system scanner

Hello. I was wondering about a particular kind of Windows system scanner that will help a more advanced user check for malware/understand what is going on in his system. I've spent a lot of time searching for this, but have not been able to find anything. Specifically, if anybody knows of a program that will have some sort of database (similar to a program checker, except a local program that can scan all of the files) where it can scan through your Windows folder and check file sizes/md5sums of files to see if they are normal. To tell you what files are normally in a Windows installation, and which ones have been added later. Thanks.


2 weeks later...

OK, so maybe nobody knows, but don't you see the potential in this kind of tool? I'd personally like to know all of the files in my Windows system at a glance and see if they match up to the ones provided by Microsoft or not, plus any other things that might come from other companies. You find interesting things with "unknown files." I'm not talking about running processes, I know there are plenty of tools for that; rather, I'm talking about files on the disk.


You've basically described the built-in System File Checker. The problem with using it as a malware defense is that malware rarely replaces files anymore. It's easier just to toss a key in the registry and let Windows do the rest. If such a tool existed, 99% of the infected machines it ran on would show as being perfectly clean.


Perhaps I'm not explaining clearly.

The features of the Windows System File Checker are a small part of it, but only part. I'm talking not only about file replacements, I'm talking about extra files, and also md5/sha1sum info on every file inside the Windows folder compared against an independent database. A complete listing of all of the files inside the folder, along with color-coded highlights that tell you what is standard, what is extra, and what files are changed from the original system versions. In some ways the same thing, but in a much nicer layout to help advanced users. It would be more of an information tool than a cleanup tool. An alert that the system is infected or clean is nice but less important than possessing knowledge about what is different. There would not actually be an "infected" listing, but just a mark to show that it's different.

A lot of malware tends to leave behind files such as batch files, downloaders, even log files, and things that are not system file replacements, per se, but are simply leftovers. A quick Google search on a particular file and its location, as a rough example: googling c:\windows\temp.exe can often lead to information about malware that might have used such a file as a downloader. Sometimes you can look inside batch files that have not been normally present in a Windows system and google the text inside. You can use file analysis tools to determine what is inside of a file, if it is suspect, and look at strings inside, etc.

We have tools like HijackThis for findings inside the registry, etc., but the principle I'm thinking of is roughly the same thing, only more file-based. I can't count how many times I've simply fired up Windows Explorer and found malware that an antivirus did not find, simply by noticing things that seem unusual. One memorable occasion was when I connected via VNC to a friend's computer over the internet, and within 10 minutes I had determined that her computer was infected by a rootkit virus. Why? Because her id*** boyfriend who coded the thing was capturing all of her internet activity and dumping it to a gigantic 1 gig file simply located in c:\. (He admitted it was him.) It has happened so often that I now make it a point to fire up Windows Explorer for just a quick peek while I'm working with a customer. I know that sort of method can be effective because I've done it so often just by eye. One could only think it would be even more useful if much of the process were automated.
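The scanner described in the post above is essentially a file-integrity baseline and diff: hash every file under a root, store the listing, and later classify each path as standard (hash matches), changed, extra (not in the baseline) or missing. The following is an added example, not code from the original thread or from any existing tool, showing the core of that workflow in Python. It uses SHA-256 rather than MD5/SHA-1, since collisions can be produced for both of those and an attacker who can forge a matching hash defeats the whole point of the listing. The `demo()` function builds a small constructed directory tree in a temporary folder that stands in for a Windows installation (the `Windows/System32`, `Temp` and file names are assumptions for illustration), then simulates a replaced system file, a dropped `Temp/temp.exe` and a deleted `win.ini`.

```python
"""Baseline-and-diff file scanner (added example, not from the original post)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files (e.g. a 1 GB capture) don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_listing(root):
    """Return {relative_posix_path: {"size": bytes, "sha256": hex}} for every regular file under root.

    Symlinks/junctions are skipped so a reparse point cannot make the scan wander
    outside the tree or loop.
    """
    root = Path(root)
    listing = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            listing[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return listing


def save_baseline(listing, path):
    """Persist a listing as JSON; keep this copy off the machine being checked."""
    Path(path).write_text(json.dumps(listing, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def classify(baseline, current):
    """Diff a fresh listing against the baseline.

    Returns {"standard": [...], "changed": [...], "extra": [...], "missing": [...]}.
    Nothing here is labelled "infected": the output only says what differs.
    """
    report = {"standard": [], "changed": [], "extra": [], "missing": []}
    for rel, info in current.items():
        known = baseline.get(rel)
        if known is None:
            report["extra"].append(rel)
        elif known["sha256"] != info["sha256"] or known["size"] != info["size"]:
            report["changed"].append(rel)
        else:
            report["standard"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo():
    """Constructed sample tree: baseline it, tamper with it, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Windows"               # assumed stand-in for C:\Windows
        (root / "System32").mkdir(parents=True)
        (root / "System32" / "kernel32.dll").write_bytes(b"original kernel32")
        (root / "notepad.exe").write_bytes(b"original notepad")
        (root / "win.ini").write_text("[fonts]\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_listing(root), baseline_file)

        # Simulated tampering: one system file replaced, one leftover dropped, one file deleted.
        (root / "notepad.exe").write_bytes(b"trojaned notepad")
        (root / "Temp").mkdir()
        (root / "Temp" / "temp.exe").write_bytes(b"MZ downloader stub")
        (root / "win.ini").unlink()

        return classify(load_baseline(baseline_file), build_listing(root))


if __name__ == "__main__":
    for status, paths in demo().items():
        for rel in paths:
            print(f"{status:8s} {rel}")
```

Two caveats when using this against a real Windows folder. First, a baseline taken from the machine itself only tells you what changed after you took it; the "independent database" the post asks for has to come from known-good install media or a vendor-published catalog of hashes, otherwise an already-present implant is simply baked into the baseline as "standard". Second, as the earlier reply points out, a registry autorun pointing at a file outside the Windows folder will never show up in a scan scoped to that folder, so the file diff is a complement to, not a replacement for, looking at autostart locations.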
