TDS-3 CRC32-test Guidelines

Discussion in 'Trojan Defence Suite' started by FanJ, Sep 13, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    I have posted here in the past about the CRC32-feature of TDS-3.
    Although not the most important part of TDS-3, it is a very nice feature.


    Let me start more in general about the CRC32-feature of TDS-3.
    What can it do for you?
    It checks whether files are changed.
    Which files?
    There is a file called crcfiles.txt in your TDS-3 directory.
    In that file crcfiles.txt you see a list of other files with their full path.
    The CRC32-feature of TDS-3 will check, every time you run the CRC32 test, whether those files are changed.
    If such a file is changed, you will get an alert in your TDS-3 console.
    Such an alert looks like this:

    17:54:23 [CRC32] Started - verifying 120 files ...
    17:54:27 [CRC32] -ALERT- File has changed: C:\Program Files\Lavasoft\Ad-aware 6\sites.txt
    17:54:27 [CRC32] Test finished.

    Another warning could be like this:

    17:40:31 [CRC32] Started - verifying 117 files ...
    17:40:42 [CRC32] File doesn't exist: C:\Program Files\Lavasoft Ad-Aware\Ad-aware.exe
    17:40:45 [CRC32] Test finished.


So you will be alerted when a file which is listed in crcfiles.txt is changed or does not exist.
    And that can be very useful.
    But you have to decide for yourself whether such a change is legitimate or not.
    You could have made the change by yourself (for example you uninstalled a program), but it could also have been caused by some malware.
In case you think that you yourself did NOT make any changes (like for example the installation of a new program, uninstallation of an existing program, update or upgrade), then it certainly is time to do a full system scan with your (updated!!!) anti-virus and anti-Trojan programs, and your other scanners like for example Ad-aware or SpyBot S&D.

    I want to make one thing absolutely clear:
    The CRC32-test checks only for FILE changes and NOT for REGISTRY changes.

    By default there are some files listed in your crcfiles.txt.
    The HelpFile of TDS-3 can show you that default list:
    see the chapter "System Files and CRC32" in the HelpFile.
    But you can easily add more files yourself to it.
    Don’t forget that you must add files with their full path.

    How can you open crcfiles.txt?
In the main window of TDS-3:
    TDS > Edit Config Text Files > crcfiles.txt

  2. FanJ

    FanJ Guest

    And this screen:

  3. FanJ

    FanJ Guest

    Then crcfiles.txt will be opened in Notepad.
    Don’t forget to hit Save after you have made some changes in crcfiles.txt.

    In your file crcfiles.txt you might see some strange things listed.
    I am talking about these ones for example:

    %WINDIR% this means your Windows directory.
    %WINSYSDIR% this means your Windows\System directory in Windows 95-98-ME and system32 in NT-2000-XP.
    %TDSDIR% this means your TDS-3 directory.

    For example:
    %WINDIR%\win.ini
    means in Windows 98:
    C:\WINDOWS\win.ini



    You can let TDS-3 do the CRC32 test every time TDS-3 starts up.
In the main window of TDS-3:
    Configuration > Startup Tab > Startup Scanning column > put a checkmark in the box CRC32 System Files Test.
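The check described in the first post and the placeholder names explained in this one, as an added Python example (not TDS-3 or DiamondCS code; the crcfiles.txt entries, directories and file contents are constructed here): it expands %WINDIR%, %WINSYSDIR% and %TDSDIR%, stores a CRC32 baseline, and on the next run reports changed and missing files in the console format quoted above.

```python
import os, tempfile, time, zlib
from pathlib import Path

def expand_path(entry, env):
    """Substitute the placeholders; entries keep Windows backslashes, so map them to os.sep."""
    for key in ("%WINDIR%", "%WINSYSDIR%", "%TDSDIR%"):  # the three names the thread explains
        entry = entry.replace(key, env[key])
    return entry.replace("\\", os.sep)

def crc32_file(path):
    """Stream the file through zlib.crc32 (standard CRC-32). Note: CRC-32 catches accidental
    or careless changes but is not a cryptographic hash; a SHA-256 baseline is stronger."""
    value = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            value = zlib.crc32(block, value)
    return value & 0xFFFFFFFF

def build_baseline(listing, env):
    """First run: remember the CRC32 of every listed file that exists."""
    return {p: crc32_file(p) for p in map(lambda e: expand_path(e, env), listing) if os.path.isfile(p)}

def verify(listing, env, baseline):
    """Later run: one (status, path) per entry; status is ok, changed or missing."""
    def status(p):
        if not os.path.isfile(p):
            return "missing"
        return "ok" if crc32_file(p) == baseline.get(p) else "changed"
    return [(status(p), p) for p in map(lambda e: expand_path(e, env), listing)]

def format_report(results):
    """Render the outcome in the console format quoted in the thread."""
    now = lambda: time.strftime("%H:%M:%S")
    text = {"changed": "-ALERT- File has changed: ", "missing": "File doesn't exist: "}
    lines = [f"{now()} [CRC32] Started - verifying {len(results)} files ..."]
    lines += [f"{now()} [CRC32] {text[s]}{p}" for s, p in results if s in text]
    return lines + [f"{now()} [CRC32] Test finished."]

def demo():
    """Constructed scenario: after the baseline, HOSTS is edited and Radius.TD3 is deleted."""
    root = Path(tempfile.mkdtemp())
    env = {"%WINDIR%": str(root), "%WINSYSDIR%": str(root), "%TDSDIR%": str(root / "tds3")}
    (root / "tds3").mkdir()
    (root / "win.ini").write_bytes(b"[fonts]\n")
    (root / "HOSTS").write_bytes(b"127.0.0.1 localhost\n")
    (root / "tds3" / "Radius.TD3").write_bytes(b"old radius data")
    listing = ["%WINDIR%\\win.ini", "%WINDIR%\\HOSTS", "%TDSDIR%\\Radius.TD3"]
    baseline = build_baseline(listing, env)
    (root / "HOSTS").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 tracker.invalid\n")  # edited
    (root / "tds3" / "Radius.TD3").unlink()  # removed, e.g. by an uninstall
    return verify(listing, env, baseline)
```

Running `print("\n".join(format_report(demo())))` prints an alert for HOSTS and a "File doesn't exist" line for Radius.TD3, while the untouched win.ini is silently reported as verified.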

  4. FanJ

    FanJ Guest

    You can also do the CRC32 test yourself manually:
In the main window of TDS-3 > System Testing > System Files CRC32 Test.

  5. FanJ

    FanJ Guest

    You can also let TDS-3 do the CRC32 test during for example a Full System Scan.
    In that case the following line must be in your file Full System Scan.txt:
    System Files CRC32
    To see whether that line is indeed in your Full System Scan.txt:
In the main window of TDS-3:
    TDS > Edit Config Text Files > Scans > Full System Scan.txt.
    And then Full System Scan.txt will be opened in Notepad.

  6. FanJ

    FanJ Guest

    Remember:
    The CRC32 test of TDS-3 is NOT a real time test.
It is only performed when you run it yourself or when you let TDS-3 do some testing (at TDS-3 startup or for example during a Full System Scan by TDS-3).


I will now give you an example in which I add several files of Ad-aware to crcfiles.txt so they will be checked by the CRC32 check of TDS-3.
    Files must always be listed in crcfiles.txt with their full path.
    In case you have not added some Ad-aware files in the past, you might do it now.
    You have to decide for yourself which files from Ad-aware you want to add.
    Some suggestions:
    C:\Program Files\Lavasoft\Ad-aware 6\aawhelper.dll
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Lavasoft\Ad-aware 6\alert.wav
    C:\Program Files\Lavasoft\Ad-aware 6\default.det
    C:\Program Files\Lavasoft\Ad-aware 6\description.ini
    C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    C:\Program Files\Lavasoft\Ad-aware 6\sites.txt
    C:\Program Files\Lavasoft\Ad-aware 6\unregaaw.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Unwise.exe

    Decide for yourself which files you want to be monitored by the CRC32 test.
    Of course you might have installed Ad-aware in another directory.
    Then you must make the appropriate changes.
    Note: I have the pro version of Ad-aware.


    If you decided to add those Ad-aware files, then after the installation of a new reference-file for Ad-aware, you will see an alert like this:

    00:03:09 [CRC32] Started - verifying 120 files ...
    00:03:13 [CRC32] -ALERT- File has changed: C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    00:03:14 [CRC32] Test finished.


    Just like we have done now for Ad-aware, you can add any other file, which you want to be checked for changes, to crcfiles.txt.
    You could for example add important files of your anti-virus program. It’s all up to you.


    Some other examples of files that I have added myself to crcfiles.txt:

    %TDSDIR%\Radius.TD3
This is the Radius file of TDS-3, for which you can download an update almost every day.

    %WINDIR%\HOSTS
    This is your HOSTS file in Windows 95-98-ME.
    In Windows NT-2000-XP it can be found here:
    %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS

I use Steve Martin's Hosts file, to which I myself have added a lot of other entries.



    Of course you can find more info about the CRC32 test in the HelpFile of TDS-3.
  7. FanJ

    FanJ Guest

As I told you, you have to add files to crcfiles.txt with their full path.
    The full path has to be in the so-called "Long-File-Name" format.

    You can find some free programs that will make it easy for you to get the full path of a file in the following thread:

    Right-click-context-menu in Windows Explorer


    https://www.wilderssecurity.com/showthread.php?t=13098
  8. FanJ

    FanJ Guest

    Some final remarks:
    You could also use other utilities to monitor files for changes.
    For example: FileChecker from Javacool, NISFileCheck, AdInf32, Inspector in KAV Personal Pro, etc.

    I hope this all helps a little bit.
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jan, very useful information there, hopefully readers will take advantage of your kind offerings :)
    After you've been on the Internet for a few years you typically take things like checksums/integrity checks for granted, but a _lot_ of people don't know about such things so hopefully your posts will help raise awareness and help protect people in this area :)