Saturday, December 17, 2005

Top 10 Anti-Malware Tools

Claus Valca's Top-10 Anti-Malware tools for this year...and a whole lot more stuff!

First, we survived the final big Christmas shopping push today with no major disasters. Lavie and I tried to make a shopping list to help us focus before we hit the BayBrook Mall today, but gave up in frustration with a lack of ideas and just decided to "wing-it". Weather was pretty typical London fare--windy, wet/rainy and cold. We reached the mall and found traffic horrible outside the mall but remarkably tollerable inside. I've noticed that (this season) instead of the Salvation Army bell-ringers and Santa greeters, almost all large box-stores (Best Buy, Target, etc.) have local uniformed police officers on patrol instead. The coolest officers seem to like parking their cruisers directly on the sidewalk itself and making you walk around them. Nice. The mall we went to actually had a mobile sub-station set up on the parking lot perimeter. It must be too cold and wet for the mounted patrols though..Oops...I digress....(and I really do appreciate their work protecting us!)...Anyway...

Under some active miracle (was Belldandy watching over us?) we hit the first store and it was going of of business and many things were 60% off. When we left just about all the ladies on the gift-list were taken care of. First store. SCORE!!! While we were checking names on our list, an idea popped up and GOOOOAAAALLLL! Had it, got it. Done. It went on like this the whole time. Amazing. Prices were unbelivably good. (This is an important factor this year as Alvis had braces put on this month and the budget took a heavy hit with our intial contributions to her Orthodontist's swanky new office suites --the chairs all have their own GameBoy!). When I was growing up Mom and Dad took us to a very nice dentist but all we had to look at were Highlights magazine and the wierd scenic wallpapers.

So shopping done, we grabbed a late lunch at the Sweet Mesquite Grill and were back home in under 6 hours. Nice. Only bad thing is a USB-cellphone data cable I picked up that the cell phone store swore would be compatible with our cell-phones (bad sign #1--had different models listed on the front). Ok, I'm willing to be open. Tried to load the drivers since they weren't on the CD (bad sign number 2)--via web download. Failed. Eventually I discovered that this model of data-cable, while fitting both the phones connector interface, wasn't compatable after all. I'm taking it back and just ordering one on-line direct from Nokia. I snagged an e-coupon on their site and it will end up being cheaper than the one I picked up in the mall anyway. I can use the Nokia software on my laptop since it and my model cell phone have infrared ports. But Lavie's doesn't so that's why I need the USB cable adapter. She saw all the cool anime wallpapers I trimmed up for my phone and now I have to power-tweak her phone too!

Enough about me, the tech!

"I'm making a list, and checking it twice! Valca Claus is going to take on malware that's been naughty with some security tools that are nice.." Let's see what Claus's lovely Hina Girl elves have in the gift-bag for you.

Paperghost had a blogpost on his security site about the security tool "HiJack This" that got me really thinking. So now I'm going to do a "Claus Valca's Top-10 Anti-Malware Tools List" for you fellow system administrators and malware warriors! (Like the web really needs another one!)

My selection conditions: Must be 100% freeware or have a free for personal use version, must have a fairly understandable interface (I use lots of command-line tools, but many users don't find that comfortable), and must be able to be used (safely or not) by users with normal to above-normal computer experience (in case I have to walk them through using them over the phone). Windows only for now--sorry MAC/Linux fans--but then again, you don't really worry about malware do you?!!! And with the exception of the Microsoft product (big-surprise) all of these can be downloaded to a USB device (or even burned to a CD-R) and used as portable tools!

Meirjn's HiJack This. Coming in at a strong number one spot. This is always the very first tool I will run on a system that is reported to have malware issues. Why? At a glance the scan results tell me just how bad an infection I am dealing with. It helps me to focus my attack strategy. I'll normally make some notes, save the logfile and clean the obvious items first right here. I always do multiple rescans after cleaning/removal of entries. If I note that any reload or come back renamed, I'll know I have some more intense work to do.

Sysinternal's Process Explorer. I usually have this running either alongside HJT, or just after. This tells me what processes are running in memory. The advanced tools allow me to track down which processes still has a malware .dll file in memory that the system will not allow me to delete the file itself. You can search for dll's and processes, and highlight windows/etc that are showing to find the process that is controlling it. It is a very powerful tool that in the right hands can be better than a katana in the hands of "The Bride" slicing through malware scum.

(Tie) Sysinternal's RegMon/FileMon. Run these tools to log the calls to your registry and files. It's a great way to track down who is trying to do what, and from where. I've found some hidden applications by watching who was monitoring the registry while IE was running (and generating a ton of popus) and then where they were running from.

Noël Danjou's Locked Files Wizard. This handy little app can save some time. Some malware files can be very stubborn about getting deleted. They just refuse to budge. This app can help delete such stubborn files and folders from your drive. There are other--more technical ways--to do this, depending on what Windows OS version you have, but this tiny tool has saved me a lot of time.

Spybot Search & Destroy. The first malware scanner/cleaner tool I broke my teeth on. It still is running strong. Yes, it can't clean/catch everything, but it is great for bulk-cleaning a system of malware in a single pass or two. The Advanced Tools options can provide a wealth of supportive software that really compliment malware removal and system lockdown afterwards.

Sysinternal's RootkitRevealer. Did you know that there can be "super-hidden" files on your pc that you can't normally see, even when you set your Windows Explorer to show them all? Yep. Some are downright nasty. This can shine some light on them. It takes a long time to scan a drive, but it a great tool for finding where these creepy-crawlies are hiding!

LavaSoft Ad-Aware SE Personal. A few notches down is the 2nd anti-malware bulk-cleaning tool. I use it to compliment Spybot as they seem to find things the others don't. It can list a lot of MRU's (Most Recently Used--a.k.a history) items that are distracting and not at all malware, but 0nce you get past it's busy interface--it is a great program.

Microsoft AntiSpyware (Beta). Yeah; it's not portable and only runs on XP/2000 systems, but I have to confess, Giant had such a good product the M$ machine bought a good thing when they saw it. It seems to integrate well with XP/2000. Scans can be deep and still fast. I question some of the default action settings ("Ignore" malware instead of DESTROY with Nukes!!!), but those can be changed. I also like that when it is running in a defensive mode, though "chatty" with alerts from the system tray, they are pretty well color-coded so the most untech end-user generally can figure out "it's red--that's bad--I think I better block what it's blue or green...maybe not so bad."

Sysinternal's AutoRuns. Kinda like HJT, but the unabridged version. HJT looks for targeted locations in the Windows registry, while Autoruns shows all the processes, actions, etc that are scheduled to...well...autorun at a system boot. You can disable items without removing them--good for troubleshooting. Then go back and fully delete them if they are as bad as the looked to be.

Mozilla's Firefox/Portable Firefox web-browsers. Using an alternative browser (configured to prevent wholesale Javascipt execution) that doesn't use ActiveX will go a long way to preventing malware from even getting on your computer. I like keeping the portable version on USB so that when I am working on an infected pc, I don't have to use IE to download/browse the web while troubleshooting. Using IE while the pc is infected with malware can lead to an overload of popup windows and possible even more infections. So if the user insists on using IE, I can still use the portable version of Firefox and can leave a copy on their HDD for them to check out as well.

Honorable Mentions. I don't use these very much, but they make good special-teams unit players to call out onto the field for some special plays.

A-Squared Hijack Free: Similar to HJT. Gives a pretty wide view of things at a glance.

BHO Demon: No longer supported. Scanned IE for browser plugins and provided info/removal.

Spyware Blaster: Use this tool to lock down IE/Firefox from spyware using "whitelists" that get updated. Prevents/restricts ActiveX as well.

CWShredder: Nice tool to use to quickly scan/clean as system of CoolWebSearch browser/system hijacks (usually works).

LSP-Fix: Use this standalone tool to rebuild damaged Layered Service Provider items. Some malware make additions/changes to the LSP list and removal of the malware can prevent the internet connections from working. This can help repair them.

Advanced Process Termination: Every now and then a malware process just refuses to go quietly. It won't budge. This really brilliant tool allows you to use one of several programming methods (some easier on your system stability that others) to kill the running process. It is small, light, and free. Nice tool when all else fails before trying to boot in safe-mode.

Final comment. This list isn't dealing with virus/trojan bugabos. Just malware. I'm saving those for another day. Nor am I a malware researcher like some of the other pros. So they will use some additional tools to take pre/post infection snapshots of the registry, use packet sniffer tools to watch network traffic, etc. I'm not getting into those here. My primary task here is getting them off the pc, not finding out where they came from, who they are calling home to, and what other things they are doing while infesting the computers I support. Those are VERY important things and I follow the other pros in that field to stay informed on those things to help me know what I am dealing with, but I don't collect my paycheck for malware research work--"just get that user's pc up and running again"--hopefully without having to pull out my image cd's.

New Tool from SpyBot Team!

While validating the site links above I ran across a new tool offered by the folks who bring us Spybot: RunAlyzer. It is another variant of software (mentioned above) that displays items in your system startup group. I haven't played with it enough in "live-fire" exercises to judge it yet, but if it is from the Spybot team, it should be a good tool. The download is a bit challenging to find; use this link to get to the download/screenshot page. Note, it is still in Alpha (development) stage, but it seemed stable so far for me.

The rest of the Tech:

Quick hack to make a bookmark that resizes your browser window if it gets changed by a website. Neato!

Can a firewall be portable to USB? According to a forums poster, these two apps fit that bill. I can't vouch for them yet, but they are heading to my "testing" system to see: AS3 Personal Firewall and GhostWall. Both free but I'm not giving an endorsement yet.

CCleaner. Nice. Not really a malware tool. More of a system maintenance tool. Nice interface--lots of options.

iTMS Album Art Finder. Copy the url from iTunes and it will find the matching album art (if that's important to your iPod experience).

If you use a laptop like me in the field on tech-calls you may just have one PS2 port on your laptop. I don't like using the touchpad/keyboard of my laptop any longer than I must. When I'm at a field office away from my docking station I pull a keyboard or mouse from an unused pc, but I can only use one or the other (we aren't using USB keyboard/mice yet). But this handy set combines two PS2 plugs into one USB port. Cool!

Someone thought it would be clever to set up a spoofed McAfee website and offer a anti-virus patch for the "Kongo31.XRW" virus (which there isn't such a thing). Only trouble is that if you use it on your system to clean something you don't have....surprise! You just downloaded the "Trojan-Downloader.Win32.Hanlo.h". Bummer. I hate it when that happens. Link at F-Secure.

Not really sure how to use this tip, but it seems you could load just about any content in your Firefox sidebar--just check that little box in your bookmark item properties.

Moving on to RetroWorld:

My brother and I used to live on some early hand-held LED electronic games. These emulators allow you to recapture the thrill of retro-electronic nirvana. LED Head. He's got all the classics: Armor Battle, Baseball, Football (I and II), Sub Chase, Space Alert. Wow!

Virtual Merlin. Did you have this Parker Bros. gizmo? Man, this thing brings back the memories. I think we got this for Christmas one year.

Bits and Pieces...

More things you can do with folded cardboard. I think this is shaping up to be a new Grand Stream Dreams favorite blog topic.

More fun things you can do with industrial design over at DesignBoom.

I'm saving icon-love for another blog-day, but for some sweet Christmas Season desktop patterns, head on over to the retro-wonderful Pixel Decor. Jen is brilliant and generous with sharing her hard work and efforts.

When we would go and visit my Dad's parents in Missouri, they had a basement we would sleep in. Piled against one wall were hundreds (?) of old issues of Popular Science and Popular Mechanics magazines. Old ones. Very old ones. Modern Mechanix is a blog that captures scans of these early-technology days of wonder and exploration. This site brings back memories of the basement and visits to Grandpa's place. Man it's fun to read these again!

Lavie loves to watch those "I Love the 80's/90's" shows on cable. I'd rather forget most of those years myself, but I still find advertisments facinating glimpses on the changes our American society has gone though the decades. This site Adflip has scans of a multitude of ads from the 50's onward. They are awesome and great. It's another of those fun sites that make you why you want to spend so much time looking at things you would otherwise work hard to avoid.

Gillian had a birthday! Happy Birthday Gillian from the Texas coast!

I'm tired. It's late. But before we say good-bye. Check out Happy Palace. It's a blog that captures images from other sites/blogs--but without almost any comment or context. Wierd but fun.

Going to bed now....


Anonymous said...

How about MalwareLog Tool?

Anonymous said...

you are real dickhead,,,malverabytes is the best 3years in a row

Claus said...

@ Anonymous - Goodness! You seem to be strongly supportive of a single product. I've not heard of "malverabytes" that you mentioned but maybe you are referring to Malwarebytes' Anti-Malware? It is indeed a very good product. I have used it from time to time with good results. I do use their FileAssassin and RegAssassin products more regularly than the anti-malware product.

Please note that the post you commented on is close to being 4-years old when I wrote it. So I haven't bothered to go back and update it with new/additional products. Newer blog posts do frequently mention and reference Malwarebyte's anti-malware product among others.

Here are some additional ones that are a bit more recent related to those issues:

Anti-Malware Tools
Anti-Virus Tools
USB based AV/AM Tools
Online Scan Tools
Anti-Rootkit Tools

Even these are not at recent as they could be but do provide additional tools to use.

I personally see these tools as "canaries in the mine" and use them for early-warning and alerting to potential threats on a system.

When it comes to removing them I personally would use VIPRE Rescue from Sunbelt Software, followed by a pass from the full VIPRE Antivirus + Antispyware product.

If that didn't get it, I might toss one more alternative AV/AM product at it (Malwarebytes included), but then go to the mats and pull out my system utilities and boot the system off-line and manually clean out the registry/system myself rather than trusting the automated routines in a AV/AM product. That also might provide me better clues on how it vectored in to the system so I can beef up the defenses afterward rather than just tossing the threat off the system and continuing on.

If that still didn't get it I would just recover my critical data to a USB drive, zero-out the entire drive, reformat the drive, and then reload the system and my data.

Lots of work but then I could be fairly certain it was clean again.

Thanks for commenting.

Claus V.