Trojan Hunter 4.0 RC 1 Beta is out

Discussion in 'other anti-trojan software' started by tosbsas, Aug 24, 2004.

Thread Status:
Not open for further replies.
  1. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    TrojanHunter 4.0 RC (Release Candidate) 1 is available for testing. Please read this entire post before deciding whether or not you want to try it.

    TrojanHunter 4.0 RC1 download:

    http://www.misec.net/test/TrojanHunter4RC1.exe

    TrojanHunter 4 has an entirely new, next-generation file-scanning engine. It may (probably will) still generate some false positives. If you encounter any, please post your scan report as a reply to this thread so that the false positives can be fixed. You should not clean any trojans that are found with this RC as the detection could be a false positive! You have been warned. Please post about all bugs and other issues that you encounter in this new version.

    If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period.


    What's new in TrojanHunter 4?
    -----------------------------
    - Code-based signatures! All signatures are now entirely code-based which makes them very, very strong. There is no way to hex-edit a trojan to avoid detection, short of decompiling the trojan, altering it in very specific locations and recompiling it. Most people who can do that would probably just write their own trojan.
    - Install-Time Updater allows trial users to update the detection rules during installation.
    - Ability to view and delete detected NTFS Alternate Data Streams
    - Improved startup time
    - TrojanHunter Guard's tray icon now automatically re-created after Explorer crashes
    - LiveUpdate handles several updates per day.
    - New custom scan option: Scan selected folders
    - Smaller ruleset files.
    - Bug fix: "Loading trojan icons" dialog would hang after running LiveUpdate on some systems.


    Ruben
     
  2. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Does this work against runtime-packed files?
     
  3. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Specifics about the new engine will be published when the release is finally out. As of now, you will have to try for yourself, or find one who will do it for you (can't help you there, tho, sorry). But personally, I would assume that "next generation scan engine" pretty much looks like something of this sort.

    Andreas
     
  4. ----------

    ---------- Guest

    How should it? Sorry but it doesn't work against runtime-packed files...
    And TrojanHunter can only unpack some upx packed files.
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I believe they can unpack zip files and winrar too. from their guard. and they uses stronger signatures, what the ... that may mean.
     
  6. ----------

    ---------- Guest

    i mean pe file packers, like upx, aspack etc.
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    the only AT that does this is ewido...
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Yes, we were aware of the update Illukka but at the time of writing this whole thread, there was no mention of the second release.

    and for keeping us updated, we have the update area :D

    this was going to be a good thread, so I hope this can continue a little further.
     
  10. controler

    controler Guest

    "If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period."

    Which basically means, if you have ever installed any other version of Trojan Hunter you will not be able to install and use this new version without reformatting your hard drive lol

    Bruce
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    which is quite normal I guess, 30day trial, even for beta...nowadays.
     
  12. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
  13. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I contacted Magnus 2-3 days ago with my inquiry and provided him with a link to this thread. I did not receive a reply yet (but hopefully one will arrive soon), or better yet a reply in this thread from him.

    I had a similar feeling that the files would have to be unpacked in some way for there to be any benefits from the code-based signatures. Do you think the same goes with files that are encrypted? Like with morphine or something?

    Overall strong code-based signatures sound very promising, I just find the following quote a little confusing...

    Code-based signatures sound like they would be effective against hex-edited trojans, so I am not really arguing about that point. But if one were to pack the trojan and encrypt it, would that not be easier/require less knowledge than decompiling, altering, and recompiling?

    I do not mean to sound like I am bashing TH. I would just like to know a little more about it. TH hasn't been discussed here in awhile, and with this new release maybe it is a good time to get to know TH better (particularly in the area of detection).
     
  14. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    This may be true. But eventually the 'working code' has to end up in memory, and that’s where TH's real-time memory scanner - TH Guard - would kick in (operates much the same way as BoClean).

    I'm sure there’ll always be ways of disguising files from file scanners. Security software is nearly always playing catch-up against new techniques developed to aid hackers. But catch-up is better than standing still.
    Every new advance in programs like TH to prevent casual script kiddies from seeing my data is a good step forward in my books.

    TrojanHunter 4 currently unpacks almost all versions of UPX and some basic packers like Lamecrypt and Noodlecrypt, plus Magnus has indicated that the unpacking engine will be expanded once TH4 is released.
     
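To make the two detection points in this thread concrete (post 1: code-based signatures still match after a trojan's strings are hex-edited, unlike a whole-file hash; post 14: a packed file shows none of its original bytes on disk, so the scanner must unpack it first, as TH does for UPX), here is a small added example. It is not TrojanHunter's code and says nothing about how its engine actually works; the "executable" is a constructed byte blob, the packer is a zlib-based stand-in for UPX-style packing, and the helper names (`scan`, `unpack_if_packed`, `toy_pack`, `demo`) are hypothetical.

```python
import hashlib
import re
import zlib

# Constructed stand-in for a suspicious executable (not a real PE file and
# not malicious): a short "code section" of x86-looking bytes followed by a
# "data section" of strings. The 4 bytes after E8 stand for a call offset
# that legitimately varies between builds, so the signature wildcards them.
CODE_SECTION = (
    bytes.fromhex("5589e583ec10c745fc00000000e8")
    + b"\x10\x00\x00\x00"
    + bytes.fromhex("83c410c9c3")
)
DATA_SECTION = b"\x00C:\\evil\\config.txt\x00mutex_abc123\x00"
SAMPLE = b"MZ" + CODE_SECTION + DATA_SECTION

# Whole-file hash signature: matches exactly one byte sequence, nothing else.
KNOWN_BAD_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

# Code-based signature: a byte pattern over the code section with the four
# call-offset bytes wildcarded (re.DOTALL so '.' also matches newline bytes).
CODE_SIGNATURE = re.compile(
    rb"\x55\x89\xe5\x83\xec\x10\xc7\x45\xfc\x00\x00\x00\x00\xe8.{4}\x83\xc4\x10\xc9\xc3",
    re.DOTALL,
)

# Toy "runtime packer" (assumption, not a real packer format): a marker
# followed by a zlib-compressed payload. Real packers such as UPX emit a
# decompression stub instead; this only models the fact that the original
# bytes are not visible in the file on disk.
PACK_MARKER = b"TOYPACK1"


def hash_hit(data: bytes) -> bool:
    """Whole-file hash lookup against the single known-bad digest."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256


def code_signature_hit(data: bytes) -> bool:
    """Pattern match over the bytes as they are presented to the scanner."""
    return CODE_SIGNATURE.search(data) is not None


def toy_pack(data: bytes) -> bytes:
    """Produce the packed form of a file (constructed packer, see above)."""
    return PACK_MARKER + zlib.compress(data)


def unpack_if_packed(data: bytes) -> bytes:
    """Static unpacking layer: recognise the packer by its marker and restore
    the payload, the role a scanner's UPX support plays for UPX files."""
    if data.startswith(PACK_MARKER):
        return zlib.decompress(data[len(PACK_MARKER):])
    return data


def scan(data: bytes, unpack: bool = True) -> dict:
    """Report which signature types fire on a file, optionally after unpacking."""
    view = unpack_if_packed(data) if unpack else data
    return {
        "unpacked": view is not data,
        "hash": hash_hit(view),
        "code": code_signature_hit(view),
    }


def demo() -> dict:
    """Scan constructed variants of the same sample and collect the results."""
    edited = SAMPLE.replace(b"config.txt", b"settings.dat")  # data-only change
    packed = toy_pack(SAMPLE)
    return {
        "original": scan(SAMPLE),
        "string_edited": scan(edited),
        "packed_no_unpacker": scan(packed, unpack=False),
        "packed_with_unpacker": scan(packed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Running it shows the hash signature failing on the string-edited variant while the code signature still fires, and both failing on the packed file until the unpacking layer restores the payload; that is the same reason the thread's memory scanner (TH Guard) is mentioned: once the packed code has to run, the original bytes exist in memory whether or not a static unpacker for that packer exists.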
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Good to hear ReGen, thank you for the info :)
     
  16. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    lol - yep, installed and ready to beta test but my trial is up!
     
  17. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    controler -
    can you elaborate on,
    "If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period."

    Which basically means, if you have ever installed any other version of Trojan Hunter you will not be able to install and use this new version without reformatting your hard drive lol

    Bruce


    I guess you might think that a beta program tester is in a manner of speaking performing a service to the program development, and/or that he or she has not evaluated the full version and certainly should be entitled to evaluate the full program before deciding whether to buy. Well...I agree. To software developers in general: You can't have it both ways! It's a beta program, or it is a commercial program with or without a free trial period.

    That said, Trojan Hunter 4.0 full version is out and it looks very good so far. Just one labeled "possible trojan" that I believe is a legit program, and very fast with ease of use, and resident trojan guard feature. It spotted 4 trojans in an old archive volume. They were files I thought I had detected and deleted in the past, but knowing me, I later restored them with a restore having completely forgotten the trojans. Anyway, this is my 30-day trial.

    (BTW, I actually attempted purchasing TD3, but their website could not process the transaction, which does not inspire a whole lot of confidence in me. I have written them, but it is the weekend so I can't expect an answer for a while - Trojan Hunter by way of contrast uses "Kagi" to process their orders. By sheer coincidence I bought the Flaming Pear "Creative Pack" just last week through Kagi. I must say they were the epitome of efficiency. By the time I checked my email the receipt and s/n were there. Some people think that's too much to expect, I guess).

    - HandsOff
     
  18. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129

    hmm interesting, perhaps I should give Ewido another look.
     
  19. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    About false positives--I just downloaded the evaluation copy of Trojan Hunter 4 and installed it and ran it. It found a copy of Steve Gibson's Leak Test.exe which I had in my Downloads folder and identified it as a Trojan and offered to clean (rename) it for me.
    This is just for your information.
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    the fact that trojanhunter sees leaktest as a possible malware doesn't say anything to me and it is sure a false positive. leaktests should not be flagged as malware cause the only thing they do is to test your firewall...

    just my two cents here.
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    Leak test exhibits trojan like behaviour.

    I believe some anti-trojan programs have removed that definition from their database.

    http://grc.com/lt/faq.htm
     
    Last edited: Nov 2, 2004