Problem with TDS-3 right click scan caused by WormGuard

Discussion in 'Trojan Defence Suite' started by Devinco, Aug 13, 2004.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Everyone,

    If you right click a file and select Scan with WormGuard, then you will no longer be able to right click a file and select Scan with TDS-3 (well you can, but it won't do anything) until you reboot.

    I have confirmed this on 2 different systems, same problem. Right click scanning of a file with anti-virus is unaffected. Only right click scanning with TDS-3 does nothing.
    So it must be some kind of interaction between the two programs causing this behavior.

    So don't right click scan with WormGuard and it won't deactivate your TDS-3 right click scan.

    Does anybody know why this happens?

    Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    First time I read this.
    Does it make any difference for you which kind of file you're scanning, folders, text, exe, html, vbs, zip whatever?
    Did the same files scan properly before your rightclick WormGuard scan?
    Is this on XP home or Pro?
     
  3. johndilliinger

    johndilliinger Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1
    Location:
    USA
    Maybe if you try reinstalling TDS-3 on a different directory than your other scanner...
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the TDS SS3 scripts is one to add rightclick scan to all file kinds in case you want that, give that a try?
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Jooske,

    I tested some more, rebooting after each test to make sure.
    For folders, I don't get the context menu for WG (I think this is normal because it scans just files).
    Tried it on text files, same problem.
    Tried it on exe files, same problem.
    Tried it on html files, same problem.
    Tried it on vbs files, same problem.
    Tried it on zip files, same problem.

    If I reboot the problem goes away until I right click scan with WG again.
    If I remove WG protection (without reboot) then TDS-3 right click scan works.
    But once I reenable WG protection (without reboot) then TDS-3 right click scan fails.
    I can prove that it fails because a FileScan log in the TDS-3 status window is not created.

    The answer to your second question:
    Yes, TDS-3 scanned the files properly before right click WG scan.
    Once you do a rightclick scan with WG then the TDS-3 right click scan no longer works.

    I am using Windows XP Pro.

    SS3 Scripts sound tempting, but I really want to keep it simple now. This should work without extra scripts.

    Hi John Dilliinger,
    TDS-3 is in a different directory than WormGuard. (It is also a different directory than AV)

    The behavior of this problem seems to indicate an interaction issue between WormGuard and TDS-3.
    Any ideas how to resolve this?
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Devinco...

    Those are interesting results, so I tried mine.

    I tried several times, scanning first a single file with WG, then scanning the folder it was in with TDS and in each time I got the alert from WG [it's a test file I use] and in each case I then selected via Right Click Context Menu Scan with TDS3 and it did so.

    Worked each time. Either got alert or got 0 alert but that it had scanned so many files, etc.

    I also scanned different files inside different folders with WG and any with double extensions, got an alert or no reaction, then immediately scanned the same with TDS3, and got either alert on the double extensions or just 0 found.

    I cannot duplicate the same results you had. Mine is working as I should think it would.

    See my pic.... the file I highlighted in yellow I scanned with WG [test file] and then scanned the folder with TDS [both WG and TDS using the Right Click Context Menu options] and still got alert from TDS.

    So, upon reflection, it appears it's an anomaly with your system?

    TAS
     

  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    PS: I've thought about it and I do remember adding a script to TDS for Right Click Scan a good while back to enable single file scanning via right click.

    So, maybe that's keeping it 'active' ;)

    TAS
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you ever installed the SS3 Scripts pack in TDS, in UserSubmitted\Allan\RightClickAll.SS3 would be the file to be loaded only once from TDS to add the proper registry values for the action and hope all is well since for you.
    Would be interesting if you could give it a try please?
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A second interesting test would be:
    In TDS > System Testing > Scan Control > Disc\File scan
    Search one file and in the bottom of that selection console press the button with that file name on it, X-it, only that file should show up in the scan window and scan.
    If you press the Add button in top of that selection console the whole folder/directory is added.
    I suppose you get it but it could be interesting to know if that could be affected too in the current situation.
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi TAS,

    Thanks for trying it out on your system.
    This is happening the same way on two different systems.
    This is getting weird.
    I tried it on a third computer and it works.
    On the computer that it works on, I rightclick scan with WG a TEST.TXT file (3KB with some text). A tiny pop up window appears:

    DiamondCS WormGuard
    ANALYSING FILE
    One moment please...

    Directly after scanning, I rightclick scan with TDS-3 and it works.

    I copy the same 3KB TEST.TXT file to the other two computers with the problem (thinking it must be something to do with the file) and try it.
    On these two computers, the Rightclick scan produces NO POPUP WINDOW for WG. There is in fact no indication that the file was scanned at all by WG. After that a right click scan with TDS-3 fails unless I deactivate WG or reboot.

    What is weird is that the computer that it works correctly on is less stable than the other 2 computers. Nothing major, just little annoying Windows issues with control panel and such. These are all XP Pro SP1 all updates current.

    So this anomaly occurs identically on 2 out of 3 machines.
    I bet it is connected to the lack of WG pop up window and thus probably more WG related, but I don't know how to proceed.

    Also, on the two problematic machines I am able to right click scan with TDS-3 if I don't use the WG rightclick scan.
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Jooske,

    I downloaded and put all the scripts in the scripts folder, but I don't think I messed with them. Well maybe I did, but it was a long time ago and I don't remember.

    I ran the script from TDS-3 as you suggested and TDS-3 modified the registry. Now there is an additional context menu option: Scan with TDS-3 (with no tiny icon to the left) located directly above the Scan with WormGuard option.
    So now there are 2 context menu Scan with TDS-3. The original one with the tiny icon which is affected by the WG rightclick scan. And the new one with no tiny icon which is not affected by the WG right click scan.
    The script lets me work around the WG problem, but the WG issue is still there.

    Based on my latest results on the third working computer, it appears that WG is not actually scanning the file when doing a right click scan(no pop up) on the 2 problematic computers.

    How should I proceed?
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Jooske,
    When the default TDS-3 rightclick scan option(with tiny icon) is not working (after right click scanning with WG), I tried what you suggested. TDS-3 was able to complete the scan (via scan control). The status window would show: [Scan] Finished. As opposed to when right click scanning the status window would show [File Scan] Scanning file C:\TEST.TXT

    I hope this helps to isolate the problem. Any other ideas?
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Devinco:

    Let me get this straight in my head so we are on the same page here. :)

    First, you Right click this test file, Scan with WG, and WG pops up this on one machine:

    But it does NOT do that on 2 others.... that is interesting, because I've NEVER seen that in the first place.

    Whenever I scan something with WG and there is nothing wrong, I get NO alerts, nothing at all.

    Now, to the TEST.txt you scan on.... why should it alert for you, what have you put in it to "Test" WG's ability?

    Just having a file with something in it, no matter what the wording, and it's only a genuine .txt file, WG will give no reaction at all. [Unless you do have some sort of script in it].

    To give it a true test, do what you have, but add double extensions to it ending in say .bat .com .pif whatever... then double click it.... WG should jump up all over it.

    or.... try it on a file that's in your Blocked Editor's Lists.. like WSH VBS, if you have those added.

    I am going to post 2 pics, first showing the general warning you will get if you try to run a script that is blocked.... I put VBS in blocked editor's list. So tested with a dummy .vbs file... [Ignore the wording, I put that in myself for the Warning Box :) ]

    The next post will be the warning you get if you have double extensions/or plus extra spaces.

    What you are describing that you don't get any pop-up from WG is normal if everything is OK. As I said, I've never seen that "one moment please....."

    TAS
     

    Attached Files: 023.GIF (10.9 KB)
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    This is warning on test file I have with double extensions and extra spaces

    TAS
     

    Attached Files: 022a.gif (16.7 KB)
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Devinco, I hope this is one concern you have with WG scan, that can be alleviated for you. :)

    Now, as to the TDS Right click/Scan with TDS problem, you say it's working now, if you select the one Scan with TDS that appeared after running the script?....

    I know it's not quite the answer you are looking for, but as long as that one works, I would be just happy with that until TDS/WG4. :doubt:

    Just make sure it still works after doing a test with WG then trying with the TDS scan from right click.

    Cheers, TAS
     
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi TAS,

    Thanks for helping with this.
    You know, I had TDS-3 and WG for a long time, but I never rightclick scanned with WormGuard, just TDS-3 and AV, so this issue never came up. It is only after increasing my security knowledge (courtesy of all of you at Wilder's :)) that I now scan downloaded files "Nine Ways to Sunday" (US slang).

    Yes, running the script that Jooske suggested adds another Scan with TDS-3 to the context menu. This additional context menu option is different because it does not have a tiny icon next to it in the menu.
    I can bypass the TDS-3 filescan failure using this new Scan with TDS-3 option.
    Do you have the original Scan with TDS-3 (with the tiny icon) in your context menu?
    If you do, could you please try the sequence: WG rightclick scan then TDS-3 right click scan(with the tiny icon)? Does TDS-3 update the status line? Try it on a regular text file.

    How do I remove the Scan with TDS-3 (with the tiny icon) from the context menu?

    To answer the previous questions and update the status:

    There is nothing special about the TEST.TXT, just a 3 KB file with some text.

    Yesterday, the 3rd machine would make a pop up while WG right click scanning the text file:
    DiamondCS WormGuard
    ANALYSING FILE
    One moment please...
    This would disappear after 1 or 2 seconds. I would be able to right click Scan with TDS-3 (with tiny icon) and it would work correctly.

    Today, the 3rd machine has the same problem as the other two.
    Except the only difference is on this 3rd machine, when you enable WG protection, an error window appears about Run Once Wrapper (runonce.exe). I click OK and test. Protection is enabled. On this 3rd machine, it makes the error every time I enable protection. Other than this error, this 3rd machine now behaves the same as the other 2.

    On all 3 machines now if I right click Scan with WG then right click Scan with TDS-3(with tiny icon), TDS-3 will not scan the file.
    I changed TEST.TXT to TEST.TXT.VBS and tried it. WG did pop up with an alert about double extensions. But the TDS-3 right click scan(with tiny icon) still didn't work. This occurs now on all 3 machines.
    So it appears that WormGuard is functioning, but it is somehow interacting with the original Scan with TDS-3 (with tiny icon) context menu option to prevent it from working.
    What is the difference between the two context menu options?
    The original has a tiny icon next to it and the new script created one doesn't.
    Is there something else that is different between them (maybe in their respective registry entries) that is causing this behavior on 3 different machines?
    I wouldn't know what to look for in the registry, so I can't say.

    So I can bypass the problem for now with the script.
    I can (and would be willing to) further isolate the problem with your help, or Jooske, or DCS...

    Thanks again
     
  17. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Devinco....

    Well, just scanning a normal text file gets NO results from WG OR TDS, lol....

    I only get results from TDS if I scan the entire folder that the normal text file is in.

    However, if I scan my 'test' files, it alerts on the double extensions, etc.

    I am at a loss unfortunately, and also I just had my very first trouble with that .inf file you posted about in another thread, lol....which I fixed by downloading the .inf file from DCS, then changing the attributes to 'Read Only' ;)

    Oh. Deleting the extra Scan with... from the context menu.....

    man... I googled till death and there is a myriad of sites, but unfortunately, it's to do with adding/deleting from the "New" context option, nothing on how to delete something that was put in by a program itself not under the 'New' section. [Not that I could find]

    I also searched thru TweakUI's options, no luck, only the 'New' section available.

    Also searched thru XTeq's massive options and found nothing pertaining to an actual single entry like TDS has, once again only in the 'New' add/delete section.

    Suggestion, ask Jason/Gavin/Wayne, maybe they can help with the Registry entry.
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    TAS,

    You get no TDS-3 status message at all about scanning the text file?
    What happens if you remove WG protection and then right click Scan with TDS-3 (with tiny icon)?
    Do you get a TDS-3 status message similar to this?:
    [File Scan] Scanning file C:\TEST.TXT

    If you do, then you may have the same problem.

    I would contact DCS, but I don't want to take any of their time away from TDS-4 programming, it's too important. Now that Jooske provided a workaround (Thank you Jooske!), I can at least make it work.

    Thank you for searching so much TAS. I appreciate it.

    Cheers! :D
     
    Last edited: Aug 16, 2004
  19. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Devinco...

    Sorry mate, I worded my last post badly.... I really meant that I got no results as in an "alert" from WG or TDS when scanning a normal text file... and only got something because I scanned the full folder with TDS which also happened to have those "test" files I use.

    But, YES, I did get a line in TDS saying it did scan a single "normal" .txt file all right, just no alerts as in a warning in TDS.

    YES, it was done after a scan with WG, with and without protection installed in WG, made no difference to TDS. I tried a normal text file 3 times [3 different text files also, see pic]

    Sooooo..... that's about it from me on the problems mate, I am at a loss now.

    Cheers, TAS
     
