What should TDS do if infection is found?

Discussion in 'Trojan Defence Suite' started by hojtsy, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I wanted to test the behaviour of TDS3 on-demand scanning in case of infection. I temporarily disabled execution protection, and started the Beast 2.06 trojan creation toolset, which is by itself not directly harmful, but is detected by TDS as a hostile file. After starting the on-demand scanning, or the automatic startup scan, the file is detected as hostile, but no counter-measures were taken. I expected TDS to kill the hostile process, and offer to delete or rename the hostile file, but nothing like this happened. The hostile process was still running. :doubt: So for example if you rely on automatic startup scanning of TDS, you should go and check the TDS scan results after each and every scan, else you could host a trojan for an indefinite time. This means that TDS simply can not be used in a set-and-forget manner: it needs your continuous attention.

    An even worse idea is putting the CRC checking into the startup scans, because CRC checking is inseparably followed by CRC overwriting, so any CRC error will be reported only once. If you do not check that particular scan result when the CRC error was reported, then you will just feel false security when later CRC checks succeed.

    Please change this behaviour in the next TDS release! Let the user choose what kind of alarm he wants in case a hostile file is found (on-demand/exec scan): dialog box, flashing icon, sounds, automatic kill, automatic rename, etc.
    Also let the user choose what kind of alarm he wants in case of a CRC error: flashing icon, sound, dialog box with buttons to accept, delete, rename.

    By giving this configuration choice to the user you can satisfy everybody.

    -hojtsy-
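The CRC point made in this post can be shown with a small simulation, added here as an example that is not part of the thread or of TDS. It uses constructed in-memory "files" (not real paths) and contrasts a monitor that overwrites its stored CRCs after every scan with one that keeps the old CRC until the user explicitly accepts the change.

```python
import zlib

# Constructed sample "files": path -> content bytes (hypothetical, not real files)
FILES = {
    "C:/app/good.exe": b"original program bytes",
    "C:/app/util.dll": b"helper library bytes",
}


def crc_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


class CrcMonitor:
    """Integrity monitor with a choice of what happens after a mismatch.

    rebaseline=True mimics the behaviour described in the post: stored CRCs
    are overwritten after each scan, so a mismatch is reported only once.
    rebaseline=False keeps the old CRC until accept() is called, so the
    alert repeats on every scan until someone acts on it.
    """

    def __init__(self, files, rebaseline):
        self.stored = {path: crc_of(data) for path, data in files.items()}
        self.rebaseline = rebaseline
        self.pending = set()  # unacknowledged mismatches, survives across scans

    def scan(self, files):
        mismatches = []
        for path, data in files.items():
            current = crc_of(data)
            if self.stored.get(path) != current:
                mismatches.append(path)
                self.pending.add(path)
                if self.rebaseline:
                    self.stored[path] = current  # silently adopts the new file
        return mismatches

    def accept(self, path, files):
        # The user has reviewed the change and explicitly approves it.
        self.stored[path] = crc_of(files[path])
        self.pending.discard(path)


def demo(rebaseline):
    """Modify one file, then scan twice; returns the mismatches of each scan."""
    files = dict(FILES)
    mon = CrcMonitor(files, rebaseline)
    files["C:/app/util.dll"] = b"tampered library bytes"  # simulated modification
    return [mon.scan(files), mon.scan(files)]
```

With `rebaseline=True` the second scan reports nothing even though the modified file is still there; with `rebaseline=False` it keeps reporting until `accept()` is called.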
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Hojtsy, thanks for your comments. The new versions of TDS4 will offer a quite different interface, and I know that user control is and always has been one of DCS's main aims for the new release.

    Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi, do you remember TDS keeps you in the driver's seat, and you're supposed to act on the alarms? Like investigating the file, maybe sending it in for an extra expert opinion, googling what the file could belong to, maybe renaming or zipping it and seeing if it is missed before you delete it permanently, closing system restore so it is not back with the next reboot, etc etc etc.
    In the helpfile there are several descriptions of what to do with a possible alarm.

    If you have the main console logging you can find the former results and messages in your logs. The alerts from the bottom console you can save as a text file; in the directory you can decide to save it with another name for another occasion to compare it, etc etc.

    I'm used to looking at the results after startup or on-demand scans and acting accordingly.....
    I'm also used to looking at the running processes, netstat, autoexec .. all part of a certain routine.

    But like Pilli wrote let's see what's in the next version.
     