1
00:00:03,080 --> 00:00:08,570
Once malicious or suspicious processes have been identified, it's necessary to stop them.

2
00:00:10,020 --> 00:00:15,500
As we mentioned, trying to stop a process which is monitored by other processes is quite difficult.

3
00:00:16,710 --> 00:00:24,430
You can't stop all of them at the same time. If you stop one process, it will be automatically restarted.

4
00:00:27,050 --> 00:00:32,120
Malicious programs not only hide with the use of other processes but often modify system components

5
00:00:32,120 --> 00:00:33,310
to oversee them.

6
00:00:36,330 --> 00:00:39,760
The solution is freezing a malicious process instead of killing it.

7
00:00:41,850 --> 00:00:47,430
Switch the process to the suspend mode. A suspended process does not execute.

8
00:00:47,580 --> 00:00:50,160
It cannot operate.

9
00:00:50,270 --> 00:00:52,090
It doesn't use up any CPU time.

10
00:00:52,100 --> 00:00:54,840
And it seems to be placed outside the system scheduler.

11
00:00:56,280 --> 00:01:01,690
A suspended process is still, however, marked as running, so it won't be relaunched by other processes.

12
00:01:03,980 --> 00:01:09,630
If all associated controlling processes are suspended, you'll be able to terminate them one by one.

13
00:01:11,950 --> 00:01:19,820
After terminating the processes, your next task is preventing them from relaunching after a system restart.

14
00:01:19,830 --> 00:01:27,500
This can be accomplished with the use of msconfig, a standard Windows utility. If you believe msconfig,

15
00:01:27,830 --> 00:01:32,720
the number of automatic startup processes is very small.

16
00:01:32,720 --> 00:01:38,240
The reality, however, is that several hundred applications and processes are run; hundreds of locations

17
00:01:38,240 --> 00:01:40,180
are checked.

18
00:01:40,190 --> 00:01:42,330
That's why I would rather use another program:

19
00:01:46,390 --> 00:01:49,160
Autoruns, a component of the Sysinternals suite.

20
00:01:50,100 --> 00:01:55,260
After you make sure a malicious program can't relaunch, you need to physically remove it from the computer.

21
00:01:57,440 --> 00:02:00,470
Removing the program can be more complicated than it seems.

22
00:02:01,950 --> 00:02:08,430
If some other process maintains an open handle to a file, making the system unable to delete the file,

23
00:02:08,600 --> 00:02:15,670
this can be a problem. To identify a parent process, we'll again resort to Process Explorer or a third

24
00:02:15,670 --> 00:02:23,250
component of the Sysinternals suite, Process Monitor. With this utility, stopping an entire process won't

25
00:02:23,250 --> 00:02:24,440
be necessary.

26
00:02:25,200 --> 00:02:28,500
It'll be enough to terminate a handle to an open file in the process.

27
00:02:31,180 --> 00:02:32,000
If it fails,

28
00:02:32,020 --> 00:02:39,650
you can also attempt to remove the file at system reboot. This will schedule the removal, but the operation will

29
00:02:39,650 --> 00:02:43,680
be executed very early on during the launch of the operating system.

30
00:02:43,700 --> 00:02:49,950
This will occur ahead of any other process capable of blocking the removal. To accomplish this,

31
00:02:49,970 --> 00:02:56,950
we can use a fourth tool that is a component of the Sysinternals suite, MoveFile. Let's discover this

32
00:02:56,950 --> 00:02:59,050
procedure step by step in practice.

33
00:03:07,550 --> 00:03:12,770
First, check out the information on processes that are automatically run at system start, as returned by

34
00:03:12,770 --> 00:03:13,600
msconfig.

35
00:03:14,720 --> 00:03:21,370
Beside system services, there are only three entries in the Startup tab; only three programs are supposed

36
00:03:21,370 --> 00:03:23,910
to run at startup.

37
00:03:23,910 --> 00:03:29,400
Let's compare this list against the information returned by Autoruns, a component of Sysinternals.

38
00:03:32,030 --> 00:03:36,860
Launching the program, you can see that the list of tabs that represent sites that can contain automatically

39
00:03:36,860 --> 00:03:40,080
run files is quite long.

40
00:03:40,190 --> 00:03:44,720
The computer scan isn't yet completed, but you can already see there are more results than three.

41
00:03:49,470 --> 00:03:55,600
During the scan we can move to the Logon tab. As you can see, some programs start automatically when

42
00:03:55,600 --> 00:03:58,690
you log onto your computer.

43
00:03:58,790 --> 00:04:03,720
The suspicious elements in this section include programs that claim to be provided by Microsoft but

44
00:04:03,720 --> 00:04:05,340
have not yet been verified.

45
00:04:07,470 --> 00:04:12,270
In a moment we'll run an automatic verification of all entries, similar to the one performed in Process

46
00:04:12,270 --> 00:04:12,930
Explorer.

47
00:04:15,770 --> 00:04:17,660
Programs are automatically run in Windows

48
00:04:17,660 --> 00:04:25,620
not only at logon; environment extensions and system shell extensions can also load programs.

49
00:04:25,750 --> 00:04:31,150
You can even see here an error: a program or a library that should be loaded but can't be found.

50
00:04:34,770 --> 00:04:40,910
There are also many tasks that can be scheduled to start up automatically at system boot. You can see here

51
00:04:40,910 --> 00:04:48,990
one instance of such a task. Each time you locate an entry, you can delete it or verify it online, but

52
00:04:48,990 --> 00:04:52,930
also track it with Process Explorer and check the properties of the process.

53
00:04:57,960 --> 00:05:03,360
As far as registry keys are concerned, you can jump directly to the place in the registry where the entry

54
00:05:03,360 --> 00:05:11,380
is found.

55
00:05:11,570 --> 00:05:14,870
The scan has ended in the meantime.

56
00:05:15,000 --> 00:05:18,480
This is a demo version of the system, so there aren't a lot of entries.

57
00:05:19,990 --> 00:05:22,670
You can still discover some things that shouldn't be there.

58
00:05:23,570 --> 00:05:29,890
Some weird drivers that have been deleted are on the list; the entries are not found.

59
00:05:29,940 --> 00:05:33,470
You should either delete the entries or verify them in some other way.

60
00:05:35,240 --> 00:05:40,940
Since the displayed list is quite long, it's useful that the application implements a way to filter results

61
00:05:41,000 --> 00:05:43,840
and compare saved entries with an updated list.

62
00:05:46,500 --> 00:05:51,160
Filtering can be set to hide Windows entries.

63
00:05:51,230 --> 00:05:53,730
This is the default option.

64
00:05:53,740 --> 00:06:00,190
You can also hide Microsoft entries, or, checking the second option from the top, you can hide all Microsoft

65
00:06:00,190 --> 00:06:03,600
results that have been verified through the use of a digital signature.

66
00:06:07,070 --> 00:06:13,730
Unchecking the options will automatically expand the list of startup files.

67
00:06:13,960 --> 00:06:20,360
The programs you saw before should be paid close attention; these processes or programs can be suspicious.

68
00:06:22,180 --> 00:06:26,940
We'll also show how you can remove a file that can't be deleted in a standard manner, without the use

69
00:06:26,940 --> 00:06:30,870
of MoveFile.

70
00:06:30,890 --> 00:06:33,820
This is an excuse to showcase another helpful tool:

71
00:06:33,830 --> 00:06:41,760
Process Monitor. Process Monitor captures in real time the activity of all or of selected processes.

72
00:06:44,670 --> 00:06:51,860
As you can see, explorer.exe performs some operations on the registry.

73
00:06:51,870 --> 00:06:56,160
You can also view the result of each attempted operation, whether it's successful or failed.

74
00:06:58,880 --> 00:07:05,570
We'll create the test directory in the command line and go to the directory. Next we'll create a subfolder,

75
00:07:05,570 --> 00:07:15,010
test2.

76
00:07:15,050 --> 00:07:18,650
Now let's look at the sequence of operations executed by our program.

77
00:07:23,500 --> 00:07:24,840
By right-clicking on a program,

78
00:07:24,850 --> 00:07:31,030
you can create dynamic filters. The filter we'll create will include the cmd.exe process.

79
00:07:34,790 --> 00:07:37,220
The list of actions that are visible in the main window

80
00:07:37,250 --> 00:07:40,420
includes only the operations executed by our process.

81
00:07:48,040 --> 00:07:49,720
Like the other utilities we have shown,

82
00:07:49,720 --> 00:07:56,410
Process Monitor includes a feature that makes it possible to identify processes.

83
00:07:56,450 --> 00:08:00,140
You can easily find a specific process.

84
00:08:00,140 --> 00:08:05,750
Process Monitor is not restricted to tracking system programs' activity.

85
00:08:05,780 --> 00:08:13,030
It is also a great troubleshooting tool for programs that require escalated permissions to run.

86
00:08:13,100 --> 00:08:14,710
We'll talk about this later.

87
00:08:16,270 --> 00:08:23,180
In that case the program's window will contain error messages that can be used to check program activity

88
00:08:23,240 --> 00:08:28,340
and grant user permissions to files, folders and registry keys without granting the user administrator

89
00:08:28,340 --> 00:08:31,860
privileges.

90
00:08:31,920 --> 00:08:35,630
It's an important feature that can help you implement the principle of least privilege.