Help - TDS-3 isn't stopping subseven

Discussion in 'Trojan Defence Suite' started by Soul_Flame, Apr 6, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Conejo/Soul_Flame, I'm glad you were able to resolve your problem regarding SubSeven, and can now feel confident in TDS-3's execution scanning.
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I have a few viruses and trojans on my machine on purpose to make sure TDS-3 and NOD32 are operating properly. If they miss these files, I know there is a problem.
     
  3. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    It's nice to know I'm not the only insane person.  :p
    (I downloaded and attempted to infect myself with Sub7.)
    AVG wouldn't let me (and I didn't disable it), but a TDS-3 system scan turned up all the files (first in the compressed file and later in the recycle bin).

    Think maybe I'll load a few onto a CD for testing; keeping them on a HDD is just a bit scary.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In fact you're right (yes, two words, and fact with an A !)
    I have several in the test zoo as well, and putting them somewhere apart would be better.
     
  5. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Hello Jooske,

    Do you mean that TDS3 would not clean my system of trojans? Based on the TDS logs of the other posts, do execprot and TDS just stop the trojan but not clean or delete it? Would you please correct me if I misunderstood you?
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Zak_dashiell,

    It is stopped from running indeed, and you are alerted which file it is all about, so you can investigate and decide to delete it or do whatever you want with it.
    In the help file there is a very nice illustration and explanation of how it works and what we can do, under
    Disinfection - Removing trojans; there are also fine explanations about hunting even unknown trojans, the hidden data streams and cleaning (NTFS data streams), etc. And the Scan alerts and quarantine parts give a very good explanation of how and what to do as well.
    I'm happy with the possibilities to look deeper into the alerts and find out when and maybe how they came onto my system.
    With "scan for compressed executables" unchecked you would get only the live infections; with that option checked you get them all, in zip files too.

    I don't know what more to expect in this area in the new v4 later this year.
     
  7. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Thanks a lot Jooske... now I am more confident that my TDS can and will really do what it is intended for... actually just right now, it caught 4 "possible keylogger"s in 4 System Volume Information folders... does this mean they are in the System Restore files?... I just wonder how they came to be there with TDS' execprot enabled... maybe it was the time before I opened TDS (I don't autostart it)... I just deleted them from TDS... could I still use these files if the need arises?... the parts I deleted were DLL files...
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You say it said "possible keyloggers", so these were no definite identifications. Gavin recently added a few hundred more detections of keylogger code to the references, so lots of programs which were on your system might have such suspicious code in them.
    If you don't know the code/files they are in, do submit them to the TDS lab, so they can investigate for you whether they are, and if not, that enables them to refine the database even more and prevent possible false positives that way.

    Restore? Which Windows version are you using?
    In infection removal instructions I often see people first disable restore, then remove the files, reboot and enable restore again (WinME for instance).

    Exec protection blocks files from running/executing, but it is not on your ports blocking them from entering your system. I think you have your firewall, maybe WormGuard, email scanning and scanning of every new download on your system for that part.
    You look at what is alarmed on: is it a file you know, was it recently modified, are you able to compare it with a possible original? Or were there legal reasons for the changes, like a new install, update, etc.?

    I'm not deleting when I'm not sure! Zipping them or renaming their extension, submitting to the lab and asking advice in such cases. You might still have them in the restore and have another look. See if there are strange processes, were there autoexec notifications and changes there, etc.
    The help file gives such fine instructions with step-by-step images for "how to hunt an unknown trojan", for instance; I'm sure this part gives you lots of insights and confidence in how to handle it and not to panic.
    With this I lost my fear for intruders and infections, as with TDS we are able to handle them and get educated in how to handle them too.
    You could even zip them, see if the system still functions, and in the scan disable the "scan compressed exes" to know if there are live infections/keyloggers; afterwards you might like to enable that again.
    Even in Windows original install files you'll find a warning for a file with password stealing capacity; I just leave it there. Etc.....
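The triage advice in the post above (is the file known, was it recently modified, does it match an original, zip it rather than delete it), as an added Python example that is not from the thread or from DiamondCS; the file names, the sample bytes and the 7-day "recent" window are assumptions.

```python
import hashlib
import tempfile
import zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(suspect: Path, known_good: Optional[Path], recent_days: int = 7) -> dict:
    """Collect the facts the post says to check before deciding: the file's hash,
    whether it still matches a known-good copy, and whether it changed recently."""
    mtime = datetime.fromtimestamp(suspect.stat().st_mtime, tz=timezone.utc)
    recently_modified = datetime.now(tz=timezone.utc) - mtime < timedelta(days=recent_days)
    suspect_hash = sha256_of(suspect)
    matches = known_good is not None and sha256_of(known_good) == suspect_hash
    return {"sha256": suspect_hash, "modified_utc": mtime.isoformat(),
            "recently_modified": recently_modified, "matches_known_good": matches}


def quarantine_zip(suspect: Path) -> Path:
    """Neutralise without destroying evidence: move the file into a zip archive
    beside it so it cannot be executed but can still be restored or submitted."""
    archive = suspect.with_name(suspect.name + ".quarantine.zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(suspect, arcname=suspect.name)
    suspect.unlink()
    return archive


def demo() -> dict:
    """Constructed sample in a temp dir: a pristine DLL and a tampered copy (assumed names)."""
    work = Path(tempfile.mkdtemp())
    original = work / "helper.dll"
    original.write_bytes(b"MZ original bytes")
    suspect = work / "helper_tampered.dll"
    suspect.write_bytes(b"MZ tampered bytes")
    report = triage(suspect, original)
    report["archive"] = quarantine_zip(suspect).name
    report["suspect_still_on_disk"] = suspect.exists()
    return report
```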
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting in this matter is also Wayne's answer in this thread:
    http://www.security-pro.co.uk/yabb/YaBB.pl?board=dcstds;action=display;num=1022210943

    So the future v4 might offer some relief :) in these kinds of matters, though we still have to watch what to do in cases of alarms.
     
  10. The_master_

    The_master_ Registered Member

    Joined:
    Jun 10, 2002
    Posts:
    2
    Location:
    Australia
    Greetings to you all.
    I was thinking of buying and using TDS after I got hit with SubSeven, and I was talking about buying TDS in chat on IRC, and a lot of people gave me and the whole room this URL:
    http://www.geocities.com/hellfirez65/

    which seems to me to contain a pretty bad review of TDS. Now don't get me wrong, I have no problem with TDS; I would just like to know what's what before I shell out my money.

    Can you help with this?
    Thanks
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Master,
    welcome here.
    That's been an old discussion all over the internet, which you might find in about every security forum and newsgroup, GRC and DSL among others.
    The question is not really difficult; let us put it this way: the one developer likes his product because of some reasons or other emotions. The other develops quality and security for their users in the first place.
    I like TDS as a user because I look at quality and what I can do with it, the further developments and what I experience for my safety. DCS on their sites say "please shop around" and that is exactly what I did, and I'm glad it convinced me TDS is the right product for me. Not to forget the wonderful support in every way and the new products in the build. I know DCS is based on a very trustworthy company and I like their way of doing business and the support, the education, the operators helping others, the two official forums, etc. etc.
    You can only test drive TDS yourself and see if you like it; for that there is a trial version you can download at http://www.diamondcs.com.au
    Please tell us how you like your trial!
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hello The_master... please take a careful look over the "Hellfirez" site. There isn't an ounce of credibility to this person. He attacked Steve Gibson and the GRC servers when Steve called him a "script kiddie" - this is the sort of person "Hellfirez" is. His real name is Gavin Holmes and his URL used to be http://websites.ntl.com/~gavin.holmes/
    He was exposed several years ago as having links to Lockdown and Michael Paris, and he has written and released several worms and trojans.
    I wouldn't trust a review this guy wrote on _any_ program, let alone an anti-trojan program. He wrote that review at the peak of his work to promote Lockdown while attacking TDS at the same time.

    If you want a Sub7 detection review that isn't biased, I recommend Eric L. Howes' independent anti-trojan tests - http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests.htm
    They're very comprehensive, unlike virtually all other tests I've seen.

    Best regards,
    Wayne
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi The_master_,

    The version of TDS used was not even updated. While this has already been discussed by many, just let me point that simple point out. SubSeven 2.2, which was tested, was released long after the TDS version on "trial".

    Unfortunately I cannot be sure of the database reference count at the time, which is a pity, because since joining DCS I have added a huge number of trojans to detection. The reference count back then would have been below 7000; it now comes close to 14500 with tonight's update, which is nearly ready. Please just test drive it yourself :)

    You may refer to Eric Howes' more unbiased tests, which are very thorough, and use one of the most common trojans, and some compressed variants:

    http://www.staff.uiuc.edu/~ehowes/trojans/tr-tests.htm
     
  14. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Ya, I noticed that too. The TDS-3 console said updated 95 days ago, and Hellfire says that the Sub7 version was 30 days old. Odd, no?

    Oh well, I personally don't have time for that stuff. I have sub7 on my machine in a folder and TDS-3 has no trouble detecting it.

    To be sure, download the trials of many AT progs and make your own decision. That is the only way to see through all the BS.
     