Dissecting applications on a production server

1110 pts.
Tags:
Antivirus software
Application security
Execute Format
Production Servers
Server Security
Several EXE files were installed on a production server. The AV did not detect them as viruses but we do not know what they do. We have copied them to a USB stick and deleted them and all references from production. How can we dissect the applications to see what they did or do?

Answer Wiki

Thanks. We'll let you know when a new response is added.

There are a number of great Windows Sysinternals tools that will provide information about what files, registry keys and other objects processes have open, which DLLs they have loaded, and more and who owns each process – Process Explorer provides this information. You can get Process Explorer and other tools from the Microsoft Technet site: http://technet.microsoft.com/en-us/sysinternals/bb795535. Process Monitor will Monitor file system, Registry, process, thread and DLL activity in real-time. So you can find a spare machine or virtual machine and re-run the EXE files and use some of the above tools to monitor what those EXE are doing.

Discuss This Question: 4  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    If you have nothing else, you can also open the .EXEs with Notepad and scan through it visually. Look for any names that you can read. The names may reference procedures and/or .DLLs that will give you some guidance. There can also be constants that sometimes give clues. You don't have to execute the programs -- just look through them to see anything that catches your eye. Tom
    125,585 pointsBadges:
    report
  • Rakei
    yes i have to agree with mortimer1 regarding using Process Monitor to dissec t application and re-run on spare machine for safeguard.... one suggestion if it requires...you can use Acronis 2010 True Image software which allows you to test run those applications that youve suspected...if applications seems to caused problem, acronis can disgard what was done and will not harm your system. a special feature called "try and decide"..
    3,260 pointsBadges:
    report
  • carlosdl
    I agree on the suggestion to use tools from sysinternals. Googling for the exact process/application name could also offer some hints.
    69,510 pointsBadges:
    report
  • carlosdl
    If you are going to run the program(s) on another machine, I would recommend installing some software firewall with outgoing connections monitoring capabilities that could inform if the application tries to connect to the outside. You could also install some anti-spyware program which will inform if the application is trying to modify any system file.
    69,510 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following