Information Security
Assessment Tools for Incidents involving Windows O/S
Most of the incidents at Tufts are virus/worm infections. To analyze these, make sure your CD kit includes 1) the Trend Cleanup program with the latest signatures, or 2) a copy of McAfee's Stinger. When you want to go further, or the standard cleanup tools have missed a clever piece of code, the following steps and programs will get you started.
Note: Microsoft purchased Sysinternals in July 2006. On September 25, the Sysinternals website was taken down, and its tools have not yet appeared on Microsoft's web site. We will keep checking for their new locations, but if you'd like a copy of a tool in the meantime, please email us.
Windows Procedures and Tools
- Read CERT/AusCERT's Windows Intruder Detection Checklist.
- Log in as Administrator, in Safe Mode.
- Set Windows Explorer to show all system files, hidden folders and file extensions.
- Use Event Viewer to check the logs for gaps, unexpected reboots or system events, and service failures. A gap in an otherwise busy log is itself a finding: logs do not go quiet on their own.
- Check accounts, passwords and their groups. Is the Guest account in the Administrators group? Are there accounts nobody recognizes?
- Check to see what is running:
  - Applications
    - Use Add or Remove Programs. Is there an IRC or FTP server?
    - Check what runs at startup. On Windows XP, run msconfig from the Start menu's Run box.
    - The SilentRunners VBS script will identify every program that starts up with Windows.
  - Services
    - Open Administrative Tools, then Services.
    - BlackViper's information on service configuration
    - Microsoft's Service Security recommendations for Windows XP Pro
    - Microsoft's Windows Server 2003 Security Guide includes service recommendations for file, print and web servers.
  - Ports
    - Use Fport or TCPView to see the same output as "netstat -an" plus the application that owns each port. (On XP, "netstat -ano" adds the owning process ID, and "netstat -anb" on XP SP2 adds the executable name.)
    - Latest IANA port assignments (well-known and registered ports, 1-49151)
  - Processes
    - View Task Manager's Processes tab and account for every process. Use the Uniblue WinTasks Process Library or Process Library for .dll and .exe lookups.
    - Run Sysinternals Process Explorer to find out which program has a specific file or directory open. Process Explorer will also show many backdoors that hide from the Windows Task Manager process list, though a kernel-mode rootkit can hide from Process Explorer as well.
- Now run Trend's antivirus scan. You can run it from the local install, but since a worm may have deleted or corrupted that install, it is safer to run it from a CD or USB drive.
- Still not finding the file or process? Then it's time to reformat and rebuild. If you're intensely curious or need an identification, check our list of forensic tool kits and rootkit detection programs.
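The checklist above, collected in one script, as an added example that is not part of the original page and not code from any of the tools it names. It assumes a current Windows host with PowerShell 5.1 or later (the XP-era utilities above have cmdlet equivalents there); the port-to-label table, the 30-day event window and the "outside %SystemRoot%" service filter are illustrative assumptions, not rules from the page. It does not replace the GUI steps; it gives you a first pass you can save off the machine before anything is cleaned.

```powershell
# Added triage script; not from the original page or any tool it names.
# Assumption: a current Windows host with PowerShell 5.1 or later
# (Get-LocalGroupMember needs Windows 10 / Server 2016+, Get-NetTCPConnection
# needs Windows 8 / Server 2012+). Run it from an elevated prompt, ideally
# from CD/USB, and save the output off the box before cleaning anything.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. Accounts: who is in Administrators, and is Guest among them?
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$report.Administrators = $admins
if ($admins -match '\\Guest$') { Write-Warning 'Guest is a member of Administrators' }

# 2. Autostarts: the Run/RunOnce keys that msconfig and SilentRunners show.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report.Autostarts = foreach ($k in $runKeys) {
  if (Test-Path $k) {
    $key = Get-Item $k
    foreach ($name in $key.Property) {
      [pscustomobject]@{ Key = $k; Name = $name; Command = $key.GetValue($name) }
    }
  }
}

# 3. Services: running services whose binary lives outside %SystemRoot% get a
#    closer look against the BlackViper / Microsoft baselines (assumed filter).
$report.OddServices = Get-CimInstance Win32_Service |
  Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
  Select-Object Name, DisplayName, StartMode, PathName

# 4. Ports: listening TCP endpoints joined to the owning process (the
#    Fport/TCPView view). The port-to-label table is illustrative only;
#    an IRC or FTP listener on a workstation is the page's own red flag.
$suspectPorts = @{ 21 = 'FTP server'; 6666 = 'IRC'; 6667 = 'IRC'; 4444 = 'often a backdoor' }
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_ }
$report.Listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
  $owner = $procById[[int]$_.OwningProcess]
  $pname = if ($owner) { $owner.ProcessName } else { '(unknown)' }
  $ppath = if ($owner) { $owner.Path } else { $null }
  [pscustomobject]@{
    LocalPort = $_.LocalPort
    PID       = $_.OwningProcess
    Process   = $pname
    Path      = $ppath
    Note      = $suspectPorts[[int]$_.LocalPort]
  }
} | Sort-Object LocalPort

# 5. Event log: log service start/stop (6005/6006), dirty shutdown (6008),
#    shutdown requests (1074), services that died (7034) and explicit log
#    clears (System 104, Security 1102). A 6006 with no matching 6005, or a
#    long silence in a normally busy log, suggests logging was stopped.
$since = (Get-Date).AddDays(-30)
$report.RebootAndServiceEvents = Get-WinEvent -FilterHashtable @{
  LogName = 'System'; Id = 104, 1074, 6005, 6006, 6008, 7034; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, ProviderName, Message
$report.SecurityLogCleared = Get-WinEvent -FilterHashtable @{
  LogName = 'Security'; Id = 1102; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 6. Print every section. Redirect to a file on removable media to keep it.
foreach ($section in $report.Keys) {
  "=== $section ==="
  $report[$section] | Format-Table -AutoSize -Wrap | Out-String -Width 200
}
```

Run it from an elevated PowerShell prompt and redirect the output to removable media (for example `.\triage.ps1 > E:\triage.txt`, an assumed file name) so the record survives the rebuild. Process Explorer and a rootkit detector are still needed for the cases this misses: anything hooked below the APIs these cmdlets use will be invisible here too.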
Case studies and examples
- Lawrence Baldwin's Case Study of a DCC Bot