
Sysinternals process monitor

First published on TechNet on Mar 06, 2011

Continuing the theme of focusing on malware-related cases (last week I posted […]) as a lead up to the publication on March 15 of my novel […], this post describes one submitted to me by a user that took a unique approach to cleaning an infection when faced with the apparent inability to run […]. More and more often, malware authors target antivirus products and Sysinternals utilities in an effort to maintain their grip on a conquered system.

This case began when the user’s friend asked if he’d take a look at his computer, which had begun taking an unusually long time to boot and logon. The friend, already suspecting that malware might be the cause, had tried to run a […] (MSE) scan, but the scan would never complete. They also hadn’t spotted anything in Task Manager. The user, familiar with Sysinternals, tried following the malware cleaning recipe I presented in my […]. […] resulted in a brief flash of the Process Explorer UI followed by the termination of the Process Explorer process, however. Process Monitor had the same behavior and at this point he became convinced the malware was responsible.

Malware can use numerous techniques to identify software that it wants to disable. For example, it can use the hash of the software’s executables, look for specific text in the executable images, or scan process memory for keywords. The fact that any small unique attribute is all that’s needed is the reason I haven’t bothered implementing mechanisms aimed at preventing identification. It’s a game I can’t win so I leave it to the ingenuity of the user to figure out a workaround. If the malware is simply keying off the names of executables, for instance, the user could simply rename the tools.

What makes this case somewhat ironic is that malware authors have long used various Sysinternals tools themselves. […], a virus that stole passwords in mid-2008, also used PsExec. Malware authors even hijacked the Sysinternals brand by releasing a “scareware” product – malware that presents fake security dialogs to lure you into buying fake antimalware – named […].

Back to the case, the user, wondering if the malware was looking for particular processes or simply scanning for windows with certain keywords in their title bars, opened Notepad, typed some text, and saved it to a file named “process explorer.txt”. Sure enough, when he double-clicked on the new text file, Notepad made a brief appearance before exiting. Locked out of his usual troubleshooting tools, he wondered if there might be some other Sysinternals utility that he could leverage, browsed to the […] and scanned the list. Desktops lets you create up to three additional virtual desktops for running your applications and use hotkeys or the Desktops taskbar dialog to quickly switch between them. Maybe the malware would ignore windows on alternate desktops? He launched Desktops using its Sysinternals Live link (which lets you execute the utilities off the Web without even having to download them) and created a second desktop. Holding his breath, he double-clicked on the Process Explorer icon – and it launched!

This particular malware presumably has a timer-based routine that queries window title text and terminates processes that have titles with blocked keywords like “process explorer”, “autoruns”, “process monitor” and likely the names of other advanced malware-hunting tools and common antivirus products. Because a window enumeration only returns the windows on a process’s current desktop, the malware was not able to see the Sysinternals tools running on the second desktop.