Malware vs. Process Explorer

By Ben Farmer

What if I told you that you weren’t at the mercy of how good your antivirus software is? That you could, with a little learning, search for malware yourself? We will be using a program called Process Explorer, by Mark Russinovich. Process Explorer is essentially Task Manager on steroids, without the anger issues. This isn’t a perfect method but it adds another healthy layer of security to protect your dirty browsing history from prying eyes.

The first and only thing you’ll need is the program itself. It can be downloaded from tinyurl.com/khpyt3n. It doesn’t require installation; to run it, just launch procexp.exe. Once it’s open you will see a ton of information, and it may be intimidating for the uninitiated, but if you have a look around it may all make sense. However, you don’t really need to know even 10 percent of the displayed information.

Now we need to add the VirusTotal column in order to compare processes with a database of around 60 antivirus programs. Click on “Options” at the top left, then hover over “VirusTotal.com” and select “Check VirusTotal.com.” It will prompt you to accept terms. After this, and a short wait, a column called VirusTotal will be added, and it will display some important information.

The new column shows a fraction for each process. The fraction represents how many of the antivirus engines consider that process’s executable to be malware, out of how many scanned it. Zero out of 60 would mean that a process is considered nonthreatening by every antivirus that ran it through its database. This is much nicer than just asking one antivirus, don’t you think? If a process shows that a few antiviruses think it’s a threat, don’t panic. Simply disconnect from the internet (to minimize the damage) and then Google the process name on a different device. It may be a false positive, so don’t immediately nuke it. You will find plenty of information on most processes. If it turns out to be malicious, you can kill the process by clicking on it and pressing Delete on your keyboard.

Another feature of Process Explorer is that it color-codes all processes, and each color means something different. For example, a red process has just ended and will soon be removed from the list. The color we are looking for is purple: a purple process means its executable is packed. A packed executable has been compressed (or encrypted) on disk and only unpacks itself in memory when it runs, which is usually done to hide what the code does. There are very few good reasons for a process to be packed, so that should raise an immediate red flag. In this situation, you should also research the process name and kill it if you have reason to believe it is malware.

Ben Farmer is a member of the Information Technology senior seminar course and is planning on a career in networking. He can be contacted at benjaminjfarmer@smccme.edu. Feel free to ask any questions. An online version of this article can be found at benjaminfarmer.smccme.net/beacon.
