is innocent so you would only see a messagebox telling about the VBS script running, but in the second case WG will warn for the double extension and give opportunity to check in safe mode.
For TDS exec protection there should be something more malicious inside, maybe just a line telling "delete directory" or "del file.com" and saved as test.exe, maybe test.bat will do too and see which is first to block it.

 

Jooske:

Perhaps there is just such a test file. I've downloaded a "Trojan Simulator" from www.misec.net/trojansimulator.

As far as I can tell, my copy of TDS-3 ( registered ) with Exec Protection enabled did not detect it and warn me in any meaningful way. That is, it did mention that the registry had been changed ( press Control-A ), but did not find the file where I had placed it ( C:\Program Files\Trojan Simulator). It did not warn me that it was running in memory on any of Process Memory Space, Mutex Memory Space, or Process File Scan. I did see it as TDS-3 scanned by it, but I could not expect to be watching and spotting trojans by eye - no highlighting , warning, or any such alarm.
Perhaps I do not have TDS-3 properly configured, although I tried to use the Standard Configuration mentioned on this Forum.

Would someone take a look at this "Trojan Simulator" and let me know what I should expect ?

TIA,

Ed

 

Hmmm, I just used notepad and placed the following lines in a file:
delete directory on line one, and del file.com on line two.

Saved it as an .exe and ran it. TDS-3 made no intervention or warning and neither did WormGuard.

TDS-3 is running & Exec Protection says OK.

Any ideas?

 

I don't think the trojan simulator is in the TDS database yet (thus the execution protection probably wouldn't catch it).

Best regards,

-Javacool

 

Paul:

I rather suspected that that might be the case - a custom-made "trojan" that nobody but the builder could find.

I guess my concern was that I thought that TDS-3 had a degree of generic detection capability that would find a running process and mark it as suspicious based on the characteristics of the process. Evidently the builder knows how to disguise them.

Back to the old drawing board - maybe TDS-4 will be more sensitive ( generically ) ?

Thanks,

Ed

 

ditto Forum Admin

You guys might like to look at this:
www.dslreports.com/forum/remark,5507340~root=security,1~mode=flat

discussion on the trojan test.

edit: sorry you will have to cut and paste, link break. copy the whole link/paste should work.

put the URL between tags (press the blue globe icon on the left bottom corner when posting - and "paul" will do just fine

 

TDS has the kind of generic detection, as it detects on malicious code without the name in such cases, and will display something like "suspicious" or "positive ident" if it is malicious. If known innocent you will not see it this moment, but soon it will.
The "leaktest" has been added by name as something innocent and is mentioned as such in the database, where you will see a thing like "positive identification" and "not a trojan".

Need better test ideas, i'm sure Gavin will give better examples for own creations. Good that i fail for a nasties writer