Kaseya Community

Malware Scanning

  • I started digging into learning the Sysinternals Suite of tools and came upon a lecture provided by Mark Russinovich. The hour-long seminar was fantastic. Here is the link. http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
    I am no programmer and gave up that pursuit years ago, so I really don't know why this would be so; I thought I would ask. Mark outlines a process for searching for spyware/malware and other suspicious content. As part of this process, he suggests searching for unsigned files. So, with this in mind, why are Kaseya's main executables not signed?
    The other item I thought was hugely beneficial was the use of the sigcheck tool to try to find files that do not have signatures. Has anyone scripted this tool to do routine scans of their networks? Is anyone doing routine sweeps of machines for rootkits?
    Please provide feedback so we can determine whether trying to script these tools has proven to be a useful process for anyone.
    Thanks in advance.
    TR

    Legacy Forum Name: Malware Scanning,
    Legacy Posted By Username: trnetwork
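    One way to script the sigcheck sweep TR asks about, as an added example that is not from this thread or from Kaseya: it parses the CSV that `sigcheck -c -e -s <dir>` prints, lists the files whose Authenticode check reports Unsigned, and diffs that list against the previous sweep so only newly appeared unsigned binaries need a look. The sample output, paths and publishers are constructed; the column names and the `-accepteula`/`-nobanner`/`-c`/`-e`/`-s` switches are assumed to match current sigcheck releases.

```python
import csv
import io
import subprocess
from typing import Dict, Iterable, List

# Constructed stand-in for `sigcheck -c -e -s C:\Demo` output: banner lines
# followed by the CSV table. Paths, publishers and dates are made up.
SAMPLE_SIGCHECK_CSV = """\
Sigcheck - File version and signature viewer (banner lines, constructed)
Sysinternals - www.sysinternals.com

Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type
"C:\\Demo\\tool.exe","Signed","1:00 PM 1/2/2020","Example Corp","Example Corp","Demo Tool","Demo","1.0","1.0","64-bit"
"C:\\Demo\\updater.exe","Unsigned","n/a","n/a","Example Corp","Updater","Demo","1.1","1.1","32-bit"
"C:\\Demo\\readme.txt","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a"
"C:\\Demo\\helper.dll","Unsigned","n/a","n/a","n/a","n/a","n/a","n/a","n/a","64-bit"
"""

def parse_sigcheck_csv(text: str) -> List[Dict[str, str]]:
    """Return one dict per file row, skipping any banner printed before the header."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("Path,")), None)
    if start is None:
        raise ValueError("no CSV header found in sigcheck output")
    return list(csv.DictReader(io.StringIO("\n".join(lines[start:]))))

def unsigned_executables(rows: Iterable[Dict[str, str]]) -> List[str]:
    """Paths whose signature check reported Unsigned. 'n/a' means not a PE image, so it is not flagged."""
    return sorted(r["Path"] for r in rows if r.get("Verified") == "Unsigned")

def new_since(baseline: Iterable[str], current: Iterable[str]) -> List[str]:
    """Unsigned files not present in the previous sweep: the ones worth a closer look."""
    return sorted(set(current) - set(baseline))

def run_sigcheck(directory: str, sigcheck: str = "sigcheck.exe") -> List[str]:
    """Run the real tool (Windows, sigcheck on PATH) and return its unsigned executables.
    Assumes the -accepteula/-nobanner/-c/-e/-s switches of current sigcheck releases."""
    proc = subprocess.run([sigcheck, "-accepteula", "-nobanner", "-c", "-e", "-s", directory],
                          capture_output=True, text=True, check=False)
    return unsigned_executables(parse_sigcheck_csv(proc.stdout))

if __name__ == "__main__":
    found = unsigned_executables(parse_sigcheck_csv(SAMPLE_SIGCHECK_CSV))
    print("unsigned:", found)
    # Baseline from the previous sweep (constructed): only updater.exe is new this time.
    print("new since last sweep:", new_since({"C:\\Demo\\helper.dll"}, found))
```

    Unsigned is a lead, not a verdict: as the original post notes, legitimate products ship unsigned binaries too, so keeping a per-host baseline and reviewing only what changed is what makes a scheduled sweep manageable.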
  • Mark Russinovich is a great resource. And he openly says what I've been saying for a long, long time: anti-virus only is not the solution. It only detects what the anti-virus companies think it should. Therefore it's only part of the solution. True security should be a combination of non-admin, anti-virus software, and consistent patching procedures. You have Kaseya to do all but the first item on the list. But it can help with automating the non-admin changes once you know what they need to be.

    As for signing their code, it's LAZINESS! It's the same reason some don't test their code to work as non-admin. Intuit and PeachTree were HUGE non-admin offenders. A few years back both of them cleaned up their code. Why? I think they saw Vista and future Windows versions were going to break their software. So they bit the bullet and fixed it. So it can be done. But end users need to let software companies know they EXPECT to run their software as a non-admin user.

    Another point is avoiding rootkits. Microsoft's stance is that if you have, or suspect you have, a rootkit, you should format and reinstall the OS. Let me ask the obvious question. How would one get a rootkit without administrator rights? The answer is you shouldn't, assuming you've kept up to date with patching the OS.

    Remember, without administrator rights any malware can't add/remove/change services, add drivers, or add/replace files in the Windows or Program Files folders. Therefore any malware that does get on a system is very limited. Typically clearing the internet cache and temp folders and doing a reboot removes most of them.

    Matt

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex
  • TR,

    I viewed that same video last year and it made a night-and-day difference in my ability to deal with malware infections. Fantastic stuff, there.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: GreyDuck
  • Mark and his previous company Winternals made some great software. I really liked all the free utilities they provided via the Sysinternals site. I think he'll have a really strong influence in the Windows core (kernel) development process. I've read many of his blog entries. It's quite interesting stuff.

    Matt

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex