May 01

Catching Malware Like Pro – Part 1

Most IT-Pro’s I talk to on this topic have the same answer when it comes to catching a possible virus on a machine.

Important steps to take:

  • Remove the device from the corp network
  • Scan the device with the ‘favorite’ antivirus product
  • If the step above fails to find it, use another antivirus/antimalware product
  • …..
  • clean install the device

There are a few problems with this approach

  • Scanning an entire machine depending on the hardware and amount of files on the system can take hours per product
  • only at the end of the scan you know if you picked the right product to catch the malware
  • you only get 1 opinion at a time

As most know, there’s no perfect antivirus product, though many do a good job.
What if we could get the knowledge of all those vendors combined in one scan action?

The knowledge is out there!

virustotal logo
virustotal logo

https://www.virustotal.com is a website that allows you to upload a suspicious file & check it against most of the known vendor’s engines.

Upload is only needed if the file isn’t already known in their database, if anyone already uploaded the file you want to test a simple file-hash check reveals the latest scan result of the file

screenshot of the interface
screenshot of the interface

press choose file on the file tab & select a file to upload/check

screenshot of the upload file selection
screenshot of the upload file selection

For this demo I used the eicar.org test file a well known test virus

screenshot of the result 56/65 engines triggered a response
screenshot of the result 56/65 engines triggered a response

As this is a know file no scan was needed & the result is instant, you can access the result >here<

If you want to update the result, rescan the file with all those engines (this one was scanned 5 minutes ago at the time of the test) you can press the circle arrow at the top right.

rescan in action
rescan in action
screenshot of 2nd scan result showing even more hits
screenshot of 2nd scan result showing even more hits

The number of used engines can vary from time to time & type of file, some engines do not can certain filetypes

looking at the list in this result you will be able to spot you favorite tools & more.

So now we are able to scan a file with all the possible intel, solving the issue of what engine to use to catch the malware

A good Idea to use this when assessing the use of a new tool

More on how to extend this to more than just 1 file in ‘part 2’

Catching Malware Like Pro – Part 2

1 pings

  1. […] Catching Malware Like Pro – Part 1 […]

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.