ThreatExpert Memory Scanner (TEMS)



AChen
02-26-2008, 02:29 AM
Hi All,

ThreatExpert Memory Scanner (TEMS) is an experimental lab product developed by the ThreatExpert team.

TEMS is a "post-mortem" diagnostics tool designed to detect a range of high-profile threats in different regions of a computer’s memory.

This tool is designed to assist in answering a common question asked by many customers whose systems have been susceptible to threats: "Is my system still infected?"

A threat may potentially slip under the radar of conventional malware scanners by engaging in stealth techniques to stay undetected as long as possible. Often, in such a scenario, the original threat file is encrypted with polymorphic encryptors which rely on anti-debugging and anti-emulation techniques, presenting a challenging task for malware scanners in detecting it.

However, when such a threat is loaded in memory, it needs to decrypt its own malicious code, completely or partially, or it is unable to run. The aforementioned stealth techniques are used by such threat families as Citwail/ Pandex/ DieHard, Storm, Mailbot/ Rustock and some others.

NOTE: ThreatExpert Memory Scanner targets threats that are already active on a client’s computer system. It does NOT provide you with any protection or defence, nor does it replace conventional antivirus or antispyware products.

In the current beta release, the Memory Scanner does not attempt to remove any detected threats.

If the scanner is capable of locating a file linked to the offensive memory module, you may submit that file by using a stand-alone ThreatExpert Submission Applet.

If you have identified a suspicious file yourself, you may run the submission applet to submit that file for analysis.

Soon after the file gets submitted, ThreatExpert automation processes it in a fully isolated environment and builds a comprehensive report that describes any detected threat behaviour. The report is sent to you via email and a copy of it is posted online at: http://www.threatexpert.com/reports.aspx

In certain rare cases, when a threat injects malicious code into a legitimate process, the Memory Scanner may be unable to locate the malicious module(s) responsible for such code injection. Nevertheless, it should still be able to detect the injected malicious code and tell you whether or not your computer is compromised.

NOTES:

The ThreatExpert team provides no technical support for its beta product releases.
The tool is complimentary (free), and contains no adware/spyware.
Please feel free to leave your feedback at: http://www.threatexpert.com/contact.aspx


Download available here (http://www.pctools.com/memory-scanner/download/).
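The mechanism the announcement relies on (a packed threat file never contains its real code bytes on disk, but must decrypt them into memory before it can run, so an in-memory signature scan sees what a file scan misses) as an added, self-contained example. This is not ThreatExpert's code and has nothing to do with how TEMS itself works internally; the payload bytes, the XOR "packer", the signature "Demo.Bot" and the helper names are all constructed here for illustration. The process-memory walk uses Linux /proc/self/maps and /proc/self/mem and returns None where that is unavailable.

```python
import ctypes
import mmap
import os
import re
import tempfile

# Constructed stand-in for a threat body (not real malware): a few opcode-like
# bytes followed by a string that will serve as the detection signature.
PAYLOAD = b"\x55\x89\xe5" + b"TEMS-DEMO-BOTNET-C2:" + b"\x90" * 32

# Hypothetical signature in YARA-style hex with a one-byte wildcard (??).
# Kept as text so the signature table itself never matches a raw-byte scan.
SIGNATURES = {"Demo.Bot": "54 45 4d 53 2d 44 45 4d 4f ?? 42 4f 54 4e 45 54"}

MAX_SIG_LEN = 64            # overlap kept between consecutive memory chunks
CHUNK = 4 * 1024 * 1024     # bytes read from a region per pread()


def compile_signature(hex_pattern):
    """Turn '54 45 ?? 53' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_bytes(data, signatures):
    """Return [(name, offset), ...] for every signature match in data."""
    hits = []
    for name, pattern in signatures.items():
        hits.extend((name, m.start()) for m in compile_signature(pattern).finditer(data))
    return hits


def scan_file(path, signatures):
    """Conventional on-disk scan: it only ever sees the packed bytes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def pack(payload, key):
    """Toy 'polymorphic' packer: one-byte key prefix, body XORed with it.
    A fresh key per build changes every byte of the file; real packers add
    anti-debugging and anti-emulation stubs, but the scanning problem is the same."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(packed):
    return bytes(b ^ packed[0] for b in packed[1:])


def load_in_memory(packed):
    """What every unpacker stub must do before the code can run: write the
    decrypted body into a private mapping (kept rw here; a loader would also
    make it executable). The mapping is returned so it stays alive."""
    body = unpack(packed)
    region = mmap.mmap(-1, max(len(body), mmap.PAGESIZE))
    region[:len(body)] = body
    return region


def region_address(region):
    """Virtual address of an mmap buffer (CPython/ctypes specific)."""
    return ctypes.addressof(ctypes.c_char.from_buffer(region))


def scan_self_memory(signatures):
    """Memory scan of the current process: walk /proc/self/maps and regex every
    readable region through /proc/self/mem. Returns None when /proc is not
    usable (non-Linux, or a sandbox that denies the read)."""
    try:
        regions = []
        with open("/proc/self/maps") as maps:
            for line in maps:
                fields = line.split()
                start, end = (int(x, 16) for x in fields[0].split("-"))
                name = fields[5] if len(fields) > 5 else ""
                # [vvar]/[vsyscall] are not readable through /proc/pid/mem
                if "r" in fields[1] and name not in ("[vvar]", "[vsyscall]") and end < 1 << 63:
                    regions.append((start, end))
        fd = os.open("/proc/self/mem", os.O_RDONLY)
    except OSError:
        return None
    hits, readable = set(), 0
    try:
        for start, end in regions:
            off = start
            while off < end:
                n = min(CHUNK, end - off)
                try:
                    data = os.pread(fd, n, off)
                except OSError:
                    break                      # guard page or device mapping: skip region
                readable += len(data)
                for name, rel in scan_bytes(data, signatures):
                    hits.add((name, off + rel))
                if len(data) < n or off + n >= end:
                    break
                off += n - MAX_SIG_LEN         # overlap so a match on a chunk edge survives
    finally:
        os.close(fd)
    return sorted(hits, key=lambda h: h[1]) if readable else None


def demo():
    """Returns (disk_hits, base, region_hits): the packed file scans clean, the
    unpacked copy is found at base + 3 once it has been written to memory."""
    packed = pack(PAYLOAD, key=0x5A)
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(packed)
    try:
        disk_hits = scan_file(path, SIGNATURES)
    finally:
        os.unlink(path)
    region = load_in_memory(packed)            # must stay mapped during the scan
    base = region_address(region)
    mem_hits = scan_self_memory(SIGNATURES)
    if mem_hits is None:
        return disk_hits, base, None
    # Hits outside the region are the scanner's own copies (PAYLOAD, unpack()
    # temporaries): a real scanner skips its own process or keeps signatures encoded.
    region_hits = [h for h in mem_hits if base <= h[1] < base + len(region)]
    return disk_hits, base, region_hits


if __name__ == "__main__":
    print(demo())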