TDS-3 Questions ... and opinions, pls

Discussion in 'Trojan Defence Suite' started by msanto, Dec 6, 2004.

Thread Status:
Not open for further replies.
  1. msanto

    msanto Registered Member

    Joined:
    Aug 12, 2004
    Posts:
    214
    I use BOClean, but I'm thinking about supplementing it w/ an on-demand scanner.

    I was looking at TDS-3 and Trojan Hunter.

    a) Any issues w/ TDS-3 since it looks (from the trial) like the engine hasn't been updated since 6/2003?

    b) How often do they update defs?

    c) How is tech support?

    Any other comments / opinions would be appreciated.
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    a) On trial versions you will have to update manually (I think)
    b) Updates are usually daily except for weekends
    c) Most people think DCS tech support is excellent.

    As for which one is better...it depends on what you are looking for in a scanner. Just in general, from reading many threads, people that are more technically savvy on computers prefer TDS-3 because of all of the tools that come with it and people that are less savvy on a computer prefer Trojanhunter because the interface is simpler.

    Of course, that is only how things stand today. All AT's are in active development of their scanners and what you see today in a particular scanner may not be true a month or two from now. Also BoClean is developing BoClean5 which I read will have an on-demand scanner.

    Generally, a this scanner vs that scanner will bring out the heavily opinionated and usually the discussion degenerates into an argument. Both TDS-3 and Trojanhunter have trials. I would trial both and read both AT's dedicated board from beginning to end....usually your answers will appear somewhere within the many threads already in existence as well as your own personal trials.

    Generally, the answers of scanner A is definitely better than scanner B will not help you very much because scanner A might work better on my computer but scanner B might work better on yours. It depends on the set-up of your computer and also your own personal preferences.


    Starrob

     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    It's probably also worth considering a different class of program that stops the nasties from running (and/or hopefully stops them from doing their worst if you let them run) to complement the AT programs by adding another layer of a different type of security

    Process Guard has been around for a while and has recently been updated to version 3, it has a free version as well for you to test out. It's also a DCS program so it has a forum here. Have a look at this thread for a knowledgeable user's opinions on it

    System Safety Monitor isn't production yet so it's still free for testing/trial (the home page describes it as "currently freeware")
    http://maxcomputing.narod.ru/ssme.html?lang=en

    Like AT, pick the one you like; they have a different way of interacting with the end user. I don't know how different they are under the hood in terms of protection... seeing as PG is not expensive, rather than having to decide I am using both of them (for now at least)
     
    Last edited: Dec 7, 2004
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I agree with Starrob's and gottadoit's comments. I would recommend ProcessGuard over SSM for stability reasons.

    Rich
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And TDS complementing ProcessGuard.
    TDS is more than a scanner, it's a whole security system. Daily updates, free upgrade, etc.
    Important in the registered version is the exec protection which checks each executable for possible malware before it is allowed to execute. So possible malware is detected without it being installed. WormGuard works more or less like that with other kinds of files.
    TDS runs fine in combination with your BOClean.
     
  6. smbruce

    smbruce Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    10
    Location:
    Stockport, UK
    Jooske
    Can I just ask, when you say TDS "checks each executable for possible malware before it is allowed to execute" is that what BOClean does or is that different? (Please don't think I'm questioning what you say - it's just that I'm very much a beginner on the whole security thing and I'm just trying to understand which program does what, and what combination of programs I need.)

    Thanks.

    Steve
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again! I'm no BOClean user so it's a bit hard for me to tell if it is working the same way or different, I do hope for BOClean it works in the same way and does not first need a file to be installed before it can be detected and maybe stopped -- guess not, for that could be rather dangerous!
    Hope other BOClean users can confirm this.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    smbruce,
    TDS has Execution Protection where a file is scanned as soon as it's loaded BUT before it's allowed to run. So if you try and run a trojan TDS will scan it, detect that it's a trojan and prevent the trojan from running.

    There is no other dedicated anti-trojan program with this pre-execution scan capability (although some of the more advanced anti-virus systems have it), in the realm of anti-trojans it is unique to TDS and has been since the start of the decade so if you're using another anti-trojan then just be aware that it won't detect anything until an infection has taken place, at which time the trojan can simply terminate your anti-trojan program anyway unless it's being protected by ProcessGuard - just one of the reasons why both Execution Protection and ProcessGuard are so vital in their own rights.
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Wayne,
    To be fair it's probably worth mentioning that the trojan writers employ methods to hide their executable code and hence the signature(s) that all of the anti-trojan scanners use to find them

    Because there are so many ways to do this it is just not possible for any one product to always be able to cope with all the different types of unpackers and encrypters. The next generation of AT/AV scanners will probably do a better job of this

    All products can miss things, the better ones won't miss the more common methods. The unpacking/decrypting code in use (ie: the trojan'ed executable) needs to be sent to the companies so that they have the opportunity to do something about it.

    So there is a caveat on the execution protection, even some known trojans might be able to execute if they arrive suitably stealth'ed, it's still important to not think you can now run high risk programs and be safe....
    [I'm sure you can figure out what is high risk for yourself]

    I would ask any vendor how they cope with these 'stealth' methods, both in their current product and in any future products. I wouldn't expect any product to be 100% and I'd ask lots of questions if someone made that claim...

    I'm a bit biased because I purchased TDS3, but based on my research at the time:


    • they put in the effort to create non-trivial signatures (hopefully that can't be avoided by just changing one byte or the entry point of an executable)
    • TDS3 sometimes needs to be started either before or after the other programs you run when you login (see here)
    • the definitions are updated daily according to the website and in practice I have found that there is an update there on weekdays
    • like most (if not all) products it doesn't unpack everything, its unpackers can be extended after installation (it takes a bit of effort)
    • tech support is excellent, just read the forum
    As Starrob mentioned earlier about the trials, make sure that you give each product a trial. If for some reason any of the software doesn't work for you, it's far better for everyone to find out before you pay anything
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gottadoit,
    That's correct, if it's an undetected file then Execution Protection will allow the execution, however it still prevents the infection of all known/detected malware and that's what's more likely to happen. Like virtually everything in security it's very good but still not 100%, and it's theoretically only as good as the scan engine it uses, but it's a much better option than waiting for known malware to infect your system before detecting it because at least then you're preventing the majority of infections (as you're much more likely to get an already-detectable worm in your email than a custom-built undetected trojan, for example).

    If you do find yourself in the situation where an undetectable trojan has infected your system, other layers of security can come into play including TDS3's plethora of system analysis tools and ProcessGuard's process containment capabilities :)
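
Added example, not part of any post in this thread and not DiamondCS's code: a pre-execution scan gate in Python that illustrates the points made in posts 8 to 10, namely that a file is scanned before it may run, that a multi-fragment signature survives a one-byte change where a whole-file hash does not, and that a packed copy passes unless the scanner has a matching unpacker. The sample bytes are constructed and harmless, `try_zlib` and the other names are hypothetical, and zlib compression stands in for a packer.

```python
import hashlib
import zlib

# Constructed, harmless sample standing in for a known trojan's file contents.
SAMPLE = b"MZ" + b"\x00" * 16 + b"FRAGMENT-ONE" + b"\x00" * 16 + b"FRAGMENT-TWO"

HASH_SIG = hashlib.sha256(SAMPLE).hexdigest()      # whole-file signature
FRAGMENT_SIG = (b"FRAGMENT-ONE", b"FRAGMENT-TWO")  # several code fragments

def try_zlib(data):
    """Hypothetical unpacker plug-in: unpacked bytes, or None if not zlib."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None

def scan(data, unpackers=()):
    """Return which signature matched ('hash' or 'fragments'), else None."""
    layers = [data] + [unpack(data) for unpack in unpackers]
    for layer in layers:
        if layer is None:
            continue
        if hashlib.sha256(layer).hexdigest() == HASH_SIG:
            return "hash"
        if all(fragment in layer for fragment in FRAGMENT_SIG):
            return "fragments"
    return None

def allow_execution(data, unpackers=()):
    """Pre-execution gate: the launcher runs the file only if this is True."""
    return scan(data, unpackers) is None

# One byte of padding changed: the hash no longer matches, the fragments do.
PATCHED = SAMPLE[:2] + b"\x01" + SAMPLE[3:]
# zlib compression stands in for a packer the scanner may or may not handle.
PACKED = zlib.compress(SAMPLE)

if __name__ == "__main__":
    for name, data, unpackers in [
        ("original", SAMPLE, ()),
        ("one byte changed", PATCHED, ()),
        ("packed, no unpacker", PACKED, ()),
        ("packed, zlib unpacker", PACKED, (try_zlib,)),
    ]:
        print(f"{name:24} allowed={allow_execution(data, unpackers)}")
```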
     