In The 10 faces of malware I discussed the makeup of malware.

http://blogs.techrepublic.com.com/10things/?p=881

Next in the series 10 ways to detect malware discusses how to find and remove it.

for collecting those up and placing them near to my fingertips! happy
I hope
Michael Kassner 25th Aug 2009
That it was of some help.
You have yet
boxfiddler Updated - 25th Aug 2009
not to be of help. happy

edit
reedeeep
On, "some".

Michael does not solve all the problems of humanity. But, he goes a long way in his self-deprecatory manner to make me sit up and inventory mine -- dare I say: ours?
reeedeeeep
boxfiddler 25th Aug 2009
*deep bass, at that*

I especially liked learning about GMER.

As always, your insight is appreciated.
Thanks again
I was concerned about it not being very well-known at first. Then I ran it in a sandbox without issue.

It has been successful, with the best compliment being that the bad guys are focused on it along with MBAM.
GMER does more than remove rootkits. One feature I really like: in the Processes tab, press "Kill All", this leaves the absolute minimum of processes running - even fewer than Windows Safe Mode.

Then go to the bottom of the window, there's a field labeled "Command", press the "..." button next to it, browse to an AV/malware scanner, select it, then press the "Run" button.

This lets you run a scan that's even better than scanning in Safe Mode - and it's faster than rebooting into Safe Mode. It doesn't work with all scanners, though.
Thank you
Michael Kassner 27th Aug 2009
Did not know that. Thanks for sharing that very helpful hint.
I did not know that either. Great tip. I also like the Get System Info tool from Kaspersky. Easy to use, especially with the on-line parser.
A huge amount of experience with Kaspersky GSI, but it's been favorable. Has yours been the same?
Thought I would have a look at your recommendation for Malwarebytes MBAM. Is there any good reason to download frusa.download.com which seems to want to download in parallel with MBAM from download.cnet.com. Seems pretty dodgy to me as it comes from http://ad.fr.doubleclick.net, when doubleclick seems to me to be malware itself and whose cookies I seem to get rid of whenever I run a malware detection.

While I am here - what about the ones I use - Adaware, Spybot and Windows Defender? I think you should cover the programs that most people use. Why stick to 10 - is it the new holy number?
Hey Jon
Michael Kassner 26th Aug 2009
I didn't link download.com. So I don't know about that. I would suggest using the link I provided. It's the real deal.
The link was from the Tech Republic site, and the obvious one to click to get to MBAM. What about the second half of my post - if you see this. What about Adaware, Spybot and Windows Defender? All of which I imagine are in more common usage than the programs you suggest. MBAM found a couple of registry items on my machine, but nothing dangerous or significant, suggesting my existing defence is quite adequate. Thanks in advance.
I guess my thoughts were to write about detection applications more so in this post. The next one in the series may either be 10 more ways to detect computer malware or 10 ways to remove malware. Not sure yet.

The applications you mentioned are good to be sure.
If you use Adaware, spybot and Windows Defender as your primary protection (this is really what MOST people use?) you are using outdated and/or poor excuses for up to date security. Maybe I'm being extreme but with those three as your primary protection it's sort of like going to a gun fight armed with a knife. Sorry but I know of no 'free' total security protection (or as total as possible) and second best is a poor plan when dealing with all the talent out there trying to steal something from you.
Thanks
jonc2011 10th Sep 2009
I also use Spyware Doctor (free via Google Apps), ThreatFire both of which work pretty well as well as Secunia. I have now added MBAM thanks to Michael. Hopefully these will keep the talent you refer to out. It has so far, but thanks anyway for your (somewhat patronising) advice.
While I agree with your statement about relying on free anti-virus/anti-malware applications as a primary protection, I would be curious as to what you WOULD consider adequate. From my C|EH days, I recall using a number of tools that slide right past Symantec, AVG, Kaspersky, and several others. One exploit still works against Symantec's Endpoint Protection 11 MR4.

I think the original article of 10 ways to detect malware is a valid one. However, if you begin the discussion of what provides total protection I believe you'll quickly come to the answer "none". Given enough time, resources and desire, I believe anyone can break into any system.
I was trying to point out that the free versions do as good a job as the paid versions. As you mentioned, Symantec Endpoint does not perform any better.

My other point was to use layers of protection and that is the best that we can do.
Houston, we have a problem :-)
Ocie3 Updated - 27th Aug 2009

Thank you, Michael, for your recommendations and comments. From personal experience (except with #4, so far), folks who suspect that a malware process might be running on a computer can include some of the following in their investigation.

(1) According to Microsoft, if running the command NETSTAT -a -b -v -n from the Windows XP command line produces one or more connections for which the line "-- unknown component(s) --" is included among the binaries, then there is a problem -- which is most likely (?) the presence of malware that is hidden from the operating system.

(2) Sometimes a firewall log contains data that reveals the presence of malware which is doing something unauthorized, such as trying to establish a connection to another computer via the Internet. (Yes, we would expect a firewall to display an "alert" about such an event, but it didn't detect or recognize it as such. Instead, the firewall logged the fact that it dropped an outbound packet sent via a closed port.)

Or, a firewall might alert that a program which is being launched has been changed since the program exited from its most recent execution. If that executable has not been updated since its most recent execution, then you should check that out further.

(3) Microsoft TCPView (by Sysinternals) is a relatively basic tool, somewhat like having a real-time version of the NETSTAT output updated at the interval which you specify (5 seconds by default?). If you watch a while, you might notice one or more connections are CLOSE_WAIT and assigned to System Idle (PID 0), but their Remote Address is not one that was previously shown for any of the other processes on the TCPView display. That happens when a process that TCPView cannot detect and display has closed a connection that the unknown process made previously.

If anyone can suggest a comparable tool that can record its output automatically either in a video file or a text file, please feel free to let me know.

(4) Although I've installed it, I haven't used it, but reportedly Wireshark (with Windows Packet Capture, WinPcap) is good for determining where packets are being sent and from whence packets are arriving. Firewalls don't always block unauthorized outbound traffic because there are many methods for evading them. You might want to check out:

http://www.matousec.com/projects/proactive-security-challenge/
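The NETSTAT and TCPView checks in the post above, as an added example that is not Ocie3's code: a small Python parser over constructed `netstat -a -b -v -n` text that flags rows whose owner chain contains "-- unknown component(s) --" and PID 0 CLOSE_WAIT rows whose remote host no identified process has used. The sample rows and the column layout the regex expects are assumptions, modelled on Windows XP output.

```python
"""Flag suspicious rows in Windows 'netstat -a -b -v -n' output.
Added example, not code from the thread: it automates check (1) above, rows
whose binaries include "-- unknown component(s) --", and the TCPView
observation in check (3), PID 0 CLOSE_WAIT rows whose peer no identified
process has talked to. The sample is constructed to resemble XP netstat
output; real column layout may differ, so verify the regex on a live capture."""
import re

# Constructed sample modelled on 'netstat -a -b -v -n'; not a real capture.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1036       74.125.67.100:80       ESTABLISHED     1520
  [firefox.exe]
  TCP    192.168.1.5:1057       203.0.113.9:8080       ESTABLISHED     2212
  -- unknown component(s) --
  [svchost.exe]
  TCP    192.168.1.5:1060       198.51.100.7:6667      CLOSE_WAIT      0
  [System Idle Process]
  TCP    192.168.1.5:1061       74.125.67.100:80       CLOSE_WAIT      0
  [System Idle Process]
"""

# proto, local, foreign, optional state (UDP rows carry none), PID
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """One dict per row; following [exe] / '-- unknown ...' lines are its owners."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid), "owners": []})
        elif conns and line.strip()[:1] in ("[", "-"):
            conns[-1]["owners"].append(line.strip())
    return conns

def remote_host(addr):
    """Drop the port: '203.0.113.9:8080' -> '203.0.113.9'."""
    return addr.rsplit(":", 1)[0]

def unknown_component_conns(conns):
    """Check 1: Windows could not identify a binary in the owner chain."""
    return [c for c in conns if any("unknown component" in o for o in c["owners"])]

def orphaned_close_wait(conns):
    """Check 3: PID 0 CLOSE_WAIT rows whose peer no known PID ever used."""
    known = {remote_host(c["remote"]) for c in conns if c["pid"] != 0}
    return [c for c in conns if c["state"] == "CLOSE_WAIT" and c["pid"] == 0
            and remote_host(c["remote"]) not in known]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print(unknown_component_conns(rows), orphaned_close_wait(rows))
```

On a real machine, pipe the live output in (`netstat -a -b -v -n > netstat.txt`) and replace SAMPLE with the file contents; a hit on either check is a reason to investigate, not proof of infection.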
Good list
Michael Kassner 28th Aug 2009
As usual you have good insight into some more ways to detect malware. I'm thinking about the third in the series being 10 more ways to detect computer malware.
have saved my bacon or shortened my investigations many times.

Good post Ocie!

I notice the latest tests with Matousec didn't give Avast a very good score. Avast recently changed its heuristic engine, wonder if it is because they didn't own the original one.

I think GDATA is using the old engine, plus a scanner without real time protection built into one console. AV comparatives gave them high marks at the end of 2009.

I believe the scanning engine is from BitDefender on the German company that makes GDATA.

I like the HIPS on it for XP users, and it is very affordable, but I couldn't get their 64bit version to work on my install.

I'm using Avast Pro v. 5 and I like it, I notice a marked performance improvement over NIS2010, which wasn't bad either, but I just don't trust Symantec's heuristic engine yet.

I didn't get near as many malware process blocks on it as I do with Avast, on my honeypot. I'm skeptical about Matousec on that one, but with all the changes going on, I can't throw it out either.

Avast now has GMER technology, as well as an autoscript blocker, also.
you have used either Darkspy, a squared free, a squared hijack free, winpatrol, mgtools, or icesword for malware detection?

Also, how well do Spybot Search and Destroy and Avira do?
And, by the way, how do you distinguish between a maverick phantom and a run-of-the-mill phantom?

Isn't it like parsing "this" nothing in relation to "that" nothing?

I thought
boxfiddler 30th Aug 2009
The Shadow knows.
Don't tell nobody nuttin'. wink
what another (in this case, the writer of the original article) would answer, eh?

There are no distinctions that can be explained. It's like art, pr0n, or science fiction (sci-fi, sf, speculative fiction, whatever): you'll know when you see it.

When I can parse nothing, I'll let you know.
Meantime
santeewelding 30th Aug 2009
It is a meaningless flag of convenience?
Ooooh.
boxfiddler 30th Aug 2009
shocked devil
then all I have to say is this:

I've used Darkspy exactly once, during a pre-backup anti-malware crusade - it didn't detect anything that I hadn't already cleared as safe.

Though a squared hijack free worked pretty well at monitoring processes and was a great help in finding malware (and a rootkit), there was nothing there that I hadn't seen elsewhere.

A squared free finds a lot of crap (way too many false positives from files I know are safe).

Winpatrol is a decent system monitor, in my opinion, though the free version tends to react slowly to system changes.

I've never had a computer problem serious enough to justify use of mgtools, so I have never used it.

I use Icesword, GMER, and Rootkit Revealer back-to-back whenever I suspect rootkits.

Spybot search and destroy is currently on the third ring of my anti malware arsenal (I haven't used it on my own computer for a while, but it has found malware missed by superantispyware and malwarebytes' anti malware).

I currently use avira as my antivirus (as at the time I was leaving AVG I found out about avast! and avira; while avast! in general impressed me more during initial testing, avira eventually won me over after seeing how badly viruses stomped avast! on my sister's Dell - though with the computer habits of the people at that house, avg, avira, Eset, norton, and mcafee have been at times annihilated by malware). Along with online armor, nothing seems to faze my system.

That is not what I mean by what you think you mean that I mean.
How does avira stack up to avast in regards to footprint and system resources while it is running? Those reasons alone switched me over from avg.

I've seen infected avast machines in households like you speak of. And avg, and symantec corporate and dozens of others. There is no protection from click happy local admins.

happy
I couldn't really tell the difference on my new laptop (with 2 gb of ram and a 2.4 ghz processor) as far as impacting performance. Task manager showed avast having slightly (approximately 2,000 kb) higher ram usage overall when running in the background (i.e. not while running an on-demand scan).
This is an old post but...
JCitizen Updated - 3rd Mar 2010
I just can't let the statement about viruses stomping Avast go!

I've been intensively testing many of the popular AV for the last three years, and the only stomping I see is Avast kicking butt on the malware.

It is true that Avast will let a lot of malware lay dormant; but that is because the malware coders are getting smart, and they program their malware to be firewall,anti-virus, and network aware; among several other things Michael points out.

So in my experience Avast will kick @ss once the malware makes a move and not before. It has been very successful and I've not had to do scans with it, unless I just want to test its performance.

CCleaner usually removes anything left in the download files that is laying dormant, so I never find anything, even if I double check with an online scanner, or NIS2010, NOD32, or Prevx.
that I'm confused.

And while I'm wasting internet space to say the above, I'll ask the following:

Did your manner of writing come about naturally, or is it the result of years of practice?
Yes
santeewelding 30th Aug 2009
Both. And a third.

The realization as a boy, "I am confused."

Then, the lifetime setting-about to clear it up.

One instant result being that you waste no space.

You grace it.
and on that note, I'll leave (way too much work to do tomorrow.)

May your computer remain ever free of crap.
Details, details, details.
That was a pointless post, and incorrect to boot. Let me highlight your failure:

----------------------------------
http://en.wikipedia.org/wiki/Et_cetera
Et cetera (in English contexts pronounced /ɛt ˈsɛtərə/) is a Latin expression that means "and other things," or "and so forth." It is taken directly from the Latin expression which literally means "and the rest (of such things)" and is a loan-translation of the Greek "και έτερα" (kai hetera; and the others). Et means "and;" cetera (plural of ceterum/caeterum) means "the rest."

Typically, the abbreviated versions should always be followed by a full stop (period), and it is customary, even in British English where the serial comma is typically not used, that "etc." always be preceded by a comma. Thus:

A, B, C, etc.

not:

A, B, C etc

----------------------------------

Troll smarter, not harder.
I love you, too
santeewelding Updated - 4th Sep 2009
I spoke of a line in his post; not, his title.

Smart, Ken.

_______
titivation
I carry around a flash drive with my favorite tools (Malwarebytes, Spybot, whatever I've tried lately) to save time downloading it to suspect PCs. After installing and updating the latest file definitions, I typically run the apps in safe mode after cleaning out temp files, Prefetch, recycle bin, Recycler. Question: how do you then check the flash drive to see if it's been infected? I hesitated before using the flash drive on my PC. The first thing I did was to scan it on my PC but I think by then I'd already been infected. What an idiot!
I have an old 512 with a physical write protect switch on it so I can flip it to read only with hardware. I know some floppy drives ignore the diskette read only tag if told to (they don't use the physical pin and spring to check it in the newer ones) so by that same token, I could see software being able to get around it in some cases. It's better than a read/write flash drive with no physical read only switch though.

If you're really not sure, burn the apps to a CD so you can dump and install. I keep the latest CCleaner and various win32 hunting app installs on a disk along side an Avira liveCD in my tool bag. Scan with Avira to see what it finds then reboot and go at it with the win32 tools after.
Is anyone else having problems downloading MicroTrends RUBotted? I read thru the details on it to verify this is a download and everything indicates it is but for some reason when I click to download it nothing happens. IE starts like as if it is going to download a file (the IE icon animates) but nothing happens.

Ideas?
Scan results
santeewelding 25th Aug 2009
No malware found, Michael.

Only a departure from baseline formality when you employed "was" for past subjunctive ("I wish it was that simple").
As in, "I wish it were that simple."

As simple as the sentence was, it does enfold a putative within a possibility. Be glad you are people. We people are imaginative enough to do that. Only, we really must keep track of our enigmas hidden within puzzles within mystery. Else, we go off the deep end. That's why I have so much fun cruising the threads. Lotta people deep-sixing themselves without a clue.

That was the only thing that leaped out at me in your piece. This means that I got through it from beginning to end without snags and delaying travail and I gained for it. I, like the others, thank you for it.

If only I were not such a backslider in these security things...
(disclosure)
santeewelding 25th Aug 2009
I am in offline communication with the author.

He asks what I thought of it.

I thought well of it (which I thought I said, Michael). I also mentioned recidivism. I think I will propose -- hell, I do propose -- that he write a 10-step program for the unconfessed sophisticates here, re malware.

I delude myself into thinking I know of these things. Then I screw up big time.
Got it
Michael Kassner 26th Aug 2009
Thanks for the help.
You recommend Superantispyware. Does that go for the free download, or is the paid version the one you tested? Same for any other recommendations on this list.