Dulan Security Config

Status
Not open for further replies.

Dulan

Thread author
Jun 15, 2017
Hi,

I would like to get some information from you guys regarding malware analysis. I'm still a newbie at it. At this moment I'm only looking to identify the changes that the malware makes to a system without going into the code level. I use the following monitoring tools.

- Process Explorer
- Autoruns
- Process Monitor
- Windows inspection tool set.

I would like to get any recommendation for a registry monitoring tool which can actually track all the registry changes made by the malware process. I tried Regmon but it's quite difficult to isolate only the registry changes made by the malware. Also I would like to know a good tool to identify the exact TCP connections the malware process makes to the outside. A good file monitoring tool might be helpful as well.

In the meantime I'm going through the threads and checking out the tools you guys are using.

Any help here would be much appreciated.
 
I do agree with you but I believe Veeam is not free. I think I can easily use Windows Backup and do a bare-metal backup. But if Veeam is free that would be awesome as it is one of the best backups in the market.
 
As for a registry monitoring tool, I suggest RegShot; I used it and I can say that it is a good solution.

From Softpedia:

"RegShot is a handy little tool that enables you to view the exact changes made in the Windows registry entries, by taking snapshots at different moments and comparing the “before” and “after” registry log files."

RegShot Download
 
Just use Macrium Free, reliable and free for you to use. ;)

Thanks for sharing your config. :)
 

Hi Winter Soldier,

Is there a way that you can use it to monitor changes made only by a specific process or application? The before and after snapshots include so many details, and at this moment I'm not good at identifying what I really want.
My actual requirement is to identify all the registry changes done by a specific malware, and I don't want to have that mixed with other processes' registry changes. I'm still a newbie at this, forgive me if it sounds stupid. Thanks.
 
I got your point and with the obvious limitations RegShot can be a good point of reference.
Just close all the possible active applications that could write to the registry, do a snap before, then start the malware and do a snap after that.
Reading the log you should find the changes made by the malware with a good approximation.
 
Other than the mentioned system backup being needed, looks good to me, nothing to add.

p.s.
Regshot is your best bet for taking a snapshot of registry changes when running malware.

- Drop Regshot and the malware pack onto the system, take a snapshot
- Take a snapshot with Regshot, execute one sample while recording the changes, take the second snapshot with Regshot to compare
- Reset the guest machine's snapshot and start the process over with the next sample in line

Effectively, testing one sample at a time and resetting the snapshot each time will give you less to dig through when comparing the initial snapshot and the secondary one.
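The snapshot-and-compare workflow described in this post and in Winter Soldier's reply above, as an added example that is not RegShot's code or anything posted in this thread: the snapshot format, the winreg walker and the ignore-prefix noise filter are all assumptions, and the BEFORE/AFTER dictionaries are constructed stand-ins for a real capture.

```python
# Added example (not RegShot's own code): a RegShot-style before/after registry snapshot diff.
# Assumed snapshot format: {key_path: {value_name: data}}. On Windows, snapshot() fills it from
# a live hive via winreg; the constructed BEFORE/AFTER samples below stand in for a real capture.
import itertools

def snapshot(root_name, subkey=""):
    """Recursively walk one HKEY into {key_path: {value_name: data}} (Windows only)."""
    import winreg  # stdlib but only importable on Windows, hence the lazy import
    root, out = getattr(winreg, root_name), {}
    def enum(key, fn):  # yield fn(key, 0), fn(key, 1), ... until winreg raises OSError
        for i in itertools.count():
            try:
                yield fn(key, i)
            except OSError:
                return
    def walk(path):
        try:
            key = winreg.OpenKey(root, path)
        except OSError:
            return  # inaccessible key: simply absent from the snapshot
        with key:
            full = root_name + ("\\" + path if path else "")
            out[full] = {name: data for name, data, _ in enum(key, winreg.EnumValue)}
            for sub in list(enum(key, winreg.EnumKey)):
                walk(path + "\\" + sub if path else sub)
    walk(subkey)
    return out

def diff(before, after, ignore_prefixes=()):
    """Compare two snapshots; keys under ignore_prefixes (known-noisy paths) are skipped."""
    keep = lambda s: {k: v for k, v in s.items() if not k.startswith(tuple(ignore_prefixes))}
    b, a = keep(before), keep(after)
    rep = {"keys_added": sorted(a.keys() - b.keys()), "keys_deleted": sorted(b.keys() - a.keys()),
           "values_added": [], "values_deleted": [], "values_modified": []}
    for k in sorted(a):
        old = b.get(k, {})  # values inside a brand-new key count as added, as in RegShot
        rep["values_added"] += [(k, n, a[k][n]) for n in sorted(a[k].keys() - old.keys())]
        rep["values_modified"] += [(k, n, old[n], a[k][n])
                                   for n in sorted(a[k].keys() & old.keys()) if old[n] != a[k][n]]
    for k in sorted(b):
        rep["values_deleted"] += [(k, n, b[k][n]) for n in sorted(b[k].keys() - a.get(k, {}).keys())]
    return rep

# Constructed sample snapshots (not a real capture) modelling one sample run in a clean VM.
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RECENT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
BEFORE = {RUN: {"OneDrive": r"C:\Users\lab\OneDrive.exe"}, RECENT: {"MRUListEx": b"\xff"}}
AFTER = {RUN: {"OneDrive": r"C:\Users\lab\OneDrive.exe", "Updater": r"C:\Users\lab\sample.exe"},
         RECENT: {"MRUListEx": b"\x00\xff"}, r"HKEY_CURRENT_USER\Software\sample": {"id": "x"}}

def run_sample():  # diff the constructed snapshots, treating RecentDocs as shell noise
    return diff(BEFORE, AFTER, ignore_prefixes=(RECENT,))
```

Without the ignore list the same compare also reports the Explorer MRU churn, which is the kind of unrelated detail the thread is trying to filter out.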
 
No Backup - No Luck!

You need to back up your system, and I can see wanting to keep costs down. Disk imagers require storage media of some sort, and there's the added pressure of not knowing how big your disk images will be.

Recommend Rollback Rx Home. It's free, which I'm sure you'll like. It's limited compared to the paid version but it will do the job. You can always grab Rollback Pro and Drive Cloner when you can for added coverage, but that's a personal preference.
 