Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: herdProtect: Malware Detection


herdProtect: Malware Detection

Scan for malware using the herdProtect multi-engine cloud service
Published by Slartybart
26 Jul 2014
Published by

herdProtect: Malware Detection-logo_herdprotect-b.png herdProtect by Reason

Malware Detection: herdProtect, a multi-engine cloud based scanner

! Warning !
Effective malware remediation often requires specialized knowledge and tools. You can use this tutorial on your own, but it is best to have the guidance of a SevenForums (SF) member experienced in malware assist you.

Follow the exact instructions of the SF member assisting you, those instructions might differ slightly from the instructions found here.


According to the author of herdProtect:

How does it work?
The scanner takes a snapshot of all the 'active' files on a user's PC. An active file is defined as currently executing on the system or has the ability to automatically execute by means of an auto-start procedure.
 
Personally identifiable details are removed from the snapshot before being sent to the herdProtect server for analysis. The analysis is 100% anonymous.

The herdProtect server searches the database and sorts the files into known threats or unknown entities.
  • Known threats: are categorized by the number of detections and reported in the results phase of the current scan.
  • Unknown entities: are sent to the herdProtect servers for real-time analysis by each of the anti-malware scanners.

    The herdProtect database is the updated and the final analysis is reported back to the user in the results phase of a subsequent scan.


What you should know
The herdProtect Scanner is not a complete anti-virus solution and is more of a second opinion scanner as of this release.
 
  • This version is a scanner only
  • The scanner provides limited rootkit detection functionality.
  • The scanner is an on-demand scan, there is no real-time scanning functionality.

A real-time Anti-Virus / Anti-Malware application is highly recommended to be running on your system in conjunction with herdProtect.

Communication between a user's PC and herdProtect's servers are encrypted.

Refer to the Terms of Service for more information.

False positives are minimized by algorithms that weigh detections.
  • herdProtect does not display all detections in the results window unless you de-select the false positive option (not recommended).

    All detections are however, reported in the scan log.
  • If the algorithm cannot make a certain determination about categorizing the file as a false positive, herdProtect reports the determination as an inconclusive detection with recommendations.


herdProtect: Malware Detection-01herdtask-prep-.png
1. Understanding the process and the utility
  1. Create a System Protection Restore Point

  2. Make a backup of your personal data

  3. Malware remediation requires specialized knowledge and tools. This guide provides the instructions to use only one tool, it does not endow you with enough information to efficiently eradicate malware on your system.

    Incorrect use of any of the tools in the Malware Remediation series can seriously hamper your system. Critical system files might be infected and only a person experienced in threat remediation knows the proper methodology to use.

    It is beyond the scope of any guide to provide that knowledge and experience. This guide is best used with guidance from a member who will assist you through the entire process.

  4. Read the online herdProtect documentation


herdProtect: Malware Detection-tb01_dnld-sf-.png herdProtect
2. Two install packages are offered on the herdProtect download page, a full install and a portable install
Select the portable package as the download.
herdProtect: Malware Detection-herdsite02-downld-.png
3. On the Do you want to run or save ...Action Bar

Select Save
The file is placed in your default save location, normally the Downloads folder under your user profile.

herdProtect: Malware Detection-bar0_dlsave.png
4. On the The ... download has completed Action Bar
  1. If your user profile is an Administrator User Account:
    Select Run

    herdProtect: Malware Detection-bar0_dlrun.png
  2. If your user profile is a Standard User Account:
    1. Select Open folder

      herdProtect: Malware Detection-bar1_dlcompopen.png

    2. Launch herdProtect with elevated privileges

      Press the right mouse button on the file to open the context menu

      Pick Run as administrator...
      Answer Yes if prompted by a UAC dialog window.


herdProtect: Malware Detection-03herdtask-accept-.png
5. Complete the initial steps to extract the program and accept any licensing agreements.

If a dialog window requests permission to run the application, Answer Yes, OK, or Run

Read the End User Licenses Agreement; Press the Accept button

Accept the default location to extract the application.

herdProtect: Malware Detection-herdscrn03a-xtract-.png

Press the Next > button.


herdProtect: Malware Detection-05herdtask-scan-.png
6. The final setup window is presented

warning   Warning
You must have an active Internet connection before you launch herdProtect.
 

If you do not have an active Internet connection, the initialization process will fail and prompt you to refresh.
As of this writing, there was no way to refresh herdProtect.

herdProtect: Malware Detection-herdscrn02-notconnected-.png

Re-launching from the task bar does display the UAC dialog window, but the connection fails.

You must close herdProtect and manually launch herdProtectScan.exe from the location where it was extracted
(default: C:\Program Files\Reason\herdProtect\Scanner_Portable)


herdProtect: Malware Detection-herdscrn03b-launch-.png

Tick herdProtect: Malware Detection-tickye_b.png
Launch herdProtect

Press the Finish button to start the scan using the default settings.

Answer Yes if prompted by a UAC dialog window

Press the Scan button. Note: This is a scan only operation, no corrective action can be taken in this mode.

herdProtect: Malware Detection-herdsrcn05a-scanbtn-.png

herdProtect cycles through the scanning and analysis process

herdProtect: Malware Detection-herdsrcn05b-aniscan-.gif


herdProtect: Malware Detection-06herdtask-analyze-.png
7. One of two possible Scan Results windows is presented when the initial scan has completed.

(a) Malware was not detected on your system:

This does not mean that your system is clean, it means that herdProtect did not detect any malware.
Malwarebytes Anti-Malware Free v 2.0 can provide a second opinion if you are concerned. If a SevenForums member is advising you, follow the step-by-step instructions they provide, in the order they provide.

herdProtect: Malware Detection-herdscrn07a-malwareno-.png

If SF members are assisting you, please post the confirmation screen as shown above to let them know that herdProtect did not find any threats.

You might be asked post the log even though no threats were detected.
See the Attach step below and follow the log posting instructions.

You may then close herdProtect using the X on the menu bar.

Additional on-demand malware scanners might be advised by SF members.
(b) Malware was detected, detections are reported in the Scan Results window.

herdProtect: Malware Detection-herdscrn07b-malwareyes-.png

Press the Show Details button to expand this section or continue on to the next step
 

The scan of your system might include files that the herdProtect database does not have any information. In this case, you are prompted to run a second herdProtect scan in a little over an hour. This allows herdProtect to scan the unknown file in real-time with each of the malware scanners it uses and update the database.

herdProtect: Malware Detection-herdscrn07c-2scans-.png

Press the OK button
The second scan should take less time than the first scan. The new information in the database presents a more complete picture of the files on your system. There are likely to be fewer, if any, files listed in the second Scan Results as the unknown files have been classified as threats, false positives, or insignificant. The log file might contain entries that were deemed false positives by herdProtect and were therefor not displayed in the Scan Results window.

You are advised to wait unitl the system has been scanned a second time with herdProtect in order to limit the number of files you might want to investigate.

There are two ways to research suspicious files given in this guide, only people experienced in malware can really decipher what the research means. If you're curious about the objects detected you can use a database on either herdProtect or Virustotal to learn more.

Remember, herdProtect is a scan only operation. You cannot use herdProtect for malware remediation at this point even if you know more about the reported object.

You must have an active Internet connection to use either database.

Click on the object to display the herdProtect View and Details buttons (shown in the above (b)Malware was detected image)
  • View: Opens a Windows Explorer at the location of the object and highlights the object.
    See: Analyze suspicious files with VirusTotal

  • Details: Opens a browser window to the herdProtect database and displays known information about the object.


herdProtect: Malware Detection-tb08_atch-sf-.png
8. Attach the herdProtect log file to a new post on your thread.

The herdProtect log file is located in the same folder where the files were placed when extracted. The default location is
C:\Program Files\Reason\herdProtect\Portable_Scanner\Logs.
See: How to capture screenshots, upload, and attach files to your post

Please attach the most recent log file.

information   Information
The logs have the following naming convention: Scan_YYYY-M-D-H-M.txt
Example: C:\Program Files\Reason\herdProtect\Scanner_Portable\Logs\Scan_2014-6-14-18-50.txt

Month and day do not have leading zeroes (i.e. 9, not 09)
Hours are in 24 hour representation (Post Meridian (PM) hour + 12)
1:30 PM is 13:30 (1 PM+12)
6:50 PM is 18:50 (6 PM+12)



Related Tutorials

Malware Detection:
  • Farbar Recovery Scan Tool (FRST)
  • herdProtect (this tutorial)

Malware Remediation:
Malware Research Services:
Real-time Anti-Virus (AV) applications:
  • Microsoft Security Essentials



    Note: Grayed out entries in the above list are not live tutorials, but are planned inclusions in the Malware Detection and Remediation series.

Related Tutorials


Malware Detection:
  • Farbar Recovery Scan Tool (FRST)
  • herdProtect (this tutorial)

Malware Remediation:
Malware Research Services:
Real-time Anti-Virus (AV) applications:
  • Microsoft Security Essentials



    Note: Grayed out entries in the above list are not live tutorials, but are planned inclusions in the Malware Detection and Remediation series.
27 Aug 2014   #1
andrew129260

Windows 10 Pro
 
 

This is very well done. I had no idea you wrote this up.

Fantastic job!!

A note on the herd protect tut:

if you click the cloud on the bottom left hand corner while it is trying to scan, it will test your internet connection and will see if anything is blocking it. It also will reset the proxy or lan connection to attempt a more successful connection.
Just thought you should know.


My System SpecsSystem Spec
Comment

 herdProtect: Malware Detection




Tutorial Tools Search this Tutorial
Search this Tutorial:

Advanced Search



Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 13:22.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App