Posted by SANTANDER on June 30, 2008, 9:36 am
> wrote:
>
>>
>>> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER"
>>> wrote:
>>>
>>> >What is strange, there is 4 running svchost.exe processes..
>>>
>>> Not strange at all. Svchost.exe is the service executive. It's the
>>> process
>>> that starts service processes. (RPC, DNS, Auto update, windows audio,
>>etc.)
>>> There are several instances of it depending on the configuration of the
>>> machine and the kinds of services that are started.
>>>
>>> As for validating executables, see www.sysinternals.com for process
>>> utilities like Process Explorer that can check for signed code from
>>> Microsoft and others.
>>> http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
>>>
>>> Be aware, not all Microsoft code is signed but they have been making
>>> great
>>> strides in signing their code. Just be careful and don't delete a
>>> suspect
>>> binary just because it's not signed.
>>>
>>> Autoruns, another good tool from the same place also verifies signed
>>> code
>>> and allows easy access to the registry keys and binary files.
>>> http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
>>>
>>> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
>>> still develop the products.
>>------------
>>
>>Very helpful utilities. I want to check drivers. I just ran a console tool
>>that lists all drivers installed in my system; 124 drivers were detected. Is
>>it possible to check whether all of the drivers are legitimate or not?
>>
>>Thanks.
>
> You're welcome.
>
> It's very difficult to know for sure which drivers are legitimate.
> Autoruns
> will verify signatures but if the publisher doesn't sign the code then
> this
> method fails and you have to look into each driver and evaluate it
> yourself. Many driver vendors don't sign their code. There is no sure tool
> that I am aware of that will validate a driver automatically without some
> kind of code signature. The Drivers tab of Autoruns will list all your
> drivers.
>
> As far as malware or viruses are concerned, your principal indicators will
> be:
>
> 1. Strange behavior of computer.
> 2. Strange filename or location of executable.
> 3. Lack of publisher name.
> 4. Not signed.
> 5. Program or driver phones home or accesses TCP/IP.
> 6. Executable is compressed or obfuscated.
> 7. Multiple instances of the binary of the same length, same date/time
> under different names in the system32/ or system32/drivers file with very
> strange version information blocks.
>
> You cannot effectively use the filename alone as an indicator.
>
> Using Autoruns or Process Explorer you can search online (google) by
> selecting the item and hitting ctrl-M. This presents a list of hits that
> you can research. Very handy. Of course, some of what is written about
> some
> of these files is written by non-experts or the occasional troll, so you
> must judge what is reasonable, valid information.
----------------
Just tried Process Explorer. Does it show hidden DLLs that could possibly be
loaded inside the explorer.exe process?
Some processes displayed by Process Explorer are not fully clear:
process PID Description
System 4
What is the 'System' process with PID 4?
Process Explorer shows System Idle Process taking 98.46 percent. Why so much?
Are there similar security tools that can work on Win98?
Thanks.
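Two points in the thread above lend themselves to a scripted check: the explanation that each svchost.exe instance hosts a group of services, and the advice that Autoruns' Drivers tab lists drivers and verifies their signatures (indicators 3 and 4, publisher name and signature). The script below is an added example written for this page, not code from the thread or from Sysinternals; it assumes a current Windows with PowerShell 5.1 or later and the CimCmdlets module, and it should run from an elevated prompt so every service and driver path is readable. The function names Get-SvchostServiceMap, Resolve-DriverPath and Get-DriverSignatureReport are the example's own.

```powershell
# Added example (not from the thread): map svchost.exe instances to the
# services they host, then report the Authenticode signature status of every
# installed driver. Assumes Windows 8+/PowerShell 5.1+, run elevated.

function Get-SvchostServiceMap {
    # Each svchost.exe instance hosts one or more services; grouping the
    # Win32_Service rows by ProcessId shows which services share a PID, which
    # is why several svchost.exe processes are normal.
    $svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -in $svchostPids } |
        Group-Object -Property ProcessId |
        ForEach-Object {
            [pscustomobject]@{
                PID      = [int]$_.Name
                Services = ($_.Group.Name | Sort-Object) -join ', '
            }
        }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName uses NT-style prefixes (\??\, \SystemRoot\,
    # or a path relative to the Windows directory); map them to Win32 paths.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    # One row per installed driver: file path, signature status and signer.
    # 'NotSigned' means "look into this driver yourself", as the thread says;
    # many legitimate vendors did not sign, so it is a lead, not a verdict.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $status = 'FileMissing'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()
            $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State
            Path   = $path
            Status = $status
            Signer = $signer
        }
    }
}

# Usage: which services live in which svchost.exe, then every driver whose
# signature did not verify, sorted so the unsigned ones are reviewed together.
Get-SvchostServiceMap | Format-Table -AutoSize
$report = Get-DriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name | Format-Table Name, State, Status, Signer, Path -AutoSize
"{0} drivers checked, {1} did not verify as 'Valid'" -f $report.Count,
    @($report | Where-Object { $_.Status -ne 'Valid' }).Count
```

The report deliberately surfaces everything that is not 'Valid' rather than only 'NotSigned': a 'HashMismatch' on a driver that claims a known publisher is a stronger indicator than a missing signature on a small vendor's driver, and the signer subject lets you compare the publisher name against the file's location and version information, as the thread's indicator list suggests.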