Wait I thought TDS3 should scan through multiple rars

Discussion in 'Trojan Defence Suite' started by tempnexus, Feb 13, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined: Apr 16, 2003
    Posts: 280
    I recall a long time ago one of the selling points was to take a trojan and pack it, zip it, rar it and use TDS-3 and it will still find it. I just discovered that it's not true. I have X-rat and delerium of disorder which are zipped and then rared, and when I scan them through the right-click context menu I had nothing. When I unpack them and just scan the first packed file I get a positive ID. So this means that I can double pack a trojan and it will evade TDS-3?
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined: Feb 10, 2002
    Posts: 2,080
    Location: Perth, Western Australia
    Hi,

    And what use would it be? The file still needs to be extracted before it will be run. The same goes for many scanners; TDS-4 will probably scan only a few layers deep to avoid ZIP exploits wasting processing power. By this I mean a 40kb zip file which actually contains many many layers of zips inside zips, and faked 4GB files in each of the last level of zips - 4GB files which are actually 0 bytes. A scanner which tried to scan all of these would go on nearly forever :)
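
The trade-off described in the reply above, as an added example that is not part of the original thread and is not DiamondCS code: a scanner that unpacks nested archives up to a depth limit and a byte budget, and reports "incomplete" rather than "clean" when it has to stop. Assumptions: zip stands in for rar (standard library only), and `MARKER`, `SAMPLE`, `nest` and `scan` are hypothetical names built around a constructed, harmless signature.

```python
import io
import zipfile
import zlib

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"   # stand-in for a real signature (assumption)
SAMPLE = MARKER + b"A" * 2000            # constructed, harmless "detectable" payload

def nest(payload, layers):
    """Wrap payload in `layers` zip layers (constructed test input)."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", payload)
        payload = buf.getvalue()
    return payload

def scan(data, name="<root>", depth=0, max_depth=3, budget=None):
    """Return (verdict, notes); verdict is 'detected', 'clean' or 'incomplete'."""
    budget = {"bytes": 10 * 1024 * 1024} if budget is None else budget
    if not zipfile.is_zipfile(io.BytesIO(data)):
        hit = MARKER in data
        return ("detected", [f"{name}: match at depth {depth}"]) if hit else ("clean", [])
    if depth >= max_depth:
        # Never report an unopened layer as clean: that is the evasion gap.
        return "incomplete", [f"{name}: depth limit {max_depth} reached"]
    verdict, notes = "clean", []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{name}/{info.filename}"
                if info.file_size > budget["bytes"]:   # declared size, may be faked
                    verdict = "incomplete"
                    notes.append(f"{child}: declared {info.file_size} bytes, over budget")
                    continue
                with zf.open(info) as fh:              # cap what is actually read
                    blob = fh.read(budget["bytes"])
                budget["bytes"] -= len(blob)
                sub, sub_notes = scan(blob, child, depth + 1, max_depth, budget)
                notes += sub_notes
                if sub == "detected":
                    return "detected", notes
                if sub == "incomplete":
                    verdict = "incomplete"
    except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError, EOFError) as exc:
        return "incomplete", notes + [f"{name}: unreadable archive ({exc})"]
    return verdict, notes
```

The byte budget is shared across the whole recursion, so many small layers exhaust it just as one oversized member does.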
     
  3. tempnexus

    tempnexus Registered Member

    Joined: Apr 16, 2003
    Posts: 280
    OK, does the same go for exec packers? If I triple pack an exec with different packers, will TDS-3 still detect it via the right-click context menu? How about if I placed the triple exec-packed exec into a zip or rar or what have you and tried to scan that?
    Just wondering.
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined: Aug 29, 2003
    Posts: 1,932
    Location: FRANCE, Rouen (76)
    Those cases I think are when someone aims at you in particular and forges a nasty thing for you.
    All In The Wild trojans, packed or not, will be detected by TDS.
     