Better yet, put the sample through an online sandbox called Malwr.com and see the output from the sandbox. That will give you some indicators of what is going on with it.
Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] On Behalf Of Erik Goldoff
Sent: Thursday, December 05, 2013 10:13 PM
To: [email protected]
Subject: RE: [NTSysADM] Shrink the size of winsxs & other places, new tool avail

The Symantec result from VirusTotal was "WS.Reputation.1"; that wasn't a signature match, it was a result of their Insight reputation database. Just like when doing manual load point analysis of suspicious files, I would Google the filename. Three possible outcomes:

1. Known file for a reasonably long time, known safe.
2. Known file for a reasonably long time, known malicious.
3. New file not yet known: not enough information to declare it safe, but also not enough known to declare it malicious.

Most commercial software will fall under category #1, most known malware will be category #2. Category #3 can include both new benign files but also newly released malware, so new it's not in signatures yet. Hence the Reputation flag as potential malware.
It remains to be seen after a reasonable amount of time if it is declared safe or malicious.

From: [email protected] On Behalf Of Arma Rayo
Sent: Thursday, December 05, 2013 8:45 PM
To: [email protected]
Subject: RE: [NTSysADM] Shrink the size of winsxs & other places, new tool avail

Hi all, again :)

I have read all that information from MS regarding shrinking the WinSxS folder. While it is true that one cannot just go and delete here and there without knowing what to delete, because it might hurt the installer/uninstaller/repair/patch/unpatch functions of the OS, MS has had to use the "do not touch it" jargon as a general rule, as otherwise most people would not know what they're doing. MS states in the KB discussing the size of WinSxS that they don't really recommend deleting stuff there, but they also aren't saying that it would be the ultimate hazard, no.

As I wrote before, the Windows Update Clean tool is very much in the know about what can be deleted and what cannot. It's careful and precise. It only deletes old versions: obsolete and invalid has-been Windows files that are replaced by new ones. The tool also links those deleted item locations to point to the latest, newest files that are in use. After scanning, the tool lists the locations that have stuff to remove, but marks the locations as either Delete or Retain, and the user can opt in and opt out of these recommendations. The tool also shows how much space it's able to free up.

In my previous post I wrote 3GB away; I just want to clarify that the tool didn't shrink my WinSxS from 11GB to 3GB, no, but it was able to shrink the size of WinSxS and a few other locations all together by 3GB, so 3GB of space was freed up from my precious SSD (in addition to what CMD Dism or Disk Cleanup could free up by removing SP1 uninstallability). The same with the tool in question: after using the tool, Windows updates cannot be rolled back(!).
But Office updates can be rolled back, as the tool always suggests retaining MSOcache.

I understand where you stand and want to get confirmation regarding this tool. That's good. I want it too. I was very surprised to see that of Virus Total's 40+ engines, 2 marked it at least suspicious. Then again, it doesn't surprise me that some engines marked it, solely because of behaviour analysis; after all, the tool goes into core Windows folders and deletes stuff there. I think that the author(s) of the tool should be informed about the Virus Total results in the hopes of fixing it. But I'm kind of lazy to register on that Chinese forum.. When I found out about this tool I expected some more fancy website made for it than that mixed-language forum post. Certainly if the tool were malware they haven't thought of marketing strategists, as the forum topic is going to raise more questions than a sleek website page would.

After using the tool I have not only done a complete virus scan of my system with Avast 9, but I have also used 3 different rootkit scanners, and all together not a single issue was found (nor has using the tool impacted the performance of my Win 7 Pro x64). I used Kaspersky, Comodo and Avast rootkit scanners; no issues found.

How I found the tool? I was looking for 3rd party plugins in order to make Windows Explorer tabbed. I came across this: http://ejie.me/ and then this: http://ejie.me/windows-update-clean-tool/ (don't use the DL links there, as they link to an older version; the latest version is here: http://www.chuyusoft.com/thread-274-1-1.html). Oh yeah, btw, I found that tabbing Windows Explorer is better not to try, as those few plugins out there seem to mess up more than do good. Same with that Clover 3 plugin; it doesn't even work with x64.

So, here's my story about the tool. Take it or leave it; no one forces you to use the tool. Since it was some 2 weeks ago that I used it, I should be seeing some malware action going on.. if there were malware?
But my very strictly configured Comodo Firewall (with Defense+) and Avast antivirus haven't alerted on a single thing. Nor did a full system scan, and nor did using 3 different rootkit scanners. I also use Sysinternals tools and I don't see any signs of malware. But as people pointed out here that 2 engines in Virus Total mark the tool, I suspect that it's because of the behavior of the tool; but of course, if there are people that could go more in depth about the tool, that would be really awesome.

Sincerely,
ArmaRayo

(Regarding my nick, and me: I'm a Finnish male and my nick is just a joke from the past, where "arma" does not precisely mean a "gun" and "rayo" has more to do with a sun ray, but ~ anyhow...) :)

> Date: Thu, 5 Dec 2013 10:06:16 -0800
> From: [email protected]
> To: [email protected]
> Subject: Re: [NTSysADM] Shrink the size of winsxs & other places, new tool avail
>
> I've not directly heard of cases, but I'm not sure of many doing it.
>
> How to address disk space issues that are caused by a large Windows component store (WinSxS) directory:
> http://support.microsoft.com/kb/2795190/en-us
> More links from MS regarding WinSxS
>
> On 12/5/2013 9:55 AM, Micheal Espinola Jr wrote:
> > Hi Susan!
> >
> > While you're here, and this doesn't relate to patch-management directly - do you know of any negative repercussions to compressing parts of, if not all of, the WinSXS folder structure?
> >
> > --
> > Espi
> >
> > On Thu, Dec 5, 2013 at 9:33 AM, Susan Bradley <[email protected]> wrote:
> > > Not to mention if the WinSXS folder is not cleaned up in the manner that Windows wants it to be cleaned up, you can render your machine unpatchable and be facing a repair install (at best) and a total rebuild at worst.
> > >
> > > http://blogs.technet.com/b/joscon/archive/2010/08/06/should-you-delete-files-in-the-winsxs-directory-and-what-s-the-deal-with-vss.aspx
> > > http://blogs.technet.com/b/joscon/archive/2009/06/12/why-is-the-windows-winsxs-directory-so-large.aspx
> > >
> > > Even if it's not malware, I would not be using a tool that isn't blessed and supported by Mothership Redmond.
> > > (Lurker on the list/listmom on Patchmanagement.org, where there's enough patching pain caused by updates without inflicting more on yourself.)
> > >
> > > On 12/5/2013 9:14 AM, Richard Stovall wrote:
> > > > Does Amit still have his world-renowned malware testing lab? Maybe he could check it out for us.
> > > >
> > > > On Thu, Dec 5, 2013 at 11:36 AM, Ben Scott <[email protected]> wrote:
> > > > > Fellow list members: Poster of the below has never posted to this list before. This is, at best, spam. Software may even be a trojan horse.
> > > > >
> > > > > OP: If you are legit, my apologies, but this behavior is highly suspicious.
> > > > >
> > > > > On Thu, Dec 5, 2013 at 11:25 AM, Arma Rayo <[email protected]> wrote:
> > > > > > A lot of people are having frustration with the WinSxs folder and especially with its ever-growing size.
> > > > > >
> > > > > > MS has released an update to Disk Cleanup that can help to reduce the size of the folder by removing SP backups and its backups.
> > > > > >
> > > > > > However, for many this is not enough.
> > > > > >
> > > > > > A Chinese-based coder group has launched a tool called
> > > > > >
> > > > > > The Windows Update Clean Tool
> > > > > >
> > > > > > PIC
> > > > > > http://ejie.me/images/win_upd_clean.png
> > > > > >
> > > > > > The tool is very careful and precise and only deletes what is safe to delete. It also links/junctions old deleted items to the latest ones. Be noted that after cleaning WinSxs with this tool, rolling back Windows Updates isn't possible.
> > > > > >
> > > > > > Always use the latest version, DOWNLOAD link here:
> > > > > > http://www.chuyusoft.com/thread-274-1-1.html
> > > > > >
> > > > > > CHEERS
> > >
> > > --
> > > Got your CryptoLocker prevention in place?
> > > http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
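As an added example, not code from any participant in this thread or from the tool it discusses: a PowerShell script that reports the apparent size of WinSxS and, only when asked, runs the component-store cleanup Microsoft itself supports through DISM, which is the route the KB article linked above (KB2795190) describes for Windows 7 SP1, in place of a third-party deleter. It assumes Windows 7 SP1 / Server 2008 R2 SP1 or later and an elevated session; the `/StartComponentCleanup` switch used for Windows 8 and later is my addition and is not mentioned anywhere in the thread.

```powershell
<#
Added example, not code from the thread or from the tool it discusses.
Reports the apparent size of the component store and, only when -Cleanup is
given, runs the Microsoft-supported DISM cleanup instead of a third-party deleter.
Assumes Windows 7 SP1 / Server 2008 R2 SP1 or later and an elevated session.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Cleanup
)

$winsxs = Join-Path $env:SystemRoot 'WinSxS'

# Explorer-style size: sums every file even though most WinSxS entries are hard
# links to files under System32, so this number overstates the space really used.
$bytes = (Get-ChildItem -LiteralPath $winsxs -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } |
          Measure-Object -Property Length -Sum).Sum
Write-Output ('{0} apparent size: {1:N1} GB' -f $winsxs, ($bytes / 1GB))

if (-not $Cleanup) { return }

# DISM servicing needs administrator rights; fail early rather than half-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Pick the supported switch for the OS generation. Both go through the servicing
# stack, which keeps the component store's bookkeeping consistent; a tool that
# deletes and junctions files on its own works outside that bookkeeping.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion -ge [Version]'6.2') {
    # Windows 8 / Server 2012 and later (assumption: this switch is not in the thread).
    $dismArgs = '/Online', '/Cleanup-Image', '/StartComponentCleanup'
} else {
    # Windows 7 SP1 / Server 2008 R2 SP1: the method KB2795190 documents. It removes
    # only the Service Pack 1 backup files, and SP1 cannot be uninstalled afterwards.
    $dismArgs = '/Online', '/Cleanup-Image', '/SpSuperseded'
}

# As with the tool discussed in the thread, removed versions cannot be rolled
# back, so -WhatIf shows the exact command before anything is changed.
$dism = Join-Path $env:SystemRoot 'System32\Dism.exe'
if ($PSCmdlet.ShouldProcess($winsxs, "$dism $($dismArgs -join ' ')")) {
    & $dism @dismArgs
    if ($LASTEXITCODE -ne 0) { throw "DISM exited with code $LASTEXITCODE" }
}
```

Run it with no switches to see the size only; add `-Cleanup -WhatIf` to preview the DISM command, and `-Cleanup` to run it. The size it prints is the same inflated figure Explorer shows, which the joscon blog post linked above explains is mostly hard links, so a large number on its own is not a reason to reach for an unsupported cleaner.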

