TDS exe protection

Does exe protection give warnings of malicious files and is there a test like eicar i can run on it?

thanks
JSa

 

Hi,

The answer on both questions is "yes"

Here comes the example: Leaktest from Steve Gibson:
http://grc.com/lt/leaktest.htm

Is Leaktest in the definitions of TDS-3?
Yes, see screenshot of the primary list:

 

And here come the test.

TDS-3 was started before the test was done, and Execution Protection enabled.

WormGuard and my AV were disabled.

I downloaded the file LeakTest.exe from the GRC-site onto my desktop.
Then I double clicked it to start it.

Immediately TDS-3 jumped up and blocked it.

 

I right clicked on that warning, and got the following options:

 

I choose "Delete", and got a question whether I was sure.

PS:
I have the Dutch version of Windows, so you will see two Dutch words:

ja = yes
nee = no

 

I choose "ja" (="yes").

And here comes the confirmation from TDS-3 that the file was deleted:

 

That's all

 

I wanted to try this.

I have downloaded the leaktest to my desktop upon execution I choose to 'test for leaks'. My firewall then jumps in and asks if I want the application to connect to the internet.

I have wormguard installed and Exec protn is enabled on TDS3. Should I have been able to run the test

 

Hi User da da da da

If your radius definitions are up to date and your TDS is configured correctly then you should not have been able to run the leaktest without TDS intercepting it. I confirmed here just in case they put a really new version on the grc site that may "elude" the test definitions, but it intercepted right away. You might want to try scanning the directory leaktest is in from TDS and if it finds it you know there is something wrong with your execprot (maybe removing execprot, rebooting, re-adding, rebooting will do the trick)

As an additional test, there is a safe Trojan Simulator that includes both a client a server component that you can test TDS against. It can be found here...

http://computercops.biz/article1981.html

Hope this helps

 

Was TDS-3 started before you did the test?
Execution Protection works only if
1- TDS-3 has been started (either automatically at windows start-up or by yourself), and if
2- Execution Protection is enabled.

 

I am a little worried now, I removed and then added exec protection with reboots as advised.

TDS is running, but I can still run the leaktest.

I also downloaded the Trojan Simulator (thanks to Dan Perez) and TDS doesn't pick it up unless I run a manual scan of the containing folder. (I even shut down all other running security processes).

I then restarted all other security processes (including NOD32, Tauscan trial version (as TDS has no monitor to speak of) and Adaware.

I wouldn't expect NOD to pick up the Trojan Simulator but Tauscan also failed - the only one to notice a change was Adaware!!

I know we're not here to discuss other programs but I am concerned as to why my Exec Prot doesn't seem to be working. I have the latest Radius update (27.01.2004).

Any comments most gratefully received.

 

This is strange (to say the least).

Can you give more details on your OS and service pack?

Also, when you launch TDS does it confirm that it shows execprot as active?

Also, I think your radius defs are out of date, can you try an update and see if the values match mine shown below?

Code:

11:42:16 [Init] Trojan Defence Suite v3.2.0  - Registered to Dan Perez 
11:42:16 [Init] Started 29-01-04 11:42:16 Pacific Standard Time (UTC: 8), Internet Time @862.69 
11:42:16 [Init] Loading TDS-3 Systems ... 
11:42:16 [Init] ? Priority         :   OK. 
11:42:16 [Init] Token successfully adjusted. 
11:42:17 [Init] ? TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum 
11:42:17 [Init] ? Plugins          :   OK.      Loaded 13 
11:42:17 [Init] ? Exec Protection  :   OK.      Installed 
11:42:18 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 
11:42:34 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families 
11:42:35 [Init] ? Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other] 
11:42:35 [Init] Radius Systems loaded. <Databases updated 29-01-2004> 

I'm sure the real TDS experts will have plenty of input as well.

 

Hi,

TDS-3 does have most certainly a "monitor" !!!
It is called Execution Protection !
Tauscan cannot even think about the security that TDS-3 gives you !
I'm sorry to say; I have both.

We were trying to test TDS-3 Execution Protection.
Disable other AV's and AT's.
Make sure that Execution Protection is enabled in TDS-3.
Reboot.
Let either TDS-3 start up with Windows or start it yourself.
Then download that file LeakTest.exe and double click it to start it.
In case TDS-3 does NOT jump up, then there is a problem, and then we need Wayne to jump in here to help you.

 

I am running Windows XP Prof SP1.

As you can see - Exec Protn is installed - you can also see however that my radius database does not match yours!! You will also notice that I have tried to update but the report tells me I am already up to date - not so when compared to yours?

19:20:44 [Init] Trojan Defence Suite v3.2.0 - Registered to Mark Freeman
19:20:44 [Init] Started 29-01-04 19:20:44 GMT Standard Time (UTC: 0), Internet Time @847.73
19:20:44 [Init] Loading TDS-3 Systems ...
19:20:44 [Init] • Priority : OK.
19:20:45 [Init] Token successfully adjusted.
19:20:45 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
19:20:45 [Init] • Plugins : OK. Loaded 13
19:20:45 [Init] • Exec Protection : OK. Installed
19:20:45 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
19:20:47 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
19:20:47 [Init] • Systems Initialised [31180 references - 11094 primaries/8913 traces/11173 variants/other]
19:20:47 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
19:20:47 [Init] TDS-3 Ready. <Administrator@127.0.0.1 - United Kingdom>
19:20:47 [TDS] Good evening Administrator.
19:20:49 [Memory Scan] Memory scan started, please wait a moment ...
19:20:51 [Memory Scan] Memory scan complete.
19:20:51 [Mutex Memory Scan] Started...
19:20:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
19:20:53 [Trace Scan] Started...
19:20:56 [Trace Scan] Finished.
19:20:58 [CRC32] Started - verifying 31 files ...
19:20:59 [CRC32] Test finished.
19:35:19 [Radius Update] Database already up-to-date - transfer aborted.
19:52:21 [Radius Update] Database already up-to-date - transfer aborted.

 

Just to confirm FanJ - as mentioned in my post, I had disabled all other AVs/ATs & Others.

Also I do not expect any other AT to match TDS-3 but am trialling other ATs which have active monitors - I know there is exec protn but I have read here that this does not match up to the like of BoClean - unfortunately they do not have a free trial so I am trialling others - I am not defecting.

It does seem that I have a problem with my application. Maybe I have to uninstall/Re-install, but I hope it doesn't come to that - advice please.

 

Yeah, it may be that you need to uninstall/reinstall but I would hold off until you get work from the DCS folks as they may advise additional registry cleaning between the uninstall and reinstall.

In the meantime, you may have an out of date "update.cfg" so you might want to go to the page below to get a fresh copy of one

http://tds.diamondcs.com.au/index.php?page=update

If after that the "Update TDS Databases" thing doesn't work you can always manually download the latest radius file from the same page as above.

BTW, it has been a while since I last tested against Trojan Simulator so I did it just now and it was properly intercepted by TDS so definitely something is wrong with your install

 

Hi,

First: sorry Dan, I didn't see your posting before I was posting; sorry !

User-etc:
Some remarks:

As Dan wrote, you definitely have to get the latest defs !
I have the same number for the "primaries" as he has.
Get it here:
http://tds.diamondcs.com.au/index.php?page=update
Get from that same page the latest file update.cfg
Quote:
Important: The Automatic Update program (update.exe) requires an up-to-date server list (update.cfg) in order to download the database. This file can be downloaded here (Right-click | Save Target As...). Please save the file to your TDS directory, overwriting the existing update.cfg file. Remember to ensure that the filename is update.cfg, and not update.cfg.txt or anything else.
- end quote -

But to be honest: I doubt that the fact that you don't have the latest defs (Radius-file) is causing the problem; but only trial-and-error will prove that.....

Does your firewall block access to one of the sites in update.cfg?

When was the last time that you installed a new version of TDS-3?
Last summer (summer 2003) there was the so-called Final version of TDS-3.

I only have Windows 98 SE.
I really don't know whether any issue involved with running as Admin/poweruser/etc might cause this

 

Thanks Dan Perez. I downloaded the latest update.cfg and this has enabled me to download the latest Radius update. It seems strange though that I was able to update only two days ago without any problems - have you nedded to download the update.cfg file in the past few days??

This seems strange to me and something is definately adrift here. Look forward to some DCs input here.

Thanks guys.

P.S. FanJ - I only bought and installed TDS-3 this month so am sure it's the latest version. I am logged in as Administrator.

 

No need for apologies at all! The more input the better!

I have not had occasion to change the update.cfg since I last upgraded ~ 6 months ago? but as I understand it, the update.cfg is changed periodically at the webpage you went to so as to help distribute the load amongst all the available servers. Under the assumption that the server at the top of your old list had an older (and possibly corrupt) radius file I thought we would get another update.cfg to almost certainly direct you first to a different server.

I agree though with Jan that this would almost certainly not address the main issue you are having, which seems to be a bad config somewhere that will not allow proper operation of execprot.

The DCS gurus will be awake and eager to provide more detailed assistance in about 6 hours and I'm sure they will have a quick resolution to the issue.

 

thanks for the replies all

I've try'd the tests suggested and they don't work for me either ,my OS is windows2k sp4

I noticed that since installing exe protection launching programs takes a fraction longer so i guess it's doing something but it did not report either leaktest or trojansimulator.

 

This was a tst of the trojan simulater trying to install. Also I do know that Dan runs W2K, This PC is XP Pro

Please Note: Thre three bolded items.

10:38:50 [Init] Trojan Defence Suite v3.2.0 - Registered to Pilli
10:38:50 [Init] Started 30-01-04 10:38:50 GMT Standard Time (UTC: 0), Internet Time @485.30
10:38:50 [Init] Loading TDS-3 Systems ...
10:38:50 [Init] Token successfully adjusted.
10:38:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:38:50 [Init] • Plugins : OK. Loaded 13
10:38:50 [Init] • Exec Protection : OK. Installed
10:38:50 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:38:53 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:38:53 [Init] • Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
10:38:53 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
10:38:53 [Init] TDS-3 Ready. <Pilli@127.0.0.1, 192.168.2.62 - United Kingdom>
10:38:53 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning inside the memory space of processes
10:38:54 [TDS] Good morning Pilli.
10:38:58 [Mutex Memory Scan] Started...
10:39:00 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:39:00 [Trace Scan] Started...
10:39:13 [Trace Scan] Finished.
10:39:16 [Radius] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:39:19 [Radius] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:39:19 [Radius] • Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
10:39:19 [Radius] Radius Systems loaded. <Databases updated 30-01-2004>
10:39:19 [Radius Update] Update complete.
10:41:42 [ExecProt] WARNING: c:\documents and settings\alan\local settings\temp\temporary directory 2 for trojansimulator.zip\tsserv.exe has been blocked from executing

 

It's NOT an update problem,I have the latest radius installed

05:52:52 [Init] Loading TDS-3 Systems ...
05:52:52 [Init] ? Exec Protection : OK. Installed
05:52:53 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
05:53:03 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families
05:53:03 [Init] ? Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
05:53:03 [Init] Radius Systems loaded. <Databases updated 31-01-2004>
05:53:03 [Init] TDS-3 Ready. <xxxxx@xxx.xxx.xxx.xx, 127.0.0.1 >
05:53:03 [TDS] Good morning xxxxx, all systems are ready.


Here is a screenshot showing trojansimulator in memory alongside TDS
http://members.lycos.co.uk/bmge500/Capture008.jpg

If I do a scan control / live process files scan then i get a warning

Scan Control Dumped @ 05:58:42 31-01-04
Trojan Client\EditServer found: Demo.TrojanSim (Client)
File: d:\files\trojansimulator\trojansimulator.exe

Positive identification: Demo.TrojanSim
File: d:\files\trojansimulator\tsserv.exe


Obviously something is wrong with exe protection.

JSa

 

Hi JSa,

Maybe off topic:
I see for example in your posting this:

05:52:52 [Init] ? Exec Protection : OK. Installed

I have this:

15:13:01 [Init] • Exec Protection : OK. Installed

So, where you have: ?
I have: •

Maybe this is caused during your process of copying it to the posting, I don't know.
Do you have that • on your TDS-3 screen?

Could you please check your Required System Files?
See here:
https://www.wilderssecurity.com/showthread.php?t=13794

I don't think this has anything to do with the right function of Execution Protection, but it may be a good idea to check it...

 

Ah, I just saw that in reply # 11 of this thread Dan also had that "?" instead of the "•", so I guess it is only caused by the board-software or during the copying-process