Autoruns offline analysis and other resources

Discussion in 'other anti-malware software' started by MrBrian, Feb 17, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From IAmA a malware coder and botnet operator, AMA:
    ---------

    Autoruns Analyze Offline System Option

    ---------

    From ASEPMonitor (free):
    ---------

    From hxxp://idsmonitor.narod.ru/indexen.html (free):
    ---------

    Paper "Utilizing AutoRuns To Catch Malware": direct pdf download hxxps://www.sans.org/reading-room/whitepapers/malicious/utilizing-autoruns-catch-malware-33383 (contains a script for comparison)
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hiren's BootCD has Autoruns and thus can be used to analyze a non-booted operating system.

    I tried using Autoruns to compare the autostarts of the same system when booted vs. non-booted, but it didn't work well; same with Autorunsc.

    Autorunsc has an option to list file hashes of autostart entries :thumb:.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I did that as well on my XP, and using a custom made BartPE CD and everything was fine. What went wrong for you?
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Autoruns: everything shows as "different"
    Autorunsc: one output file has about 1000 lines, while the other has about 775 lines (for the same account); also, there are some intra-line format differences as well.

    Are you using Autoruns or Autorunsc? Which version? If Autorunsc, what parameters do you use?
     
    Last edited: Feb 18, 2014
  7. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,080
    This is more or less what winpatrol does, right?
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, but Autoruns also has the ability to do offline system analysis (handy for rootkit-hidden autostart entries).

    I have been doing periodic Autoruns snapshot comparisons (non-offline) for years. I also do snapshot comparisons with What's Running.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tried online vs offline again. Autoruns 11.70 shows every item as a difference, while 11.42 and 11.34 show some items as differences.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Comodo Autorun Analyzer (part of Comodo Cleaning Essentials) also has an option to analyze offline systems. It doesn't have snapshot comparison, but it does check autostart entries with its cloud database.

    Any other similar programs with offline analysis ability?
     
  11. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,080
    HiJackfree is similar to comodo CE
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    You made me curious. I will try it again and post the results. Stay tuned :)

    Later edit: I checked on a VM using Autoruns 11.70, and you are right; Autoruns cannot be used reliably as a comparison tool because it says that every item counts as a difference. By looking at the text list that it exports, I was able to see what is the problem: for some reason (bug?) Autoruns reads each registry entry's time stamp wrongly in the offline analysis. This makes it believe that every entry is different, even if in reality they are not.
    As a conclusion Autoruns remains a good offline inspection tool, but only if you are willing to check the results yourself.
     
    Last edited: Feb 20, 2014
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  14. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Did any try this app. ASEPMonitor?

    it doesn't seem to work for me.i ran it "run as administrator" and it will display "Please wait. WinBatch Processing Window..." for some time and then exit without any message or error.and sometimes this ""Please wait. WinBatch Processing Window..." will stay for a very long time and i will have to kill it from task manager.

    i am using windows 7 64bit.
    Does anyone know any other app or way which can do automatic analysis of all startup items at regular intervals and display alert if some extra items are found?
     
  15. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Do these have automatic compare and alert feature? or are they like sysinternals autorun tool only?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    WinPatrol.

    WhatInStartup and ServiWin are manually-run tools.
     
  17. tom1876

    tom1876 Registered Member

    Joined:
    Jan 4, 2014
    Posts:
    15
    Location:
    England
    Thanks MrBrian :)

    WinPatrol looks like a nice tool to have on a system :)
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    I periodically manually compare Autoruns snapshots (of the computer currently running, unlike this thread topic) to spot new such items.
     
Loading...
Thread Status:
Not open for further replies.