Process Explorer now includes VirusTotal integration | 404 Tech Support

[IainB]

After reading the post (below) in 404 Tech Support, I downloaded and ran the latest version of Sysinternals' Process Explorer.
It's very nifty.
You just right-click on a process in the PE window and PE sends the hash of that process' file to VirusTotal.
A new column "VirusTotal" in the PE window says "Hash submitted...", and after VT returns its score for files of that hash, it displays the score - e.g., "0/50", meaning in this case that no virus checker of the 50 that tested this file found any virus/malware.
The VT score stays in the column whilst that process continues to run.
If you close and restart PE, the VT column for that same process is empty - which makes sense, because the score was for that process run at that previous point in time, and the process file could have been changed (would have a new hash) between starts.

The post has an image, some links and a YouTube demo of the thing described.
(Copied below sans embedded hyperlinks/images.)

Process Explorer now includes VirusTotal integration | 404 Tech Support
By Jason Hamilton on February 5, 2014 in Software

Last week, version 16 of Process Explorer was released and 16.01 was released yesterday. Its newest feature is VirusTotal integration. You use Process Explorer to examine the processes currently running on a Windows computer and now you can right-click on any process to upload it to VirusTotal to have it scanned by 40+ different antivirus scanners. You will then get the feedback on how many of those AV engines thought the file could be malicious. All from within Process Explorer.

The new version includes a new column for VirusTotal and a new entry on the context menu when you right-click on a process.

process explorer Process Explorer now includes VirusTotal integration

The first time you use the ‘Check VirusTotal’ function, you will be shown the Terms in your browser and a pop-up asking if you agree with the terms. After that, the process is hashed and submitted to VirusTotal. The column is then updated with the results to tell you how many of the virus scanners find the file to be malicious.

I made a quick screencast to demonstrate the new functionality.

Process Explorer could already be handy in cleaning a malware infection but this new feature makes it even better.

[tomos]

Thanks for the heads up -
that's going to be a great help

[bit]

This is very interesting, and I'm on the old learning curve with it now.
When I went to check up on a program, it tried to log on with Firefox.
How would I set it to log on with Seamonkey instead?

Is there a way to get ProcessExplorer to automatically scan and check every process/program that is running for viruses at least once, or do they all have to be checked manually one at a time?

[Steven Avery]

Thanks for pointing this out!  Great feature.

When you say ok to virus total, it automatically gets the hash and tells you the status of every file based on previous submsissions.

Four of my files were not totally clean, having one or two of the 57 or so results negatory.  Those can be pursued more depending on my interest.  The general reason would be using a toolbox or function that operates on some low-level that an AV considers off.  This would understandably apply to SuperAntiSpyware. The other three were RightNote, Notezilla and Splinterware's System Scheduler. Splinterware has a forum, a bit dormant now, but they would discuss the occasional false positive.  So none of these are of concern.

Then I had three files that were unknown, no previous submission, so I submitted them.  Currently it says "scanning file". Perhaps there is a queue. Ok, done, Allmyapps had four not real happy.

===============

A first-tier security addition.

And I would recommend it for the small business client to be on every one of the fifteen PCs. (Then you might want to check about occasional remote start and view.)

===============

Here is Mark Russinovich discussing this stuff, in 2013.  (I have to listen for awhile to see if this VirusTotal feature had been implemented.)

License to Kill: Malware Hunting with the Sysinternals Tools
http://channel9.msdn...a/2013/ATC-B308#fbid

===============

Steven

[Vurbal]

I'm glad to see them finally get with the program and implement this. System Explorer has had it for at least a couple years. I'm actually a little surprised it took the SysInternals team so long to catch up.

Having said that, for every day use, I still prefer System Explorer. As much as I love Process Explorer, IME it has a tendency to crash frequently on some machines, my current desktop being one of them.

[Steven Avery]

I'm glad to see them finally get with the program and implement this. System Explorer has had it for at least a couple years. I'm actually a little surprised it took the SysInternals team so long to catch up. Having said that, for every day use, I still prefer System Explorer. As much as I love Process Explorer, IME it has a tendency to crash frequently on some machines, my current desktop being one of them.

-Vurbal (February 17, 2015, 06:04 AM)

I'll have to see if I have any stability problems.  And I can see these now as the two best Task Manger replacements (although I do like Daphne for simplicity and color.)

I would say they are complimentary and they work differently.

System Explorer tests more .dlls and stuff, for better or worse.  System Explorer has their own database, that uses the community input.  They also left me with 48 unknown files (20 from DriveHQ, 6 from Priprinter, mostly .dll ) and then, e.g. gave information.  (e.g They identified the monitor.exe as coming form "Chameleon Monitor" actually Chameleon Startup Monitor .. with info on the program, author, etc.) So you can run through the unknowns reasonably effectively, even if it starts at a couple of dozens.  I have not checked yet whether you can comment or mark them as ok for the next run.

However, for a quick check of all files, Sysinternals shows them all (allowing that they don't do the .dlls) automatically, with the VirusTotal result easily available. So, even if it took them some time, it is a very good implementation.

Steven

[Vurbal]

I'd say your assessment is spot on. In fact, the reason I know Process Explorer crashes are an ongoing problem with this computer is because I continue to use it. Both it and System Explorer have features I wouldn't want to do without.

Also, I should probably test out this latest version on my computer to see if the problem even exists any more.