Sunday, February 10, 2008

SysInspector: New System Utility from ESET

Alex Eckelberry over at Sunbelt Software had a blog post that brought a new (beta) system inspector utility to my attention: SysInspector

ESET is a Slovakian computer security company with a global customer base. One of their most noted mainstream products is their anti-virus product NOD32. They also provide firewall, antispyware, and anti-spam solutions, and offer a free online scanning service: ESET Online Scanner.

So, being familiar with their security-minded model, I was intrigued by what this new product could bring to the table.

SysInspector - Not What you Think

SysInspector - (beta - freeware) - is a single-file executable download. It is supported on Microsoft Vista/XP/2003/2000 in a 32-bit version. A 64-bit version is also available for all these systems except 2000.

Having the program contained in a single executable is a nice feature. This means it should be easily portable on USB drives, and might (yet untested) even work off a CD/DVD-ROM disk. This should make the utility handy when sysadmins and desktop responders need to assess a running system and don't want to download the tool from the Net.

Once launched, the program immediately scans the system it is running on. Depending on the system's hardware and installed software, the main window may take anywhere from under a minute to several minutes to appear.

Once the scan is complete the main interface window appears.

I was expecting the tool to be similar to SIW (System Information for Windows) or maybe another Process Explorer like utility.

I was pleasantly surprised to find it is like both, but neither!

The Menu Bar

At the top-right is a menu-bar. Here you can select "File", "Tree", "List", or "Help" options.

The File list allows you to open or save logs from your scans, generate reports formatted for sending by email or for personal (local) review, filter results by risk level, change the report view detail level from Full to Basic, and exit the program.

The Tree list simply allows you to quickly expand or collapse the item tree view on the left-hand side of the main window. There is a lot of data here, so I generally find it helpful to leave it collapsed and manually expand the items as I examine them. Otherwise it is information overload!

The List options provide navigational aids and history, show the parents and nodes of tree items, copy items to the clipboard, perform an online search, and jump to the item's location on disk (file) or in the registry.

The Help option provides a well-filled (for a beta product) help guide to the product. It also links to ESET's online scanner and has the "About" details for the program.

The Tool Bar

I'm calling the second line down a "tool bar," but there aren't tools or icons in it in the normal sense.

Here you can again select the detail level (Full, Medium, Basic) and set the item threat-filtering level with a color-coded slider that runs from Fine (green, which displays all items) to Risky (which displays only the items rated high-risk). Lastly, there is a search box for finding particular items in the scan results.

The Left Tree Window

On the left hand side is a window that displays the following scanned areas:

  • Running Processes - information about applications and processes running at scan-time.
  • Network Connections - processes and applications communicating on the network
  • Important Registry Entries - areas of the registry that ESET feels are worthy of watching
  • Services - list of files registered as Windows Services
  • Drivers - list of installed drivers on the system
  • Critical Files - list of critical Microsoft operating system files
  • System Information - detailed information on the system's hardware, software, environment variables and user rights.
  • File Details - specific files located in the Program Files folder as well as system files.
  • About - information about the ESET SysInspector application itself.

Expanding any of these "nodes" shows details of the items listed.

Each item is color-coded with a corresponding "risk-level" scale. Green = safe, red = check it out.

Once a node is expanded, its items show up in the top-right window pane. Here you can examine each item in more detail. Right-clicking an item brings up the navigation and web-search options.

Clicking an item in that pane provides a highly detailed breakdown of the item in the bottom-right pane. You may scroll this section and, if you need to, right-click to copy the information to the clipboard.

Different nodes provide different information. For the most part, the column headings are the same.

All items have a "risk-status" rating, as previously mentioned.

Thoughts

The program runs very quickly and provides an expansive overview of a system. ESET has done well to focus on the major problem points a system might have, and the tool should serve desktop support staff well.

While I am not sure what internal methodology ESET has built into the application, it allows a system responder to quickly sort through lots of information and focus on the "high-risk" hits found during the scan.

It does not remove malware. It does not flag viruses or malware. I didn't find that the application can even kill or terminate processes, or change registry values. That isn't the type of tool it is.

Rather, SysInspector is a first-response assessment tool, used to help skilled support staff quickly identify points of interest on a system. Using this information, the responder may be able to plan a more targeted approach to dealing with the results. This isn't a tool for the casual or home-user attempting to fight malware.

ESET SysInspector is an application that thoroughly inspects your computer and displays the gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection.

There also does not currently appear to be any documentation on how ESET calculates the various threat-level ratings it gives. I suspect some kind of file entropy calculation is involved, but I can't be sure.
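As an added example (this is not ESET's code, and there is nothing on this page confirming that SysInspector works this way), here is the kind of file-entropy check the paragraph above speculates about. Packed or encrypted executables have byte distributions close to uniform, so their Shannon entropy sits near 8 bits per byte, while plain text and ordinary code sit well below that. The thresholds, the Fine/Medium/Risky labels (borrowed from the slider described above, with an assumed middle step), the windowed scan and the sample "files" are all constructed assumptions for illustration:

```python
# Added example, not ESET's code. Shows a Shannon-entropy risk check of the
# kind the post speculates about; thresholds and labels are assumptions.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for a
    perfectly uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 256) -> list:
    """Entropy of each fixed-size window. A packed or encrypted blob inside an
    otherwise ordinary file shows up as a run of windows near 8.0."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


# Assumed labels, modelled on the Fine-to-Risky slider in the post.
RISK_LEVELS = ("fine", "medium", "risky")


def risk_level(entropy_bits: float) -> str:
    """Map an entropy value onto the assumed three-step scale. The cut-offs
    (6.0 and 7.0 bits/byte) are illustrative, not ESET's."""
    if entropy_bits >= 7.0:
        return "risky"
    if entropy_bits >= 6.0:
        return "medium"
    return "fine"


def assess(samples: dict) -> dict:
    """Return {name: (entropy rounded to 3 places, risk label)} per sample."""
    report = {}
    for name, blob in samples.items():
        e = shannon_entropy(blob)
        report[name] = (round(e, 3), risk_level(e))
    return report


def filter_by_slider(report: dict, minimum: str) -> dict:
    """Keep only items at or above the chosen level, like dragging the
    slider from Fine (everything) toward Risky (high-risk items only)."""
    floor = RISK_LEVELS.index(minimum)
    return {k: v for k, v in report.items() if RISK_LEVELS.index(v[1]) >= floor}


# Constructed sample "files" (byte strings, not real binaries):
SAMPLES = {
    "zeros.bin": b"\x00" * 1024,                                   # padding: 0 bits/byte
    "readme.txt": b"The quick brown fox jumps over the lazy dog. " * 20,  # text: ~4.2 bits/byte
    "packed.bin": bytes(range(256)) * 4,                           # uniform bytes: 8 bits/byte
}

if __name__ == "__main__":
    report = assess(SAMPLES)
    for name, (entropy, level) in report.items():
        print(f"{name:12s} {entropy:5.3f} bits/byte  {level}")
    print("slider at Risky:", sorted(filter_by_slider(report, "risky")))
    print("windows:", windowed_entropy(b"\x00" * 256 + bytes(range(256))))
```

A real scan would feed the on-disk image of each process, service and driver binary through `shannon_entropy` (or `windowed_entropy` to find a packed section inside a larger file) and let the slider hide everything below the chosen level. High entropy alone is not proof of malice (legitimate installers and compressed resources score high too), which is exactly why a tool like this only points the responder at what to look at next.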

ESET's report building and clipboard-supported information capture is great. Being able to export information for later review off-system is a valuable feature.

What it does remind me of is MANDIANT's excellent Red Curtain threat-assessment system scanner. For more about Red Curtain, see this review I did: Mandiant Red Curtain - Incident Review Software.

SysInspector is a tool to quickly scan and assess very complex operating systems and the processes and files they contain. From there, response is left up to the skills and training of the responder.

This product is currently in "beta" status. No word on whether this version has a time-bomb or not. Nor is it clear whether this will be a free security product ESET offers to the security and sysadmin community, or whether it will later require $ to use.

Either way, having a fast, small, single-executable system assessment utility is a good thing. ESET has done their homework, and I can only expect good things and improvements as this tool makes its way out of the beta process.

Valca Recommended (and added to my Sysadmin USB stick)!

--Claus

1 comment:

Anonymous said...

umm.......
idk wat any of that means but....
i just dropped by to say

I LOVE U DADDY

<3

ur hambone
:P