   Author  Topic: TrojanHunter file gen.dll  (Read 335 times)
Jrb
Full Member
TrojanHunter file gen.dll
« on: Dec 1st, 2007, 11:21pm »

Hi,
 
May I start a thread about the TrojanHunter file gen.dll ?
 
C:\Program Files\TrojanHunter 5.0\RuleFiles\Gen.dll
 
Some observations and some questions.
 
Like the .trf files, gen.dll is in the sub-directory RuleFiles
 
When a definition update is published, it is usually one or more of the .trf files that are updated; once in a while a new .trf file is added.
Sometimes, together with such a .trf file update, the file gen.dll is also updated.
Sometimes only the file gen.dll is updated.
 
I suppose that this file gen.dll covers the more Generic Trojan detections.
Am I right here?
 
What I am curious about, is this:
I have seen on occasion that, when gen.dll was updated, its checksum and date were changed but not its size.
And that is what puzzles me......

Jrb
Full Member
Re: TrojanHunter file gen.dll
« Reply #1 on: Dec 11th, 2007, 10:38pm »

on Dec 1st, 2007, 11:21pm, Jrb wrote:

 
-snip-
 
 
C:\Program Files\TrojanHunter 5.0\RuleFiles\Gen.dll
 
Some observations and some questions.
 
Like the .trf files, gen.dll is in the sub-directory RuleFiles
 
When a definition update is published, it is usually one or more of the .trf files that are updated; once in a while a new .trf file is added.
Sometimes, together with such a .trf file update, the file gen.dll is also updated.
Sometimes only the file gen.dll is updated.
 
-snip-
 
What I am curious about, is this:
I have seen on occasion that, when gen.dll was updated, its checksum and date were changed but not its size.
And that is what puzzles me......

 
No reply from anyone?

Jrb
Full Member
Re: TrojanHunter file gen.dll
« Reply #2 on: Dec 11th, 2007, 11:55pm »

On right, no reply was posted by Magnus and Gavin.
Don't ask me why they didn't post a reply, I really don't know, and I also don't know why the moderators didn't reply. I am completely in the dark....
And I also don't know why the folks who post TH updates at several boards didn't reply.
 
Does anybody here check their files and dates at all.....?
..........
 
So, let's get back to the file gen.dll
 
See my posting here:
http://www.misec.net/forum/board/RulesetUpdates/1197344389
 
Once again:
What is happening with gen.dll ?
Why do I see that file being updated while its size isn't changed?
 
Here is a proof of the latest change, as shown by file-integrity-checker NISFileCheck:
 
===
Application: c:\program files\trojanhunter 5.0\rulefiles\gen.dll
Status:  Changed
Version old: N/A
Version new: N/A
Size old: 212992
Size new: 212992
Date old: 2007-11-29  14:08:34
Date new: 2007-12-11  22:28:04
RMD160 Hash old: 88CEAE3EB72CF045B19C80A60341D41C44E17704
RMD160 Hash new: 86F0C0368E2B8A85C240FC4B24007BFE166EF0CB
===
 
I have seen such a change before.
 
My question is not only about the theory behind it.
 
It is also about a very down-to-earth issue:
As I said earlier, sometimes only gen.dll is updated; and sometimes gen.dll is updated later when there was previously a ruleset update.
BUT : a gen.dll update might cause my date-stamp to go to the next day.
And that is causing confusion for those of us who are posting TH updates at other boards, because such a gen.dll update is usually not posted by Gavin/Magnus at the forum-section for updates.
 
So, my question has several parts (but not limited to these):
1- what does this file gen.dll do (being in the subdirectory RuleFiles)?
2- when is this file updated?
3- does a "change" of this file have any effect on the detection of Trojans, while its size has not been changed?
4- why do I not see a posting by Gavin/Magnus in the update-forum-section when this file has been "changed"?
5- when only a "change" in gen.dll (while the number of ruleset entries has not been changed and no posting by Gavin/Magnus is published in the update-forum-section) is causing a change in the date-stamp, what should the update-posters do?
 
 

siliconman01
Global Moderator
Re: TrojanHunter file gen.dll
« Reply #3 on: Dec 12th, 2007, 1:19am »

I emailed Magnus/Gavin requesting that they respond.  I simply do not know the answers you are seeking concerning gen.dll.  
 
I "think" this specific DLL is used for detection of the "generic" block of Trojans.  That's about all that I know on it.  It's my understanding that this is modified/updated/released by Magnus only.  Gavin handles the rulesets releases.  
 
Sorry about the no response to your initial post.  To be totally honest, I read it and then it fell off my radar screen during a flurry of infection posts/corrective actions from some other users.   :(
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Magnus
Administrator
Re: TrojanHunter file gen.dll
« Reply #4 on: Dec 12th, 2007, 5:17am »

Hi,
 
Gen.dll is part of the detection engine. If you see a change in the checksum but not the size, that is due to the way the PE format works - it's aligned on disk in 512-byte chunks for each PE section, and thus if only a small change is made it can fit within the existing section size and no change to the overall file size results. I wouldn't recommend update posters to post any notices as the file can change several times in a short time span as we adjust the detection capabilities.
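
The effect described in the reply above, as an added example that is not part of the original thread and is not TrojanHunter code: it builds two constructed minimal PE images whose code differs by 60 bytes, then reads the section table to show the padding left by 512-byte file alignment. The names build_pe, section_slack and compare are hypothetical, and SHA-256 stands in for the RMD160 hash used in the NISFileCheck report.

```python
import hashlib
import struct

FILE_ALIGN = 512  # on-disk alignment from the post above

def align_up(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a

def build_pe(code):
    """Constructed minimal PE32 image with a single .text section (sample input)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)       # Section/FileAlignment
    raw = align_up(len(code))                                  # SizeOfRawData
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                       raw, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(FILE_ALIGN, b"\0") + code.ljust(raw, b"\0")

def section_slack(pe):
    """Return (FileAlignment, [(name, VirtualSize, SizeOfRawData, slack)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt, = struct.unpack_from("<I", pe, 0x3C)                   # offset of "PE\0\0"
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    file_align, = struct.unpack_from("<I", pe, nt + 24 + 36)
    table = nt + 24 + opt_size                                 # first section header
    rows = []
    for i in range(nsect):
        name, vsize, _va, raw = struct.unpack_from("<8sIII", pe, table + 40 * i)
        rows.append((name.rstrip(b"\0").decode(), vsize, raw, max(raw - vsize, 0)))
    return file_align, rows

def compare(old, new):
    """What a file-integrity checker would report for two builds."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    return {"size_changed": len(old) != len(new),
            "hash_changed": digest(old) != digest(new)}

if __name__ == "__main__":
    old = build_pe(b"\x90" * 700)    # constructed "before" build
    new = build_pe(b"\x90" * 760)    # 60 bytes more code, still fits in 1024
    print(section_slack(old), section_slack(new), compare(old, new))
```

The size in the NISFileCheck report above, 212992 bytes, is an exact multiple of 512 (416 × 512), which is what this alignment produces.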

Jrb
Full Member
Re: TrojanHunter file gen.dll
« Reply #5 on: Dec 12th, 2007, 1:33pm »

Hi Magnus,
 
Thank you very much !!!
I really appreciate your answer. Now I understand better what is happening (well, I'm trying to).
 
Thanks also to you Siliconman !!!
 
Warm regards,
Jan.
« Last Edit: Dec 12th, 2007, 11:50pm by Jrb »