The Finest Hand-Selected Downloads
Individually reviewed & tested
Store News

Find previously undiscovered malware (maybe) with Mandiant Redline

23 April 2012, Mike Williams

If your PC gets attacked by some previously discovered specimen of malware then it’s relatively easy to spot. Your antivirus package will scan the new file on access, realise there’s a match for something in its virus database, and the threat will be quarantined immediately, before any real damage can be done.

If you’re attacked by some brand new specimen, though, it’s a very different story. Every antivirus package claims it can also detect new threats by behaviour alone, but this is vastly more difficult: there’s a good chance that it’ll be missed. And so if you think your system might have been compromised, then it’s a good idea to get a little third-party scanning help from the free Mandiant Redline.

The program works by carrying out an extremely thorough low-level scan covering every aspect of your PC. This can take a very long time (it required more than 30 minutes on our test PC), although you can keep this down a little by closing all non-essential programs before you start. But when it’s finished the program will create an MRI (Malware Risk Index) score for everything running on your system, which highlights the risk that a particular process is malware.

The program provides a very detailed low-level report on running processes

It’s important to not expect too much from this. Redline works by applying very simple rules – looking at executable files which aren’t signed and verified, for instance – and so this inevitably creates a lot of false alarms. On our test PC, for instance, iTunesHelper.exe received a malware risk index of 93. There was actually a solid reason for this – another application had inserted a DLL into its address space – but we still knew the process wasn’t a threat. And it’ll be the same on your PC. The MRI scores provide a place to start looking for possibly malicious processes, but they’re not actually proof of anything in themselves; a high MRI doesn’t mean you’re infected.

If you’re an expert Windows user, then, the real value of Redline isn’t in the MRI scores; it’s more then in-depth system information that’s provided along with them.

For each target process, for instance, you can browse its handles (Files, Directories, Processes, Registry Keys, Semaphore, Mutant, Event or Section, they’re all here). There’s an in-depth memory map. You can view strings within each process space (as long as you’ve chosen to collect those initially), and see any network connections it has open.

And multiple “Investigative Steps” give you a more general view across your system. You can browse system hooks to try and detect rootkits, for instance. There’s an option to view low-level details on your installed drivers. And there are pages on your network ports and connections, memory sections and loaded DLLs, untrusted handles and a whole lot more.

None of this is exactly beginner-friendly, of course; Redline is oriented squarely at security professionals. If you know what you’re doing, though, there’s plenty of useful information to be found here, and the program really can help you to uncover even the very latest, previously undiscovered malware.

Your Comments & Opinion

45,047,251
Downloads
Secure & Tested Software
6,482
Reviews
Instant Download 24/7
315,176
Members
10+ Years of Service