Windows Incident Response Troubleshooting

Special case

For known malware that the popular-threat disposal engine can detect and remove, such as the "Driver Life" mining Trojan and WannaMine, try a quick scan if the full scan fails to clean it. The reason is that the file-scanning engine and the popular-threat engine run in parallel; on a host with limited performance the popular-threat engine can time out during a full scan, so the full scan fails to remove the malware even though the engine knows it.

How to locate a running malicious process

The virus exists only as a running process

The EDR does not scan running processes separately, so when the virus exists only in process memory on the host and no longer as a file, the file scan cannot detect or remove it. In that case the malicious process has to be found and terminated. The fastest way is to restart the host, but in some cases the host cannot be restarted, so tools are needed to locate the process and kill it.

When the network side keeps reporting that the host is accessing malicious domain names or IPs, you can use a memory search tool to scan process memory on the host for the domain string and find the malicious process. Note that the clipboard, remote-control software, antivirus software and similar tools may also hold the string, because the domain name was copied or scanned, so those hits must be excluded.
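The memory search described above, as an added PowerShell example that is not part of the original article and does not use the Sangfor tool: it walks every readable committed region of each process with VirtualQueryEx/ReadProcessMemory, looks for the domain string in both ASCII and UTF-16LE, and marks processes that are usual sources of false positives. The domain, the noise list and the 64 MB region cap are assumptions. Run it from 64-bit PowerShell as Administrator; processes it cannot open are skipped.

```powershell
# Added example (not part of the original article): scan the readable memory of every
# process for a domain string, the same check the "threat search" tool performs.
# Run from 64-bit PowerShell as Administrator; processes that cannot be opened
# (protected processes, other sessions) are skipped. The domain and the noise list
# below are assumptions, not indicators from the article.
param([string]$Needle = 'malicious.example.com')

Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MBI {          // MEMORY_BASIC_INFORMATION (x86 and x64 layouts both match)
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll")] public static extern int VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, int len);
[DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out int read);
'@

$MEM_COMMIT = 0x1000; $PAGE_NOACCESS = 0x01; $PAGE_GUARD = 0x100
$access = 0x0400 -bor 0x0010                      # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
$mbiSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Win32.Mem+MBI])

function Search-ProcessMemory {
    # Returns the number of memory regions containing $Needle (ASCII or UTF-16LE),
    # or $null when the process cannot be opened.
    param([int]$ProcessId, [string]$Needle)
    $h = [Win32.Mem]::OpenProcess($access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    $hits = 0
    try {
        $addr = [IntPtr]::Zero
        $mbi = [Win32.Mem+MBI]::new()
        while ([Win32.Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -eq $mbiSize) {
            $size = $mbi.RegionSize.ToInt64()
            $readable = ($mbi.State -eq $MEM_COMMIT) -and
                        (($mbi.Protect -band ($PAGE_NOACCESS -bor $PAGE_GUARD)) -eq 0)
            if ($readable -and $size -le 64MB) {      # skip giant mappings to bound memory use
                $buf = New-Object byte[] $size
                $read = 0
                if ([Win32.Mem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, [int]$size, [ref]$read) -and $read -gt 0) {
                    foreach ($enc in @([System.Text.Encoding]::ASCII, [System.Text.Encoding]::Unicode)) {
                        $text = $enc.GetString($buf, 0, $read)
                        if ($text.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { $hits++; break }
                    }
                }
            }
            $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $size)
        }
    } finally { [void][Win32.Mem]::CloseHandle($h) }
    return $hits
}

# Processes that legitimately hold copied or scanned strings (clipboard sharing,
# remote-control tools, AV agents); assumed list, adjust for the host.
$noise = 'vmtoolsd', 'rdpclip', 'mstsc', 'TeamViewer', 'MsMpEng'

$results = foreach ($p in Get-Process | Where-Object Id -ne $PID) {   # skip ourselves: our own memory holds $Needle
    $n = Search-ProcessMemory -ProcessId $p.Id -Needle $Needle
    if ($n -gt 0) {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Regions = $n
                           Path = $p.Path; LikelyNoise = ($noise -contains $p.ProcessName) }
    }
}
$results | Sort-Object LikelyNoise, Name | Format-Table -AutoSize
```

Hits in rows marked LikelyNoise are the clipboard and AV cases the text warns about; the remaining rows are the candidates to examine. Treat a hit in svchost.exe, sqlservr.exe or another host process as a pointer to the service or job it hosts rather than as the answer by itself.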

Example

Using the botnet tool, click "Threat Search":

Botnet tool download address: Sangfor EDR

Enter the domain name string to search for and click "Search":

After a while you get the list of processes whose memory contains the domain name. vmtoolsd.exe contains the string because of its clipboard-sharing function; the two svchost.exe processes are the more suspicious ones:

How do you tell which svchost.exe is really the problem? Use Process Hacker to view the process information: find the process by PID, right-click - Services, and you can see the services hosted by that process. The services hosted by svchost.exe with PID 1140 do not look suspicious:

Among the services hosted by svchost.exe with PID 904 there is a fastuserswitchingcompatibility service, which is suspicious, so click "Go to service" to view the service information:

The service description is also very odd; right-click - Properties to view the service details:

You can see that the Service DLL is a .jpg file, which is highly suspicious. Extract the file and check whether it is a virus file the scanner missed:

Scheduled task troubleshooting

Using the Autoruns tool you can view the scheduled tasks created on the host and the full command each one runs. Scheduled tasks that execute PowerShell or cmd commands, or whose commands contain unfamiliar domain names, IP addresses or encoded data, are highly suspicious:

Or the task name is suspicious and the path of the executed file is suspicious:

Malicious scheduled tasks can be exported from Task Scheduler and saved, which makes it easier to analyze the virus's behavior later:

Service troubleshooting

Judging malicious services is relatively difficult, because malicious services often disguise themselves with service names that look normal, so this relies more on experience. For example, WannaMine's service name is spliced together from a fixed word list. For Trojans that have already been analyzed, you can find malicious services by checking whether the program behind the service is suspicious.

For example, the fastuserswitchingcompatibility service in the figure below:

The service's program turns out to be a .jpg file, which is highly suspicious. After extracting and analyzing the file, it turns out to be a Trojan:

If you cannot judge directly from the service name, you can find the service through a known malicious process. As shown in the figure, svchost.exe with PID 904 is a suspicious process. Right-click - Services to view the services hosted by the process. The name fastuserswitchingcompatibility looks odd, so click "Go to service" to view the service information:

The service description is also very odd; right-click - Properties to view the service details:

You can see that the Service DLL (the DLL file that implements the service) is a .jpg file, which is highly suspicious. Extract the file and check whether it is a virus file the scanner missed:
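The PID-to-service-to-ServiceDll lookup done by hand in Process Hacker above, and in the earlier svchost.exe walkthrough, as an added PowerShell example that is not part of the original article: it reads the services hosted by a svchost.exe PID from WMI, resolves each one's ServiceDll from the registry, and flags DLL paths that do not end in .dll, live outside System32, are missing, or are not validly signed. PID 904 is only the value from the walkthrough; the default of 0 checks every svchost.exe. Run as Administrator.

```powershell
# Added example (not part of the original article): map a svchost.exe PID to the
# services it hosts and the ServiceDll each loads, flagging DLL paths that do not end
# in .dll, live outside %SystemRoot%\System32, are missing, or are unsigned.
# Pass the PID from the memory search (904 in the walkthrough) or 0 for every svchost.exe.
param([int]$ProcessId = 0)

function Get-HostedServiceDll {
    param([int]$ProcessId)
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" | ForEach-Object {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        # Hosted services register their DLL under Parameters\ServiceDll (a few use the root key).
        $dll = (Get-ItemProperty "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll }
        $reasons = @()
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if ([IO.Path]::GetExtension($path) -ne '.dll') { $reasons += 'non-DLL extension' }
            if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'outside System32' }
            if (-not (Test-Path -LiteralPath $path)) { $reasons += 'file missing' }
            elseif ((Get-AuthenticodeSignature -LiteralPath $path).Status -ne 'Valid') { $reasons += 'not validly signed' }
        } else {
            $path = $null; $reasons += 'no ServiceDll value'
        }
        [pscustomobject]@{
            PID = $ProcessId; Service = $_.Name; DisplayName = $_.DisplayName
            StartMode = $_.StartMode; Description = $_.Description
            ServiceDll = $path; Reasons = ($reasons -join ', ')
        }
    }
}

$pids = if ($ProcessId) { @($ProcessId) } else { (Get-Process svchost).Id }
$pids | ForEach-Object { Get-HostedServiceDll -ProcessId $_ } |
    Sort-Object { $_.Reasons -eq '' }, Service |
    Format-Table PID, Service, StartMode, ServiceDll, Reasons -AutoSize
```

The .jpg ServiceDll from the walkthrough would be reported with "non-DLL extension" and "not validly signed". A signature check alone is not proof of cleanliness, since stolen certificates exist, but an unsigned DLL loaded by a svchost.exe that also holds the malicious domain string is a strong lead. Copy the flagged file out with its hash before stopping the service, so the evidence survives any self-deletion.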

WMI troubleshooting

WMI event subscriptions are also a commonly used persistence mechanism for Trojans. You can view the WMI entries and their contents through the Autoruns tool. Judging WMI entries is similar to judging scheduled tasks: go by the name and by the content. For example, the WMI entry below has a very suspicious name and executes an encoded PowerShell command, which is certainly malicious:
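The scheduled-task and WMI checks described in the two sections above, as one added PowerShell example that is not part of the original article: it enumerates scheduled-task actions and the filters and consumers in root\subscription, runs both through the same heuristics the text lists (PowerShell or cmd launchers, encoded commands, domain names or IPs, executables in user-writable paths), and exports a task's XML the way the text does from Task Scheduler. The launcher list and path patterns are assumptions. Run as Administrator so root\subscription and every task are visible.

```powershell
# Added example (not part of the original article): enumerate scheduled-task actions
# and WMI event subscriptions and flag the traits the article describes: PowerShell or
# cmd launchers, encoded commands, domain names or IP addresses, and executables in
# user-writable paths. Run as Administrator so root\subscription and all tasks are visible.
function Test-SuspiciousCommand {
    # Returns the list of reasons a command line looks suspicious (empty = nothing found).
    param([string]$Command)
    $reasons = @()
    if (-not $Command) { return $reasons }
    if ($Command -match '(?i)\b(powershell|pwsh|cmd|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin)(\.exe)?\b') { $reasons += 'script or LOLBin launcher' }
    if ($Command -match '(?i)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded PowerShell' }
    if ($Command -match '(?i)https?://|\b\d{1,3}(\.\d{1,3}){3}\b') { $reasons += 'URL or IP address' }
    if ($Command -match '(?i)\\(Temp|AppData|ProgramData|Users\\Public)\\') { $reasons += 'user-writable path' }
    if ($Command -match '[A-Za-z0-9+/]{80,}={0,2}') { $reasons += 'long base64 blob' }
    return $reasons
}

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }           # COM-handler actions carry no command line
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            $reasons = Test-SuspiciousCommand $cmd
            if ($reasons) {
                [pscustomobject]@{
                    Task = $task.TaskPath + $task.TaskName; Author = $task.Author
                    State = $task.State; Command = $cmd; Reasons = ($reasons -join ', ')
                }
            }
        }
    }
}

function Export-TaskXml {
    # Save the task definition for offline analysis, as the article does from Task Scheduler.
    param([string]$TaskPath, [string]$TaskName, [string]$OutDir = '.')
    $xml = Export-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    $file = Join-Path $OutDir "$TaskName.xml"
    Set-Content -LiteralPath $file -Value $xml -Encoding Unicode
    $file
}

function Get-WmiPersistence {
    # Filters say when the subscription fires; consumers say what runs. Both are worth reading.
    $ns = 'root\subscription'
    foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Kind = 'Filter'; Name = $f.Name; Payload = $f.Query; Reasons = '' }
    }
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($c in $consumers) {
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{ Kind = $c.CimClass.CimClassName; Name = $c.Name; Payload = $payload
                           Reasons = ((Test-SuspiciousCommand $payload) -join ', ') }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
Get-WmiPersistence | Format-Table -AutoSize -Wrap
```

Decode a flagged -EncodedCommand value with [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)) before deciding; some management agents legitimately use it. A consumer with a suspicious payload is removed by deleting its __FilterToConsumerBinding, the consumer and the filter from root\subscription (Remove-CimInstance works for all three), which is what Autoruns does when you delete the entry.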

MBR troubleshooting

Rewriting the MBR is another persistence method, and it is harder to judge and to repair. If the infection persists after the other persistence locations have been checked and cleaned, use a tool to scan whether the MBR has been modified, and use a dedicated removal tool to clean it up.
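One way to do the "has the MBR been modified" check without a vendor tool, as an added PowerShell example that is not part of the original article: it reads the first sector of the boot disk, verifies the 0x55AA signature, hashes the 440 bytes of boot code so they can be compared with a baseline taken from a clean host on the same Windows build, and checks for the three error strings a stock Microsoft MBR carries. The baseline hash below is a placeholder, not a real reference. Run as Administrator.

```powershell
# Added example (not part of the original article): read the boot disk's first sector
# and check it against what a Microsoft MBR should look like and against a baseline
# hash taken from a clean host with the same Windows build. The baseline value below
# is a placeholder, not a real reference hash. Run as Administrator.
function Get-MbrInfo {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads must be sector aligned; FileStream's default 4 KB buffer is.
    $fs = [System.IO.FileStream]::new($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        if ($fs.Read($sector, 0, 512) -ne 512) { throw "short read from $Device" }
    } finally { $fs.Dispose() }

    $bootCode = [byte[]]$sector[0..439]           # bytes 0-439 are the executable boot code
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
    # A stock Windows MBR carries these three error strings in its boot code; a bootkit usually does not.
    $ascii = [System.Text.Encoding]::ASCII.GetString($bootCode)
    $stockStrings = @(@('Invalid partition table', 'Error loading operating system', 'Missing operating system') |
        Where-Object { $ascii.Contains($_) })
    $partitions = foreach ($i in 0..3) {          # four 16-byte entries starting at offset 446
        $e = [byte[]]$sector[(446 + 16 * $i)..(446 + 16 * $i + 15)]
        if ($e[4] -ne 0) {
            [pscustomobject]@{ Index = $i; Bootable = ($e[0] -eq 0x80); Type = ('0x{0:x2}' -f $e[4])
                               StartLba = [BitConverter]::ToUInt32($e, 8); Sectors = [BitConverter]::ToUInt32($e, 12) }
        }
    }
    [pscustomobject]@{
        ValidSignature   = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        BootCodeSha256   = $hash
        StockStringsSeen = $stockStrings.Count
        Partitions       = $partitions
        Raw              = $sector
    }
}

$baseline = '0000000000000000000000000000000000000000000000000000000000000000'   # placeholder: SHA-256 of boot code on a clean host
$mbr = Get-MbrInfo
$mbr | Select-Object ValidSignature, BootCodeSha256, StockStringsSeen | Format-List
$mbr.Partitions | Format-Table -AutoSize
[IO.File]::WriteAllBytes((Join-Path $PWD 'mbr.bin'), $mbr.Raw)        # keep a copy for offline analysis
if ($mbr.BootCodeSha256 -ne $baseline -or $mbr.StockStringsSeen -lt 3 -or -not $mbr.ValidSignature) {
    Write-Warning 'Boot sector differs from the expected Microsoft MBR; inspect mbr.bin before repairing.'
}
```

On a UEFI system with a GPT disk the sector holds a protective MBR (a single partition of type 0xee) whose boot code is never executed, so a bootkit there would live in the EFI system partition instead and this check does not apply. On a legacy-boot disk, a boot code hash that does not match the baseline and lacks the stock strings should be disassembled before repair; bootrec /fixmbr from the recovery environment rewrites the boot code, and the saved mbr.bin preserves the sample.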

SQL Server persistence troubleshooting

When the server accesses the malicious domain name from time to time but no startup item can be found with Autoruns, check SQL Server to confirm whether malicious code is persisted there.

The customer reported that the malicious domain name sql.4i7i.com was accessed as soon as the server restarted.

The threat intelligence for this domain is associated with a virus that attacks SQL Server, so it was suspected that the malicious code resided in SQL Server.

Autoruns was opened; no suspicious startup items were found.

Using threat search, the malicious domain string was found in the memory of sqlservr.exe.

Process Hacker was then used to search the memory of sqlservr.exe for the string sql.4i7i.com, and PowerShell code was found next to it, which basically confirms that malicious PowerShell code is persisted in SQL Server.

Open SQL Server Management Studio, expand SQL Server Agent --> Jobs, right-click the suspicious job and script it to a new query editor window.

The malicious PowerShell code can be found in that window. After deleting the malicious job test_powershell_job1, the server stops triggering alerts.
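The SQL Server Agent check from this case, as an added PowerShell example that is not part of the original article: it queries msdb for every job step and its command, flags steps that run PowerShell, OS-command procedures, encoded or downloaded payloads, or are scheduled to fire when the Agent starts (which is what "accessed as soon as the server restarts" points to), and then removes a confirmed job after saving its step text. The instance name and Windows authentication are assumptions; test_powershell_job1 is the job name from the case. It uses System.Data.SqlClient, which Windows PowerShell 5.1 has built in.

```powershell
# Added example (not part of the original article): list every SQL Server Agent job step
# with its command, flag steps that run PowerShell, OS-command procedures, encoded or
# downloaded payloads, or are scheduled to run when the Agent starts (which matches the
# "fires on every restart" symptom), then remove a confirmed job. The instance name and
# Windows authentication are assumptions; test_powershell_job1 is the job from the case.
function Invoke-MsdbQuery {
    param([string]$Instance, [string]$Sql)
    $conn = [System.Data.SqlClient.SqlConnection]::new("Server=$Instance;Database=msdb;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        $table = [System.Data.DataTable]::new()
        $table.Load($cmd.ExecuteReader())
        ,$table
    } finally { $conn.Close() }
}

function Get-SuspiciousAgentJob {
    param([string]$Instance = 'localhost')
    # freq_type 64 in sysschedules means "start automatically when SQL Server Agent starts".
    $sql = @"
SELECT j.name AS JobName, j.enabled, j.date_created, s.step_id, s.subsystem, s.command,
       (SELECT COUNT(*) FROM msdb.dbo.sysjobschedules js
          JOIN msdb.dbo.sysschedules sch ON sch.schedule_id = js.schedule_id
         WHERE js.job_id = j.job_id AND sch.freq_type = 64) AS agent_start_schedules
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.name, s.step_id;
"@
    foreach ($row in (Invoke-MsdbQuery -Instance $Instance -Sql $sql).Rows) {
        $command = [string]$row.command
        $reasons = @()
        if ($row.agent_start_schedules -gt 0) { $reasons += 'runs at Agent start' }
        if ($row.subsystem -eq 'PowerShell' -or $command -match '(?i)powershell|pwsh') { $reasons += 'PowerShell' }
        if ($command -match '(?i)xp_cmdshell|sp_OACreate|sp_configure') { $reasons += 'OS-command procedure' }
        if ($command -match '(?i)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|FromBase64String') { $reasons += 'encoded payload' }
        if ($command -match '(?i)https?://|DownloadString|DownloadFile|Invoke-WebRequest|\b\d{1,3}(\.\d{1,3}){3}\b') { $reasons += 'network fetch' }
        [pscustomobject]@{
            Job = $row.JobName; Enabled = [bool]$row.enabled; Created = $row.date_created
            Step = $row.step_id; Subsystem = $row.subsystem; Reasons = ($reasons -join ', '); Command = $command
        }
    }
}

function Remove-AgentJob {
    # Save the step text as evidence, disable the job so a schedule cannot re-fire, then delete it.
    param([string]$Instance = 'localhost', [Parameter(Mandatory)][string]$JobName)
    $safe = $JobName.Replace("'", "''")
    $evidence = Invoke-MsdbQuery -Instance $Instance -Sql "SELECT s.step_id, s.command FROM msdb.dbo.sysjobs j JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id WHERE j.name = N'$safe';"
    $evidence.Rows | Format-List | Out-File -LiteralPath "$JobName.steps.txt"
    [void](Invoke-MsdbQuery -Instance $Instance -Sql "EXEC msdb.dbo.sp_update_job @job_name = N'$safe', @enabled = 0;")
    [void](Invoke-MsdbQuery -Instance $Instance -Sql "EXEC msdb.dbo.sp_delete_job @job_name = N'$safe';")
}

Get-SuspiciousAgentJob | Where-Object Reasons | Format-Table Job, Enabled, Step, Subsystem, Reasons -AutoSize
# Remove-AgentJob -JobName 'test_powershell_job1'    # only after reading the step's command and confirming it is malicious
```

Agent jobs are not the only place code can hide in SQL Server: also check for startup stored procedures (sys.procedures with is_auto_executed set, or sp_procoption output), for xp_cmdshell being enabled, and for unexpected logins with sysadmin rights, since the same intrusion that planted the job usually came in through a weak sa password.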


Origin blog.csdn.net/jd_cx/article/details/126497514