Scan for malware using the herdProtect multi-engine cloud service
Published by Slartybart
Designer Media Ltd
herdProtect by Reason
Malware Detection: herdProtect, a multi-engine cloud based scanner
! Warning !
Effective malware remediation often requires specialized knowledge and tools. You can use this tutorial on your own, but it is best to have a SevenForums (SF) member experienced in malware remediation guide you.
Follow the exact instructions of the SF member assisting you; those instructions might differ slightly from the instructions found here.
According to the author of herdProtect:
How does it work?
The scanner takes a snapshot of all the 'active' files on a user's PC. An active file is defined as currently executing on the system or has the ability to automatically execute by means of an auto-start procedure.
Personally identifiable details are removed from the snapshot before being sent to the herdProtect server for analysis. The analysis is 100% anonymous.
The herdProtect server searches the database and sorts the files into known threats or unknown entities.
Known threats: are categorized by the number of detections and reported in the results phase of the current scan.
Unknown entities: are sent to the herdProtect servers for real-time analysis by each of the anti-malware scanners.
The herdProtect database is then updated and the final analysis is reported back to the user in the results phase of a subsequent scan.
What you should know
The herdProtect Scanner is not a complete anti-virus solution; as of this release it is a second-opinion scanner.
This version is a scanner only: it reports detections but does not remove them.
The scanner provides limited rootkit detection functionality.
The scanner is on-demand only; there is no real-time scanning functionality.
Running a real-time Anti-Virus / Anti-Malware application on your system alongside herdProtect is highly recommended.
Communication between a user's PC and herdProtect's servers is encrypted.
Refer to the Terms of Service for more information.
False positives are minimized by algorithms that weigh the detections from the individual engines.
herdProtect does not display all detections in the results window unless you de-select the false positive option (not recommended).
All detections are, however, recorded in the scan log.
If the algorithm cannot make a definite determination about whether a file is a false positive, herdProtect reports it as an inconclusive detection with recommendations.
Malware remediation requires specialized knowledge and tools. This guide provides the instructions to use only one tool; it does not give you enough information to eradicate malware from your system.
Incorrect use of any of the tools in the Malware Remediation series can seriously damage your system. Critical system files might be infected, and only a person experienced in threat remediation knows the proper methodology to use.
It is beyond the scope of any guide to provide that knowledge and experience. This guide is best used with guidance from a member who will assist you through the entire process.
herdProtect
2. Two install packages are offered on the herdProtect download page, a full install and a portable install.
Select the portable package as the download.
3. On the Do you want to run or save ...Action Bar
Select Save
The file is placed in your default save location, normally the Downloads folder under your user profile.
4. On the The ... download has completed Action Bar
If your user profile is an Administrator User Account:
Select Run
If your user profile is a Standard User Account:
Select Open folder
Launch herdProtect with elevated privileges:
Press the right mouse button on the file to open the context menu
Pick Run as administrator...
Answer Yes if prompted by a UAC dialog window.
5. Complete the initial steps to extract the program and accept any licensing agreements.
If a dialog window requests permission to run the application, Answer Yes, OK, or Run
Read the End User Licenses Agreement; Press the Accept button
Accept the default location to extract the application.
Press the Next > button.
6. The final setup window is presented
Warning
You must have an active Internet connection before you launch herdProtect.
If you do not have an active Internet connection, the initialization process will fail and prompt you to refresh.
As of this writing, there was no way to refresh herdProtect from that prompt.
Re-launching from the task bar does display the UAC dialog window, but the connection still fails.
You must close herdProtect and manually launch herdProtectScan.exe from the location where it was extracted
(default: C:\Program Files\Reason\herdProtect\Scanner_Portable)
Tick Launch herdProtect
Press the Finish button to start the scan using the default settings.
Answer Yes if prompted by a UAC dialog window
Press the Scan button. Note: This is a scan-only operation; no corrective action can be taken in this mode.
herdProtect cycles through the scanning and analysis process
7. One of two possible Scan Results windows is presented when the initial scan has completed.
(a) Malware was not detected on your system:
This does not mean that your system is clean; it means that herdProtect did not detect any malware. Malwarebytes Anti-Malware Free v 2.0 can provide a second opinion if you are concerned. If a SevenForums member is advising you, follow the step-by-step instructions they provide, in the order they provide them.
If SF members are assisting you, please post the confirmation screen as shown above to let them know that herdProtect did not find any threats.
You might be asked to post the log even though no threats were detected.
See the Attach step below and follow the log posting instructions.
You may then close herdProtect using the X on the menu bar.
Additional on-demand malware scanners might be advised by SF members.
(b) Malware was detected, detections are reported in the Scan Results window.
Press the Show Details button to expand this section or continue on to the next step
The scan of your system might include files about which the herdProtect database has no information. In this case, you are prompted to run a second herdProtect scan in a little over an hour. This allows herdProtect to scan each unknown file in real time with every malware engine it uses and update the database.
Press the OK button
The second scan should take less time than the first scan. The new information in the database presents a more complete picture of the files on your system. There are likely to be fewer, if any, files listed in the second Scan Results, as the unknown files will have been classified as threats, false positives, or insignificant. The log file might contain entries that were deemed false positives by herdProtect and were therefore not displayed in the Scan Results window.
You are advised to wait until the system has been scanned a second time with herdProtect in order to limit the number of files you might want to investigate.
This guide gives two ways to research suspicious files, but only people experienced in malware can really interpret what the research means. If you are curious about the objects detected, you can use the online database of either herdProtect or VirusTotal to learn more.
Remember, herdProtect is a scan-only operation. You cannot use herdProtect for malware remediation at this point, even once you know more about the reported object.
You must have an active Internet connection to use either database.
Click on the object to display the herdProtect View and Details buttons (shown in the above (b) Malware was detected image)
The logs have the following naming convention: Scan_YYYY-M-D-H-M.txt
Example: C:\Program Files\Reason\herdProtect\Scanner_Portable\Logs\Scan_2014-6-14-18-50.txt
Month, day, hour and minute do not have leading zeroes (i.e. 9, not 09), so sorting the file names alphabetically does not put them in date order.
Hours are in 24-hour representation (Post Meridian (PM) hour + 12)
1:30 PM is 13:30 (1 PM + 12)
6:50 PM is 18:50 (6 PM + 12)
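Because the timestamp fields carry no leading zeroes, a plain alphabetical sort of the Logs folder lists Scan_2014-10-2-... before Scan_2014-6-14-..., so "the newest file in the listing" is not reliably the latest scan. The following script is an added example (not part of the original tutorial or of herdProtect) that parses the naming convention above, orders the logs chronologically and picks the latest one to attach; the file names in SAMPLE_LOGS are constructed for the demonstration and the Logs path is the tutorial's default.

```python
import re
from datetime import datetime
from pathlib import Path

# Default portable-install log folder from the tutorial.
LOGS_DIR = Path(r"C:\Program Files\Reason\herdProtect\Scanner_Portable\Logs")

# Scan_YYYY-M-D-H-M.txt: year is four digits, the other fields 1-2 digits,
# no zero padding, hour on a 24-hour clock.
LOG_NAME = re.compile(r"^Scan_(\d{4})-(\d{1,2})-(\d{1,2})-(\d{1,2})-(\d{1,2})\.txt$")


def parse_log_name(name):
    """Return the datetime embedded in a herdProtect log file name, or None
    if the name does not follow the convention (or encodes an impossible date)."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    year, month, day, hour, minute = (int(g) for g in m.groups())
    try:
        return datetime(year, month, day, hour, minute)
    except ValueError:  # e.g. month 13 or hour 25 in a mangled file name
        return None


def format_log_name(when):
    """Build the file name herdProtect would use for a scan started at `when`
    (no leading zeroes, 24-hour clock)."""
    return f"Scan_{when.year}-{when.month}-{when.day}-{when.hour}-{when.minute}.txt"


def sort_logs(names):
    """Recognised log names, oldest first, ordered by the embedded timestamp
    rather than by string comparison."""
    stamped = [(ts, n) for n in names if (ts := parse_log_name(n)) is not None]
    return [n for _, n in sorted(stamped)]


def latest_log(names):
    """The most recent log name, or None if nothing matched the convention."""
    ordered = sort_logs(names)
    return ordered[-1] if ordered else None


def find_logs(directory=LOGS_DIR):
    """List the herdProtect logs actually present in `directory`, oldest first."""
    return sort_logs(p.name for p in Path(directory).iterdir() if p.is_file())


# Constructed sample listing: three scans plus an unrelated file.
SAMPLE_LOGS = [
    "Scan_2014-6-14-18-50.txt",   # 14 Jun 2014, 6:50 PM (the tutorial's example)
    "Scan_2014-10-2-9-5.txt",     # 2 Oct 2014, 9:05 AM
    "Scan_2014-9-30-13-30.txt",   # 30 Sep 2014, 1:30 PM
    "notes.txt",
]

if __name__ == "__main__":
    print("alphabetical:", sorted(SAMPLE_LOGS))
    print("chronological:", sort_logs(SAMPLE_LOGS))
    print("attach this one:", latest_log(SAMPLE_LOGS))
```

Run it with the default folder on the scanned machine (find_logs()) to get the chronological list; when posting a log for an SF member, attach the one latest_log() returns, which after the second scan is the log that already reflects the updated database.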
This is very well done. I had no idea you wrote this up.
Fantastic job!!
A note on the herdProtect tutorial:
If you click the cloud in the bottom left-hand corner while it is trying to scan, it will test your Internet connection and see if anything is blocking it. It also will reset the proxy or LAN connection to attempt a more successful connection.
Just thought you should know.
Last edited by andrew129260; 02 Sep 2014 at 14:30.