confused, need help?

Discussion in 'Trojan Defence Suite' started by tobamore, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    I'm running tds3 and it loads fine, just seems to sit there in the tray. I have NEVER seen any sort of tds3 related alert other than when performing a manual scan of my system. (these were removed but only double extensions)
    What is tds3 supposed to do? Should it pop up and alert me, or identify a problem and wait for me to open the interface? Furthermore, is there anywhere I can test tds to see if all is well?

    mtia,

    T.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    TDS is on demand; in the registered version you can install the exec protection which quickscans every file before it is allowed or blocked from executing. This might or might not give a popup warning, or you see it in a new line in the GUI. To have that exec protection functioning TDS needs to be started; you can minimize it to the systray, still functioning.
     
  3. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Thank you for your help. So it seems that after tds has loaded and completed a scan, a trojan could infest my system (assuming exec prot is off) and tds would know nothing about it? Therefore, since I'm running process guard, there is no reason to run tds automatically at each startup? Instead, running it weekly for example?

    Am I correct in my assumptions, or way off the mark?

    mtia,

    T.
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Tobamore.

    First to use the test method outlined below with RTM [Real Time Monitoring] you have to have paid and registered the program and then have the RTM of Exec Protection installed, ok!! :)

    Go to THIS THREAD and see my posting/instructions on it.

    Of course, if interested in a trojan simulator one GO HERE

    You can follow the instructions of the trojan simulator one by doing the 'Install' and then doing an On Demand scan with TDS if you have not got the fully registered version with RTM. ;)

    I cannot even get it to download, Kaspersky keeps alerting and deleting it :)

    Cheers, TAS
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes you are correct if you do not have TDS running [even with Exec Prot installed] you can be infected. PG will stop an unknown Process from running until you either Allow/Deny.

    By startup, are you talking Windows Startup, or just starting TDS itself if you do not run it normally as in Real Time Monitoring?

    Vast majority here do not have it starting with windows, we start it manually once windows is loaded, as it can hang a bit, especially with Process Memory Space Scan checked.

    Now, if you do not have TDS running with Exec Prot as a normal RTM app, then you want to do a full system scan, you may as well have the majority of the checks it does on startup turned off, as it will only go through all of those again when you select Full System Scan.

    Hope that is clear.

    Cheers, TAS
     
  6. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    I registered the program about a year ago and until recently, only used tds to scan my entire system monthly.

    I tried the trojan test you suggested and did the install, tds did nothing (with exec prot on and latest update!) This can't be right, surely?
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    okie dokie then.... have fun testing :D

    TAS
     
  8. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Hello, let me explain, I'm running tds3 in my systray (registered with exec prot - on) I then downloaded the dummy trojan detailed in the above post, allowed it to run once (via process guard) and tds spotted nothing! I then shut down tds and re-started it, then and only then did it recognise the trojan and allow me to remove it, this is shutting the stable door AFTER the horse has bolted, surely?
     
  9. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    *bump* Could someone please advise?
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tobamore, In scan control make sure that you have Scan Clients/edit servers enabled and all the other scan options. TDS should see it then. :)
     
  11. tobamore

    tobamore Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    128
    Ahh, now that's more like it! :) Thanks. Why isn't this enabled by default? This is surely a loophole if left unchecked?
     
  12. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi, Pilli! :)

    Now I'm a little confused. The only option in Scan Control that I have NOT selected was Scan Clients / Edit Servers. I got the impression that for a stand-alone PC like mine, that was not appropriate.
     

    Attached Files:

    • es.gif (File size: 7.7 KB, Views: 149)
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Daisie, Yes when doing a full scan it is recommended to disable it but if you are running exec protect then it is better IMO to leave it on just in case. :)
    As you can see
    17:20:28 [ExecProt] WARNING: c:\docume~1\***\locals~1\temp\temporary directory 1 for trojansimulator.zip\tsserv.exe has been blocked from executing
    17:20:40 [ExecProt] WARNING: c:\docume~1\*****\locals~1\temp\temporary directory 2 for trojansimulator.zip\trojansimulator.exe has been blocked from executing


    As the help file explains the client/server by itself is not malware.

    Scanning for Clients and Editservers is purely optional. We do recommend that home users have this feature disabled as it will slow down the scan that TDS-3 performs.

    Clients and EditServers are programs that are used by the actual hackers themselves and would not necessarily be found on a victim's computer. Many anti-virus and anti-trojan applications detect these programs as being actual trojans whereas in fact this is incorrect. Victims are very unlikely to have these files on their systems. However due to demand by large corporations, TDS-3 now detects these applications used by hackers. The reason being is so that they can detect any employees that are using these tools on their networks to get onto other systems they are not supposed to.

    However users have the option to detect these files and the database is separated from the primary signatures. Files that do get detected as Clients or Editservers are noted in the scan window as actually being a utility and not an actual trojan. This is to differentiate between the different types of files, and not to cause a false sense of insecurity to the user.

    Home users should disable this when scanning for trojans.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It should read something like:
    In normal circumstances normal home users could leave it disabled.....
    but in testing conditions any user should enable this option.
     
  15. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    To me this is a bit strange:

    Because I read it here in all the threads that if you've missed a Trojan:

    (Like Pilli wrote:)
    So to me it seems as it is NOT a good idea to DISABLE this option.

    Is this because of the newer Trojans(kits/Packages)?

    Perhaps that was the case (history) but not now, I guess.

    And why would you scan without it?
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tuatara, The TDS help file is probably out of date now as work on TDS4 is more important, so I guess in the light of new malware this could be altered somewhat. Having said that the client/servers are, as the help file states, not usually Trojanic in themselves.
    Obviously doing a full scan with all options selected will have a detrimental effect on scan speed so it is better to do it when you are not using the computer much.
     
  17. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Thanks for that clear answer Pilli,

    And I don't want to refer DCS to update the helpfile if they can work on TDS-4
    instead :>)

    And on PG version 2.xx ..... ('within 2 weeks') ...

    It is good that this forum answers a lot of questions for them,
    let them do what they do best .... making great programs!

    :>)
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not V2.xx it will be Version 3 and yes hopefully it will be out in the next couple of weeks.

    Thanks for your kind words. Pilli
     
  19. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    phew..... I left last night and did not see this reply, sorry tobamore, but I see it's been fixed, thanks Pilli. :)
    and Yes, I should have told you to make sure that was enabled in configuration :(

    That's why I recommended the simple Leaktest option, as it's already like a trojan 'would' be and not in the Client/EditServer state.

    Cheers, TAS
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    One of my reasons to recommend to have ALL options checked and the sensitivity slider on highest.
     
  21. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    PG version 3 ....... wow ...can't wait ...

    :D
     
  22. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Agreed. As a side comment, I would suggest some strong wording somewhere in the user guide that instructs users what to do when installing software (turn learning mode on). Can really make a mess if you don't.
     