Process Explorer + VirusTotal (to check all processes with 50+ AV's)

Check all running processes on VirusTotal
Published by Tookeri
16 Sep 2014

Information
Process Explorer by Sysinternals (Microsoft) is a more advanced alternative to Windows Task Manager.

VirusTotal.com is a multi-engine scanner service from Google that uses more than 50 different anti-virus products, including:
AVG, Avast, Avira, BitDefender, ESET, F-Secure, GData, Kaspersky, Malwarebytes, Microsoft, Norman, Panda, SUPERAntiSpyware, Sophos, Symantec, TrendMicro and many more.

The VirusTotal integration in Process Explorer is very fast because it only sends file hashes (a unique identifier of the file's content), not the files themselves. The result therefore depends on VirusTotal having previously scanned that exact file and version, but because VirusTotal is a heavily used worldwide service you will usually get fresh results for most files.

1. Download Process Explorer from its Sysinternals homepage, or use the direct download link.

2. Extract the contents from the ZIP file preferably to a new folder. If you don't have a 3rd party Zip program you can use the Windows built-in function: right click the Zip file and select "Extract all..."

3. Double-click the file procexp.exe

4. Enable "Check VirusTotal.com"
[Screenshot: pe-enable-vt.png]

The new column VirusTotal will be added automatically and will initially show "Hash submitted...". After a few seconds it will show the result:
[Screenshot: pe-vt-standard.png]
5. Processes that run as System rather than as a standard user won't show a VirusTotal result until we restart Process Explorer with elevated permissions:
[Screenshot: pe-admin-launch.png]

If you get a UAC prompt, click Yes. Now, after a few seconds, we will see the VirusTotal result for every process:
[Screenshot: pe-admin.png]

Information
A VirusTotal result of 0/55 means that 55 anti-virus products have checked the file and that none of them detected anything!

Click the result/link to open the detailed report in a web browser. There you'll find when the scan was done and other useful information like what anti-virus products detected anything and what type of possible infection/malware.


Example of a VirusTotal detection:
[Screenshot: pe-vt-detection.png]

Note
If only one AV detected something chances are that it's a "false positive" (wrongly detected) and that the file is clean. Click the VirusTotal link to get more details about it.

6. If you have processes that show "Unknown" in the VirusTotal column, it means that this specific file and version has never been uploaded to VirusTotal. To automatically upload these files to VirusTotal, select this option:
[Screenshot: pe-submit-unknown.png]
7. To manually submit any file (not only "Unknown" ones), which uploads the file and re-scans it, double-click the process, go to the Image tab and click this button:
[Screenshot: pe-submit-one.png]

You can then exit the Properties window and wait until you see a result in the VirusTotal column for that process. It'll take a few minutes.
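The lookup that steps 4 to 7 perform through the GUI can be reproduced from PowerShell, which makes it easier to see what actually leaves the machine. The script below is an added example, not code from the tutorial or from Sysinternals: it hashes the image file of every running process with SHA256 and asks VirusTotal about the hash only, exactly as Process Explorer does. It assumes you have your own VirusTotal API key in the environment variable VT_API_KEY (a placeholder name) and uses the public v3 endpoint /api/v3/files/{hash}. A 404 from that endpoint corresponds to the "Unknown" column value from step 6, a single detection is flagged because of the false-positive note above, and processes whose path cannot be read in a non-elevated session are reported as needing elevation, matching step 5.

```powershell
# Added example (not part of the tutorial or Sysinternals): reproduce what the
# "Check VirusTotal.com" column does - look up running images by hash only.
# Assumptions: your own VirusTotal API key in $env:VT_API_KEY (placeholder name)
# and the public v3 endpoint https://www.virustotal.com/api/v3/files/{sha256}.

function Get-ProcessImageHashes {
    # One SHA256 per distinct image path. Processes whose path cannot be read
    # (e.g. System processes in a non-elevated session) get a $null hash.
    $seen = @{}
    foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }
        if ($seen.ContainsKey($path)) { continue }
        try {
            $seen[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } catch {
            $seen[$path] = $null
        }
    }
    return $seen
}

function Get-VirusTotalVerdict {
    param([string]$Sha256, [string]$ApiKey)
    # Only the hash is sent; the file itself never leaves the machine.
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -Method Get
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return 'Unknown'   # never uploaded to VirusTotal: the step 6 case
        }
        throw
    }
    $stats   = $r.data.attributes.last_analysis_stats
    $engines = ($r.data.attributes.last_analysis_results.PSObject.Properties | Measure-Object).Count
    $hits    = [int]$stats.malicious + [int]$stats.suspicious
    $verdict = "$hits/$engines"
    # Per the note above, a single detection is often a false positive; mark it for a manual look.
    if ($hits -eq 1) { $verdict += ' (single detection - open the report)' }
    return $verdict
}

$apiKey = $env:VT_API_KEY
if (-not $apiKey) { throw 'Set VT_API_KEY to your own VirusTotal API key first.' }

foreach ($entry in (Get-ProcessImageHashes).GetEnumerator()) {
    if (-not $entry.Value) {
        "{0,-60} {1}" -f $entry.Key, 'No access (run elevated)'
        continue
    }
    "{0,-60} {1}" -f $entry.Key, (Get-VirusTotalVerdict -Sha256 $entry.Value -ApiKey $apiKey)
    Start-Sleep -Seconds 15   # stay under the public API's per-minute quota; adjust to your key
}
```

Run it from an elevated PowerShell window to get the same coverage as step 5; without elevation the System processes are listed as "No access", which is the same limitation the tutorial describes for Process Explorer.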
8. You can also do a VirusTotal check for all the DLL files a process uses. Select a process and press Ctrl+L to toggle the lower pane. It will submit the file hashes to VirusTotal and show the result after a few seconds:
[Screenshot: pe-lower-pane.png]

If the VirusTotal column isn't shown in the lower pane, right-click a column header to select columns.
If files other than DLLs are shown, go to the menu View - Lower Pane View - and select DLLs.
9. If you find more than one suspicious process and want to terminate them, Mark Russinovich, the author of Process Explorer, recommends suspending them first (right-click option). Many malware infections consist of multiple processes that can easily restart each other when only one is killed, so suspending them all first is the safer way.
More info: Managing Risk

10. If you like Process Explorer you can easily replace Task Manager with it:
[Screenshot: pe-replace-tm.png]

11. If you want, you can also verify image signatures. You do this by selecting "Verify Image Signatures" from the Options menu. In the screenshot above you can see how it looks when that option is checked: it is the second row in the drop-down Options menu. When you select this option you'll see a new column in the process list: "Verified Signer". Example:
[Screenshot: peverified.png]
Unsigned software doesn't mean it's bad, but it is more suspicious. Besides looking for unsigned or revoked signatures, also look out for empty or strange names (also in the columns Description and Company Name).
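The same check can be scripted so that it only lists the images worth a closer look. The script below is an added example and not part of the tutorial or Sysinternals: it runs Get-AuthenticodeSignature over the image file of every running process and reports those whose signature is missing or not valid, together with the Description and Company Name fields the step above tells you to inspect.

```powershell
# Added example (not from the tutorial or Sysinternals): the "Verified Signer"
# column done from PowerShell. Lists running images whose Authenticode signature
# is missing or not valid, with the Description and Company Name to inspect.

function Get-UnverifiedProcessImages {
    # Distinct image paths of all processes whose path is readable
    # (System processes need an elevated session, as in step 5).
    $paths = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique
    foreach ($path in $paths) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid') { continue }   # signed and chain trusted: nothing to report
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        [pscustomobject]@{
            Image       = $path
            Status      = $sig.Status   # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Description = $info.FileDescription
            Company     = $info.CompanyName
        }
    }
}

Get-UnverifiedProcessImages |
    Sort-Object Status, Image |
    Format-Table -AutoSize
```

An empty Description or Company on an unsigned image is the combination the step above singles out. On Windows 7, components that are signed only through a security catalog can show up as NotSigned here even though Process Explorer reports them as verified, so treat the list as a starting point to compare against the Verified Signer column rather than as a verdict.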
12. Another useful feature is "Process Timeline". To add it, go to the menu View - Select Columns..., then go to the tab "Process Performance" and select "Process Timeline".
[Screenshot: timeline.png]
The green part indicates how long a process has been running. So in the above example all processes have been running since start-up, except those that were started later, in this order:
- iexplore x 3, started just after the start of Windows
- firefox
- procexp, recently started (almost no green visible)
So how can this information be useful?
Example: Let's say you start a browser and end up on a web site that has a drive-by download that is able to start a new process. You can then check the process timeline for any processes that have started after the browser was started.
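The drive-by example can be turned into a query. The script below is an added example, not from the tutorial or Sysinternals: it takes the name of a running browser process (firefox is assumed as the anchor) and lists every process that started after the browser's oldest instance did, oldest first, with its image path, which is the same question the Process Timeline column answers visually.

```powershell
# Added example (not part of the tutorial): the Process Timeline idea as a query.
# Given the name of a running process (a browser is assumed), list every process
# that started after it, oldest first, with its image path.

function Get-ProcessesStartedAfter {
    param([string]$Name)
    # The oldest instance of the named process is the reference point.
    $anchor = Get-Process -Name $Name -ErrorAction SilentlyContinue |
              Sort-Object StartTime | Select-Object -First 1
    if (-not $anchor) { throw "No running process named '$Name'." }
    Get-Process | ForEach-Object {
        # StartTime is unreadable for some processes without elevation; skip those,
        # which is the limitation the note below describes.
        try { $start = $_.StartTime } catch { return }
        if ($start -gt $anchor.StartTime -and $_.Id -ne $anchor.Id) {
            [pscustomobject]@{ Started = $start; Name = $_.ProcessName; PID = $_.Id; Image = $_.Path }
        }
    } | Sort-Object Started
}

Get-ProcessesStartedAfter -Name 'firefox' | Format-Table -AutoSize
```

Anything in that list that you did not start yourself, especially an image with no path or an unsigned one from the previous step, is what the timeline column is meant to make visible.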

Note
You won't see details for all processes until Process Explorer is run as Administrator!


Information
The default colors used in Process Explorer are set in the Options menu - Configure Colors. Not all colors are used by default, so if you want you can enable the unchecked ones too:
[Screenshot: pe-colors.png]
Most programs are not "packed" (purple color), which can mean that they are obfuscated or encrypted, so watch out for those as they are probably more suspicious than other processes!



This tutorial has shown you how to check all running processes. If it finds any malware, that malware is already running on your system. To try to prevent new malware from infecting your system, I recommend my other tutorial mentioned below. It's an easy way to check downloaded software before running or installing it.


20 Sep 2014   #1
andrew129260

Windows 10 Pro

Very well done.


26 Sep 2014   #2
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10

Ok mate it is going to take me a few reads to really get the hang of this but it sounds such a good tool to have.
06 Nov 2014   #3
Tookeri

Windows 7 Pro 32

Update: added info on how to verify image signatures (step 11)

17 Dec 2014   #4
Tookeri

Windows 7 Pro 32

Update: added info for "Process Timeline" (step 12) + minor improvements
06 Apr 2015   #5
GeorgeilotS

Windows 7 x64 Pro, Windows 8.1 x64 Pro, Windows 10 TP 10041

Hey, thanks very much for all this information, especially the Process Timeline!