Security Tool HijackThis Goes Open Source
wiredmikey writes "The popular free security tool HijackThis has been open sourced by its owner, Trend Micro. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems. Downloaded over 10 million times, HijackThis generates reports to help users analyze and fix an infected or problem computer. But the tool is not designed for novices – and doesn't actually determine what's good or bad. That's up to you, but it is a good way to keep an eye on things and possibly locate anomalies that may have been missed by other security products. Trend Micro warns that if you don't know what you're doing, it's probably not a good idea to make any changes to your computer settings and system files. Trend Micro acquired the tool from creator Merijn Bellekom in 2007, and has offered it for free ever since, but now is making the code available to the public. The code, originally written in Visual Basic, is now officially available at Sourceforge here."
Free = no good (Score:5, Funny)
My PHB says that free stuff can't be any good. Surely, we'd be much better off by throwing 7 figures at Symantec. ;)
Re:Free = no good (Score:5, Insightful)
More likely he says that free stuff without vendor support is no good, and for most businesses he is right.
Re:Free = no good (Score:5, Insightful)
That is if you need to have accountability, such as selling or providing to a customer (this would be the latter - IT provides for its "customers" which are end users to them) but I think our developers use notepad++ for editing files more than any other program, so there are exceptions, and let's face it - if that tool breaks, there's always notepad. It is on our site license approved software download page even (for free and commercial tools we have a site license to download and self install), so it has passed through upper management and legal, but I'll admit the one there is an old GPL-2 licensed version - I don't know if it hasn't been updated because of legal concerns about GPL-3 or they just haven't gotten around to it, though (I know GPL-3 libraries are forbidden, but not sure about apps).
In the case of HijackThis you are responsible for your own accountability, since it doesn't remove anything unless you tell it to, and a good IT person will back up the registry before making any changes to it (and know what is and is not a legit program).
Re: (Score:2)
I can't see how a program could be forbidden just by being GPL3. From my understanding, the GPL does not "protect" or "infect" (depending on your perspective) program output - merely said program's code (be it for execution or linking (and execution)).
Re: (Score:2, Insightful)
More likely he says that free stuff without vendor support is no good, and for most businesses he is right.
It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.
If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.
HJT is for
Re: (Score:2)
Wrong. Kind of hard to improve upon a program when it's closed source and only distributed via a compiled binary.
Re: (Score:2)
More likely he says that free stuff without vendor support is no good, and for most businesses he is right.
It's not just about Vendor support; it's also about Tool capabilities, Tool quality, and meeting a business need. Businesses don't want to spend a lot of time manually "cleaning up" after malware infections; they want to prevent them.
So what's the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.
Re: (Score:3)
So what's the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.
That's because the software fails to do what it's actually supposed to do. If the software were effective, the featureset would make it a clear winner over the free product. Because in actual practice the Symantec software doesn't do what it's supposed to do, an Engineer experienced with it could tell you that all those checkboxes are worthless.
In a number of large comp
Re: (Score:3)
it's a tool, and the tool is only as good as the person using it. ... nope not one bit. ... Yep, it's a tool to look inside before doing the surgery.
I love it since it helps me examine the problems before trying a solution.
is it an endpoint solution for the masses
is it a good tool for the IT department to have on the flash drive at all times
Re: (Score:2)
it's a tool, and the tool is only as good as the person using it.
A tool is also only as good as the functionality it provides. You don't use a hammer to make a chocolate cake.
HiJackThis is a useful tool, but its application is extremely constrained -- it's a tool to be used by an expert/specialist to attempt to manually remove an infection.
This has many applications, but its uses are not compatible with IT best practices for Enterprise security. In the Enterprise, the main job of security software is
Re: (Score:3)
If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.
Define more efficient. Does the hours upon hours someone spend re-installing and re-configuring their system after a re-image count? What about the time spent reloading data from backups? And the time making an image because the last backup was a week ago? Then having to manually reload the files that have changed since that time?
Re:Free = no good (Score:4, Insightful)
Does the hours upon hours someone spend re-installing and re-configuring their system after a re-image count?
The image is supposed to be taken after the install is fully configured with all the role-specific software.
What about the time spent reloading data from backups?
No data requiring backup is allowed to be on endpoints. Any documents should be in the user's profile which gets redirected to a place on the server.
Re: (Score:3)
Not everyone works in a functional cubicle where they all use the same software to do the same thing, and the only thing that shouldn't be persistent is the output data itself.
You're confusing bean counters, data entry, and script readers with just about everyone else who needs some flexibility.
Re: (Score:2)
You manually reinstall your software? We just network boot the machine to reinstall Windows from our gold image, and once done the software will automatically push to it and install with no user intervention. Reconfiguring indeed.
Re: (Score:2)
While I do use Comodo myself, don't think for a second that its anti-virus engine is very good. It's not. If you want a good AV scanner, go with Kaspersky or Bitdefender, although neither are free :(.
Where Comodo shines is its defense plus engine, which lets you know that something suspicious is going on. Answer properly the pop-ups, and nothing will get through. But that's the key, "Answer properly".
Re: (Score:1)
I'll update that to say:
More likely he says that free stuff without *good* vendor support is no good, and for most businesses he is right.
I've seen several cases these days with large vendors where their support was quite shoddy. Their support people don't seem to know much about their product (especially for win-centric products with a linux component), they take forever to turn around a case and love to play wheel-of-blame where they'll try and put any possible issues on your system/configu
Re: (Score:3, Funny)
If you use Symantec you'll certainly be throwing *something* at them.
Re:Free = no good (Score:5, Funny)
7 figures? You guys only buy low-grade garbage. You should buy 8 or 9 figure solutions.
Re: (Score:1)
I'll assume that the beeping I hear so loud is the sarcasm-meter.
It's a move that'll give them good PR with the Open Source guys AND possibly leave them off the hook on maintaining the tool. Or maybe they just want to be good guys and let the tool evolve by other means (if it evolved at all in these past few years). No idea, tho.
Re: (Score:2)
Back when I was in high school I heard about something called "Lee-nux", so I asked our network admin, who was more knowledgeable than the actual IT teachers. His reply could be summed up as "Pfft! It's a waste of time! You get what you pay for, boy."
Thinking back, I could kick him for setting my curiosity back by what must have been years.
These days I still don't use Linux, but not because it's free. I did recently retire an old fileserver running BSD, though.
Re: (Score:2)
Thing is... he was right, from a professional perspective. Do not underestimate the amount of work that was needed to turn Linux into a kernel that could support an enterprise level requirement. If anything Linux was more a triumph of the open source model than a triumph of Linus' code (although that certainly was not terrible).
If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what wa
Re: (Score:3)
If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.
What galls me in retrospect is that I was a hobbyist, and the admin was not what I now consider a pro, considering how badly run the network was in those days. With respect to your comment on Linux being a toy at that time, all I can say is that you've overestimated my age by quite a bit: at that time Red Hat were doing pretty well, all things considered.
Of course, if I was looking for enthusiastic encouragement then talking to an overworked admin that had to deal with a couple of thousand students was pro
Re: (Score:2)
Get off my lawn.
Re: (Score:2)
I'm pretty sure IBM and Red Hat were some of the major players that did the work he is talking about.
Still in Visual Basic (Score:5, Informative)
Since it was "originally written in Visual Basic", I wonder what language does it use now?
It turns out, it still uses Visual Basic. Not sure why was the summary written that way.
Java trapped (Score:3)
Say I find a Windows PC, remove its hard drive for analysis, put it in a USB enclosure, and mount it read-only on a Linux box to make the scan process immune to boot-sector malware. Is there a Free compiler capable of compiling Visual Basic code? As of a year ago [stackoverflow.com], there wasn't. If not, the program is Java trapped [gnu.org].*
* The term's origin is historical; Java itself is no longer Java trapped, but plenty of other languages and APIs are.
Re:Java trapped (Score:4, Insightful)
You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.
Re:Java trapped (Score:5, Informative)
You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.
This.
If you're that averse to installing Windows on something, check out some of the bootable diagnostic tools like the UBCD4Win project, the newer releases of Hiren's Boot CD (That are now pirated-software free), or HawkPE. They run right off the disc and have HijackThis - along with a plethora of other cleanup tools - pre-configured.
Re: (Score:2)
there are a bunch here
http://livecdlist.com/purpose/windows-antivirus [livecdlist.com]
I've had better luck finding rootkits with bitdefender and kaspersky than Hiren, but taking a look at their page it looks like they've shored up the rootkit detection (MalwareBytes is pretty good at that - didn't have any luck with rootkitrevealer when I tried it, though - it failed to detect a rootkit that bitdefender found, and I knew the machine was rootkitted as well as the rootkit name - I also pulled off 3 yet unidentified virus vari
Re: (Score:2)
That are now pirated-software free
How so, if they contain Windows?
Re: (Score:2)
To be honest, I too questioned that a smidge, given that the UBCD4Win project distributes a builder that requires a Windows CD to work, whereas Hiren distributes an ISO. While common sense says "if you have an XP disc for the purpose you've fulfilled the legal requirements", especially if you also have a hosed hard disk that carries a licensed copy of Windows requiring disinfecting, it'd be down to a group of lawyers to determine whether it's entirely legal or not.
What I was referring to was the fact that t
Re: (Score:2)
Hiren's Boot CD (That are now pirated-software free)
No they're not. Windows PE is only licensed for use with approved software under a contract arrangement with Microsoft. Hiren's Boot CD is not one of them, hence the Windows environment used on Hiren's CD is pirated.
Re: (Score:2)
Then you will have a hard time reading the Windows registry anyways, since HijackThis uses Windows APIs to do that.
Re: (Score:3)
The point of the thread was whether it would compile under Linux. It might, but it wouldn't do anything as it would be relying on functions that Linux does not supply.
I mean, I'm sure HJT runs fine under Wine, but I'll bet the scan comes up empty every time.
Re: (Score:3)
Because its goal is to scan said proprietary platform, using said proprietary platform's system files?
I'm not seeing the problem here. It was written for Windows, using Windows APIs, to scan the Windows registry, using a MS programming language.
Do you really have the nerve to ask them to rewrite the whole thing in Java or C++, and also would you please re-implement all the registry and NTFS APIs so that it can run from Linux? How bout everyone be grateful that we have some source, instead of being whiney O
Re: (Score:2)
Considering it's designed to clean up problems specifically on that proprietary platform, I don't see that as an issue at all.
Re: (Score:3)
Then you boot from a windows repair DVD that you burned from an ISO downloaded from Microsoft, open a shell, and type either fixmbr \device\harddisk0 or bootrec /fixmbr to overwrite the boot sector with a good one. Then you can at least trust the boot sector.
Re: (Score:3)
FACT: Attempting to clean a virus with the same os it was designed to infect is NOT a good idea.
There are a lot of viruses that are designed to exploit things like malformed shortcut files, bugs in the way windows mounts hard drives, or even bugs in the code that checks for the amount of free space on a drive. Ref:(google: "lnk exploit")
If you connect a drive infected with one of these viruses to a windows computer
Registry (Score:2)
You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.
True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com]?
Re: (Score:2)
True, but why does mounting a USB hard drive read-only require modifying the registry [motersho.com]?
Because 99.9999% of the users never have any desire to mount anything other than read/write.
I wrote a little app that toggles this registry setting back-n-forth. It's in the startup on all our machines containing sensitive data. By default all the usb stuff gets mounted read-only. If you want to write to it, you need to run the app prior to plugging it in to temporarily allow read-write mounting. (Yes I realize it's not a foolproof solution, but it does add some protection against accidental data spilla
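The read-only-by-default toggle described in the post above, written out as an added example (this is not the commenter's app, and the page does not name the key they used): it sets the WriteProtect value under the StorageDevicePolicies key, which Windows consults when it mounts a removable volume. The log file path and the function names are this example's own choices; it must run from an elevated PowerShell.

```powershell
# Added example (not the commenter's own app): flip the WriteProtect policy value that makes
# Windows mount USB mass-storage volumes read-only. Run from an elevated PowerShell.
# Assumption: the StorageDevicePolicies key below is the documented one; the commenter's
# own key and app are not on the page. The log file location is an example choice.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$LogFile   = Join-Path $env:ProgramData 'usb-writeprotect.log'

function Get-UsbWriteProtect {
    # $true when the policy says "mount removable storage read-only",
    # $false when the key or value is absent or the value is 0.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    # Record who flipped the setting and when: a policy that users can toggle needs a trail.
    $line = '{0} {1}\{2} WriteProtect={3}' -f (Get-Date -Format 's'), $env:USERDOMAIN, $env:USERNAME, [int]$Enabled
    Add-Content -Path $LogFile -Value $line
}

function Switch-UsbWriteProtect {
    # The "toggle" from the thread: read-only becomes read/write and vice versa.
    # Returns the new state ($true = read-only).
    $new = -not (Get-UsbWriteProtect)
    Set-UsbWriteProtect -Enabled $new
    return $new
}

# At logon the default is read-only. A user who needs to write runs Switch-UsbWriteProtect
# BEFORE plugging the device in: the policy is evaluated when the volume is mounted, not afterwards.
if (-not (Get-UsbWriteProtect)) { Set-UsbWriteProtect -Enabled $true }
Write-Output ("Removable storage read-only: {0}" -f (Get-UsbWriteProtect))
```

Because the value is read at mount time, a drive that is already attached keeps whatever mode it was mounted with until it is unplugged and reinserted, which is why the toggle has to run first. It is a local policy value, so anyone with administrative rights can flip it back; like the commenter says, it protects against accidental copies, not against a determined user.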
Re: (Score:1)
So it's not open source enough?
It wasn't open source at all until recently!
Re: (Score:1)
Is there a Free compiler capable of compiling Visual Basic code?
A quick google search led me to several sites that say Mono now includes a Visual Basic compiler. I haven't verified this myself.
Re: (Score:3)
Despite the similar name, they're not the same. Mono supports Visual Basic .NET, which is a language both syntactically and semantically different.
Re: (Score:2)
Yep... it was called Visual Basic.Net ... I haven't tried in the newer versions, but the first VB.Net (2005 was it?) did a pretty horrid job with my relatively small VB 6 apps. I actually ended up just re-writing them all.
Re: (Score:3)
It doesn't matter terribly much. As anyone who does this type of thing might know, most (basically all) of these type of Windows-based programs which access the registry rely on kernel and system mechanisms to read/write the registry.
In other words, it's great if you have it running under Wine, but it won't actually do anything because Wine doesn't provide mechanisms for reading an actual NT registry. There are two programs I know of which re-implement those mechanisms under Linux: the NT Password reset / ed
Separate service to read the registry (Score:2)
it would be rather like expecting The Gimp to implement ext4 read / write functions so that one can launch it under windows and access files on a Linux FS
You're right. A better idea is to implement a network redirector service and point GIMP at its drive letter. Likewise, a port of HJT to Linux might include a way to read registries other than that of the boot volume, possibly relying on a separate service to interpret the NT hive files.
Re: (Score:2)
Not sure why was the summary written that way.
They are anticipating the translation to Javascript + HTML5. Isn't that what Microsoft replaced VisualBasic with?
Easy enough to port to a faster language then (Score:1)
Like Borland Delphi, AND, that said? 64-bit ports are easy too (Delphi XE2).
* The reason I note this, is that this program, like so many others like it, read the registry (for malware traces, doubtless based on a single C/C++ style structure/Pascal-Object Pascal record variable that holds the signatures to look for so they can all be treated as a SINGLE variable whose elements get parsed & compared to a registry entry scanned...), and filesystems.
(No, I haven't SEEN the sourcecode, but I wager that's ho
The reason I noted doing a 64-bit port... (Score:1)
Is that a 32-bit program does NOT have "full" registry hives access in 64-bit systems... hence, possibly WHY a 64-bit port's a GOOD idea - for now though? As long as malwares do NOT go "64-bit" as well?? 32-bit CAN & WILL "do the job"... for now, that is.
APK
P.S.=> Am I interested in this? No... got plenty of code to work on here myself, but it's worth pointing out for those who MAY indeed, be interested in this... apk
Re: (Score:2)
Not an expert on this, but a program does not need to be 64-bit to access all parts of the registry, it just needs to be able to call another program that DOES have access to those parts. There's no reason I couldn't write a 32-bit program which calls "reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node" in order to get its results.
Not just for helpdesk and your family (Score:5, Interesting)
A second vote for Russinovich's tools (Score:3)
I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.
I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.
Re: (Score:2)
I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.
I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.
They also got the author, Mark Russinovich, who knew the ins and outs of some of the MS internals better than Microsoft themselves.
Yes, the sysinternals stuff really kicks butt.
Re: (Score:3)
Second. HJT was replaced by the Sysinternals top 3 (Autoruns, ProcessExplorer, Process Monitor) about the time TrendMicro acquired it and stopped maintaining it.
It was useful for some things, but Autoruns very quickly surpassed it, and virus removal (what HJT was supposedly better at) wasn't really doable once advanced rootkits started appearing around that time and HJT took no countermeasures.
Autoruns is also a lot better laid out, and is constantly updated with new features.
Re:Not just for helpdesk and your family (Score:4, Interesting)
HT is by no means dead; you can spend a lot of extra time putting a screw through a board with a hammer but a screwdriver is probably the better and more efficient choice for the job.
Re: (Score:2)
Oh ya I'm on top of www.SysInternals.com became a fan with Process Explorer.
Sysinternals Suite is in my path as I find Process Monitor very helpful as well as WHOIS.
I've found with WinXP and below at least, if you run Process Monitor (log) and get a BlueScreenOfDeath, searching the log for faultrep.dll - your problem is just lines above it (depending upon your filters).
But I also use Hijackthis and have suggested it to a lot of people in my time on alt.24hoursupport.helpdesk
It's a down and dirty way of seeing
Re: (Score:2)
http://www.nirsoft.net/ [nirsoft.net] is also pretty good with its utilities.
Re:Which license, bitches? (Score:5, Informative)
http://sourceforge.net/projects/hjt/ [sourceforge.net] /me looks under license /me looks at you
Was that hard?
Many thanks to HijackThis's creator! (Score:4, Insightful)
I think the IT world collectively owes Merijn Bellekom some beers. Think about how many of us his tool has helped out over the years!
Auto detect? (Score:2)
I would like so much to have a HijackThis that runs after every program installation (and possibly every hour) that warns me each time my configuration has changed, just to know that something fishy has possibly happened.
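The "warn me when my configuration changed" idea, as an added example that is neither HijackThis code nor anything the commenters posted: a baseline-and-diff script over the Run and RunOnce autostart keys. It also illustrates the point raised earlier in the thread about 32-bit programs and the 64-bit registry: instead of shelling out to reg query, it opens each hive through Microsoft.Win32.RegistryKey::OpenBaseKey with an explicit RegistryView, which is the API-level way for a process of either bitness to read both the native view and the Wow6432Node view. The key list, the baseline file path and the report format are this example's own choices.

```powershell
# Added example (not HijackThis code): snapshot the per-machine and per-user Run/RunOnce keys,
# save the first snapshot as a baseline, and on later runs report what was added, removed or changed.
# Assumptions: the key list, the baseline path and the report layout are this example's own choices.
$BaselinePath = Join-Path $env:ProgramData 'run-key-baseline.json'
$RunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Read-RunEntries {
    # Reads every value under the Run keys in BOTH the 64-bit and the 32-bit registry views.
    # Opening the base key with an explicit RegistryView is what lets a 32-bit process see the
    # native 64-bit hive instead of its Wow6432Node redirection (and a 64-bit process the reverse).
    $entries = @{}
    $hives = @([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryHive]::CurrentUser)
    $views = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($hive in $hives) {
        foreach ($view in $views) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            foreach ($sub in $RunKeys) {
                $key = $base.OpenSubKey($sub)
                if ($null -eq $key) { continue }
                foreach ($name in $key.GetValueNames()) {
                    $id = '{0}\{1}\{2} [{3}]' -f $hive, $sub, $name, $view
                    $entries[$id] = [string]$key.GetValue($name)
                }
                $key.Close()
            }
            $base.Close()
        }
    }
    return $entries
}

function Compare-RunEntries {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Pure comparison: added, removed and changed entries. Whether a change is "fishy" is the
    # operator's call, exactly as with a HijackThis log.
    $report = @{ Added = @{}; Removed = @{}; Changed = @{} }
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) { $report.Added[$k] = $Current[$k] }
        elseif ($Baseline[$k] -ne $Current[$k]) { $report.Changed[$k] = @{ Was = $Baseline[$k]; Now = $Current[$k] } }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $report.Removed[$k] = $Baseline[$k] }
    }
    return $report
}

$current = Read-RunEntries
if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}
$baseline = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$p.Name] = [string]$p.Value
}
$diff = Compare-RunEntries -Baseline $baseline -Current $current
foreach ($kind in 'Added', 'Removed', 'Changed') {
    foreach ($k in $diff[$kind].Keys) {
        $detail = if ($kind -eq 'Changed') {
            "was '{0}' now '{1}'" -f $diff.Changed[$k].Was, $diff.Changed[$k].Now
        } else { $diff[$kind][$k] }
        Write-Output ('{0,-8} {1} => {2}' -f $kind, $k, $detail)
    }
}
if (($diff.Added.Count + $diff.Removed.Count + $diff.Changed.Count) -eq 0) {
    Write-Output 'No autostart changes since baseline.'
}
```

The first run writes the baseline; every later run, for instance from a scheduled task that fires hourly or after installers complete, prints only the delta. A legitimate software install changes these keys too, so the report is a list of changes, not verdicts. On a 32-bit Windows, or for keys that Windows does not redirect, both views resolve to the same key and an entry simply shows up twice with different view tags; the diff is unaffected because the two copies change together.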
Re: (Score:2)
That is the whole issue with using a power tool like hijackthis. Define "fishy". Besides that, you are too late after the fact. With rootkits nowadays you only find 95% of the evil stuff.
You need some virtualisation/sandboxing/fine grained access list to have an early warning system.
Fixing after the fact is the same as system restore in windows....
Another unit test for the malware writers (Score:2)
If they aren't already doing this, an open source product should make it a bit easier for the malware writers to test out how well hidden their product is (or how closely it represents the noise experienced during a normal day of computing).
Re: (Score:2)
And while I'm commenting