ewido

Discussion in 'other anti-trojan software' started by JayTee, Nov 22, 2004.

Thread Status:
Not open for further replies.
  1. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    I read somewhere that ewido has the best unpacker. Is this still true? How do TDS-3's unpacking capabilities compare to ewido's? Thanks
     
  2. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I am testing both and so far Ewido wins clearly.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Care to elaborate?
     
  4. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Might do that in the future, but that's not possible now. I am a journalist and trying to sell an article first :)
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    I can at least tell you how it's working in tds-3:
    tds-3's unpacking is generic, although somewhat "manual". TDS has an interface for unpacking plugins. It scans a file, and if it finds pattern XY, it sends the file through program YZ and then scans the result. A few of those plugins come preconfigured with TDS, and you are free to add your own - but then you'll have to find a reliable unpacker (YZ) for your packed file format of choice and figure out what should be used as a "signature" to trigger this unpacking (XY). (Finding unpackers would probably require going to some more or less malware-oriented site, and posting a link to such sites here is definitely against the TOS.)
    On the TDS licensed users' private forum, there has been a thread about some XY's and their corresponding YZ's, but it has been some time since - and when it comes to crypters instead of packers, it mostly doesn't work (since you won't find reliable uncrypting programs).

    A good idea, IMHO, but it was neglected a bit both by DCS and the user base, and now that we're dealing with more complicated packing and crypting mechanisms, you probably have no other way than to let the "target" application handle its de-obfuscation itself. No stand-alone command-line tool will do, probably, and we're left with emulators and other generic unpacking approaches that are more difficult, and sometimes more dangerous. AFAIU, this is the route that Ewido takes, but I don't know any specifics.

    HTH,
    Andreas
     
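As an added illustration of the trigger/unpacker pipeline Andreas1 describes (example code written for this page, not DCS's or TDS-3's own plugin format), here is a small Python model of it: the "XY" signature is a set of PE section names read from the file's section table, and "YZ" is an external command that gets run on a temp copy before the result is rescanned. Only the UPX row is grounded in a real tool (the `UPX0`/`UPX1` section names a UPX-packed PE carries, and the real `upx -d -o OUT IN` syntax); the plugin-table layout, the `Demo.Trojan.A` signature and the `build_minimal_pe` helper (which fabricates a header-only PE for testing, not a runnable executable) are constructed for the example.

```python
import os
import shutil
import struct
import subprocess
import tempfile

# Assumed plugin table: trigger signature (Andreas1's "XY") -> external unpacker ("YZ").
# Only the UPX row reflects a real tool and real section names; further packers would be
# added as more rows, each with its own trigger and command template.
UNPACK_PLUGINS = {
    "upx": {
        "sections": (b"UPX0", b"UPX1"),            # sections a UPX-packed PE carries
        "cmd": ["upx", "-d", "-o", "{out}", "{in}"],  # real upx decompress syntax
    },
}

# Constructed, purely illustrative byte signature used for the (re)scan step.
SIGNATURES = {"Demo.Trojan.A": b"DEMO-TROJAN-BODY-A"}


def pe_section_names(data: bytes):
    """Read the section names from a PE image's section table ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections is at +6,
    # SizeOfOptionalHeader at +20; the section table starts right after the optional header.
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsect):
        off = table + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes, Name first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def identify_packer(data: bytes):
    """Return the plugin key whose trigger sections are all present, else None."""
    names = set(pe_section_names(data))
    for key, plug in UNPACK_PLUGINS.items():
        if set(plug["sections"]) <= names:
            return key
    return None


def scan_bytes(data: bytes, signatures=SIGNATURES):
    """Plain signature scan: names of every signature found in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def unpack_command(key: str, infile: str, outfile: str):
    """Fill the plugin's command template with concrete paths."""
    return [a.format(**{"in": infile, "out": outfile}) for a in UNPACK_PLUGINS[key]["cmd"]]


def run_external_unpacker(data: bytes, key: str):
    """Write data to a temp file, run the mapped unpacker, return its output bytes
    (None if the tool is not installed or reports failure)."""
    tool = UNPACK_PLUGINS[key]["cmd"][0]
    if shutil.which(tool) is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "packed.bin"), os.path.join(d, "unpacked.bin")
        with open(src, "wb") as f:
            f.write(data)
        r = subprocess.run(unpack_command(key, src, dst), capture_output=True)
        if r.returncode != 0 or not os.path.exists(dst):
            return None
        with open(dst, "rb") as f:
            return f.read()


def scan_file_with_unpacking(data: bytes):
    """The TDS-3-style pipeline: scan; if a trigger matched and nothing was found,
    run the mapped external unpacker and scan its output instead."""
    hits = scan_bytes(data)
    key = identify_packer(data)
    if key and not hits:
        unpacked = run_external_unpacker(data, key)
        if unpacked is not None:
            hits = scan_bytes(unpacked)
    return {"packer": key, "detections": hits}


def build_minimal_pe(section_names, body: bytes = b""):
    """Constructed test input: a header-only PE32 with the given section names."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                           # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_hdr + opt + sections + body


if __name__ == "__main__":
    sample = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(pe_section_names(sample), identify_packer(sample))
    print(scan_file_with_unpacking(sample))
```

The weakness Andreas1 points at is visible in the table: each row needs a stand-alone tool that reproduces the packer's decompression exactly, and a crypter with a custom stub has no such "YZ", which is where emulation-based generic unpacking takes over.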
  6. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    It's nice to see that Ewido has a function with which you can scan any individual file with a right mouse click. TDS-3 hasn't got that. The way Ewido looks into archives is also great to see: they unpack it on the fly to see what is inside a zip or rar file, and then test it immediately. TDS has a much more difficult approach. As I see it, it looks a bit like Windows and Linux, but then without the problems of Windows ;)
     
  7. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @Andreas1
    Can you tell which packers are supported by TDS-3 "out-of-the-box"? I wonder because, according to some tests, even the most common packers aren't supported by the file scanner...
    http://home.arcor.de/scheinsicherheit/tds.htm
    http://boardadmin.bo.funpic.de/viewtopic.php?t=22&sid=27a934546ab522963f1dbc6f3dfc48b7

    Ewido's generic unpacking engine (based on emulation) can at least deal with several simple packers/crypters (might have further improved in the meantime):
    http://boardadmin.bo.funpic.de/viewtopic.php?t=7&sid=27a934546ab522963f1dbc6f3dfc48b7

    Anyway, both Ewido and TDS-3 have a memory scanner, which in principle can deal with (almost) all packers/crypters. :)
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    What good does unpacking support do for TDS-3's memory scanner? When it scans memory on demand (the only way you can with TDS-3), isn't it scanning executables that have already been unpacked? (Since... They're already running.)
     
  9. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @nameless
    Yes, you're of course right, a memory scanner doesn't really have to "deal" with packers/crypters, as it scans the running processes in unpacked form.
    So, what I actually wanted to say is, mem scanners can (normally) easily detect any packed/crypted samples after execution. :)
     
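To make concrete why a memory scanner sidesteps packers and crypters, as _anvil and nameless discuss in the last few posts, here is an added example (written for this page; it is not Ewido's or TDS-3's code). It is built on the Linux /proc interface so that it runs anywhere offline; on Windows the same idea is `ReadProcessMemory` over regions enumerated with `VirtualQueryEx`. It XOR-"packs" a constructed marker, shows that a static scan of the packed bytes finds nothing, starts a child Python process that decodes the marker the way a crypter stub would, and then scans that process's readable mappings and finds the marker. The marker text, the key `0x5A` and the decoy pattern are all constructed for the example.

```python
import os
import subprocess
import sys

# Constructed demo payload and a toy XOR "crypter": the marker stands in for the bytes a
# signature would match, which on disk exist only in obfuscated form.
MARKER = b"DEMO-TROJAN-BODY-SIGNATURE-0xC0FFEE"
KEY = 0x5A
DECOY = bytes(b ^ 0x33 for b in MARKER)   # a pattern the child never holds (negative control)


def xor_pack(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_all(buf: bytes, pattern: bytes):
    """All offsets at which pattern occurs in buf."""
    hits, i = [], buf.find(pattern)
    while i != -1:
        hits.append(i)
        i = buf.find(pattern, i + 1)
    return hits


def scan_process(pid: int, patterns, chunk: int = 1 << 20):
    """Scan every readable mapping of a live process for the given byte patterns and
    return {pattern: sorted list of virtual addresses}.  File-backed mappings (the
    process's loaded modules) are read as they sit in memory, not from disk."""
    overlap = max(len(p) for p in patterns) - 1     # keep a tail so chunk edges can't split a hit
    hits = {p: set() for p in patterns}
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        fd = mem.fileno()
        for line in maps:
            fields = line.split()
            perms = fields[1]
            path = fields[5] if len(fields) > 5 else ""
            if not perms.startswith("r") or path in ("[vvar]", "[vsyscall]"):
                continue                             # unreadable or kernel-owned special regions
            start, end = (int(x, 16) for x in fields[0].split("-"))
            pos, tail = start, b""
            while pos < end:
                try:
                    data = os.pread(fd, min(chunk, end - pos), pos)
                except OSError:
                    break                            # region went away or is not readable after all
                if not data:
                    break
                buf = tail + data
                base = pos - len(tail)
                for p in patterns:
                    hits[p].update(base + i for i in find_all(buf, p))
                tail = buf[-overlap:] if overlap else b""
                pos += len(data)
    return {p: sorted(a) for p, a in hits.items()}


# The "target" process: decodes its payload exactly as a crypter stub would, then waits.
# It only ever receives the packed bytes (as hex) on its command line.
CHILD_SRC = r"""
import sys, time
key, blob = int(sys.argv[1]), bytes.fromhex(sys.argv[2])
plain = bytes(b ^ key for b in blob)
sys.stdout.write("ready\n"); sys.stdout.flush()
time.sleep(60)
"""


def demo_packed_payload_visible_in_memory():
    """Static scan of the packed blob vs. memory scan of the running process.
    Returns (static_hits, memory_hits)."""
    blob = xor_pack(MARKER, KEY)
    static_hits = find_all(blob, MARKER)             # what a file scanner without unpacking sees
    child = subprocess.Popen([sys.executable, "-c", CHILD_SRC, str(KEY), blob.hex()],
                             stdout=subprocess.PIPE, text=True)
    try:
        if child.stdout.readline().strip() != "ready":
            raise RuntimeError("child did not start")
        memory_hits = scan_process(child.pid, [MARKER, DECOY])
    finally:
        child.kill()
        child.wait()
    return static_hits, memory_hits


if __name__ == "__main__":
    static, mem = demo_packed_payload_visible_in_memory()
    print("static scan of packed blob:", static)
    print("memory scan, marker at:", [hex(a) for a in mem[MARKER]])
    print("memory scan, decoy at:", mem[DECOY])
```

Reading another process's `/proc/<pid>/mem` is subject to the same access check as attaching a debugger (on Ubuntu, `kernel.yama.ptrace_scope`); the child here is a descendant of the scanner, so the default policy permits it. The flip side, which nameless raises, is that this only works after the sample has run: the memory scan is a detection of an already executing process, not a pre-execution check.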
  10. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    @_anvil:
    I have messed around with these "plugins" a bit, and avoided re-installing TDS, so I cannot really be sure that this is what is there "out-of-the-box", but right now I have only upx in my TDS's Ext.Unpk dir. I've just now dug a bit in the archives (TDS's licensed users' forum, search for Ext.Unpk), and have found user additions for pecompact and petite. In addition to these, I had two of my own, but can't seem to re-find them now. Note that often these will refer to older versions of the tools, and I'm not sure they still work on more recent versions.

    @_anvil & nameless:
    Are you aware that nautilus claims - and I've still not found the time to verify it - that TDS's memory scanner does scan the memory of running processes, but not the memory of the modules they have loaded? Instead, he says, it just scans their DLL files (which might be compressed/crypted).
     
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    That's fine with me; I just uninstalled TDS-3, which has become antiquated anyway.
     
  12. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    And did you install Ewido or another one?
     
  13. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yeah, Ewido. Now I'm dealing with outrageous CPU usage caused by the Ewido guard.
     
  14. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @Andreas1
    Yes, I think he is right about that. AFAIK the DCS-guys don't deny that, promising improvement with TDS-4. :)
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    That really amazes me. What do you mean by outrageous CPU usage?

    When I look at what I see on my system: CPU use: 0, memory use: 12 kB. That's in my view not much ;)
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    One thing that Ewido does have over TDS-3, from what I understand, is an active memory scanner. TDS-3 will scan memory on demand and keep something from executing until it scans it, whereas Ewido has more of a resident memory scanner. I think at this point TDS-3 really relies on the signatures for the trojan itself (before it's run). There are advantages to both, however. TDS-3 may not have quite the same memory scanning abilities, but it comes with plenty of other tools you can use to sniff out a trojan if you are suspicious of an infection.

    (same for individual files)
     
  17. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I do not have that option, as far as I can see... Where is it hidden? ;)

    Oops... found it. Only in the My Computer section. It should be there as a normal function, just like Ewido does!
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Lol, I have the reverse problem: TDS-3 shows on my context menu everywhere, but Ewido doesn't... must be a conflict somewhere.

    edit: reinstalled Ewido and it seems to be there now.. <shrugs>
     
  19. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Maybe I should reinstall TDS-3 too then? ;)
     
  20. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    @edwin024:
    ...or have a look/ask at the TDS forum. This has been discussed a couple of times, and I'm sure someone will come along at least with a registry setting to get this item into your context menus (whether or not the (re)install helps).
     
  21. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    In my view, that's not much either (and I don't even come close to believing the "12 KB" memory use figure). Which brings us to something I have to keep repeating: what I see on my system may not be what you see on your system. They call this "YMMV".

    I'm seeing constant 4-8% CPU usage when certain programs are running, and ~80+% usage sometimes when browsing the internet. The CPU usage used to spike to 99+%, until a recent update of the Ewido guard executable. Still, I don't find ~80+% CPU usage acceptable or bearable.

    I'm also not the only person with this problem. Others have reported it too, in this forum. Not necessarily to the same degree.
     