Educause Security Discussion mailing list archives
Some tricks to find information quickly on Windows processes, DLLs, and malware
From: James Moore <jhmiso () RIT EDU>
Date: Tue, 8 Jun 2010 12:19:49 -0400
This is something that I shared with our systems admins. It helps in looking for what processes are supposed to do, and sometimes what processes might be affected by certain types of malware. I have tuned a variety of search providers in IE and Firefox (Chrome works too, but I haven't tried it). Both browsers support the use of OpenSearch (http://www.opensearch.org/Community/OpenSearch_search_clients ); in fact, if you ever look at the XML code that is generated when you "add search provider", you will see the OpenSearch format. There is a website that does the same thing that is embedded in IE, generating an installable provider from an example search for "TEST". It is http://www.searchplugins.net/generate.aspx . But your mileage may vary, especially when you get to highly complex URLs.

I will run through setting things up with IE (and I will show you some of the search providers that I have set up, and why), and then describe how you do that in Firefox. Since Firefox has the capability of being a portable app, you might want to think about loading the search providers in the version that you carry on your favorite portable media.

*The basics, if you never have done this before.*

In IE, there is a downward arrow beside the search box on the address bar. You can pull that down, and it shows a "Find More Providers" menu item. When you select it, it shows "Add search providers" in the current tab. On the left are standard search providers; on the right is where you add your own search provider. The way that you add a search provider is "Create Your Own": use the word TEST in a search field of a website's internal search function. If "TEST" shows up in the URL, you are golden. You drop the resulting URL in the URL field, give it a label in the "specify a name for the search provider" field, and then click the install button. Below are the URLs that you can copy, either to generate a search provider for IE, or to generate one through searchplugins.net for Firefox.
I usually use the site or the sub-site description as the label. Ones that I use are:

File extensions:
- filext.com (really Uniblue, formerly LIUtilities, a Microsoft Gold partner): http://filext.com/file-extension/TEST
- fileinfo (lists some Mac extensions; no information about who runs it or how they get their information): http://www.fileinfo.com/extension/TEST

Processes:
- Neuber (makers of a great little tool called Security Task Manager, like Task Manager, but it does some ratings of risky behavior, like hidden windows, lack of signed code, etc. It also shows how processes start. And in Security Task Manager, all of the processes are hotlinks to this knowledgebase, which can be searched independently): http://www.neuber.com/taskmanager/process/TEST.html
- Process Library (also Uniblue, formerly LIUtilities, a Microsoft Gold partner): http://www.processlibrary.com/search/?q=TEST

AntiVirus Vendors:
- McAfee - Search the threats (doesn't work well on searchplugins.net): http://search.mcafee.com/search?q=TEST&site=us_site.Virus&num=10&btnG=Search&entqr=0&type=enterprise&output=xml_no_dtd&sort=date%3AD%3AL%3Ad1&ie=UTF-8&origin=us&client=default_frontend_us&ud=1&spell=1&oe=UTF-8&proxystylesheet=default_frontend_us&region=us&partialfields=&getfields=description&filter=0
- McAfee - Not nearly as good, especially since it doesn't sort by date (does convert to a Firefox search through searchplugins.net): http://www.google.com/search?hl=en&as_q=TEST&as_epq=&as_oq=&as_eq=&num=10&lr=&as_filetype=&ft=i&as_sitesearch=vil.nai.com%2Fvil%2Fcontent&as_qdr=all&as_rights=&as_occt=any&cr=&as_nlo=&as_nhi=&safe=images
- Kaspersky - Shows as "securelist" but it is them. Also shows the hits in descriptions, analysis, blog, glossary, website pages, Secunia: http://www.securelist.com/en/find?search_mode=virus&words=TEST&search=Search
- Secunia General: http://secunia.com/search/?search=TEST
- Secunia Advisories: http://secunia.com/advisories/search/?search=TEST
- Secunia Forums: http://secunia.com/community/forum/all_threads/?forum_search=TEST&iForumID=All_Threads
- Sophos: http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=TEST&action=search&x=59&y=11
- Symantec: http://searchg.symantec.com/search?q=TEST&charset=utf-8&nh=10&hitsceil=100&st=1&proxystylesheet=symc_en_US&client=symc_en_US&site=symc_en_US_vir&output=xml_no_dtd&context=hho&x=9&y=7
- Symantec Virus search: http://searchg.symantec.com/search?q=TEST+security_response&charset=utf-8&nh=10&hitsceil=100&st=1&proxystylesheet=symc_en_US&client=symc_en_US&output=xml_no_dtd&context=hho&x=9&y=7&sort=date%3AD%3AL%3Ad1&entqr=0&entsp=a&oe=UTF-8&ie=UTF-8&ud=1&site=symc_en_US_vir

Rate a website:
- Web of Trust: http://www.mywot.com/en/scorecard/TEST

Jim

- - - -
Jim Moore, CISSP, IAM
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)

"If you consciously try to thwart opponents, you are already late." Miyamoto Musashi, Japanese philosopher/samurai, 1645

"I prefer the company of peasants because they have not been educated sufficiently to reason incorrectly." Michel de Montaigne

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
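The following is an added example, not code from the post or from searchplugins.net, showing what the "TEST" trick actually produces: the URL with the probe word becomes an OpenSearch URL template, and the description XML a browser installs is generated around it. Provider names and URLs are taken from the post; the XML escaping of "&" is what keeps long query strings like McAfee's intact.

```python
"""Added example: build an OpenSearch 1.1 description from a search URL in
which the probe word TEST marks where the query goes, and expand the
resulting template the way a browser does."""
import xml.etree.ElementTree as ET
from urllib.parse import quote_plus

OPENSEARCH_NS = "http://a9.com/-/spec/opensearch/1.1/"
PROBE = "TEST"  # the word typed into the site's own search box


def url_to_template(url_with_probe: str) -> str:
    """Swap the probe word for the OpenSearch {searchTerms} parameter.

    The probe must appear exactly once: zero means the site does not put
    the query in the URL (the trick cannot work), more than one would
    inject the query into a parameter it does not belong in."""
    if url_with_probe.count(PROBE) != 1:
        raise ValueError(f"expected exactly one {PROBE!r} in {url_with_probe!r}")
    return url_with_probe.replace(PROBE, "{searchTerms}")


def opensearch_description(short_name: str, url_with_probe: str) -> str:
    """Return the OpenSearch description XML for one search provider.

    ElementTree escapes '&' in the template attribute as '&amp;', so a
    parameter such as '&region=us' is not misread as an entity when the
    document is parsed back."""
    root = ET.Element("OpenSearchDescription", xmlns=OPENSEARCH_NS)
    ET.SubElement(root, "ShortName").text = short_name[:16]  # spec limit
    ET.SubElement(root, "Description").text = f"Search {short_name}"
    ET.SubElement(root, "Url", type="text/html", method="get",
                  template=url_to_template(url_with_probe))
    return ET.tostring(root, encoding="unicode")


def template_from_xml(xml_text: str) -> str:
    """Parse a description document and return its URL template."""
    url_el = ET.fromstring(xml_text).find(f"{{{OPENSEARCH_NS}}}Url")
    return url_el.get("template")


def expand(template: str, query: str) -> str:
    """Fill the template like a browser: percent-encode the query."""
    return template.replace("{searchTerms}", quote_plus(query))


if __name__ == "__main__":
    doc = opensearch_description("ProcessLibrary",
                                 "http://www.processlibrary.com/search/?q=TEST")
    print(doc)
    print(expand(template_from_xml(doc), "svchost.exe"))
```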