TDS exe protection

Discussion in 'Trojan Defence Suite' started by -JSa-, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. -JSa-

    -JSa- Guest

    Does exe protection give warnings of malicious files, and is there a test like EICAR I can run on it?

    thanks
    JSa
     
  2. FanJ

    FanJ Guest

    Hi,

    The answer on both questions is "yes" ;)

    Here comes the example: Leaktest from Steve Gibson:
    http://grc.com/lt/leaktest.htm

    Is Leaktest in the definitions of TDS-3?
    Yes, see screenshot of the primary list:
     


  3. FanJ

    FanJ Guest

    And here comes the test.

    TDS-3 was started before the test was done, and Execution Protection enabled.

    WormGuard and my AV were disabled.

    I downloaded the file LeakTest.exe from the GRC-site onto my desktop.
    Then I double clicked it to start it.

    Immediately TDS-3 jumped up and blocked it.
     


  4. FanJ

    FanJ Guest

    I right clicked on that warning, and got the following options:
     


  5. FanJ

    FanJ Guest

    I chose "Delete", and got a question whether I was sure.

    PS:
    I have the Dutch version of Windows, so you will see two Dutch words:

    ja = yes
    nee = no
     


  6. FanJ

    FanJ Guest

    I chose "ja" (="yes").

    And here comes the confirmation from TDS-3 that the file was deleted:
     


  7. FanJ

    FanJ Guest

    That's all :)
     
  8. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I wanted to try this.

    I have downloaded the leaktest to my desktop; upon execution I chose to 'test for leaks'. My firewall then jumps in and asks if I want the application to connect to the internet.

    I have WormGuard installed and Exec protn is enabled on TDS3. Should I have been able to run the test? o_O
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi User da da da da ;)

    If your radius definitions are up to date and your TDS is configured correctly then you should not have been able to run the leaktest without TDS intercepting it. I confirmed here just in case they put a really new version on the grc site that may "elude" the test definitions, but it intercepted right away. You might want to try scanning the directory leaktest is in from TDS, and if it finds it you know there is something wrong with your execprot (maybe removing execprot, rebooting, re-adding, rebooting will do the trick).

    As an additional test, there is a safe Trojan Simulator that includes both a client and a server component that you can test TDS against. It can be found here...

    http://computercops.biz/article1981.html

    Hope this helps
     
  10. FanJ

    FanJ Guest

    Was TDS-3 started before you did the test?
    Execution Protection works only if
    1- TDS-3 has been started (either automatically at windows start-up or by yourself), and if
    2- Execution Protection is enabled.
     
  11. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I am a little worried now, I removed and then added exec protection with reboots as advised.

    TDS is running, but I can still run the leaktest.

    I also downloaded the Trojan Simulator (thanks to Dan Perez) and TDS doesn't pick it up unless I run a manual scan of the containing folder. (I even shut down all other running security processes).

    I then restarted all other security processes (including NOD32, Tauscan trial version (as TDS has no monitor to speak of) and Adaware).

    I wouldn't expect NOD to pick up the Trojan Simulator but Tauscan also failed - the only one to notice a change was Adaware!!

    I know we're not here to discuss other programs but I am concerned as to why my Exec Prot doesn't seem to be working. I have the latest Radius update (27.01.2004).

    Any comments most gratefully received.
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    This is strange (to say the least).

    Can you give more details on your OS and service pack?

    Also, when you launch TDS does it confirm that it shows execprot as active?

    Also, I think your radius defs are out of date, can you try an update and see if the values match mine shown below?

    Code:
    11:42:16 [Init] Trojan Defence Suite v3.2.0  - Registered to Dan Perez 
    11:42:16 [Init] Started 29-01-04 11:42:16 Pacific Standard Time (UTC: 8), Internet Time @862.69 
    11:42:16 [Init] Loading TDS-3 Systems ... 
    11:42:16 [Init] ? Priority         :   OK. 
    11:42:16 [Init] Token successfully adjusted. 
    11:42:17 [Init] ? TDS Privileges   :   OK.      Adjusted TDS-3 token privileges to maximum 
    11:42:17 [Init] ? Plugins          :   OK.      Loaded 13 
    11:42:17 [Init] ? Exec Protection  :   OK.      Installed 
    11:42:18 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 
    11:42:34 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families 
    11:42:35 [Init] ? Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other] 
    11:42:35 [Init] Radius Systems loaded. <Databases updated 29-01-2004> 
    
    I'm sure the real TDS experts will have plenty of input as well.
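    As an added example (my own code, not from the thread or from DiamondCS), here is a small Python parser for the [Init] and [ExecProt] lines quoted in these posts: it pulls out the Exec Protection status, the Radius reference counts and the database date, compares a user's values against a reference log the way Dan asks for, and collects [ExecProt] WARNING lines as the evidence that the protection actually fired. The sample log lines are constructed in the format the posts show, and the function names are my own.

```python
import re
from datetime import date

# Constructed sample input in the [Init] format TDS-3 prints at start-up. One copy
# mirrors the reference log, the other a machine whose definitions lag. The bullet
# before "Exec Protection" pastes as "?" or "•" depending on the board, so it is ignored.
REFERENCE_LOG = """\
11:42:17 [Init] ? Exec Protection  :   OK.      Installed
11:42:35 [Init] ? Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
11:42:35 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
"""
USER_LOG = """\
19:20:45 [Init] • Exec Protection : OK. Installed
19:20:47 [Init] • Systems Initialised [31180 references - 11094 primaries/8913 traces/11173 variants/other]
19:20:47 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
"""
# Constructed [ExecProt] line of the kind logged when a test file is blocked (path is made up).
BLOCK_LOG = r"10:41:42 [ExecProt] WARNING: c:\temp\constructed\tsserv.exe has been blocked from executing"

EXECPROT_RE = re.compile(r"\[Init\]\s*\S?\s*Exec Protection\s*:\s*(\w+)\.?\s*(\w*)")
COUNTS_RE = re.compile(r"Systems Initialised \[(\d+) references - (\d+) primaries/(\d+) traces/(\d+) variants/other\]")
DATE_RE = re.compile(r"Databases updated (\d{2})-(\d{2})-(\d{4})")
BLOCK_RE = re.compile(r"\[ExecProt\] WARNING: (.+?) has been blocked from executing")

def parse_init_log(text):
    """Extract execprot status, Radius counts and database date from [Init] lines."""
    info = {"execprot_ok": False, "counts": None, "db_date": None}
    for line in text.splitlines():
        m = EXECPROT_RE.search(line)
        if m:  # "OK. Installed" only says the driver loaded; it does not prove it blocks anything
            info["execprot_ok"] = m.group(1) == "OK" and m.group(2) == "Installed"
            continue
        m = COUNTS_RE.search(line)
        if m:
            info["counts"] = dict(zip(("references", "primaries", "traces", "variants"), map(int, m.groups())))
            continue
        m = DATE_RE.search(line)
        if m:  # TDS-3 prints day-month-year
            d, mo, y = map(int, m.groups())
            info["db_date"] = date(y, mo, d)
    return info

def compare_to_reference(user, ref):
    """Return a list of findings; an empty list means the user's values match the reference."""
    findings = []
    if not user["execprot_ok"]:
        findings.append("Exec Protection not reported as OK/Installed")
    if user["db_date"] and ref["db_date"] and user["db_date"] < ref["db_date"]:
        findings.append(f"definitions stale: {user['db_date']} < {ref['db_date']}")
    if user["counts"] and ref["counts"] and user["counts"]["primaries"] < ref["counts"]["primaries"]:
        findings.append(f"primaries {user['counts']['primaries']} < reference {ref['counts']['primaries']}")
    return findings

def blocked_paths(text):
    """Paths that Execution Protection reported as blocked: the real proof that it is working."""
    return BLOCK_RE.findall(text)
```

    Running the two comparisons reproduces the thread's situation: the stale log yields two findings (older database date, fewer primaries) even though Exec Protection reports itself as installed, and only an [ExecProt] WARNING line shows that a test file was actually stopped.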
     
  13. FanJ

    FanJ Guest

    Hi,

    TDS-3 does have most certainly a "monitor" !!!
    It is called Execution Protection !
    Tauscan cannot even think about the security that TDS-3 gives you !
    I'm sorry to say; I have both.

    We were trying to test TDS-3 Execution Protection.
    Disable other AV's and AT's.
    Make sure that Execution Protection is enabled in TDS-3.
    Reboot.
    Let either TDS-3 start up with Windows or start it yourself.
    Then download that file LeakTest.exe and double click it to start it.
    In case TDS-3 does NOT jump up, then there is a problem, and then we need Wayne to jump in here to help you.
     
  14. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    I am running Windows XP Prof SP1.

    As you can see - Exec Protn is installed - you can also see however that my radius database does not match yours!! You will also notice that I have tried to update but the report tells me I am already up to date - not so when compared to yours? o_O

    19:20:44 [Init] Trojan Defence Suite v3.2.0 - Registered to Mark Freeman
    19:20:44 [Init] Started 29-01-04 19:20:44 GMT Standard Time (UTC: 0), Internet Time @847.73
    19:20:44 [Init] Loading TDS-3 Systems ...
    19:20:44 [Init] • Priority : OK.
    19:20:45 [Init] Token successfully adjusted.
    19:20:45 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    19:20:45 [Init] • Plugins : OK. Loaded 13
    19:20:45 [Init] • Exec Protection : OK. Installed
    19:20:45 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    19:20:47 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    19:20:47 [Init] • Systems Initialised [31180 references - 11094 primaries/8913 traces/11173 variants/other]
    19:20:47 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
    19:20:47 [Init] TDS-3 Ready. <Administrator@127.0.0.1 - United Kingdom>
    19:20:47 [TDS] Good evening Administrator.
    19:20:49 [Memory Scan] Memory scan started, please wait a moment ...
    19:20:51 [Memory Scan] Memory scan complete.
    19:20:51 [Mutex Memory Scan] Started...
    19:20:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
    19:20:53 [Trace Scan] Started...
    19:20:56 [Trace Scan] Finished.
    19:20:58 [CRC32] Started - verifying 31 files ...
    19:20:59 [CRC32] Test finished.
    19:35:19 [Radius Update] Database already up-to-date - transfer aborted.
    19:52:21 [Radius Update] Database already up-to-date - transfer aborted.
     
  15. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Just to confirm FanJ - as mentioned in my post, I had disabled all other AVs/ATs & Others.

    Also I do not expect any other AT to match TDS-3 but am trialling other ATs which have active monitors - I know there is exec protn but I have read here that this does not match up to the likes of BoClean - unfortunately they do not have a free trial so I am trialling others - I am not defecting. ;)

    It does seem that I have a problem with my application. Maybe I have to uninstall/Re-install, but I hope it doesn't come to that - advice please.
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Yeah, it may be that you need to uninstall/reinstall but I would hold off until you get word from the DCS folks as they may advise additional registry cleaning between the uninstall and reinstall.

    In the meantime, you may have an out of date "update.cfg" so you might want to go to the page below to get a fresh copy of one.

    http://tds.diamondcs.com.au/index.php?page=update

    If after that the "Update TDS Databases" thing doesn't work you can always manually download the latest radius file from the same page as above.

    BTW, it has been a while since I last tested against Trojan Simulator so I did it just now and it was properly intercepted by TDS, so definitely something is wrong with your install.
     
  17. FanJ

    FanJ Guest

    Hi,

    First: sorry Dan, I didn't see your posting before I was posting; sorry !

    User-etc:
    Some remarks:

    As Dan wrote, you definitely have to get the latest defs !
    I have the same number for the "primaries" as he has.
    Get it here:
    http://tds.diamondcs.com.au/index.php?page=update
    Get from that same page the latest file update.cfg
    Quote:
    Important: The Automatic Update program (update.exe) requires an up-to-date server list (update.cfg) in order to download the database. This file can be downloaded here (Right-click | Save Target As...). Please save the file to your TDS directory, overwriting the existing update.cfg file. Remember to ensure that the filename is update.cfg, and not update.cfg.txt or anything else.
    - end quote -

    But to be honest: I doubt that the fact that you don't have the latest defs (Radius-file) is causing the problem; but only trial-and-error will prove that.....

    Does your firewall block access to one of the sites in update.cfg?

    When was the last time that you installed a new version of TDS-3?
    Last summer (summer 2003) there was the so-called Final version of TDS-3.

    I only have Windows 98 SE.
    I really don't know whether any issue involved with running as Admin/poweruser/etc might cause this :oops:
     
  18. mfreemanhcp7

    mfreemanhcp7 Registered Member

    Joined:
    Jan 3, 2004
    Posts:
    37
    Location:
    England's Sunny South Coast!!
    Thanks Dan Perez. I downloaded the latest update.cfg and this has enabled me to download the latest Radius update. It seems strange though that I was able to update only two days ago without any problems - have you needed to download the update.cfg file in the past few days??

    This seems strange to me and something is definitely adrift here. Look forward to some DCS input here.

    Thanks guys. :)

    P.S. FanJ - I only bought and installed TDS-3 this month so am sure it's the latest version. I am logged in as Administrator.
     
  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    No need for apologies at all! The more input the better! ;)

    I have not had occasion to change the update.cfg since I last upgraded ~ 6 months ago? but as I understand it, the update.cfg is changed periodically at the webpage you went to so as to help distribute the load amongst all the available servers. Under the assumption that the server at the top of your old list had an older (and possibly corrupt) radius file I thought we would get another update.cfg to almost certainly direct you first to a different server.

    I agree though with Jan that this would almost certainly not address the main issue you are having, which seems to be a bad config somewhere that will not allow proper operation of execprot.

    The DCS gurus will be awake and eager to provide more detailed assistance in about 6 hours and I'm sure they will have a quick resolution to the issue.
     
  20. -JSa-

    -JSa- Guest

    thanks for the replies all

    I've tried the tests suggested and they don't work for me either; my OS is Windows 2K SP4.

    I noticed that since installing exe protection launching programs takes a fraction longer, so I guess it's doing something, but it did not report either leaktest or trojansimulator.
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This was a test of the Trojan Simulator trying to install. :) Also, I do know that Dan runs W2K; this PC is XP Pro.

    Please note: the three bolded items.

    10:38:50 [Init] Trojan Defence Suite v3.2.0 - Registered to Pilli
    10:38:50 [Init] Started 30-01-04 10:38:50 GMT Standard Time (UTC: 0), Internet Time @485.30
    10:38:50 [Init] Loading TDS-3 Systems ...
    10:38:50 [Init] Token successfully adjusted.
    10:38:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    10:38:50 [Init] • Plugins : OK. Loaded 13
    10:38:50 [Init] • Exec Protection : OK. Installed
    10:38:50 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    10:38:53 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    10:38:53 [Init] • Systems Initialised [31483 references - 11266 primaries/9002 traces/11215 variants/other]
    10:38:53 [Init] Radius Systems loaded. <Databases updated 29-01-2004>
    10:38:53 [Init] TDS-3 Ready. <Pilli@127.0.0.1, 192.168.2.62 - United Kingdom>
    10:38:53 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning inside the memory space of processes
    10:38:54 [TDS] Good morning Pilli.
    10:38:58 [Mutex Memory Scan] Started...
    10:39:00 [Mutex Memory Scan] Finished (no trojan mutexes found).
    10:39:00 [Trace Scan] Started...
    10:39:13 [Trace Scan] Finished.
    10:39:16 [Radius] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    10:39:19 [Radius] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    10:39:19 [Radius] • Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
    10:39:19 [Radius] Radius Systems loaded. <Databases updated 30-01-2004>
    10:39:19 [Radius Update] Update complete.
    10:41:42 [ExecProt] WARNING: c:\documents and settings\alan\local settings\temp\temporary directory 2 for trojansimulator.zip\tsserv.exe has been blocked from executing
     
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I regularly get this update problem. It's all due to my ISP having a transparent webcache and I have to frequently change the proxy server setting inside TDS to be able to autoupdate.

    Luckily (?) I use NTL in the UK and have a choice of 3 proxy servers just by changing 1 digit, and that normally solves the problem for me.

    If you continually get problems then use a proxy server in the TDS settings.
     
  23. -JSa-

    -JSa- Guest

    It's NOT an update problem, I have the latest radius installed:

    05:52:52 [Init] Loading TDS-3 Systems ...
    05:52:52 [Init] ? Exec Protection : OK. Installed
    05:52:53 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    05:53:03 [Init] ? Radius Advanced Specialist Extensions on standby for 13 trojan families
    05:53:03 [Init] ? Systems Initialised [31503 references - 11282 primaries/9006 traces/11215 variants/other]
    05:53:03 [Init] Radius Systems loaded. <Databases updated 31-01-2004>
    05:53:03 [Init] TDS-3 Ready. <xxxxx@xxx.xxx.xxx.xx, 127.0.0.1 >
    05:53:03 [TDS] Good morning xxxxx, all systems are ready.


    Here is a screenshot showing trojansimulator in memory alongside TDS
    http://members.lycos.co.uk/bmge500/Capture008.jpg

    If I do a scan control / live process files scan then I get a warning:

    Scan Control Dumped @ 05:58:42 31-01-04
    Trojan Client\EditServer found: Demo.TrojanSim (Client)
    File: d:\files\trojansimulator\trojansimulator.exe

    Positive identification: Demo.TrojanSim
    File: d:\files\trojansimulator\tsserv.exe


    Obviously something is wrong with exe protection.

    JSa
     
  24. FanJ

    FanJ Guest

    Hi JSa,

    Maybe off topic:
    I see for example in your posting this:

    05:52:52 [Init] ? Exec Protection : OK. Installed

    I have this:

    15:13:01 [Init] • Exec Protection : OK. Installed

    So, where you have: ?
    I have: •

    Maybe this is caused during your process of copying it to the posting, I don't know.
    Do you have that • on your TDS-3 screen?

    Could you please check your Required System Files?
    See here:
    https://www.wilderssecurity.com/showthread.php?t=13794

    I don't think this has anything to do with the right function of Execution Protection, but it may be a good idea to check it...
     
  25. FanJ

    FanJ Guest

    Ah, I just saw that in reply # 11 of this thread Dan also had that "?" instead of the "•", so I guess it is only caused by the board-software or during the copying-process :rolleyes:
     