Worrying about Trojan Hunter 3.9

Hi,

Last night i downloaded a zip file from kazaa and when i tried to open it, my mcafee virus scan enterprise came into to action saying that the file inside was a trojen and it that it had deleated it. But the worrying thing is, is I also have Trojen hunter 3.9 installed (with definitions updated a week ago) and it did absolutely nothing. I have the real time scanner option enabled (which shows a magnifying glass in the task bar) but like i say it did nothing.

What gives.

 

yes, try the new upgrade version 4, this will give more security but if you want real security try tds-3 or ewido

have you submitted the file to Magnus?

trojanhunter scans only 5100 trojans , this is a lot but not what you expect from a 50$ app.

try to upgrade and see if it detects it, maybe the trojan is packed in a way th can not find it?

dunno

 

If the file hasn’t been executed then TH Guard won’t detect it. TH Guard is a ‘real time memory scanner’ not an ‘on access scanner’. Even during a file scan with AT software the AV scanner will often react first – presuming the AV has a definition for the Trojan. In the case you mention here, your AV would have blocked the file from execution during its on access scan, so your memory would have stayed clean. Had the file been packed with an unknown packer and reached memory then TH Guard would have reacted – presuming it also had a definition for this particular Trojan.

 

I very much like the look of Ewido myself and I have the free version that I use regularly as a back up to TH. But its sudden elevation to the top ranks of AT software by some people and the high recommendations it receives I find a little scary at times. The software is relatively new and very little public testing has been done that I’m aware of. On what grounds do these high recommendations come?

 

Yes, I WAS being carefull of the hype regarding Ewido and Prevx. In case of Ewido: I am licenced to tds-3, Trojanhunter and Ewido (just a week) the fact they have a real monitor running on access and at the end not so slowing down anymore (I use less processes now ) the fact they update daily with a huge database, what else do we need. it found some spyware allready and I am happy with it. really.

the day Fish told me they were releasing an update fixing the resource usage, putting a process scanner in it (LIKE TDS-3) and some other stuff, I purchased it immediately. at this time: besides tds-3 there is no at better. this is my personal opinion and opinions change, I am aware of that.
I love internet security and it is a real passion. I want the best. that is all

 

Another fact: trojanhunter (which I like) has signatures for 6100 trojans for a 50$ app. ats has 9100 or so, ewido a lot more, tds-3 a lot more, boclean (dunno, not so clear to me)

I NEVER wanted to sound like I am bashing on TH. I purchased it when it was practically the only at besides tds-3. but it seems they were lacking of updating regularly (sometimes one time/two times a week) and only the last three weeks there has been improvements on this side, and I think, if ewido didn't existed yet, the upgrade was far more away then now) they feel it they gotta get their acts together. not THAT correct if you ask me. opportunistic even if I may say.

bye

 

What worries me, is that I haven't get a reply from Magnus (or anyone else from the TH-company) about some false positives I did submit late monday-night this week: 7-Sept-2004, 0:26, Dutch time.
At least I would like to get some reply....
(this at TH 4).

I have not yet scanned with the update that has just been released.

Jan (licenced user of BOClean, TDS-3, TrojanHunter, The Cleaner, and some more...; and yes: I did pay for them).

 

First, about the trojan detected by McAfee: Your virus scanner's monitor will always scan any files before any other scanning software. If it detects malware it will block access to it, so there's no chance for anything else to detect it. This is to be expected - it's not a deficiency in any other security software you have installed, it just means that your virus scanner is kicking in first.

Second, about trojan definitions. You can't compare trojan scanners by comparing the number of trojan definitions. I have always tried to keep the quality of TrojanHunters database high and not add unnecessary definitions just to artificially inflate the database. There are several scanners out there that add a new trojan definition if:

- A trojan is compressed with e.g. UPX
- A trojan has an EditServer
- A trojan has a client

Sure, we could do this and easily quadruple the size of TrojanHunter's trojan definitions, but what's the point? Like I said, you can't compare scanners by looking at definitions since each vendor will count differently. TrojanHunter has over 20,000 ruleset entries and it is most certainly a "real" trojan scanner.

 

FanJ:

There was a false positive that was fixed with today's update. If your FP is still not fixed please email me at magnus(at)misec.net

 

Thanks Magnus for coming here !

Did you receive my email about FP's ?

 

off course you did pay for them, are you a dutchman?

in belgium they have a saying bout them then.

regarding your false positives, on their forum at the time of Version 4 being beta (3 weeks ago I believe) there were A LOT of false positives. they made a second beta only for the fp's.

but still members experiencing fp's. I had a fp regarding one of their own dll's (.gen) I believe.

 

Jan,

I've found your mail - thanks. I will make sure those FPs get fixed with the next update if they haven't already been fixed. Sorry about the delay but it's been pretty crazy with the recent release of TrojanHunter 4.

 

Oops sorry Magnus, our postings crossed (I didn't see your reply).

I am going to download it and scan with it.
In case something wrong, I will let you know

Regards, Jan.

 

Magnus, thanx for all the updates lately!!!

 

Don't thank me, thank Aaron

 

yes, Magnus, keep it up, doing good, real good and sorry if I was too direct regarding TH and indirectly to you.

it was not meant like this.

 

Hi Magnus,

Thanks for your postings !
I've send you an email.
I fully understand that you all were been very busy with the new upgrade !


=====

Heya my dear Belgium neighbour

Yep, I'm a Dutchie
Yep, I DID pay for them !!!

Us neighbours (Belgiums and Dutchies) understand the joke

Cheers, Jan.

 

there are quite a few nederlanders on this board isn't it? Perfect.

yes, Wilders rules.

 

@Magnus

You may want to try the following /w TH 4:

1.
Take shimgapi.dll (original UPX-packed backdoor component of dangerous MyDoom worm).

2.
Scan it /w TH file scanner: it will be detected. Same applies to unpacked shimgapi.dll.

3.
Inject shimgapi.dll into editor.exe etc.; scan it with the mem scanner: it will not be detected.

4.
Repack the DLL with Armadillo: Neither the file scanner nor the mem scanner will detect it.

5.
Inject a standard, non-manipulated, non-reverse Beast 2.05 DLL into editor.exe: TH will wrongly detect it as a 1-900 Dialer.100 instead of a Beast trojan DLL.

--> Conclusion: There is likely a problem with the mem scanner/the mem sigs.

(Btw.: The file scanner does not detect the following DLLs: Coldfusion 1.08 & 1.10; Optix Pager 2; Optix Pro 1.32 Cloaker DLL, and others.)

ntl

 

Absolutely! Thank you for that, Magnus. So many people go by the size of the database. Also, I think you are to be commended for your very user-friendly interface. I have never liked programs that are horrible to navigate, and are unnecessarily complex, for the sole purpose of making one think they are using a "high-tech" security tool that not "everyone" can understand. It's the old, "If it's hard to navigate - it must be a serious security tool." Frankly there's too much of that - it's an "image" over substance, imo. TrojanHunter is made to work - simply and easily - for everyone.

Thanks again!

 

to Nautilus: is this done with version 3.9? try to do it with version 4. I do think it is far more better then 3.9.

I

 

luv2bsecure: Thank you for being someone who "gets it".


Nautilus:

Could you please email the DLL files that you say are undetected to me at magnus(at)misec.net? Thank you.

 

To Magnus: I do understand that without good unpackers you can have all the signatures in the world and still not detect as much as you want to detect. that is quite obvious. That is why I asked about which unpackers TH supports on the trojanhunter forum (which you answered btw and I thank you for that!!!)
I never wanted to sound ungreatfull or immature regarding TH or TH's staff. I love it the way it is going now. and I wish you all the luck in the world (and all the unpackers and all the trojans )
sorry.

 

@Magnus

On January 16 and 19, 2004, I sent to you: Coldfusion 1.08 & 1.10 DLLs, Optix Pager 2 DLL and others.

That's why I believe that there may be a prob with the signature database and/or the mem scanner. (I experienced a similar issue with the newly released ewido plus which failed to detect samples that had been detected by the original ewido free suite using the old signature database.)

I will forward to you the old e-mails from January. In addition, I will attach the DLLs referred to above.

@INFINITY

Test system: WinXP SP2, Prescott 3,0 /w HT, TH 4

 

With all due respect, but I still get alerts about AtGuard and RefreshEm:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Program Files\Atguard\iamdrv.vxd (IcqUkr.100)
Found trojan file: C:\Program Files\Atguard\iamdrv.zip/iamdrv.vxd (IcqUkr.100)
Found trojan file: D:\RefreshEm\refrsh10.zip/refrsh10.exe (Fragglerock.200)
Found trojan file: D:\RefreshEm\refrsh10.exe (Fragglerock.200)
4 trojan files found