Suggestion for TDS-4

Discussion in 'Trojan Defence Suite' started by Snook, Aug 25, 2003.

Thread Status:
Not open for further replies.
  1. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    An added feature I would like to see in TDS-4 is the ability to resize the main window and an option to select font size. Is this possible?

    Suggestions/comments?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Snook, nice to see you posting.
    It is mentioned as one of the items in the wishlist, so let's hope and see!
    I'm almost sure we can do something about the font size and colors with scripts, as there are some descriptions in the examples, and if you've seen Dollefie's script recently in the Private area, you'll see in the screenshots that he is using differently colored and sized text.
    I suppose we should be able to make our own font configuration and add this somehow to a reg file, like in port explorer, but via a script might be much easier for the moment.
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    ...or place the console at startup somewhere else than in the center?
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I just drag it to another place.
    But indeed, the possibility at times to make it less high or to stretch it (although it will never need to be wider),
    and I would really like an option to have child consoles stay on top, or to let them move under other windows.
     
  5. Snook

    Snook Registered Member

    Joined:
    Jun 19, 2003
    Posts:
    182
    Thanks all for the input. I was looking for a TDS-4 wish list but could not find it. I hope the resize window feature is in fact included in TDS-4 upon its release. :)

    How do I get to the "Private Area?" I made it once, but forget which link it is.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    See the link in my signature; you need to register for that forum and ask as a licensed operator access to the private areas inside the forum if you didn't register there yet. I remember to have seen you posting there yes :)
     
  7. nataliegrn

    nataliegrn Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    1
    Feature Requests for TDS-4

    Hi!

    I have been an extremely happy TDS3.2 user since I purchased it some 1.5 yrs ago. Now, having experienced it, I have given this wonderful software a lot of thought, and have some Feature Requests for this and/or the next version:

    - Additional Memory Scanning Locations: I believe that system RAM is the only memory area that's scanned by TDS. Technically, trojans can be hidden and loaded into *any* type of memory. Therefore, here's a few types of RAM that I would like to see specifically protected by TDS and WormGuard: Hard Drive buffer; Video RAM; CD buffer; Audio RAM. Note that the Video RAM is of particular interest, given that it is now in the 64-128MB+ range. However, trojans don't need much space to hide, so I believe that all areas should be considered. :)

    - Password Protect: I would very much like to be able to protect one of my favorite apps - TDS - with an encrypted password so as to guard it from being maliciously disabled. Same goes for WormGuard. There are already several trojans out there that try to stop TDS, and that really annoys me! :( This is very important to me. :)

    - Exclusion List: Currently, if I try to run a legitimate app like L0phtCrack with ExecProtect installed, it's stopped by TDS. I need to add this and other software and paths to the real-time and manual exclude lists. This, too, is very important to me.

    - Run as a Service: I think that TDS could benefit from running as a service. While this request is not as important to me as several of the others mentioned here, there are several reasons I can think of that would bolster the argument:
    a) It will load the app *before* any NTx user logs in. To me, this is important, given that a trojan or worm might want to use this time to load before TDS (yuck!);
    b) It can be managed in a networked environment.
    c) It can be loaded with System *or* a particular account credentials.

    - Installation Scripts: Can the configuration of TDS on one host be copied into a file, then used as an installation script for other installs, or at least as a backup to the current setup? I would like to have more of our clients install this software, but I would prefer an installation script to assist with this process, if possible. This Feature Request is a lower priority than many of the others here.

    - Use NTx Event Logs: Can you post entries into NT's Event Logs? Even if it's only Critical Events in addition to the proprietary logs generated by TDS, it would really help when auditing systems for problems, or even when using SNMP.

    - Update Authentication: When downloading TDS Updates, I have no way of knowing that the new signature is really from you! I would really prefer that these updates be automatically checked against a public/private key system before they're loaded into my system, so as to make sure that they are valid, genuine, and not corrupted.

    - Authenticity Database: I would like to see TDS capable of generating and using MD5 signatures on "key" files. There would be several included in a list by default, much as the CRC list is now, and it would be customizable; instructions and guidelines on how to configure it would also be appreciated. :) This list would include system and TDS files - particularly important are those that are, or have been, loaded into RAM. Perhaps one could periodically run a TDS job to scan certain folders for apps, give the files a signature, then put the results into an encrypted database. I dunno how it would work exactly, but this concept should at least get the idea going! :)

    - CRC / MD5 Usage to Reduce Initial Scan Requirement: Can something like the MD5 method (described above) be used to reduce the time required by TDS to scan the system after logging in? Perhaps TDS runs very differently than what I am thinking, but if I'm correct, then it might reduce the boot time by referring to its own encrypted database of files that it had previously verified. On my laptop, it takes upwards of 5 minutes for TDS3 to complete the full scan; granted, I have several security and connectivity apps loaded, but still....

    - RootKit Protection / Tools: I haven't seen much in the way of TDS3 being capable of protecting systems against RootKits. For those of you asking "huh?", a rootkit is software that runs *under* the OS, and thus invisible. I would personally like to see some more information on this and how TDS3/4 can/will protect the system.

    - Command Line Interface: I would like to see the ability to use certain - or preferably all - features via the command line. That way, I can easily administer assorted hosts on my network - no matter where they are.


    THANKS SO MUCH!! :)

    Regards,
    Natalie
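An added worked example for two of the requests above, update authentication and the hash-based authenticity database. It is not code from this thread and not DiamondCS's own implementation; it uses only the Go standard library, Ed25519 for the signature and SHA-256 instead of the MD5 the post mentions (MD5 collisions are practical today). The file name "scanner.exe", the scratch directory and the function names (BuildManifest, Sign, LoadVerified, Check) are assumptions made for the example; the sample files are constructed in a temp directory so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Manifest is the "authenticity database": one digest per protected file, keyed by
// slash-separated relative path (SHA-256 here, not the MD5 the post suggests).
type Manifest struct{ Files map[string]string }

// SignedManifest is what a vendor ships: the serialised manifest plus an Ed25519 signature over those exact bytes.
type SignedManifest struct{ Manifest, Signature []byte }

// BuildManifest hashes every regular file below root.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{Files: map[string]string{}}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		rel, _ := filepath.Rel(root, p) // p is always below root here
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m.Files[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Sign serialises the manifest (encoding/json writes map keys in sorted order, so
// the bytes are deterministic) and signs them with the vendor's private key.
func Sign(m Manifest, priv ed25519.PrivateKey) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// LoadVerified is the check-before-load step: the manifest is not even parsed
// unless its signature verifies under the vendor's public key.
func LoadVerified(sm SignedManifest, pub ed25519.PublicKey) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, fmt.Errorf("manifest signature invalid: refusing to load")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// Check re-hashes root against a verified manifest and returns path -> status for
// every file that is "modified", "missing", or "unknown" (absent from the baseline).
func Check(root string, m Manifest) (map[string]string, error) {
	current, err := BuildManifest(root)
	if err != nil {
		return nil, err
	}
	status := map[string]string{}
	for p, want := range m.Files {
		if got, ok := current.Files[p]; !ok {
			status[p] = "missing"
		} else if got != want {
			status[p] = "modified"
		}
	}
	for p := range current.Files {
		if _, ok := m.Files[p]; !ok {
			status[p] = "unknown"
		}
	}
	return status, nil
}

func main() {
	root, _ := os.MkdirTemp("", "baseline") // constructed stand-in for the install folder
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "scanner.exe"), []byte("scanner v1"), 0o644)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair; only pub ships
	m, _ := BuildManifest(root)
	signed, _ := Sign(m, priv)
	signed.Manifest[0] ^= 1 // altered in transit: must be refused
	_, err := LoadVerified(signed, pub)
	fmt.Println("tampered manifest:", err)
}
```

Two design points worth noting: the signature covers the whole manifest rather than each file, so a downgrade that swaps in an older but genuinely signed file still shows up as "modified"; and the public key has to ship with the product (not be fetched alongside the update), otherwise whoever controls the download server controls the key too. Running Check against a verified manifest is also what the later request about skipping re-scans of unchanged files would rest on: only paths reported as modified or unknown need a full scan.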
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Natalie,
    Thanks for the feedback and suggestions. TDS4 is actually three programs (TDS4 Scanner, TDS4 Active Guard, and TDS4 Professional, the latter being the next version of the current TDS3), and although we can't go into details as to what is or isn't in TDS4, I think you're going to be very happy going from the suggestions you've listed.

    Best regards,
    Wayne
     
  9. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    Natalie,

    I have recently played with several Windows rootkits. I believe they are not completely stealthy yet.

    1. Rootkits based on DLL Injection (like Aphex Rootkit)

    You can easily detect them if you scan the modules of a process. I have already tried to add a respective signature to Trojan Hunter's signature database ... and it works. I am pretty sure that TDS-4 will also support a similar way of detecting DLL rootkits.

    In addition there are tools like System Safety Monitor which install API hooks and warn you if a rootkit or trojan DLL is injected via function CreateRemoteThread etc. into another process.

    2. NT Rootkits which install a service driver (like Hacker Defender)

    Once again you can use a tool like Tiny Personal Firewall (including a sandbox) or System Safety Monitor (probably, not tested yet) which will warn you if a service driver is to be installed and/or started.

    After the activation of the rootkit it is absolutely invisible to any AV/AT file scanners. However, you can use a freeware tool like Process Explorer. The "search option" of this tool will allow you to search for "non-ex" (i.e., any non-existing processes). They will be listed and you can kill them with a tool like pskill. Thereafter, the rootkit files will become visible again. In other words, process cloaking does not work perfectly yet. There is also a freeware rootkit detector from 3W Design which works pretty well.

    In addition, current Windows rootkits are not "real" kernel patches and therefore rely upon an autostart entry in the registry in order to get activated. This makes them quite vulnerable although most of them feature Registry Cloaking. I believe that the Registry Cloaking feature only controls functions like NtEnumerateKey or NtEnumerateValueKey in order to prevent ordinary registry viewers from detecting them. However, there are registry tools like RegdatXP (from H. Ulbrich) which allow you to backup registry files like ntuser.dat or system (this is where Hacker Defender's autostart entry can be found). After they have been backed up you can open and examine them. A rootkit's registry cloaking feature does not prevent this (i.e., you can easily detect, for example, Hacker Defender if you watch the key HKLM/System/ControlSet.../Services).

    In addition there is always the option to boot your computer with a Boot CD (like ERD Commander or Bart's PE Builder). Thereafter you can see any files and registry entries which are normally hidden by the rootkit.

    Hope this was helpful,

    Nautilus ( return.to/scheinsicherheit )
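An added example that generalises the detection approach in the post above; it is not code from the thread or from any of the tools it names. Every technique Nautilus lists has the same shape: obtain the same inventory twice, once through the API a rootkit can hook (registry enumeration, process enumeration) and once from a source its hooks do not cover (a backed-up hive file, a direct PID probe, an offline boot), then diff the two. The code assumes both views have already been collected into name-to-value maps; the Windows-specific collection itself (calling the registry API, parsing the hive file) is outside its scope, and all service names, paths and PIDs below are constructed sample data, not entries of any real rootkit.

```go
package main

import (
	"fmt"
	"sort"
)

// View is one inventory of the same objects from one vantage point: for services,
// name -> image path; for processes, PID (as text) -> image name.
type View map[string]string

// Finding is one discrepancy between the API view and the raw view.
type Finding struct {
	Kind string // "hidden", "phantom" or "mismatch"
	Key  string
	API  string // value reported by the live (possibly hooked) API
	Raw  string // value read from the raw source the hooks do not cover
}

// CrossView reports every object on which the two views disagree, sorted by key:
//   hidden   - in raw but not api: what a hook on the enumeration calls filtered out
//   phantom  - in api but not raw: a stale or fabricated entry, worth a look
//   mismatch - in both, but with different values (e.g. an image path swapped)
func CrossView(api, raw View) []Finding {
	var out []Finding
	for k, rv := range raw {
		av, ok := api[k]
		switch {
		case !ok:
			out = append(out, Finding{"hidden", k, "", rv})
		case av != rv:
			out = append(out, Finding{"mismatch", k, av, rv})
		}
	}
	for k, av := range api {
		if _, ok := raw[k]; !ok {
			out = append(out, Finding{"phantom", k, av, ""})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

func main() {
	// Constructed sample 1: the Services key as enumerated through the live registry
	// API versus the same key read from a backed-up SYSTEM hive, as the post describes.
	apiServices := View{
		"Dhcp":     `%SystemRoot%\system32\svchost.exe -k netsvcs`,
		"Dnscache": `%SystemRoot%\system32\svchost.exe -k NetworkService`,
	}
	rawServices := View{
		"Dhcp":         `%SystemRoot%\system32\svchost.exe -k netsvcs`,
		"Dnscache":     `%SystemRoot%\system32\svchost.exe -k NetworkService`,
		"SampleHidden": `\??\C:\WINNT\system32\samplehidden.sys`, // constructed driver entry
	}
	// Constructed sample 2: PIDs from a process-enumeration API versus PIDs that
	// answered when probed directly (the "non-existing process" search idea).
	apiProcs := View{"4": "System", "812": "svchost.exe"}
	rawProcs := View{"4": "System", "812": "svchost.exe", "1337": "samplehidden.exe"}

	findings := append(CrossView(apiServices, rawServices), CrossView(apiProcs, rawProcs)...)
	for _, f := range findings {
		fmt.Printf("%-8s %-14s api=%q raw=%q\n", f.Kind, f.Key, f.API, f.Raw)
	}
}
```

The raw view is only as good as its independence from the hooks: reading ntuser.dat or the SYSTEM hive through the same process that the rootkit has already injected into gains nothing, which is why the post's last suggestion (a boot CD) is the strongest form of the second view.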
     