Outrageous behavior of moderators :(

Discussion in 'other anti-trojan software' started by johny23, Sep 18, 2003.

Thread Status:
Not open for further replies.
  1. GoonMan

    GoonMan Registered Member

    Joined:
    Sep 20, 2003
    Posts:
    125
    Location:
    Louisiana, USA
    LOL, I agree, tECHNODROME. Human beings were attacking or being attacked long before anyone thought about computers. All we can do is try to build a layered defense.
     
  2. Headcrash

    Headcrash Guest

    Pardon me,

    but I understand that the two topics (trojan hunter & tds papers) were closed because they are under examination by wizard!?

    what's the result of the examination? are the papers wrong or right?

    re th: paper is old. imho, it was basically right but th has a heuristic now!

    re tds: there is a discussion at the source of the tds paper (techboard forum) where the author of the paper is "attacked" by someone else. it seems to me that an important question is whether tds (still?) uses case sensitive signatures or not.

    any comments?

    Headcrash (my hd did really crash...and it sucks! i can't access my password, can't login and need to use this terrible backup puter ,-(
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Who wants to know and why?
    Besides that, TDS has more ways to detect malware.
    Dolf
     
  4. Headcrash

    Headcrash Guest

    I want to know, because case sensitive signatures are insecure if case sensitivity is not required.

    if tds still uses case sensitive signatures this should be changed in the forthcoming version (no matter whether tds supports other ways to detect malware).

    Headcrash
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    We had complaints about the documents therefore both were removed for review by the whole mod team.

    In both cases (TDS&TH) the mentioned examples did not work with the current releases.

    I think the problem was noticed by DiamondCS people and mainly removed (at least on the last few trojans I briefly checked myself). But maybe a DiamondCS spokesman (Wayne or Gavin) could answer this more precisely. ;)

    wizard
     
  6. Headcrash

    Headcrash Guest

    Very good reply.

    Thanks, Wizard.
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I doubt if any developer is going to share any security issues on their product, besides that, changing all code to mixed or any other case is a lot more work than writing a new piece of malware.
    Dolf
     
  8. Headcrash

    Headcrash Guest

    @Dolf

    Don't think so. You could either automatically change the sig database and include mixed case sigs. However, this would increase the size of the sig database.

    Alternatively, you could improve the scan engine and make it interpret the sigs in a non-case sensitive manner.

    Anyway, the only important thing is that DiamondCS is aware of the problem (if there is any problem at all) and commits itself to find a solution.

    Headcrash
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Some of TDS-3's sigs feature ASCII characters that are checked in binary mode. These are old signatures that are included to be thorough when doing certain scans. The facts are though that TDS-3 doesn't just use these sigs, only a small percentage (less than half a percent) of the database have these types of signatures. Even though code signatures are used also, it's still good to have those old sigs there, even if someone can hex edit it and that sig is no longer valid. It's almost like saying is it better to have 5 different signatures for a trojan or just one. Even if one of those 5 is easier to hex edit to not be detected (ie change the case of a letter), I would still rather it in there to pick up trojans which haven't changed it.

    Would you be happy if another product which had only one code sig for a trojan, missed a trojan that TDS-3 might detect simply because they hex edited the code so the code sig wouldn't be detected anymore, but didn't bother changing the other 4 sigs that TDS detects?

    When people change malware to not get detected by antivirus/antitrojan programs they install the most popular subset of these programs and then do whatever they need until the file isn't detected by any of them. So in the end does it really matter what byte(s) they change to get it past these programs? You can only hope that you can make the person who is hex editing the malware stop trying to get it past your program and be happy that it isn't detected by most others.

    TDS-4 is an evolutionary step over TDS-3, as it should be. We have incorporated all user feedback into it, and used all the latest documented and undocumented techniques to make it the best. So rest assured we know of TDS-3's shortcomings and they will be fixed and improved.

    -Jason-
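
The two options raised above for text signatures (listing case variants in the database, or comparing case-insensitively in the engine) and the point about keeping several signatures per family, as an added example that is not part of the thread and is not TDS or DiamondCS code. The family name, byte patterns and sample buffers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    family: str
    pattern: bytes
    is_text: bool  # True: ASCII string signature; False: raw code bytes

# Constructed signatures for a made-up family (not real indicators).
CODE_BYTES = bytes.fromhex("558bec83ec10deadbeef")
SIGNATURES = [
    Signature("Example.Trojan", b"ExampleServer v1.0", is_text=True),
    Signature("Example.Trojan", CODE_BYTES, is_text=False),
]

def variant_count(pattern: bytes) -> int:
    """Entries needed to list every upper/lower variant of one text signature."""
    letters = sum(1 for b in pattern if b < 128 and chr(b).isalpha())
    return 2 ** letters

def scan(data: bytes, sigs=SIGNATURES, fold_case=True) -> dict:
    """Return {family: [patterns that matched]}.

    With fold_case, text signatures are compared after folding ASCII case on
    both sides. Code-byte signatures are always compared exactly: folding
    0x41-0x5A inside machine code would produce false matches.
    """
    folded = data.lower() if fold_case else data  # bytes.lower() is ASCII-only
    hits = {}
    for sig in sigs:
        if sig.is_text and fold_case:
            found = sig.pattern.lower() in folded
        else:
            found = sig.pattern in data
        if found:
            hits.setdefault(sig.family, []).append(sig.pattern)
    return hits

# Constructed sample buffers: unmodified, text case changed, one code byte changed.
HEADER = b"MZ\x90\x00"
ORIGINAL = HEADER + CODE_BYTES + b"\x00ExampleServer v1.0\x00"
CASE_EDITED = HEADER + CODE_BYTES + b"\x00eXAMPLEsERVER V1.0\x00"
CODE_EDITED = HEADER + CODE_BYTES[:-1] + b"\x00" + b"\x00ExampleServer v1.0\x00"

if __name__ == "__main__":
    for name, buf in [("original", ORIGINAL), ("case-edited", CASE_EDITED),
                      ("code-edited", CODE_EDITED)]:
        exact = len(scan(buf, fold_case=False).get("Example.Trojan", []))
        folded = len(scan(buf).get("Example.Trojan", []))
        print(f"{name}: exact={exact} folded={folded}")
```

Folding in the engine keeps the database at one entry per text signature, whereas enumerating variants grows as 2 to the number of letters in the pattern.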
     
  10. dornkart

    dornkart Guest

    I am unhappy that elsa's funny post has been deleted from the AT thread. Yes, it did make DCS look extremely stupid.

    However, Wayne's new post re TDS-4 ("Process termination protection - at least one other anti-trojan company said 'it can't be done' (that's the anti-trojan company that you rely on for anti-trojan protection)") makes Kevin McAleavey look extremely stupid.

    Both postings are not entirely wrong or right. Both postings are not very polite.

    Thus, why are the admins protecting DCS from criticism but allowing them to criticise?

    I believe that DCS will actually lose sympathies if they cannot be criticised in an explicit way. DCS does code good programs. And from time to time the DCS guys do talk nonsense and aggressively advertise their products. It is important that DCS gets positive AND negative feedback. Otherwise, people may come to the conclusion that the main purpose of this forum is designed to lure people in a trap (= purchasing products from DCS, Eset etc.).
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    guest/"dornkart",
    To put things in perspective, the only criticisms we're receiving are from one person (Andreas Haak, who also develops anti-trojan software so I'm sure you can figure out why he's attacking our anti-trojan software), and about two other people here who're only posting anonymously as guests (who're probably all the same person) - people that this forum has never seen before, so it's _just a bit suspicious_ they come here now all of a sudden with such passionate views. (1 + 1 = ...)

    We encourage constructive criticism about our software - it's such criticism which has helped take our software to the top, and if you think there's any way at all that we can improve any of our programs then please email us! But there's a big difference between helpful/constructive criticism, and attacks from _competitors_ - I just hope users can see that.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Well, you'll have to live with it. The way I see it, the post had one intention only: causing havoc. And we will not allow that, period.

    You are putting things out of context here. There's a frequent and good contact between PSC and DCS. IMO your conclusion is coming close to trying to cause some more havoc over here, putting up two respected software developers against one another - with no avail for your information.

    We are not. We do make sure posts with the intention to cause unnecessary havoc will not be tolerated.

    To keep the record straight: interfering has been done by us - DCS played no role in this in any way.

    I'm sure quite a lot of people do agree.

    That's your personal opinion. Everyone may take this remark as they please.

    As long as the feedback is not intended to bash or ridicule software and/or software vendors: true. And this does happen - just have a look around over here.

    If that was the case, we wouldn't have an "other antitrojans" and "other antiviruses" forum. Have a look at the threads over there. You'll notice people are free to discuss all sortalike software. And this happens all the time.

    Furthermore, we are a non profit board, hosting support forums for various sorts of software - commercial and freeware alike. I'm pretty sure visitors can draw their own conclusion here.

    Finally: I invite you to register, instead of starting threads and posting comments on different user names, like cguest for example. It surely would attribute to your credibility.

    regards.

    paul
     
  13. dornkart

    dornkart Guest

    Paul:

    "Well, you'll have to live with it. The way I see it, the post had one intention only: causing havoc. And we will not allow that, period."

    Yes, I have. You are the admin. But I see it in a different way: Mischel Internet Security has developed a successful marketing strategy ("only scanner which removes Beast"). DCS countered ("disinfection works fine but infringes security guidelines"). Elsa has proven that the arguments of DCS were not entirely consistent. Now her posting has been removed and DCS looks like the clear winner.

    "There's a frequent and good contact between PSC and DCS. IMO your conclusion is coming close to trying to cause some more havoc over here, putting up two respected software developers against one another - with no avail for your information."

    This is certainly not my intent. How about editing my post? (I can't do it myself.) And perhaps Wayne finds a more polite wording, too?

    "To keep the record straight: interfering has been done by us - DCS played no role in this in any way."

    Absolutely true. And please note that I have absolutely nothing against Gavin, Jason and Wayne.

    "And from time to time the DCS guys do talk nonsense and aggressively advertise their products. --> That's your personal opinion. Everyone may take this remark as they please."

    Yes. I believe that from time to time everybody talks nonsense (including me - hopefully not this time). The only way to figure out who is right or wrong is to allow an open discussion.

    "Furthermore, we are a non profit board, hosting support forums for various sorts of software - commercial and freeware alike. I'm pretty sure visitors can draw their own conclusion here."

    I certainly do not question your integrity, Paul. But you know and I know that some people believe that this forum is oriented too much towards the software producers. That's what I am concerned about. Perhaps you may want to reconsider my arguments and try to see them through the eyes of a third party.

    "Finally: I invite you to register, instead of starting threads and posting comments on different user names, like cguest for example. It surely would attribute to your credibility."

    Please don't do this, Paul. It is one of the outstanding features of this forum that you are allowed to post as a guest. If you start tracking IPs and endanger the anonymity of your users you will destroy something very important of this community. Note that there are sometimes legit and important reasons for posting anonymously. Moreover, please let me know if you do not want me to post in this forum. In such case you will never see me again.

    In addition, I am sure that cguest would be happy if you let us know your opinion regarding disclosure policies.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    I'm the last one to say you aren't entitled to your own opinion - you are, and did express/still express your views. That's OK with me.

    That said: we (that's you and me) look upon this from quite a different perspective: this is not about winners and losers - or marketing for that matter. Software developers have participated in the (now closed) thread, and made their statement/point. Magnus Mischel would have participated as well if he felt the need to do so on behalf of TrojanHunter. All had the opportunity to speak freely - and those who participated surely did. Now, that is the point: free communication for those who are involved. And in this context, the thread in question surely lived up to expectations.

    I for one do wish all antitrojan software developers all the best and good business.

    It's good to know causing havoc is not your intention. That said: in the context from my first comment (see right above) there's no need to edit anything.

    Thanks for the confidence. In case "some people" tend to believe this board is oriented too much towards the software producers: that's partly true. The DCS forums are support forums for DCS products - and that's exactly why they exist. Same goes for the Eset/NOD32 forums, LnS forums, Javacool Software forums for example. Dedicated Moderators from those forums are free and entitled to praise their software over on those forums as they please. On the other hand (and I've stated this many times): we do have other forums, where all software can be discussed - and very frequently is discussed, without interference or biases in regard to software having dedicated support forums over here. This would not be the case if your "fear" were valid - it isn't.

    Since I am a third party - responsible in the end for the board as a whole, I have no difficulty in looking upon this board from that angle. I would agree with your concern in case we didn't have "other..." forums. But then again: we have. This forum is a perfect example.

    It's a good thing to make this distinction indeed. In the overall picture, it actually doesn't matter whether or not one likes or dislikes specific software developers - it's the whole picture that counts. And this includes PSC, Mischel, DCS etc.
    Let's get the record straight here. For good reasons we have decided guests are allowed to post over on this board; no obligation to register first. We are aware this comes with risks: one of them one and the same person posting under various guest names. It's a calculated risk - but we disapprove doing so. Posting anonymously is OK in this context. One and the same person posting as a guest using different "guest names" is quite a different story. I presumably don't have to spell it out, but nevertheless: doing so is putting members/visitors and lurkers on the wrong foot: they are convinced different people are posting - and the opposite is true. We do have an obligation for the sake of those mentioned to point this out. In this context, you should feel an obligation to use one unregistered "guest name" whenever you post - not for our sake, but for the sake of all those who are coming over here. I'll take it, you don't want to cause confusion.

    Thus: this is not about posting as a guest/anonymously. It's about the way to do so.

    I've made my point. Either register or post using one and the same guest name. That said: cguest seems to re-open one and the same thread in a new thread...

    regards.

    paul
     
  15. dornkart

    dornkart Guest

    Paul,

    I think we have exchanged most of our arguments regarding the closed thread. Therefore, let's leave it at that.

    However, I do want to comment on the following sentence:

    "Posting anonymously is OK in this context. one and the same person posting as a guest using different "guest names" is quite a different story."

    I believe that such a rule should be expressly mentioned in the TOS which does not mean that I would have a problem with it. I could imagine, however, that it sometimes makes sense to use different or featureless names because this may help to focus on the content of a posting (by taking out all personal elements). I agree that you can also cause havoc by using several different names. But let's face the truth. There is no absolute control: people can use proxies, register several different nick names, spam the board, post crack links, etc.

    Moreover, you should always remember that the use of the same IP address does not always mean that the same person is posting. Please perform a /whois on my static IP and you will understand. But please do not post this IP. In summary, there is no reliable way to determine whether two guest names belong to the same person. If you deem it necessary to provide for additional "security" you may do the same thing like dslreports and automatically reveal the IP of each guest name (which would be a good way to get rid of me and others).

    Finally, I want to point out that I am familiar with but not identical to cguest.
    ___
    And on behalf of cguest I would like to point out that the persons concerned do know (or should know) whom they are talking to because it has been intentionally referred to private email correspondence ("rotating signatures"). Alas, no need to panic. Btw.: Your opinion on reliable disclosure policies is still appreciated. Not because this will cause havoc but because you are a reviewer with a good reputation (i.e., your opinion would be of importance).
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    I agree; we've exchanged all there is to say indeed.

    We could do so indeed. For the time being, we stick to the actual policy: we don't recommend doing so. A matter of trust.

    Indeed there is no absolute control. All we can do is making choices in how to run this board, and take care of those posts we don't accept over here. That includes spam, post cracks etc. This is being done if necessary.

    We are aware of that ;)

    No intention in any way to implement this.

    Thanks for informing us.

    Thanks for the compliment.

    regards.

    paul


     
  17. New Raider

    New Raider Registered Member

    Joined:
    Dec 1, 2003
    Posts:
    33
    In that case, I would just IM the Admin with the news, and post with a possible breach in security.
    This way, mods won't have to go through the trouble of locking or temporarily deleting the post, and the poster feels better that it was not locked or deleted.
     