Best Trojan Horse detector?

Discussion in 'Security and Privacy' started by xpirinxpuser, 2003/01/21.

Thread Status:
Not open for further replies.
  1. 2003/01/21
    xpirinxpuser

    xpirinxpuser Inactive Thread Starter

    Joined:
    2002/05/08
    Messages:
    5
    Likes Received:
    0
    Hi there. Newbie of sorts to PCs. What's the best program for detecting Trojan Horses? I didn't find much in your archives, and was hoping someone experienced would be kind enough to share some knowledge.

    Thanks very much in advance. It seems as if XP is more vulnerable to TJs - is this so? If so, I'm going back to Macs.

    Thanks again!
     
  2. 2003/01/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Any good AV program should pick up Trojans as they will other viri. There are several "specialist" programs around designed just for Trojans but I haven't needed to mess with any since Norton has kept me clean for some years now.

    A good firewall that screens for outbound as well as inbound packets is a good idea since if you do get hit with a Trojan that sneaks thru, it will trap any attempts to "phone home" and let you know you have a problem.

    Microsoft systems are no more and no less vulnerable to Trojans than Mac/Linux/whatever. But since the same code won't work on more than one OS and since the M$ market is a nice, large target, there are more written to infect those systems than the others.
     
    Newt,
    #2

  4. 2003/01/21
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
  5. 2003/01/21
    xpirinxpuser

    xpirinxpuser Inactive Thread Starter

    Joined:
    2002/05/08
    Messages:
    5
    Likes Received:
    0
    Thanks for the info!

    Much appreciated! I have the latest Norton with Firewall protection, so I guess I'm good to go. Thanks for the information!
     
  6. 2003/01/21
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
  7. 2003/01/21
    xpirinxpuser

    xpirinxpuser Inactive Thread Starter

    Joined:
    2002/05/08
    Messages:
    5
    Likes Received:
    0
    Ok, so...

    If I use this and no open ports are found then that's good news I assume. Isn't that what it's going to check for - open ports?

    That's really all I know about TJs, just the open port issue.

    Thanks for trying to educate this novice!!!
     
  8. 2003/01/21
    schamish

    schamish Inactive

    Joined:
    2002/11/08
    Messages:
    241
    Likes Received:
    0
    does Norton av protect against trojans?

    The people who sell anti-trojan programs claim that common anti-virus programs do not protect against Trojans? Is this true? :confused:
     
  9. 2003/01/22
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    This is an old(ish) test/comparison but I think the results still hold good. The type of Trojans which there is a realistic chance of you encountering will be detected by either an AV or an AT.

    HTH.
     
  10. 2003/01/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    That app will check for port issues but there is a little more to the whole Trojan Horse thing.

    - They are often bundled with other viral payload and will do some damage not related to the Trojan itself. Disabling your AV program and software firewall is a common Trojan add-on.

    - The classic Trojan Horse is a client piece for remote control. Once it is loaded, it can announce itself and anyone with the host piece can connect to and control your PC.

    To do the remote control, there will have to be a TCP/UDP port open that the Trojan is equipped to use. If none is available, the host can't reach the client piece. But the client piece is perfectly happy waiting for years.

    Problem is, you will have a few ports open if you do anything on the internet at all. Port 80 for http. 25 & 110 for mail. 20 & 21 if you do FTP. And others for any of the messenger apps, online games, etc.

    The simpler firewalls like the ones that come with the home router/switches or the one built into XP are port open/port closed apps so a trojan that can use port 25 will work if you use email.

    The better firewalls (stateful, for example) will also check the traffic thru a port and decide if it "fits" or not. So HTTP packets would be able to use port 80 but trojan remote control ones wouldn't. These firewalls will also warn you if an app on your PC is trying to send thru a blocked port so you can look for a critter.
     
    Newt,
    #9
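An added example, not part of the original thread: a sketch of the difference Newt's post describes between a port open/closed filter and one that checks whether traffic "fits" the port. The function names, process names, sample flows and the simplified protocol patterns are all assumptions made for illustration.

```python
import re

# Ports the user has opened, as listed in the post: web, mail, FTP control.
ALLOWED_PORTS = {80, 25, 110, 21}

# Simplified shape of the first client line on each port (assumption, not a full parser).
EXPECTED_FIRST_LINE = {
    80: re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    25: re.compile(rb"^(HELO|EHLO) \S+\r\n", re.I),
    110: re.compile(rb"^(USER \S+|APOP \S+ \S+|CAPA|QUIT)\r\n", re.I),
    21: re.compile(rb"^(USER \S+|QUIT)\r\n", re.I),
}

def port_only_filter(port):
    """Port open/port closed firewall: only the port number matters."""
    return port in ALLOWED_PORTS

def inspecting_filter(port, first_bytes):
    """Allow only if the port is open AND the payload fits that port's protocol."""
    pattern = EXPECTED_FIRST_LINE.get(port)
    return (port_only_filter(port) and pattern is not None
            and bool(pattern.match(first_bytes)))

def review(flows):
    """Return (process, port) for flows a port-only filter passes but inspection blocks."""
    return [(f["process"], f["port"]) for f in flows
            if port_only_filter(f["port"])
            and not inspecting_filter(f["port"], f["data"])]

# Constructed sample outbound flows (not captured traffic).
SAMPLE_FLOWS = [
    {"process": "browser.exe", "port": 80,
     "data": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"},
    {"process": "mailer.exe", "port": 25, "data": b"EHLO client.example.com\r\n"},
    # Non-SMTP bytes on the mail port: passes a port-only filter.
    {"process": "unknown.exe", "port": 25, "data": b"\x01\x00\x10READY host=PC1"},
    # Same bytes on a closed port: both filters block it.
    {"process": "unknown.exe", "port": 50000, "data": b"\x01\x00\x10READY host=PC1"},
]

if __name__ == "__main__":
    for proc, port in review(SAMPLE_FLOWS):
        print(f"ALERT: {proc} sent non-protocol data on allowed port {port}")
```

Only the third flow is reported: it is the one case where the two filters disagree, which is the gap the post points out for anyone who leaves port 25 open for email.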
  11. 2003/01/23
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    not too long ago i finally started to look at security as a multi-layered defense comprised of many processes, rather than as a single program... which caused me to turn my attention to anti-trojan tools.

    i did a lot of research, read a lot of reviews and newsgroups and forums. i opted for a free trial period with Tauscan, but quickly grew dissatisfied with their underwhelming tech support.

    i then switched to a free evaluation period with TrojanHunter, and i'm currently about a week or so into that. i must say that i am real pleased with TH, for a variety of reasons. i have been learning a ton of stuff about AT tools, and i am now convinced that they are a necessary component for anyone's security system.

    TH has sensational tech support, the scanner is fast, nicely configurable, there is a memory resident scanner in addition to a file scan engine, the heuristics have been enhanced, and a user can add their own detection rules. admittedly i am not sophisticated enough yet to be writing rules, but i like that the capability exists with TH.

    some folks will say that an AT is not necessary if you have a good AV coupled with a good firewall to snag outbound attempts, yet increasingly trojans and viruses are written to disable these lines of defense. i have come to believe that it is better to be proactive in my search for trojans on my machine, rather than to rely on a firewall to stop any of them from "calling mommy".

    an additional bit of research i did was to try to identify how many trojans were currently in the symantec (norton) database. i saw that currently there were about 63,000 viruses in the data base, and i know that that figure includes trojans, but i could not find a separate list of trojans... so i went here and punched in .trojan into the search engine and it spewed out this list of 3500 trojans.

    now i have no easy way of verifying this, but i believe (because of the high number) that the 3500 couldn't be "unique" trojans, because that's more than any of the anti-trojan tools have in their databases (1,700 is a current normal or average number of unique trojans, or actual trojan servers, in a vendor's database). so i concluded that the 3500 from symantec must be a combination of unique and variants.

    and since i'm seeing anti-trojan tools with about 11,000 variants in their databases, my conclusion would be that symantec's trojan database is about 1/3 of the amount one finds in a tool like TrojanHunter or BOClean.

    finally, Mischel Internet Security (TH) has an informative paper titled The Complete Windows Trojans Paper, that i recommend to anyone who wants to learn more about trojans. the paper seems a tad outdated, but i think it is being updated from time to time... still excellent reading.

    i believe that i will be purchasing a couple licenses from TH before my trial period expires. i am currently running the software on three different operating systems, win2000, winxp home and win98se. it runs beautifully and i am feeling good knowing i have it loaded. there are also about a dozen or more extra cool things about TrojanHunter that i am sure i failed to mention. check out the support forums too, for more insights.

    hth!

    :)

    mark
     
  12. 2003/01/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Great information mr.mark. My guess is that while the AV packages may not have the signature of every Trojan out there, the behavior is similar enough that it will scream "I'm a bug" to the AV package.
     
  13. 2003/01/23
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    thanks, newt! as i recall, it was one of your posts that had some helpful links included that got me started off on this investigative road. :)

    in order for the AV to scream, "i'm a bug", each user had better have his or her heuristics cranked to maximum levels, i would think.

    i'm really looking at 'configurable vulnerabilities', newt, focusing lately on how default settings can let a user down when a tight perimeter is most needed.

    one example i see is nav's email scanning settings. there are about five options to select from, to tell nav what to do if it detects an incoming virus. one of the choices is 'Ask me what to do'. that's a problem setting, imo.

    if someone using the puter isn't familiar with security issues, maybe they'll just click anything just to get rid of the prompt. or even if the user is knowledgeable, a mistake can be made when rattled by the virus warning.

    i recommend the nav setting that says, "Repair then quarantine if unsuccessful". imo, that is a perfect choice! interestingly, that is NOT nav's recommended setting! nav recommends "Automatically repair the infected file", with no mention in the setting of what is to be done if the file can not be repaired. i've often wondered why nav would choose that setting to recommend.

    just some things for folks to think about

    :)

    mark
     
  14. 2003/01/25
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    i've had ample time to test the program on three operating systems... winxp home, win2000 and win98se. i began with v2.54 and subsequently upgraded to v3.0 and then v3.01.

    i've encountered only very minor probs here and there, some due to program updates and some due to operator (moi) error or lack of knowledge. <g> the minor program bugs were addressed very quickly and very efficiently, i.e., they were fixed right away!

    the tech support i have received from magnus and from the folks on the TH forum has been superb. i am super happy with the product AND with the support.

    fwiw i purchased a 2 user license tonight.

    :)

    mark
     