Scanning Archives

Hi,

I'm Evaluating TDS-3 and have a few queries about some of the results I've recieved from scans.

Running an XP pro SP1 system, with all the TDS configuration options checked (inc. "ZIP/RAR Archives") and saved. Generic sensitivity is set to highest.
Archives made with standard windows zip utility, and no other compression applications installed either.


1. I made an folder and placed serveral dual extensions inside (.txt.vbs .txt.shs .txt.shb .txt.exe .jpg.bat etc.). When scanned, TDS found them all. However when I zipped them, TDS only found ."any-File-Extension-Here".exe files, but none of the other types like .txt.bat or .jpg.vbs.

Does this mean TDS descriminates about what it wants to scan for in archives? If so, what?
Or did it just fail in detecting them?

2. I found a link to a trojan simulator in one of the posts in these forums (from computer cops, i think), and downloaded it.
TDS found this pseudo-trojan, both zipped and unzipped. However when I placed it in a zip file within another zip file, TDS could not find it.

Does this mean TDS can't detect malicious wares that have been archived within an archive?

After This I installed winRAR Trial v3.20, where neither dual extensions or the trojan simulator were detected when archived once with WinRAR.

Of course I don't really care about the detection of dual extensions, but am just curious that if these can be concealed within archives, how would TDS fare with real trojan horses or malicious programs which are probably far more complex to identify.

Thanks in advance!

 

Hi Fluce, welcome!
Did you have every scan option checked, including advanced deep search and all the generic options too?

 

Hi Jooske, and thanks for such a quick reply.

Yes, as I mentioned above

"with all the TDS configuration options checked (inc. "ZIP/RAR Archives") and saved. Generic sensitivity is set to highest." which were located in "TDS scan control".

Were these results just unique to my system alone, or is this common behaviour of TDS?

In case the problem was my particular installation of TDS, I thought I might try re-installing TDS-3 again, but the results are the same.

If this does'nt happen on anyone elses system and just mine, then I'll try installing TDS from a fresh ghost backup, where only Norton Ghost 2003 has been installed (I use this backup for troubleshooting).

Please note that I had all other security programs turned off or disabled whilst installing TDS and when i did the scanning.
These were Norton Internet Security 2003, SpywareGuard, SpywareBlaster, Spybot, AD-Aware, MRU-Blaster, PE Trial version, and ID-Blaster. Everything else which need'nt be running, had also been turned off or disabled.

Any help would be much appreciated!
Thanks Again!

 

Yes. TDS-3 does not support recrusive archive scanning. But this is not a big deal as no malicious software in a zip file could do any harm. So therefore archive scanning is just a nice to have feature but no real 'security' need.

wizard

 

"no malicious software in a zip file could do any harm" - Wizard

But couldn't another seeming harmless program, bundled along with whatever you may have downloaded, be it a batch file or whatever, unzip and execute the concealed archived trojan, when clicked upon - After all why would ANY scanner alert to such "innocuous" code as routine extraction and execution of files!

I'm no programmer, but would this assumption be correct or not?

Thanks!

 

That's why you also have Exec Protection, so malware is prevented to be loaded in memory.
How many times has a nasty to be detected
Dolf

 

Dolf thanks, As always, if a file cannot run then, to all intents and purposes, it is harmless

 

Of Course!
I completely forgot about exec protection, because this feature is absent in the evaluation version I'm Running.

But I can still think of a need where malware detection is paramount over it's prevention from execution.
For example, archived malware burnt to CD-R and executed on a previous backup(image) by autorun, before you can install TDS. But most critically where you will transferring files to another systems, which may not have a any form of Execution protection installed, like file-sharing, emailing or simply lending friends a CD you thought was clean because you "Deep-Scanned" scanned it first.

Or is full system scanning made obsolete with execution protection, and that this is all that is required to be secure?

Now that would be cool! - Fluce

 

I perform only a file scan when downloading it from the net or before I open an attachment. I scan it with my AV, TDS and WG, never perform a system scan.
Dolf