Security Advice

Here at AVR we regularly deal with customers' problems, which can range from a virus outbreak to misconfigured software; being in this business requires us to stay ahead of the curve. There are various resources that we use on a day-to-day basis, and this page is here so we can share some of them with you.

Useful tools

Process Explorer
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

Process Monitor
An advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx

TCPView
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2010, Vista, NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
http://technet.microsoft.com/en-gb/sysinternals/bb897437.aspx

Autoruns
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

RootkitRevealer
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).
http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx

HiJackThis
HijackThis is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Combating Conficker

A number of customers have requested further information on the W32/Conficker.worm and a proactive response to this threat. The below section has been produced to provide extensive information, prevention, and resolution documentation, but please don't hesitate to contact us if you have any further questions or concerns.

What is Conficker?
Conficker is a computer worm that targets unpatched Microsoft Windows operating systems and attacks port 445 (Microsoft Directory Service).

What are the Symptoms?
Symptoms are varied, but predominantly are:

  • No access to security-related sites.
  • Users being locked out of machines.
  • Traffic on port 445 on non-Directory Service (DS) servers.
  • No access to a machine's admin shares.
  • Autorun.inf files in the recycled directory.

How can I protect myself?
Keep your Windows systems patched. Conficker first surfaced in November and exploited a vulnerability that was patched in October. If you are not sure whether you are patched, visit Microsoft here: http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Why all the fuss?
Nobody really knows what the plans are for Conficker, but it is now reckoned to be one of the largest botnets in existence, and has grown extremely rapidly. There is a very informative article about where Conficker came from, and where it is going here

Detecting an Infection

If you are not sure whether your network has been affected, I would recommend McAfee's detection tool, which should flag up any infected machines on your network. Even if you don't think you are infected, this is worth running just to make sure.
Download
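Two of the symptoms listed above can be checked for on a single machine from ordinary output. The script below is an added example, not a tool from AVR or any vendor named on this page: it parses a constructed `netstat -ano` style listing and flags processes fanning out to port 445 on hosts that are not known Directory Service servers, and it picks out autorun.inf files sitting under a recycled directory. The server list, the three-host threshold, and all sample data are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a `netstat -ano` listing (not real captured output).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49153     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.10:49154     192.168.1.77:445       SYN_SENT        1234
  TCP    192.168.1.10:49155     192.168.1.78:445       SYN_SENT        1234
  TCP    192.168.1.10:49156     192.168.1.79:445       SYN_SENT        1234
  TCP    192.168.1.10:49157     93.184.216.34:80       ESTABLISHED     2048
  UDP    0.0.0.0:500            *:*                                    700
"""
KNOWN_DS_SERVERS = {"192.168.1.5"}  # constructed: the legitimate DS/SMB server
SAMPLE_PATHS = [  # constructed sample of paths from a directory listing
    r"C:\RECYCLER\S-1-5-21-1234\autorun.inf",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\autorun.inf",
]

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
RECYCLED_AUTORUN = re.compile(
    r"[\\/](RECYCLER|RECYCLED)[\\/](.*[\\/])?autorun\.inf$", re.IGNORECASE)

def smb_targets_by_pid(netstat_text, ds_servers):
    """Map each PID to the sorted remote hosts it reaches on port 445, ignoring known DS servers."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # header row, UDP rows and anything else
        _laddr, _lport, raddr, rport, _state, pid = m.groups()
        if rport == "445" and raddr not in ds_servers:
            targets[int(pid)].add(raddr)
    return {pid: sorted(hosts) for pid, hosts in targets.items()}

def scanning_pids(netstat_text, ds_servers, min_hosts=3):
    """PIDs fanning out to port 445 on at least min_hosts non-DS machines: the
    'traffic on port 445 on non-DS servers' symptom. min_hosts is an assumed threshold."""
    by_pid = smb_targets_by_pid(netstat_text, ds_servers)
    return sorted(pid for pid, hosts in by_pid.items() if len(hosts) >= min_hosts)

def recycled_autorun(paths):
    """Paths matching the 'Autorun.inf files in the recycled directory' symptom."""
    return [p for p in paths if RECYCLED_AUTORUN.search(p)]

if __name__ == "__main__":
    print("PIDs with SMB fan-out:", scanning_pids(SAMPLE_NETSTAT, KNOWN_DS_SERVERS))
    print("autorun.inf in recycled dirs:", recycled_autorun(SAMPLE_PATHS))
```

A PID that is flagged can then be looked up in Process Explorer or TCPView from the tools list above to see which image and handles it owns.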

Removing an Infection

If you think you might have systems infected with Conficker, you need to take action now. Conficker.c was set to call its "Control Servers" on the 1st of April, and since then program updates have been instigated by the infection; it isn't going to go away by itself. There are a number of tools available to scan for Conficker:

McAfee Stinger for W32/Conficker Download

Trend Micro Sysclean Download

Microsoft's Conficker advice is available here

We hope this information and the links provided are of use to you. If you have any questions, please call us on 01628 829290 and we'll be happy to help in whatever way we can.

Copyright © 2011, AVR International Ltd. All rights reserved.