Problem Scanning Drive Images (??)

Discussion in 'Trojan Defence Suite' started by mfreemanhcp7, Jan 29, 2004.

Thread Status:
Not open for further replies.
  1. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I am running XP Pro SP1 and have also found TDS 'NOT RESPONDING' on occasions. Recently I have added Drive images to a partitioned drive. Should TDS be able to scan a drive image? If not, how do I go about excluding a drive (ie H:/) from the Full System Scan?

    BTW the images have been created using Norton Ghost.

    Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Freeman,
    You can set the full system scan in the Scan files in TDS > Edit > Scans > Full system scan txt
    Have all logical drives included to have all partitions scanned (in your network), or specify the ones you want there.
    Can you try that and see if all is scanned now, including the images, before we try to get into that puzzle?

    Looking forward to your results!
     
  3. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I will do that, might be some time before the results are posted though, you know how long it can take to run a full scan!! :p
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can also from the scan console choose that particular drive or partition, must be much quicker :)
    If it is scanned by choosing it individually it will be scanned from the full system scan too!
     
  5. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Hi Jooske,

    I went to Scan Control and selected my drives for scanning with all scan options selected.

    I don't think this is running an in-depth scan as with the Full Scan option - the scan was completed in less than six minutes! You'll also notice that the drive on which my 'Ghost images' are stored (G:\) was scanned in 0secs. These are the results of the scan:

    12:55:13 [File Scan] Scanning in C:\ ...
    13:00:36 [File Scan] Scanned 13756 files: 1 alarms in 323.7031 seconds (Avg 43.5 files/sec)
    13:00:36 [File Scan] Scanning in D:\ ...
    13:01:08 [File Scan] Scanned 745 files: 2 alarms in 31.42188 seconds (Avg 24.71 files/sec)
    13:01:08 [File Scan] Scanning in G:\ ...
    13:01:08 [File Scan] Scanned 4 files: 2 alarms in 0 seconds (Avg 1.#INF files/sec)
    13:01:08 [Scan] Finished
     
  6. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I guess it is right? I just ran a full system scan by selecting System Testing | Full System Scan and these are the results:

    13:18:09 [CRC32] Started - verifying 31 files ...
    13:18:15 [CRC32] Test finished.
    13:19:49 [Memory Scan] Memory scan started, please wait a moment ...
    13:19:50 [Memory Scan] Memory scan complete.
    13:19:50 [Mutex Memory Scan] Started...
    13:19:52 [Mutex Memory Scan] Finished (no trojan mutexes found).
    13:19:52 [Trace Scan] Started...
    13:19:55 [Trace Scan] Finished.
    13:19:55 [Service\Driver Scan] Scanning for services and drivers ...
    13:19:57 [Service\Driver Scan] Scanned 281 services and drivers.
    13:19:57 [File Scan] Scanning in A:\ ...
    13:19:58 [File Scan] Scanned 0 files: 0 alarms in 1.0625 seconds (Avg 1. files/sec)
    13:19:58 [File Scan] Scanning in C:\ ...
    13:25:09 [File Scan] Scanned 13759 files: 1 alarms in 311.3125 seconds (Avg 45.2 files/sec)
    13:25:09 [File Scan] Scanning in D:\ ...
    13:25:37 [File Scan] Scanned 745 files: 2 alarms in 27.53125 seconds (Avg 28.06 files/sec)
    13:25:37 [File Scan] Scanning in E:\ ...
    13:25:37 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
    13:25:37 [File Scan] Scanning in F:\ ...
    13:25:37 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
    13:25:37 [File Scan] Scanning in G:\ ...
    13:25:37 [File Scan] Scanned 4 files: 2 alarms in 0.015625 seconds (Avg 257. files/sec)
    13:25:37 [File Scan] Scanning in H:\ ...
    13:25:37 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
    13:25:37 [Scan] Finished.

    That's all physical, removable and virtual drives in seven minutes - can that be right?? It has taken up to an hour before?
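
Added example, not part of the original thread and not TDS code: a small parser for the `[File Scan]` lines posted above that reports per-drive coverage, so drives where little or nothing was inspected (for example one holding only a few large image files) stand out. It reads `1.#INF` and `-1.#IND` as the way older Microsoft runtimes print infinity and an indeterminate NaN; the `min_files` threshold and the note wording are assumptions.

```python
import math
import re

# Lines copied from the two scans posted in the thread (subset).
SAMPLE_LOG = r"""
13:01:08 [File Scan] Scanning in G:\ ...
13:01:08 [File Scan] Scanned 4 files: 2 alarms in 0 seconds (Avg 1.#INF files/sec)
13:19:58 [File Scan] Scanning in C:\ ...
13:25:09 [File Scan] Scanned 13759 files: 1 alarms in 311.3125 seconds (Avg 45.2 files/sec)
13:25:37 [File Scan] Scanning in E:\ ...
13:25:37 [File Scan] Scanned 0 files: 2 alarms in 0 seconds (Avg -1.#IND files/sec)
"""

START = re.compile(r"\[File Scan\] Scanning in (\S+) \.\.\.")
DONE = re.compile(r"\[File Scan\] Scanned (\d+) files: (\d+) alarms "
                  r"in ([\d.]+) seconds \(Avg (\S+) files/sec\)")

def parse_avg(token):
    """Decode the Avg field, including the runtime's inf and NaN renderings."""
    if token.endswith("#INF"):
        return math.inf          # n / 0 with n > 0
    if token.endswith("#IND"):
        return math.nan          # 0 / 0, "indeterminate"
    return float(token)          # "257." and "45.2" both parse

def parse_scan_log(text, min_files=10):
    """Return one dict per drive; min_files is an assumed review threshold."""
    rows, drive = [], None
    for line in text.splitlines():
        if (m := START.search(line)):
            drive = m.group(1)
        elif (m := DONE.search(line)) and drive:
            files, alarms = int(m.group(1)), int(m.group(2))
            notes = []
            if files == 0:
                notes.append("no files scanned")
            elif files < min_files:
                notes.append("few files: check for opaque containers")
            if alarms > files:
                notes.append("alarm count exceeds files scanned")
            rows.append({"drive": drive, "files": files, "alarms": alarms,
                         "seconds": float(m.group(3)),
                         "rate": parse_avg(m.group(4)), "notes": notes})
            drive = None
    return rows

if __name__ == "__main__":
    for row in parse_scan_log(SAMPLE_LOG):
        print(row["drive"], row["files"], row["rate"], row["notes"])
```
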
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This does most certainly not look right. You might like to keep your keyfile aside and other personal added data like scripts etc, maybe the last radius, uninstall the exec protection, uninstall TDS, reboot, and still with all AV/AT closed reinstall TDS in the same place, put back keyfile and all the other data you kept and reinstall the exec protection maybe reboot again and do another scan.
    I don't know if there are other options but this is what it looks like.
    There are more people who have drive images in other places or put back drive images and I never heard before they would not be scanned, the contrary, never heard of any problems. So what corrupted your scans I don't know.
    Before you do this un- and re-install, look carefully at your full system scan txt file and if in the scan console really everything is checked.

    If after this re-install you would get the same results, I would most certainly go for an online av scan too.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No need to uninstall !!

    A drive image is usually 1 file, TDS doesn't know the image format which could include compression - so it can't see INSIDE the image. It looks at the file and skips it. This should hold true for any antivirus scanner, unless the format of the image was ZIP.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sorry Gavin, I see the drive image thing, but as that is one file, how can it be that the normal original drives and memory are not scanned either anymore? Look at the lists, few seconds where they took more time before?
    I mean: I suppose the c:\ is an original normal drive / partition with all the amount of files mentioned in the statistics, and not one file? Thought from the story the drive image was in one of the other partitions only?
    That those are skipped as one file you explained.
    Or are the normal startup scans as before at starting TDS?

    Maybe the situation is not exactly clear to me:
    I understood you either put a whole drive image back on one drive or stored an image of the system as a drive image in one partition.
    The stored image file I guess is Gavin's story, the put back (unpacked) image on one drive was my first story.
    I keep to the idea one file somewhere on a system should not change the scanning behavior on the rest of a normal working system. There are so many people putting back images on their drives (unpacked, installed) and I never heard anybody complaining TDS would misbehave on those.
    This was the reason of my "reinstall" advice.
     
  10. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Thanks for the input.

    I can accept that TDS may not scan inside a 'ghost image', after all the image I have taken is of a drive that TDS has previously scanned and deemed clean. Hopefully nothing else can embed itself into a ghost image - so, no real problem.

    I am concerned however that a Full System Scan is now incredibly quick! I also have a problem with exe protection which I have added to a thread started by -Jsa-. Don't know if this is related but would appreciate one of you guys (sorry Jooske, slip of the fingers) taking a look here also if that's OK.

    It looks like an uninstall/reinstall may be necessary - would you recommend downloading the trial version again or can I use the version which I downloaded last month?

    BTW - NOD32 is scanning my whole system in 60secs - this also sounds odd - I know this isn't a NOD discussion but it might shed some light.

    Some details about my system if they help:

    AMD Athlon 2600+
    OS Windows XP Pro SP1
    512MB DDR RAM
    40Gb HDD partitioned into 10/20/10 drives
    Only about 6Gb used comprising mainly of OS and security/utility programs so perhaps scanning will be quick.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi User, Just as an un-scientific experiment :) I did a full system scan on my server partition of 6GB. The scan was configured with all options except hidden streams & scan for clients edit servers.
    The scan was completed in 16 minutes on a machine that is very roughly half the speed of yours both CPU & memory wise.
    So I reckon your scan time is probably OK :)

    BTW I had CS, PG, NOD32 running with Task Manager showing 37 processes running altogether.
     