Mandiant Redline uncovers malware other apps won't
If your PC gets attacked by some previously discovered specimen of malware then it’s relatively easy to spot. Your antivirus package will scan the new file on access, realize there’s a match for something in its virus database, and the threat will be quarantined immediately, before any real damage can be done.
If you’re attacked by some brand new specimen, though, it’s a very different story. Every antivirus package claims it can also detect new threats by behavior alone, but this is vastly more difficult: there’s a good chance that it’ll be missed. And so if you think your system might have been compromised, then it’s a good idea to get a little third-party scanning help from the free Mandiant Redline.
The program works by carrying out an extremely thorough low-level scan covering every aspect of your PC. This can take a very long time (it required more than 30 minutes on our test PC), although you can keep this down a little by closing all non-essential programs before you start. But when it’s finished the program will create an MRI (Malware Risk Index) score for everything running on your system, which highlights the risk that a particular process is malware.
It’s important not to expect too much from this. Redline works by applying very simple rules -- looking at executable files which aren’t signed and verified, for instance -- and so this inevitably creates a lot of false alarms. On our test PC, for instance, iTunesHelper.exe received a malware risk index of 93. There was actually a solid reason for this -- another application had inserted a DLL into its address space -- but we still knew the process wasn’t a threat. And it’ll be the same on your PC. The MRI scores provide a place to start looking for possibly malicious processes, but they’re not actually proof of anything in themselves; a high MRI doesn’t mean you’re infected.
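To make the point concrete, here is an added example (not Redline’s code, and not its real rules or weights, which this article does not describe) of a rule-based risk score of the kind described above, run over constructed process records. The weights, field names and the sample processes are assumptions; the iTunesHelper record mirrors the signed-but-injected case the review observed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class ProcessRecord:
    name: str
    signed: bool                              # image signature present and verified
    injected_modules: List[str] = field(default_factory=list)  # DLLs not loaded by the image itself
    remote_connections: int = 0               # established connections to non-local hosts
    hooks: int = 0                            # system hooks installed by the process

# Constructed weights for illustration only; Redline's actual rules and weights are not on this page.
WEIGHTS = {"unsigned": 40, "injected_module": 45, "remote_connection": 5, "hook": 5}

def risk_score(proc: ProcessRecord) -> Tuple[int, List[str]]:
    """Return a 0-100 heuristic score plus the rule hits that produced it.

    Every hit is recorded so an analyst can see *why* a process scored high;
    the number alone is a triage hint, not evidence of infection."""
    hits: List[str] = []
    if not proc.signed:
        hits.append("unsigned")
    hits.extend(f"injected_module:{m}" for m in proc.injected_modules)
    hits.extend(["remote_connection"] * proc.remote_connections)
    hits.extend(["hook"] * proc.hooks)
    score = sum(WEIGHTS[h.split(":", 1)[0]] for h in hits)
    return min(score, 100), hits

def triage(procs: List[ProcessRecord], threshold: int = 50):
    """Rank processes by score; anything at or above threshold is a starting point for review."""
    scored = [(p.name, *risk_score(p)) for p in procs]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [t for t in scored if t[1] >= threshold]

# Constructed sample records (hypothetical hosts and module names).
SAMPLE = [
    ProcessRecord("explorer.exe", signed=True),
    # Signed vendor helper with a third-party DLL injected by another app: scores high, yet benign.
    ProcessRecord("iTunesHelper.exe", signed=True,
                  injected_modules=["thirdparty_overlay.dll"], remote_connections=1),
    ProcessRecord("updater.exe", signed=False,
                  injected_modules=["x.dll"], remote_connections=3, hooks=2),
]

if __name__ == "__main__":
    for name, score, hits in triage(SAMPLE):
        print(f"{name:<20} MRI-style score {score:>3}  hits={hits}")
```

The signed helper lands on the review list purely because of the injected module, which is exactly the kind of hit an analyst has to confirm by hand before treating it as malicious.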
If you’re an expert Windows user, then, the real value of Redline isn’t in the MRI scores; it’s in the in-depth system information that’s provided along with them.
For each target process, for instance, you can browse its handles (Files, Directories, Processes, Registry Keys, Semaphore, Mutant, Event or Section; they’re all here). There’s an in-depth memory map. You can view strings within each process space (as long as you chose to collect them initially), and see any network connections it has open.
And multiple “Investigative Steps” give you a more general view across your system. You can browse system hooks to try to detect rootkits, for instance. There’s an option to view low-level details on your installed drivers. And there are pages on your network ports and connections, memory sections and loaded DLLs, untrusted handles and a whole lot more.
None of this is exactly beginner-friendly, of course; Redline is oriented squarely at security professionals. If you know what you’re doing, though, there’s plenty of useful information to be found here, and the program really can help you to uncover even the very latest, previously undiscovered malware.