Using Sysinternals to Detect Malware

Microsoft has acquired the Sysinternals Process Explorer and offers it free of charge. It has been enhanced to verify executable and DLL hash codes against the VirusTotal database. Within minutes, an information security practitioner will be able to see analysis results for every process running on the computer.


Obtain Windows Sysinternals Process Explorer from the Sysinternals download page. It comes as a .zip with an EULA, the executable, and a Windows help file (.CHM). Extract these files to a location on your own computer for this example. However, when dealing with support calls in the field you may simply run the executable from the .zip container. Note: this .zip file would be an excellent resource for your forensics toolkit DVD/USB drive.

Using SysInternals

1. Launch the executable. For those of you who are unfamiliar with Sysinternals, there are traditional "File / Options" menu entries at the top of the executable window and some performance monitoring graphs. The 'Process' column lists all currently running processes on the system. 'PID' identifies the particular process ID, which may be helpful for in-depth analytical investigation and forensics. The 'Description' and 'Company Name' columns are retrieved from the executable or DLL, and may potentially be forged. The final column on the right, 'VirusTotal', shows the result of querying VirusTotal.
[Screenshot 1: Process Explorer main window]

2. You may right-click a specific process and choose Check VirusTotal. In the screen capture below, I have queried the ALsvc.exe executable, PID 4048. Under the VirusTotal column, 0/55 is displayed. These are the results of testing against VirusTotal's repository of 55 antivirus and anti-malware agents. Should this number be larger than 0/55, there is either a false positive or the object in question is malicious. Note: the denominator may increase or decrease over time, as VirusTotal adds or removes antivirus checking software from its repository.
[Screenshot 2: VirusTotal result for ALsvc.exe]

3. To check the entire process table against VirusTotal: from the top menu, select Options, then Check VirusTotal. This will automatically submit every running process, and any new process as it starts, to VirusTotal.

[Screenshot 3: Options menu, Check VirusTotal]

4. You may click the VirusTotal column header to sort by this result.

Note: use common sense when detecting malware; false positives commonly occur. For instance, the process AeXNSAgent.exe, our Symantec agent, is falsely detected by 2/55 antivirus agents.

5. Click the red underlined 2/55 to open a browser and investigate the VirusTotal results.

Some other helpful options (select from the top menu)

Options / Verify Signatures: this will verify the hash code of the file system object being executed against Microsoft's list of valid objects, essentially checking whether an operating system .DLL or .EXE has been replaced with an imposter. This may slow system performance.
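As an added example (not part of the original post and not Sysinternals code), the following script does from PowerShell what steps 1 through 5 and the Verify Signatures option do in the GUI: it hashes each running process image, checks its Authenticode signature, and looks the SHA-256 up in VirusTotal so the table can be sorted by detection count. It assumes Windows PowerShell 5.1 or later, outbound HTTPS, and a VirusTotal API key in the environment variable VT_API_KEY (a placeholder name; the page supplies no key).

```powershell
# Added example, not Sysinternals code: hash each running process image, check its Authenticode
# signature, and look the SHA-256 up in VirusTotal. Only the hash leaves the machine; no file is uploaded.
# Assumes Windows PowerShell 5.1+, outbound HTTPS, and an API key in $env:VT_API_KEY (placeholder name).
param([int]$FlagThreshold = 1)   # hits at or above this count are flagged; raise it to tune out false positives

$headers = @{ 'x-apikey' = $env:VT_API_KEY }
$cache   = @{}   # SHA-256 -> result, so each unique image is queried once (the public API is rate limited)

function Get-VtResult([string]$Sha256) {
    if ($cache.ContainsKey($Sha256)) { return $cache[$Sha256] }
    try {
        # VirusTotal API v3 lookup by hash. A 404 means VT has never seen this hash, not that it is clean.
        $r = Invoke-RestMethod -Method Get -Headers $headers -Uri "https://www.virustotal.com/api/v3/files/$Sha256"
        $s = $r.data.attributes.last_analysis_stats
        $hits  = [int]$s.malicious + [int]$s.suspicious
        $total = $hits + [int]$s.undetected + [int]$s.harmless   # engines that returned a verdict: the denominator
        $res = "$hits/$total"
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $res  = if ($code -eq 404) { 'unknown' } else { "error $code" }
    }
    $cache[$Sha256] = $res
    return $res
}

# Path is $null for protected processes when not running elevated; those are skipped here.
$report = foreach ($p in (Get-Process | Where-Object { $_.Path })) {
    $sha  = (Get-FileHash -Path $p.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $vt   = if ($sha) { Get-VtResult $sha } else { 'unreadable' }
    $hits = if ($vt -match '^(\d+)/') { [int]$matches[1] } else { -1 }
    [pscustomobject]@{
        PID        = $p.Id
        Process    = $p.ProcessName
        Path       = $p.Path
        Signature  = (Get-AuthenticodeSignature -FilePath $p.Path).Status   # Valid, NotSigned, HashMismatch, ...
        VirusTotal = $vt
        Hits       = $hits
        Flagged    = ($hits -ge $FlagThreshold)
    }
}

# Like clicking the VirusTotal column header: highest detection counts first.
$report | Sort-Object -Property Hits -Descending | Format-Table -AutoSize
```

A result of 'unknown' (hash never submitted to VirusTotal) deserves a closer look in Process / Properties rather than being treated as clean, and, as the note above says, a low non-zero count on a known vendor agent is more often a false positive than malware.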

Process / Properties: loads the properties of the executing object. This is also a good way to detect whether a malicious object has been launched from a higher-priority path. This was an older technique where malware would install itself in a location, with objects named to match Microsoft operating system objects such as Explorer.exe, then add that location to the top of the file system search path. The next time Explorer.exe is launched, the malware version becomes active because it is found first in the system's search path.

Process / Properties: you may also investigate threads, security, environment and strings; the strings tab shows ASCII strings that often give a clue to the executable's nature, or reveal IP addresses or URLs of command and control servers.