The Download Blog

Read all 'Trend Micro' posts in The Download Blog
August 27, 2009 5:40 PM PDT

Trend Micro's 2010 suite is sharp at the top

by Seth Rosenblatt
  • 34 comments

Trend Micro released its 2010 security products earlier this week, with three programs offering varying levels of security and service. The comparatively barebones Trend Micro Antivirus + AntiSpyware clocks in at $40, with the basic suite Trend Micro Internet Security available for $10 more and $70 for the premium Trend Micro Internet Security Pro. They all come with a full-feature 30-day trial.

There's a lot that's new in the Pro version, and some of that filters down to the other editions. Users can expect to get full Windows 7 support, auto-run disabling for USB keys, gaming and video-watching awareness so that scans don't begin while you're relaxing, and notably a behavioral detection engine that Trend Micro calls the Smart Protection Network.

Like its competitors Symantec and Kaspersky, Trend Micro's engine utilizes anonymous data from its client base to determine when a program is behaving suspiciously. From there, it will either automatically kill the process or ask for user input. As malware and virus makers get smarter and find new ways to avoid detection, the need for behavioral monitoring will only increase.

There is a series of performance enhancements, too, at least according to Trend Micro. Trend Micro is claiming that boot times are 20 percent faster, that the programs use 40 percent less RAM, that the download itself is 25 percent smaller, and that the quick scan on Windows Vista and Windows XP is 20 percent faster.

Many of the other feature changes amount to tweaks. However, for the price it's undeniable that you're getting your money's worth in the Pro version. Smartphone security support for Windows Mobile and Symbian, customizable data protection to keep names, phone numbers, and credit card numbers from leaving your computer, and a dynamic firewall make it a must-consider if you're in the market for a robust suite. Full reviews for each product are available here: Trend Micro Antivirus + AntiSpyware, Trend Micro Internet Security, Trend Micro Internet Security Pro.

Do you use a security suite? Which one? Let me know in the comments below.

May 21, 2009 4:01 PM PDT

Root out hidden infections with HijackThis

by Jessica Dolcourt
  • 11 comments

Editors' note: This article was first published on February 27, 2008, and was titled, "Clean your PC with Trend Micro HijackThis." It was updated on May 21, 2009.


Malware has gotten more sophisticated at hiding its tracks compared with a few years ago. Adware, it seems, with its pop-ups and unwanted browser toolbars, has taken a backseat to the sly, ever-dangerous, and much more lucrative realm of the botnet, also known as that class of malware that conscripts your computer into an army of spam-spewing zombies, or worse.

If you suspect your Windows computer may be compromised, you should always try running standard adware-removal programs first. Ad-Aware and Avira AntiVir Personal Free are two good starts. If they can't seem to keep the nasties at bay, Trend Micro HijackThis digs deep. For most, HijackThis will be diagnostic software for Windows XP (with high compatibility for Vista) that creates a log of your Windows Registry and file settings. It is not a spyware removal tool. However, its capability to identify commonly abused methods of altering your computer can help you (and the Internet community) determine your next course of action.

Step 1: Install it

Version 2.0.2 of HijackThis contains an installer, unlike the previous version that launched from a ZIP file or EXE. If you're using that legacy version, be sure to update. You'll find that this build also downloads a desktop icon for quick-launching.

Step 2: Scan your system

If you scan without a log file, you can always create one later on.

Trend Micro HijackThis opens with a simple interface that offers limited instruction. Running the program and interpreting its results can be confusing. Click either of the two "system scan" buttons to bring up a list of registry and file entries. Expect to see a mess of entries--even a Firefox plug-in on a completely healthy computer can produce multiple listings. If you choose to scan the system only, you can still save a record after the scan by selecting the "Save log" button on the bottom left. This will save the log as a plain text document that you'll be able to open in Notepad.

Step 3: Identify problems


Add safe entries to the Ignore List to speed up future scans.

Here's the rub--now that you've got a long list of your computer's contents, how do you determine which results are critical, and which benign?

There are a few determining factors. Some entries may be obviously tied to a legitimate program you installed. A browser helper object like Adobe PDF Reader Link Helper is clearly harmless and installs with the Adobe Reader application. Listings like these you can ignore or can add to the Ignore List to bypass in future scans. To excuse any entry from showing up in the results list in the future, click the adjacent box to add a check mark and choose the button reading "Add checked to ignorelist." See it in action in this video (Note: The video accurately demonstrates using the ignore list on a previous version of HijackThis.)

July 21, 2008 11:38 AM PDT

Column: Will you be ditching your antivirus app anytime soon?

by Robert Vamosi
  • 6 comments

For the last few months, I've been hearing some well-regarded security people tell me they are considering ditching their antivirus protection altogether. They haven't done it, but these individuals feel the days of having a special application scan to remove malware on your desktop are numbered. Malware has changed, but the applications to ferret them out have not.

Antivirus programs, as we know them today, are based on 20-year-old technology of pattern matching. Pattern matching may have worked in the days of the Michelangelo virus and even as recently as Netsky, but methodically matching each and every file on a computer against a list of known malware is getting tedious, if not archaic. In 2007, Symantec detected more than 1 million viruses, with two-thirds created within the calendar year. Loading 1 million signatures, or even a percentage of that if generic signatures are used, is a pretty serious undertaking.

That's why vendors are talking to me about newer strategies for 2009 (and beyond). Among these is the exact opposite of signature file databases--something called whitelisting. If pattern matching is just another way of saying certain bad files have been blacklisted, whitelisting goes to the other extreme: it only allows certain trusted files to run on your machine.

That's more or less what Symantec CEO John Thompson called for at this year's RSA: "If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting--where we identify and allow only the good stuff to come in--will become critical." He actually didn't say much more about whitelisting, yet everyone talks about this speech as though Thompson had provided clear guidance the year of whitelisting.

So how viable is whitelisting? Turns out we've been using it to defend against spam for years.

To see how whitelisting works on an enterprise level, I spoke with Tom Murphy, chief strategy officer for Bit9, a Massachusetts-based company that has been quietly leading the way in whitelist technology.

For several years Bit9 has been building what it calls a Global Software Registry or GSR (formerly called Bit9 Knowledgebase), cataloging "known good" and "known bad" applications and files. Murphy said Bit9 uses three methods--MD5, SHA1 and OMAC--to create a unique hash of the file and ensure that the file is what it says it is. For the moment, the catalog is used for Bit9's enterprise products. But they've entered into an agreement with Kaspersky, who will be using the registry for its 2009 desktop security products.

Bit9 is not alone. SecureWave's Sanctuary, Savant Protection, and DriveSentry have also been creating whitelisting technology for the enterprise. What's interesting is that the big guys, Google (Green Border Technologies), Microsoft (Winternals Software's Protection Manager), and now Symantec, have started paying attention to whitelisting.

Which gets us back to antivirus software.

If hosting a million antivirus signature files is daunting, how many "clean" files might there be? Think about all the versions of software that exist, not to mention the files those products create.

The downside of whitelisting, indeed the main argument, is that all those clean files outnumber the bad guys by a considerable margin. Right now, maintaining a whitelist file is impractical for the desktop.

Trend Micro (if it wants to get into the whitelist space) thinks it has the answer. For the last few years, Trend Micro has been building servers around the world to provide continuous service to its Software-as-a-service enterprise systems. Last month, Trend Micro CEO Eva Chen told me it's time to bring that SaaS service down to the desktop. Instead of having all the signature files on the desktop, the desktop app would instead ping "the cloud" and get results from the much larger database of known malware stored there.

Make no mistake, Trend Micro is still using antivirus signature databases. Chen said even after 20 years, there are still advantages to pattern-matching antivirus signature files. For one thing, she says it's faster than firing up a heuristic sandbox and testing each individual piece of malware. True, although we're talking about shaving nanoseconds between the two processes. Still, with several thousand files, those saved nanoseconds do add up. So instead of running the operation on the PC, the PC sends all its unknowns to a server in the cloud and gets the results back lickety-split. An added benefit, says Chen, is that new samples are submitted in real time and evaluated quickly. In her estimate, Trend Micro can have a new signature file for an unknown threat ready within 15 minutes.

Fifteen minutes is also the new mantra over at Symantec. For its 2009 Norton products, Tom Powledge, vice president of consumer product management at Symantec, told me the new products are lighter and faster in part because they've jettisoned the multiple copies of the signature database found in previous versions. They're also not scanning each and every file. Instead, the 2009 products will be building a trust index--that is, the app will declare certain files (say photos or MP3s) clean and then not scan them again unless the files change. He showed me a graphic where roughly 70 percent of a given machine is trusted, and only that last 30 percent is actively scanned.
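The two ideas described above, default-deny whitelisting by file hash and a trust index that skips files already judged clean until they change, sketched as an added example (not code from Bit9, Symantec, or this column). It uses SHA-256 in place of the MD5/SHA1/OMAC hashes the column mentions; the class name, file name, and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class TrustIndex:
    """Hypothetical trust index: allowlisted files are hashed once, then skipped."""
    def __init__(self, allowlist):
        self.allowlist = set(allowlist)   # known-good SHA-256 digests
        self.trusted = {}                 # path -> (size, mtime_ns) when judged clean
        self.hashes_computed = 0          # counts the expensive checks

    def check(self, path):
        """Return 'trusted' (skipped), 'allow' (hash matched) or 'block' (default deny)."""
        st = os.stat(path)
        # Size and mtime are a cheap change signal, but both can be forged;
        # a real product would watch file writes rather than rely on metadata.
        if self.trusted.get(path) == (st.st_size, st.st_mtime_ns):
            return "trusted"
        self.hashes_computed += 1
        if sha256_file(path) in self.allowlist:
            self.trusted[path] = (st.st_size, st.st_mtime_ns)
            return "allow"
        self.trusted.pop(path, None)      # a changed file loses its trusted status
        return "block"

def demo():
    """Check a constructed file twice, modify it, then check it again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.bin")
        with open(path, "wb") as f:
            f.write(b"constructed known-good contents")
        idx = TrustIndex({sha256_file(path)})
        results = [idx.check(path), idx.check(path)]
        with open(path, "wb") as f:
            f.write(b"constructed tampered contents")
        results.append(idx.check(path))
        return results, idx.hashes_computed

if __name__ == "__main__":
    print(demo())
```

The second check costs only a `stat` call, which is where the speed-up comes from; the modified file is rehashed and, being unknown to the allowlist, blocked.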

Like Trend, Norton is experimenting with faster new malware turnaround. Powledge says Norton should be updating not every 15 minutes, but every couple of minutes. This is a vast improvement from hourly or even daily updates by some antivirus vendors.

Given the improvements to the traditional antivirus programs proposed by Trend Micro and Symantec, are the days of antivirus applications numbered?

Yes.

I asked Murphy if white lists worked well enough to replace traditional antivirus protection at some companies. He answered, very diplomatically, "if (a customer) feel(s) that they have a control over the environment, some customers have removed antivirus off their machines."

I'm still not convinced that white listing is the way to go, but I do know that security solutions in the enterprise space have a way of trickling down to the desktop.

Originally posted at Defense in Depth
October 4, 2007 4:26 PM PDT

Get serious with Internet Security 2008

by Seth Rosenblatt
  • 8 comments

As Trend Micro releases an upgrade to their PC-Cillin Web security product, they've renamed it Internet Security 2008.

It's a bit less glib and reflects the way in which malware attacks have proven to have serious, life-altering consequences in the real world. CNET's Rob Vamosi has given the trialware five stars, and it's hard to argue that Trend Micro doesn't offer a comprehensive suite of tools to keep you safe.

However, user complaints about previous versions indicate mixed reviews. Some loved PC-Cillin, others felt that the cure was worse than the disease. Take a look at the product yourself and let us know what you think in TalkBack below or in our newly revamped forums.

July 24, 2007 4:21 PM PDT

Mobile carriers' message: In SMS spam, users pay

by Jessica Dolcourt
  • 5 comments

My father's Motorola E815 from Verizon is suffering chronic SMS, or text message, spam. At first, the unwanted messages trickled in--religious messages with pictures of saints one time, pharmaceutical marketing another. Then the spam rate escalated. After one spammy text message yesterday and two this morning, Dad decided he wanted out.


Carriers let you block messages, but won't filter spam.

(Credit: CNET Networks)

"Out" in his case, and in the case of most North American mobile phone users, is as much about the phone bill as it is receiving unwanted texts. Service providers like Verizon and T-Mobile charge for inbound and outbound SMS activity, either per message, generally 10 cents to 15 cents per outgoing text message, or as part of a larger service, usually between $5 and $10 more per month depending on the plan. Data downloads cost extra too, so spam texts with image attachments ratchet up the bill. "This was becoming an expensive habit," says Dad.

The kicker, of course, is that it's not his habit....


About The Download Blog

Download.com editors cover the world of downloadable software and beyond.
