
SANS ISC: Process Explorer and VirusTotal - SANS Internet Storm Center SANS ISC InfoSec Forums


Process Explorer and VirusTotal

About a year ago, Rob had a diary entry about checking a file from Process Explorer with VirusTotal.

Did you know you can have all EXEs of running processes scanned with VirusTotal?

In Process Explorer, add the VirusTotal column:

Enable VirusTotal checks:

And accept the VirusTotal terms:

(update: as you can see, by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file).

And now you can see the VirusTotal scores:

Process Explorer is not the only Sysinternals tool that comes with VirusTotal support. I'll showcase more tools in upcoming diary entries.

Sysinternals: http://technet.microsoft.com/en-us/sysinternals

VirusTotal: https://www.virustotal.com/

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

393 Posts
ISC Handler
If you don't have direct access to the internet, you'll need to specify a proxy. Unfortunately, it won't take IE's proxy setting; you'll need to set it via netsh:

Back up your settings:
netsh winhttp show proxy

Set the proxy:
netsh winhttp set proxy <ip addr>:<port>

Don't forget to reset your proxy settings when you are done:
netsh winhttp reset proxy (or the appropriate command from your backup)
Ed

4 Posts
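
The backup / set / reset sequence from the comment above, wrapped in one PowerShell script so that the previous WinHTTP setting is restored even if the session is interrupted. This is an added example, not part of the original thread; the proxy address is a constructed placeholder, the function names are hypothetical, and the parser assumes English netsh output.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# The default $ProxyServer is a constructed placeholder (<ip addr>:<port>).
param([string]$ProxyServer = '192.0.2.10:8080')

# Parse the text printed by "netsh winhttp show proxy" (English output assumed).
function Get-WinHttpProxy {
    param([string[]]$NetshOutput)
    $state = [ordered]@{ Direct = $true; Server = $null; Bypass = $null }
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Proxy Server\(s\)\s*:\s*(.+?)\s*$') {
            $state.Direct = $false
            $state.Server = $Matches[1]
        }
        elseif ($line -match '^\s*Bypass List\s*:\s*(.+?)\s*$' -and $Matches[1] -ne '(none)') {
            $state.Bypass = $Matches[1]
        }
    }
    [pscustomobject]$state
}

# Put back exactly what was saved: direct access, or proxy plus bypass list.
function Restore-WinHttpProxy {
    param($Saved)
    if ($Saved.Direct) {
        netsh winhttp reset proxy | Out-Null
    }
    else {
        $netshArgs = @('winhttp', 'set', 'proxy', "proxy-server=$($Saved.Server)")
        if ($Saved.Bypass) { $netshArgs += "bypass-list=$($Saved.Bypass)" }
        netsh @netshArgs | Out-Null
    }
}

$saved = Get-WinHttpProxy -NetshOutput (netsh winhttp show proxy)
try {
    netsh winhttp set proxy $ProxyServer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh did not set the proxy (is the prompt elevated?)' }
    [void](Read-Host "WinHTTP proxy is $ProxyServer. Run the VirusTotal checks, then press Enter")
}
finally {
    # Runs on normal exit, on error and on Ctrl+C, so the change is not left behind.
    Restore-WinHttpProxy -Saved $saved
    netsh winhttp show proxy
}
```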
Thanks Didier. I have been trying to find a way to make the autorunsc program work through our proxy. However, when I set the WinHTTP proxy, the autorunsc program does not seem to use it (still attempts to go direct which fails). Have you or anyone else here found a solution?

Derek
@dsplice
dsplice

9 Posts
