How to detect system changes / dropped files?

Solarquest

Dear All,

many users are now testing AVs and running malware.
As we know, AVs do what they can to detect the bad things happening on the device... most of them, most of the time, don't detect everything....

For a windows system:

- how do you detect system changes (registry, startup, DNS, settings etc.)?
- how do you detect if and where new files were dropped?



You can scan with another serious AV, use WinPatrol, Autoruns, check AppData (sub)folders for "new entries" (but how do you detect new files in a folder with hundreds of old files if, e.g., the creation date is "faked" by the malware?)... any other suggestions?

This could help many to double-check the effectiveness of the AV they use and, in general, to better check the system for unwanted changes.

Thank you
 
Personally, in my LabZero, I use these three tools:

-Regshot: to monitor registry changes. It is very easy to use; what interests us are the buttons on the right and the fields "Scan dir1" and "Destination Directory". The latter allows us to specify the directory in which to save its temporary files. To add a new directory (at the bottom of the list), just press the "..." button next to this field, find the directory and press OK to confirm. Alternatively, we can also do it manually by typing in the field, remembering, however, to separate the different directories with ";" (not after the last one, at the end of the field).
The buttons that interest us are "1st shot", "2nd shot", "compare" and "clear". The first two serve (as the name suggests) to "photograph" the system configuration at two successive stages. The third is used to compare the results with each other, then displays them in a text file. The fourth button "cleans up" the temporary files produced by Regshot during the "shot" phases.

-Moo0 File Monitor: an excellent tool to monitor your files in real time.
It is free software, also available in a portable version, which monitors changes to files and folders on all disks/partitions of your computer.
Once you start it, all modifications, deletions, creations or renames of a file or folder will be recorded. Clicking on one of the lines opens the folder that contains the selected file. Consider that the data flow could be considerable, and you can create a report file, for reference, in HTML format.

-Wireshark is a protocol analyzer or "packet sniffer" capable of analyzing the content of all data packets in transit on the active network interface. This program provides a detailed overview of everything that is happening on the local network, offering a graphical interface that is easy to use and easy to understand. Wireshark is able to identify the network protocols used for various types of communication and is therefore able to show the various encapsulations; I use it to find the malware's connections.

Of course you can try other tools, and here in Malware Analysis you can find my old threads about Regshot and Wireshark (look for them, because I'm a bit lazy :D).
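As an added example (my own, not code from anyone in this thread), a small Python script that does for the filesystem what Regshot's two shots do for the registry: hash every file under a directory, save that as the first shot, and compare it against a second shot taken later. Because it keys on content rather than timestamps, a file dropped with a back-dated creation date (the case Solarquest asks about above) still shows up as added, and a silently overwritten file shows up as modified. The directory, file names and sample bytes are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file under root (posix-style relative path) to [size, sha256].
    Timestamps are deliberately ignored: a dropper can back-date them, a hash it cannot fake."""
    root, snap = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                snap[p.relative_to(root).as_posix()] = [p.stat().st_size, file_digest(p)]
            except OSError:
                continue  # locked or vanished mid-walk: skip rather than abort the whole shot
    return snap

def diff(before, after):
    """Compare two shots the way Regshot does: what appeared, disappeared, or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def demo():
    """Constructed scenario: one pre-existing file, then a back-dated 'dropped' file and a tamper."""
    with tempfile.TemporaryDirectory() as d:
        root, shot1 = Path(d) / "target", Path(d) / "shot1.json"
        root.mkdir()
        (root / "old.txt").write_text("existing")
        shot1.write_text(json.dumps(snapshot(root)))  # 1st shot, saved so it survives a reboot
        dropped = root / "sub" / "dropped.dll"
        dropped.parent.mkdir()
        dropped.write_bytes(b"MZ" + b"\x00" * 16)    # constructed sample bytes, not a real binary
        os.utime(dropped, (1262304000, 1262304000))  # back-date to 2010, as a dropper might
        (root / "old.txt").write_text("tampered")
        return diff(json.loads(shot1.read_text()), snapshot(root))
```

On a real machine, point snapshot() at the user's AppData and ProgramData trees before running the sample and again afterwards; the compare is slow on hundreds of thousands of files, so narrow the root rather than hashing a whole drive.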
 
Process Hacker can notify you of service changes, which will pop up in the notification bar.

Many file monitors are available on the internet that include a notification feature for every operation that happens on your system.

GlassWire also has the ability to notify you of some changes, besides when an application connects to the internet for the first time.
 
Thank you for this information!

I found your informative articles!

Malware Analysis Report #1

Introduction to Wireshark protocol analyzer

Some tips for Malware Analysis Lab

Thanks :)