Worrying about Trojan Hunter 3.9

Discussion in 'other anti-trojan software' started by AnthonyG, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    Hi,

    Last night I downloaded a zip file from Kazaa and when I tried to open it, my McAfee VirusScan Enterprise came into action saying that the file inside was a trojan and that it had deleted it. But the worrying thing is, I also have TrojanHunter 3.9 installed (with definitions updated a week ago) and it did absolutely nothing. I have the real-time scanner option enabled (which shows a magnifying glass in the task bar) but like I say it did nothing.

    What gives?
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Yes, try the new upgrade, version 4; this will give more security, but if you want real security try TDS-3 or Ewido.

    have you submitted the file to Magnus?

    TrojanHunter scans for only 5100 trojans; this is a lot, but not what you expect from a $50 app.

    Try to upgrade and see if it detects it; maybe the trojan is packed in a way TH cannot find?

    dunno
     
  3. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    If the file hasn’t been executed then TH Guard won’t detect it. TH Guard is a ‘real time memory scanner’ not an ‘on access scanner’. Even during a file scan with AT software the AV scanner will often react first – presuming the AV has a definition for the Trojan. In the case you mention here, your AV would have blocked the file from execution during its on access scan, so your memory would have stayed clean. Had the file been packed with an unknown packer and reached memory then TH Guard would have reacted – presuming it also had a definition for this particular Trojan.
     
  4. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    I very much like the look of Ewido myself and I have the free version that I use regularly as a backup to TH. But its sudden elevation to the top ranks of AT software by some people and the high recommendations it receives I find a little scary at times. The software is relatively new and very little public testing has been done that I’m aware of. On what grounds are these high recommendations made?
     
    Last edited: Sep 10, 2004
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Yes, I WAS being careful of the hype regarding Ewido and Prevx. In the case of Ewido: I am licensed for TDS-3, TrojanHunter and Ewido (just a week). The fact that they have a real monitor running on access and in the end not slowing things down so much anymore (I use fewer processes now :D ), the fact that they update daily with a huge database: what else do we need? It found some spyware already and I am happy with it. Really.

    The day Fish told me they were releasing an update fixing the resource usage, putting a process scanner in it (LIKE TDS-3) and some other stuff, I purchased it immediately. At this time, besides TDS-3 there is no better AT. This is my personal opinion, and opinions change; I am aware of that.
    I love internet security and it is a real passion. I want the best. That is all :ninja:
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Another fact: TrojanHunter (which I like) has signatures for 6100 trojans for a $50 app. ats has 9100 or so, Ewido a lot more, TDS-3 a lot more, BOClean (dunno, not so clear to me).

    I NEVER wanted to sound like I am bashing TH. I purchased it when it was practically the only AT besides TDS-3. But it seems they were lacking in updating regularly (sometimes once/twice a week) and only in the last three weeks have there been improvements on this side, and I think, if Ewido didn't exist yet, the upgrade would be far further away than now; they feel they gotta get their act together. Not THAT correct if you ask me. Opportunistic, even, if I may say.

    bye
     
  7. FanJ

    FanJ Guest

    What worries me is that I haven't got a reply from Magnus (or anyone else from the TH company) about some false positives I submitted late Monday night this week: 7-Sept-2004, 0:26, Dutch time.
    At least I would like to get some reply....
    (This is with TH 4.)

    I have not yet scanned with the update that has just been released.

    Jan (licensed user of BOClean, TDS-3, TrojanHunter, The Cleaner, and some more...; and yes: I did pay for them).
     
    Last edited by a moderator: Sep 10, 2004
  8. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    First, about the trojan detected by McAfee: Your virus scanner's monitor will always scan any files before any other scanning software. If it detects malware it will block access to it, so there's no chance for anything else to detect it. This is to be expected - it's not a deficiency in any other security software you have installed, it just means that your virus scanner is kicking in first.

    Second, about trojan definitions. You can't compare trojan scanners by comparing the number of trojan definitions. I have always tried to keep the quality of TrojanHunter's database high and not add unnecessary definitions just to artificially inflate the database. There are several scanners out there that add a new trojan definition if:

    - A trojan is compressed with e.g. UPX
    - A trojan has an EditServer
    - A trojan has a client

    Sure, we could do this and easily quadruple the size of TrojanHunter's trojan definitions, but what's the point? Like I said, you can't compare scanners by looking at definitions since each vendor will count differently. TrojanHunter has over 20,000 ruleset entries and it is most certainly a "real" trojan scanner.
     
  9. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    FanJ:

    There was a false positive that was fixed with today's update. If your FP is still not fixed please email me at magnus(at)misec.net
     
  10. FanJ

    FanJ Guest

    Thanks, Magnus, for coming here! :)

    Did you receive my email about FPs?
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Of course you did pay for them; are you a Dutchman?

    In Belgium they have a saying about them then. :D

    Regarding your false positives: on their forum at the time of version 4 being beta (3 weeks ago, I believe) there were A LOT of false positives. They made a second beta only for the FPs.

    But members are still experiencing FPs. I had an FP regarding one of their own DLLs (.gen), I believe.
     
  12. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Jan,

    I've found your mail - thanks. I will make sure those FPs get fixed with the next update if they haven't already been fixed. Sorry about the delay but it's been pretty crazy with the recent release of TrojanHunter 4.
     
  13. FanJ

    FanJ Guest


    Oops sorry Magnus, our postings crossed (I didn't see your reply).

    I am going to download it and scan with it.
    In case something is wrong, I will let you know ;)

    Regards, Jan.
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Magnus, thanks for all the updates lately!!!
     
  15. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Don't thank me, thank Aaron ;)
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Yes, Magnus, keep it up; doing good, real good, and sorry if I was too direct regarding TH and indirectly to you.

    It was not meant like this.
     
  17. FanJ

    FanJ Guest

    Hi Magnus,

    Thanks for your postings!
    I've sent you an email.
    I fully understand that you all have been very busy with the new upgrade! ;)


    =====

    Heya my dear Belgian neighbour :)

    Yep, I'm a Dutchie ;)
    Yep, I DID pay for them !!!

    We neighbours (Belgians and Dutchies) understand the joke :D :D

    Cheers, Jan.
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    There are quite a few Nederlanders on this board, aren't there? Perfect.

    Yes, Wilders rules. :cool:
     
  19. --ntl--

    --ntl-- Guest

    @Magnus

    You may want to try the following /w TH 4:

    1. Take shimgapi.dll (original UPX-packed backdoor component of the dangerous MyDoom worm).

    2. Scan it /w TH file scanner: it will be detected. Same applies to unpacked shimgapi.dll.

    3. Inject shimgapi.dll into editor.exe etc.; scan it with the mem scanner: it will not be detected.

    4. Repack the DLL with Armadillo: neither the file scanner nor the mem scanner will detect it.

    5. Inject a standard, non-manipulated, non-reverse Beast 2.05 DLL into editor.exe: TH will wrongly detect it as a 1-900 Dialer.100 instead of a Beast trojan DLL.

    --> Conclusion: There is likely a problem with the mem scanner/the mem sigs.

    (Btw.: The file scanner does not detect the following DLLs: Coldfusion 1.08 & 1.10; Optix Pager 2; Optix Pro 1.32 Cloaker DLL, and others.)

    ntl
     
  20. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Absolutely! Thank you for that, Magnus. So many people go by the size of the database. Also, I think you are to be commended for your very user-friendly interface. I have never liked programs that are horrible to navigate, and are unnecessarily complex, for the sole purpose of making one think they are using a "high-tech" security tool that not "everyone" can understand. It's the old, "If it's hard to navigate - it must be a serious security tool." Frankly there's too much of that - it's an "image" over substance, imo. TrojanHunter is made to work - simply and easily - for everyone.

    Thanks again!
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    To Nautilus: is this done with version 3.9? Try to do it with version 4. I do think it is far better than 3.9.

    I
     
  22. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    luv2bsecure: Thank you for being someone who "gets it". :)


    Nautilus:

    Could you please email the DLL files that you say are undetected to me at magnus(at)misec.net? Thank you.
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    To Magnus: I do understand that without good unpackers you can have all the signatures in the world and still not detect as much as you want to detect. That is quite obvious. That is why I asked about which unpackers TH supports on the TrojanHunter forum :) (which you answered, btw, and I thank you for that!!!)
    I never wanted to sound ungrateful or immature regarding TH or TH's staff. I love the way it is going now, and I wish you all the luck in the world (and all the unpackers and all the trojans ;))
    Sorry.
     
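Magnus's point that raw definition counts are not comparable (a scanner that stores one signature per packed build, EditServer and client inflates its count) and Infinity's point that without unpackers signatures alone do not help are both illustrated by the following added example. It is constructed for this thread and is not TrojanHunter's or any other vendor's code. The "packers" are toy transforms that stand in for UPX-style packing, and the sample bodies are constructed bytes, not malware.

```python
"""Added example: why definition counts differ between scanners.

Two toy scanners are trained on the same sample set. One keeps a signature per
on-disk artifact (every packed build is a new 'definition'); the other unpacks
first and keeps one signature per family. Both are probed with a build packed
by a packer that has an unpacker and one packed by a packer that has none.
"""
import base64
import hashlib
import zlib

# Constructed sample families; the bytes stand in for a trojan server body.
FAMILIES = {
    "FamilyA": b"constructed body A - stands in for a trojan server, not real malware",
    "FamilyB": b"constructed body B - stands in for a trojan server, not real malware",
}

# Constructed 'packers': a tag byte-string followed by a transformed body.
def pack_zlib(body: bytes) -> bytes:
    return b"TOYZ\x00" + zlib.compress(body)

def pack_b64(body: bytes) -> bytes:
    return b"TOYB\x00" + base64.b64encode(body)

def pack_unknown(body: bytes) -> bytes:
    # Stands in for a packer the scanner has no unpacker for.
    return b"TOYU\x00" + body[::-1]

# The scanner's unpacker support: TOYU is deliberately absent.
UNPACKERS = {
    b"TOYZ\x00": zlib.decompress,
    b"TOYB\x00": base64.b64decode,
}

def unpack(blob: bytes) -> bytes:
    """Strip a known packer layer; unknown layers are left as-is and scanned raw."""
    for tag, fn in UNPACKERS.items():
        if blob.startswith(tag):
            return fn(blob[len(tag):])
    return blob

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_database(samples, normalise: bool) -> set:
    """samples: iterable of (family, artifact). A per-artifact database hashes
    each file as found; a per-family database hashes the unpacked content."""
    return {digest(unpack(art) if normalise else art) for _, art in samples}

def detects(database: set, artifact: bytes, normalise: bool) -> bool:
    return digest(unpack(artifact) if normalise else artifact) in database

def compare() -> dict:
    """Train both databases on raw + zlib-packed builds, then probe them.
    Each result is (per_artifact_hit, per_family_hit)."""
    training = list(FAMILIES.items())
    training += [(name, pack_zlib(body)) for name, body in FAMILIES.items()]
    per_artifact = build_database(training, normalise=False)
    per_family = build_database(training, normalise=True)
    probes = {
        "seen_packed_build": pack_zlib(FAMILIES["FamilyB"]),     # in training set
        "repacked_known_packer": pack_b64(FAMILIES["FamilyA"]),  # new packer, unpacker exists
        "unknown_packer": pack_unknown(FAMILIES["FamilyA"]),     # no unpacker at all
    }
    results = {
        name: (detects(per_artifact, art, False), detects(per_family, art, True))
        for name, art in probes.items()
    }
    return {
        "definitions_per_artifact": len(per_artifact),  # 2 families x 2 builds = 4
        "definitions_per_family": len(per_family),      # 2
        "results": results,
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

The per-artifact database needs twice as many entries to cover the same two families and still misses the repacked build, while the normalising one covers it with no new entry; neither catches the build packed with the packer that has no unpacker, which is the unpacker point in numbers.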
  24. ---------

    --------- Guest

    @Magnus

    On January 16 and 19, 2004, I sent to you: Coldfusion 1.08 & 1.10 DLLs, Optix Pager 2 DLL and others.

    That's why I believe that there may be a prob with the signature database and/or the mem scanner. (I experienced a similar issue with the newly released ewido plus which failed to detect samples that had been detected by the original ewido free suite using the old signature database.)

    I will forward to you the old e-mails from January. In addition, I will attach the DLLs referred to above.

    @INFINITY

    Test system: WinXP SP2, Prescott 3,0 /w HT, TH 4
     
  25. FanJ

    FanJ Guest

    With all due respect, I still get alerts about AtGuard and RefreshEm:

    Registry scan
    No suspicious entries found
    Inifile scan
    No suspicious entries found
    Port scan
    No suspicious open ports found
    Memory scan
    No trojans found in memory
    File scan
    Found trojan file: C:\Program Files\Atguard\iamdrv.vxd (IcqUkr.100)
    Found trojan file: C:\Program Files\Atguard\iamdrv.zip/iamdrv.vxd (IcqUkr.100)
    Found trojan file: D:\RefreshEm\refrsh10.zip/refrsh10.exe (Fragglerock.200)
    Found trojan file: D:\RefreshEm\refrsh10.exe (Fragglerock.200)
    4 trojan files found
     
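To turn a pasted report like the one above into something a vendor can act on (one list of paths per signature, plus a check that the summary line agrees with the hits), here is an added parser. It is example code written for this thread, not TrojanHunter's own tooling. It assumes the report format exactly as posted: one heading line per scan stage, a "Found trojan file: <path> (<signature>)" line per hit, and a forward slash separating a zip container from the member inside it (a convention inferred from the posted lines, not documented anywhere on this page).

```python
"""Added example: parse a TrojanHunter-style scan report into structured hits."""
import re
from collections import defaultdict

# Constructed sample input: the lines FanJ posted above, re-typed as test data.
SAMPLE_REPORT = r"""Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\Program Files\Atguard\iamdrv.vxd (IcqUkr.100)
Found trojan file: C:\Program Files\Atguard\iamdrv.zip/iamdrv.vxd (IcqUkr.100)
Found trojan file: D:\RefreshEm\refrsh10.zip/refrsh10.exe (Fragglerock.200)
Found trojan file: D:\RefreshEm\refrsh10.exe (Fragglerock.200)
4 trojan files found"""

SECTION_RE = re.compile(r"^([A-Za-z]+ scan)$")
DETECTION_RE = re.compile(r"^Found trojan file: (.+) \(([^()]+)\)$")
SUMMARY_RE = re.compile(r"^(\d+) trojan files? found$")

def split_archive_path(path: str):
    """Assumed convention: '/' separates an archive from the member inside it,
    while plain Windows paths contain only backslashes.
    Returns (container, member), or (None, None) for a plain file."""
    if "/" in path:
        container, member = path.split("/", 1)
        return container, member
    return None, None

def parse_report(text: str) -> dict:
    """Walk the report line by line, tracking the current scan stage."""
    sections = defaultdict(list)   # stage name -> informational lines
    detections = []                # one dict per 'Found trojan file' line
    reported_total = None          # value from the scanner's own summary line
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current]      # register the stage even if it stays empty
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported_total = int(m.group(1))
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, signature = m.group(1), m.group(2)
            container, member = split_archive_path(path)
            detections.append({
                "section": current,
                "path": path,
                "container": container,
                "member": member,
                "signature": signature,
            })
            continue
        sections[current].append(line)
    return {
        "sections": dict(sections),
        "detections": detections,
        "reported_total": reported_total,
    }

def check_consistency(parsed: dict) -> bool:
    """The scanner's summary count should equal the hits actually listed;
    a mismatch points at a truncated or hand-edited report."""
    return parsed["reported_total"] == len(parsed["detections"])

def group_by_signature(parsed: dict) -> dict:
    """One FP report per signature name, listing every path it fired on,
    is the shape a vendor needs to fix the rule rather than one file."""
    groups = defaultdict(list)
    for hit in parsed["detections"]:
        groups[hit["signature"]].append(hit["path"])
    return {sig: sorted(paths) for sig, paths in groups.items()}

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("summary line agrees with hits:", check_consistency(parsed))
    for sig, paths in group_by_signature(parsed).items():
        print(sig)
        for p in paths:
            print("   ", p)
```

On the posted report this yields two signatures, each firing on a plain file and on the same file inside a zip, which is the kind of grouped evidence that makes a false-positive submission quick to verify.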