WinMHR: (Re)Introducing the Malware Hash Registry

Discussion in 'other anti-malware software' started by Malcontent, Aug 19, 2010.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    http://krebsonsecurity.com/2010/08/reintroducing-the-malware-hash-registry/
     
    Last edited: Aug 19, 2010
  2. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can be circumvented pretty easily, malware just has to make some random change to each copy, say load a random value into a register, and this will result in different hashes for each copy.
     
  3. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    This is even worse than an AV, which already can't cope with the sheer quantity of malware today. Terrible idea.
     
  4. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    698
    Just see the screenshot, I think a command line version will be better and more comfortable for the advanced users. :D
     
  5. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    698
  6. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Great news... :D Ran a scan and I am quite happy with its performance... :D
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I wonder what your experiences with it have been so far? :D
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Cannot remove threats, so I didn't keep it.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, that's not its intent. It's a detection tool, not a tool to block/remove malware.
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    It's a worthless tool. It's pretty obvious even to a novice PC user that their computer is infected. Why run one more tool to tell you what's already obvious through pop-ups, slowdowns, errors, etc.?
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Not all infections are visible...
    And most novice users I know of wouldn't know they're infected most of the time...
     
  12. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Yup, and your point is? This tool will never be as effective as AV software already on the market. They are years and years behind, it doesn't have behavioral detection, and it's limited to the samples they can get. What about polymorphic infections? Useless against those as well.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not everyone knows malware exists. Sad reality, but very much real. Not to mention, as user safeguy well mentioned, not every infection is visible. In fact, unless the malware creator has specific intentions to make it visible, like ransomware or rogue security software, I'd say they want to keep a low profile, wouldn't you say so?

    I have people such as those safeguy mentioned. I'm working on a relative's laptop, which previously had Windows XP running in an administrator account, and this relative didn't even notice the antivirus was disabled! The system was heavily infected and I just erased it with DBAN.

    Now, I installed Windows 7, after I advised it, because it makes usage of standard user accounts way easier (have in mind that tools that are available to make use of Windows XP limited accounts may not be provided in native language), and security improvements.

    I was just wondering if anyone would have installed WinMHR to relatives/friends just as one extra detection tool, if they can't bother themselves with tools like Sandboxie, etc.

    I know people who consider having autorun disabled, and having to open Windows Explorer to access a usb flash drive contents, a total waste of time! :D

    -edit-

    Note that I'm not seeing it as a replacement; rather as an auxiliary help for such people.
     
  14. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Installed it some time back and it was not bad for occasional on-demand scan.
     
  15. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    My point is to counter-argue your 2nd statement in your prior post where it seems to me you made it sound like malware is visible almost all the time. That's all.

    Now, the concept/purpose of this tool is simple - specifically to scan your PC against known badness (if they include behavioral detection, they might as well compete with other AVs but that's not the aim). It doesn't replace AV. Period.

    Here's a quote of what the service does for you:

    Source: -http://www.team-cymru.org/Services/MHR/-

    The appeal factor comes from the features/benefits it claims to provide such as "free for both non-commercial and commercial use", "no files or any file contents are sent across the network", and that "results aggregated by over 30 AV engines", etc etc.

    Check homepage here: http://www.team-cymru.org/Services/MHR/WinMHR/

    Perhaps this may be useful to those enterprises that need to check their PCs at no cost and within legal means. Or it may be useful to privacy-oriented folks. Who knows?

    If you still see no value in it, let me quote this for you:

    Source: -http://www.networkworld.com/news/2010/082410-free-tool-from-team-cymru.html-

    You see? Seems like there's a target market after all and that not all is lost.
    Simply said, the value or worthiness of something is only to those who are capable of having use for it. Beauty is in the eye of the beholder if I want to get linguistic here.:p
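
    Added example, not part of the thread and not WinMHR's own code: a minimal exact-hash scanner showing the two properties discussed in posts #2 and #15, namely that only a digest is looked up (never file contents) and that a one-byte variant of a known sample falls into "unknown" rather than "detected". The registry, file names, sample bytes and the 87% detection rate are all constructed for illustration; SHA-1 is an assumed digest choice.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    """Digest computed locally; this string is all a lookup would need."""
    return hashlib.sha1(data).hexdigest()


def scan(files: dict, registry: dict) -> dict:
    """Classify each file as 'detected' (digest in registry) or 'unknown'.

    'unknown' only means the registry has no record of this exact digest;
    it is not a verdict that the file is clean.
    """
    results = {}
    for name, content in files.items():
        rate = registry.get(sha1_hex(content))
        results[name] = ("detected", rate) if rate is not None else ("unknown", None)
    return results


# Constructed, harmless byte strings standing in for files on disk.
KNOWN_SAMPLE = b"MZ" + b"constructed sample, not real malware " * 4
VARIANT = bytearray(KNOWN_SAMPLE)
VARIANT[-1] ^= 0x01  # a single flipped bit yields a completely different digest
VARIANT = bytes(VARIANT)

FILES = {
    "dropper.exe": KNOWN_SAMPLE,
    "dropper_variant.exe": VARIANT,
    "notes.txt": b"constructed clean file",
}

# Constructed registry: digest -> percentage of engines flagging it (assumed field).
REGISTRY = {sha1_hex(KNOWN_SAMPLE): 87}

RESULTS = scan(FILES, REGISTRY)

if __name__ == "__main__":
    for name, (verdict, rate) in RESULTS.items():
        suffix = f" ({rate}% of engines)" if rate is not None else ""
        print(f"{name:22} {sha1_hex(FILES[name])[:12]}...  {verdict}{suffix}")
```

    Listing "unknown" entries separately, as post #16 requests, keeps an operator from reading a registry miss as a clean result.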
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Some thoughts on WinMHR:

    Would be nice to see when the program calls out and to where.
    Default screen size is too large, 640x480 or 800x600 would be better.
    Would be nice to see "unknowns/could not check" included in the list below detections in a different color (yellow).
    I can't shift>click to highlight multiple entries>copy to Clipboard>All columns for sharing.
    I would prefer to export the screen contents as is ordered within the program, WYSIWYExport.
    Where it says "Modules loaded by this process" I would like to see a number of how many modules were loaded.
    I would like to see a list of "OhSnap" deletions while the scan took place.
    I would like to see Tasks Scheduled in an understandable format.
    I would like to see internet connection log for interruptions with what scan procedures were running when the disconnection occurred.
    I would like to see a WinMHR Youtube video, I don't have Quicktime installed and probably won't install it.
    Would like to see kernel space processes verified.

    File detections included false positives, 3(4) suspects out of 12 total detections.
    FP's include Kernel Detective .rar and .exe, bsa.rar, OTS.exe, Superscan4 .zip and .exe, OSAM auto run manager 5.0 portable.rar, TFC.exe, L3m0nz Exploit Package.zip (<= :D ).

    It worked well, no conflicts with my software firewall.
     
  17. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Same here.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You may express those wishes to them at feedbackatwinmhr.com

    Who knows what comes out.
     