Hunting for malware on your Windows computer with Process Explorer

Sysinternals Process Explorer is a quick and effective way to check for malware running on your Windows computer, by confirming the integrity of all current processes and allowing you to submit them to virustotal.com where they will be scanned for free by roughly 60 different antivirus scanners.

Begin by downloading Process Explorer from https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Extract the contents of the archive into a folder on your computer and launch procexp64.exe by right-clicking on it and selecting Run as administrator in order to grant it the highest user privileges.  If your system is 32-bit, procexp64.exe will fail to launch in which case simply use procexp.exe instead.

Once Process Explorer starts, a lot of detailed information will appear on your screen.  Do not worry about the majority of these for now, the ones we care about the most are the Verified Signer and VirusTotal columns which are not shown by default.  Click on Options in the menu bar and select Verify Image Signatures.  The Verified Signer column will now appear.  Click on it in order to sort by this column which will allows you to quickly identify which processes are not digitally signed and thus provide less reassurance about their legitimacy although this does not immediately mean they are considered malicious.  But if you have suspicions about any processes these are the candidates to focus on first and you will probably want to re-submit these to VirusTotal (explained below) to confirm that they are indeed OK.  Also keep in mind that digitally signed malware although rare, does exist, so don’t automatically assume that any digitally signed file is non-malicious either (for any such cases, these are often files which were signed with the keys of slightly obscure companies which have been breached, or which use signing keys that have since been revoked). 

Next we complete the more important step which is to click on Options again and select VirusTotal.com | Check VirusTotal.com.  Read and accept the terms, and a file hash of each of your processes will be sent to virustotal.com so that you can see the file scan results of 60 different antivirus scanners.  A few things you need to note about this:

The results that you see are historical results based on the last time that file was submitted (by somebody else) to virustotal.com.  All you have done so far in Process Explorer is lookup those last scan result for that file, which from this screen alone is not possible to determine whether this was last scanned one hour or one year ago or more.  The Additional Information tab on the virustotal.com web site will show you when the file was first and last submitted.  But below we will show you how to easily submit these files in order to get up-to-date results.

With 60 different antivirus scanners examining those files, there is a reasonable probability that in your entire list of processes there may be processes which triggered a false positive results.  For example you may see some processes that appear in red and have a result such as 1/60.  This means that the file triggered a positive detection on virustotal.com with 1 out of 60 antivirus scanners.  It is normal for non-malicious files to occasionally trigger a positive detection so do not worry yet, but you definitely want to look into these further by right clicking on that process in Process Explorer, selecting properties, then on the Image tab at the bottom clicking on the submit button in order to re-submit the file to virustotal where it will actually get scanned.  Once the results appear, click on it to view the full report.

To gauge whether the detection is a false positive, look into the history of when the file was first submitted to virustotal.  It is difficult to quantify this into an exact number, but if the file was first submitted more than 3 months ago and there is only 1 to 3 AV engines currently detecting it, then there is a reasonable probability that it is a false positive.  I have seen cases of 7 different AV scanners flagging a file and it being confirmed later on as a false positive, although this is rare.

Different AV scanners sometimes use the same engines and so you can have 2 different AV products that both flag the file with the same detection, but in reality it is more like 1 AV product since they are both using the same method of identification. 

You can also sometimes get a true positive detection but it is for adware which is not as severe of a detection as other types of malware (trojans, rootkits, backdoors, etc.).  Look at the detection names to determine the nature of what is being detected.

Heuristic-based detections (typically indicated by the detection name) have a higher probability of being false positives, even when there are multiple AV engines detecting it.  In such cases re-submit the file the following day, the day after that, and the following week to see whether this changes.

Click on the Comments tab on VirusTotal to see what other people are saying about the file.  Often times these provide links to more detailed reports.  Likewise the  Behavioral information tab (if present) provides more technical information about the file behavior which if it shows the file making HTTP and DNS requests to questionable domain names is something that increases the likelihood of the file being malicious.

If you conclude that one of your processes is indeed malicious but your current AV product is not detecting it even with its heuristics set to maximum, you can try downloading a trial version of the AV product that detected it (assuming it is reputable) to see if it can clean up the infection for you.  Note that certain AV products will proceed to uninstall any existing AV products that are present on a computer, so make sure you have a backup copy of your license key and software before considering this.

Lastly, certain malware are known to purposely interfere with Process Explorer in order to make detection more difficult.  If Process Explorer fails to launch, generates error messages, becomes unresponsive, crashes, or causes your computer to BSOD, do consider this as indication that your computer may be infected.  A simple trick that sometimes works around this is to rename procexp64.exe to something different and launching the renamed version.