RunScanner - What is it?

Security and insecurity. Viruses, Trojans, Spyware, Vulnerabilities etc. ...

Moderator: Moderators

Forum rules
Assiste.com has suspended malware-removal assistance after almost 15 years, first on the old forum and then on this one. See:

Decontamination procedure 1 - Anti-malware
Decontamination procedure 2 - Anti-malware and antivirus (La Manip - standard decontamination procedure)
Periodic maintenance of a Windows PC
Protecting the browser, browsing and privacy

Post by pierre » 17 Mar 2007, 13:22

Sorry, I wrote this paper in English to share it with other English-speaking forums.
I will do a French version for the fact sheet on the site.
Currently beta - testing only!
________________________________________________________________________

This paper is for cross-referencing our evaluations and others' observations, remarks and warnings where necessary.

We, at Assiste.com, have been observing and evaluating for one month the various test versions of a new piece of software which appears very promising.

RunScanner
A new tool to analyze all autostart locations
A replacement for HijackThis / Autoruns...
State: beta
RunScanner is compatible with these versions of Windows:
All versions of Windows beginning at Windows 2000

What does it do?
  • Do a log of (at that time) 73 autostart locations
  • Do an online analysis of the log
  • Very easy to read and comfortable
  • Ability to fix
  • Use hashes (i.e. official ones from Microsoft and an internal DB)
  • And the best for us (helpers and experts):
    • A user can save the .run file
    • A user can send the .run file to an expert (we can receive a .run file)
    • We can analyze the .run file with RunScanner
    • We can mark items that need fixing
    • We can send the .run file back to the user with items marked
    • The user re-opens the .run file with his RunScanner and fixes what we checked

Miscellaneous
  • Check to see if user has administrator rights
  • Lookup at google.com to maingrid
  • Process killer: Start explorer (if all your explorers are killed)
  • Kill process popup menu
    • Kill and rename of process
    • Kill and delete of process
    • Delete at next reboot of process file
    • Copy to clipboard
    • Open location
    • Show file properties
  • Many ways for marking of items (space, double-click, popup menu)
  • Whitelist
  • Importing of .run files directly from internet links
  • Possibility to save text .log files (to post in forums, ...)
  • Service information (enabled, disabled, automatic)
  • Driver information (kernel, IO, enabled, disabled, automatic)
  • Username/Domain in the process killer list
  • Regedit jump jumps to values
Currently scanned items
    000 General info (items in the header of the log):
      • RunScanner version
      • Time of scan
      • Type of scan (full, quick)
      • Product name
      • Service Pack
      • Version / Build
      • Language
      • Internet Explorer version
      • Windir
    001 Running processes
    002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
    003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
    004 current user startup
    005 common startup
    006 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    007 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    008 .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
    010 installed services
    011 installed drivers
    030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
    031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
    032 HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
    033 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    034 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
    037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    038 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
    041 HKLM\Software\Microsoft\Internet Explorer\Toolbar
    041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
    042 HKLM\Software\Microsoft\Internet Explorer\Extensions
    043 HKCU\Software\Microsoft\Internet Explorer\Extensions
    044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    047 Trusted zones Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
    048 ESC Trusted zones Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains
    050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
    063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
    065 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\<Current_Protocol_Catalog>
    069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
    070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    071 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
    072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
    073 %windir%\Tasks
    074 %windir%\System32\Tasks
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch
    100 Internet Explorer settings: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer
    100 Internet Explorer settings: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer
    100 Internet Explorer settings: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride
    100 Internet Explorer settings: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyOverride
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Explorer\SearchUrl, (default) - "SearchUrl HKCU"
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Explorer\SearchUrl, (default) - "SearchUrl HKLM"
    100 Internet Explorer settings: HKCU\Software\Microsoft\Internet Connection Wizard, ShellNext
    100 Internet Explorer settings: HKLM\Software\Microsoft\Internet Connection Wizard, ShellNext
    102 HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
    102 HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
    104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
    106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
    107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\<Current_NameSpace_Catalog>
    120 Domain/DNS hijacking: SYSTEM\CurrentControlSet\Services\VXD\MSTCP, Domain
    120 Domain/DNS hijacking: SYSTEM\CurrentControlSet\Services\VXD\MSTCP, NameServer
    120 Domain/DNS hijacking: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, Domain
    120 Domain/DNS hijacking: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, NameServer
    120 Domain/DNS hijacking: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, SearchList
    120 Domain/DNS hijacking: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName
    120 Domain/DNS hijacking: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
    121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    122 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    135 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
    136 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
    137 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
    138 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
    139 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    140 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    145 HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
    146 HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
    147 HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
    148 HKLM\System\CurrentControlSet\Control\WOW\cmdline
    149 HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    150 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    151 HKLM\Software\Microsoft\Command Processor\Autorun
    152 HKCU\Software\Microsoft\Command Processor\Autorun
    160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
    166 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
    167 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
    170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
    172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
    173 HKCR\*\shellex\ContextMenuHandlers
    174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
    180 FileType hijacking: HKEY_CLASSES_ROOT, .bat
    180 FileType hijacking: HKEY_CLASSES_ROOT, .cmd
    180 FileType hijacking: HKEY_CLASSES_ROOT, .com
    180 FileType hijacking: HKEY_CLASSES_ROOT, .exe
    180 FileType hijacking: HKEY_CLASSES_ROOT, .hta
    180 FileType hijacking: HKEY_CLASSES_ROOT, .pif
    180 FileType hijacking: HKEY_CLASSES_ROOT, .scr
    180 FileType hijacking: HKEY_CLASSES_ROOT, batfile
    180 FileType hijacking: HKEY_CLASSES_ROOT, cmdfile
    180 FileType hijacking: HKEY_CLASSES_ROOT, comfile
    180 FileType hijacking: HKEY_CLASSES_ROOT, exefile
    180 FileType hijacking: HKEY_CLASSES_ROOT, htafile
    180 FileType hijacking: HKEY_CLASSES_ROOT, piffile
    180 FileType hijacking: HKEY_CLASSES_ROOT, scrfile
    180 FileType hijacking: HKEY_CURRENT_USER, .bat
    180 FileType hijacking: HKEY_CURRENT_USER, .cmd
    180 FileType hijacking: HKEY_CURRENT_USER, .com
    180 FileType hijacking: HKEY_CURRENT_USER, .exe
    180 FileType hijacking: HKEY_CURRENT_USER, .hta
    180 FileType hijacking: HKEY_CURRENT_USER, .pif
    180 FileType hijacking: HKEY_CURRENT_USER, .scr
    180 FileType hijacking: HKEY_CURRENT_USER, batfile
    180 FileType hijacking: HKEY_CURRENT_USER, cmdfile
    180 FileType hijacking: HKEY_CURRENT_USER, comfile
    180 FileType hijacking: HKEY_CURRENT_USER, exefile
    180 FileType hijacking: HKEY_CURRENT_USER, htafile
    180 FileType hijacking: HKEY_CURRENT_USER, piffile
    180 FileType hijacking: HKEY_CURRENT_USER, scrfile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .bat
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .cmd
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .com
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .exe
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .hta
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .pif
    180 FileType hijacking: HKEY_LOCAL_MACHINE, .scr
    180 FileType hijacking: HKEY_LOCAL_MACHINE, batfile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, cmdfile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, comfile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, exefile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, htafile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, piffile
    180 FileType hijacking: HKEY_LOCAL_MACHINE, scrfile

Example of an online analysis
http://www.runscanner.net/report.aspx?repo...33-b8e3d15e9a7b

Example of the (future) rating of the files - we can see the template of those pages
http://www.runscanner.net/getmd5.aspx?md5=...ess=svchost.exe

Reading the log
  • State icons - far left column
    • Driver or service starts up automatically
    • Driver or service starts up manually
    • Driver or service is disabled
    • IO driver
    • Kernel driver
  • Shield icons - second column
    • Certified with an MD5 - the signature of this file is verified (it is from a trusted source and signed by Verisign, ...).
    • No wintrust signature - the file is not signed (this does not mean that the file is malware). (This function is built into Windows, "wintrust.dll" - a Redmond signature may be trusted - using a database of certainly clean system files significantly reduces the number of objects that have to be analyzed by hand.)
    • When hashes are rated, there will be a red shield for parasites. The MD5 hash is used to store the file in the online database. As soon as the final version is ready there will be a rating of the files on the website. At this moment, the rating of processes begins.
Dream of the day
The good thing would be for RunScanner to act as a front end for DBs like
  • Castlecops
    http://hashes.castlecops.com/Hashes.html (31 743 604 file hash entries including parasites (this is what we are looking for))
  • File Advisor File Identification
    http://www.bit9.com/index.php (2 054 736 194 file hash entries without parasites (!))
  • Or rebuild, internally, a similar DB
  • Or work with a distributed DB (RunScanner + Castlecops + File Advisor + Microsoft + other software publishers offering such a DB)
I do believe in this tool
(and, if Trend does the same with HijackThis as they did with CWShredder...)

Needs beta testing and upload of logs to feed the DB
If many people do an online analysis, it will grow rapidly.

HowTo
Download > Unzip > Run (no install) > Do a "Full Scan" (Not a "Quick Scan") > Do an « Online Analysis »

Links
Last edited by pierre on 04 Oct 2007, 01:20, edited 1 time.
__________________
Pierre (aka Terdef)
Call for donations - The site needs your help

How do I get caught/infected? - Protect the browser, browsing and privacy - Block advertising and tracking on the Web
Speed up Windows - Speed up the Internet - Decontamination - Install Malwarebytes - Help forums

No troubleshooting request sent by PM (private message) will be answered. Requests must be public and the answers must benefit the public.
pierre
Messages: 24944
Joined: 20 May 2002, 23:01
Location: Here and now
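An added example (not RunScanner's or Assiste.com's code) that inspects a handful of the listed locations using the same two signals the log's shields summarise: the MD5 of the launched file and its wintrust (Authenticode) signature status. The item numbers in the comments refer to the list above; the command-line parsing is a deliberate simplification (unquoted paths containing spaces are not handled), and HKLM entries need an elevated shell.

```powershell
# Added example, not part of RunScanner: enumerate a subset of the autostart keys listed
# above, resolve the launched image, hash it and check its Authenticode signature.
$Autostart = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Values = '*' },              # 002
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Values = '*' },              # 003
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Values = '*' },              # 136
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Values = '*' },              # 135
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = 'Userinit','Shell' }, # 033/034
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Values = 'AppInit_DLLs' }     # 121
)

function Get-ImagePath {
    # Extract the executable/DLL from a command line: "C:\p\a.exe" /x, C:\p\a.exe /x, or a bare name.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')                        { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+\.(exe|dll|scr|cmd|bat))') { $path = $Matches[1] }
    else                                                        { $path = ($Command.Trim() -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names such as userinit.exe or explorer.exe are loaded from the system directory
        $sys = Join-Path $env:SystemRoot "System32\$path"
        if (Test-Path -LiteralPath $sys) { $path = $sys }
    }
    return $path
}

function Get-AutostartReport {
    foreach ($entry in $Autostart) {
        if (-not (Test-Path -LiteralPath $entry.Key)) { continue }
        $props = Get-ItemProperty -LiteralPath $entry.Key
        $names = if ($entry.Values -eq '*') {
            $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }   # drop PSPath, PSDrive, ...
        } else { $entry.Values }
        foreach ($name in $names) {
            $raw = [string]$props.$name
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Userinit, Shell and AppInit_DLLs are comma-separated lists; a Run value holds one command
            $commands = if ($entry.Values -eq '*') { @($raw) } else { $raw -split ',' | Where-Object { $_.Trim() } }
            foreach ($cmd in $commands) {
                $image  = Get-ImagePath $cmd
                $exists = Test-Path -LiteralPath $image -PathType Leaf
                $md5    = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm MD5).Hash } else { '' }
                $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $image } else { $null }
                $status = if ($sig) { [string]$sig.Status } else { 'FileMissing' }   # Valid, NotSigned, HashMismatch, ...
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{ Key = $entry.Key; Value = $name; Image = $image; MD5 = $md5; Status = $status; Signer = $signer }
            }
        }
    }
}

# Entries that are not validly signed, or whose file is gone, are what a helper reviews first
Get-AutostartReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```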

Post by pierre » 19 Mar 2007, 11:11

Hello,

I asked Geert a few questions: Answers

Pierre wrote: Let's talk about new database entries!
That's the most important.
Who rates them?
How long should it take?
A Redmond signature may be trusted - using a database of certainly clean system files significantly reduces the number of objects that have to be hand-analyzed, but what about the other ones?


Geert wrote: - 90% can be done by machine (signed Microsoft, ATI, NVIDIA, ... files)
- Some items can be whitelisted statistically (if I have 10000 online reports and 9000 have acrobat.exe from Adobe, it's probably safe)
- Rating can be done with a lookup in other online MD5 databases (File Advisor, Castlecops, ...)
- In the next version you will be able to rate/report an item and add your comments. This will be posted in the central database for inspection by "professionals"
- You will be able to rate the files from the website (protected by captcha and stored in a temporary table for inspection by "professionals")
- It would also be great if you could save your own comments inside the .run file.


Geert shows his internal tool for qualifying the objects identified by their MD5.
CC stands for the Castlecops database
FA stands for the File Advisor database
Geert wrote: [screenshot]


Also:

Pierre wrote: Who will constitute this "college" of professionals (experts)?


Geert wrote: Haven't really thought of this yet.


Also:

Pierre wrote: What is the retention time of a log on the RunScanner server?
What is the policy about confidentiality and privacy on the site and in the software (a log exposes part of our privacy publicly)? Same problem as with HJT, but centralized on one server.


Geert wrote: Time of log = I was thinking of 30 days (depending on the future load of the server and the popularity of RunScanner)
30 days should be enough to solve a computer problem.

Afterwards I'll make a summary table with 3 fields:
ITEMID & MD5hash & Count

This is good for the rating of processes: you can see how many PCs have a certain file installed (if it's from a trusted publisher, even better).

Before you do an online analysis, there is a warning screen which states that you are uploading to the internet; you can choose "Show report" or "Cancel" (which is more than I can say for Trend Micro HijackThis 2.0).

The report is only visible to other users if they know the correct report URL.

As with HijackThis, it's your choice to post your log on a forum; the program doesn't trick you into doing it.


See you

