Lists of freeware analysis tools
From CastleCopsWiki
Caution: The article below is currently in beta and has not been reviewed for factual errors.
Freeware analysis tools
This is more of a general catch-all category for security tools. Most of these tools are used as diagnostic tools by knowledgeable users to check the overall health of the system.
Autostart and other listers
This class of software enumerates registry entries, startup folders, system files and other sensitive system areas that are often modified by malware, also sometimes called hijack points. Strictly speaking, autostart entries are by definition common hijack points for malware (malware needs some way to start), but tools used for inspecting a machine for malware may also look at areas that do not really count as autostart entries (e.g. the Hosts file).
You can see some of this distinction in the earlier and simpler autostart control utilities (see "Basic"), which monitor only well-known and common registry areas and nothing else. They are more commonly used to remove safe but irritating entries added by legitimate programs that want to autostart with your computer, rather than for malware inspection.
Basic
- AnVir Task Manager Free - http://www.anvir.com/taskmanagerfree/
- Application Paths 2000 - http://www.gregorybraun.com/AppPaths.html
- Autostart and Process Viewer (APV) - http://www.konradp.com/products/autostart-and-process-viewer/
- CodeStuff Starter - http://members.lycos.co.uk/codestuff/ (down July 07?) - alternative download
- Cyberlion Startup Optimizer - http://www.download.com/Startup-Optimizer/3000-2086_4-10529547.html?tag=pdp_prod
- Deskanker - http://www.clearidea.us/deskanker/
- DoWinStartup - http://www.freewareweb.com/cgi-bin/archive.cgi?ID=622
- FreeFixer - http://www.freefixer.com/download.html
- MiTeC Startup Explorer - http://www.mitec.cz/Data/XML/data_downloads.xml, alternative download
- Msconfig - http://www.3feetunder.com/krick/startup/
- PC Tools Browser Explorer - http://www.pctools.com/browser-explorer/
- PC Tools Startup Explorer - http://www.pctools.com/startup-explorer/
- Quick Startup - http://www.glarysoft.com/quick-startup/
- SilentNight Startup Manager - http://www.silentnight2004.com/freeware.html
- StartDreck - http://www.niksoft.at/download/startdreck.htm
- Startup Control Panel - http://www.mlin.net/StartupCPL.shtml
- Startup Manager - http://www.pc-magazin.de/common/dtt/download.php?areaid=59&fileid=1487&PHPSESSID=8040f2ed3267eba3443210c88ce561d6
- StartupRun - http://www.nirsoft.net/utils/strun.html
- Startup Application Manager - http://homepages.paradise.net.nz/amorgan1/index.htm
- Startup Inspector - http://www.windowsstartup.com/startupinspector.php
Advanced
- ATool - http://www.antiy.net/freetools/atool.htm
- AutoRuns - http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
- Autostart Explorer - http://www.misec.net/products/autostartexplorer/
- Autostart Viewer - http://www.diamondcs.com.au/freeutilities/asviewer.php
- a-squared HiJackFree - http://www.hijackfree.com/en/
- HijackThis! - http://www.spywareinfo.com/~merijn/programs.php#hijackthis , Trend Micro version
- Online Solutions Autorun Manager - http://www.online-solutions.ru/en/osam_autorun_manager.php
- RunAlyzer (betaware) - http://www.safer-networking.org/en/runalyzer/index.html
- RegRun Reanimator - http://www.greatis.com/security/download.htm
- RunScanner - http://www.runscanner.net/
- Silent Runners - http://www.silentrunners.org/
- SpyHolesList - http://www.greatis.com/security/spyholeslist.htm
- StartupList v2 - http://www.spywareinfo.com/~merijn/programs.php#startuplist
- StartupList v1 - http://www.castlecops.com/downloads-file-516-details-StartupList.html
- SystemScan - http://www.suspectfile.com/systemscan_guide.php
- WinPFind - http://download.bleepingcomputer.com/oldtimer/winpfind.exe
- See also Process listers below and various Lists of freeware behavior blockers, Lists of freeware antirootkit and Lists of freeware antispyware that list registry entries.
Among the more advanced utilities, HijackThis! is by far the most popular and is used throughout the net on forums as a diagnosis aid for removing malware. There are, however, two major versions in use: the original 1.99.1 version and the 2.0 and later versions released after it was sold to Trend Micro. Both are freeware.
Another tool is Silent Runners, which is just a simple script that checks various hijack points. Other utilities that are still in development include a-squared HiJackFree, RunAlyzer by Spybot, RunScanner and Sysinternals Autoruns.
These tools have many advanced features and typically check not just common autostart entries but also obscure, seldom-used areas that are exploited almost solely by malware. Decision-making is made easier by filtering out signed entries (Microsoft or otherwise), by automated checks against online/offline databases of safe/dangerous entries, and by allowing unusual entries to be easily googled. Some, like RunScanner, go beyond merely listing autostart entries and also provide process enumeration and multiple process termination methods, even though strictly speaking this is not really the province of such tools. Such features are nevertheless handy to have.
Most of the tools listed here are not able to detect rootkit-cloaked entries. One exception is Online Solutions Autorun Manager, which not only functions as an autostart entry lister but also tries to detect rootkit-cloaked entries, using "the method of direct registry data analysis (without using OS functions)" and comparing the result to the normal view. You can also use some anti-rootkit tools like IceSword, which enumerates a limited set of autostart registry entries, or RootkitRevealer, which lists all hidden entries. Also see Lists of freeware antirootkit.
Note: there are a very large number of "hijack points" (see for example Tony Klein's autostart list and Grimes's Where Malware Hides), so even such tools in combination may not detect everything.
Lists of autostart locations
- Roger Grimes's Where Malware Hides - http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html
- Silent Runners' launch points - http://www.silentrunners.org/sr_launchpoints.html
- Tony Klein's list at Gladiator forum - http://gladiator-antivirus.com/forum/index.php?showtopic=24610
- Greatis's Startup order list - http://www.greatis.com/security/startuporder.htm#9X
- Comparison of autostart locations of registry monitors - http://www.wilderssecurity.com/showthread.php?t=32823 - outdated
- R2 comparison - http://www.dslreports.com/forum/remark,6721512~days=9999~start=80 plus origin discussion http://www.dslreports.com/forum/remark,6686853~root=security,1~mode=flat
Process listers
- Another Task Manager - http://www.betasoluzioni.com/users/atm/higheng.html
- Advanced Process Manipulation - http://www.diamondcs.com.au/advancedseries/apm.php, Alternative download
- CurrProcess - http://www.nirsoft.net/utils/cprocess.html
- Prcview - http://www.teamcti.com/pview/prcview.htm
- Process Explorer - http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
- Process Patrol - http://www.majorgeeks.com/Process_Patrol_d4409.html
- Process Scanner - http://www.processlibrary.com/processscan/
- myProcMan - http://www.trsecurity.net/myprocman/
- ProcX - http://www.ghostsecurity.com/procx/
- Security Process Explorer - http://www.glarysoft.com/spe.html
- Sysinternals Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
- TaskMan+ - http://www.diamondcs.com.au/index.php?page=taskman (down July 07), alternative download
- What's Running - http://www.whatsrunning.net/whatsrunning/main.aspx
- Window Watcher - http://www.karenware.com/powertools/ptwinwatch.asp
- See also Lists of freeware antirootkit like Icesword and GMER
The built-in Task Manager in Windows is widely acknowledged to be inadequate for everyday use, much less for power users using it for analysis purposes. Fortunately, there are many capable replacements for Task Manager. They typically provide more information, in particular a column showing the full path of each process. Some, like ProcX, are lightweight enough to replace Task Manager outright. The big brother of them all is Process Explorer, formerly from Sysinternals, which provides pretty much every piece of information and every feature you might desire. However, it might not be suitable for everyday use because of information overload. The ultimate real-time analysis setup is probably to combine it with Process Monitor from the same company, which merges FileMon and RegMon and shows real-time file system, registry and process/thread activity.
Unfortunately, many rootkits are able to evade even such advanced tools (though a keen-eyed analyst might spot discrepancies that give the game away). This is where anti-rootkits such as IceSword, DarkSpy, GMER and Rootkit Unhooker (see Lists of freeware antirootkit) come in. They also provide a task-manager-like function, but have a better chance of getting past rootkit defenses to display even hidden processes. Some will even indicate which processes are being hidden by rootkits. Similarly, many provide autostart listings, port mapping functions, etc.
File and process analyzers
- FileAlyzer - http://www.safer-networking.org/en/filealyzer/index.html
- Eureka Malware Analysis Internet Service - http://eureka.cyber-ta.org/
- MANDIANT Red Curtain - http://www.mandiant.com/mrc
- PEiD - http://peid.has.it/
- Spy Studio - http://www.nektra.com/products/spystudio/
- SysAnalyzer - http://labs.idefense.com/software/malcode.php
These tools allow advanced users to study files and processes.
MANDIANT Red Curtain looks at six categories of information to calculate a threat score including entropy, digital signatures, and existence of specific packers. In addition, MANDIANT Red Curtain identifies executable files that appear to have been modified, files with an excessive amount of imports and those with various combinations of permissions that indicate whether they can be read, written or contain executable code.
SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare: running processes, open ports, loaded drivers, injected libraries, key registry changes, APIs called by a target process, file modifications, and HTTP, IRC, and DNS traffic. SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks: create a memory dump of target process, parse memory dump for strings, parse strings output for exe, reg, and url references, and scan memory dump for known exploit signatures.
PEiD detects most common packers, cryptors and compilers for executable files. It can currently detect more than 600 different signatures in executable files. Additional signatures have been added by third parties, such as Neil's Plugins for PEiD.
File/registry changes
- File Change Alarm - http://www.divshare.com/download/2075433-50b
- File Checker - http://www.javacoolsoftware.com/filechecker.html
- File Spy Utility - http://www.osronline.com/article.cfm?article=370
- FileCheckMD5 - http://www.brandonstaggs.com/filecheckmd5/
- FileMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx
- FingerPrint - http://www.2brightsparks.com/freeware/freeware-hub.html
- Md5Checker - http://getmd5checker.com/download/
- MD5summer - http://www.md5summer.org/download.html
- Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
- RegMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/processesandthreads/regmon.mspx
- Sentinel - http://www.runtimeware.com/sentinel.html
- Spy-The-Spy - http://www.mediachance.com/free/spythespy.htm
- SysAnalyzer - http://labs.idefense.com/software/malcode.php
- Tiny Watcher - http://www.donationcoders.com/kubicle/watcher/
- VisualHash - http://www.dominik-reichl.de/opensource.shtml#vishash
- See also 'Installation monitors'
- See also 'File change alerters'
- See also 'Registry watchers'
Use these tools to monitor file and registry changes made by processes. Some of these tools, such as Process Monitor, monitor in real time. Others, such as FingerPrint, run on demand.
Please note that FileMon and RegMon have been superseded by Process Monitor.
Port mappers
- Active Ports - http://www.protect-me.com/freeware.html
- CurrPorts - http://www.nirsoft.net/utils/cports.html
- OpenPorts (DiamondCS) - http://www.diamondcs.com.au/consoletools/openports.php alternative download
- Open Ports - http://www.jasons-toolbox.com/programs.asp?Program=Open%20Ports
- Process And Port Analyzer
- TCPView - http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
- See also Lists of freeware antirootkit like Icesword.
These tools improve on the built-in netstat command by providing real-time monitoring of the ports on your system. They also map processes to ports, so you can see which processes are sending packets on which ports. Many, but not all, firewalls also provide similar functions for information purposes.
Port scanners
- Angry IP Scanner - http://www.angryziber.com/w/Home
- Blue's Port Scanner - http://www.bluebitter.de/portscn2.htm
- Fport - http://www.foundstone.com/us/resources/proddesc/fport.htm
- Nessus - http://www.nessus.org/
- Nmap - http://insecure.org/nmap/index.html
- SuperScan v4.0 - http://www.foundstone.com/us/resources/proddesc/superscan4.htm
- YAPS - http://www.steelbytes.com/?mid=19
- Windows UDP Port Scanner - http://ntsecurity.nu/toolbox/wups/
It is a mistake to assume that an automated port scan like ShieldsUp! is all you need to test your defenses. Ideally, a manual port scan using a tool like Nmap gives a more thorough picture of what your system exposes.
ARP watchers
- AdapterWatch - http://www.nirsoft.net/utils/awatch.html
- Winarpwatch - http://sid.rstack.org/arp-sk/
- XArp - http://www.chrismc.de/#
These tools provide defenses against ARP spoofing by watching for changes in ARP mappings.
Packet sniffers
- PacketMon - http://www.analogx.com/contents/download/network/pmon.htm
- SmartSniff - http://www.nirsoft.net/utils/smsniff.html
- Wireshark - http://www.wireshark.org/
- WinDump - http://www.winpcap.org/windump/
NTFS Alternate Data Streams (ADS) scanners
- ADS Spy - http://www.merijn.org/programs.php#adsspy
- Crucial ADS - http://www.crucialsecurity.com//index.php?option=com_content&task=view&id=95&Itemid=137 (only available via email request)
- GMER - http://zert.castlecops.com/gmer/
- LADS - http://www.heysoft.de/nt/ep-lads.htm
- NTFS Streams Eraser - http://www.excessive-software.eu.tt/
- Streams - http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx
These tools search your computer for Alternate Data Streams (ADS). Some antivirus and antispyware products already do this, but not all.
Process termination, file deletion, and registry key deletion-related programs
- Advanced Process Termination - http://www.diamondcs.com.au/advancedseries/apt.php alternative download
- Avenger - http://swandog46.geekstogo.com/avenger2/avenger2.html
- FileASSASSIN - http://www.malwarebytes.org/fileassassin.php
- KillBox - http://www.bleepingcomputer.com/files/killbox.php
- OTMoveIt - http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
- RegASSASSIN - http://www.malwarebytes.org/regassassin.php
- Simple process termination - http://www.syssafety.com/leaktests.html
- UnDLL - The DLL Remover - http://www.nod32.it/tools/undll.php
- Unlocker - http://ccollomb.free.fr/unlocker/
The tools in this category use a variety of methods to terminate processes, delete locked files, and/or delete registry keys. They may be necessary because malware often makes the removal of these items difficult. Many anti-rootkits, such as IceSword (see Lists of freeware antirootkit), are also capable of killing normally unkillable processes.
ActiveX/BHO/Toolbar/LSP listers (obsolete with XP SP 2)
- ActiveXHelper - http://www.nirsoft.net/utils/axhelper.html
- Active XCavator v2.0 - http://www.cognitronix.com/index.html#A1
- BHOCaptor - http://www.snapfiles.com/get/bho.html
- BHODemon - http://www.definitivesolutions.com/bhodemon.htm
- BHOlist - http://www.spywareinfo.com/~merijn/programs.php#bholist
- ToolbarCop - http://windowsxp.mvps.org/toolbarcop.htm
This group of tools is used to manage toolbars, BHOs and ActiveX controls in Internet Explorer. They are somewhat obsolete today, since Internet Explorer provides built-in methods to do the same. Moreover, many startup listers and antispyware tools list or monitor these entries as well.
URL discombobulators
- URL Discombobulator v1.9 - http://www.karenware.com/powertools/ptlookup.asp
Driver and DLL-related programs
- ListDrivers - http://ntsecurity.nu/toolbox/listdrivers/
- Loadorder - http://ccollomb.free.fr/unlocker/
- ServiWin Services/Drivers Manager - http://www.nirsoft.net/utils/serviwin.html
- See also Lists of freeware antirootkit like Icesword and GMER
Listing of file shares
- ShareEnum v1.6 - http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx
- SHAREMON - http://members.fortunecity.com/sektorsecurity/projects/sharemon.html
End user license agreement (EULA) analyzers
- EULAlyzer - http://www.javacoolsoftware.com/eulalyzer.html
- EULA Analyzer (browser based service/beta) - http://www.spywareguide.com/analyze/index.php
Cut and paste a EULA into the program and it will highlight suspicious phrases.
Lookup of file hashes/names/processes/startups/CLSIDs
- CastleCops list - http://hashes.castlecops.com/ Note: CastleCops has other research databases (see CastleCops#Research_Databases)
- FileAdvisor - http://fileadvisor.bit9.com/services/search.aspx - FileAdvisor client utility available
- Hijackthis.de - http://filedb.hijackthis.eu/
- Prevx - http://fileinfo.prevx.com/filesearch.asp (down), see http://fileinfo.prevx.com/ and http://research.prevx.com/
- ProcessLibrary - http://www.processlibrary.com/about/
- Runscanner list - http://www.runscanner.net/listMD5.aspx
- Spyandseek - http://www.spyandseek.com/
- NSRL list - http://www.nsrl.nist.gov/Downloads.htm
- Sysinfo.org - http://sysinfo.org/
Installation monitors
- FileMap by BB (nagware) - http://www.topshareware.com/FileMap-by-BB-download-4401.htm
- Installspy - http://www.2brightsparks.com/freeware/
- Installwatch - http://www.epsilonsquared.com/
- Look@win - http://digilander.libero.it/zancart/lookwin.html
- Revo Uninstaller - http://www.revouninstaller.com/
- Total Uninstall - http://www.aplusfreeware.com/categories/util/uninst.html
- ZSoft Uninstaller - http://www.zsoft.dk/ alternative download
- See also Lists of freeware virtualization
These tools monitor software installs by comparing the pre-install and post-install states of the folders and registry. The idea is that many uninstallers do not do a good job of removing every trace, hence the use of installation monitors.
Script decoders
- VBScript Decoder - http://shockley.net/apps.asp
Security updates and analyzers
- COMODO Vulnerability Analyzer (beta) - http://forums.comodo.com/comodo_vulnerability_analyzer/comodo_vulnerability_analyzer_version_1009_beta_released-t22427.0.html
- F-Secure Health Check - http://support.f-secure.com/enu/home/onlineservices/fshc/front.html
- Microsoft Baseline Security Analyzer (MBSA) - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
- Secunia Software Inspector - http://secunia.com/software_inspector
- Secunia Personal Software Inspector (betaware) - https://psi.secunia.com/
Microsoft Baseline Security Analyzer (MBSA) only checks for Microsoft-related updates. Secunia Software Inspector is an online service that checks not just Microsoft software for security updates but also other common applications like Firefox, Opera, Java, Flash, media players, IM clients, etc. (complete list). Secunia Personal Software Inspector runs locally on your computer, like MBSA, but checks a much larger list of applications.
F-Secure Health Check is similar to Secunia Software Inspector, but currently (Jan 2008) it uses ActiveX and hence is available only for Internet Explorer (Secunia uses Java applets and hence works in all modern browsers). Also, unlike Secunia, it requires admin rights.
Software updates
- Appsnap - http://appsnap.genotrance.com/
- CleanSofts.org Update Notifier - http://cleansofts.org/view/update-notifier.html
- File Hippo Update Checker - http://www.filehippo.com/updatechecker/
- UpdateStar - http://www.updatestar.com/
These tools scan your hard disk for applications and check them against an online database, then inform you which ones have newer versions available. Such updates do not always contain security fixes; they may instead add features, fix other bugs, etc.
