Trojan Hunter 4.0 RC 1Beta is out

TrojanHunter 4.0 RC (Release Candidate) 1 is available for testing. Please read this entire post before deciding whether or not you want to try it.

TrojanHunter 4.0 RC1 download:

http://www.misec.net/test/TrojanHunter4RC1.exe

TrojanHunter 4 has an entirely new, next-generation file-scanning engine. It may (probably will) still generate some false positives. If you encounter any, please post your scan report as a reply to this thread so that the false positives can be fixed. You should not clean any trojans that are found
with this RC as the detection could be a false positive! You have been warned. Please post about all bugs and other issues that you encounter in this new version.

If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period.


What's new in TrojanHunter 4?
-----------------------------
- Code-based signatures! All signatures are now entirely code-based which makes them very, very strong. There is no way to hex-edit a trojan to avoid detection, short of decompiling the trojan, altering it in very specific locations and recompiling it. Most people who can do that would probably just write their own trojan.
- Install-Time Updater allows trial users to update the detection rules during installation.
- Ability to view and delete detected NTFS Alternata Data Streams
- Improved startup time
- TrojanHunter Guard's tray icon now automatically re-created after Explorer crashes
- LiveUpdate handles several updates per day.
- New custom scan option: Scan selected folders
- Smaller ruleset files.
- Bug fix: "Loading trojan icons" dialog would hang after running LiveUpdate on some systems.


Ruben

 

Does this work against runtime-packed files?

 

Specifics about the new engine will be published when the release is finally out. As of now, you will have to try for yourself, or find one who will do it for you (can't help you there, tho, sorry). But personally, I would assume that "next generation scan engine" pretty much looks like something of this sort.

Andreas

 

How should it? Sorry but it doesn't work against runtime-packed files...
And TrojanHunter can only unpack some upx packed files.

 

I believe they can unpack zip files and winrar too. from their guard. and they uses stronger signatures, what the ... that may mean.

 

i mean pe file packers, like upx, aspack etc.

 

the only at that does this is ewido...

 

actually its now RC2

http://forum.misec.net/board/TrojanHunterBeta/1093462002

 

Yes, we were aware of the update Illuka but at the time of writing this whole thread, there was no mention of the second release.

and for keeping us updated, we have the update area

this was going to be a good thread, so I hope this can continue a little further.

 

"If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period."

Which basicly means, if you have ever installed any other version of Trojan Hunter you will not be able to install and use this new version without reformating your hard drive lol

Bruce

 

which is quite normal I guess, 30day trial, even for beta...nowadays.

 

I contacted Magnus 2-3 days ago with my inquiry and provided him with a link to this thread. I did not receive a reply yet (but hopefully one will arrive soon), or better yet a reply in this thread from him.

I had a similar feeling that the files would have to be unpacked in some way for there to be any benefits from the code-based signatures. Do you think the same goes with files that are encrypted? Like with morphine or something?

Overall strong code-based signatures sound very promising, I just find the following quote a little confusing...

Code-based signatures sound like they would be effective against hex-edited trojans, so i am not really arguing about that point. But if one were to pack the trojan and encrypt it, would that not be easier/require less knowledge than decompiling, altering, and recompiling?

I do not mean to sound like i am bashing TH. I wuld just like to know a little more about it. TH hasn't been discussed here in awhile, and with this new release maybe it is a good time to get to know TH better (particularly in the area of detection).

 

This may be true. But eventually the 'working code' has to end up in memory, and that’s where TH's real-time memory scanner - TH Guard - would kick in (operates much the same way as BoClean).

I'm sure there’ll always be ways of disguising files from file scanners. Security software is nearly always playing catch-up against new techniques developed to aid hackers. But catch-up is better than standing still.
Every new advance in programs like TH to prevent casual script kiddies from seeing my data is a good step forward in my books.

TrojanHunter 4 currently unpacks almost all versions of UPX and some basic packers like Lamecrypt and Noodlecrypt, plus Magnus has indicated that the unpacking engine will be expanded once TH4 is released.

 

Good to hear ReGen, thank you for the info

 

lol - yep, installed and ready to beta test but my trial is up!

 

controler -
can you elaborate on,
""If you are not a licensed TrojanHunter user you should be aware that installing the RC will start your 30-day trial period."

Which basicly means, if you have ever installed any other version of Trojan Hunter you will not be able to install and use this new version without reformating your hard drive lol

Bruce


I guess you might think that a beta program tester is in a manner of speaking performing a service to the program developement, and/or that he or she has not evaluated the full version and certainly should be entitled to evaluate the full program before deciding wether to buy. Well...I agree. To software developers in general: You can't have it both ways! It's a beta program, or it is a commercial program with or without a free trial period.

That said, Trojan Hunter 4.0 full version is out and it looks very good so far. Just one labeled "possible trojan" that i believe is legit program, and very fast with ease of use, and resident trojan guard feature. It spotted 4 trojans in an old archive volume. they were files i thought i had detected and deleted in the past, but knowing me, i later restored them with a restore having completely forgotten the trojans. Anyway, this is my 30-day trial.

(BTW, I actually attempted purchasing TD3, but their website could not process the transaction, which does not inspire a whole lot of confidence in me. I have written them, but it is the weekend so I cant expect an answer for a while - Trojan Hunter by way of contrast uses "Kagi" to process their orders. By sheer coincidence I bought the Flaming Pear "Creative Pack" just last week through Kagi. I must say they were the epidemy of efficiency. By the time I checked my email the receipt and s/n were there. Some people think that's too much to expect, I guess).

- HandsOff

 

hmm interesting, perhaps I should give Ewido another look.

 

About false positives--I just downloaded the evaluation copy of Trojan Hunter 4. and installed it and ran it. It found a copy of Steve Gibson's Leak Test.exe which I had in my Downloads folder and identified it as a Trojan and offered to clean (rename) it for me.
This is just for your information.

 

the fact that trojanhunter sees leaktest as a possible malware doesn't say anything to me and it is sure a false positive. leaktests should not be flagged as malware cause the only thing they do is to test your firewall...

just my two cents here.