GetSusp

From aldeid

Description

McAfee GetSusp is intended for users who suspect undetected malware on their computer. It does not require deep technical knowledge of the system to isolate undetected malware: it combines local heuristics with lookups against the McAfee Global Threat Intelligence (GTI) file reputation database to identify suspicious files, logs a verdict per file and can package the flagged files into a zip for submission. Because the GTI lookups are network queries, a host that must stay isolated should be scanned with the offline option (see the CLI options below); in that case verdicts rely on the heuristics only.

Installation

The program can be downloaded from the following link: http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp.exe

Usage

Graphical Interface (GUI)

To start a scan via the GUI, click on the "Scan Now" icon:

Command Line (CLI)

Options

--MD5
Send only the report (no file upload)
--SILENT
Initiate a silent scan (no GUI interaction)
--OFFLINE
Scan in offline mode (no GTI lookups)
--EMAIL=email
Specify email address
--PROXY=ip:port
Specify proxy address and port
--UPLOAD=path
Specify folder or GetSusp zip file path for upload
--COMMENT=comment
Specify comments
--ZIPPATH=path
Specify folder to save suspicious zip file
--SCANPATH=path
Scan specific file or folder path
--PROXY-SCRIPT=url
Specify automatic configuration script URL

Example

Let's say you want to scan a suspected host (192.168.1.3) remotely from your computer (192.168.1.2). With psexec, -c copies getsusp.exe to the target before running it:

C:\>psexec \\192.168.1.3 -u administrator -p passwd -c getsusp.exe

Note that a password given with -p is visible in your command history and in the process list; omit -p and psexec will prompt for it instead.

Log files are generated in the C:\windows\system32\logs\ directory on the targeted system (192.168.1.3).

From a *nix machine, you can remotely grab the interesting log file over the administrative C$ share as follows:

$ smbget -u unknown smb://192.168.1.3/c$/windows/system32/logs/getsusp.log
Password for c$ at 192.168.1.3: 
Using workgroup WORKGROUP, user unknown
smb://192.168.1.3/c$/windows/system32/logs/getsusp.log
Downloaded 36,97kB in 2 seconds

Here is what the log file looks like, with the lines for files reported as OK filtered out (note that this quick filter also drops any flagged file whose path happens to contain the string "OK"):

$ egrep -v "OK" getsusp.log 
McAfee Labs(r) GetSusp(tm) Version 3.0.0.323 built on Dec 31 2012
Copyright (c) 2012 McAfee, Inc. All Rights Reserved.

GetSusp initiated on Thu Jun 06 18:26:44 2013


  Master Boot Record(s):....1
  Possibly Infected:.............0
  Boot Sector(s):.................1
  Possibly Infected:.............0

C:\documents and settings\unknown\local settings\application data\lollipop\lollipop.exe ... is Suspicious !!!
C:\DOCUMENTS AND SETTINGS\UNKNOWN\LOCAL SETTINGS\APPS\2.0\QQ8NQWYL.8LX\DED97HG1.CQQ\GITH..TION_8F45A2159C87C850_0001.0000_E49521E8B5E59340\GITHUB.EXE ... is Unknown !!!
C:\Documents and Settings\unknown\Local Settings\Temp\sngalng.exe ... is Suspicious !!!
C:\PROGRAM FILES\FICHIERS COMMUNS\ADOBE\ACROBAT\ACTIVEX\PDFSHELL.FRA ... is Unknown !!!
C:\Program Files\SingAlong\singalng.dll ... is Suspicious !!!
C:\Program Files\SingAlong\SingalngUpdater.exe ... is Suspicious !!!

GetSusp scan identified (4) Suspicious file(s) and (2) Unknown file(s).
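To work with the log instead of eyeballing it, the following parser reads the verdict lines and the summary line in the format shown above and lists everything GetSusp did not clear. This is an added example for this page, not code from McAfee or from GetSusp; it assumes that clean files are logged as "<path> ... is OK" (inferred from the egrep -v "OK" filter used above) and uses a constructed sample log, including a made-up path under C:\BOOKS to show why the substring filter is unreliable.

```python
#!/usr/bin/env python3
"""Parse a GetSusp log and list the files it did not clear.

Added example for this page; not part of GetSusp itself. The verdict line
shape ("<path> ... is Suspicious !!!" / "is Unknown !!!") and the summary
line are taken from the log shown on this page; the "... is OK" form for
clean files is an assumption inferred from the egrep -v "OK" filter.
"""
import re
import sys
from collections import Counter

# Constructed sample in the log format shown on this page (not a real capture).
SAMPLE_LOG = r"""McAfee Labs(r) GetSusp(tm) Version 3.0.0.323 built on Dec 31 2012
Copyright (c) 2012 McAfee, Inc. All Rights Reserved.

GetSusp initiated on Thu Jun 06 18:26:44 2013

  Master Boot Record(s):....1
  Possibly Infected:.............0
  Boot Sector(s):.................1
  Possibly Infected:.............0

C:\WINDOWS\system32\kernel32.dll ... is OK
C:\documents and settings\unknown\local settings\application data\lollipop\lollipop.exe ... is Suspicious !!!
C:\Documents and Settings\unknown\Local Settings\Temp\sngalng.exe ... is Suspicious !!!
C:\PROGRAM FILES\FICHIERS COMMUNS\ADOBE\ACROBAT\ACTIVEX\PDFSHELL.FRA ... is Unknown !!!
C:\Program Files\SingAlong\singalng.dll ... is Suspicious !!!
C:\BOOKS\reader.exe ... is Suspicious !!!

GetSusp scan identified (4) Suspicious file(s) and (1) Unknown file(s).
"""

# One verdict per line: "<path> ... is OK" or "... is Suspicious !!!" / "... is Unknown !!!"
VERDICT_RE = re.compile(
    r"^(?P<path>.+?) \.\.\. is (?P<verdict>OK|Suspicious|Unknown)(?: !!!)?$"
)
# Closing summary line with the counts GetSusp itself reports.
SUMMARY_RE = re.compile(
    r"^GetSusp scan identified \((\d+)\) Suspicious file\(s\) and \((\d+)\) Unknown file\(s\)\.$"
)


def parse_getsusp_log(text):
    """Return ([(path, verdict), ...], (suspicious_count, unknown_count) or None)."""
    findings, summary = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = VERDICT_RE.match(line)
        if m:
            findings.append((m.group("path"), m.group("verdict")))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return findings, summary


def not_cleared(findings):
    """Files flagged Suspicious or Unknown, i.e. everything GetSusp did not mark OK."""
    return [(path, verdict) for path, verdict in findings if verdict != "OK"]


def summary_matches(findings, summary):
    """True when the per-file verdicts add up to the counts in the summary line.
    A mismatch suggests a truncated, partially overwritten or tampered log."""
    counts = Counter(verdict for _, verdict in findings)
    return summary == (counts["Suspicious"], counts["Unknown"])


def naive_grep_v_ok(text):
    """What egrep -v "OK" keeps: every line not containing the substring OK.
    This silently drops flagged files whose path contains it (e.g. a BOOKS folder)."""
    return [line for line in text.splitlines() if "OK" not in line]


def main(argv):
    # Read getsusp.log from the path given on the command line, else use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    findings, summary = parse_getsusp_log(text)
    for path, verdict in not_cleared(findings):
        print(f"{verdict:10s} {path}")
    if summary is None:
        print("no summary line found: log may be truncated", file=sys.stderr)
    elif not summary_matches(findings, summary):
        print("summary counts do not match per-file verdicts", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 getsusp_log.py getsusp.log` after fetching the log with smbget; with no argument it parses the embedded sample. Matching the verdict at the end of the line rather than grepping for "OK" anywhere keeps flagged files with awkward paths, and checking the summary line against the parsed verdicts catches a log that was cut short before the scan finished.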
