Malware AV Audit Script

  • Question

  • I am trying to write up a script that will allow me to get the following information to help in determining a baseline for Malware/AV removal:

    1. Get a List of System Restore Points
    2. Get a list of startup items for the system including entries that would show up blank in MSConfig
    3. Get a list of Running Processes
    4. List the contents of System32 folder
    5. List the contents of App Data under each user's profile

    I want to output this to a text file. I've got an individual script that will give me the restore points and getting the contents of the system32 folder is easy enough. Processes should be fairly easy. I just want to gather this information and push it out to the same text file. I'd like to be able to do it for XP and Win7 primarily.

    If someone could point me in the right direction that would be great, I know how to manually get the info, just want to automate it.

    Thanks,

    Joe

    Wednesday, December 28, 2011 6:28 PM

Answers

  • I completely disagree. Most major AV scanners do an excellent job as long as you use one designed for the enterprise and not for the homeowners.

    You will never detect rootkits by looking at files.  It is exactly why rootkits are so dangerous.  Only a good real-time AV scanner can prevent rootkit infection and only if users are not allowed elevated access to the system.  Admins have to also run as standard users and only elevate when absolutely required.  That is why that is the default model in Windows 7/WS2008R2.

    I am afraid you are just wasting your time on a fruitless exercise. I have been doing this since before the first copy of PCDOS. I have been using AV scanners since the first copy of McAfee was released.  I have never had a rootkitted system and have seldom had an infected system.  I have installed and managed thousands of systems.

    Every security expert for years starts by telling a company that they MUST have an AV scanner and maintain it at all times. Anything short of that is just a waste of time.

    jv
    Wednesday, December 28, 2011 9:52 PM

All replies

  • What scripting language are you using?
    ([string](0..9|%{[char][int](32+("39826578846355658268").substring(($_*2),2))})).replace(' ','')

    What's new in Powershell 3.0 (Technet Wiki)

    Wednesday, December 28, 2011 7:20 PM
  • VB. The other scripts that I have are VB. I know getting the process list is super simple in PS. I'm just dealing with XP and Win7 machines. The end goal is to get baseline information to help me start the troubleshooting process locating malware, viruses etc.

    Any other useful ideas for gathering info to help would be cool too.

    Wednesday, December 28, 2011 7:24 PM
  • You are asking a lot in one question.  I suggest you break it down as you have, and work on one part at a time.  I doubt whether anyone here is going to provide you with a turnkey solution.  You will have to put it together yourself.

    Wednesday, December 28, 2011 8:07 PM
  • Item # 1

    http://support.microsoft.com/kb/295299

    Item #2 cannot be easily acquired in script.  You need to look at numerous registry keys.  Use autoruns.exe:
    http://technet.microsoft.com/en-us/sysinternals/bb963902

    Items #3 and #4 can be acquired using WMI.

    Item #5 will be an issue if you have roaming profiles.  To get local profiles you will need to read the registry and determine which entries are user profiles and which are system profiles.

    None of this will be much use in detecting malware without a method of generating file signatures and checking them against a malware database.

    There is no substitute for good AV software with enterprise reporting tools built in. McAfee, Norton, Microsoft, Trend Micro and others have all of this and more.

    jv
    • Edited by jrv Wednesday, December 28, 2011 8:22 PM
    Wednesday, December 28, 2011 8:17 PM
  • If your aim is to somehow improve upon or replace a proper AV solution with a script, then forget it!  Malware is usually far too clever for the likes of us to detect and remove. 

    AV engines operate at a very low level, and there is no way to substitute this with scripting.

    • Edited by Bigteddy Wednesday, December 28, 2011 8:38 PM
    Wednesday, December 28, 2011 8:37 PM
  • If your aim is to somehow improve upon or replace a proper AV solution with a script, then forget it!  Malware is usually far too clever for the likes of us to detect and remove. 

    AV engines operate at a very low level, and there is no way to do this with scripting.

    Exactly. The OP's idea is equivalent to using a pitch fork when looking for the proverbial needle in the haystack.
    Wednesday, December 28, 2011 8:42 PM
  • The situation is, I am spending a lot of time going in behind AV programs cleaning up systems and such. I am familiar with autoruns.exe and it is one of the tools I am currently using. This is dealing with systems with updated AV and Malware software on them.

    These programs are great, but cannot prevent user error as I'm sure many of us know. Item 2 I knew was the hard part. I'm just trying to get a list of this information to review also bringing to light possible rootkit activity.

    This is not Tier 1 troubleshooting, this is after other tools have failed to prevent infection. So I've got a script for #1 and #3.

    So with #2 is there a way to get autoruns.exe to output the results to a .txt file? I'm trying to have a scripted process to output to a txt which will upload to my monitoring software and allow support engineers access it through our monitoring software.

    Thanks for the information thus far guys. It's a lot of information that I'm trying to get, I realize that, but it's what I'm getting manually every time I deal with one of these issues, just like the rest of my team. We're trying to get something we can kick off, and come back to it when we have the results and look over the information to save time and energy. So I appreciate the help!

    Wednesday, December 28, 2011 9:02 PM
  • The situation is, I am spending a lot of time going in behind AV programs cleaning up systems and such. I am familiar with autoruns.exe and it is one of the tools I am currently using. This is dealing with systems with updated AV and Malware software on them.

    If you spend a lot of time cleaning up systems then you're treating the symptoms rather than dealing with the cause. Does your company have a strict policy about virus scanners, permissible software, EMail attachments, playing games, visiting suspect sites? I suspect not. When you have such a policy, endorsed by senior management, published regularly and enforced without exception then you will find that damage by malware, viruses and poorly written software becomes the rare exception rather than the rule it now seems to be.
    Wednesday, December 28, 2011 9:14 PM
  • Nah, I'm not nearly that foolish. This is just looking things over to see if things do not look right as a start of the process to see what I may be dealing with: Virus, Malware, Rootkit etc. It's just gathering clues as to what may be causing performance issues. Clues... that's the goal, not fixes.
    Wednesday, December 28, 2011 9:16 PM
  • I am working for a monitoring company that is dealing with other companies and their lax policies. I agree that this is dealing with symptoms instead of the root cause. Users being able to install programs, web browsing and doing things other than work while at work. That is the problem. We do set up strict AV solutions for our customers.

    AV is only as good as the end users, and we are also fighting companies that try to spend as little as possible so only having AV on a system is nearly useless anymore. Malware is becoming a huge issue and most AV scanners do not do a good job in preventing/detecting it, thus why I am spending large amounts of my time in dealing with malware infected systems with up to date AV that is finding nothing.

    Those of us that have been at the Virus Removal/malware/spyware/*ware game can see some of the things that are not exactly right that scanners are not picking up on. Just because the algorithm is not in the definitions yet, does not mean it is not a malicious piece of software. There are even perfectly good programs out there that have security flaws that allow malware and such into a system. You can download one right from the weather channel.

    That is why I'm after this information. Because no software is perfect and sometimes we still need humans to flag things as possibly bad to have those with higher skills and knowledge look at them. Format/reinstall is not always the best answer, again that's not fixing the problem.

    Wednesday, December 28, 2011 9:37 PM
  • JV, I agree that a good AV Scanner is a must. But what happens when the AV didn't work... that's where I'm at with these customers. Most of these customers are on Enterprise AV, the ones that are not are on a professional grade AV, no home.

    I appreciate the input.  I appreciate the information thus far, the links above have been a great help. I can script Autoruns commandline to get the information I need from that and pipe it out to a text file. I just have to push it out to the machine as part of the script. That will take care of number 2 on my list.

    That just leaves 4 and 5. You already said that 4 is simple enough, so I'll just look it up. So we can mark this as answered from your earlier post. Unless someone wants to help me with number 5.

    Some rootkits generate files that you can catch, I've done it before. Those are the exceptions and not the rules however.

    Wednesday, December 28, 2011 10:09 PM
  • That just leaves 4 and 5. You already said that 4 is simple enough, so I'll just look it up. So we can mark this as answered from your earlier post. Unless someone wants to help me with number 5.

    Here is a script that will do #5 on a Windows 7 machine. All you need to do is to invoke it with cscript.exe and pipe its output into your text file. On my machine (which is essentially a single user machine) it generated around 8,000 lines of text. To facilitate your virus/malware detection task, just look for the words "virus" and "malware" in the output, or for any other word that you believe the malware uses to announce itself to the world at large.

    ' List every file under the AppData folder of each profile on the machine.
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oWshShell = CreateObject("WScript.Shell")
    ' The parent of the current user's profile folder is the profiles root (C:\Users on Windows 7).
    sProfileFolder = oWshShell.ExpandEnvironmentStrings("%UserProfile%")
    sProfiles = oFSO.GetFolder(sProfileFolder).ParentFolder.Path

    Set oFolder = oFSO.GetFolder(sProfiles)
    On Error Resume Next    ' skip profile folders this account cannot read
    For Each oProfileFolder In oFolder.SubFolders
        For Each oDir In oProfileFolder.SubFolders
            If LCase(oDir.Name) = "appdata" Then Process oDir
        Next
    Next

    ' Recursively echo the full path of every file below oFldr.
    Sub Process(oFldr)
        On Error Resume Next
        For Each oFile In oFldr.Files
            WScript.Echo oFile.Path
        Next

        For Each oSubfolder In oFldr.SubFolders
            Process oSubfolder
        Next
    End Sub

    Or as a fast batch file:
    @echo off
    cd /d "%UserProfile%\.."
    for /d %%a in (*.*) do if exist "%%a\AppData" dir /s /b "%%a\AppData"

    Wednesday, December 28, 2011 10:36 PM
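    Pulling the five items into one PowerShell collection script, as an added example that is not code from any poster in this thread. It follows the hints in jrv's earlier reply (WMI for restore points and processes, autorunsc for the startup items MSConfig shows blank, the registry ProfileList to tell user profiles from system profiles) and covers item #5 the way the VBScript above does, with an optional comparison against an earlier run so a later snapshot shows what appeared or disappeared. It assumes an elevated PowerShell 2.0 session (XP or Win7), that autorunsc.exe has been copied to the path in $AutorunsPath (the flags passed to it are an assumption; check the tool's usage text for your version), and the parameter names $OutFile and $Baseline are my own.

```powershell
# Added example (not from the thread): collect the five baseline items the
# original poster listed into one text file. Run from an elevated prompt.
# Assumed: autorunsc.exe lives at $AutorunsPath; its flags vary by version.
param(
    [string]$OutFile      = "$env:SystemDrive\baseline_$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd_HHmmss).txt",
    [string]$AutorunsPath = "$env:SystemDrive\tools\autorunsc.exe",
    [string]$Baseline     = ""    # optional earlier output file to compare against
)

function Write-Section($Title, $Lines) {
    # Fixed headers per item so later runs can be compared section by section.
    Add-Content -Path $OutFile -Value ("=" * 70)
    Add-Content -Path $OutFile -Value "== $Title"
    Add-Content -Path $OutFile -Value ("=" * 70)
    if ($Lines) { Add-Content -Path $OutFile -Value $Lines } else { Add-Content -Path $OutFile -Value '(none)' }
    Add-Content -Path $OutFile -Value ""
}

# 1. System Restore points via the SystemRestore WMI class (root\default on XP and Win7).
$restore = Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue |
    Sort-Object SequenceNumber |
    ForEach-Object { "{0,5}  {1}  {2}" -f $_.SequenceNumber, $_.CreationTime, $_.Description }
Write-Section '1. System restore points' $restore

# 2. Startup items via Sysinternals Autorunsc (assumed flags: -accepteula, -c for CSV output).
if (Test-Path $AutorunsPath) {
    $auto = & $AutorunsPath -accepteula -c 2>$null
} else {
    $auto = "autorunsc.exe not found at $AutorunsPath"
}
Write-Section '2. Startup items (autorunsc)' $auto

# 3. Running processes with PID, name and image path (path is empty for protected processes).
$procs = Get-WmiObject Win32_Process |
    Sort-Object ProcessId |
    ForEach-Object { "{0,6}  {1,-30}  {2}" -f $_.ProcessId, $_.Name, $_.ExecutablePath }
Write-Section '3. Running processes' $procs

# 4. Top-level contents of System32; last-write time and size make fresh drops stand out.
$sys32 = Get-ChildItem "$env:SystemRoot\System32" -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "{0:yyyy-MM-dd HH:mm}  {1,12}  {2}" -f $_.LastWriteTime, $_.Length, $_.Name }
Write-Section '4. System32 listing' $sys32

# 5. AppData under every local user profile. Profiles come from the registry
#    ProfileList, so service accounts (S-1-5-18/19/20) are skipped and profile
#    folders that were renamed or moved are still found.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$appdata = @()
foreach ($key in Get-ChildItem $profileKey) {
    if ($key.PSChildName -notlike 'S-1-5-21-*') { continue }      # only domain/local user accounts
    $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Win7 keeps AppData in the profile; XP uses "Application Data" and "Local Settings\Application Data".
    foreach ($sub in 'AppData', 'Application Data', 'Local Settings\Application Data') {
        $dir = Join-Path $path $sub
        if (Test-Path $dir) {
            $appdata += @(Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { "{0:yyyy-MM-dd HH:mm}  {1,12}  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName })
        }
    }
}
Write-Section '5. AppData contents per local profile' $appdata

# Optional: line-based comparison with an earlier snapshot of the same machine.
if ($Baseline -and (Test-Path $Baseline)) {
    $diff = Compare-Object (Get-Content $Baseline) (Get-Content $OutFile) |
        ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
    Write-Section "Changes since $Baseline (=> new, <= missing)" $diff
}
Write-Host "Baseline written to $OutFile"
```

    Run it once to capture the baseline, then later with -Baseline pointing at the earlier file to append a change section. The comparison is line-based, so the restore point, System32 and AppData sections diff cleanly, while the process list will churn with normal activity and the autorunsc section is only as stable as the CSV column order of the version you ship.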
  • In my company we never attempted to clean an infected computer. We wiped it clean and reinstalled everything from image. Anything the user kept on the computer was lost.

    Richard Mueller - MVP Directory Services
    Wednesday, December 28, 2011 11:21 PM
    Moderator
  • In my company we never attempted to clean an infected computer. We wiped it clean and reinstalled everything from image. Anything the user kept on the computer was lost.

    Richard Mueller - MVP Directory Services

    http://www.youtube.com/watch?v=gG2naf70MbY&feature=related

    jv
    • Edited by jrv Thursday, December 29, 2011 12:19 AM
    Thursday, December 29, 2011 12:18 AM
  • My 2c worth:  Windows XP is a security hazard.  This is because a 'Limited User' is far too limited for most ordinary computing, and so admins make all the users part of the Local Administrator's group.   This also makes it easy for them to perform certain operations for the users, like installing printers.

    Windows Vista (and subsequently 7) is one of the best things that happened, from an IT admin point of view:  Why?  UAC, and more sensible rights for regular users.  Not to mention IE9, which is also more secure than previous versions.

    I could go on about the various security improvements in Vista compared to XP, but I think I've made my point.  XP is a security hazard.

    • Edited by Bigteddy Thursday, December 29, 2011 4:45 AM Typos
    Thursday, December 29, 2011 4:12 AM