
Using Sysinternals to check running Processes for Malware


7 replies to this topic

#1 JohnC_21
  • Members
  • 23,207 posts
  • Gender:Male

Posted 12 December 2015 - 12:47 PM

Interesting article and video showing Sysinternals using Virustotal to check running processes. If you are not sure what you are doing then don't delete the process. It may be a false positive.

 

http://www.csoonline.com/article/3014290/security/a-free-almost-foolproof-way-to-check-for-malware.html





#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 December 2015 - 03:12 PM

Didier Stevens created a similar video a few years ago...Using Process Explorer's Find Window's Process

If you prefer reading rather than watching a video, then this 10 lesson tutorial is very comprehensive...Using Sysinternals Tools like a Pro.

These are some other tools that allow you to submit files for online analysis. Right-clicking on a process in ProcessHacker or System Explorer allows you to send it (File Check) to Jotti's virusscan or VirusTotal. Process Hacker also allows sending it to Comodo. Right-clicking on a process in AnVir TaskManager Free allows you to send it to VirusTotal. Right-clicking on an entry in AutoRuns allows you to send it to VirusTotal.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
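The right-click submissions listed above all work the same way underneath: Process Explorer and Autoruns hash the on-disk image and look the hash up at VirusTotal, and only an unknown hash leads to an upload (if that option is enabled). The same hash-first triage, together with the false-positive caveat from the opening post, can be scripted. The following is an added Python example, not code from this thread or from Sysinternals; the process list, the file contents and the detection counts are constructed stand-ins for what a real lookup would return, and the `fp_threshold` cut-off is an assumed heuristic, not a VirusTotal rule.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Process:
    """A running process as Process Explorer would list it (constructed stand-in)."""
    pid: int
    name: str
    image_path: str


def sha256_of_file(path, chunk_size=65536):
    """Hash the on-disk image, streaming so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(hits, engines, fp_threshold=3):
    """Turn a 'hits/engines' detection ratio into a triage decision.

    A handful of detections out of dozens of engines is the classic
    false-positive pattern the opening post warns about, so it is flagged
    for review rather than treated as malicious. The threshold is an
    assumed heuristic, not a VirusTotal rule.
    """
    if hits == 0:
        return "clean"
    if hits < fp_threshold:
        return "possible false positive - investigate before acting"
    return "likely malicious - investigate"


def triage(processes, verdicts, fp_threshold=3):
    """Hash every process image and look it up in the verdict table.

    `verdicts` maps sha256 hex -> (hits, engines); it stands in for the hash
    lookup the Sysinternals tools perform against VirusTotal. Images whose
    hash is unknown are reported as such rather than uploaded anywhere.
    """
    report = []
    for proc in processes:
        digest = sha256_of_file(proc.image_path)
        verdict = verdicts.get(digest)
        if verdict is None:
            status, ratio = "unknown hash - not seen by the verdict source", None
        else:
            hits, engines = verdict
            status, ratio = classify(hits, engines, fp_threshold), f"{hits}/{engines}"
        report.append({"pid": proc.pid, "name": proc.name,
                       "sha256": digest, "ratio": ratio, "status": status})
    return report


def demo():
    """Run the triage over constructed files and verdicts; returns the report."""
    # Constructed image contents; the verdict table is keyed by their real hashes,
    # and the detection counts are made up to cover each triage outcome.
    samples = {
        "explorer.exe": (b"constructed sample A", (0, 57)),
        "updater.exe": (b"constructed sample B", (1, 57)),
        "svch0st.exe": (b"constructed sample C", (45, 57)),
        "unknownsvc.exe": (b"constructed sample D", None),  # absent from the table
    }
    with tempfile.TemporaryDirectory() as workdir:
        processes, verdicts = [], {}
        for pid, (name, (content, verdict)) in enumerate(samples.items(), start=1000):
            path = os.path.join(workdir, name)
            with open(path, "wb") as f:
                f.write(content)
            processes.append(Process(pid, name, path))
            if verdict is not None:
                verdicts[hashlib.sha256(content).hexdigest()] = verdict
        return triage(processes, verdicts)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['pid']:>5} {row['name']:<16} {row['ratio'] or '-':>6}  {row['status']}")
```

The report deliberately separates "unknown hash" from "clean": a hash nobody has seen is not evidence either way, which is also why the Sysinternals tools leave uploading unknown executables as an opt-in.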

#3 JohnC_21 (Topic Starter)
  • Members
  • 23,207 posts
  • Gender:Male

Posted 12 December 2015 - 03:35 PM

Thanks for those links quietman7. I have used AutoRuns but never knew you could send a process to VirusTotal.


Edited by JohnC_21, 12 December 2015 - 03:37 PM.


#4 Aura (Bleepin' Special Ops)
  • Malware Response Team
  • 19,594 posts
  • Gender:Male

Posted 12 December 2015 - 03:48 PM

There's also the really popular "Malware Hunting with Mark Russinovich and the Sysinternals Tools" presentation.

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B368

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,267 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 December 2015 - 03:55 PM

> Thanks for those links quietman7. I have used AutoRuns but never knew you could send a process to VirusTotal.

You're welcome.

The integration was added earlier in the year.
SysInternals Autoruns introduces Virustotal integration...starting with version 13 released in February 2015.
Startup Manager Autoruns 13 introduces Virustotal integration

#6 JohnC_21 (Topic Starter)
  • Members
  • 23,207 posts
  • Gender:Male

Posted 12 December 2015 - 03:59 PM

> There's also the really popular "Malware Hunting with Mark Russinovich and the Sysinternals Tools" presentation.
>
> https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B368

Very Nice. Thanks.



#7 Didier Stevens
  • BC Advisor
  • 2,672 posts
  • Gender:Male

Posted 12 December 2015 - 04:29 PM

> There's also the really popular "Malware Hunting with Mark Russinovich and the Sysinternals Tools" presentation.
>
> https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B368

 

This is a recording of a presentation by Mark at TechEd North America 2014.

 

Every year Mark does a couple of presentations at TechEd (North America and Europe). He also has a series of presentations called "The Case of the Unexplained" where he also showcases his Sysinternals tools.


Edited by Didier Stevens, 12 December 2015 - 04:29 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Didier Stevens
  • BC Advisor
  • 2,672 posts
  • Gender:Male

Posted 12 December 2015 - 04:32 PM

> Thanks for those links quietman7. I have used AutoRuns but never knew you could send a process to VirusTotal.

 

I wrote a couple of Internet Storm Center Diary entries on Sysinternals' tools and VirusTotal.

Here is the one on AutoRuns: https://isc.sans.edu/forums/diary/Autoruns+and+VirusTotal/19933/


