Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Autoruns and VirusTotal - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Autoruns and VirusTotal

Continuing my diary entries on Sysinternals tools with VirusTotal support, I'm taking a look at autoruns.

Autoruns is another fine Sysinternals tool that comes with VirusTotal integration. If you are not familiar with autoruns, it scans all auto-starting locations in Windows and provides a comprehensive report. This gives you an overview of all programs that start automatically on the scanned Windows machine.

When you start autoruns it will start scanning the Windows machine. Wait for the scan to terminate, or abort it with the Escape key.

Go to the scan options:

And enable "Check VirusTotal.com":

With this option, autoruns will only submit hashes to VirusTotal. If a file is not known by VirusTotal, you won't have a score. But if you enable "Submit Unknown Images" too, then autoruns will submit (upload) files that are not in VirusTotal's database, and you will have a score after VirusTotal finishes scanning the file (this takes a couple of minutes).

You have to agree to VirusTotal's terms of use to enable this feature:

Hashes will be submitted:

And soon you'll have the VirusTotal scores for known entries:

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

337 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!