• Tasks for the Weekend – December 19, 2020


    Author
    Topic
    #2321142

    Youtube video here Do you know about the program Autoruns?  A Microsoft blog post reminded me about it.  The other day a network management software t
    [See the full post at: Tasks for the Weekend – December 19, 2020]

    Susan Bradley Patch Lady/Prudent patcher

    • #2321155

      which pointed out that once the attackers SAW that security programs like Autoruns were installed on a machine

      It stops the attack if it sees Autoruns or other known analysis tools actively running, simply having it installed is not enough. Autoruns is portable anyway, so you’d have to search the whole hard drive to see if it was “installed.”

    • #2321172

      I’m an Autoruns user.  Susan’s right.  It’s a super handy utility with a lot of built-in one click filters for fast deep dives into the system that are often real eye openers.

      As for attackers having to “search the whole hard drive” for Autoruns, I don’t see that as an obstacle. If the malware directly accesses the File Allocation Tables like the speed search utilities (Everything, FileWiz, etc), whole drive searches for any file are nearly instant.  If Autoruns has to be loaded and active (running) to be detected, that’s different.  But just to check if “Autoruns.exe” is present on the system (portable or installed) would take only seconds.

      Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
    • #2321176

      Might “What’s my computer doing?” have the same effect on the SolarWinds’ attacker?

      Besides Autoruns there’s this little utility called “What’s my computer doing?”.
      https://www.itsth.de/en/produkte/Whats-my-computer-doing.php

      Unfortunately I can’t answer my own question because I don’t have the necessary advanced knowledge.

      Of course in my case it’s moot as I don’t have SolarWinds either, only occasional farts.

      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98)
    • #2321189

      V13.98 seems to be the latest version

      https://docs.microsoft.com/en-us/sysinternals/downloads/

    • #2321229

      From the MS blog

      In its first step, the backdoor initiates a connection to a predefined C2 server to report some basic information about the compromised system

      This is why none of your infrastructure machines should have internet access. Tying down your corporate network is safe computing.

      cheers, Paul

    • #2321256

      I am so leery of internet downloads today!!! I assume the autoruns download is safe??? I downloaded the .exe and ran Defender/MBAM checks – nothing found. Other than going to reputable sites (which even now may be compromised) Is running a check on the executable the best way to assure it is safe? Or are there other methods to check?

    • #2321258

      I am so leery of internet downloads today!!! I assume the autoruns download is safe??? I downloaded the .exe and ran Defender/MBAM checks – nothing found. Other than going to reputable sites (which even now may be compromised) Is running a check on the executable the best way to assure it is safe? Or are there other methods to check?

      If the downloaded *.zip or executable is not too large, you can have it examined by uploading it to https://www.virustotal.com/gui/home/upload .


      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98)
      • #2321265

        Thank you. I thought of doing that, but wasn’t sure.  I use Virus Total all the time to check websites – it has saved me from many a malicious site – even when you think they should be ok, often, they come up on VT with malware.  Use it for files too once in a while.

    • #2321270

      I am so leery of internet downloads today!!! I assume the autoruns download is safe??? I

      Sysinternals is a Microsoft product and site, so yes, if you trust Microsoft it’s probably safe.

      VirusTotal can be your friend in any case!

      Windows 10 Pro 22H2

    • #2321272

      It stops the attack if it sees Autoruns or other known analysis tools actively running

      In this case, I am glad to have HitmanPro.Alert by Sophos actively running on my PC.

      One of the features in their “Risk Reduction” section is “Vaccination“.

      Disguises the computer as that of a virus researcher, making sandbox-aware malware self-terminate.

      Windows 10 Pro 22H2

    • #2321286

      Autoruns is portable like other user mentioned. I have it on several of my computers and USB drives.

      Are you saying the weekend task is to remove it since hackers have installed malware onto Autoruns? There is info that other Microsoft products have malware installed from SAW.

      • #2321292

        To quote the main blog by Susan:

        This Microsoft blog post, which pointed out that once the attackers SAW that security programs like Autoruns were installed on a machine, it ran away from that computer

        so, no, quite the opposite, leave it on or add autoruns.

        Windows - commercial by definition and now function...
        • #2321295

          What do you mean? Details please?

          cheers, Paul

          • #2321298

            In answer (reply) to anon's question: Autoruns gives the attackers the runs, and not what he/she interpreted, to remove Autoruns 🙂

            Windows - commercial by definition and now function...
            • #2321313

              How did the hackers know that Autoruns was installed? It is portable. If I have it on USB, does that mean they ran from those computers as well? Or do I have to copy the file onto the hard drive? If so, where do you save it (i.e. Program Files, or the C: main drive, etc.) so that hackers will run away from it?

              From my reading of the article, it seems hackers ran away from it since the computer was already infected with their malware and they did not want to double infect it. Am I reading the article correctly?

            • #2321627

              It will need to be present on the disk you want protected, in the Windows installation. Beyond that, I don’t think it has to be running or active in any way.

              I’ll check again, but I think I have the entire Sysinternals Suite on my Windows machine. There are other useful utilities in that Suite.

              -- rc primak

      • #2321315

        I’m saying the weekend task is to install it to see what is automatically starting up on your computer.

        Susan Bradley Patch Lady/Prudent patcher

        • #2322639

          I’m saying the weekend task is to install it to see what is automatically starting up on your computer.

          As @TweakHound noted, it is portable and does not install.

          On the other hand, I’m not an enterprise nor run as a Domain, so I’m not concerned with Solarwinds.

          I use Autoruns to expose the startup items that are no longer relevant (uninstalled) but still have startup hooks.  But I don’t use the checkboxes.  For all the yellow entries, I run regedit as Trusted Installer, search for the Autoruns-listed Keys/Values and delete them from the registry.  After a reboot and a fresh run of Autoruns, there are no more yellow entries.

          As for the pink, I have lots of those, all related to my video and audio rendering software, so I’m good.

          In addition, the excerpt from the blog I read stated that “It checks that there are no running processes related to security-related software (e.g., Windbg, Autoruns, Wireshark)“, not just whether the Autoruns package is located somewhere on the machine.

          And again, I’m not an enterprise nor run as a Domain, so I’m not concerned with Solarwinds.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

    • #2321318

      I’m saying the weekend task is to install it to see what is automatically starting up on your computer.

      As stated above, Autoruns is a portable app. You do not install it.

    • #2321322

      Susan, you point out something that has long been a sore point for me. There are really two different worlds of computer users: Enterprise and Home. They are very different. Long ago, that teen-aged punk in the basement next door was an attacker who took great delight in attacking your computer. That has long since been replaced by organized crime organizations and state actors with a mission. That mission is either straight out profit or information to be used to take advantage of an organization in some way.

      There is a clear paranoia in the air about security, as it should be.

      The problem I wish to point to is that writers who write about the security threat don’t differentiate between those two worlds. The result is that home users get really stressed out about their personal risk to their home PC. Probably much, much more than they should. The vast majority of those home computers are used for email, occasional browsing and games. Hardly an attack face that is likely to realize any benefit from some hacker with a goal in mind.

      I laud you for pointing this out in your writing here.

      CT

      • #2321328

        All true, but, our government has been hacked! The companies that have our information, finances, cloud services, etc. etc. have been hacked!!! Who is the target? What is the target of these attacks?  Harvesting of information that harms our country, yes!!!  Harvesting of information to steal our money and our identity yes!! So what if it ain’t my little ol laptop.  It’s still distressing every time there is a hack it hurts us all!!

        • #2321630

          And no one here says otherwise. It’s just a question as to whether we have to take steps on our own devices to protect them.

          -- rc primak

    • #2321324

      Ok Next question – I downloaded the zip and double-clicked.  I see six ‘Autoruns’ applications, or variations thereof.  Which one do I run?  I am running Windows10 64 bit.

    • #2321327

      If I understand correctly, the Solar Winds attack was made by corrupting the software update process…..

      That is a vulnerable attack vector because it is so difficult to manage and secure. Much of that change comes out of the bowels of development people and very few really dig deep into what is changing in detail.

      That really means that software update is a vulnerability. The more often you do updates, the bigger the attack face and opportunity.

      Does that not suggest that reducing frequency of updating would be one valid way of reducing risk???

      CT

      • #2321492

        Does that not suggest that reducing frequency of updating would be one valid way of reducing risk?

        This is likely to make you more vulnerable as exploits are left unpatched for longer.

        The problem here was that the malware was inserted in “signed” updates, implying a breach of internal systems / a mole in Solar Winds. This is extremely difficult to guard against, but as I said earlier…

        cheers, Paul

        • #2321564

          I understand. Obviously patching that corrects vulnerability reduces risk. There should be a balance between how often this is done and how much the updating itself increases risk. I am not at all certain that element is being adequately considered.

          Additionally, many, if not even most updates are NOT to fix vulnerability but to change or add features. Those should only be done at a much longer period. That would require compartmentalizing feature Vs. security updates. This is exactly what took Microsoft so far off the rails. Roll back to 2013, most all updates were security related. Today most all are feature.

          CT

          • #2321638

            Fred Langa discussed which updates we should accept and which ones we should ignore, and how to decide, in a recent LangaList article in the AskWoody Newsletter (paid version).

            How to tell if software truly needs updating
            by Fred Langa
            AskWoody Plus Newsletter (Paid Edition)
            ISSUE 17.9.0 • 2020-03-02
            Top Story (should also be available for free subscribers)

            This was specifically about products like KC Softwares SUM0, which present us with every available update for every little software fragment installed on our PCs. The vast majority of these updates are unnecessary for security purposes.


            -- rc primak

    • #2321340

      Ok Next question – I downloaded the zip and double-clicked.  I see six ‘Autoruns’ applications, or variations thereof.  Which one do I run?  I am running Windows10 64 bit.

      You didn’t display file types in your screen shot.
      You are on 64bit so run the autoruns64.
      autoruns64a is for ARM CPUs.

      I would advise downloading the whole Sysinternals suite.

    • #2321349

      Sysinternals is a collection of MS utilities.

      I find these 3 most useful:

      Autoruns (Autoruns64.exe) As discussed in this thread.

      Process Explorer (procexp64.exe) An enhanced view of the processes and threads running on your PC. Lets you view the company (publisher), verified signer, autostart location (registry or task scheduler), file path, etc.

      TCPView (Tcpview.exe) Displays all of your current network connections along with the local and remote IP addresses and ports. Allows you to distinguish between localhost and external connections.

      Windows 10 Pro 22H2

      • #2321350

        Thanks I was wondering which ones to run and what they do. I don’t understand all of it.

    • #2321355

      Thanks I was wondering which ones to run and what they do. I don’t understand all of it.

      I agree! Some of it is definitely for deep geek diving!

      Some background on the original founders of Winternals, whose Sysinternals website was acquired by Microsoft in 2006.

      Winternals Software LP was founded by Bryce Cogswell and Mark Russinovich, who sparked the 2005 Sony BMG CD copy protection scandal in an October 2005 posting to the Sysinternals blog. Sony was found to be placing rootkits in users’ computers when they inserted particular copy protected CDs.

      https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

      Windows 10 Pro 22H2

    • #2321367

      A lot of malware programs like to check your indexed file locations, and like to check Windows shortcuts for installed programs. Although Autoruns does not get installed on a computer using an installer, creating a Windows shortcut to Autoruns.exe will let many malware programs “see” that Autoruns is “installed” on that computer. I have created Windows shortcuts for many Sysinternals programs which I use from time to time.

    • #2321516

      I have a problem with Autoruns’ Virus Total function. I have used it in the past and everything worked fine. Now when I start Autoruns, it submits hashes to Virus Total and then the status changes to unknown. When I try to submit unknown entries it doesn’t work either.

    • #2321522

      Autoruns and Process Explorer are not working for me since this past Saturday.  you can read more about the problem here:

      https://docs.microsoft.com/en-us/answers/questions/204024/process-explorer-virus-total-functionality-not-wor.html

    • #2321534

      This VT issue has been confirmed over on the SANS ISC InfoSec Forums. IOW, if it’s still not working, it isn’t fixed yet.
      Likely related to the mass Google outage last week.

      Windows - commercial by definition and now function...
    • #2321639

      Started a new topic in TOOLS – AUTORUNS – what to do with results

    • #2321712

      Instead of using the link that’s built into Autoruns, go directly to the Virustotal website, https://www.virustotal.com .

      When you get to the Virustotal main page, click on the word “FILE”, which will put a blue bar beneath the word. Now, click on the button just below that which says “Choose file”. This will bring up the Windows file explorer and you can then use it to navigate directly to the file in question. Once you’re at the location of the file you want to have examined, click on it once to highlight it and then select the button on the file explorer window that says “Open”. This will upload the file to Virustotal which will then analyze the file, probably very quickly, and give you the results from almost 70 (seventy) anti-crapware engines they have access to.

      There is a small caveat for this, though: As stated in a small grey box under the file upload button (the one that says “Choose file”), the maximum size of file for analysis is 650 megs.

      • #2322015

        When you get to the Virustotal main page, click on the word “FILE”, which will put a blue bar beneath the word. Now, click on the button just below that which says “Choose file”….

        Is it safe to be uploading these types of files to the internet for inspection?  I don’t know enough to know if it’s a security risk.  I upload files all the time to VT, but nothing personal – maybe a recipe or something I downloaded from the internet.  I also use it for websites all the time.  But I do not load files with any personal info.  I know these are computer files -but I don’t know if they reveal any info about me or my laptop……..

        • #2322066

          Yes, because usually the only file types you should be sending to Virustotal for inspection are the executables (ending in .exe) and the dynamic link libraries (those ending in .dll). Those are files that make the actual programs work and can harbor nasty stuff that can get you infected. This statement doesn’t mean that you should submit every single .exe or .dll file for inspection. It means that the .exe’s and .dll’s pointed out by Autoruns in “pink” should be the ones submitted for inspection, because Autoruns has flagged them as potentially problematic and it (for one reason or another) doesn’t have any info on its own to pass judgement on the file.

          There can also be other file types that can be deliberately misnamed by their creator to get you to trust them and thereby become infected, but that’s a completely different ball of wax.

          If you have any doubts about a file you’d like to submit to Virustotal for inspection, let folks know on the other thread you’ve started about the Autoruns results, and you’ll receive help there.

          To quote @johnw ‘s post below,

          You only need to scan files with executable code. For starters, applications with extensions such as .exe, .dll, .js, .bat, etc. Those should not contain any personal info.

    • #2321716

      So, you run autoruns and do your research on every autorun in your system. They all clear. You are happy.

      One or two months later you run autoruns again. You look at the list. What is new and needs to be researched? That’s where SuperantiSpyware (SAS) can help.

      SAS does not have the reputation it had before the 2011 acquisition by supportDOTcom. Most would only know it as a malware scanner but it does have other useful options worth exploring. In particular, System Investigator:

      • click System Tools then System Investigator

      You can click the [Start] button there and have many hours of ‘fun’ ahead of you researching a lot of malware points on your computer or you can choose to check specific point. To restrict the investigator,

      • check (for example) Windows User Startup
      • Now click the [Start] button.

      SAS will inspect your system and return lists. Initially the lists it presents you with will be ‘unknown items’ and ‘known good items’. It may have a list for known bad items, as well. If so, I’ve never seen it.

      Now your work begins. For each unknown item, do your research. To help you do that, SAS has inbuilt search tools. Mouse-hover over the line you wish to check and a magnifying glass appears.

      • Click the magnifying glass and an item details list appears.
      • Every line in the item details can be researched using the hover and magnifying glass method.

      For example, my Autoruns list produces DSATray. Hover, click magnifying glass on the filename line runs a web search (uses Google, not default 😢).  Top of my list is file.net, which confirms it is Intel Driver and Support Assistant Tray. I am happy with that and don’t need to search further.

      Back to SAS, there are options to upvote or downvote. I choose upvote, no comment required and click [OK]. Next time I run the investigator, the file will appear on my user upvoted list. I know it does not require research.

      Now repeat for thousands of entries! Actually, it’s not that bad. For example, I am currently working through CLSIDs and have 1646 records. Most of those are known. 1588 of those are ‘known good items’. Those still to be checked contain mostly signed files from software companies I know (Kaspersky, Lastpass, malwarebytes). Some are unsigned and will get research priority.

      HINTS:

      1. Upvotes and down-votes are only useful as a general guide. Anybody can upvote and downvote (including me). You have no idea of the credentials of the person who cleared the file.
      2. A web search for file names puts you in the territory of malware scammers, who want you to run their ‘free malware scan’. DON’T DO IT.  Simply try to work out what the file does and a guide whether it is legitimate.
      3. If you can’t easily clear a file or find out what it does, open VirusTotal, and import the file for analysis. Again, be cautious of the result. VirusTotal publishes few false positives (I won’t go into my suspicions why).

      EDIT: almost forgot. Even the free version of SAS’s standard setting is to start with the system. Initially this concerned me, but I figured out it must be connected with the right-click option. If you don’t want it to run (I don’t): open System Tools, Preferences, uncheck General Configuration options. While at it, read and decide about other settings. I like to be in full control. The only setting on mine is the radio button ‘Do not scan at startup’.

      Group A (but Telemetry disabled Tasks and Registry)
      1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
      2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

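A way to answer the “what is new since last time” question above without SAS, as an added example that is not from the thread or from Sysinternals: it diffs two autorunsc CSV snapshots (assumed to have been produced with `autorunsc64.exe -accepteula -a * -c -h -s -nobanner`) and lists new or changed entries, unsigned ones first, together with the SHA-256 that VirusTotal can look up before any file is uploaded (the hash-first behaviour described later in this thread). The column names, signer format and sample rows are constructed assumptions about the CSV layout, not captured output.

```python
import csv
import io

# Columns assumed to be present in autorunsc CSV output when run with -c -h -s.
KEY_COLS = ("Entry Location", "Entry", "Image Path")
HASH_COL = "SHA-256"

# Constructed baseline snapshot, taken right after every entry had been researched
# and cleared. SHA-256 values are shortened placeholders, not real hashes.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,DSATray,enabled,Logon,Intel Driver & Support Assistant,(Verified) Intel Corporation,c:\program files\intel\dsa\dsatray.exe,2222
"""

# Constructed snapshot a month later: DSATray was updated (new hash, still signed),
# a new signed tray app appeared, and a new unsigned scheduled task appeared.
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,DSATray,enabled,Logon,Intel Driver & Support Assistant,(Verified) Intel Corporation,c:\program files\intel\dsa\dsatray.exe,3333
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleTray,enabled,Logon,Example tray helper,(Verified) Example Software Ltd,c:\program files\example\exampletray.exe,4444
Task Scheduler,\Updater,enabled,Tasks,,(Not verified) Example Co,c:\users\public\updater.exe,5555
"""


def parse_snapshot(text):
    """Map (location, entry, image path) -> row dict for one autorunsc CSV dump."""
    rows = csv.DictReader(io.StringIO(text))
    return {tuple(r[c].strip().lower() for c in KEY_COLS): r for r in rows}


def is_verified(row):
    """Assumption: with -s, autorunsc prefixes the Signer column with '(Verified)'
    when the Authenticode signature chains to a trusted root."""
    return row.get("Signer", "").startswith("(Verified)")


def diff_snapshots(baseline_text, current_text):
    """Return the entries that need research again: new, changed (different hash
    or signer for the same autostart location) and removed."""
    base = parse_snapshot(baseline_text)
    cur = parse_snapshot(current_text)
    new = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    changed = [cur[k] for k in cur if k in base and
               (cur[k][HASH_COL] != base[k][HASH_COL]
                or cur[k]["Signer"] != base[k]["Signer"])]
    return {"new": new, "changed": changed, "removed": removed}


def triage(findings):
    """Order new and changed entries so unsigned images come first; each item
    carries the SHA-256 so it can be looked up on VirusTotal before any upload."""
    candidates = findings["new"] + findings["changed"]
    ranked = sorted(candidates, key=lambda r: (is_verified(r), r["Entry"]))
    return [("signed" if is_verified(r) else "UNSIGNED",
             r["Entry"], r["Image Path"], r[HASH_COL]) for r in ranked]


if __name__ == "__main__":
    result = diff_snapshots(BASELINE_CSV, CURRENT_CSV)
    for item in triage(result):
        print("%-8s %-14s %s  sha256=%s" % item)
    for row in result["removed"]:
        print("removed  %s" % row["Entry"])
```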
    • #2321844

      Autoruns is portable anyway, so you’d have to search the whole hard drive to see if it was “installed.”

      Whilst ‘portable’, Autoruns writes multiple registry entries (I count more than 50) when it is run, including when its EULA is accepted on first run and when the .ARN filetype is registered with the local system.

      As a result it’s much quicker to query one of the many, many registry keys than scan the filesystem for Autoruns executables.


    • #2321848

      But just to check if “Autoruns.exe” is present on the system (portable or installed) would take only seconds.

      Given that Autoruns writes more than 50 registry entries when it is first run (acceptance of EULA, registration of .ARN filetype, etc),  a RegRead check of a selected key would take about a millisecond (according to Process Monitor, another of Sysinternals’/Technet’s ‘portable’ utilities) to determine whether Autoruns had ever been used.

    • #2322020

      But I do not load files with any personal info.  I know these are computer files -but I don’t know if they reveal any info about me or my laptop……..

      You don’t usually submit personal files to VirusTotal. You submit downloaded application files to check for viruses…
      VirusTotal is part of Google. You can now assess the privacy of your submitted data.

      • #2322022

        Not personal files – but the files that AUTORUNS would submit – what about those? Are those downloaded app files?  Sorry for my ignorance, but I’m learning here ; )

    • #2322048

      Not personal files – but the files that AUTORUNS would submit – what about those? Are those downloaded app files?  Sorry for my ignorance, but I’m learning here ; )

      You only need to scan files with executable code. For starters, applications with extensions such as .exe, .dll, .js, .bat, etc. Those should not contain any personal info.

      When you attempt to send a file to VT, it will first just generate a file hash and upload that to see if they already have a matching file on the database. Then they will return the results from a previous scan. If the file is new or unknown to them, they will they upload the entire file and scan it. Then it gets added to their database. So the first unique instance of a file is the only time a file upload occurs.

      Data files are generally not a threat. Those would be text files, office docs, PDFs, photos, etc.

      Windows 10 Pro 22H2
