Can TDS-3 automatically delete any malware samples contained in a directory?

Discussion in 'Trojan Defence Suite' started by ttt, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. ttt

    ttt Guest

    I want to scan a malware archive and I want TDS-3 to automatically delete any malware samples found. Is this possible? (I do not want to manually delete the detected samples.)

    Background: The TDS-3 scan log frequently includes more than one entry for a single malware sample. Therefore, you cannot reliably determine the detection rate of TDS-3 with the help of the scan log summary.

    TIA.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No, it doesn't, and we would not like it to delete automatically either. Think of suspicious files with only double extensions, the possibility of false positives, etc.

    You mean a zip with some files in it? The zip and the files are counted; it will tell you in advance how many files are scanned and how many of those caused alarms.
    30-6 07:05:56 [File Scan] Scanned 34 files: 22 alarms in 15,98047 seconds (Avg 3,13 files/sec)
    30-6 07:05:56 [File Scan] Scanning in c:\06-29-04 ...
    30-6 07:05:57 [File Scan] Scanned 1 files: 22 alarms in 0,9902344 seconds (Avg 2,01 files/sec)
    30-6 07:05:57 [File Scan] Scanning in c:\06-30-04 ...
    30-6 07:05:59 [File Scan] Scanned 8 files: 29 alarms in 1,310547 seconds (Avg 7,1 files/sec)
    30-6 07:05:59 [Scan] Finished.

    One of those files from the first series for instance was a file part-2.zip
    positive identification (embedded in file) worm.netsky.AA part-2.zip
    suspicious filename (in archive) Excessive space characters part-2.txt <lots of spaces> ........ .exe
    positive identification (in archive) worm.netsky.AA part-2.txt <lots of spaces> ........ .exe

    In this series were 3 files with such 3-fold detection because of excessive spaces and dual extensions so you could say we're talking about 6 lines less, so 23 detections total.
    BUT:
    TDS does continue detection; for instance, if your archive were a file infected with one nasty, packed and zipped, and infected with another nasty again and another time packed, whatever (I have seen strange files at times), all those are detected individually, while when I uploaded such a file sometime for analysis elsewhere only one virus or possible bot was detected, or even nothing! Many scanners say with the first detection, OK, file is malware, and don't continue scanning if there is more the matter.
    I've seen it with such a Spybot infected with some virus and the whole lot infected with some other virus, while scanners told me it was just one virus (I think the last of the three layers), but Gavin detected all the other stuff and the order of infections. TDS is not for virus detection unfortunately :cool: it has so much already!
     
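    The counting problem ttt raises (several log entries per sample) and the 3-fold detection Jooske shows above are easy to separate with a small script: count alarm lines on their own, but attribute every "(in archive)" entry to the last top-level file seen, so that one zip with three entries is still one sample. This is an added example, not code from the thread or from DiamondCS. The log excerpt inside it is constructed after the lines Jooske posted (the "trojan.example.A" entry and its path are made up), the line layout of detection entries is assumed from that post, and the alarm count in the "Scanned N files" summary is assumed to be cumulative across directories, as it appears to be in the excerpt above (22, 22, 29).

```python
import re
from collections import OrderedDict

# Constructed log modelled on the lines posted in the thread; not a real TDS-3 log.
# The "trojan.example.A" entry and all paths are made up for the example.
SAMPLE_LOG = r"""
30-6 07:05:56 [File Scan] Scanning in c:\06-29-04 ...
positive identification (embedded in file) worm.netsky.AA c:\06-29-04\part-2.zip
suspicious filename (in archive) Excessive space characters part-2.txt                 ........ .exe
positive identification (in archive) worm.netsky.AA part-2.txt                 ........ .exe
positive identification (embedded in file) trojan.example.A c:\06-29-04\sample3.exe
30-6 07:05:57 [File Scan] Scanned 2 files: 4 alarms in 0,9902344 seconds (Avg 2,01 files/sec)
30-6 07:05:57 [File Scan] Scanning in c:\06-30-04 ...
30-6 07:05:59 [File Scan] Scanned 1 files: 4 alarms in 1,310547 seconds (Avg 7,1 files/sec)
30-6 07:05:59 [Scan] Finished.
"""

# Line shapes are assumed from the excerpt in the thread.
SCAN_DIR_RE = re.compile(r"\[File Scan\] Scanning in (?P<dir>.+?) \.\.\.$")
SUMMARY_RE = re.compile(r"\[File Scan\] Scanned (?P<files>\d+) files: (?P<alarms>\d+) alarms")
DETECT_RE = re.compile(
    r"^(?P<kind>positive identification|suspicious filename) "
    r"\((?P<scope>[^)]+)\) (?P<rest>.+)$"
)


def parse_log(text):
    """Group alarm lines by the top-level file they belong to."""
    samples = OrderedDict()   # top-level file path -> list of detections
    dirs = []                 # one entry per "Scanning in" block
    alarm_lines = 0
    files_scanned = 0
    last_cumulative = 0       # alarm counter is assumed cumulative across blocks
    current_dir = None
    current_sample = None

    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_DIR_RE.search(line)
        if m:
            current_dir = m.group("dir")
            current_sample = None
            continue
        m = SUMMARY_RE.search(line)
        if m:
            files = int(m.group("files"))
            cumulative = int(m.group("alarms"))
            files_scanned += files
            dirs.append({"dir": current_dir, "files": files,
                         "new_alarms": cumulative - last_cumulative})
            last_cumulative = cumulative
            continue
        m = DETECT_RE.match(line)
        if not m:
            continue
        alarm_lines += 1
        kind, scope, rest = m.group("kind", "scope", "rest")
        if scope == "in archive":
            # Entries for archive members count against the container they sit in.
            container = current_sample or "<unknown container>"
            samples.setdefault(container, []).append((kind, scope, rest))
            continue
        if kind == "positive identification":
            # "<detection name> <path>"; the path may itself contain spaces.
            parts = rest.split(None, 1)
            name, path = parts[0], (parts[1] if len(parts) > 1 else parts[0])
        else:
            # A suspicious-filename reason is free text, so keep the rest as the path.
            name, path = kind, rest
        current_sample = path
        samples.setdefault(path, []).append((kind, scope, name))

    return {"alarm_lines": alarm_lines, "samples": samples,
            "files_scanned": files_scanned, "dirs": dirs}


def detection_rate(report):
    """Fraction of scanned files that produced at least one alarm."""
    if report["files_scanned"] == 0:
        return 0.0
    return len(report["samples"]) / report["files_scanned"]


if __name__ == "__main__":
    report = parse_log(SAMPLE_LOG)
    print("alarm lines:", report["alarm_lines"])
    print("flagged files:", len(report["samples"]), "of", report["files_scanned"])
    for path, hits in report["samples"].items():
        print(f"  {path}: {len(hits)} entries")
    for d in report["dirs"]:
        print(f"  {d['dir']}: {d['files']} files, {d['new_alarms']} new alarms")
    print("detection rate:", round(detection_rate(report), 3))
```

    On the constructed excerpt this reports 4 alarm lines but only 2 flagged files out of 3 scanned, which is the distinction ttt needs for a detection rate; the per-directory "new alarms" column is only meaningful if the summary counter really is cumulative, so check that against a real log before relying on it.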
  3. ttt

    ttt Guest

    "No, it doesn't and we would not like it to delete automatically either."

    I agree that, in principle, TDS-3 should not automatically delete any suspicious files found.

    On the other hand, if TDS-3 does not have any hidden parameters etc. allowing a tester to produce an accurate scan log how can it be reliably tested? I wonder whether there are any reliable tests regarding TDS-3 and how the testers have solved this problem.

    (Btw.: I am completely aware of the fact that the combined detection rate of TDS-3's file and mem scanner is better than the detection rate of the file scanner used on a stand-alone basis.)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  5. ttt

    ttt Guest

    It seems to me that this review does not concern TDS-3 but Port Explorer (another good product from DCS).
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sorry, you're right, wrong link, but interesting indeed; I don't see the TDS review links at this time. Sure Wayne knows; the test reviews are on the level of that article at least.
    Maybe in those tests they didn't have "complicated files" like those?

    Heh! I'm happy; just made Gavin very happy with a very, very nasty NEW and complicated piece of malware, consisting of 21 files in one and NTFS ADS stream exe files and lots of real bad intentions. Don't know its name yet; it just came in as a spam email attachment -- good that I didn't believe other scanners; detection in the next database tonight. Great! So let's see if that gives 21 detections for one file :cool:
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
  8. ttt

    ttt Guest

    @TazDevil

    I believe the second test did not need to address my problem since "Tests were performed with six files". Almost the same applies to the first test ( http://www.anti-trojan-software-reviews.com/database-currency-test.htm ). By contrast, I would like to use a malware archive containing several hundred files.

    The third test does not seem to be a real test. Moreover, this website seems to belong to a DCS reseller (look for a link leading to http://hop.clickbank.net/hop.cgi?vanish/diamondcs).
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi ttt,

    That is something we didn't include in TDS-3, sorry.

    We should be including some suitable logging options and delete options in TDS-4 which will help collectors. They could create a copy of their collection, scan and delete found trojans leaving only undetected files. This could then be submitted, we hope you will do this when you scan your collection with TDS-4 :)
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just FYI, anyone can resell our products. But yes it would make you question the test. From memory, this test was conducted before the user in question signed up as a reseller. You might want to email them and ask :)
     
  11. ttt

    ttt Guest

    Gavin:

    thank you for your explanation!

    (Btw.: I do not have a problem with DCS resellers testing DCS products. However, DCS should consider asking such testers to identify themselves as resellers. But this is really "off topic" now. And ultimately it's your responsibility to make up your mind on this issue, which has already been discussed a few weeks ago.)
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The effects of even testing an individual file affect us personally as TDS users. See above how happy I was with a new find? Loving to have another nasty unveiled and helping other users with even one more addition to the detection database, the feeling of doing something nice for the internet community. And I know that by testing such finds online those developers add them to their databases for detection too, so more people are helped with that, even though at this moment they said it was all clean.
    So you see, human detection cannot be ruled out by any means!
    And not holding back from spreading the word, as we see with our own eyes and prove it happening each time again.
    See my own story in the light blue link in my sig; I think it is what happens to many users who come new to the web and are now happy to be able to help out other users.
    I think for many convinced users it doesn't make a difference being a reseller or not, as they just help spread the word after being helped out and convinced themselves.
     
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Currently, the realtime component of TDS-4 allows you to decide what you want to do with the file if you want an automatic response, this includes deleting it. The scanner on the other hand will not have any automatic responses. I don't think it would be good to have an option where you cannot see what the program is doing, as it would be in this case. At the moment the scanner lists all the detected files, and at the end you can choose what you want to do with the files it detects with one or two mouse clicks. I think this is a better compromise, 2 mouse clicks instead of none is hardly "that much more" of a pain, in my opinion. :)
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    That's exactly how I'd do it if anyone asked. Good compromise between minimizing unintended consequences with false positives and speed. Queuing things to the end for a response session is a whole lot better than stopping midstream and waiting for an answer, which some programs still do.

    Blue
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Blue,
    I also like it: waiting till the end and saving to text, then looking if anything needs special attention.
    It's a golden rule never to delete anything without a copy to submit@... unless it's a normal positive identification or a normal double extension.
    All suspicious and possible <adv> etc. go immediately to submit@.....
    I thought one time with an online scanner to set it on "ignore" and "apply for all" and hoped it would continue while I stepped away from the system, only to discover when I came back that it had waited with the next alarm for my confirmation again before continuing scanning.
    Or scanners where one can't save the alerts log, or that only display the names of the nasties found without the full pathnames and the file in which it was found, etc.
     