How to detect system changes/ dropped files?

Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Dear All,

many users are now testing AV and running malware.
As we know, AV do what they can in detecting what bad happens on the device...most of them and most of the time they don't detect all....

For a windows system:

-how do you detect system changes (registry, startup, DNS, settings etc)?
-how do you detect if and where new files were dropped?



You can scan with other serious AV, use Winpatrol, autoruns, check appdata (sub) folders for "new entries" (but how to detect new files in a folder with hundreds of old files if e.g the creation date is "faked" by the malware?)...any other suggestion?

This could help many to double check the effectiveness of the used AV and, in general, to help to better check the system for unwanted changes.

Thank you
 
  • Like
Reactions: askmark, Venustus, shukla44 and 5 others
L

LabZero

Personally in my LabZero I use this three tools:

-Regshot: to monitor registry changes, it is very easy to use, what interests us are the right buttons and fields "Scan dir1"and" Destination Directory ". The latter allows us to specify the directory to save its temporary files. To add a new directory (at the bottom of the list), just press the button "..." next to this field, search the directory and press OK to confirm. Alternatively, we can also do it manually by writing down the field, reminding us, however, to separate the different directories with ";" (not to put after the last, at the bottom of the field).
The buttons that interest us are the "1st", "2nd shot shot", "compare", "clear". The first two serve (as the name suggests) to "photograph" the system configuration in two successive stages. The third is used to compare between them that results, then displays them in a text file. The fourth button makes a "cleansing" of temporary files yielded by Regshot during the phases of "shot".

-MooO File Monitor: excellent tool to monitor your files in real time.
It is free software, also available in portable version, which monitors changes to files and folders on all disks/partitions of your computer.
Once you start it, all modifications, deletions, creations or changes the name of a file or a folder, will be recorded. By clicking on one of the lines will open the folder that contains the file you selected. Considers that data flows could be remarkable and you can create a report file, by reference, in Html format.

-Wireshark is a protocol analyzer software or "packet sniffer" capable of analyzing the content of all data packets in transit on active network interface. This program provides a detailed overview of everything that is happening on the local network by offering an easy to use graphical interface and easy to understand. Wireshark is able to locate the network protocols used for various types of communication and is therefore able to show various encapsulations, I use it to find the connections of the malware.

Of course you can try other tools and here in Malware analysis, you can find my old threads about Regshot and Wireshark (find them because I'm a bit lazy :D).
 
  • Like
Reactions: askmark, porkpiehat, Rishi and 3 others
jamescv7

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Process Hacker can notify you on the services change which will popup on he notification bar.

Many file monitor are available in the internet which contains notification feature from every operation happen to your system.

Glasswire as also the ability to notify some changes too besides on an application connect in the internet for the first time.
 
  • Like
Reactions: askmark, porkpiehat and Der.Reisende
Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Klipsh said:
Personally in my LabZero I use this three tools:

-Regshot: to monitor registry changes, it is very easy to use, what interests us are the right buttons and fields "Scan dir1"and" Destination Directory ". The latter allows us to specify the directory to save its temporary files. To add a new directory (at the bottom of the list), just press the button "..." next to this field, search the directory and press OK to confirm. Alternatively, we can also do it manually by writing down the field, reminding us, however, to separate the different directories with ";" (not to put after the last, at the bottom of the field).
The buttons that interest us are the "1st", "2nd shot shot", "compare", "clear". The first two serve (as the name suggests) to "photograph" the system configuration in two successive stages. The third is used to compare between them that results, then displays them in a text file. The fourth button makes a "cleansing" of temporary files yielded by Regshot during the phases of "shot".

-MooO File Monitor: excellent tool to monitor your files in real time.
It is free software, also available in portable version, which monitors changes to files and folders on all disks/partitions of your computer.
Once you start it, all modifications, deletions, creations or changes the name of a file or a folder, will be recorded. By clicking on one of the lines will open the folder that contains the file you selected. Considers that data flows could be remarkable and you can create a report file, by reference, in Html format.

-Wireshark is a protocol analyzer software or "packet sniffer" capable of analyzing the content of all data packets in transit on active network interface. This program provides a detailed overview of everything that is happening on the local network by offering an easy to use graphical interface and easy to understand. Wireshark is able to locate the network protocols used for various types of communication and is therefore able to show various encapsulations, I use it to find the connections of the malware.

Of course you can try other tools and here in Malware analysis, you can find my old threads about Regshot and Wireshark (find them because I'm a bit lazy :D).
Click to expand...

Thank you for these informations!

I found your informative articles!

Malware Analysis Report #1

Introduction to Wireshark protocol analyzer

Some tips for Malware Analysis Lab

Thanks :)
 
  • Like
Reactions: askmark, LabZero, Der.Reisende and 1 other person
You must log in or register to reply here.

Similar threads

anirbandutta01
    • Like
  • Locked
Question Maximum antivirus detects it but Kaspersky not
Replies
15
Views
680
Kaspersky
harlan4096
harlan4096
R
My computer is being hacked and remotely access and no one can detect it
Replies
3
Views
778
Windows Malware Removal Help & Support
nasdaq
nasdaq
BigWrench
    • Like
Unlimited Giveaway Wise Care 365 PRO - free license version 7.0.9.691 (fresh update)
Replies
5
Views
1,038
Giveaways, Promotions and Contests
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top