Sunday, December 30, 2007

This Week in Utilities - Mostly New Anti-Malware Tools

Been a busy week for finding nice utilities.  Here are quite a few worth looking into:

Malwarebytes - Anti-Malware

Some time ago I made mention of Malwarebytes' announcement that they were working on a new anti-malware product.

This is the same group that has produced these very finely crafted tools:

RogueRemover FREE - (freeware) - removes rogue antispyware, antivirus and hard-drive utilities.

FileASSASSIN - (freeware) - deletes files locked by malware processes.

RegASSASSIN - (freeware) - deletes registry keys locked by malware processes.

StartUpLite - (freeware) - tool to locate and disable/remove startup entries from system.

Unfortunately, their blog hasn't leaked any new clues to the status or design of the new anti-malware product they are cooking.

Luckily, gHacks has spilled the beans!

Malwarebytes Anti-Malware - gHacks' review of an early beta-release version was overall fairly positive.  Like most of us, they don't really keep "malware-infested" systems lying around to test the efficacy of these scanners.  My own test mirrored gHacks' results closely.  The scan ran well and was pretty fast.

Once installed, the main application presents eight tabs.

  • Scanner - choose a quick scan for common malware, or a full scan for all hard-drives/partitions.
  • Monitor - offers "real-time" protection of your system. Only available in the paid (Pro) version.
  • Update - checks for new signatures.
  • Quarantine - shows any infected files that have been made safe by the application.
  • Ignore List - shows any "skip" files the user has set to "ignore".
  • Settings - Various user configuration options for scanning and action.
  • More Tools - Bug reporting for the program and FileAssassin (locked file killer).
  • About - version information.

Still in beta status, but worth keeping an eye on.  Like many anti-malware programs, it is only as effective as its definitions are current and its heuristics are well designed. Malwarebytes' previous products have a good and trusted reputation and lots of community support, so I hope a final version delivers.

Malwarebytes Anti-Malware Beta test - Download link to sign up for public testing.  Log in and get the download link.

FileForum | Malwarebytes Anti-Malware - Download link to version 0.84 beta, if you don't want to register.

Universal Extractor

Universal Extractor - (freeware) - is one of my most-favorite unpacker utilities in the entire universe.  I have quite a few file compression utilities I like, but when it comes to mucking around and unpacking application setup files, Universal Extractor simply can't be beat.  This application is in my "pending posts" pile to do a full and worthy writeup one day.

It can unpack over 40 compression formats, automatically. Amazing.

The one thing it seems to have problems with is keeping up with the latest versions of Inno Setup.

Luckily, the program's forum page is rife with fans and a developer who is quick to provide the latest version of an unpacker module.  Just download the latest one, unpack it, and replace the program's old file with the newer one.

If it is a packed file or setup file, chances are Universal Extractor can open it.

RunScanner

RunScanner - (freeware) - This is a very new single-exe startup and hijack analyzer utility.  I am very impressed with it.  It doesn't require installation, seems quite portable on a USB drive, and packs a wallop with finding and researching system processes and startup entries.

At launch it offers three modes: "Beginner", which scans only and provides a log for upload to forums; "Classic", which is a simplified and fairly safe method to scan and fix potential problems; and "Expert", which is the full deal with no training wheels.

Scans are pretty fast, and options to save the log file or send it for online analysis are very easy to find.

Results are listed in sections that are clearly named.  Each item contains a description, path/info details, the company name (if available) and who the security certificate issuer was.

Tabs are available to look at common hijack areas, a process killer, loaded modules, and even a HOSTS file editor.  All very handy.

You can select items for action (disable/delete), but right-clicking also allows you to kill running processes, delete or rename on reboot, upload to VirusTotal for scanning, or even Google search. A bottom window pane can be opened which allows easy copy/paste of item details.

Having a number of handy resources to research and deal with the items is very useful.

I'm really impressed with this tool so far.

Drawbacks?  Might not be quite as thorough as some other "focused" utilities listed below, and it doesn't seem to present the running processes in a "tree" view like Process Explorer so it isn't as easy to see dependencies.

Alternatives:

a-squared HiJackFree - Very similar program, with other options.

Process Explorer v11.04 - The Godfather of Process tools.

AutoRuns for Windows - The Godfather of AutoRun entry tools.

TrendMicro HijackThis - Oldie but still a goodie on dealing with malware auto-start items.

I'll not be discarding any of these because of RunScanner, but it will be added to my USB sysadmin utility stick to help support them.

mst IsUsedBy - Ugly name, clever tool

Obviously the developers at mst software decided they weren't going with the Web 2.0 naming game when they released their handy little freeware product.  Taking a more NirSoft-like approach with practical naming, IsUsedBy does what it says.

mst IsUsedBy - (freeware) - This handy little program helps you figure out what process on your system has a particular file open.  Great when fighting malware and you are trying to delete a file but it keeps reporting it is unable to do so because the file is locked and in use.

Run the application, and a small window opens.  Drag and drop the target file from Windows Explorer on it and it will rat-out the process that has it locked down.

A few curiosities; first, it comes in either .msi or .exe installer format. Second, for such a nice little program, it must be "installed" on your system.  However, copy the single program file to your USB drive and uninstall the program and it seems (so far) to work OK.  Finally, it requires administrative privileges to work.  The EULA says it is for private and non-commercial use only.

Spotted via 4sysops.

Alternatives:

OpenedFilesView - (freeware) - NirSoft's wondermous little gem. Run this baby and it will provide a listing of all the files that are open on your system, in a handy table format view.  No drag-n-drop needed.  Find the one you are looking for, find the process using it, right-click on the item and attempt to close the open handles or kill the process using it.  All-in-one.

UNLOCKER - (freeware) - Probably one of my all-time favorite file-in-use killing tools right now. This marvelous tool has some of the most comprehensive methods for shutting down a file, and not only can you try to kill it, but you can also set a file to be moved, renamed, or deleted after reboot. Definitely a must-have for any malware hunter or sysadmin.  Not really "portable" and should be installed on a system to work effectively.

Locked Files Wizard - (freeware) - Handy tool that lets you pick out a target file that is locked (manually), then view the processes locking it.  From there you can attempt to stop the locking process or flag the file to be deleted/renamed at reboot.

WhoLockMe Explorer Extension v1.04 beta - (freeware) - I used to use this one a lot on my Windows 2000 systems I had to support.  It did have some drawbacks. First it needed to be installed so it could appear in the right-click context menu.  Kinda messy when you are hunting malware.  Second, it was released in 2002 and doesn't seem to have been updated since. However, if you have a Windows 2000/XP system and want a resident locked-file research tool, it is nice to have on right-click demand.

For a full list of locked file finders and process/file killers see this previous GSD post: I will kill thee a hundred and fifty ways...freely.
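The question every tool in this section answers is "which process has this file open?"  As an added example (my own illustration, not code from mst software, NirSoft or any of the tools above), here is the same lookup done on a Linux box by walking /proc/<pid>/fd, which is the closest portable stand-in for the NT handle table those Windows tools read.  It covers both the IsUsedBy-style single-file question and the OpenedFilesView-style full listing.  The "/proc" layout and the " (deleted)" suffix Linux appends to unlinked-but-open files are real kernel behaviour; the function names are mine.

```python
"""Added example: find which processes hold a given file open on Linux by
reading the per-process fd directories under /proc.  Not from the post, and
not the code of IsUsedBy / OpenedFilesView; it demonstrates the same idea."""
import os
import tempfile
from collections import defaultdict


def open_files_by_process(proc_root="/proc"):
    """Map each open regular-file path to the set of PIDs holding it
    (the OpenedFilesView "list everything" view).

    Without root you can only read your own processes' fd tables; anything
    we are not allowed to read, or that exits mid-scan, is skipped."""
    table = defaultdict(set)
    if not os.path.isdir(proc_root):
        return table
    for entry in os.listdir(proc_root):
        if not entry.isdigit():           # only numeric dirs are processes
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                      # permission denied or process gone
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            # sockets, pipes and anon inodes read like "socket:[1234]";
            # real files are absolute paths.  Skip device nodes (ttys etc).
            if target.startswith("/") and not target.startswith("/dev/"):
                # an unlinked-but-still-open file shows as "<path> (deleted)",
                # which is exactly the state a malware dropper leaves behind
                table[target].add(int(entry))
    return table


def who_has_open(path, proc_root="/proc"):
    """Sorted PIDs holding `path` open: the IsUsedBy question."""
    real = os.path.realpath(path)
    return sorted(open_files_by_process(proc_root).get(real, ()))


def demo():
    """Hold a temp file open ourselves and confirm the scan blames our PID."""
    fd, path = tempfile.mkstemp()     # constructed test file, removed below
    try:
        return os.getpid() in who_has_open(path)
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    print("self-test passed:", demo())
    for p, pids in sorted(open_files_by_process().items()):
        print(f"{p}  ->  {sorted(pids)}")
```

The defender's caveat is the same one the post makes about IsUsedBy needing admin rights: run unprivileged, this only sees your own processes, so a "nobody has it open" answer is only trustworthy when run as root (or as an administrator on Windows).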

Zenmap/Nmap Duo

I've not yet had the opportunity to really work with Nmap, but it keeps coming up over and over again.  Most of my network scans are simply to find used/unused IPs or network printers on our networks when they get shuffled around.

So the other day I found a note that Nmap has a really great GUI called Zenmap.

The screenshots look quite nice.

I'll be downloading it at work and giving it a workout to see just how useful it could be in our network environment.

Nmap - (freeware) - Insecure.org. Free and open source utility for network exploration or security auditing.

Zenmap - (freeware) - Insecure.org's official cross-platform Nmap Security Scanner GUI.

Download Link - distributed as a combined pair.

Reference Guide - Getting started guide. 

Documentation - Going deep.
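Since the two jobs I'd want from Nmap are "which IPs are in use" and "where are the printers", here is an added example (mine, not Insecure.org's code and not part of the post) that reads the XML report Nmap writes with `-oX` and answers both questions, plus the inverse "which addresses in the block are free".  The element and attribute names (`host`, `status`, `address`, `ports/port`, `state`, `service`) are Nmap's real XML output format; the scan below is a constructed sample, the address block is the documentation range 192.0.2.0/29, and the "looks like a printer" port set is my own assumption (JetDirect 9100, LPD 515, IPP 631).

```python
"""Added example, not from the post or from Insecure.org: pull live IPs,
free IPs and probable printers out of an Nmap -oX report.  The XML here is a
constructed sample in Nmap's real output format."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what "nmap -p 22,515,631,9100 192.0.2.0/29 -oX scan.xml"
# might write; the IPs are from the reserved documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 22,515,631,9100 192.0.2.0/29 -oX scan.xml">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac" vendor="Example Router Co"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:03" addrtype="mac" vendor="Example Printer Co"/>
    <ports><port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port></ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.4" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
           <port protocol="tcp" portid="631"><state state="closed"/></port></ports>
  </host>
</nmaprun>"""

# Assumed heuristic: any of these open usually means a network print device.
PRINTER_PORTS = {9100, 515, 631}   # JetDirect raw, LPD, IPP


def parse_hosts(xml_text):
    """Flatten each <host> into a dict: ip, up flag, MAC vendor, PTR name,
    and the set of open TCP/UDP ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        ipv4 = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        name = host.find("hostnames/hostname")
        open_ports = {
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        }
        hosts.append({
            "ip": ipv4.get("addr") if ipv4 is not None else None,
            "up": status is not None and status.get("state") == "up",
            "vendor": mac.get("vendor") if mac is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "open_ports": open_ports,
        })
    return hosts


def live_ips(hosts):
    """IPs Nmap saw respond, in numeric (not string) order."""
    return sorted((h["ip"] for h in hosts if h["up"] and h["ip"]), key=ipaddress.ip_address)


def unused_ips(hosts, cidr):
    """Addresses in the block that no live host claimed.  'Unused' here
    means 'did not answer this scan': a firewalled host looks the same."""
    seen = set(live_ips(hosts))
    return [str(ip) for ip in ipaddress.ip_network(cidr).hosts() if str(ip) not in seen]


def likely_printers(hosts):
    """Live hosts with a typical print-service port open."""
    return sorted(h["ip"] for h in hosts if h["up"] and h["open_ports"] & PRINTER_PORTS)


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_NMAP_XML)
    print("live:    ", live_ips(found))
    print("free:    ", unused_ips(found, "192.0.2.0/29"))
    print("printers:", likely_printers(found))
```

Note the "unused" list is only as honest as the scan: a host that drops probes is reported as down and will show up as a free address, so on a network with host firewalls an ARP-based sweep on the local segment is more reliable than ICMP from elsewhere.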

One More Duplicate File Finder

In my early December post Seeing Double I listed five (plus one hybrid) applications I love for hunting down duplicate files on a system. In order of preference; DupKiller, Easy Duplicate File Finder, Duplicate File Finder (DupFinder), DoubleKiller, Duplicate File Finder (DupFiles), and Easy Cleaner. All but DupFiles are freeware.

So when TinyApps posted a recommendation for a duplicate file finder, I paid notice.

Duplicate Files Searcher (DFS) - (freeware) - Quickly and powerfully finds duplicate files. Also can calculate MD5 and SHA hashes...if you need.

What are the key features of the Duplicate Files Searcher?

The most important features are:

    • Easy to use graphical user interface,
    • No limitations on number of files, file size, folders or drives,
    • Works with all removable media devices such as floppy disk, CD/DVD ROM, USB devices, etc.
    • Manual files selection which gives a user the full control over files to be deleted,
    • Byte for byte files comparison. It ensures 100% accuracy.
    • Files preview,
    • Improved (faster) searching engine,
    • Several files comparison methods,
    • New report files format.

It runs on Windows, Linux or MacOS. How rare is that?!

The program is actually written in Java. So download the zip file, then unpack it. Make a directory and put the dfsfull.jar file in there. Assuming you have Java SE installed, execute the jar file and you are good to go. There are actually two versions; free and full. The "free" version is a bit more stripped down in the options and capability. The "full" version has more features. Both are (for end-user's sake) free to use.
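The feature list above describes the classic three-stage duplicate search: group by size, then by hash, then confirm byte for byte so a hash collision can never label two different files as duplicates.  As an added example (my own code, not Duplicate Files Searcher's), here is that pipeline in Python, with a self-contained demo that builds a throwaway directory tree so it runs offline.  The function names and the SHA-256 choice are mine; DFS itself offers MD5 and SHA per the post.

```python
"""Added example, not from the post and not DFS's own code: size -> hash ->
byte-for-byte duplicate search, the approach the DFS feature list describes."""
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Stream a file through a hash so huge files don't get read into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def same_bytes(a, b, chunk=1 << 16):
    """The 'byte for byte' stage: true only if the two files are identical."""
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ba, bb = fa.read(chunk), fb.read(chunk)
            if ba != bb:
                return False
            if not ba:          # both hit EOF together
                return True


def find_duplicates(roots, min_size=1):
    """Return sorted groups of identical files found under `roots`.

    Stage 1 buckets by size (cheap, from the directory listing); stage 2
    hashes only files that share a size; stage 3 compares candidate bytes
    directly, so the hash only ever narrows the search, never decides it."""
    by_size = defaultdict(list)
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue        # never follow links; they'd alias a file to itself
                size = os.path.getsize(path)
                if size >= min_size:        # empty files are trivially "duplicates"
                    by_size[size].append(path)

    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[file_digest(path)].append(path)
        for cands in by_hash.values():
            if len(cands) < 2:
                continue
            first = cands[0]
            confirmed = [first] + [p for p in cands[1:] if same_bytes(first, p)]
            if len(confirmed) > 1:
                groups.append(sorted(confirmed))
    return sorted(groups)


def demo():
    """Build a constructed tree: two identical files, two same-size but
    different files, and one empty file; return the groups found."""
    base = tempfile.mkdtemp()
    sample = {
        "a.txt": b"same",
        "sub/b.txt": b"same",      # duplicate of a.txt in a subfolder
        "c.txt": b"diff",          # same size as a.txt, different content
        "d.txt": b"xxxx",
        "e.txt": b"",              # ignored by min_size
    }
    for rel, data in sample.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    groups = find_duplicates([base])
    return [[os.path.relpath(p, base) for p in g] for g in groups]


if __name__ == "__main__":
    for group in demo():
        print("duplicates:", group)
```

The reason for keeping stage 3 even with SHA-256 is the one DFS advertises as "100% accuracy": the hash is there to avoid reading every same-sized pair in full, not to be the final word on whether a file can be deleted.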

Clever and tiny.  Good find, TinyApps!

--Claus
