Checking a System with System File Verification

Windows 2003 includes a feature called Windows File Protection (WFP) that prevents the replacement of protected files. WFP checks the file integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file. This ensures that only Microsoft-verified files are used to replace system files.
Another tool, sigverif, checks which files on a system carry a Microsoft digital signature. In Exercise 1, we will use this tool.
Exercise 1: Signature Verification

We will run sigverif, a signature verification checker, and compare the results to the currently running processes in Task Manager:
  1. Press Ctrl+Alt+Del and select Start Task Manager.
  2. Click the Processes tab. Note any unusual processes and the amount of CPU time they are using. Any processes using a consistently high percentage of CPU time may indicate a virus or Trojan infection.
  3. Click the Performance tab in Task Manager to view the current CPU usage.
  4. Click Start > Run.
  5. Type sigverif, and click Start.
  6. In the sigverif program, choose Advanced to see the signature verification report.
  7. Click the View Log button to see the report.

System File Checker is another command line–based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker is sfc /scannow.
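As an added example (not part of the original post), the following PowerShell automates the comparison of the sigverif log against the Task Manager process list: it checks the Authenticode signature of every running process image and every module each process has loaded. It assumes Windows PowerShell 3.0 or later in an elevated prompt (Windows 2003 itself does not ship PowerShell), and on Windows 7 and earlier files that are signed only through a catalog (.cat) may report NotSigned here even though sigverif lists them as signed.

```powershell
# Added example: signature check of running process images and their loaded DLLs.
# Assumes Windows PowerShell 3.0+, run elevated so module lists are readable.

$paths = @()
foreach ($proc in Get-Process) {
    if ($proc.Path) { $paths += $proc.Path }
    try {
        # Modules includes every DLL mapped into the process; a Trojan DLL shows up here.
        $paths += ($proc.Modules | ForEach-Object { $_.FileName })
    } catch {
        # Access denied for protected processes or 32/64-bit mismatches; skip them.
    }
}
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique

$results = foreach ($p in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $p
    [PSCustomObject]@{
        # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Path   = $p
    }
}

# Summary by status, then the files that deserve the same second look as
# an unusual entry in Task Manager or the sigverif log.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Path | Format-Table -AutoSize
```

A HashMismatch on a file under the Windows directory means the binary on disk no longer matches its signature and is the case sfc /scannow is meant to repair.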
