Microsoft’s free Process Explorer is one of those utilities that every admin should have in their toolbox. The new version 16 lets you send hashes of suspicious files to VirusTotal, a subsidiary of Google that scans files with a large number of antivirus engines to identify malware. By default only the hash leaves your machine, not the file.
By Michael Pietroforte

I don’t think I have to explain here what Process Explorer is. I first blogged about Process Explorer about eight years ago, and that was version 10. Every once in a while, Microsoft adds a cool new feature to the Sysinternals tool. (I wonder if Mark Russinovich is really still doing the coding. At least it says so on the download page.)

Process Explorer - Check VirusTotal

Process Explorer is usually the first tool I fire up when suspicious things are going on with a PC. With the new VirusTotal integration, you now just need a click (or two) to send the hashes of files to VirusTotal. If the hash is already known to VirusTotal, Process Explorer shows how many of the antivirus engines flagged the file, which tells you whether the file is likely harmless or malicious.

Process Explorer - VirusTotal result

If you click “Check VirusTotal” in the context menu of a file whose hash VirusTotal has never seen, Process Explorer displays “Unknown” in the new VirusTotal column. If VirusTotal can identify the file by its hash, Process Explorer displays the detection ratio as a link to the VirusTotal report page, which lists the verdicts of the individual well-known antivirus engines.

Unknown hash

It is also possible to look up all files displayed in the process and DLL view by selecting "Check VirusTotal" in the Options menu. You can then send all unknown files to VirusTotal by navigating to "Submit Unknown Executables" in the VirusTotal.com Options menu. Note that, unlike the hash lookup, this uploads the executables themselves to VirusTotal, so think twice before doing it on a machine that runs proprietary or internal software. (Note: In a previous version of this article, I mentioned that this functionality was discussed in a WindowsITPro article and that I wasn't able to find this feature.)

Process Explorer - Submit unknown files to VirusTotal
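The same hash-then-lookup workflow is easy to script when you want to check a whole machine from a console or a scheduled task. The following PowerShell script is an added example, not code from the article or from Sysinternals: it hashes the image of every running process with SHA-256, queries VirusTotal's v3 file endpoint for each hash, and reports the detection ratio the way the Process Explorer column does, showing "Unknown" for hashes VirusTotal has never seen. It assumes a VirusTotal API key in the VT_API_KEY environment variable and the public-API limit of four requests per minute; it deliberately never uploads a file, which is what "Submit Unknown Executables" would do.

```powershell
# Added example, not from the article or from Sysinternals.
# Assumption: a VirusTotal v3 API key is available in $env:VT_API_KEY.
param(
    [string]$ApiKey = $env:VT_API_KEY,
    [switch]$Offline   # compute hashes only and never contact VirusTotal
)

# 1. Collect the unique image paths of all running processes.
#    Run elevated to see the images of processes owned by other users.
$images = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique)

# 2. Hash every image locally. Only this digest leaves the machine, never the file.
$hashes = @(foreach ($p in $images) {
    try {
        $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
        [pscustomobject]@{ Path = $p; Sha256 = $h.Hash }
    } catch {
        Write-Warning "Cannot hash $p : $_"
    }
})

if ($Offline -or -not $ApiKey) {
    Write-Host "Offline mode: $($hashes.Count) hashes computed, nothing sent."
    $hashes | Format-Table -AutoSize
    return
}

# 3. Look up each hash. HTTP 404 means VirusTotal has never seen the file,
#    which is what Process Explorer shows as "Unknown". Unknown files are
#    NOT uploaded here; that would ship the binary to a third party.
$results = @(foreach ($entry in $hashes) {
    $uri = "https://www.virustotal.com/api/v3/files/$($entry.Sha256)"
    try {
        $r = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $r.data.attributes.last_analysis_stats
        # Sum all engine outcomes (malicious, undetected, harmless, ...) for the denominator.
        $total = ($stats.PSObject.Properties | Measure-Object -Property Value -Sum).Sum
        [pscustomobject]@{
            Path      = $entry.Path
            Malicious = [int]$stats.malicious
            Detection = "$($stats.malicious)/$total"
            Report    = "https://www.virustotal.com/gui/file/$($entry.Sha256)"
        }
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 404) {
            [pscustomobject]@{ Path = $entry.Path; Malicious = -1; Detection = 'Unknown'; Report = '' }
        } elseif ($status -eq 429) {
            Write-Warning "Rate limited by VirusTotal; stopping."
            break
        } else {
            Write-Warning "Lookup failed for $($entry.Path): $_"
        }
    }
    Start-Sleep -Seconds 15   # four requests per minute keeps the public API happy
})

# 4. Flagged files first, then Unknown. "Unknown" means "never seen", not "clean".
$results | Sort-Object Malicious -Descending | Format-Table Path, Detection, Report -AutoSize
```

Run it as `.\Check-VTHashes.ps1 -Offline` first to see what would be looked up. Even a hash-only query tells VirusTotal which binaries you run, so an unusual hash of an internal tool is itself a small disclosure; keep that in mind before pointing the script at sensitive hosts.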

I guess it was too hot for Microsoft to offer a tool that sends files across the Internet to a third-party site. This limits the usefulness of this new feature a little. However, I use VirusTotal frequently, and it only happens in very rare cases that a file hasn’t been scanned previously. In my test, VirusTotal didn’t know the relatively new Amazon WorkSpaces client.

VirusTotal result page

On a Windows 8.1 computer, Process Explorer v16 was extremely unstable and crashed several times. So, you might want to keep a copy of the previous version. Update: Microsoft is aware of the bug and will probably offer an update.

© 4sysops 2006 - 2021