Discussion in 'Trojan Defence Suite' started by Mr.Blaze, Oct 8, 2004.
whaaaaaaaa omg my post is back
dcs forum is hunted
Will the Active Guard of TDS-4 will be compatible with Boclean, anti-virus like Kaspersky and McAfee and RegRun Gold?
ActiveGuard is what I mean. TDS-4 will more likely than not have a very powerful real-time monitor because all of their competitors are developing similar things.
If they didn't include it, I am quite certain that maybe one or two of their competitors would be running around saying that they have powerful features that TDS-4 does not.
No one except the developers know everything that is in TDS-4 but there is a few features that can be fairly accurately guessed at by knowing some of TDS-3 weaknesses and assuming that they will be strengthened.
For instance, I am sure TDS-4 will be much stronger at detecting the DLL's of DLL injecting trojans. Right now, TDS-3 can detect the injectors fairly reliably but the actual DLL's that are injected...well sometimes those are missed if they happened to be compressed.
TDS-4 will probably also have a much stronger unpacking engine too that will be able to unpack many more packers than they can now.
Also, in maybe one of the advanced versions of TDS-4 they might do something about trying to detect rootkits. I know one of their competitors has the detection of rootkits on their list of things that they eventually want to do, so I am sure that DCS is also researching on how to do this also even though it is a major problem to detect rootkits reliably....that is why ProcessGuard was developed. PG was developed to stop things like rootkits and DLL injecting trojans.
By putting out Processguard first, DCS is giving protection against those things for their customers which gives them more time to develop TDS-4. PG gives protection while a better scanner is being developed.
I agree with Starrob....... I do see an improvement with many features mentioned, even the ones that people don't usually use... ie port scanners and traffic bridge...... Traffic bridge at the moment uses tcp connections to bridge traffic to and from a computer. I like the original idea of the TCP connect to traffic bridge, then forward onto another connection, however I'd also like the idea of a LAN filtering system, where the packets are viewed as as it passes through the network......like SNORT, but perhaps going even further and manipulating those packets (if possible)..... Carnivore eat your heart out..
With the port scanners, there are some with super speed scanning, i'm not sure how TDS compares to these, but improvement over the GUI for this part of the program will appeal to many people.
With Active Guard, i do hope it uses PG style kernel drivers, I'm not sure, but am i right to assume its lower level than what Nortons Resident shield or other AV resident shields use? If PG is lower level.......and TDS-4 active guard uses the same technology, it will blow these other AV programs out the water.... A scan by Norton will FIRST alarm Active Guard as it passes over a trojanous server, and Active Guard will say there's a trojan onboard before the other AV resident shields alarm.
I can also see a feature in TDS-4/Activeguard where a packed trojan will be executed... and in the background an auto unpack and scan of the file to scan for trojan signatures..... and then maybe, if the packing engine is unique and TDS can't unpack before execute, then a dump of the memory and scan the memory space of the file...... hehe sorry, i'm day dreaming here, but these ideas are from already existing ones in TDS-3, just further implemented.
Thought there is rootkits detection in TDS?
There is a whole series in the primaries list.
Does the APM help you with the DLL injection / manipulation?
And the new APT which is in fact a test for ProcessGuard help with killing unkillable processes? have seen people using it for that as a real tool.
Think another strength is to split the new TDS in parts, like the separate ActiveGuard and a separate scanner, hope the other TDS-3 functions for networks and other do-stuff will be there somehow, liking them more and more while discovering their functionality over the years.
Like Rod for example reminds of the traffic bridge, in which we can change data code, we can use TDS as a proxy, i like to use TDS as a server occasionally, etc.
I do hope we'll have both the current autostart explorer (nice and quick overview for less experienced users) and the larger autostartviewer (large, complicated, changes are easy overlooked and misunderstood by less experienced users), it's a detail, but i like to use them both.
So also if Blaze's spector would be there is should show up somehow, no matter how hidden it would be. (it is detected already, don't worry, but i would like to see it if there would be autostart processes from anything on my system)
For the unpackers:
in the Private forum we were told long time ago how we can add all unpackers we like ourselves, which is not a too difficult process; but expecting them to be there in the next TDS-generation.
For the compatibility with other products:
we might ask ourselves "which other products?" by then, as we might not need or want them anymore besides TDS-4. But OK, since we're used to layered protection and second opinions, we most probably will keep what we have already. But if one still does not have them i would suggest waiting with buying them till we know what TDS-4 does. Each product will have it's specific use: for instance if KAV is very strong in unpackers and a large collection of them and if TDS-4 would have a smaller collection, to name a theoretical possibility, then i would certainly either add what is missing if possible, even if that means to keep KAV. Same with the generic /heuristic scanning, whatever the specific differences might be.
Generally spoken it's in the ways of DiamondCS products to be fully functional besides other products people might have installed; if there are ever compatibility problems history learned DiamondCS does all possible to help solving those problems as quick as possible, which can be changes in their own products or contacting the other developers etc.
Just read your autostart opinion jooske........ and Im not sure if this is what you meant, but an idea came in...
Process lists can be a little easier..... ie to colour code the process list....
Black for normal process
Blue for Process that starts during windows bootup
Green for Processes that have socket capabilities
Purple for processes that have socket cabolities and start during windows...
RED for processes that have socket capabilites AND start during windows bootup and is HIDDEN..... good indication that this may be a trojan...
Just like PE...
If possible that sounds like a great improvement to enhance readability /understandability.
And some sign to indicate changes since former times:
even if that would be deleted keys and new keys or changed arguments and which they were and it would be super if we could with a rightclick find a date when it happened and kind of properties what the settings mean.
True...... colour coded again to show signs of 'added, modified, deleted' autostart keys.....
Hrmmm Registryprot still does its job, and its well over 3 1/2 years old...
Sorry Blazie, Your topic has been a little sidetracked!
Having said that it is a very informative thread, it will be interesting to see what DCS makes of all this speculation
Personally I prefer prevention rather than cure, Process Guard achieves much in preventive protection, all scanners are secondary to prevention. Resident monitors or guards are preferable to the average user. Any security software that can see & stop malware without defintions, daily updates etc. has to be the way to go.
IMHO security for the average user should be transparent and not become a chore. Process Guard manages this well now with it's new learning tool and providing the user is not changing their software continuously it is very unintrusive.
Heya Pilli is your Cryptosuite chatserver up? maybe nice for a sunday chat today?
Sure there are signatures for rootkits in TDS. Almost all the good products on the market have signatures for rootkits. The main problem with both rootkits and trojans is that people with know how can easily modify them so that they go undetected.
I go around to many black hat sites just to see what the dark side is doing. Some of what I found is downright scary. There are people on the internet that will sell you "private builds" that are undetectable by most of the major scanners...yes, there is stuff that can get by Kaspersky, TDS-3, BoClean, Trojanhunter, NOD32 or any other major scanner.
I seen websites selling these private builds in price ranges of anywhere from $50 to $600. This is why Processguard was created. It doesn't matter if it private build or not with Processguard...it will block it...you will be alerted that something new has executed or that a driver has been blocked from installing.
The newest version of Hacker defender is extremely difficult to detect and it is still under development to make it even harder to detect than it is now. Even if the scanner has the definitions for it, sometimes it is still possible to get infected by it.
I don't get over-confident with any scanner. I am very careful on what I click on and every time i see a new exploit, I plug it immediately.
I read a lot of articles on the internet and talked to a lot of security people and I have come to realize that there are millions of holes to be exploited in windows operating system. The AV/AT scanners can't keep up with all the new malware being created every day...the definitions can't keep up. As soon as one thing gets detected 5 more take it's place. Malware is like Al Queda these days.
ProcessGuard was created because it prevents the infection in the first place. It will most likely be always the most important software on my machine. Most of my security centers around it and as good as ProcessGuard is...believe me there are people out there expirementing with things to "try" to bring ProcessGuard down....We are just lucky DCS is working to stay ahead of them.
The other solution being worked on is that security software will start becoming more and more behavioral based. I would not be surprised to see some or even a lot of behavioral based solutions in some part of TDS-4. I have seen more than a few security guys gives hints of that is where most major security companies are headed.
TDS and ProcessGuard together are a team yesh!
I do agree with what you're saying, let's see how others jump in here too. And of course there is the discussion in the ProcessGuard forum for the new threats! Fortunately TDS still has a very important part to play and detect and clean and protect etc.
I agree, PG is in a market of its own...... proud to be a licensed user!
Yep, "there is no equal". Or how about:
But what color, if a process has more/all mentioned capabilities?
Would not Processguard stop that anyway as long as you are running it?
As far as I am aware the dropper would have to be allowed to run first and it would need to get access to the kernel, it would also need to install a driver/service. This would be stopped by ProcessGuard providing the Disable install of drivers/services was enabled, even if the dropper was allowed to run ProcessGuard would still stop it.
theres always stuff out there like that
as much as we update are stuff the bad guys update theres lol
I'm new here, where should I start?
I popeyeray, Was that a general request or specifically for DiamondCS product information / support?
Separate names with a comma.