Trend Micro Anti-Threat Toolkit (free)

Discussion in 'other anti-malware software' started by MrBrian, Sep 19, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,636
    Location:
    Toronto, Canada
    Very nice set of tools, thank you for the links. I was starting to miss Trend Micro's old Sysclean package that I used to clean client machines with years ago. And now with Trend Micro's detection rates up again these days, it's great to have these small (free) scanners that can be run from a USB drive and so on. Awesome!
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @WildByDesign: You're welcome :).

    Maybe someone can compare Trend Micro Anti-Threat Toolkit with Trend Micro HouseCall.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,636
    Location:
    Toronto, Canada
    Housecall uses a different and much smaller virus signature (pattern) file, which you also get if you click on your link and go to "Clean ZBot and Cryptolocker infection using ATTK". The pattern file is named icrc$oth.xxx (x being numbers), approx. 35-40 MB in size. So Housecall is comparable to what I think they refer to as a specific threat cleaner. Now the main scanner from your link, when you go to "Clean infected computers", loads their main, larger virus signature (pattern) file, named lpt$vpn.xxx (x being numbers), approx. 70+ MB, and that is similar to their old Sysclean package and real-time scanners. I have no idea why the difference between the signature files, though. I'm guessing one is a broader range while the other may be a more specialized one to focus on more common/current threats.

    So to sum it up, THREAT_CLEAN_64.exe from your link is basically an offline version of Housecall. All of the internals are comparable, with the exception of a few visual differences to the GUI design of course.

    EDIT: Here is the info I was able to dig up on differences between Trend pattern files.

    lpt$vpn.xxx Enterprise Pattern
    The Official Pattern Release or OPR is Trend Micro's latest compilation of patterns for identified viruses. It is guaranteed to have passed a series of critical tests to ensure that customers get optimum protection from the latest virus threats.

    icrc$oth.xxx Smart Scan Agent Pattern
    These patterns are used by Trend Micro products that include the Smart Scan feature. The "Smart Scan Agent Pattern" resides on the users’ local client workstation.

    Links describing Smart Scan vs. Conventional:

    http://esupport.trendmicro.com/Pages/The-Smart-Scan-pattern-vs-Conventional-pattern.aspx
    http://esupport.trendmicro.com/solution/en-us/1053817.aspx
    http://docs.trendmicro.com/all/ent/officescan/v10.0/en-us/osce_10.0_gsg.pdf

    So it seems that the Trend products (e.g. Housecall, THREAT_CLEAN_64.exe) that use Smart Scan patterns (icrc$oth.xxx) must also get some extra assistance from the cloud. Trend's main offline scanner from your link (attk_ScanCleanOffline_gui_x64.exe) utilizes the full virus signature patterns (lpt$vpn.xxx) and does not need extra assistance from the cloud. Their old Sysclean package, as well as some of their real-time solutions, also use the full virus sigs (lpt$vpn.xxx), but I'm assuming for the consumer products it may be an option to enable/disable.

    I remember with the old Sysclean package you could also use dozens of command line parameters with it, which was great. I don't think that is possible with these new tools, though, unfortunately. But these new tools are great.
     
    Last edited: Sep 19, 2014
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Looked good until the results automatically fixed some "tampered memory":

    APIHook apr:zwcreateprocess

    It can ignore files like the EICAR test file but auto-fixes memory "problems".
     
  6. controler

    controler Guest

    I ran the toolkit and yes, it did everything in a DOS screen and, when done, sent me to a web page where a Temporary ID number was assigned. Never got a GUI.
     
  7. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are five different downloads for x64 and five different downloads for x86.

    I downloaded all five x64 downloads. As of today, these are the approximate file sizes and date of digital signatures:
    "Collect suspicious files and system information": 5 MB; Jan. 16, 2014
    "Clean infected computers" - "Online Scan": 25 MB; Sep. 17, 2014
    "Clean infected computers" - "Offline Scan": 49 MB; Sep. 17, 2014
    "Clean MBR and Rootkit infection using ATTK with Cleanboot": 95 MB; July 23, 2013
    "Clean ZBot and Cryptolocker infection using ATTK": 26 MB; June 24, 2014
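    A small PowerShell inventory script, added here as an example (not code from the thread or from Trend Micro), that does the two checks discussed above before any of these tools is run: it reports the Authenticode status and signer of each downloaded executable, and classifies any pattern files by the lpt$vpn.xxx / icrc$oth.xxx naming scheme WildByDesign described, flagging ones whose file date looks stale. The folder path, the 30-day staleness threshold and the use of the file's LastWriteTime as a proxy for definition age are assumptions.

```powershell
# Added example, not from the thread or Trend Micro. Assumes $ToolkitPath is a
# folder the ATTK downloads (and any extracted pattern files) were saved into.

function Get-TrendPatternInfo {
    param([Parameter(Mandatory)][string]$FileName)
    # Naming scheme from the thread: lpt$vpn.NNN = Enterprise Pattern (OPR),
    # icrc$oth.NNN = Smart Scan Agent Pattern (needs cloud lookups); NNN = version.
    switch -Regex ($FileName) {
        '^lpt\$vpn\.(\d+)$'  { return [pscustomobject]@{ Type = 'Enterprise Pattern (OPR)'; Version = [int]$Matches[1]; NeedsCloud = $false } }
        '^icrc\$oth\.(\d+)$' { return [pscustomobject]@{ Type = 'Smart Scan Agent Pattern';  Version = [int]$Matches[1]; NeedsCloud = $true } }
        default              { return $null }
    }
}

function Get-AttkInventory {
    param(
        [Parameter(Mandatory)][string]$ToolkitPath,
        [int]$StaleAfterDays = 30   # assumption: flag pattern files older than this
    )
    Get-ChildItem -Path $ToolkitPath -File -Recurse | ForEach-Object {
        $file = $_
        $sig  = $null
        if ($file.Extension -in '.exe', '.dll', '.sys') {
            # Authenticode check: Status should be 'Valid'; review Signer before running.
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        }
        $pattern = Get-TrendPatternInfo -FileName $file.Name
        [pscustomobject]@{
            Name        = $file.Name
            SizeMB      = [math]::Round($file.Length / 1MB, 1)
            Modified    = $file.LastWriteTime
            SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            PatternType = if ($pattern) { $pattern.Type } else { '' }
            PatternVer  = if ($pattern) { $pattern.Version } else { '' }
            NeedsCloud  = if ($pattern) { $pattern.NeedsCloud } else { '' }
            # LastWriteTime is only a proxy for definition age (assumption).
            Stale       = if ($pattern) { $file.LastWriteTime -lt (Get-Date).AddDays(-$StaleAfterDays) } else { $false }
        }
    }
}

# Usage: list signed binaries and pattern files, with anything unsigned or stale standing out.
Get-AttkInventory -ToolkitPath 'C:\Tools\ATTK' |
    Where-Object { $_.SigStatus -ne 'n/a' -or $_.PatternType } |
    Format-Table Name, SizeMB, Modified, SigStatus, Signer, PatternType, PatternVer, NeedsCloud, Stale -AutoSize
```

Anything with a SigStatus other than Valid, or a Stale pattern file, is worth resolving before the tool is run on an infected machine.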
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Yeah, did the same for me.
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,969
    Location:
    U.S.A.
    FYI. If you click the Cancel button on the applicable License Agreement pages, you land here (detailing all downloads):

    https://spnsupport.trendmicro.com/Default.aspx

    You still need to agree to download any of them.
     
  11. controler

    controler Guest

    Yes, I see now that the first download just gathers info in DOS, then sends you to that web page, but as I tried the others they worked just fine. Nothing found.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "Clean infected computers - Online Scan" and "Clean infected computers - Offline Scan" allow three options for what to scan: Quick scan, Full scan, and Custom scan.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    IMHO "Clean infected computers - Online Scan" should be your first choice amongst the downloads.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,636
    Location:
    Toronto, Canada
    I have cleaned a few client systems in the past few days successfully and with ease thanks to your suggestion of these tools from Trend Micro, and I thank you for creating this thread here. Naturally, since these systems were clearly infected I opted to sever Internet connection prior to cleaning and of course needed the Offline options for these particular use cases. However, if just using as a second opinion scanner I can understand your suggestion of using the Online packages. Although I am curious, why do you suggest the Online ones? Is it because it can potentially use newer definitions from the Trend servers and such?

    I also noted during these recent client system cleanings that in the package "with Cleanboot", or something like that, the definitions provided in the package were nearly a year old. So it seems that Trend doesn't necessarily update these packages too often. So I suppose that is all the more reason to use the Online packages as you suggest. The Cleanboot option would have been great since it creates a bootable environment to scan/clean the system prior to Windows booting up and running. I also noted that I was able to squeeze the most recent (and properly matching) virus definition files and cleanup patterns from Trend's site as well, manually. Although at that point I had already done the final cleaning scan with Kaspersky's most recent AVP Tool. Trend's Offline package did the initial cleaning though. I'm looking into finding better ways of using these tools from Trend as well, by extracting to USB, updating definitions and so on. No idea if it is technically legal or not though. Not reverse engineering or anything like that though, of course. It's really quite simple and basic methods I am using.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @WildByDesign: You're welcome :).

    I indeed suggested "Clean infected computers - Online Scan" because of the possibility of newer definitions from the Trend servers.

    If it's not possible or desired to have Internet access, then I recommend to try "Clean infected computers - Offline Scan". This might be out of date though; as of yesterday the download was dated Sept. 17, 2014.

    "Clean MBR and Rootkit infection using ATTK with Cleanboot" might be a superset of "Clean infected computers", but as you noted its definitions and software are currently quite old. Thank you for noting that there are technical means of integrating newer definitions into "Clean MBR and Rootkit infection using ATTK with Cleanboot".
     