TDS and resident protection?

Discussion in 'Trojan Defence Suite' started by Thorz, Feb 20, 2005.

Thread Status:
Not open for further replies.
  1. Thorz

    Thorz Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    124
    I am shopping for a trojan cleaner and TDS looks like a robust offer. I am a little worried about the resources that it uses while scanning (60% of my 3GHz P4 processor is a lot). I have had all the options activated during the scan.

    There is something that I could not find: Doesn't TDS come with a resident protection scanner module? The other program that I am testing is Trojanhunter and it comes with a resident protection scanner.

    What are the strong points of TDS over Trojanhunter, and maybe weak points over it? Resource-wise, TH is much lighter than TDS.

    I appreciate your help on this. Thanks a lot.
     
  2. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    TDS-3 does come with resident protection which can be accessed in the paid version...

    From the Help file:

    Execution Protection

    Execution protection is a unique system exclusive to TDS-3 and DiamondCS WormGuard that uses a non-resident hook which allows TDS-3 to intercept and scan files as they are executed (but before they are loaded) and actually prevent infection by blocking/aborting the execution if the file was deemed harmful. As the hook is non-resident it uses no extra memory or resources, and it isn't susceptible to the TerminateProcess issue that virtually all other hook mechanisms are susceptible to.

    How does it work? When you execute a file, the operating system - before it even loads the file - asks the DiamondCS execution hook "Allow this file to continue processing?", and then waits for a Yes/No response from the hook. This allows TDS-3 to scan inside the file and abort the execution if the file is deemed dangerous or has been identified as a trojan.
     
  3. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    NAMOR,
    I don't know the answer to your question, but I think it is a great question. I'm posting to ask Thorz a question based on the answer given. If this non-resident hook method is the best method of defense, why is TDS-4 supposedly implementing a resident method?
     
  4. Thorz

    Thorz Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    124
    Then TDS does have resident protection. How heavy is this protection on the resources of the machine? I am running NOD32 v2 as my resident AV with the recommended settings of this forum.

    @dallen: I have no idea, I am just in the evaluating period, but your question makes a lot of sense.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Thorz,
    the exec protection is a hook only which lies there not using any resources at all, only the few moments of scanning for malicious code before an executable is allowed to run.
    During your full system scan close all unnecessary applications and browser windows, get a coffee and see the results.
    The full system scan is the heaviest process of them all, so give it all room to speed up the process and with all other scanners closed TDS has free access to all files.
    We don't know about TDS-4 how and what that will be only know it will be all different. TDS-3 is still on top.
    Together with your NOD32 you have a very fine protection.
    Have a look at ProcessGuard to hammer that preventive part tight as well and we have more tips for you in this forum.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The resident part of TDS3 is called Execution Protection, this hooks the opening program and tries to identify any malware. So it is not a running process as such and uses very little resources.
    On older systems you may notice a momentary delay when you start a program.

    Full scans with all scan options enabled in TDS3 are time consuming, such a scan is very deep and therefore does use a lot of resources. Best to do a full scan, say weekly, when you are away from your machine for a while :)

    HTH Pilli
     
  7. Mem

    Mem Guest

    While everyone is correct on the execution protection low resource we need to mention that for it to work, TDS must be open (in use). This takes up resources and that may be the poster's concern. On my box, TDS 3 right now is showing about 25,000 K Mem Usage and about 35,000 K in VM size.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The memory use depends per system, some the values you mentioned, some lower. But that is when scanning, it's much lower when it just sits there doing nothing.
     
  9. Minko

    Minko Guest

    Execution protection produces noticeable slowdown because it does not work with memory. I reckon the majority of TDS operators get fed up with it after a few days and turn it off.
     
  10. Minko

    Minko Guest

    Does not work at the memory level, I should say. It actually scans the file on the disk before it is opened. I just don't want you to get the wrong idea about this "feature." It is a very primitive implementation. TDS-4 is being designed to have a proper resident function mirroring those used by antivirus applications.
     
  11. Thorz

    Thorz Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    124
    Thank you for all your comments. I can see that TDS3 users will get the TDS4 upgrade for free. I have also read that TDS4 is on the way and we will maybe have it in 4 months? That is good news. Is there going to be a price difference between buying TDS3 now and buying TDS4 at the moment of its release?
    I have seen that some users are concerned about the actual implementation of TDS3 resident scanner, not only the ones that posted here but some others in the forum.
     
    Last edited: Feb 21, 2005
  12. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thorz,
    I don't speak on the behalf of DiamondCS, only based on what I've read in this forum. It seems that there will be a few upgrade options that will give owners of TDS-3 different options to upgrade based on their needs. There has been talk of 2 or 3 new products that will consist of either active and/or passive components. Of course, DiamondCS is going to want your money as soon as possible, but I doubt that they will structure the pricing in a manner that will screw over their "old" customers in favor of the new. That would be bad business and would not be consistent with their previous practice, as it seems that owners of TDS products have been taken care of over the years. I hope this helps and I'm sure someone with first-hand knowledge will chime in soon and give further clarification.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thorz - I'm wondering - when any memory/processor-intensive app of yours runs a "full" or an "in-depth" scan, don't they suck up large amounts of your processor too?

    In my limited experience here, anything that does an in-depth scan exhibits the same behavior. The answer, of course, is to run the scan while nothing else is running (that's how you're supposed to do it, anyway, so it can get access to as many files as possible that would otherwise be "in use").

    You've got a 3Ghz P4 processor - how much RAM and what OS? Resources aren't the issue here, I think.

    I wouldn't hold my breath waiting for TDS-4, if I were you - if you're confident in the capability of TDS-3, just go for it. But I'd definitely get ProcessGuard, too.

    Minko - I disagree. There's no "noticeable slow-down" here using exe protection at all. Personally, I see no use in NOT running exe protection - any of the modern OS' with even a marginally acceptable processor and sufficient RAM aren't even going to notice the load. Pete
     

  14. Thorz

    Thorz Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    124
    Thanks spy1. You are right about the resources and the on demand scanner. At the end it doesn't matter so much, the machine can handle it. What has had me thinking after reading more threads here is that the resident module of TDS3 appears not to be the best one out there. I still think that the on demand scanner of TDS3 is among the best ones though.

    When I make my purchase I really like to invest in a product that can give me both excellent on demand AND resident scanners, I really don't like to buy 2 products for these tasks. When I bought NOD32 (and any other AV that I have had before it) it was for the complete package, not just for one of the modules. After looking around here in the forums I have seen these other products:
    -Boclean: Very good resident protection, BUT NO on demand.
    -Ewido: It is new in the AT scene, but it appears to be a strong offer, with both on demand and resident modules. People appear to like the product here in the forums. I like their offer too.

    Whatever I choose I think that I will get ProcessGuard. This product is in a league of its own, and it will mix pretty well with my other 3 security layers of AV, AT and firewall.

    Thanks again for your comments.
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS with exec protection enabled, ProcessGuard and NOD32 cover it all in fine cooperation to each other. Remember NOD has your resident protection for detection covered even though in the first place viruses but lots more nowadays, the TDS exec protection blocks executables, TDS scans lots more than trojans, worms and spyware, ProcessGuard to cover all files and processes protection from kernel level, you might like to add RegDefence to cover the registry protection from kernel level and it looks like your system is very well protected.
    Remember TDS-3 is already on top, and users can have their upgrade to the next generation for free. Might have taken a while to get there but it will come for certain while you protected your system very well.
    With this combination i would add Port Explorer as extra defence against and detection of trojans and the kind of hidden connection.
     
  16. Thorz

    Thorz Registered Member

    Joined:
    Dec 29, 2003
    Posts:
    124
    @Jooske: You have got PM (sorry for the double one, my browser crashed on me and I have retyped it :()
    A question: What is RegDefence?

    Why is the PM function so hidden? It is cumbersome to send a PM here.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again,
    Got your PMs both :) and replied on one.
    Think the PM is hidden somewhat to save users from possible web crawlers spamming them? But on each page you can click all in top on your private messages link to get into your forum mailbox and send a PM.

    For info about RegDefence best look in the forum here https://www.wilderssecurity.com/showthread.php?t=67698 where the developer describes it himself better than i ever could.

    Like i wrote above, ProcessGuard is a real must-have to protect your processes from kernel level and above against anything malicious and infections, protects against installation of rootkits etc.
    RegDefend works on kernel level to protect your registry for anything unwanted, so those two together are a wonderful new generation protection working nicely together and with the other applications such as TDS, Port Explorer and NOD32. Speaking about layered protection.
    Suppose you have a nice firewall installed already.
    You will love to grab all the DiamondCS free tools too, btw.
     