McAfee GetSusp is intended for users who suspect undetected malware on their computer. GetSusp eliminates the need for deep technical knowledge of computer systems to isolate undetected malware. It does this by using a combination of heuristics and querying the McAfee Global Threat Intelligence (GTI) file reputation database to gather suspicious files.
The program can be downloaded from the following link: http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp.exe
Graphical Interface (GUI)
Top start a scan via the GUI, click on the "Scan Now" icon:
Command Line (CLI)
- Send only the report
- Initiate a silent scan
- scan in offline mode
- Specify email address
- Specify proxy address and port
- Specify folder or GetSusp zip file path for upload
- Specify comments
- Specify folder to save suspicious zip file
- Scan specific file or folder path
- Specify automatic configuration script URL
Let's say you want to scan a suspected host (192.168.1.3) remotely from your computer (192.168.1.2).
C:\>psexec \\192.168.1.3 -u administrator -p passwd -c getsusp.exe
Log files will be generated in the C:\windows\system32\logs\ directory on the targeted system (192.168.1.3).
From a *nix machine, you can remotely grab the interesting log file as follows:
$ smbget -u unknown smb://192.168.1.32/c$/windows/system32/logs/getsusp.log Password for c$ at 192.168.1.32: Using workgroup WORKGROUP, user unknown smb://192.168.1.32/c$/windows/system32/logs/getsusp.log Downloaded 36,97kB in 2 seconds
Here is what the log file looks like:
$ egrep -v "OK" getsusp.log McAfee Labs(r) GetSusp(tm) Version 22.214.171.1243 built on Dec 31 2012 Copyright (c) 2012 McAfee, Inc. All Rights Reserved. GetSusp initiated on Thu Jun 06 18:26:44 2013 Master Boot Record(s):....1 Possibly Infected:.............0 Boot Sector(s):.................1 Possibly Infected:.............0 C:\documents and settings\unknown\local settings\application data\lollipop\lollipop.exe ... is Suspicious !!! C:\DOCUMENTS AND SETTINGS\UNKNOWN\LOCAL SETTINGS\APPS\2.0\QQ8NQWYL.8LX\DED97HG1.CQQ\GITH..TION_8F45A2159C87C850_0001.0000_E49521E8B5E59340\GITHUB.EXE ... is Unknown !!! C:\Documents and Settings\unknown\Local Settings\Temp\sngalng.exe ... is Suspicious !!! C:\PROGRAM FILES\FICHIERS COMMUNS\ADOBE\ACROBAT\ACTIVEX\PDFSHELL.FRA ... is Unknown !!! C:\Program Files\SingAlong\singalng.dll ... is Suspicious !!! C:\Program Files\SingAlong\SingalngUpdater.exe ... is Suspicious !!! GetSusp scan identified (4) Suspicious file(s) and (2) Unknown file(s).