Autoruns and VirusTotal

Published: 2015-07-17
Last Updated: 2015-07-19 08:31:57 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at autoruns.

Autoruns is another fine Sysinternals tool that comes with VirusTotal integration. If you are not familiar with autoruns, it scans all auto-starting locations in Windows and provides a comprehensive report. This gives you an overview of all programs that start automatically on the scanned Windows machine.

When you start autoruns it will start scanning the Windows machine. Wait for the scan to terminate, or abort it with the Escape key.

Go to the scan options:

And enable "Check VirusTotal.com":

With this option, autoruns will only submit hashes to VirusTotal. If a file is not known by VirusTotal, you won't have a score. But if you enable "Submit Unknown Images" too, then autoruns will submit (upload) files that are not in VirusTotal's database, and you will have a score after VirusTotal finishes scanning the file (this takes a couple of minutes).

You have to agree to VirusTotal's terms of use to enable this feature:

Hashes will be submitted:

And soon you'll have the VirusTotal scores for known entries:

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 comment(s)

Comments


Diary Archives