Sunday, May 29, 2011

IGL-Security Guide: File Research

Executable files (.exe is the most common, but others are out there) are everywhere, and you most likely run a lot of them every day. However, have you ever checked what a file does before you run it? Thanks to a number of different companies, we can now research what a file does without manually tracking the changes it makes. I use these tools a lot when I want to research what a malware file does, so I have a lot of personal experience with them and want to share that knowledge with you. Here are some of my favorite tools for file research.

 Bleeping Computer File DB:

Bleeping Computer's FileDB is a great way to look up what program a file belongs to and to see if it is already ranked as safe or not. I use Bleeping Computer's FileDB when I see a file in my Task Manager using a lot of CPU and I don't know what it is. This tool lets you look up file data without needing to upload the file anywhere, and it's simple to use: just enter the .exe name and search.

 Online Armor File DB

Just like Bleeping Computer's FileDB, the Online Armor File DB lets you enter an .exe name to see whether it is ranked OK in their database and to check vendor information. Online Armor's file DB (known as the Online Armor System Information Service) collects its data from users of their firewall application, Online Armor, recording how many users run a given file and how many users allow it. This is a great service for those who don't want to upload a file for analysis.

 Xandora

Xandora is a free file analysis tool from Panda Security. Uploading a file to a site like this gives you a report of the file's behavior, and the file is also submitted to Panda Security for analysis. The tool also lets you search for existing reports by MD5, file name, and even the IP address the file connects to.

ThreatExpert

ThreatExpert from PC Tools is one of the better-known file analysis tools. It checks the file's behavior and attempts to tell you what type of malware it is by comparing it with other malware that shows the same behavior. I normally send any files I research to both Xandora and ThreatExpert, because some malware attempts to terminate itself if it detects a vendor's research tools.

VirusTotal

VirusTotal is really the most famous of all the file research tools. When you upload a file to VirusTotal, it gives you the detection results of over 42 different antivirus engines. It also sends the file to each of the vendors on VirusTotal to help them detect the new malware sent there. VirusTotal is a great tool if you want to check the detection results for a file before you run it. However, VirusTotal uses the command-line version of each scanner, not the full product, so don't assume that because a file is not detected on VT it would not be detected by the product on a real machine. On a real machine, AVs have HIPS, behavior blockers, and other technology that cannot be used in a command-line version.

1 comment:

  1. Thanks for the great articles!

    From other tools/resources, personally I also like

    http://anubis.iseclab.org/
    http://wepawet.iseclab.org/
    http://systemexplorer.net/filedb.php

    and of course google.com :)