tds-3 missed a trojan

Discussion in 'Trojan Defence Suite' started by davlam, Apr 4, 2005.

Thread Status:
Not open for further replies.
  1. davlam

    davlam Registered Member

    Joined:
    Sep 20, 2004
    Posts:
    11
    Hi,

    I ran AVG Pro v7 with the latest defs last night and it picked up a trojan in Firefox's cache, so instead of deleting it I left it and ran TDS-3 to see if it would catch it.

    It didn't. I even gave it a helping hand by scanning the exact folder avg found it in.

    The trojan was named

    trojanhorse Collected.4.A0

    So I wasn't sure who to pass this info on to, so I posted it here.

    cheers,

    davlam
     
  2. J at A

    J at A Guest

    Hi davlam,

    You can always submit that file to submit(at)diamondcs.com.au
    Replace (at) with the obvious @

    BTW, did you let TDS-3 scan while AVG was disabled?
    It is always recommended to let TDS-3 do its scanning while there is no other scanner resident.

    Thanks !
    Cheers, Jan.
     
  3. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    This seems strange, to have users drop a line of defense to use another, even for a short time. Maybe I am missing the logic in this. Can you please explain further? I just don't recall seeing any other ATs that recommend this, unless I overlooked it somewhere.

    Thanks,

    Chris
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    Maybe others aren't as helpful or knowledgeable?
    TDS doesn't change the file or access to it, so TDS never needs to be shut down when scanning with other scanners; it's only recommended not to have it running a full scan at the same time, for reasons of resources among others. In general, scanning at the same time with more scanners could give the risk of scanners scanning each other instead of files on the system.

    It's discussed frequently here and in forums in general: it's always best to close other scanners temporarily when scanning with another scanner.
    This is to give the scanner full access to all files, as many scanners block access to what they find suspicious, while AVG especially is famous for hiding them completely from sight of any other scanner.
    So it's not strange for us to read "My AVG was the only one that found it!"
    Close AVG, including its resident protection, temporarily and give other scanners an honest chance to even access the files.
    And then of course the question: must the other scanner detect the file?
    I mean: if it were a virus or a JS, a trojan scanner is not supposed to detect it. We are already very lucky TDS is detecting lots more than just trojans, for which it was originally written!

    With the proper protection and safe computer habits it's hardly a risk to close resident protection temporarily. The other scanner would find risks immediately; preventive protection like ProcessGuard is even more important than a scan.
     
    Last edited: Apr 5, 2005
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The reason TDS didn't find it is because it probably doesn't actually exist on the computer.

    FF cache is the equivalent of IE's Temporary Internet Files folder, and many AVs, including AVG, detect links in the cache that use exploits to download trojans etc. to the computer.

    As the infected file isn't actually on the computer but on a website, TDS won't detect it.
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    How can TDS-3 scan and detect if a file is a trojan if another AntiVirus program blocks access to the file in question?

    But you are right, one shouldn't drop a line of defense to use another.
     
  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Maybe I'm wrong but I run scans with Trojan Hunter as well as Ewido and I never stop my resident AV (NOD32) but they still have picked up my keyloggers I intentionally installed and the like with no problem. Ewido even picked up stuff like Trickle from Gator (never tried with TH).

    Thanks,

    Chris
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi kjempen,

    Locking the infected file in that way is what an AV is supposed to do. I have never seen a TDS3 scan conflict with a resident AV, but I would expect some sort of collision, sooner or later, if both locked onto a target at the same time. The same could be said of any good AV/AT combo. When I used AVG, I remember that it was very aggressive when locking files.

    Nick
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Chris - Since you're a TrojanHunter user, you might want to see this thread on the TH forum: http://forum.misec.net/board/TrojanHunter;action=display;num=1110383220;start= .

    It explains the whole issue there pretty clearly, but the gist of it is that once any real-time scanner locks on to a detection - and you've got it set to automatically quarantine said detection (or it comes set up that way) - then that particular file is no longer visible to any other scanner because most "quarantines" do a file name or file type (they change the file-type extension) shift as soon as the quarantine takes place. And any scanner a split-second behind simply isn't going to see it from that point on.

    As you can also read from that thread I linked to above, Windows doesn't let other programs do anything with things in the System Restore area - it's designed that way - and that's the reason you have to turn System Restore off to clear it and then turn it back on again after the problem's gone. (And also why I don't use System Restore).

    This is one of the reasons I have everything possible set to merely "Alert" and stop execution where possible - it helps avoid situations like this. HTH Pete
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Pete, I will PM you so I don't go too far off topic here. Hope you don't mind.

    Thanks,

    Chris
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    A lot depends on which AV you have.

    As many AVs now detect some of the trojans and adwares and scumwares that TDS detects, the AV will lock access to the file to prevent any access to it if it's in its database.

    It all depends on the speed of the scanning engine. I use KAV and TDS in combination, and unless KAV hasn't got the trojan in its definitions, scanning with TDS & KAV active is a waste of time, as on almost every file I get a "can't examine file, locked" message.
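The file-locking and quarantine behaviour discussed above (dvk01's "can't examine file, locked" message, and spy1's earlier point that a quarantine renames the file and changes its extension so a scanner a split second behind never sees it), worked through as an added example. This is not code from the original thread, nor from TDS-3, AVG, KAV or any other product named here. It assumes a hash-based signature as a stand-in for a real detection engine, simulates a resident scanner holding a file by injecting an `opener` that raises `PermissionError`, and uses a constructed sample payload and temporary directory so it runs offline. The practitioner point it shows: a scan that silently skips locked files reports "clean" when it has not actually looked, so skipped files must be counted separately, and a content-based check still recognises a file after a quarantine rename, where a name-or-extension check would not.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Constructed sample content standing in for a detected file. The digest below
# is its SHA-256; the label is a hypothetical detection name, not a real one.
SAMPLE_BAD_CONTENT = b"constructed-sample-payload-for-demo-only"
SIGNATURES = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "Constructed.Sample"}


@dataclass
class ScanReport:
    scanned: list = field(default_factory=list)
    detected: list = field(default_factory=list)   # (path, detection name)
    locked: list = field(default_factory=list)     # unreadable: another process holds it

    @property
    def complete(self) -> bool:
        """Only a scan that skipped nothing can be read as a clean result."""
        return not self.locked


def sha256_file(path, opener=open):
    """Hash a file's content; 'opener' is injectable so a lock can be simulated."""
    h = hashlib.sha256()
    with opener(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, signatures, opener=open):
    """Content-based scan: matches on the hash, so a renamed or re-extensioned
    file is still recognised, and a file that cannot be read is recorded rather
    than silently passed over."""
    report = ScanReport()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path, opener)
            except PermissionError:
                report.locked.append(path)
                continue
            report.scanned.append(path)
            if digest in signatures:
                report.detected.append((path, signatures[digest]))
    return report


def make_locking_opener(locked_paths):
    """Constructed stand-in for a resident scanner holding files exclusively."""
    locked = {os.path.abspath(p) for p in locked_paths}

    def opener(path, mode="r", *args, **kwargs):
        if os.path.abspath(path) in locked:
            raise PermissionError(f"{path}: locked by another process (simulated)")
        return open(path, mode, *args, **kwargs)

    return opener


def quarantine(path, qdir, manifest):
    """Move a detection under a new name and extension (the shift spy1 describes)
    and record where it came from, so the file does not simply vanish from the
    view of the next tool that looks."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, sha256_file(path) + ".quar")
    os.replace(path, dest)
    manifest[dest] = path
    return dest


def demo():
    """Three scans of a constructed cache directory: uncontended, with the
    sample file locked, and after the sample file has been quarantined."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache")
        os.makedirs(cache)
        bad = os.path.join(cache, "item1.bin")
        with open(bad, "wb") as f:
            f.write(SAMPLE_BAD_CONTENT)
        with open(os.path.join(cache, "item2.bin"), "wb") as f:
            f.write(b"harmless cached page")

        alone = scan_tree(root, SIGNATURES)
        contended = scan_tree(root, SIGNATURES, opener=make_locking_opener([bad]))
        manifest = {}
        moved = quarantine(bad, os.path.join(root, "quarantine"), manifest)
        after = scan_tree(root, SIGNATURES)
        return alone, contended, after, manifest.get(moved)


if __name__ == "__main__":
    alone, contended, after, origin = demo()
    print("uncontended:", len(alone.detected), "detection(s), complete =", alone.complete)
    print("contended:  ", len(contended.detected), "detection(s), complete =", contended.complete,
          "locked =", [os.path.basename(p) for p in contended.locked])
    print("quarantined:", [(os.path.basename(p), n) for p, n in after.detected], "from", origin)
```

Run it directly to see the three reports. The contended scan detects nothing yet is flagged incomplete because one file was locked; the scan after quarantine finds the same content under its new `.quar` name because the check is on the bytes, not the filename, and the manifest ties that entry back to the original path in the cache.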
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I mean temporarily, during the scanning process with the other scanner, to close the other scanner(s), and certainly with AVG close its resident protection till the other scanner is ready.
    We've written this for many years in every forum.
    I did not say you have to remove it or uninstall it or change settings in your registry, just temporarily close it to give other scanners, including TDS, full access to all files to be scanned. TDS is not looking for filenames and extensions; it checks all possible code.
    If you want you can even scan in safe mode.
    I suppose you have exec protection installed, so if there were a nasty on your system it should be blocked from executing by your active TDS anyway.
    How long does your full system scan take, an hour? More? Less?
    The other scanners with their resident protection should have disarmed found nasties anyway, so why not let TDS do its job to the fullest?
    You might remember over a year ago a nasty, difficult cleansing which was only possible once the user was convinced to close his AVG and the culprit of his problem (AppInit_DLLs) showed up in his HJT log, after which cleansing took just a few more postings. I'll have to google for it here in the TDS forum to find it back. https://www.wilderssecurity.com/showthread.php?t=41214
     
    Last edited: Apr 7, 2005
  13. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
    Hi everybody, you know it's good to have all that advice; but you all know that having more than one anti-trojan scanner is a must nowadays. That doesn't mean that you have them running all at the same time. If you have a good anti-virus like Norton's 2005 you shouldn't have any problems. Trojan scanners are a second line of defense that don't need to be running in the background. If you do a scan about once a week you should be all right. WormGuard and ProcessGuard should take care of the rest. Trojans aren't the only way hackers get into your computer. Trojans are what hackers leave behind so they don't have to work so hard at hacking you the next time they come pinging, so I guess that is where you would need Port Explorer. I think Jooske would agree that you need a layered security system nowadays. :eek: :eek: :eek:
     
    Last edited: Jun 4, 2005
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We all do. The DiamondCS guys have educated us in this for many years. Prevention first with ProcessGuard, RegDefence, WormGuard; the monitoring and protecting with Port Explorer, a firewall; checking with the exec protection in TDS and WormGuard, your email scanner, resident protection from your several scanners (AV, AT, AS, AA); and then the scanners.
    You can add to those layers as you wish: router with NAT, the ZAPro Security Suite, whatever, email scanners, all the anti-spy/adware, etc.
    If the prevention part is OK and well configured, and the monitoring and resident protection OK, scanners have lots less to do.
    But scanning is still necessary. But I would do them one after the other.
    Especially AVG has the habit of hiding and locking all access and making detection impossible for other scanners. Maybe there are settings possible in scanners to block all access or not, maybe their quarantine folder should be accessible for other scanners, whatever.
    But for TDS: you can also scan in safe mode if you prefer so and it will have free access everywhere one should think.
     