VirusTotal support integrated into new version of Process Explorer

Posted by Virus Bulletin on Jan 30, 2014

Sysadmins can check hashes of processes against file-checking service database.

Microsoft and Google are known for their fierce competition, but when it comes to security, the tech giants are eager to put that aside. Hence as of this week, Google's VirusTotal has been integrated into Microsoft's Process Explorer.

The planned integration was announced by Sysinternals founder and developer Mark Russinovich (who has written for Virus Bulletin in the past and whose fictional works have also been reviewed in the magazine) on Twitter last October.

With yesterday's release of Process Explorer 16.0, the integration was completed.

Process Explorer is a task manager and process monitor that is part of the Windows Sysinternals suite. It gives Windows administrators information on the processes that are running and the resources used by them. It can be very helpful when trying to solve system issues.

While investigating, an administrator may wonder whether a process that is running is actually benign. As of this week, they can choose to send the hash of a process to VirusTotal and the interface will show whether the file has been scanned before and, if it has, how many of several dozen anti-virus products detect it as malicious.

VirusTotal is regularly used by people who then go on to make claims about the performance of anti-virus solutions - something those running the service have long said is a bad idea. However, to find out if a certain file or process is deemed to be malicious by at least some anti-virus products, which in many cases is sufficient information, it is a very useful tool.

In case the file isn't known to VirusTotal - for instance because it is some highly polymorphic or very targeted malware, or because it is an unknown but legitimate program - Process Explorer also lets the user upload the file itself, in order for it to be scanned by a large number of anti-virus products. All in all, I expect that for many system administrators, this integration will be very helpful to confirm whether or not a suspicious process is known to be malicious.
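The two-step flow described above (look up the hash first, treat the file as an upload candidate only when VirusTotal has never seen it), as an added example that is not part of this post or of Process Explorer's own code. The process list, image bytes and lookup results are constructed; the report field names (response_code, positives, total) follow VirusTotal's public v2 file/report API, not anything in this post.

```python
import hashlib

# Constructed stand-in for the executables behind running processes:
# image path -> file bytes. Real code would read each image from disk.
SAMPLE_IMAGES = {
    r"C:\Windows\System32\svchost.exe": b"MZ-constructed-benign-service-host",
    r"C:\Users\admin\AppData\Local\Temp\svch0st.exe": b"MZ-constructed-suspicious-binary",
    r"C:\Program Files\InHouse\backup.exe": b"MZ-constructed-in-house-tool",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for VirusTotal's hash lookup. Field names follow the
# v2 file/report response: response_code 1 = known, 0 = never seen;
# positives = engines that flagged the file, total = engines that scanned it.
FAKE_VT_REPORTS = {
    sha256_hex(SAMPLE_IMAGES[r"C:\Windows\System32\svchost.exe"]):
        {"response_code": 1, "positives": 0, "total": 48},
    sha256_hex(SAMPLE_IMAGES[r"C:\Users\admin\AppData\Local\Temp\svch0st.exe"]):
        {"response_code": 1, "positives": 37, "total": 49},
}

def lookup_hash(digest: str) -> dict:
    return FAKE_VT_REPORTS.get(digest, {"response_code": 0})

def triage_processes(processes, images=SAMPLE_IMAGES, lookup=lookup_hash):
    """processes: list of (pid, image_path). Returns {image_path: verdict}.
    Only the hash is sent on the first pass; the file itself is marked as an
    upload candidate only when the service has never seen it. Processes that
    share one image (e.g. many svchost.exe instances) are looked up once."""
    results = {}
    for _pid, path in processes:
        if path in results:
            continue
        digest = sha256_hex(images[path])
        report = lookup(digest)
        if report.get("response_code") != 1:
            results[path] = {"sha256": digest, "verdict": "unknown",
                             "upload_candidate": True}
            continue
        pos, total = report["positives"], report["total"]
        # "not flagged" means none of the engines that scanned this exact file
        # detected it, not that the file is proven benign.
        results[path] = {"sha256": digest, "verdict": "flagged" if pos else "not flagged",
                         "detections": f"{pos}/{total}", "upload_candidate": False}
    return results
```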

Update: An earlier version of this blog post suggested that only hashes of files were supported. This has now been corrected. Thanks to VirusTotal's Bernardo Quintero for pointing this out.

Posted on 30 January 2014 by Martijn Grooten
