Can Process Explorer stop malware infections -- not just detect them?

Sysinternals’ Process Explorer has always been used to detect malware infections, but that’s just the start of its advantages. Just running the program in the background might stop some threats installing in the first place.

This works because some malware tries to detect when it’s being watched. If it spots common monitoring tools running in the background it won’t drop the payload, making you think there’s nothing to worry about, and keeping the main package hidden just a little longer.

PaFish for Office Macro is an Office document which collects together some of these anti-forensic tricks. Your antivirus software might raise an alert if you download or open it, but it’s just because some of the code has these malware-like detection elements: there’s nothing in it that can harm you in any way.

If you’d rather not download it anyway, the key code looks like this.

    ' PaFish for Office Macro: look for analysis tools among the running tasks
    badTask = False
    badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")

    ' Application.Tasks enumerates the windows of running applications
    For Each Task In Application.Tasks
        For Each badTaskName In badTaskNames
            ' case-insensitive substring match against the window title
            If InStr(LCase(Task.Name), badTaskName) > 0 Then
                badTask = True
            End If
        Next
    Next

Essentially this looks through your currently-running applications for some popular monitoring or virtualization tools (a real threat could add many more), and allows the malware to take evasive action if anything turns up.
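The same pattern can be turned around and used for detection. The following is an added example, not code from the article or from PaFish: a small heuristic that scans extracted VBA macro text for a string list that is compared against `Application.Tasks`, the construct the PaFish macro uses. The two macro samples are constructed for this example, and the tool names beyond the article's list (procmon, ollydbg, x64dbg, sysmon) are assumptions of our own.

```python
"""Heuristic scan of VBA macro source for analysis-tool evasion.

Added example, not from the article or from PaFish. Given the VBA text of an
Office document (for instance as dumped by a macro extractor), it looks for
string arrays whose members are names of analysis or virtualization tools
and for enumeration of Application.Tasks, which together form the
PaFish-style "is someone watching?" check.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KNOWN_ANALYSIS_TOOLS = {
    # the names PaFish for Office Macro checks, as quoted in the article
    "vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview",
    "wireshark", "process explorer", "visual basic", "fiddler",
    # assumed additions for this example, not taken from the article
    "procmon", "ollydbg", "x64dbg", "sysmon",
}

# Array("a", "b", ...) literal. The body match stops at the first ')', so
# nested calls inside an Array(...) are not handled by this simple scanner.
ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE)
STRING_RE = re.compile(r'"([^"]*)"')
# Walking Application.Tasks is the signal that a string list is being
# compared with the titles of running applications.
TASKS_RE = re.compile(r"Application\.Tasks", re.IGNORECASE)
LCASE_RE = re.compile(r"InStr\s*\(\s*LCase\s*\(", re.IGNORECASE)


def normalise(vba: str) -> str:
    """Replace curly quotes (common in copy-pasted macro text) with straight ones."""
    return vba.replace("\u201c", '"').replace("\u201d", '"')


def extract_string_arrays(vba: str) -> list[list[str]]:
    """Return the string literals of every Array(...) call in the source."""
    text = normalise(vba)
    return [STRING_RE.findall(body) for body in ARRAY_RE.findall(text)]


@dataclass
class ScanResult:
    enumerates_tasks: bool
    case_insensitive_compare: bool
    tool_names: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single tool name in some array could be coincidence; a task walk
        # plus two or more known analysis-tool names is the PaFish pattern.
        return self.enumerates_tasks and len(self.tool_names) >= 2


def scan_macro(vba: str) -> ScanResult:
    """Scan one macro's source text and report what evasion indicators it has."""
    text = normalise(vba)
    found: list[str] = []
    for strings in extract_string_arrays(text):
        for s in strings:
            name = s.strip().lower()
            if name in KNOWN_ANALYSIS_TOOLS and name not in found:
                found.append(name)
    return ScanResult(
        enumerates_tasks=bool(TASKS_RE.search(text)),
        case_insensitive_compare=bool(LCASE_RE.search(text)),
        tool_names=found,
    )


# Constructed sample: the PaFish-style check quoted in the article.
SAMPLE_EVASIVE = '''
badTask = False
badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "visual basic", "fiddler")
For Each Task In Application.Tasks
    For Each badTaskName In badTaskNames
        If InStr(LCase(Task.Name), badTaskName) > 0 Then
            badTask = True
        End If
    Next
Next
'''

# Constructed benign sample: a string array with no task enumeration.
SAMPLE_BENIGN = '''
sheets = Array("Sales", "Costs", "Summary")
For Each s In sheets
    Worksheets(s).Calculate
Next
'''

if __name__ == "__main__":
    for label, src in (("evasive", SAMPLE_EVASIVE), ("benign", SAMPLE_BENIGN)):
        r = scan_macro(src)
        print(label, "suspicious=%s" % r.suspicious, r.tool_names)
```

The `suspicious` rule deliberately requires both the task enumeration and at least two matching names, so a document that merely mentions "vmware" in a list of sheet names is not flagged; the scanner is a triage aid for macro text you have already extracted, not a replacement for sandbox detonation.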

This is a smart technique, but it also means you might give yourself a little extra protection simply by running Process Explorer, TCPView and maybe similar tools in the background. If you run malware that checks for this, it may decide to stay hidden and not infect your system.

How effective could this be? Not very, we’d guess -- it’s just another trick to keep one or two threats away. But malware which uses this kind of sophisticated anti-forensic approach is probably also hiding an unusually dangerous payload, and any extra protection you can get should be welcome.

Process Explorer is a free application for Windows 7 and later.
