herdProtect by Reason

Malware Detection: herdProtect, a multi-engine cloud based scanner

! Warning !

Effective malware remediation often requires specialized knowledge and tools. You can use this tutorial on your own, but it is best to have the guidance of a SevenForums (SF) member experienced in malware assist you.

Follow the exact instructions of the SF member assisting you, those instructions might differ slightly from the instructions found here.

---

According to the author of herdProtect:

How does it work?
The scanner takes a snapshot of all the 'active' files on a user's PC. An active file is defined as currently executing on the system or has the ability to automatically execute by means of an auto-start procedure.

 

Personally identifiable details are removed from the snapshot before being sent to the herdProtect server for analysis. The analysis is 100% anonymous.

The herdProtect server searches the database and sorts the files into known threats or unknown entities.

• Known threats: are categorized by the number of detections and reported in the results phase of the current scan.
• Unknown entities: are sent to the herdProtect servers for real-time analysis by each of the anti-malware scanners.
  
  The herdProtect database is the updated and the final analysis is reported back to the user in the results phase of a subsequent scan.

What you should know
The herdProtect Scanner is not a complete anti-virus solution and is more of a second opinion scanner as of this release.

 

• This version is a scanner only
• The scanner provides limited rootkit detection functionality.
• The scanner is an on-demand scan, there is no real-time scanning functionality.

A real-time Anti-Virus / Anti-Malware application is highly recommended to be running on your system in conjunction with herdProtect.

Communication between a user's PC and herdProtect's servers are encrypted.

Refer to the Terms of Service for more information.

False positives are minimized by algorithms that weigh detections.

• herdProtect does not display all detections in the results window unless you de-select the false positive option (not recommended).
  
  All detections are however, reported in the scan log.
• If the algorithm cannot make a certain determination about categorizing the file as a false positive, herdProtect reports the determination as an inconclusive detection with recommendations.

---

1. Understanding the process and the utility

1. Create a System Protection Restore Point
   
   
2. Make a backup of your personal data
   
   
3. Malware remediation requires specialized knowledge and tools. This guide provides the instructions to use only one tool, it does not endow you with enough information to efficiently eradicate malware on your system.
   
   Incorrect use of any of the tools in the Malware Remediation series can seriously hamper your system. Critical system files might be infected and only a person experienced in threat remediation knows the proper methodology to use.
   
   It is beyond the scope of any guide to provide that knowledge and experience. This guide is best used with guidance from a member who will assist you through the entire process.
   
   
4. Read the online herdProtect documentation
   • Home: herdProtect
   • About: herdProtect
   • Policy: Potentially Unwanted Programs (PUP)
   • Terms of Service (ToS)
   • Policy: Privacy

---

herdProtect
2. Two install packages are offered on the herdProtect download page, a full install and a portable install

Select the portable package as the download.

3. On the Do you want to run or save ...Action Bar

Select Save
The file is placed in your default save location, normally the Downloads folder under your user profile.

4. On the The ... download has completed Action Bar

1. If your user profile is an Administrator User Account:
   Select Run
   
   
   
   
2. If your user profile is a Standard User Account:
   1. Select Open folder
      
      
      
      
   2. Launch herdProtect with elevated privileges
      
      Press the right mouse button on the file to open the context menu
      
      Pick Run as administrator...
      Answer Yes if prompted by a UAC dialog window.

---

5. Complete the initial steps to extract the program and accept any licensing agreements.

If a dialog window requests permission to run the application, Answer Yes, OK, or Run

Read the End User Licenses Agreement; Press the Accept button

Accept the default location to extract the application.

Press the Next > button.

---

6. The final setup window is presented

   Warning

You must have an active Internet connection before you launch herdProtect.

 

If you do not have an active Internet connection, the initialization process will fail and prompt you to refresh.
As of this writing, there was no way to refresh herdProtect.



Re-launching from the task bar does display the UAC dialog window, but the connection fails.

You must close herdProtect and manually launch herdProtectScan.exe from the location where it was extracted
(default: C:\Program Files\Reason\herdProtect\Scanner_Portable)

Tick
Launch herdProtect

Press the Finish button to start the scan using the default settings.

Answer Yes if prompted by a UAC dialog window

Press the Scan button. Note: This is a scan only operation, no corrective action can be taken in this mode.



herdProtect cycles through the scanning and analysis process

---

7. One of two possible Scan Results windows is presented when the initial scan has completed.

(a) Malware was not detected on your system:

This does not mean that your system is clean, it means that herdProtect did not detect any malware.
Malwarebytes Anti-Malware Free v 2.0 can provide a second opinion if you are concerned. If a SevenForums member is advising you, follow the step-by-step instructions they provide, in the order they provide.

If SF members are assisting you, please post the confirmation screen as shown above to let them know that herdProtect did not find any threats.

You might be asked post the log even though no threats were detected.
See the Attach step below and follow the log posting instructions.

You may then close herdProtect using the X on the menu bar.

Additional on-demand malware scanners might be advised by SF members.

(b) Malware was detected, detections are reported in the Scan Results window.

Press the Show Details button to expand this section or continue on to the next step

 

The scan of your system might include files that the herdProtect database does not have any information. In this case, you are prompted to run a second herdProtect scan in a little over an hour. This allows herdProtect to scan the unknown file in real-time with each of the malware scanners it uses and update the database.

Press the OK button

The second scan should take less time than the first scan. The new information in the database presents a more complete picture of the files on your system. There are likely to be fewer, if any, files listed in the second Scan Results as the unknown files have been classified as threats, false positives, or insignificant. The log file might contain entries that were deemed false positives by herdProtect and were therefor not displayed in the Scan Results window.

You are advised to wait unitl the system has been scanned a second time with herdProtect in order to limit the number of files you might want to investigate.

There are two ways to research suspicious files given in this guide, only people experienced in malware can really decipher what the research means. If you're curious about the objects detected you can use a database on either herdProtect or Virustotal to learn more.

Remember, herdProtect is a scan only operation. You cannot use herdProtect for malware remediation at this point even if you know more about the reported object.

You must have an active Internet connection to use either database.

Click on the object to display the herdProtect View and Details buttons (shown in the above (b)Malware was detected image)

• View: Opens a Windows Explorer at the location of the object and highlights the object.
  See: Analyze suspicious files with VirusTotal
  
  
• Details: Opens a browser window to the herdProtect database and displays known information about the object.

---

8. Attach the herdProtect log file to a new post on your thread.

The herdProtect log file is located in the same folder where the files were placed when extracted. The default location is
C:\Program Files\Reason\herdProtect\Portable_Scanner\Logs.
See: How to capture screenshots, upload, and attach files to your post

Please attach the most recent log file.

   Information

The logs have the following naming convention: Scan_YYYY-M-D-H-M.txt
Example: C:\Program Files\Reason\herdProtect\Scanner_Portable\Logs\Scan_2014-6-14-18-50.txt

Month and day do not have leading zeroes (i.e. 9, not 09)
Hours are in 24 hour representation (Post Meridian (PM) hour + 12)
1:30 PM is 13:30 (1 PM+12)
6:50 PM is 18:50 (6 PM+12)

---

Related Tutorials

---

Malware Detection:

• Farbar Recovery Scan Tool (FRST)
• herdProtect (this tutorial)

Malware Remediation:

• AdwCleaner
• ESET Online Scanner
• Hitman Pro (trial)
• Junkware Removal Tool (JRT)
• Kaspersky TDSSKiller: Rootkit detection and threat remediation
• Malwarebytes Anti-Malware Free v 2.0
• Microsoft Malicious Software Removal Tool
• Microsoft Safety Scanner
• Panda Cloud Cleaner

Malware Research Services:

• VirusTotal: Add 'Send to VirusTotal' to the Windows Explorer context menu
• Multiple references: Analyze suspicious files using Web based services

Real-time Anti-Virus (AV) applications:

• Microsoft Security Essentials
  
  
  
  Note: Grayed out entries in the above list are not live tutorials, but are planned inclusions in the Malware Detection and Remediation series.