Hey - DCS! Congratulations!

Discussion in 'Trojan Defence Suite' started by spy1, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    You guys did an absolutely GREAT JOB with the test against re-based malware that was conducted on that site that I can't link to! (And you did it without having to change/add to anything you already had in place!!!)

    WAY...TO...GO!! Pete
     
  2. Jooske

    Jooske Registered Member

    Of course they have. Congratulations! ;)
     
  3. spy1

    spy1 Registered Member

    Yep - 10 out of 11 ain't bad at all (NOD did the same when Advanced Heuristics were being used): Beast 1.92 remained undetected (by TDS) and TheefLE 1.11 was not detected (by NOD).

    Wonder how come just one can slip through and the others couldn't?

    Anyone from TDS looking into that? Pete
     
  4. Pilli

    Pilli Registered Member

    Pete, I am surprised at that; look in your TDS primaries list and it is listed. I'm sure Gavin will answer soon.
     
  5. spy1

    spy1 Registered Member

    I don't care that it didn't detect a re-based Beast 1.92, Pilli - I'm more curious as to why it would detect the others that were re-based but not that one.

    And, I haven't seen any effort to answer that on DCS's part as of yet. Pete
     
  6. Primrose

    Primrose Registered Member


    LOL Pete, and I will congratulate BOClean for you... but who the heck still uses The CLEANER?
     
  7. Pilli

    Pilli Registered Member

    Hi Pete, maybe DCS do not know where to look? I do not, so maybe an email to Gavin will help, with the appropriate link. Also, maybe posting in the private TDS licenced ops forum would help.
     
  8. spy1

    spy1 Registered Member

    Pilli - NP, I'll do it in a minute.

    John - A lot of people still use The Cleaner. Sales-wise, I'm surprised it wasn't included to start with in ntl's test on that page. Pete
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Rebasing is a good example of why automatic signature extraction is insufficient for detecting malware, because rebasing will almost certainly throw off detection. It takes us a bit longer to manually disassemble, analyse and find a quality signature, but the result is a strong signature (a strong signature being 1) a signature that's not easy to modify, 2) a signature that will comprehensively make a positive detection, and 3) a signature that won't give off any false alerts). This is the main reason why TDS did so well in Nautilus' rebase test, and it's a tribute to Gavin's analyses and TDS' detection techniques. I'm not sure why the Beast variant failed the test, especially because all others passed. I just tried then with a rebased Beast and it detected it OK, so that's a strange one, but just to be safe we'll have a closer look at it later this afternoon and if a change needs to be made it'll be included in tonight's database update.

    Best regards,
    Wayne
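Wayne's distinction between an automatically extracted byte run and a manually chosen signature can be shown on a toy image. The Python below is an added example, not DiamondCS code: the instruction bytes, image base and relocation offsets are constructed, and the rebase routine simply adds the base delta at each recorded relocation, which is all a rebasing tool does to absolute addresses.

```python
import struct

# Constructed toy "executable image": three x86 instructions, two of which embed
# an absolute 32-bit address (little-endian) relative to the image base. The
# offsets of those address fields play the role of a PE .reloc table.
IMAGE_BASE = 0x00400000
RELOCS = (1, 6)  # byte offsets of the two 32-bit absolute address fields

def build_image(base):
    """A1 <addr> mov eax,[base+0x1000]; 68 <addr> push base+0x2000; C3 ret"""
    return (b"\xA1" + struct.pack("<I", base + 0x1000)
            + b"\x68" + struct.pack("<I", base + 0x2000) + b"\xC3")

def rebase(image, relocs, old_base, new_base):
    """Apply the base delta to every recorded absolute address."""
    delta = new_base - old_base
    out = bytearray(image)
    for off in relocs:
        (addr,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (addr + delta) & 0xFFFFFFFF)
    return bytes(out)

def masked_signature(image, relocs):
    """Analyst signature: bytes inside a relocation entry become wildcards (None)."""
    return [None if any(o <= i < o + 4 for o in relocs) else b
            for i, b in enumerate(image)]

def matches(signature, data):
    """True if the signature occurs anywhere in data; None matches any byte."""
    n = len(signature)
    return any(all(s is None or s == data[p + i] for i, s in enumerate(signature))
               for p in range(len(data) - n + 1))

def compare_signatures(new_base=0x10000000):
    """Run a naive (raw bytes) and a masked signature over original and rebased copies."""
    original = build_image(IMAGE_BASE)
    rebased = rebase(original, RELOCS, IMAGE_BASE, new_base)
    naive = list(original)  # automatic extraction: address bytes included
    masked = masked_signature(original, RELOCS)
    return {
        "rebase_is_consistent": rebased == build_image(new_base),
        "naive_on_original": matches(naive, original),
        "naive_on_rebased": matches(naive, rebased),
        "masked_on_original": matches(masked, original),
        "masked_on_rebased": matches(masked, rebased),
    }

if __name__ == "__main__":
    for name, result in compare_signatures().items():
        print(f"{name}: {result}")
```

The naive signature stops matching as soon as the base changes, while the masked one still anchors on the opcode bytes and keeps matching; the masked form also does not fire on an all-zero buffer, which is the false-alert property Wayne lists.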
     
  10. FanJ

    FanJ Guest

    Heya John,
    Please forgive me my friend (!!!), but this is the TDS-3 public support forum-section and not the "Other Anti-Trojan" forum-section ;).

    Warm regards, Jan.
     
  11. --ntl--

    --ntl-- Guest

    It should be noted that (due to its inherent nature) object mem scanning will not be affected by rebasing. TDS supports object mem scanning.

    Object mem scanning was not part of the rebasing test since it has nothing to do with it.

    In consequence, it would be misleading to say that TDS did not detect the rebased Beast sample at all. On the other hand, it would also be misleading to say that TDS passed the rebasing test in respect of this sample. (Please note that object mem scanning can be easily bypassed. Therefore, it does not substitute but merely complements ordinary scanning techniques.)
     