How would you improve Comodo's psc-exam?

Melih just posted a download link for their system analysis tool, psc-exam.exe

https://forums.comodo.com/free_virusspywaretrojanmalware_removal_by_comodo_experts/here_is_a_tool_that_might_help_identify_whats_on_your_machine-t26468.0.html

It’s a bit like HiJackThis: it gives you a log to look through, and you can determine if you’ve got any malware infections.

You save the psc-exam.exe to your desktop (attached file - ComodoExamTool.JPG)

You double click psc-exam.exe to run the application.

A window then pops up and it runs a very quick scan. (attached file - ComodoExamTool0.JPG)

You then get an alert, telling you that a .txt log was created on your desktop (where you ran psc-exam.exe from)
(attached file - ComodoExamTool2.JPG)

The window then closes, and you can review your log yourself or post it in computer technical help forums for analysis.

(attached file - ComodoExamTool3.JPG)

And here is my log. (attached file - psc-exam.txt)

If you’re familiar with HiJackThis and Combofix, you know how great tools like this can be for removing malware from your system, and for helping remove malware from other people’s computers in various internet forums.

I think this tool of Comodo’s could be great: a great asset to the community of people who use HJT and Combofix on a daily basis to help people.

This tool could become the next great standard. Move aside, HJT; not a chance, Combofix; Comodo pwns.

Seriously, this could be one hell of a tool, it just needs to be expanded upon.

How could this be made better?

How could this help identify malware?

How could this help REMOVE malware?

How could this be better than HiJackThis, and Combofix combined?

I think we all should give some input here. This is a really good tool that Comodo can make great; let’s give them some encouragement and great suggestions.

I think I’m stating the obvious here.

My suggestion (possibly the first of many): I think you gotta have some way to manually delete files and registry keys, and delete/remove malware, with the tool. psc-exam.exe has got to be able to remove malware. It doesn’t even need a fancy-looking GUI, just simple and effective commands to remove malware.

I think listing the date of recently created files is a must for a tool like this. If someone tells you that three days ago they started having malware problems, you’re almost certain to find malicious files that were created that day.

Something like this should be included within CAV3 when it is finally released.

Very good report, but centered on the registry and processes. It needs more information about the files and folders themselves. How about a consolidated file list, with md5, sha1, full pathname, dates, and file properties? If a file is listed in the report now, it should be on the consolidated list, with the details given only once.

Some malware will try to take the name of legit files, but the properties and md5/sha stuff just don’t match up.

And, if there is enough report volume (as would happen in malware removal forums), it’d be possible to weed out the good stuff, and leave only the unknowns to look at.

And in the netstat report, leave the entries as raw IP addresses and port numbers. Malware attacks on DNS redirectors can play havoc, and the name your machine resolves to and the name my machine resolves to may be entirely different. If I’m doing malware hunts, I need to know the IP address. Knowing the name is helpful, but potentially very, very misleading. Same thing with port numbers if I scramble the services file.

Very good suggestions, grue, keep them coming. Let’s help Comodo make this the ultimate tool for malware identification and removal.

I’ve got a thread over at twoplustwo about this as well.

At the risk of information overload, I’ll mention driver details (what drivers are installed, again with the md5/sha and file properties), particularly around network stacks, where malware likes to hide. But then again, taking over a very seldom used piece of hardware like some obscure USB hub would get malware installed at boot and not interfere with normal operations. And I mean, who investigates obscure OEM USB hubs?

And, anything in networking parameters: DNS, route tables, alternative network stacks, firewall settings (Comodo, Windows, and anybody else if this is for a malware hunt).

Just for good measure, throw in the Windows event logs.

All that shouldn’t add more than a few megabytes of report text ;D

It’s possible to do a bunch of that with some scripts. The format isn’t pretty, but the data is there.

How could it best remove malware, grue? How could it be extremely effective at identifying and removing malware?

Combofix is really just for a few specific infections; how could this be made effective against more malware infections?

How could you make the log smaller but more effective?

From my previous experiences, I’ve found that keeping the cleanup tools separate from the analysis tools is the better policy. The “overhead” of doing things twice helps to catch mistakes and things that would otherwise not get caught. That, and the fact that the cleanup tools are constantly changing due to the constant change in the malware. You don’t want to break your analysis tool during an update, as Murphy almost always says that is when you’ll need the analysis tools the most.

For the fully automated cleanup, just look at the universal uninstaller. Snapshot your machine in a known good state, catch snapshots daily, and backtrack when a problem gets detected. Windows system restore is an attempt at such, but seems aimed mostly at the registry. A full cleanup would need registry, file data, automated backup and some way to diff the known clean from “now”, and still keep your data intact.
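The consolidated file list with hashes, dates and attributes that grue asks for a few posts up, together with the snapshot-and-diff idea in the post just above, as an added example in Python. This is not Comodo's psc-exam code (which only writes a text log); it is a sketch of what such a report section could do. The sample directory, file names and file contents are constructed for the demo, and the known-good sha1 set stands in for the list that would be built up from forum report volume.

```python
"""Consolidated file inventory plus snapshot diff (added example, not psc-exam's code).

Each file appears once, with md5, sha1, full path, dates and attributes. A known-good
hash set weeds out files that need no review, and diff_snapshots() reports what changed
between a known-clean inventory and the current one.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Windows FILE_ATTRIBUTE_* bits; only populated where os.stat exposes st_file_attributes
_ATTR_BITS = {0x01: "R", 0x02: "H", 0x04: "S", 0x20: "A"}


def hash_file(path, chunk=1 << 16):
    """Return (md5, sha1) hex digests, reading the file in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def _ts(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def describe(path):
    """One record per file; a locked or unreadable file still appears, with an error."""
    st = os.stat(path, follow_symlinks=False)
    bits = getattr(st, "st_file_attributes", 0)
    rec = {
        "path": path, "size": st.st_size,
        # On Windows st_ctime is the creation time; on POSIX it is the inode change time.
        "created": _ts(st.st_ctime), "created_ts": st.st_ctime,
        "modified": _ts(st.st_mtime),
        "attributes": "".join(l for b, l in _ATTR_BITS.items() if bits & b) or "-",
        "md5": None, "sha1": None, "error": None,
    }
    try:
        rec["md5"], rec["sha1"] = hash_file(path)
    except OSError as exc:
        rec["error"] = str(exc)
    return rec


def inventory(roots):
    """Walk each root, keyed by absolute path so overlapping roots list a file once."""
    seen = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.abspath(os.path.join(dirpath, name))
                if full not in seen and not os.path.islink(full):
                    seen[full] = describe(full)
    return sorted(seen.values(), key=lambda r: r["path"])


def unknowns(records, known_good_sha1):
    """Drop files whose sha1 is in the known-good set; a legit name with a wrong hash stays."""
    return [r for r in records if r["sha1"] not in known_good_sha1]


def recent(records, since_ts):
    """Files created at or after a cutoff, for 'it started three days ago' questions."""
    return [r for r in records if r["created_ts"] >= since_ts]


def diff_snapshots(clean, now):
    """Compare a known-clean inventory with the current one by path and sha1."""
    before = {r["path"]: r for r in clean}
    after = {r["path"]: r for r in now}
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after)
                          if before[p]["sha1"] != after[p]["sha1"]),
    }


def format_report(records):
    """Tab-separated text, one line per file, suitable for pasting into a forum post."""
    head = "md5\tsha1\tsize\tcreated(UTC)\tmodified(UTC)\tattr\tpath"
    rows = ["\t".join([r["md5"] or "ERR", r["sha1"] or "ERR", str(r["size"]),
                       r["created"], r["modified"], r["attributes"], r["path"]])
            for r in records]
    return "\n".join([head] + rows)


def run_demo():
    """Constructed sample tree: take a clean snapshot, then tamper with it and re-scan."""
    root = tempfile.mkdtemp(prefix="psc_demo_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")                           # constructed known-good content
    with open(os.path.join(drivers, "usbhub.sys"), "wb") as fh:
        fh.write(b"constructed driver image")
    clean = inventory([root])
    with open(os.path.join(drivers, "usbhub.sys"), "wb") as fh:
        fh.write(b"constructed payload")             # same name, different hash
    with open(os.path.join(root, "svchost.exe"), "wb") as fh:
        fh.write(b"not the real one")                # legit-looking name, unknown hash
    now = inventory([root])
    known_good = {hashlib.sha1(b"hello").hexdigest()}
    return clean, now, unknowns(now, known_good), diff_snapshots(clean, now)


if __name__ == "__main__":
    clean, now, unknown, delta = run_demo()
    print(format_report(now))
    print("unknown:", [r["path"] for r in unknown])
    print("delta:", delta)
```

Hashing by content rather than trusting the file name is what catches the masquerading case grue mentions: the replaced usbhub.sys keeps its name but lands in "changed", and svchost.exe with an unfamiliar hash survives the known-good filter. Pointing the roots at the system and drivers directories gives the driver list he asks for in the same pass.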

In my opinion, one major improvement should be the creation of a simple user interface that displays the log file from the program window itself, with the information structured as expanding and collapsing trees and color coded, like Notepad++. This should make the analysis of the results easier.