TDS-3 Exec Protection - REALLY?

Discussion in 'Trojan Defence Suite' started by Mark W, Jan 1, 2003.

Thread Status:
Not open for further replies.
  1. Mark W

    Mark W Guest

    You have TDS-3 installed and running on your computer (program is open or minimized in taskbar).

    It shows Exec Protection: OK Installed

    Now you run a .exe program. Assuming the file you just ran is clean and trojan-free, should there be any indication on the TDS-3 Control Console that it has scanned (or is scanning) that file?

    Or, does the file simply get executed?

    I know on WormGuard there's no indication UNLESS there's a problem with the file, but on TDS-3, isn't there supposed to be some type of activity or confirmation of scanning on the Control Console?

    Please post your answer...THANKS! :doubt:
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Mark,
    as long as TDS is running with exec protection installed, all executables are scanned and only if there is an alarm are you alerted.
    Imagine the many programs you're starting in a short time: if every exe/com found OK was mentioned it would be really annoying and you would look for means to disable such messages (even if those were lines in the console, mounting the console log to many lines a minute) other than just closing TDS.
    I'm trying to think of a test file like the tests we described in the WormGuard forum, which could make TDS jump up if you click to run it. It should be something you create and save as test.exe on your desktop, but I'm now thinking about a nasty line to put in it as a test.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might have seen my test file in WG, like creating a test.vbs or one with a double extension like test.exe.vbs, and inside a line like Msgbox "This is a VBS script running".
    An easy way to do it is with Notepad: save with such a name and click on it; it is innocent so you would only see a message box telling about the VBS script running, but in the second case WG will warn for the double extension and give the opportunity to check in safe mode.
    For TDS exec protection there should be something more malicious inside, maybe just a line telling "delete directory" or "del file.com", saved as test.exe; maybe test.bat will do too, and see which is first to block it.
     
  4. EdBB

    EdBB Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    24
    Jooske:

    Perhaps there is just such a test file. I've downloaded a "Trojan Simulator" from www.misec.net/trojansimulator.

    As far as I can tell, my copy of TDS-3 (registered) with Exec Protection enabled did not detect it and warn me in any meaningful way. That is, it did mention that the registry had been changed (press Control-A), but did not find the file where I had placed it (C:\Program Files\Trojan Simulator). It did not warn me that it was running in memory on any of Process Memory Space, Mutex Memory Space, or Process File Scan. I did see it as TDS-3 scanned by it, but I could not expect to be watching and spotting trojans by eye - no highlighting, warning, or any such alarm.
    Perhaps I do not have TDS-3 properly configured, although I tried to use the Standard Configuration mentioned on this Forum.

    Would someone take a look at this "Trojan Simulator" and let me know what I should expect?

    TIA,

    Ed o_O :'(
     
  5. Mark W

    Mark W Guest

    Hmmm, I just used Notepad and placed the following lines in a file:
    "delete directory" on line one, and "del file.com" on line two.

    Saved it as an .exe and ran it. TDS-3 made no intervention or warning and neither did WormGuard.

    TDS-3 is running & Exec Protection says OK.

    Any ideas?
     
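A note on why the test above stays silent, as an added example that is not part of the thread: a file typed into Notepad and renamed to .exe is still plain text, not a Windows PE image, so there is no executable code for an exec-scanner to examine and Windows itself will refuse to run it as a program. The script below is constructed for this post (not TDS-3's or WormGuard's code); it checks the two things a file scanner looks at first, the "MZ" DOS header and the "PE\0\0" signature at the offset stored in e_lfanew, and reports whether a file's extension matches its content. The sample bytes are constructed to mirror Mark W's test file; the minimal PE header is hand-built and is not a runnable program.

```python
import struct

# Constructed sample: the two lines Mark W describes typing into Notepad and
# saving as test.exe. It is ASCII text, not machine code.
NOTEPAD_TEST_EXE = b"delete directory\r\ndel file.com\r\n"


def build_minimal_pe_header() -> bytes:
    """Constructed: a 64-byte DOS header plus a 20-byte COFF header.

    Enough header for a scanner to recognise a PE image, but not a runnable
    program (no sections, no entry point). Assumed layout for illustration.
    """
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"                       # e_magic
    struct.pack_into("<I", dos_header, 60, 64)    # e_lfanew: PE signature at offset 64
    coff_header = b"PE\0\0" + struct.pack(
        "<HHIIIHH",
        0x14C,   # Machine: IMAGE_FILE_MACHINE_I386
        0,       # NumberOfSections
        0,       # TimeDateStamp
        0,       # PointerToSymbolTable
        0,       # NumberOfSymbols
        0,       # SizeOfOptionalHeader
        0,       # Characteristics
    )
    return bytes(dos_header) + coff_header


def classify(data: bytes) -> str:
    """Return what the raw bytes look like to an executable scanner."""
    if len(data) < 64 or data[:2] != b"MZ":
        return "not an executable (no MZ header)"
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "DOS MZ image without PE signature"
    return "PE executable"


def is_plain_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def check_file(name: str, data: bytes) -> str:
    """Compare the file name's extension with what the content actually is."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    content = classify(data)
    if ext == "exe":
        if content == "PE executable":
            return "exe with PE content: a scanner has code to examine"
        if is_plain_text(data):
            return ("exe named but plain text inside: not a valid program, "
                    "Windows will not run it and there is no code to scan")
        return f"exe named but content is: {content}"
    if ext in ("bat", "cmd", "vbs") and is_plain_text(data):
        return f"{ext} script: run by an interpreter, scanned as text not as PE"
    return f"{ext or 'no extension'}: {content}"


if __name__ == "__main__":
    print(check_file("test.exe", NOTEPAD_TEST_EXE))
    print(check_file("test.bat", NOTEPAD_TEST_EXE))
    print(check_file("real.exe", build_minimal_pe_header()))
```

Run it and the first line reports that test.exe is text with no code to scan, which is the quiet result Mark W saw; the same bytes saved as test.bat are a batch script that cmd.exe would interpret line by line, which is the case Jooske suggests trying separately.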
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    I don't think the trojan simulator is in the TDS database yet (thus the execution protection probably wouldn't catch it). :)

    Best regards,

    -Javacool
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Agreed. One can compare this one with Gibson's "Leaktest" - now databased by most antitrojans and antiviruses, for no reason actually - the .exe doesn't have a malicious payload. As the designer of this "test trojan" states under "ways of detection": one of these is a possible registry change. This is exactly what TDS detects (see attached screen shot). No antitrojan/antivirus detects this one at the moment as a full positive - other than the database-updated TrojanHunter, from one and the same software designer. Hex the server, scan with TrojanHunter: it goes undetected.

    In this context, TDS does the job as well as possible, detecting the registry change. In the end, a full positive alert comes down to databases and database updates.

    regards,

    paul
     

  8. EdBB

    EdBB Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    24
    Paul:

    I rather suspected that that might be the case - a custom-made "trojan" that nobody but the builder could find.

    I guess my concern was that I thought that TDS-3 had a degree of generic detection capability that would find a running process and mark it as suspicious based on the characteristics of the process. Evidently the builder knows how to disguise them.

    Back to the old drawing board - maybe TDS-4 will be more sensitive (generically)?

    Thanks,

    Ed :doubt:
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Ed,

    Well, all I can say is: TDS4 is a totally new design - and well worth waiting for ;).

    regards.

    paul
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    ditto Forum Admin

    You guys might like to look at this:
    www.dslreports.com/forum/remark,5507340~root=security,1~mode=flat

    discussion on the trojan test.

    edit: sorry, you will have to cut and paste; the link breaks. Copying and pasting the whole link should work.

    put the URL between tags (press the blue globe icon on the left bottom corner when posting - and "paul" will do just fine ;)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS has that kind of generic detection, as it detects malicious code without the name in such cases, and will display something like "suspicious" or "positive ident" if it is malicious. If it is known innocent you will not see it at this moment, but soon it will.
    The "leaktest" has been added by name as something innocent and is mentioned as such in the database, where you will see a thing like "positive identification" and "not a trojan".

    I need better test ideas; I'm sure Gavin will give better examples for your own creations. Good that I fail as a nasties writer :)
     