Orion
A comprehensive user guide for the standalone threat remediation script.
Thank you for choosing Orion Malware Cleaner. It's important to understand that this is
not an antivirus replacement with real-time protection. Instead, it is a powerful, on-demand threat investigation and remediation toolkit designed for knowledgeable users to hunt for and remove active and dormant threats.
This guide will walk you through the entire process, from launching the script to understanding its findings and taking action. The tool is designed to be powerful, but its effectiveness relies on informed decisions from you, the operator.
The Boring Stuff (EULA)
Use at Your Own Risk. This is a powerful tool that makes significant changes to your system, including deleting files and modifying the registry. By using this tool, you acknowledge that you are doing so at your own risk. The creators are not liable for any data loss, system instability, or other damages that may result from its use.
It is strongly recommended that you back up any critical data before running a scan and performing remediation.
- Step 1: Preparation & Execution
- Step 2: Choosing Your Scan Level
- Step 3: Deconstructing the Report
- Live Process Monitor
- Memory Anomaly Detections
- Live Network Connections
- Suspicious Files & Scripts
- Dual-Use & Remote Access Tools
- Suspicious Persistence Mechanisms
- Abused / Vulnerable Driver Detections
- Potentially Unwanted Programs (PUPs)
- System Tampering & Policy Changes
- CPR Toolbox (Clean, Repair, Optimize, Harden)
- System Information
- Step 4: The Remediation Workflow
- Step 5: Post-Remediation
Before you even think about running a scan, a few preparatory steps are essential for the best results.
Close All Applications! Before initiating a scan, save your work and close all open programs (web browsers, documents, games, etc.). This does two critical things:
1. It prevents applications from locking files that the script may need to scan or remove.
2. It gives the script a cleaner snapshot of your system's baseline activity, making it easier to spot anomalies.
Running as Administrator
The script needs deep access to the system to inspect processes, check system files, and modify the registry. It MUST be run with Administrator privileges.
Execution Policy Bypass (Crucial!)
Windows has a security feature called "Execution Policy" that prevents PowerShell scripts from running by default. To run Orion, you must bypass this policy for this single execution. This does not permanently change your system's security settings.
- Open the Start Menu and type PowerShell.
- Right-click on "Windows PowerShell" and select "Run as administrator".
- In the blue PowerShell window, first navigate to the directory where you saved the script. For example: cd C:\Users\YourUser\Desktop\Orion
- Now, execute the script using the bypass flag. Assuming your script is named sa.ps1, the command is:
PowerShell.exe -ExecutionPolicy Bypass -File .\sa.ps1
- Press Enter. The Orion menu should now appear.
Prerequisites & Automation
The script's capabilities are enhanced by two external tools. The script will automatically search for them in its `modules` subfolder and in common installation paths.
- 7-Zip: If 7-Zip is found, the script enables Quarantine mode. Instead of permanently deleting malicious files, it moves them into a password-protected zip archive. This is the safest option. Without 7-Zip, the script will fall back to permanent deletion.
- Sysinternals Handle: This utility allows the script to identify and terminate processes that have a "lock" on a malicious file, enabling its removal. Without it, some locked files might require a system reboot to be deleted.
Log & Quarantine Location
All operational output, detailed text logs, and quarantine archives are stored in a dedicated folder for easy review: C:\Users\YourUsername\Documents\Orion_Logs\
Orion offers three distinct scan levels, allowing you to tailor the depth and duration of the analysis to your needs. Before the menu appears, the script will quickly check the status of its Dynamic Cloud Intelligence (DCI) feeds and download updates if necessary.
[10] Gentle Scan
The fastest scan, designed to find
live, active threats. It's a quick health check on what's currently happening on your system.
- Scans running processes for anomalies.
- Inspects loaded modules (DLLs).
- Runs the live network monitor to watch for suspicious outbound connections.
[20] Elevated Scan
A more thorough investigation that includes everything from the Gentle scan, plus a hunt for
dormant or persistent threats.
- Scans high-risk folders (Downloads, Temp, etc.) for suspicious files.
- Checks for common persistence mechanisms (e.g., Run Keys, Scheduled Tasks) that malware uses to restart itself.
[30] Aggressive Scan
The most comprehensive analysis. This is a deep-dive that uses multiple engines to inspect every corner of the system for threats, policy violations, and unwanted software.
- Includes all previous checks.
- Activates the Multi-Engine Static Analysis to look *inside* files for malicious characteristics.
- Hunts for Potentially Unwanted Programs (PUPs), vulnerable drivers, and system tampering (e.g., disabled Task Manager).
After the scan, the HTML report is your command center. Findings are grouped into categories, presented as collapsible "accordions". Understanding what each category represents is crucial for accurate remediation.
Built-in Safety and Accuracy! Orion is designed to be both powerful and safe. It includes a
Stability Control System to prevent removal of critical Microsoft files, and a
Relationship Analysis Engine to intelligently reduce false positives on legitimate third-party software.
This is a snapshot of all processes running on your system at the time of the scan. It is provided for informational and investigative purposes, allowing you to see which processes have network connections, if they are digitally signed, and if they have a visible window.
This category flags suspicious behavior happening in your computer's memory
right now. These are active threats that require immediate attention.
What you'll find here:
LOLBin Abuse: "Living-off-the-Land Binaries" are legitimate Windows tools (like powershell.exe) being used maliciously. Orion detects this when they're launched by an unusual parent process (e.g., Word) or with suspicious command-line arguments.
Process Masquerading: A malicious process naming itself after a critical Windows process, like svchost.exe, but running from the wrong location (e.g., a Temp folder instead of C:\Windows\System32).
Process Injection: A legitimate process (like explorer.exe) has loaded an unsigned DLL from a suspicious, user-writable location. This is a classic malware hiding technique.
This accordion shows you which non-browser programs are communicating with the internet. It leverages both heuristics and
Dynamic Cloud Intelligence (DCI)—a live threat feed of known malicious IPs and domains—to spot hidden C2 channels.
What you'll find here:
Botnet/C2 Detections: High-confidence alerts where a connection matches an entry in the DCI database or a strong heuristic, like a process connecting to an abused service (Discord CDN, Pastebin, Ngrok), a high-entropy domain (suggesting DGA malware), or directly to an IP address without resolving a domain name.
Connection Info: Informational entries showing normal background activity. Review them for context, but they usually don't require action.
This section is about potentially malicious files lying dormant on your hard drive. These might be droppers, payloads, or malicious scripts waiting to be executed.
What you'll find here:
Static Analysis Detections: Files flagged by looking inside them for suspicious indicators: high entropy (packed/encrypted), missing or fake version information, anti-analysis strings (like `VMWare`), suspicious imported functions, and more.
Relationship Analysis: For files that look suspicious but have some legitimate properties, this engine provides a "Confidence" score. It checks for other signed files from the same software vendor nearby, helping to distinguish a legitimate installer component from a standalone threat.
Suspicious Scripts/LNK/PDF: Scripts (.js, .vbs) with heavy obfuscation, shortcut files (.lnk) that point to malicious commands, and PDFs with active content keywords are flagged here.
This category lists legitimate software that, while useful for IT professionals, is the primary tool used by attackers and tech support scammers to gain control of a victim's computer.
What you'll find here:
Programs like AnyDesk, TeamViewer, LogMeIn, etc. If you did not explicitly ask a known, trusted IT contact to install this,
it should be removed immediately.
Persistence is how malware survives a reboot. This category is one of the most critical, as it finds the hooks that malware embeds into the system to ensure it runs again every time you start your computer.
What you'll find here:
The script checks all the common hiding spots: Registry Run Keys, Scheduled Tasks, Windows Services, Startup Folders, and more. Finding an unsigned or strangely located program here confirms that the machine is compromised.
This category flags the presence of legitimate, signed kernel drivers that are known to contain vulnerabilities. Attackers can abuse these drivers to disable security software or load their own malicious code into the kernel.
What you'll find here:
The script maintains a list of known-vulnerable drivers (e.g., dbk64.sys, gmer.sys). Finding one of these on your system is a high-risk indicator. Unless you have a specific, known reason for having this driver, it should be removed.
PUPs are not viruses, but they are "junkware" that often comes bundled with other software. They can degrade performance, inject ads, and compromise your privacy.
What you'll find here:
Adware, browser toolbars, and "scareware" system cleaners. Generally, anything found here can be safely removed.
This section detects when malware has deliberately weakened your system's security settings to make its job easier or to prevent you from fighting back.
What you'll find here:
Common findings include the Task Manager being disabled, Windows Defender exclusions being added for the malware's folder, or the HOSTS file being modified to block you from accessing security websites.
This is a special category containing a suite of proactive tools for system maintenance, hardening, and optimization. These are optional actions you can take to improve your system's health and security posture.
Actions to remove clutter like temporary files, the Recycle Bin, and old Windows Update caches.
Tools to verify and repair the integrity of core system files using System File Checker (SFC) and DISM.
Actions to improve performance, like running drive optimizers (Defrag/TRIM) and managing startup programs.
Actions to reduce your system's "attack surface" by enabling advanced Windows Defender features (PUP Protection, ASR Rules) and blocking commonly abused tools from accessing the internet.
An informational section at the bottom of the report that provides a detailed summary of your computer's operating system, hardware, network configuration, and a list of all installed software for your reference.
Once you have reviewed the findings, you can instruct the script on what actions to take. This is a deliberate, two-step process to prevent accidental changes. Orion also includes several automated remediation enhancements.
Advanced Remediation Features
Chain Remediation: If you select a persistence item (like a Run Key), Orion automatically finds and selects the malicious file it points to for removal.
Correlational Cleanup: After removing a file, Orion scans the same folder for related malware artifacts (like `.dat` or `.zip` files) and removes them. It will also delete the parent folder if it's left empty.
Orphaned Shortcut Removal: Any shortcuts pointing to a file you've selected for remediation will also be automatically removed from the desktop and start menu.
Firewall Rules: In the details modal for any network detection, you have the option to create a Windows Firewall rule to block that specific process or destination IP address from making outbound connections.
- Select Items for RemediationIn the HTML report, go through each category and place a checkmark next to every item you wish to remove or fix. You can use the "select all" checkbox at the top of each table.
- Generate the Remediation FileAfter making your selections, click the orange Generate Remediation File button at the top of the report. This will download a JSON file (e.g., Orion_Remediation_List_....json) to your computer's Downloadsfolder. Do not change the name of this file.
- Confirm in PowerShellGo back to the PowerShell window where the script is waiting. It will now prompt you to "Press any key after you have generated the remediation file". Press any key.
- Execute RemediationThe script will automatically find the JSON file, read your selections, and begin taking action. You will see its progress in the PowerShell window as it quarantines files, removes registry keys, and creates firewall rules.
After the remediation actions are complete, the script will provide a final summary.
- Summary of Actions: A list of all actions taken will be displayed in the console.
- Quarantine Archive: If quarantine was enabled, it will tell you the path to the password-protected zip file. The password is always infected.
- Reboot Required: If the script was unable to remove a locked file, it will schedule it for deletion on the next reboot. If you see this message, it is critical that you restart your computer to complete the cleanup.
This concludes the manual. Stay vigilant, and happy hunting!
This is the Orion Manual, this is the link to it:
Trident submitted a new resource:
Orion Malware Cleaner - by Trident - Removes Active and Persistent Malware, and Restores Health
Orion Malware Cleaner uses signatureless technology and aggressive heuristics to eradicate active malware. It comes a script for maximum performance, and the recommended PowerShell version is 7.5.3 which is the latest stable at the moment. This version supports high-performance parallel scanning. The script is not packed as an executable as this will require digital signature and will create more than 20 times larger file.
To use Orion...
