Virus Hunting without AntiVirus from PC

Sajid Kiani
5 min read · Dec 3, 2020

An antivirus is essential software on a Windows machine, and most of us rely on it heavily. The purpose of AV is to detect known viruses and malware on the system. Which AV is best is not the subject of this article; how we can detect malware without AV is.

This is not advanced-level hunting, but it will help you clean known malware that your AV missed from your system. We will use the Windows Sysinternals toolset for this, which Microsoft provides completely free of charge.

What is the Windows Sysinternals toolset?

Windows Sysinternals is a suite of more than 70 freeware utilities, initially developed by Mark Russinovich and Bryce Cogswell, that is used to monitor, manage and troubleshoot the Windows operating system. Microsoft now owns the suite and hosts it on its TechNet site.

We will use two utilities of Sysinternals in this hunting.

1: Process Explorer (procexp.exe in the suite)

2: Autoruns (autoruns.exe in the suite)

Process Explorer

Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals, which was acquired by Microsoft and rebranded as Windows Sysinternals. It is sometimes called the advanced Task Manager. The tool is used to inspect all processes currently running in memory; in the screenshot below, you can see the processes running on my system.

For each running process, the tool shows its name (Process), process id (PID), CPU usage (CPU), and the company name of its publisher.

Step 1:

In the first step, after running procexp.exe, we will validate the signatures of all running processes. In the menu bar, choose Options > Verify Image Signatures.

This starts verifying the running processes and displays the result in a new Verified Signer column (as per the screenshot below).

Signature verification lets us confirm the signature of every running process and spot any application whose signature could not be verified.

Step 2:

Now we will check the hashes of all our running processes on VirusTotal.

VirusTotal is a Google product. It is an online service that analyzes files and URLs, enabling the detection of viruses, worms, trojans and other kinds of malicious content using antivirus engines and website scanners. It can also be used to identify false positives.

From the procexp.exe menu bar, choose Options > VirusTotal.com > Check VirusTotal.com. This checks the hashes of all running processes on VT and shows the score in the VirusTotal column.

The score means how many antivirus engines detect the file as malware.

In the current state, the VT score is 0/76; this means the file hash was checked against 76 AV engines and none of them detected the file as malicious.

So far we have validated the signature and VirusTotal result of every running process. This helps us identify any active suspicious program or process on the system.

Sometimes you will find Unknown in the VT column; this means the hash was not found in the VT database. In this scenario, choose the option Submit Unknown Executables as per the image below.
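Steps 1 and 2 can also be reproduced from an elevated PowerShell prompt, as an added example that is not part of the original article and does not replace Process Explorer: it records each running process's Authenticode signature status and SHA-256 hash, lists the ones that are not verified, and writes the full report to a CSV so the hashes can be searched on VirusTotal. The output path and column names are my own choices.

```powershell
# Added example (not from the article): signature status and SHA-256 hash of
# every running process image, mirroring Steps 1 and 2 of the hunt.
# Run from an elevated PowerShell prompt so that the image paths are readable.

$hashCache = @{}   # path -> signature/hash record, so each image is read once

$report = foreach ($proc in Get-Process) {
    $path = $proc.Path
    if (-not $path) {
        # Protected or system processes expose no image path; report them as n/a
        [pscustomobject]@{ Process = $proc.ProcessName; ProcessId = $proc.Id
                           Signature = 'n/a'; Signer = ''; SHA256 = 'n/a'; Path = '' }
        continue
    }
    if (-not $hashCache.ContainsKey($path)) {
        try {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $hashCache[$path] = @{ Signature = $sig.Status.ToString(); Signer = $signer; SHA256 = $hash }
        } catch {
            $hashCache[$path] = @{ Signature = 'n/a'; Signer = ''; SHA256 = 'n/a' }
        }
    }
    $rec = $hashCache[$path]
    [pscustomobject]@{ Process = $proc.ProcessName; ProcessId = $proc.Id
                       Signature = $rec.Signature; Signer = $rec.Signer
                       SHA256 = $rec.SHA256; Path = $path }
}

# Caveat: files signed only through a Windows security catalog (many OS
# binaries) can show NotSigned depending on the PowerShell version, whereas
# Process Explorer verifies catalog signatures too. Treat a non-Valid status as
# "needs a look", not as a verdict.
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Process, ProcessId, Signature, SHA256, Path -AutoSize

# Full record of what was running; the SHA256 column is what you search on VT
$outFile = Join-Path $env:USERPROFILE 'Desktop\running-processes.csv'   # assumed path
$report | Sort-Object Signature, Process | Export-Csv -Path $outFile -NoTypeInformation
```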

Autoruns

After checking all running processes in memory, we will now use the autoruns.exe utility to validate the programs that execute automatically at startup. Malware commonly uses autorun locations to start on every login. This tool helps us find the programs, registry entries, and processes that run when Windows starts.

In Autoruns, we can control all the processes and registry entries that start at Windows login. We can check or uncheck an entry in the Autorun Entry column. We will review the Publisher of the entry, its timestamp, and the file's Image Path.

Step 3:

In this step, we will validate all the processes and registry entries that start at Windows startup, checking both their signatures and their hashes on VT.

We can start this from Options > Scan Options.

A dialog box appears; tick the Verify Code Signatures and Check VirusTotal.com options and press Rescan (as per the image below). This validates the signature of every entry and checks its score on VT.

Once the scan completes, we can look for unverified signatures in the Publisher column and for the VT score in the VirusTotal column.

You can uncheck suspicious entries in Autoruns based on their Publisher and VT score.

Conclusion:

With the help of these two tools, we can find suspicious processes on our system. I have shown only minimal use of them. These are potent tools, and most analysts use them for the initial analysis of any system or process.

I am not discouraging the use of an antivirus program. You can use any AV program, but scan your system regularly and keep your AV database updated.

Microsoft Defender is a good tool for protection at no cost.


Sajid Kiani

I am a Security Researcher. I am not a pro writer. You can catch me on Twitter @_sajidkiani or LinkedIn “sajidkiani”.