tds-3 missed a trojan

Hi,

i ran avg pro v7 latest defs last night and it picked up a trojan in firefox's cache, so instead of deleting it i left it and ran tds-3 to see if it would catch it.

It didn't. I even gave it a helping hand by scanning the exact folder avg found it in.

the trojan was named

trojanhorse Collected.4.A0

So wasn't sure who to pass this info. onto so i posted it here.

cheers,

davlam

 

Hi davlam,

You can always submit that file to submit(at)diamondcs.com.au
Replace (at) with the obvious @

BTW, did you let TDS-3 scan while AVG was disabled?
It is always recommended to let TDS-3 do its scanning while there is no other scanner resident.

Thanks !
Cheers, Jan.

 

This seems strange to have users drop a line of defense to use another even for a short time. Maybe I am missing the logic in this. Can you please explain further? I just don't recall seeing any other AT's that recommend this unless I overlooked it somewhere.

Thanks,

Chris

 

Hi there,
Maybe others aren't as helpfull or knowledgeable?
TDS doesn't change the file nor access to it, so TDS never needs to be shut down when scanning with other scanners, only it's recommended not to have it scanning a full scan for instance at the same time, for matters of resources among others. In general scanning at the same time with more scanners could give the risk of scanners scanning each other in stead of files on the system.

It's discussed frequently here and in forums in general it's always best to close other scanners temporary when scanning with another scanner.
This is to give the scanner full access to all files, as many scanners block access to what they find suspicious while especially AVG is famous for hiding them completely from sight by any other scanner.
So it's not strange for us to read "My AVG was the only one that found it!"
Close AVG including it's resident protection temporary and give other scanners an honest chance to even access the files.
And then of course the question: must the other scanner detect the file?
I mean: if it would be a firus or a JS, a trojan scanner is not supposed to detect it. We are already very lucky TDS is detecting lots more then just trojans, for which it was originally written!

With the proper protection and save computer habits it's hardly a risk to close resident protection temporary. The other scanner would find risks immediately, preventive protection like ProcessGuard is even more important then a scan.

 

How can TDS-3 scan and detect if a file is a trojan if another AntiVirus program blocks access to the file in question?

But you are right, one shouldn't drop a line of defense to use another.

 

Maybe I'm wrong but I run scans with Trojan Hunter as well as Ewido and I never stop my resident AV (NOD32) but they still have picked up my keyloggers I intentionally installed and the like with no problem. Ewido even picked up stuff like Trickle from Gator (never tried with TH).

Thanks,

Chris

 

Hi kjempen,

Locking the infected file in that way is what an AV is supposed to do. I have never seen a TDS3 scan conflict with a resident AV, but I would expect some sort of collision, sooner or later, if both locked onto a target at the same time. The same could be said of any good AV/AT combo. When I used AVG, I remember that it was very aggressive when locking files.

Nick

 

Chris - Since you're a TrojanHunter user, you might want to see this thread on the TH forum: http://forum.misec.net/board/TrojanHunter;action=display;num=1110383220;start= .

It explains the whole issue there pretty clearly, but the gist of it is that once any real-time scanner locks on to a detection - and you've got it set to automatically quarantine said detection (or it comes set up that way) - then that particular file is no longer visible to any other scanner because most "quarantines" do a file name or file type (they change the file-type extension) shift as soon as the quarantine takes place. And any scanner a split-second behind simply isn't going to see it from that point on.

As you can also read from that thread I linked to above, Windows doesn't let other programs do anything with things in the System Restore area - it's designed that way - and that's the reason you have to turn System Restore off to clear it and then turn it back on again after the problem's gone. (And also why I don't use System Restore).

This is one of the reasons I have everything possible set to merely "Alert" and stop execution where possible - it helps avoid situations like this. HTH Pete

 

Pete I will PM you so I don't go to far off topic here. Hope you don't mind.

Thanks,

Chris

 

I mean temporary, during the scanning process with the other scanner, to close the other scanner(s) and certainly with AVG close it's resident protection till the other scanner is ready.
We've written this for many years in every forum.
I did not say you have to remove it or uninstall or change settings in your registry, just only temporary close it to give other scanners including TDS full access to all files to be scanned. TDS is not looking for filenames and extensions, it checks all possible code.
If you want you can even scan in safe mode.
I suppose you have exec protection installed so if there would be a nasty on your system it should be blocked from executing by your active TDS anyway.
How long does your full system scan take, an hour? more? less?
The other scanners with their resident protection should have disarmed found nasties anyway so why not letting TDS doing it's job to the fullest?
You might remember over a year ago a nasty difficult cleansing which was only possible once the user was convinced to close his AVG and the culpit of his problem (AppInit_DLLs) showed up in his HJT log, after which cleansing took just a few more postings. I'll have to google for it here in the TDS forum to find it back. https://www.wilderssecurity.com/showthread.php?t=41214

 

Hi everybody, you know its good to have all that advice ; but you all know
that having more than one Anti-Trojan scanner is a must now days. That dosent mean that you have them running all at the same time. If you have
a good anti-Virus like Nortons 2005 you shouldnt have any problems. Trojan
scanners are a second line of defense that dont need to be running in the background. If you do a scan about once a week you should be allright.
WormGuard and ProcessGuard should take care of the rest. Trojans arent
the only way Hackers get into your computer. Trojans are what hackers leave behind so they dont have to work so hard at hacking you the next time they come pinging so I guess that is where you would need Port Explorer. I think Jooske would agree that you need a Layered Security System
now days.

 

We all do. The DiamondCS guys have educated us in this since many years. Prevention first with ProcessGuard, RegDefence, WomGuard, the monitoring and protecting with Port Explorer, a firewall, checking with the exec protection in TDS and WormGuard, your email scanner, resident protection from your several scanners, av, at, as, aa, and then the scanners.
You can add to those layers at wish, router with NAT, the ZAPro Security Suite, whatever, email scanners, all the anti-spy/adware, etc.
If the prevention part is ok and well configured, the monitoring and resident protection ok, scanners have lots less to do.
But scanning is still necessary. But i would do them one after the other.
Especially AVG has the habit to hide and lock all access and make detection impossible for other scanners. Maybe there are settings possible in scanners to block all access or not, maybe their quarantine folder should be accessable for other scanners, whatever.
But for TDS: you can also scan in safe mode if you prefer so and it will have free access everywhere one should think.