Slashdot Mirror


Security Tool HijackThis Goes Open Source

wiredmikey writes "The popular free security tool HijackThis has been open sourced by its owner, Trend Micro. The tool scans systems to find settings that may have been modified by spyware, malware or other programs that have wiggled their way onto a system and caused problems. Downloaded over 10 million times, HijackThis generates reports to help users analyze and fix an infected or problem computer. But the tool is not designed for novices – and doesn't actually determine what's good or bad. That's up to you, but it is a good way to keep an eye on things and possibly locate anomalies that may have been missed by other security products. Trend Micro warns that if you don't know what you're doing, it's probably not a good idea to make any changes to your computer settings and system files. Trend Micro acquired the tool from creator Merijn Bellekom in 2007, and has offered it for free ever since, but now is making the code available to the public. The code, originally written in Visual Basic, is now officially available at Sourceforge here."

31 of 101 comments

  1. Free = no good by Ritz_Just_Ritz · · Score: 4, Funny

    My PHB says that free stuff can't be any good. Surely, we'd be much better off by throwing 7 figures at Symantec. ;)

    1. Re:Free = no good by bws111 · · Score: 4, Insightful

      More likely he says that free stuff without vendor support is no good, and for most businesses he is right.

    2. Re:Free = no good by jo_ham · · Score: 3, Funny

      If you use Symantec you'll certainly be throwing *something* at them.

    3. Re:Free = no good by Lumpy · · Score: 4, Funny

      7 figures? You guys only buy low grade garbage. You should buy 8 or 9 figure solutions.

      --
      Do not look at laser with remaining good eye.

    4. Re:Free = no good by Creepy · · Score: 4, Insightful

      That is if you need to have accountability, such as selling or providing to a customer (this would be the latter - IT provides for its "customers" which are end users to them) but I think our developers use notepad++ for editing files more than any other program, so there are exceptions, and let's face it - if that tool breaks, there's always notepad. It is on our site license approved software download page even (for free and commercial tools we have a site license to download and self install), so it has passed through upper management and legal, but I'll admit the one there is an old GPL-2 licensed version - I don't know if it hasn't been updated because of legal concerns about GPL-3 or they just haven't gotten around to it, though (I know GPL-3 libraries are forbidden, but not sure about apps).

      In the case of HijackThis you are responsible for your own accountability, since it doesn't remove anything unless you tell it to, and a good IT person will back up the registry before making any changes to it (and know what is and is not a legit program).

    5. Re:Free = no good by newcastlejon · · Score: 2

      If you were a hobbyist, Linux was great, and it goes without saying that it had what it took to be turned into something great. Still, when you ask a pro what he thinks of what was, at the time, a toy, the response was predictable.

      What galls me in retrospect is that I was a hobbyist, and the admin was not what I now consider a pro, considering how badly run the network was in those days. With respect to your comment on Linux being a toy at that time, all I can say is that you've overestimated my age by quite a bit: at that time Red Hat were doing pretty well, all things considered.

      Of course, if I was looking for enthusiastic encouragement then talking to an overworked admin that had to deal with a couple of thousand students was probably a bad idea.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.

    6. Re:Free = no good by mysidia · · Score: 2

      So what's the business need of Symantec's Endpoint Client? Malware steamrollers over it all the time, even with the latest definitions.

      That's because the software fails to do what it's actually supposed to do. If the software were effective, the featureset would make it a clear winner over the free product. Because in actual practice the Symantec software doesn't do what it's supposed to do, an Engineer experienced with it could tell you that all those checkboxes are worthless.

      In a number of large companies, corporate management fails to make a distinction between what the software vendors' salespeople say their software does, and what it actually does in practice.

      I'm definitely not holding up Symantec as a product you should consider using. But there are many alternatives that do what they are supposed to do, and have the must-have features you really need for assuring Enterprise security.

      And HJT still isn't the answer for endpoint security.

    7. Re:Free = no good by Rakishi · · Score: 2

      If the infection beats the protection, then the cleanup must be fast and fully automated, otherwise it's more efficient to re-image in this situation.

      Define more efficient. Do the hours upon hours someone spends re-installing and re-configuring their system after a re-image count? What about the time spent reloading data from backups? And the time making an image because the last backup was a week ago? Then having to manually reload the files that have changed since that time?

    8. Re:Free = no good by mysidia · · Score: 3, Insightful

      Do the hours upon hours someone spends re-installing and re-configuring their system after a re-image count?

      The image is supposed to be taken after the install is fully configured with all the role-specific software.

      What about the time spent reloading data from backups?

      No data requiring backup is allowed to be on endpoints. Any documents should be in the user's profile which gets redirected to a place on the server.

    9. Re:Free = no good by onepoint · · Score: 2

      it's a tool, and the tool is only as good as the person using it.
      I love it since it helps me examine the problems before trying a solution.
      is it an endpoint solution for the masses ... nope not one bit.
      is it a good tool for the IT department to have on the flash drive at all times ... Yep, it's a tool to look inside before doing the surgery.

      --
      if you see me, smile and say hello.

    10. Re:Free = no good by X0563511 · · Score: 2

      Not everyone works in a functional cubicle where they all use the same software to do the same thing, and the only thing that shouldn't be persistent is the output data itself.

      You're confusing bean counters, data entry, and script readers with just about everyone else who needs some flexibility.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  2. Still in Visual Basic by svick · · Score: 5, Informative

    Since it was "originally written in Visual Basic", I wonder what language it uses now?

    It turns out, it still uses Visual Basic. Not sure why the summary was written that way.

  3. Re:Where? by Foxhoundz · · Score: 5, Informative

    They're using Subversion to manage the code: http://hjt.svn.sourceforge.net/viewvc/hjt/

  4. Java trapped by tepples · · Score: 2

    Say I find a Windows PC, remove its hard drive for analysis, put it in a USB enclosure, and mount it read-only on a Linux box to make the scan process immune to boot-sector malware. Is there a Free compiler capable of compiling Visual Basic code? As of a year ago, there wasn't. If not, the program is Java trapped.*

    * The term's origin is historical; Java itself is no longer Java trapped, but plenty of other languages and APIs are.

    1. Re:Java trapped by Anonymous Coward · · Score: 4, Insightful

      You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

    2. Re:Java trapped by Voyager529 · · Score: 5, Informative

      You could always get a life, realize that operating systems are not the end all of existence, and use a Windows machine to scan the hard drive.

      This.

      If you're that averse to installing Windows on something, check out some of the bootable diagnostic tools like the UBCD4Win project, the newer releases of Hiren's Boot CD (that are now pirated-software free), or HawkPE. They run right off the disc and have HijackThis - along with a plethora of other cleanup tools - pre-configured.

    3. Re:Java trapped by icebraining · · Score: 2

      Despite the similar name, they're not the same. Mono supports Visual Basic .NET, which is a language both syntactically and semantically different.

    4. Re:Java trapped by LordLimecat · · Score: 2

      It doesn't matter terribly much. As anyone who does this type of thing might know, most (basically all) of these types of Windows-based programs which access the registry rely on kernel and system mechanisms to read/write the registry.

      In other words, it's great if you have it running under Wine, but it won't actually do anything because Wine doesn't provide mechanisms for reading an actual NT registry. There are two programs I know of which re-implement those mechanisms under Linux: the NT Password reset / editor, and Raw Registry Editor -- either of which will allow Linux to open an NT registry.

      And honestly it makes sense, since there is no reason to expect one to use HijackThis outside of Windows in 99% of the cases, and it would be rather like expecting The Gimp to implement ext4 read / write functions so that one can launch it under windows and access files on a Linux FS: it adds an enormous amount of complexity to the project with minimal gain.

    5. Re:Java trapped by LordLimecat · · Score: 2

      The point of the thread was whether it would compile under Linux. It might, but it wouldn't do anything as it would be relying on functions that Linux does not supply.

      I mean, I'm sure HJT runs fine under Wine, but I'll bet the scan comes up empty every time.

    6. Re:Java trapped by eldorel · · Score: 2

      I hate to feed the troll, but people reading this thread might not be aware of this.

      FACT: Attempting to clean a virus with the same os it was designed to infect is NOT a good idea.

      There are a lot of viruses that are designed to exploit things like malformed shortcut files, bugs in the way windows mounts hard drives, or even bugs in the code that checks for the amount of free space on a drive. Ref:(google: "lnk exploit")

      If you connect a drive infected with one of these viruses to a windows computer, it WILL get infected.

      Most of the examples I gave have been hotfixed via windows update, but new exploits are discovered daily.

      Move the drive to a different system, scan using live cds or a write protected linux drive, and flash the bios of the original pc.
      Otherwise you run the risk of the virus infecting your cleanup system.

    7. Re:Java trapped by jackbird · · Score: 2

      Then you boot from a windows repair DVD that you burned from an ISO downloaded from Microsoft, open a shell, and type either fixmbr \device\harddisk0 or bootrec /fixmbr to overwrite the boot sector with a good one. Then you can at least trust the boot sector.

    8. Re:Java trapped by LordLimecat · · Score: 2

      Because its goal is to scan said proprietary platform, using said proprietary platform's system files?

      I'm not seeing the problem here. It was written for Windows, using Windows APIs, to scan the Windows registry, using an MS programming language.

      Do you really have the nerve to ask them to rewrite the whole thing in Java or C++, and also would you please re-implement all the registry and NTFS APIs so that it can run from Linux? How bout everyone be grateful that we have some source, instead of being whiny OSS fanatics?

  5. Not just for helpdesk and your family by ReallyEvilCanine · · Score: 5, Interesting

    HijackThis ain't just for helpdesk monkeys; we use it constantly in Enterprise software testing. Server works fine, Client works fine, OS checks out, software ain't working. Run HT and find the culprit pretty quickly, and when your customers are telcos and banks doing short-cycle upgrades for occasionally legit reasons, your on-site guys need to find fast answers.

    1. Re:Not just for helpdesk and your family by DigiShaman · · Score: 4, Informative

      I prefer Autoruns, Process Explorer, and Process Monitor.

      Short of nuke and paving the machine, I can clean up even the most foul and neglected of servers and workstations. Sometimes it's just more cost effective to replace it with a new one including data migration. YMMV.

      http://technet.microsoft.com/en-us/sysinternals/bb545027

      --
      Life is not for the lazy.

    2. Re:Not just for helpdesk and your family by LordLimecat · · Score: 2

      Second. HJT was replaced by the Sysinternals top 3 (Autoruns, ProcessExplorer, Process Monitor) about the time TrendMicro acquired it and stopped maintaining it.

      It was useful for some things, but Autoruns very quickly surpassed it, and virus removal (what HJT was supposedly better at) wasn't really doable once advanced rootkits started appearing around that time and HJT took no countermeasures.

      Autoruns is also a lot better laid out, and is constantly updated with new features.

    3. Re:Not just for helpdesk and your family by ReallyEvilCanine · · Score: 3, Interesting

      I love SysInternals and have the original Winternals files on an old 3.2 SCSI-II somewhere (or maybe buried somewhere in a /win//utils/OS/win directory on my server). Run as many SysInternals as you want and find me the BHO that's preventing an ActiveX control from passing info through a hidden helper browser window. You can sit all day with Proc* looking for that. I want to find a bad thread or spin or memleak, yeah, SysInternals all the way.

      HT is by no means dead; you can spend a lot of extra time putting a screw through a board with a hammer but a screwdriver is probably the better and more efficient choice for the job.

    4. Re:Not just for helpdesk and your family by Trax3001BBS · · Score: 2

      Oh ya, I'm on top of www.SysInternals.com; became a fan with Process Explorer.

      Sysinternals Suite is in my path as I find Process Monitor very helpful as well as WHOIS.

      I've found, with WinXP and below at least, that if you run Process Monitor (log) and get a BlueScreenOfDeath,
      searching the log for faultrep.dll shows your problem just lines above it (depending upon your filters).

      But I also use Hijackthis and have suggested it to a lot of people in my time on alt.24hoursupport.helpdesk

      It's a down and dirty way of seeing how things look, I'll run it every so often then paste the results
      to http://hijackthis.de/en bypassing the need to log in to Trend Micro.

  6. Many thanks to HijackThis's creator! by acidradio · · Score: 3, Insightful

    I think the IT world collectively owes Merijn Bellekom some beers. Think about how many of us his tool has helped out over the years!

  7. Auto detect? by Anonymous Coward · · Score: 2

    I would like so much to have a HijackThis that runs after every program installation (and possibly every hour) that warns me each time my configuration has changed, just to know that something fishy has possibly happened.
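
The baseline-and-diff monitor the comment above asks for, as an added example that is not part of the original thread and not HijackThis or Trend Micro code. It snapshots the per-machine and per-user Run/RunOnce registry keys (an assumed representative subset of the autostart locations such tools inspect), stores the first snapshot as a JSON baseline, and on later runs reports every entry that was added, removed or changed. The registry reader only works on Windows; the two sample snapshots at the bottom are constructed so the diff logic can be exercised anywhere. Scheduling it (Task Scheduler, or a hook after each installer run) is left to the operator.

```python
"""Autostart-change monitor: snapshot the Run/RunOnce keys and diff against a baseline."""
import json
import os
import platform
from typing import Dict

# Assumption: a representative subset of the autostart locations such tools check.
AUTORUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

Snapshot = Dict[str, str]  # "HIVE\\key path\\value name" -> command line


def collect_autoruns() -> Snapshot:
    """Read every value under AUTORUN_KEYS. Returns {} when not on Windows."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # key does not exist on this machine
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                snap[f"{hive}\\{path}\\{name}"] = str(data)
                index += 1
    return snap


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, dict]:
    """Return the added / removed / changed entries between two snapshots."""
    added = {k: current[k] for k in current if k not in baseline}
    removed = {k: baseline[k] for k in baseline if k not in current}
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff: Dict[str, dict]) -> str:
    """Human-readable summary; an empty diff reports that nothing changed."""
    lines = []
    for k, v in diff["added"].items():
        lines.append(f"ADDED    {k} = {v}")
    for k, v in diff["removed"].items():
        lines.append(f"REMOVED  {k} (was {v})")
    for k, (old, new) in diff["changed"].items():
        lines.append(f"CHANGED  {k}: {old} -> {new}")
    return "\n".join(lines) if lines else "no autostart changes since baseline"


def check_against_baseline(baseline_path: str, current: Snapshot) -> Dict[str, dict]:
    """Compare `current` with the stored baseline, creating the baseline on first run."""
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w", encoding="utf-8") as fh:
            json.dump(current, fh, indent=2, sort_keys=True)
        return diff_snapshots(current, current)  # first run: nothing to report
    with open(baseline_path, encoding="utf-8") as fh:
        baseline = json.load(fh)
    return diff_snapshots(baseline, current)


# Constructed sample snapshots (not real machine data) for exercising the diff.
SAMPLE_BASELINE: Snapshot = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\system32\SecurityHealthSystray.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_CURRENT: Snapshot = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\system32\SecurityHealthSystray.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe /background",  # command changed
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\alice\AppData\Roaming\updater.exe",  # new entry
}

if __name__ == "__main__":
    live = collect_autoruns()
    if live:  # on Windows: compare the real keys with autoruns-baseline.json
        print(format_report(check_against_baseline("autoruns-baseline.json", live)))
    else:     # elsewhere: show the report for the constructed samples
        print(format_report(diff_snapshots(SAMPLE_BASELINE, SAMPLE_CURRENT)))
```

Like HijackThis itself, this only reports that something changed; deciding whether a new or altered entry is legitimate is still up to the reader. Extending it to the other locations HijackThis lists (startup folders, BHOs, services) means adding collectors that produce the same `Snapshot` shape; the diff and report code stays the same.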

  8. Re:Which license, bitches? by liamevo · · Score: 5, Informative

    http://sourceforge.net/projects/hjt/ /me looks under license /me looks at you

    Was that hard?

  9. A second vote for Russinovich's tools by Sycraft-fu · · Score: 2

    I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

    I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.