Poll: Do you monitor background system activity?
  Yes - 100% [2]
  No - 0% [0]
  I used to - 0% [0]
  I am thinking about it - 0% [0]
Total Votes: 2
Author: Guy Deschênes (Site Admin)
Joined: 27 Feb 2007  Posts: 77  Location: Toronto, Ontario, Canada
Posted: Sat Mar 31, 2007 8:17 am
Post subject: How to monitor and really control your own system!

A lot of users are asking me this question after observing me select, then manually "remove", things from memory, something they usually find amazing. A task usually delegated to software...
Having the ability to identify, isolate, then remove spyware & viruses is fun for me to do, but it is also relatively easy for the average user to do as well.
My answer to those who think it is too complex is: you can also do this if you have the right tools and if you know what to look for and how to find answers when you are in doubt. I will at least try and answer these here.
Let me begin my explanation with this. Any software running on your PC works like this: it must be written somewhere and invoked to run. It must be loaded into memory using a loader of some sort or read from disk by another piece of software. It is only "running" while some aspect of it is either live in memory or is being hooked into by another process or service running in memory, and can as such be invoked at will to perform some task. As a result, unless it is cloaked by a rootkit or some internal kernel control, it should be visible and thus identifiable, and thus provide you with an opportunity to terminate it if necessary.
Basically (in simple terms) there are 3 things to keep an eye on:
1. Processes (programs running live in memory)
2. Executables (programs sitting dormant on the disk)
3. Ports & sockets (the doors in and out of your PC that programs use).
Any process that runs in memory needs to be loaded into it. They use loaders, which are entries read by the OS, and they load up. You need a good tool to see what loads up. It should provide you with enough control to actually see basically everything that loads in the background at boot or login and give you the opportunity to prevent something from loading again if it turns out to be hostile. Keep in mind many of these entries are in the registry or embedded into other processes, so apply careful consideration here. You can also use this tool to make a snapshot of all loaders on a fresh (clean) system and monitor modifications as they occur, providing an opportunity to go back...
A good tool for this is Autoruns, and it's free. Get it here:
http://download.sysinternals.com/Files/Autoruns.zip
Once your system is up you need to see which processes are loaded and using resources; in short, if you wish to monitor your system and application processes for nasty behavior in real time, a good tool for this is ProcessXP. It provides the most detailed info and controls you can get, and it is free.
Get it here: http://download.sysinternals.com/Files/ProcessExplorer.zip
Another tool, a bit simpler and lighter weight, is PRCView, also free.
Get it here: http://www.teamcti.com/pview/prcview.htm
For those interested in what each and every single process, thread and handle is doing, you can use Process Monitor (it really does give you what everything does...). Perhaps too much for the average Joe, but it is perhaps the most detailed free tool I have seen on process activity.
Get it here: http://download.sysinternals.com/Files/ProcessMonitor.zip
Once you have identified a process that is hostile, many tools, including the Process Explorer named above, can't kill it. So you need a tool that can.
The best free tool to do so that I know of is Advanced Process Terminator 4.0. It uses about 12 different techniques to kill a process that won't die, until it finds one that kills it. Very useful to terminate nasty spyware and viruses from memory so you can remove their loader and delete their executables...
Get it from DiamondCS here: http://www.diamondcs.com.au/downloads/apt.zip
The good thing about being able to view what processes and services are up and running is finding out how much processor & memory resources they use, as well as being able to research the process location on the disk to help in identifying it as legit or hostile. You can also Google it or use other search engines to find out what is known about the process online...
Now that you know the processes that load and how to monitor them and kill them if necessary, you need to monitor your ports (doors & windows) for whatever process activity is taking place through them. You basically need to look for 3 things:
On your end of the connection, this is what you need to monitor:
1. The process or service - a program listening or connected
2. The protocol - usually UDP or TCP (for the Internet anyways)
3. The local address - your actual computer IP while connected
4. The local port - the door used by the program
5. The connected state: important ones are Listening & Established
On the Internet or remote end, this is what you need to monitor:
1. Listening local process - scanners seek listening local processes.
2. The protocol - usually UDP or TCP
3. The remote address - the domain name or IP of the remote process
4. The remote port - the door used by the process
Basically what you are looking for are processes that are either listening for a connection (meaning it's a server waiting for something from the Internet) or already connected. A lot of processes are legitimate and have a good reason to do this, but I would suspect any process that is doing so and is not clearly identified, meaning after looking at the process you can't find out what the company name is, or the process is hidden or is behaving strangely. You should then do a Google search on all suspect processes or go to a process database and check it out. (I will name a few of these free services further on.)
Just don't panic on local processes that are listening or connected to the remote address "Local Host" or 127.0.0.1; they are simply programs running internal servers for self-communication. Learn your internal address nomenclature.
Here are a few good tools to monitor network-active processes.
PortExplorer is the best! (Not free, and the company seems to be having issues with registration.) You can get it from here: http://www.diamondcs.com.au/downloads/pesetup.exe
A very nice free tool (lightweight as well, and also a portable tool that can be used directly from USB devices or CDs) is TCPView, from here: http://download.sysinternals.com/Files/TcpView.zip It shows just about everything you need to see! (Minus a few important things as well, but beyond the scope of this writing.)
Earlier I spoke of process database services; here is where you can begin investigating a process: ProcessLibrary is where I often begin my process investigations. I even have a plugin directly in Firefox... neat tool.
The process library is here: http://www.processlibrary.com/
Here is a list of my Firefox add-ons and security plugins for your benefit:
Dr.Web Antivirus - https://addons.mozilla.org/en-US/firefox/addon/938
Virus Total antivirus check (this is a really good one): https://addons.mozilla.org/en-US/firefox/addon/4451
Process Library: https://addons.mozilla.org/en-US/firefox/addon/4461
Remember the process killer I talked about earlier on: Advanced Process Terminator 4.0. It uses about 12 different techniques to kill a process that won't die, until it finds one that kills it. Very useful to terminate nasty spyware and viruses from memory so you can remove their loader and delete their executables...
Another useful tool to monitor your system that I find incredibly powerful is a Microsoft tool, Microsoft Network Monitor 3; it is a network protocol analyzer. Basically it is a tool to allow capturing and protocol analysis of network traffic right off your desktop, no need of a server here. Capturing the data packets as they flow in and out of your ports and sockets is the only way to see what they contain, and it is what is often done to build up a case by forensic analysts, or by security specialists to identify hostile from faulty traffic... Now for most users it is not really useful since often the content is encrypted, rendering it useless, but it is useful for those studying security or programming.
Nonetheless it is a free tool and incredibly powerful, so here is where you can get the tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=aa8be06d-4a6a-4b69-b861-2043b665cb53&DisplayLang=en
Last but not least, and probably the most overlooked monitoring tool, is the Windows Firewall log (only useful if you are using the Microsoft built-in firewall).
It must be enabled (logging is turned off by default even when the firewall is active). Enable the log from "Windows Firewall" --> Security Logging --> select both "Log dropped packets" & "Log successful connections". Give a size to the log of your choice. Choose a location for the log (I would recommend a secondary hard disk to resist performance degradation). Typical file name is pfirewall.log.
You can get a lot of information from this file, but for most it's useless until they get a log parsing and analyzing tool. Essentially you are looking for two things in your log: packets rejected by the firewall (usually for good reasons), since they are the actual reason you have a firewall on in the first place, and successfully established connections. The latter is so you can see who successfully connected, when, and from where... You can also derive quite a few useful stats about your system's performance and connectivity.
The best log analyzer for Windows logs I know is Sawmill, and you can get it free for at least 30 days. Get it here: http://www.sawmill.net/ A nice thing about this log analyzer is that if you test it thoroughly, document the process and send your log to Sawmill, you can get your license free!!! What a deal!!!
Ok, so now you have the means to find the IP address of someone on the Internet connecting to or hacking you, but what to do with that information?
Knowing where a suspect intruder is located, where a malicious email originated, or validating the location of a website is key information to identify security threats and to track and report abusers. You need a good tool for this as well. The one I will recommend here is not free, but it provides a rather well-rounded suite of data about the IP, including a visual world map pinpointing the location of the possible intruder, and offers resources to easily report it.
Get the tool here: (free trial for 15 days)
Visual IP Trace http://www.visualiptrace.com/
I hope this does answer the question on how to monitor your system in a clear and simple manner while providing the right tools....
_________________
Live Technical Support Help Desk
We Provide Online Computer Help 24/7. Our technical support staff can fix computer problems, clean viruses, speed up your computer, remove spyware, and eliminate computer crashes.
http://www.hermes-computers.ca
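An added example, not part of the post above and not the author's code: the connection checklist in the post (process, protocol, local address and port, state, remote address and port, and ignoring anything that only talks to 127.0.0.1) turned into a small Python triage over a socket table in the shape `netstat -ano` prints on Windows. The sample table and the PID-to-image mapping are constructed for the example; on a real machine the table comes from `netstat -ano` and the image names from `tasklist` or Process Explorer, and the one PID deliberately missing from the map stands in for the "not clearly identified" case the post tells you to research.

```python
"""Triage a netstat-style socket table using the post's checklist:
process, protocol, local address/port, state, remote address/port,
and skip loopback-only entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like `netstat -ano` output on Windows (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:1057      203.0.113.5:80         ESTABLISHED     2208
  TCP    192.168.1.10:1060      198.51.100.7:6667      ESTABLISHED     3412
  TCP    127.0.0.1:1061         127.0.0.1:1062         ESTABLISHED     1532
  TCP    192.168.1.10:1070      203.0.113.9:443        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed PID -> image name map; on a live box this comes from `tasklist`
# or Process Explorer. PID 3412 is deliberately left out to show the unknown case.
SAMPLE_PIDS: Dict[int, str] = {884: "svchost.exe", 1532: "firefox.exe",
                               2208: "firefox.exe", 700: "lsass.exe"}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the "*" UDP placeholder
    state: str                   # "" for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Turn the text table into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        sockets.append(Socket(proto, lip, int(lport), rip,
                              int(rport) if rport.isdigit() else None,
                              state or "", int(pid)))
    return sockets


def triage(sockets: List[Socket], pid_names: Dict[int, str]) -> List[Tuple[str, Socket, str]]:
    """Return (reason, socket, image name) for every entry worth a closer look.

    Following the post: listening sockets and established connections matter,
    and anything that only talks to 127.0.0.1 is an internal server, not a lead.
    """
    findings = []
    for s in sockets:
        image = pid_names.get(s.pid, "<unidentified - research this PID>")
        if s.state == "LISTENING" and s.local_ip not in LOOPBACK:
            findings.append(("listening-external", s, image))
        elif s.state == "ESTABLISHED" and s.remote_ip not in LOOPBACK:
            findings.append(("established-external", s, image))
        elif s.proto == "UDP" and s.local_ip not in LOOPBACK:
            findings.append(("udp-bound-external", s, image))
        # TIME_WAIT/CLOSE_WAIT leftovers and loopback-only entries are skipped
    return findings


def unidentified(findings: List[Tuple[str, Socket, str]]) -> List[Tuple[str, Socket, str]]:
    """The subset whose owning process could not be named: the post's first suspects."""
    return [f for f in findings if f[2].startswith("<unidentified")]


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS)
    for reason, s, image in found:
        print(f"{reason:22} {s.proto} {s.local_ip}:{s.local_port} -> "
              f"{s.remote_ip}:{s.remote_port} pid={s.pid} {image}")
```

The regex reads the state column as optional because UDP rows have none, and the triage keeps the three buckets separate so a reader can see at a glance which entries are servers waiting for the Internet, which are live outbound connections, and which are UDP bindings; the loopback rows are dropped exactly as the post advises.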
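Also an added example rather than the post's own material: a Python parser for the pfirewall.log file the post describes, pulling out the two things it says to look for, dropped packets and successful connections. The log sample is constructed; its layout follows the comment header with a `#Fields:` line that the Windows Firewall log uses, and the parser takes the column names from that header instead of hard-coding positions. The action names `OPEN`, `OPEN-INBOUND`, `CLOSE` and `DROP` are those of the XP-era log; `ALLOW` is included as an assumption for later Windows versions.

```python
"""Parse a Windows Firewall log (pfirewall.log) and pull out the two things the
post says to look for: packets the firewall dropped, and connections it allowed."""
from collections import Counter
from typing import Dict, List, Set

# Constructed sample (not a real log). The layout mirrors pfirewall.log: comment
# header lines starting with '#', a '#Fields:' line naming the columns, then one
# whitespace-separated record per line with '-' for fields that do not apply.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-03-31 08:15:01 DROP TCP 203.0.113.5 192.168.1.10 4123 135 48 S 1234567 0 65535 - - - RECEIVE
2007-03-31 08:15:02 DROP TCP 203.0.113.5 192.168.1.10 4124 139 48 S 1234568 0 65535 - - - RECEIVE
2007-03-31 08:15:02 DROP TCP 203.0.113.5 192.168.1.10 4125 445 48 S 1234569 0 65535 - - - RECEIVE
2007-03-31 08:15:05 DROP UDP 198.51.100.20 192.168.1.10 1026 1026 420 - - - - - - - RECEIVE
2007-03-31 08:16:10 OPEN TCP 192.168.1.10 203.0.113.80 1057 80 0 - 0 0 0 - - - -
2007-03-31 08:16:11 OPEN-INBOUND TCP 203.0.113.44 192.168.1.10 3300 3389 0 - 0 0 0 - - - -
2007-03-31 08:16:40 CLOSE TCP 192.168.1.10 203.0.113.80 1057 80 0 - 0 0 0 - - - -
"""

# OPEN/OPEN-INBOUND/CLOSE/DROP are the XP-era action names; ALLOW is included on
# the assumption that later Windows versions log allowed connections that way.
SUCCESS_ACTIONS = {"OPEN", "OPEN-INBOUND", "ALLOW"}


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the column names from the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                      # #Version, #Software, #Time Format
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def dropped_by_source(records: List[Dict[str, str]]) -> Counter:
    """How many packets the firewall dropped from each source IP (who is knocking)."""
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


def dropped_ports_from(records: List[Dict[str, str]], src_ip: str) -> List[int]:
    """Sorted list of local ports a given source was blocked from reaching."""
    return sorted({int(r["dst-port"]) for r in records
                   if r["action"] == "DROP" and r["src-ip"] == src_ip
                   and r["dst-port"].isdigit()})


def successful_inbound(records: List[Dict[str, str]], local_ips: Set[str]) -> List[Dict[str, str]]:
    """Allowed connections where the remote side connected to one of our addresses:
    the 'who got in, when, and from where' list the post asks for."""
    return [r for r in records
            if r["action"] in SUCCESS_ACTIONS
            and r["dst-ip"] in local_ips and r["src-ip"] not in local_ips]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for ip, n in dropped_by_source(recs).most_common():
        print(f"DROP x{n} from {ip}, ports {dropped_ports_from(recs, ip)}")
    for r in successful_inbound(recs, {"192.168.1.10"}):
        print(f"INBOUND {r['date']} {r['time']} {r['src-ip']}:{r['src-port']} -> port {r['dst-port']}")
```

Driving the parser from the `#Fields:` header is what keeps it usable across log versions whose column sets differ; a record whose field count does not match the header is skipped rather than silently shifted into the wrong columns, which is the failure mode that turns a log review into a wrong conclusion.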