Freeware Analysis tools
This is more of a general catch-all category for security tools. Most of them are used as diagnostic tools by knowledgeable users to check the overall health of the system.
Autostart and other listers
This class of software enumerates registry entries, startup folders, system files and other sensitive system areas that are often modified by malware, also sometimes called hijack points. Technically, while autostart entries are by definition common hijack points for malware (malware needs to find some way to start), tools used for inspecting the machine for malware might also look at other areas that do not really count as autostart entries (e.g. the Hosts file).
You can see some of this distinction in some of the earlier and simpler autostart control utilities (see "Basic"), which monitor only well known and common registry areas and nothing else. They are more commonly used to remove safe but irritating entries added by legitimate programs that want to autostart with your computer, rather than for malware inspection.
Basic
- Application Paths 2000 - http://www.gregorybraun.com/AppPaths.html
- Autostart and Process Viewer (APV) - http://www.konradp.com/products/autostart-and-process-viewer/
- CodeStuff Starter - http://members.lycos.co.uk/codestuff/ (down July 07?) - alternative download
- Cyberlion Startup Optimizer - http://cyberlion.info/index.htm
- Deskanker - http://www.clearidea.us/deskanker/
- DoWinStartup - http://www.freewarepages.com/download.php?aid=348 (down July 07)
- FreeFixer - http://www.freefixer.com/download.html
- MiTeC Startup Explorer 2.0 - http://www.mitec.cz/systools.htm (down July 07), alternative download
- Msconfig - http://www.3feetunder.com/krick/startup/
- Quick Startup - http://www.glarysoft.com/quick-startup/
- SilentNight Startup Manager - http://www.silentnight2004.com/freeware.html
- StartDreck - http://www.niksoft.at/download/startdreck.htm
- Startup Control Panel - http://www.mlin.net/StartupCPL.shtml
- Startup Manager - http://www.pc-magazin.de/common/dtt/download.php?areaid=59&fileid=1487&PHPSESSID=8040f2ed3267eba3443210c88ce561d6
- StartupRun - http://www.nirsoft.net/utils/strun.html
- Startup Application Manager - http://homepages.paradise.net.nz/amorgan1/index.htm
- Startup Inspector - http://www.windowsstartup.com/startupinspector.php
- SIW System Information Windows - http://www.gtopala.com
- With this tool you can track three important areas of your PC: the software, hardware and network components attached to it (System Information for Windows).
Advanced
- AutoRuns - http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
- Autostart Explorer - http://www.misec.net/products/autostartexplorer/
- Autostart Viewer - http://www.diamondcs.com.au/index.php?page=asviewer (down?), alternative download
- a-squared HiJackFree - http://www.hijackfree.com/en/
- HijackThis! - http://www.spywareinfo.com/~merijn/programs.php#hijackthis , Trend Micro version
- RunAlyzer (betaware) - http://spybot.safer-networking.de/en/runalyzer/index.html
- RegRun Light - http://www.greatis.com/regrun.htm
- RunScanner - http://www.runscanner.net/
- Silent Runners - http://www.silentrunners.org/
- SpyHolesList - http://www.greatis.com/security/spyholeslist.htm
- StartupList v2 - http://www.spywareinfo.com/~merijn/programs.php#startuplist
- StartupList v1 - http://www.castlecops.com/downloads-file-516-details-StartupList.html
- SystemScan - http://www.suspectfile.com/systemscan_guide.php
- WinPFind - http://download.bleepingcomputer.com/oldtimer/winpfind.exe
- See also Process listers below and various Lists of freeware behavior blockers, Lists of freeware antirootkit and Lists of freeware antispyware that list registry entries.
Among the more advanced utilities, HijackThis! is by far the most popular and is used throughout the net on forums as a diagnosis aid to remove malware. There are however two major versions in use: the original 1.99.1 version and the versions from 2.0 onward, after it was sold to Trend Micro. Both are freeware.
Another tool is Silent Runners, which is just a simple script to check various hijack points. Other utilities that are still in development include a-squared HiJackFree, RunAlyzer by Spybot, RunScanner and Sysinternals Autoruns.
These tools have many advanced features and typically check not just common autostart entries but also obscure, seldom used areas which are exploited almost solely by malware. Decision making is made easier by filtering out signed entries (Microsoft or not), automated checks against online/offline databases of safe/dangerous entries, and allowing unusual entries to be easily googled. Some, like RunScanner, go beyond merely listing autostart entries and also provide process enumeration and multiple process termination methods, even though strictly speaking this is not really the province of such tools. However, such features are usually handy to have.
Note: there are a very large number of "hijack points"; see for example Tony Klein's autostart list and Grimes's "Where malware hides".
Lists of autostart locations
- Roger Grimes's Where Malware hides - http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html
- Silent Runner's Launch point - http://www.silentrunners.org/sr_launchpoints.html
- Tony Klein's list at Gladiator forum - http://gladiator-antivirus.com/forum/index.php?showtopic=24610
- Greatis's Startup order list - http://www.greatis.com/security/startuporder.htm#9X
- Comparison of autostart locations of registry monitors - http://www.wilderssecurity.com/showthread.php?t=32823 - outdated
- R2 comparison - http://www.dslreports.com/forum/remark,6721512~days=9999~start=80 plus origin discussion http://www.dslreports.com/forum/remark,6686853~root=security,1~mode=flat
Process Listers
- Process Revealer - http://www.logixoft.com/process-revealer-free-edition.html
- Another Task Manager - http://www.betasoluzioni.com/users/atm/higheng.html
- Advanced Process Manipulation - http://www.diamondcs.com.au/index.php?page=apm (down July 07), Alternative download
- CurrProcess - http://www.nirsoft.net/utils/cprocess.html
- Prcview - http://www.teamcti.com/pview/prcview.htm
- Process Explorer - http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
- Process Patrol - http://www.majorgeeks.com/Process_Patrol_d4409.html
- Process Scanner - http://www.processlibrary.com/processscan/
- myProcMan - http://www.trsecurity.net/myprocman/
- ProcX - http://www.ghostsecurity.com/procx/
- Security Process Explorer - http://www.glarysoft.com/spe.html
- Sysinternals Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
- TaskMan+ - http://www.diamondcs.com.au/index.php?page=taskman (down July 07), alternative download
- What's Running - http://www.whatsrunning.net/whatsrunning/main.aspx
- Window Watcher - http://www.karenware.com/powertools/ptwinwatch.asp
- See also Lists of freeware antirootkit like Icesword and GMER
The built-in Task Manager in Windows is widely acknowledged to be inadequate for everyday use, much less for power users using it for analysis purposes. Fortunately, there are many capable replacements that can take the place of Task Manager. They typically provide more information, particularly a column with the full paths of the processes. Some, like ProcX, are lightweight enough to replace Task Manager. Perhaps the big brother of them all is Process Explorer, formerly from Sysinternals, which provides pretty much every piece of information and every feature you might desire. However, it might not be suitable for everyday use because of information overload. The ultimate real-time analysis setup would probably be to combine it with Process Monitor by the same company; it combines Filemon and Regmon and shows real-time file system, registry and process/thread activity.
Unfortunately, many rootkits are able to evade even such advanced tools (though a keen-eyed analyst might spot discrepancies that give the game away). This is where many anti-rootkits such as IceSword, DarkSpy, GMER and Rootkit Unhooker (see Lists of freeware antirootkit) come in. They also provide a task manager-like function, but have a better chance of getting past rootkit shielding to display even hidden processes. Some will even indicate which processes are being hidden by rootkits. Similarly, many provide autostart listings, port mapping functions etc.
File analyzers / API Monitors
- FileAlyzer - http://www.safer-networking.org/en/filealyzer/index.html
- MANDIANT Red Curtain - http://www.mandiant.com/mrc
- Spy Studio - http://www.nektra.com/products/spystudio/
These allow advanced users to study files. MANDIANT Red Curtain looks at six categories of information to calculate a threat score, including entropy, digital signatures and the presence of specific packers. In addition, the tool identifies executable files that appear to have been modified, files with an excessive number of imports, and those with various combinations of section permissions that indicate whether they can be read, written or contain executable code.
File/registry logging
- FileMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx
- RegMon (legacy support for Win98) - http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
- Sysinternals Process Monitor - http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx
Use these tools to monitor, in real time, the file and registry changes made by processes.
Port Mappers
- Active Ports - http://www.protect-me.com/freeware.html
- CurrPorts - http://www.nirsoft.net/utils/cports.html
- OpenPorts (DiamondCS) - http://www.diamondcs.com.au/openports/ (down July 07) alternative download
- Open Ports - http://www.jasons-toolbox.com/programs.asp?Program=Open%20Ports
- TCPView - http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
- See also Lists of freeware antirootkit like Icesword.
These tools improve on the built-in netstat command by providing real-time monitoring of the ports on your system. They also map processes to ports, so you can see which processes are sending packets on which ports. Many, but not all, firewalls also provide similar functions for information purposes.
Port scanners
- Blue's Port Scanner - http://www.bluebitter.de/portscn2.htm
- Fport - http://www.foundstone.com/us/resources/proddesc/fport.htm
- Nessus - http://www.nessus.org/
- Nmap - http://insecure.org/nmap/index.html
- SuperScan v4.0 - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm (down July 07)
- YAPS - http://www.steelbytes.com/?mid=19
- Windows UDP Port Scanner - http://ntsecurity.nu/toolbox/wups/
It is a mistake to assume that automated port scans like ShieldsUp! are all you need to test your defenses. Ideally, a manual port scan using a tool like Nmap gives a more thorough check of your security.
ARP watch
- AdapterWatch - http://www.nirsoft.net/utils/awatch.html
- Winarpwatch - http://sid.rstack.org/arp-sk/
- XArp - http://www.chrismc.de/#
Defenses against ARP spoofing.
Packet Sniffers
- PacketMon - http://www.analogx.com/contents/download/network/pmon.htm
- Wireshark - http://www.wireshark.org/
- WinDump - http://www.winpcap.org/windump/
NTFS ADS scanners
- Ads Spy - http://www.merijn.org/programs.php#adsspy
- Crucial ADS - http://crucialsecurity.com/products/index.html (only available via email request)
- LADS - http://www.heysoft.de/nt/ep-lads.htm
- NTFS Streams Eraser - http://www.excessive-software.eu.tt/
- Streams v1.53 - http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx
Search your computer for Alternate Data Streams (ADS). Some antivirus and antispyware products already do this, but not all.
Process killers & file unlockers
- Advanced Process Termination - http://www.diamondcs.com.au/index.php?page=apt (down July 07) alternative download
- FileASSASSIN - http://www.malwarebytes.org/fileassassin.php
- KillBox - http://www.bleepingcomputer.com/files/killbox.php
- Simple process termination - http://www.syssafety.com/leaktests.html
- Unlocker - http://ccollomb.free.fr/unlocker/
Many malware processes are extremely difficult to kill; the tools in this category use various different methods to terminate processes and/or delete locked files. Many anti-rootkits such as IceSword (see Lists of freeware antirootkit) are also capable of killing normally unkillable processes, owing to their access to the kernel.
ActiveX/BHO/Toolbar/LSP listers (obsolete with XP SP2)
- ActiveXHelper - http://www.nirsoft.net/utils/axhelper.html
- Active XCavator v2.0 - http://www.cognitronix.com/index.html#A1
- BHOCaptor - http://www.snapfiles.com/get/bho.html
- BHODemon - http://www.definitivesolutions.com/bhodemon.htm
- BHOlist - http://www.spywareinfo.com/~merijn/programs.php#bholist
- ToolbarCop - http://windowsxp.mvps.org/toolbarcop.htm
This group of tools is used to manage toolbars, BHOs and ActiveX controls in Internet Explorer. They are somewhat obsolete today, since Internet Explorer provides built-in methods to do the same. Moreover, many startup listers and antispyware tools list or monitor these entries as well.
URL Discombobulator
- URL Discombobulator v1.9 - http://www.karenware.com/powertools/ptlookup.asp
[]
- ListDrivers - http://ntsecurity.nu/toolbox/listdrivers/
- Loadorder - http://ccollomb.free.fr/unlocker/
- ServiWin Services/Drivers Manager - http://www.nirsoft.net/utils/serviwin.html
- See also Lists of freeware antirootkit like Icesword and GMER
[]
- ShareEnum v1.6 - http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx
- SHAREMON - http://members.fortunecity.com/sektorsecurity/projects/sharemon.html
End user license agreement (EULA) analyzers
- EULAlyzer - http://www.javacoolsoftware.com/eulalyzer.html
- EULA Analyzer (browser based service/beta) - http://www.spywareguide.com/analyze/index.php
Cut and paste a EULA into the program and it will highlight suspicious phrases.
Listing of dangerous sites
- Badware.org - http://stopbadware.org/ (no plugin just listing)
- Finjan SecureBrowsing - http://securebrowsing.finjan.com/index.html
- Haute Secure (betaware)- http://www.hautesecure.com/howitworks.aspx (Includes elements of HIPS with sandboxing and behavior analysis).
- Linkscanner (free software available also for Internet explorer and firefox) - http://linkscanner.explabs.com/linkscanner/default.asp
- Robot Genius RGguard - http://www.robotgenius.net/technology/rgguard.jsp
- Scandoo - http://www.scandoo.com/config.do
- Siteadvisor (available via firefox extension) - http://www.siteadvisor.com/
- Sitehound - http://www.firetrust.com/firetrustsitehound.html
- TrendProtect™ Beta Overview - http://www.trendsecure.com/portal/en-US/free_security_tools/trendprotect.php
- Web Security Guard - http://www.websecurityguard.com/
- See also Lists_of_freeware_antiphishing
Tools in this category are typically browser add-ons (for both Internet Explorer and Firefox). Somewhat related to anti-phishing tools, they typically overlay search results from common search engines (e.g. Google, Yahoo) with information about how trustworthy or dangerous the site is, allowing the user to be forewarned before clicking the link. In addition, most will also prompt a warning if you enter a URL that the tool considers dangerous (not available in the freeware versions of some).
Note that each tool has a slightly different definition of what counts as dangerous or untrustworthy and targets a slightly different class of threats. They include:
(1) Websites that offer spyware and other malware executables for download - most common (Siteadvisor, RGguard)
(2) Websites that use exploits (Linkscanner)
(3) Websites that are phishing (most in this list don't cover these; see anti-phishing tools)
(4) Websites that provide fraudulent services (Sitehound claims to warn about "Misleading or False Advertising")
There are several ways to determine whether a site is bad: some scan the code on the page dynamically in real time (Finjan SecureBrowsing), others rely on prescanned results (Siteadvisor), others rely on other measures of trustworthiness, so-called reputation systems (TrendProtect), and yet others supplement all this with community analysis, where human users provide feedback and comments on the ratings provided.
Listing of file hashes/names/processes/startups/CLSIDs
- Castlecops list - http://hashes.castlecops.com/ Note: Castlecops has other research databases, see CastleCops#Research_Databases
- FileAdvisor - http://fileadvisor.bit9.com/services/search.aspx - FileAdvisor client utility available
- Hijackthis.de - http://filedb.hijackthis.eu/
- Prevx1 - http://fileinfo.prevx.com/filesearch.asp
- ProcessLibrary - http://www.processlibrary.com/about/
- Runscanner list - http://www.runscanner.net/listMD5.aspx
- Spyandseek - http://www.spyandseek.com/
- NSRL list - http://www.nsrl.nist.gov/Downloads.htm
- Sysinfo.org - http://sysinfo.org/
Installation monitors
- FileMap by BB (file only) - http://www.dogkennels.net/filemap/
- InCtrl5 - http://www.devhood.com/tools/tool_details.aspx?tool_id=432
- Installspy - http://www.2brightsparks.com/freeware/
- Installwatch - http://www.epsilonsquared.com/
- Look@win - http://digilander.libero.it/zancart/lookwin.html
- Total uninstaller - http://www.aplusfreeware.com/categories/util/uninst.html
- ZSoft Uninstaller - http://www.zsoft.dk/ alternative download
- See also Lists of freeware virtualization
Tools that monitor software installs by comparing the differences between the pre-install and post-install states of the folders and registry. The idea here is that many uninstallers don't do a good job of removing every trace, hence the use of these installation monitors.
Script decoders
- VBScript Decoder - http://shockley.net/apps.asp
Patch checkers
- Secunia Software Inspector - http://secunia.com/software_inspector
- Secunia Personal Software Inspector (betaware) - https://psi.secunia.com/
- Microsoft Baseline Security Analyzer (MBSA) - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Microsoft Baseline Security Analyzer (MBSA) only checks for Microsoft-related patches. Secunia Software Inspector is an online service that checks not just Microsoft software for security patches but also many other common applications like Firefox, Opera, Java, Flash, media players and IM clients (see its list). Secunia Personal Software Inspector runs locally on your computer like MBSA, but checks a much larger list of applications than the other two.
Other mass software update checkers
- Appsnap - http://appsnap.genotrance.com/
- File Hippo Update Checker - http://www.filehippo.com/updatechecker/
These scan your hard disk for applications and check them against an online database, informing you which ones have newer updates available. These updates don't always contain security fixes, but might add features, fix other bugs etc.