4 Replies Latest reply on Sep 6, 2010 5:03 AM by vinoo

    Getsusp not finding files

    carlob

      Hi Guys,


      I used GetSusp the other day at a client, who had a major issue with a load of machines. The results I looked at never picked up anything of use, but after the MS Autoruns tool, I found 9 new infections (VirusTotal analyzed the files and none were found to be infected; files submitted to WebImmune). The findings were that all 9 were new viruses and one was a bot.


      Suggestion, if I may: why not dump all processes in memory, along with reg keys and services, to the file and use that? Or is this being done? My reason is the example listed above.


      regards

      Carlo

        • 1. Re: Getsusp not finding files
          vinoo

          Hi Carlo,


          Could you mail me the getsusp.zip or report that was created? Could you also send me the webimmune ids for the 9 submissions so that the team can replicate the samples on our end and check why GetSusp did not flag them?


          We try to keep the report and the amount of information displayed by GetSusp to a minimum. By improving its accuracy, a user won't have to go through a lot of technical logs.


          Regards,
          Vinoo Thomas
          Technical Product Manager, McAfee Labs

          • 2. Re: Getsusp not finding files
            carlob

            Hi Vinoo,


            Thanks for the feedback. I have attached the SR number for you, Service Request# 3-1124700071; however, I cannot find the GetSusp results. I might have deleted it due to getting detections sorted via Gold Support. If I get the same again, I will keep it all and send it to you.

            • 3. Re: Getsusp not finding files
              vinoo

              Hi Carlo,


              The malware submitted uses the following registry method to startup:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\


              We have an internal build of GetSusp 3.0.0.80 available that flags malware that uses this method. This GetSusp build has not been distributed publicly yet.


              I'll mail this over to you right away.


              Best,
              Vinoo
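
For a responder who wants to review the Active Setup persistence location named in this reply by hand, the following PowerShell snippet is an added example and is not part of the thread or of GetSusp. It walks `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` (and the WOW6432Node mirror, an assumption for 64-bit hosts), resolves each `StubPath` to its executable, checks its Authenticode signature, and flags entries whose binary is unsigned, missing, or outside the Windows or Program Files trees. The heuristic thresholds and the `Suspicious` column are the example's own assumptions, not a vendor rule.

```powershell
# Added example: enumerate Active Setup "Installed Components" StubPath entries
# for triage. Assumptions: both registry roots below exist on 64-bit Windows,
# and genuine stubs normally live under the Windows or Program Files trees.
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-ActiveSetupStubs {
    foreach ($root in $ActiveSetupRoots) {
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if (-not $props.StubPath) { return }   # nothing runs at logon for this entry

            # StubPath may be quoted and carry arguments; isolate the executable token.
            $exe = if ($props.StubPath -match '^"([^"]+)"') { $Matches[1] }
                   else { ($props.StubPath -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # Bare names such as regsvr32.exe resolve through the PATH like the loader does.
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command -Name $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }

            $sig = if (Test-Path -Path $exe) { "$((Get-AuthenticodeSignature -FilePath $exe).Status)" }
                   else { 'FileMissing' }

            # Assumed heuristic: flag unsigned/missing binaries or binaries outside system trees.
            $inSystemTree = $exe -match '^(?i)[A-Z]:\\(Windows|Program Files)'
            [pscustomobject]@{
                Component  = $_.PSChildName
                Version    = $props.Version
                StubPath   = $props.StubPath
                Executable = $exe
                Signature  = $sig
                Suspicious = (-not $inSystemTree) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Usage: list every entry, suspicious ones first, so they can be reviewed before the next logon.
Get-ActiveSetupStubs | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated session so both hives are readable. The Version value matters for triage: Active Setup re-runs a stub for each user whose HKCU copy of the component has a lower version, so an unfamiliar component with a fresh version string and a StubPath outside the system tree is the pattern to examine first.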

              • 4. Re: Getsusp not finding files
                vinoo

                A digitally signed executable of GetSusp 3.0.0.81 is now available at:

                https://community.mcafee.com/message/148081#148081


                Best,

                Vinoo Thomas
                Technical Product Manager, McAfee Labs