Posted by Geoff on June 28, 2008, 8:55 pm
wrote:
>
>> wrote:
>>
>> >What is strange, there is 4 running svchost.exe processes..
>>
>> Not strange at all. Svchost.exe is the service executive. It's the process
>> that starts service processes. (RPC, DNS, Auto update, windows audio,
>> etc.)
>> There are several instances of it depending on the configuration of the
>> machine and the kinds of services that are started.
>>
>> As for validating executables, see www.sysinternals.com for process
>> utilities like Process Explorer that can check for signed code from
>> Microsoft and others.
>> http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
>>
>> Be aware, not all Microsoft code is signed but they have been making great
>> strides in signing their code. Just be careful and don't delete a suspect
>> binary just because it's not signed.
>>
>> Autoruns, another good tool from the same place also verifies signed code
>> and allows easy access to the registry keys and binary files.
>> http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
>>
>> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
>> still develop the products.
>------------
>
>Very helpful utilities. I want to check drivers. I just ran a console tool that
>lists all drivers installed in my system; 124 drivers were detected. Is it
>possible to check whether all of the drivers are legitimate or not?
>
>Thanks.
You're welcome.
It's very difficult to know for sure which drivers are legitimate. Autoruns
will verify signatures but if the publisher doesn't sign the code then this
method fails and you have to look into each driver and evaluate it
yourself. Many driver vendors don't sign their code. There is no sure tool
that I am aware of that will validate a driver automatically without some
kind of code signature. The Drivers tab of Autoruns will list all your
drivers.
As far as malware or viruses are concerned, your principal indicators will
be:
1. Strange behavior of computer.
2. Strange filename or location of executable.
3. Lack of publisher name.
4. Not signed.
5. Program or driver phones home or accesses TCP/IP.
6. Executable is compressed or obfuscated.
7. Multiple instances of the binary of the same length, same date/time
under different names in the system32/ or system32/drivers file with very
strange version information blocks.
You cannot effectively use the filename alone as an indicator.
Using Autoruns or Process Explorer you can search online (google) by
selecting the item and hitting ctrl-M. This presents a list of hits that
you can research. Very handy. Of course, some of what is written about some
of these files is written by non-experts or the occasional troll, so you
must judge what is reasonable, valid information.
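The triage described above can be scripted with built-in Windows cmdlets; this is an added example, not the poster's procedure or a Sysinternals tool. It enumerates the installed kernel drivers, checks each binary's Authenticode signature and publisher, and flags indicators 2, 4 and 7 from the list (odd location, unsigned, several differently named files of identical size). It assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example: triage installed kernel drivers against the indicators in the post.
# Uses only built-in cmdlets (Win32_SystemDriver, Get-AuthenticodeSignature); run elevated.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # "\SystemRoot\..." -> "C:\Windows\..."
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative "System32\..."
    return $p
}

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }   # no file on disk: skip
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Name        = $_.Name
        State       = $_.State
        Path        = $path
        Length      = $item.Length
        SigStatus   = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Publisher   = $item.VersionInfo.CompanyName
        # Indicator 2: binary lives outside the normal drivers folder
        OddLocation = -not $path.StartsWith($driversDir, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Indicator 7: several different filenames with byte-identical length
$dupSizes = $report | Group-Object Length | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }

# Indicators 3 and 4 plus the two above; everything listed here needs a human look, nothing more
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.OddLocation -or -not $_.Publisher -or
                   ($dupSizes -contains "$($_.Length)") } |
    Sort-Object SigStatus, Name |
    Format-Table Name, State, SigStatus, Publisher, OddLocation, Length, Path -AutoSize
```

A row in the output is a lead to research, exactly as the post says for Autoruns: an unsigned or oddly placed driver is not proof of malware, and a valid signature only tells you who published it.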