Register

Forgot Password

Site FAQ

Home > IT Answers > Security > Dissecting applications on a production server

NewnanIT

1,110 pts.

Dissecting applications on a production server

Antivirus software, Application security, Execute Format, Production Servers, Server Security

Several EXE files were installed on a production server. The AV did not detect them as viruses but we do not know what they do. We have copied them to a USB stick and deleted them and all references from production. How can we dissect the applications to see what they did or do?

Software/Hardware used:

ASKED: January 19, 2011 5:12 PM

UPDATED: January 21, 2011 2:29 PM

RELATED QUESTIONS

Answer Wiki:

There are a number of great Windows Sysinternals tools that will provide information about what files, registry keys and other objects processes have open, which DLLs they have loaded, and more and who owns each process - Process Explorer provides this information. You can get Process Explorer and other tools from the Microsoft Technet site: http://technet.microsoft.com/en-us/sysinternals/bb795535. Process Monitor will Monitor file system, Registry, process, thread and DLL activity in real-time. So you can find a spare machine or virtual machine and re-run the EXE files and use some of the above tools to monitor what those EXE are doing.

Last Wiki Answer Submitted: January 19, 2011 6:17 pm by Mortimer1

675 pts.

All Answer Wiki Contributors: Mortimer1

675 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: Jan 19, 2011 10:20 PM (GMT)

If you have nothing else, you can also open the .EXEs with Notepad and scan through it visually. Look for any names that you can read. The names may reference procedures and/or .DLLs that will give you some guidance. There can also be constants that sometimes give clues.

You don’t have to execute the programs — just look through them to see anything that catches your eye.

Tom

TomLiotta

107,695 pts.

POSTED: Jan 21, 2011 1:06 AM (GMT)

yes i have to agree with mortimer1 regarding using Process Monitor to dissec t application and re-run on spare machine for safeguard….

one suggestion if it requires…you can use Acronis 2010 True Image software which allows you to test run those applications that youve suspected…if applications seems to caused problem, acronis can disgard what was done and will not harm your system. a special feature called “try and decide”..

Rakei

3,260 pts.

POSTED: Jan 21, 2011 2:24 PM (GMT)

I agree on the suggestion to use tools from sysinternals.

Googling for the exact process/application name could also offer some hints.

carlosdl

63,535 pts.

POSTED: Jan 21, 2011 2:29 PM (GMT)

If you are going to run the program(s) on another machine, I would recommend installing some software firewall with outgoing connections monitoring capabilities that could inform if the application tries to connect to the outside.

You could also install some anti-spyware program which will inform if the application is trying to modify any system file.

carlosdl

63,535 pts.

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags