1 Reply Latest reply on Dec 7, 2010 4:53 AM by vinoo

    FMR: Add switch to specify suspicious file

    HBullock

      I have had a large number of previously undetected malware samples identified via a variety of low-severity HIPS events when those events occur more frequently than one would expect. This high volume of HIPS events from a single computer is in itself suspicious. Yet when I run GetSusp, that specific file was not listed as unknown or suspicious.


      In such circumstances, I would like to be able to specify a specific fully qualified file to be inspected when GetSusp executes. Thoughts?

        • 1. Re: FMR: Add switch to specify suspicious file
          vinoo

          Thanks for the feedback. We've had multiple customers and support requesting this.


          The next build of GetSusp will support a custom scanpath switch which will allow for scanning a specified directory or drive. Since this can result in many, many files being reported, we limited the scan criteria to only executable files created/modified in the last 10 days by default.


          getsusp.exe --scanpath=c:\             (scans all files in c:\ which have been modified in the last 10 days by default)
          getsusp.exe --scanpath=c:\ --date=15   (scans all files in c:\ and also allows for modifying the date range)


          This build is currently undergoing QA and should be posted on the forum next week.


          Will this meet your requirement? Also, please escalate GetSusp malware misses (md5 will suffice) so that we can continue to improve the detection logic.
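As an added example, not GetSusp code and not written by either participant in this thread, the following Python script implements the same triage rule the reply describes: walk a scan path, keep only executable files modified within the last N days (10 by default, adjustable like the `--date` switch), and record an MD5 for each hit so a miss can be escalated with its hash. The executable-extension list, the output record and the constructed sample tree are assumptions made here. It uses modification time only unless `use_ctime=True` is passed, because `st_ctime` is the creation time on Windows but the inode-change time on POSIX, where it would make every recently touched file look new.

```python
"""Triage helper: list executables under a path modified within the last N days.

Added example modelled on the --scanpath/--date behaviour described in the
thread; it is not GetSusp code. The extension list, the record layout and the
sample tree are assumptions made here for illustration.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Assumption: a Windows-centric set of executable extensions; extend as needed.
EXECUTABLE_SUFFIXES = frozenset({".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".drv"})
SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class RecentExecutable:
    path: str
    md5: str
    age_days: float  # days since the file was last modified


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_recent_executables(root, days=10, now=None, use_ctime=False):
    """Walk `root` and return executables touched within the last `days` days.

    `use_ctime=True` also honours st_ctime, which is the creation time on
    Windows (on POSIX it is the inode change time, so it is off by default).
    Results are sorted by path so repeated runs are directly comparable.
    """
    now = time.time() if now is None else now
    cutoff = now - days * SECONDS_PER_DAY
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable, or vanished between listing and stat
            newest = max(st.st_mtime, st.st_ctime) if use_ctime else st.st_mtime
            if newest < cutoff:
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked file: report nothing rather than a bogus hash
            hits.append(RecentExecutable(str(path), digest, (now - newest) / SECONDS_PER_DAY))
    hits.sort(key=lambda hit: hit.path)
    return hits


def build_sample_tree(root=None, now=None):
    """Create a small constructed directory tree for demonstration and tests."""
    now = time.time() if now is None else now
    root = Path(root or tempfile.mkdtemp(prefix="scanpath_demo_"))
    fresh = root / "fresh.exe"
    fresh.write_bytes(b"MZ constructed sample, not a real binary")
    empty = root / "empty.sys"
    empty.write_bytes(b"")
    notes = root / "notes.txt"  # recent but not executable: must be ignored
    notes.write_text("constructed sample")
    old = root / "old.dll"
    old.write_bytes(b"MZ constructed old sample")
    stale = now - 30 * SECONDS_PER_DAY  # back-date to fall outside the 10-day window
    os.utime(old, (stale, stale))
    return {"root": str(root), "now": now, "fresh": str(fresh), "empty": str(empty),
            "old": str(old), "notes": str(notes)}


if __name__ == "__main__":
    tree = build_sample_tree()
    for hit in find_recent_executables(tree["root"], days=10, now=tree["now"]):
        print(f"{hit.md5}  {hit.age_days:5.1f}d  {hit.path}")
```

Running the script prints one line per hit in the constructed tree: `empty.sys` and `fresh.exe` with the default 10-day window, while `old.dll` only appears once the window is widened (for example `days=45`) and `notes.txt` never does. Sorting by path and hashing in chunks are deliberate so the output can be diffed between runs and large binaries do not exhaust memory on a busy host.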