I read somewhere that Ewido has the best unpacker. Is this still true? How do TDS-3's unpacking capabilities compare to Ewido's? Thanks
Might do that in the future, but that's not possible now. I am a journalist and trying to sell an article first.
I can at least tell you how it's working in TDS-3: TDS-3's unpacking is generic, although somewhat "manual". TDS has an interface for unpacking plugins. It scans a file, and if it finds pattern XY, it sends the file through program YZ and then scans the result. A few of those plugins come preconfigured with TDS, and you are free to add your own - but then you'll have to find a reliable unpacker (YZ) for your packed file format of choice and figure out what should be used as a "signature" to trigger this unpacking (XY). (To find unpackers would probably require going to some more or less malware site - sites that definitely are against the TOS to post a link to here.)

On the TDS licensed users' private forum, there has been a thread about some XYs and their corresponding YZs, but it has been some time since - and when it comes to crypters instead of packers, it mostly doesn't work (since you won't find reliable decrypting programs).

A good idea, IMHO, but it was neglected a bit both by DCS and the user base, and now that we're dealing with more complicated packing and crypting mechanisms, you probably won't have another way than to have the "target" application handle its de-obfuscation itself. No stand-alone command-line tool will probably do, and we're left with emulators and other generic unpacking approaches that are more difficult, and sometimes more dangerous. AFAIU, this is the route that Ewido takes, but I don't know any specifics.

HTH, Andreas
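To make the XY/YZ mechanism Andreas describes concrete, here is an added toy model of a signature-triggered external-unpacker pipeline. This is example code written for this page, not TDS-3's or Ewido's code and not anything a poster provided: the "TOYPACK1" packer, its XOR masking, the trigger pattern, the detection signature and the sample files are all invented for illustration, and `toy_unpack` stands in for whatever external program (the YZ) a real plugin would call. It also shows the failure mode Andreas points out for crypters: a per-sample stub gives the scanner no fixed pattern to fire on, so nothing is ever handed to an unpacker.

```python
"""Toy model of TDS-3-style signature-triggered external unpacking.

Constructed for illustration only: the TOYPACK1 packer, its XOR scheme,
the signature and the sample files are invented, not real TDS/Ewido data.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample "malware" body and the one signature the scanner knows.
PAYLOAD = b"MZ\x90\x00 TROJAN_BODY run_evil_server() "
SIGNATURE = b"run_evil_server"

# Toy packer: a fixed stub (the pattern "XY") followed by the XOR-masked body.
STUB = b"TOYPACK1"
KEY = 0x5A


def toy_pack(body: bytes) -> bytes:
    return STUB + bytes(b ^ KEY for b in body)


def toy_unpack(packed: bytes) -> bytes:
    """Stands in for the external unpacker program 'YZ' (think `upx -d`)."""
    if not packed.startswith(STUB):
        raise ValueError("not a TOYPACK1 file")
    return bytes(b ^ KEY for b in packed[len(STUB):])


def toy_crypt(body: bytes, stub: bytes) -> bytes:
    """Toy crypter: same masking, but a per-sample stub, so no fixed XY exists."""
    return stub + bytes(b ^ KEY for b in body)


@dataclass
class UnpackPlugin:
    name: str
    trigger: bytes                       # pattern XY that fires this plugin
    unpacker: Callable[[bytes], bytes]   # program YZ that yields the unpacked file


PLUGINS: List[UnpackPlugin] = [UnpackPlugin("toypack", STUB, toy_unpack)]


def signature_scan(data: bytes) -> bool:
    return SIGNATURE in data


def scan_with_unpacking(data: bytes, plugins=PLUGINS,
                        max_rounds: int = 4) -> Tuple[bool, List[str]]:
    """Scan; if a plugin's trigger is present, unpack and rescan the output.

    Returns (detected, names of plugins that fired).  max_rounds bounds the
    loop so a hostile file that still matches its own trigger after
    "unpacking" cannot keep the scanner busy forever.
    """
    fired: List[str] = []
    current = data
    for _ in range(max_rounds):
        if signature_scan(current):
            return True, fired
        plugin = next((p for p in plugins if p.trigger in current), None)
        if plugin is None:
            return False, fired            # no known packer stub: nothing to try
        try:
            # In a real plugin this is a subprocess on untrusted input:
            # run it with a timeout and no privileges it does not need.
            current = plugin.unpacker(current)
        except Exception:
            return False, fired            # unpacker failed: treat as not unpacked
        fired.append(plugin.name)
    return signature_scan(current), fired


def demo_plain() -> Tuple[bool, List[str]]:
    return scan_with_unpacking(PAYLOAD)


def demo_packed() -> Tuple[bool, List[str]]:
    return scan_with_unpacking(toy_pack(PAYLOAD))


def demo_crypted() -> Tuple[bool, List[str]]:
    # Constructed per-sample stub: no plugin has a trigger for it.
    return scan_with_unpacking(toy_crypt(PAYLOAD, b"\x00\x7fstub-3a9c\x00"))


if __name__ == "__main__":
    print("plain  ", demo_plain())
    print("packed ", demo_packed())
    print("crypted", demo_crypted())
```

The packed sample is missed by the plain signature scan, caught once the "toypack" plugin has fired and the output is rescanned, and the crypted sample is missed outright because nothing triggers. That last case is exactly why the thread ends up at memory scanning and emulation: the code has to unpack itself before a signature can match.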
It's nice to see that Ewido has a function with which you can scan every file individually with a right mouse click. TDS-3 hasn't got that. The way Ewido looks into archives is also great to see: they unpack it on the fly to see what is inside a zip or rar file, and then test it immediately. TDS has a much more difficult approach. As I see it, it looks a bit like Windows and Linux, but then without the problems of Windows.
@Andreas1 Can you tell which packers are supported by TDS-3 "out-of-the-box"? I wonder because, according to some tests, even the most common packers aren't supported by the file scanner... http://home.arcor.de/scheinsicherheit/tds.htm http://boardadmin.bo.funpic.de/viewtopic.php?t=22&sid=27a934546ab522963f1dbc6f3dfc48b7 Ewido's generic unpacking engine (based on emulation) can at least deal with several simple packers/crypters (might have further improved in the meantime): http://boardadmin.bo.funpic.de/viewtopic.php?t=7&sid=27a934546ab522963f1dbc6f3dfc48b7 Anyway, both Ewido and TDS-3 have a memory scanner, which in principle can deal with (almost) all packers/crypters.
What good does unpacking support do for TDS-3's memory scanner? When it scans memory on demand (the only way you can with TDS-3), isn't it scanning executables that have already been unpacked (since they're already running)?
@nameless Yes, you're of course right, a memory scanner doesn't really have to "deal" with packers/crypters, as they scan the running processes in unpacked form. So, what I actually wanted to say is, mem scanners can (normally) easily detect any packed/crypted samples after execution.
@_anvil: I have messed around with these "plugins" a bit, and avoided re-installing TDS, so I cannot really be sure that this is what is there "out-of-the-box", but right now I have only upx in my TDS's Ext.Unpk dir. I've just now dug a bit in the archives (TDS's licensed users' forum, search for Ext.Unpk), and have found user additions for pecompact and petite. In addition to these, I had two of my own, but can't seem to re-find them now. Note that often these will refer to older versions of the tools, and I'm not sure they still work on more recent versions. @_anvil & nameless: you're aware that nautilus claims - and I've still not found the time to verify it - that TDS's memory scanner does scan the memory of running processes, but not the memory of the modules they have loaded? Instead, he says, it just scans their dll files (which might be compressed/crypted).
@Andreas1 Yes, I think he is right about that. AFAIK the DCS guys don't deny that, promising improvement with TDS-4.
That really amazes me. What do you mean by outrageous CPU usage? When I look at what I see on my system: CPU use: 0, memory use: 12 kB. That's, in my view, not much.
One thing that Ewido does have over TDS-3, from what I understand, is an active memory scanner. TDS-3 will scan memory on demand and keep something from executing until it scans it, whereas Ewido has more of a resident memory scanner. I think at this point TDS-3 really relies on the signatures for the trojan itself (before it's run). There are advantages to both, however. TDS-3 may not have quite the same memory scanning abilities, but it comes with plenty of other tools you can use to sniff out a trojan if you are suspicious of an infection (same for individual files).
I do not have that option, as far as I can see... Where is it hidden? Oops... found it. Only in the My Computer section. It should be there as a normal function, just like Ewido does!
Lol, I have the reverse problem: TDS-3 shows on my context menu everywhere but Ewido doesn't... must be a conflict somewhere. Edit: reinstalled Ewido and it seems to be there now... <shrugs>
@edwin024: ...or have a look/ask at the TDS forum. This has been discussed a couple of times, and I'm sure someone will come along at least with a registry setting to get this item into your context menus (whether or not the (re)install helps).
In my view, that's not much either (and I don't even come close to believing the "12 KB" memory use figure). Which brings us to something I have to keep repeating: what I see on my system may not be what you see on your system. They call this "YMMV". I'm seeing constant 4-8% CPU usage when certain programs are running, and ~80+% usage sometimes when browsing the internet. The CPU usage used to spike to 99+%, until a recent update of the Ewido guard executable. Still, I don't find ~80+% CPU usage acceptable or bearable. I'm also not the only person with this problem. Others have reported it too, in this forum, not necessarily to the same degree.