McAfee has released an excellent table of malware tools. We had cases where large enterprise McAfee customers with 8000+ clients had to use those tools to finally get rid of certain malware, mainly because enterprise virus protection suites (McAfee, Trend, Symantec) block the infection of clients but, for removing rootkits or MBR/BIOS viruses, they still depend on open source or freeware tools like these.
7-Zip
7-Zip is a utility for file compression, file sharing, file encryption, and data backup. Several operating systems are supported.
ADPlus
ADPlus is a tool from Microsoft Product Support Services (PSS) that can troubleshoot any process or application that stops responding (hangs) or fails (crashes).
Website: http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
Autoruns
This utility shows you what programs are configured to run during computer start-up and logon, and shows you the entries in the order Windows processes them. These programs include ones in your Startup folder, Run, RunOnce, and other Registry keys.
EICAR
EICAR is a standard test file for anti-malware products. For information on how to obtain and use EICAR, see KB59742.
Fport
Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the ‘netstat -an’ command, but it also maps those ports to running processes with the PID, process name, and path.
Documentation/Instructions: see Downloaded files
Downloaded files: Fport.exe (md5: dbb75488aa2fa22ba6950aead1ef30d5). Change the file name for fport.exe to any other name. This will trigger detection on the file when you scan or run it.
GMER
GMER is a utility that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden disk sectors (MBR), hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls, and inline hooks.
IceSword
The IceSword utility shows hidden processes and resources using a Windows Explorer-like interface.
Website: http://www.softpedia.com/progDownload/IceSword-Download-79326.html
Documentation/Instructions: http://www.softpedia.com/progDownload/IceSword-Download-79326.html
Download (version 1.22): http://www.softpedia.com/progDownload/IceSword-Download-79326.html
IMPORTANT: Ensure that you use this utility only for logging purposes, and use McAfee products only for cleaning/deleting infected files.
ProcDump
The primary purpose of the ProcDump command line utility is to monitor an application for CPU spikes and generate crash dumps during a spike. As an administrator or developer you can use these dumps to determine the cause of the spike.
ProcDump also includes unresponsive Window monitoring (using the same definition that Windows and Task Manager use) and unhandled exception monitoring, and can generate dumps based on the values of system performance counters. ProcDump can also serve as a general process dump utility that you can embed in other scripts.
Process Explorer
Process Explorer shows which handles and DLLs each process has opened or loaded. It helps track down DLL-version problems and handle leaks.
Process Monitor
Process Monitor (ProcMon) is a monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. ProcMon combines and replaces the features of legacy utilities Filemon and Regmon.
Documentation/Instructions: http://blogs.technet.com/b/appv/archive/2008/01/24/process-monitor-hands-on-labs-and-examples.aspx
RootkitRevealer
RootkitRevealer is an advanced rootkit detection utility. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish, and HackerDefender.
IMPORTANT: RootkitRevealer is not intended to detect rootkits that do not attempt to hide their files or registry keys.
RootRepeal
RootRepeal is a new rootkit detection utility.
Stinger
McAfee Stinger is a standalone, lightweight utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users dealing with an infected system.
TCPdump
TCPdump is a common packet analyzer that runs from the command line. It allows you to intercept and display TCP/IP and other packets transmitted or received over a network.
TCPview
TCPView (for Windows) is a Microsoft program that provides detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns each endpoint. TCPView presents a more informative, more conveniently laid-out subset of the information shown by the Windows Netstat program.
The TCPView download includes Tcpvcon, a command-line version with the same functionality.
Documentation/Instructions: http://technet.microsoft.com/en-us/sysinternals/bb897437
Vision
Vision allows you to access a large amount of supplementary information that is useful for determining host status. It displays detailed system information, applications running, and processes and ports in use, stating what port a process is using.
WinPcap
WinPcap is a link-layer network access tool for Windows environments. It allows applications to capture and transmit network packets bypassing the protocol stack, and has additional features, including kernel-level packet filtering, a network statistics engine, and support for remote packet capture.
Wireshark
Wireshark is a third-party network protocol analyzer that lets you capture and interactively browse running traffic on a computer network. It is available for free as open source, and is released under the GNU General Public License version 2. Wireshark was formerly known as Ethereal.