{"id":1681,"date":"2016-02-21T08:49:07","date_gmt":"2016-02-21T13:49:07","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1681"},"modified":"2016-02-21T08:49:07","modified_gmt":"2016-02-21T13:49:07","slug":"powershell-malware-detection-and-tracking-of-new-autoruns","status":"publish","type":"post","link":"https:\/\/www.wildow.com\/blog\/?p=1681","title":{"rendered":"PowerShell: Malware detection and tracking of new autoruns"},"content":{"rendered":"<h3 class=\"post-name\"><a title=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/2016\/02\/20\/powershell-malware-detection-and-tracking-of-new-autoruns.aspx\" href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/2016\/02\/20\/powershell-malware-detection-and-tracking-of-new-autoruns.aspx\" target=\"_blank\">PowerShell: Malware detection and tracking of new autoruns<\/a><\/h3>\n<div class=\"post-author\"><span class=\"user-name\"><a href=\"http:\/\/social.technet.microsoft.com\/profile\/Robin%20Granberg\">Robin Granberg<\/a><\/span><\/div>\n<div class=\"post-date\"><span class=\"value\">20 Feb 2016 2:35 AM<\/span><\/div>\n<div class=\"post-content user-defined-markup\">\n<h2>Old Project realized<\/h2>\n<p>A month ago I reinstalled one of my PCs and thought of a project I started but never finished many years ago. It was when I found out about autorunsc.exe, one of the many awesome tools from the <strong>Sysinternals suite<\/strong> and its creator <strong>Mark Russinovich<\/strong>, that I had the idea to <strong>keep track of all additions to my Windows installation<\/strong>. 
That is, any additions that had an effect on my boot process or that started a process at startup. With this information I would be able to determine when I had additions I had neither approved nor expected. Then I could simply remove these binaries or uninstall the guilty application.<\/p>\n<p><strong>Now, I have a slightly different approach<\/strong>. Besides catching all additions to the auto-runs in my Windows installation, <strong>I would also like to know which executables are signed or not, and whether these could be a threat to me<\/strong>. I&#8217;m thinking of malware and malicious code. I think autorunsc.exe can do a fantastic job here with all its features, especially some of the new ones, in combination with another awesome tool, also from Sysinternals: Sigcheck.<\/p>\n<p><strong>Some of the things Autorunsc does:<\/strong><\/p>\n<ul>\n<li>List all drivers, processes, scheduled tasks, boot drivers, logon startups and auto-runs.<\/li>\n<li>Check whether the image of the executable is signed or not.<\/li>\n<li>Check the hash of the image.<\/li>\n<\/ul>\n<p><strong>Link to Autoruns:<\/strong> <a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902\">https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902<\/a><\/p>\n<p><strong>Some of the things SigCheck does:<\/strong><\/p>\n<ul>\n<li>Verify signatures.<\/li>\n<li>Check the image against Virus Total, a free online virus, malware and URL scanner.<\/li>\n<\/ul>\n<p><strong>Link to SigCheck:<\/strong> <a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897441\">https:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb897441<\/a><\/p>\n<p>With a combination of both:<\/p>\n<p><strong>Scan my entire system&#8217;s auto-runs against Virus Total<\/strong>, i.e. 
the things Autorunsc.exe collects:<\/p>\n<ul>\n<li>Boot execute.<\/li>\n<li>Codecs.<\/li>\n<li>Appinit DLLs.<\/li>\n<li>Explorer addons.<\/li>\n<li>Sidebar gadgets (Vista and higher)<\/li>\n<li>Image hijacks.<\/li>\n<li>Internet Explorer addons.<\/li>\n<li>Known DLLs.<\/li>\n<li>Logon startups (this is the default).<\/li>\n<li>WMI entries.<\/li>\n<li>Winsock protocol and network providers.<\/li>\n<li>Office addins.<\/li>\n<li>Printer monitor DLLs.<\/li>\n<li>LSA security providers.<\/li>\n<li>Autostart services and non-disabled drivers.<\/li>\n<li>Scheduled tasks.<\/li>\n<li>Winlogon entries.<\/li>\n<\/ul>\n<h2><b>Powershell &#8211; There&#8217;s nothing PowerShell can&#8217;t do!<a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/powershell_2D00_logo.jpg\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/120x120\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/powershell_2D00_logo.jpg\" alt=\" \" border=\"0\" \/><\/a><\/b><\/h2>\n<p>Powershell comes to help once again. 
Using PowerShell, I built a wrapper around these two Sysinternals tools (Autorunsc.exe and SigCheck.exe) plus a small GUI that notifies you when new binaries appear on your system.<\/p>\n<p>The process:<\/p>\n<ul>\n<li>Use Scheduled Tasks to run the script at:\n<ul>\n<li>Boot (analyze autoruns).<\/li>\n<li>User logon (notifications).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>One PowerShell script does all the work.<\/li>\n<li>The script scans the machine with Autorunsc.exe.<\/li>\n<li>It generates CSV output.<\/li>\n<li>It compares the CSV files between boots.<\/li>\n<li>It finds any differences.<\/li>\n<li>It sends the user notifications when:\n<ul>\n<li>New unsigned non-Microsoft binaries are added.<\/li>\n<li>New unsigned Microsoft binaries are added.<\/li>\n<li>Unsigned binaries with a new hash are found.<\/li>\n<li>New non-Microsoft binaries are added.<\/li>\n<li>New Microsoft binaries are added.<\/li>\n<\/ul>\n<\/li>\n<li>It provides a UI to see the added files and a summary.<\/li>\n<li>With the list of additions you can run a check against Virus Total.<\/li>\n<\/ul>\n<h2><b>The value this script provides<\/b><\/h2>\n<ul>\n<li>Scans the entire system&#8217;s auto-runs with Virus Total.<\/li>\n<li>Creates an offline file for scanning the entire system&#8217;s auto-runs with Virus Total when no internet is available.<\/li>\n<li>Notifications when additions are made to the system.<\/li>\n<li>A summary of additions over every boot.<\/li>\n<li>A summary of current additions with information about what kind of modifications were made.<\/li>\n<\/ul>\n<h2><b>Requirements<\/b><\/h2>\n<p>These are the requirements.<\/p>\n<ul>\n<li>PowerShell<\/li>\n<li>Sysinternals Autorunsc v13.51 (or newer) &#8211; autostart program viewer.<\/li>\n<li>Sysinternals Sigcheck v2.50 (or newer) &#8211; file version and signature viewer.<\/li>\n<li>Internet connection if you will run a check against Virus Total.<\/li>\n<li><b>Important!<\/b> Once 
run Sigcheck -v &lt;any file&gt; and accept the agreement with Virus Total, if you do agree, of course :).<\/li>\n<li><b>Important!<\/b> Agree to the Autorunsc.exe EULA.<\/li>\n<li><b>Important!<\/b> Agree to the SigCheck.exe EULA.<\/li>\n<\/ul>\n<p>Run the PowerShell script once and it will prompt you with the option to agree to the EULA and to use Virus Total.<\/p>\n<p><b>Tip!<\/b>: I would recommend the nice script <b>Update-sysinternals.ps1<\/b> to keep your Sysinternals tools updated.<\/p>\n<p>Modify the following command in the script to something like this:<\/p>\n<p>Update-Sysinternalshttp -ToolsLocalDir &#8220;c:\\Sysinternals&#8221;<\/p>\n<p><a href=\"https:\/\/gallery.technet.microsoft.com\/scriptcenter\/Another-Sysinternals-Tools-aa288439\">https:\/\/gallery.technet.microsoft.com\/scriptcenter\/Another-Sysinternals-Tools-aa288439<\/a><\/p>\n<h2><b>Config<\/b><\/h2>\n<p>To run this you have to put these two files, Autorunsc.exe and SigCheck.exe, in a folder on your drive. The expected path is <strong>C:\\Sysinternals<\/strong>, but it&#8217;s configurable.<\/p>\n<p>1. The first run must include the &#8220;-Analyze&#8221; switch. 
This is needed after each boot since it collects all auto-runs.<\/p>\n<p>Verify-Autoruns.ps1 -Analyze<\/p>\n<p>Or<\/p>\n<p>Verify-Autoruns.ps1 -Analyze -Dir &lt;folder path to Autorunsc.exe and SigCheck.exe&gt;<\/p>\n<p>2. Once we have collected data we can run the script without scanning if we just want to get notifications and a summary:<\/p>\n<p>Verify-Autoruns.ps1<\/p>\n<p>Or if we want notifications even if nothing has happened:<\/p>\n<p>Verify-Autoruns.ps1 -Icon<\/p>\n<p>I also suggest you put the script in the same directory, but it is not a requirement, though it must be configured in the scheduled task.<\/p>\n<p><strong>You can schedule a task that runs at every boot.<\/strong><\/p>\n<p>This is the action for the task:<\/p>\n<p><b>Program:<\/b> C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe<\/p>\n<p><b>Arguments:<\/b> -ExecutionPolicy Unrestricted -File &#8220;C:\\Sysinternals\\Verify-Autoruns.ps1&#8221; &#8220;-Analyze&#8221;<\/p>\n<p>If you want, you can just import the exported Scheduled Task provided: Verify Autoruns &#8211; Analyze Boot.xml, included in the attached file <strong>VerifyAutoruns_ScheduledTaskExports.zip<\/strong>.<\/p>\n<p>You can also schedule a task that runs at every logon to provide the user who logs on with notifications.<\/p>\n<p><b>Program:<\/b> C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe<\/p>\n<p><b>Arguments:<\/b> -Nologo -WindowStyle Hidden -ExecutionPolicy Unrestricted -File &#8220;C:\\Sysinternals\\Verify-Autoruns.ps1&#8221; &#8220;-Icon&#8221;<\/p>\n<p>If you want, you can just import the exported Scheduled Task provided: Verify Autoruns &#8211; Verify.xml, included in the attached 
file <strong>VerifyAutoruns_ScheduledTaskExports.zip<\/strong>.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/ScheduleTasksVerifyAutoruns.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/ScheduleTasksVerifyAutoruns.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<h2><b>Output from Verify-Autoruns<\/b><\/h2>\n<p>This PowerShell script generates:<\/p>\n<ul>\n<li>A CSV file with all the autoruns on the system, in a folder called C:\\AutorunsLogs (can be customized). Example: AutorunsC_20160210-0925.csv<\/li>\n<\/ul>\n<p>Verify-Autoruns.ps1 -LogDir &lt;folder path to all logs&gt;<\/p>\n<ul>\n<li>A CSV file with any new files added. This requires that you have at least two boot scans; only one file is created per boot. Example file: AutorunsC_New_20160210-0950.csv<\/li>\n<li>A CSV file with the collected summary of all added files, i.e. the contents of all AutorunsC_New.. files.<\/li>\n<li>A SigCheck input CSV file for offline systems that cannot access the internet. 
This file can be moved to an internet-connected system and checked against Virus Total there.<\/li>\n<li>Notification icon.<\/li>\n<li>Balloon notifications.<\/li>\n<li>Report window.<\/li>\n<li>Summary window.<\/li>\n<\/ul>\n<h2><b>Notifications Icon<\/b><\/h2>\n<p>This shield icon in the task bar lets you access three things:<\/p>\n<ul>\n<li>The Report Window.<\/li>\n<li>The Summary of the last run.<\/li>\n<li>Windows Reliability Monitor (this tool can show you events on your system that might have caused one of the additions to the auto-runs).<\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/NotificationIconMeny.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/NotificationIconMeny.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<h2><b>Balloon Notifications<\/b><\/h2>\n<p>The following notifications are fired on detection. 
This will require that you have at least two boot scans created, there&#8217;s only going to be one file for each boot.<\/p>\n<ul>\n<li><strong>New Non-Microsoft Files that are not signed<\/strong><\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8372.Notifi_5F00_UnsignedNonMS.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8372.Notifi_5F00_UnsignedNonMS.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<ul>\n<li><strong>Files with new Hash that are not signed<\/strong><\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_UnsignedNewHash.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_UnsignedNewHash.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<ul>\n<li><strong>New Microsoft files that are not signed<\/strong><\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8037.Notifi_5F00_UnsignedMS.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8037.Notifi_5F00_UnsignedMS.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<ul>\n<li><strong>New Non-Microsoft files added<\/strong><\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_NonMS.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_NonMS.png\" alt=\" \" border=\"0\" 
\/><\/a><\/p>\n<ul>\n<li><strong>New Microsoft files added<\/strong><\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_MS.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/Notifi_5F00_MS.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<h2><b>Report Window<\/b><\/h2>\n<p>Here you can view the files added to autoruns. You can also:<\/p>\n<ul>\n<li>View a summary of the last boot.<\/li>\n<li>View the logfile.<\/li>\n<li>Check the new files against Virus Total. Requires internet. (Requires SigCheck.exe ver 2.50 in the same folder as Autorunsc.exe.)<\/li>\n<li>Check all current autoruns against Virus Total. Requires internet. (This might take a while.)<\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8156.AlertGUI_5F00_NonMSUnsigned.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/8156.AlertGUI_5F00_NonMSUnsigned.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<h2><b>Summary Window<\/b><\/h2>\n<p>This list shows the results from the latest analysis.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/SummaryGUI.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/SummaryGUI.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<h2><b>Virus Total Check Window<\/b><\/h2>\n<p>This is a table with the results from Virus Total. <strong>The column VT Detection shows the detection ratio. 
It tells you how many sources flagged the binary as &#8220;unsecure&#8221;, out of the total number of sources consulted.<\/strong><\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/cfs-file.ashx\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/VTGUI.png\"><img decoding=\"async\" src=\"http:\/\/blogs.technet.com\/resized-image.ashx\/__size\/550x0\/__key\/communityserver-blogs-components-weblogfiles\/00-00-00-94-14\/VTGUI.png\" alt=\" \" border=\"0\" \/><\/a><\/p>\n<p>This picture shows the Virus Total outcome for the new additions to Windows from the latest boot.<\/p>\n<h2><b>Scan the entire system&#8217;s auto-runs against Virus Total<\/b><\/h2>\n<p>If you would like to scan all binaries that the system runs at boot and startup, you can do it from the <strong>Report Window<\/strong> by clicking &#8220;<strong>Check All System Autoruns with Virus Total<\/strong>&#8221;, or you can do it directly from the <strong>PowerShell<\/strong> command line.<\/p>\n<p>Command:<\/p>\n<p>PS C:\\Sysinternals&gt; .\\Verify-Autoruns.ps1 -SystemCheck<\/p>\n<p>This action might take a while since there are many files to be checked over the internet.<\/p>\n<p><strong>Or if no internet connection is possible:<\/strong><\/p>\n<p>PS C:\\Sysinternals&gt; .\\Verify-Autoruns.ps1 -SystemCheck -Offline<\/p>\n<p>The output from this command can be used with SigCheck on an internet-connected system like this:<\/p>\n<p>SigCheck.exe -o -v VTInput.csv &gt; VTResult.csv<\/p>\n<p>This output file will contain the VT Detection ratio for each file. 
It&#8217;s a CSV file that is best opened in Excel or similar.<\/p>\n<h2><b>Summary<\/b><\/h2>\n<p>With this script running on my PCs I can easily determine all the auto-runs added, even over time. But the coolest feature, in my opinion, is that you can scan the entire system&#8217;s auto-runs against Virus Total online or offline.<\/p>\n<p>This script does of course <strong>not replace any antivirus or anti-malware software<\/strong>. I use it on all my PCs as an additional control and nice-to-have.<\/p>\n<p>The script is available at <a href=\"https:\/\/gallery.technet.microsoft.com\/scriptcenter\/Malware-detection-and-995f01eb\">TechNet Script Center here.<\/a><\/p>\n<\/div>\n<div class=\"post-attachment-viewer\">\n<div class=\"post-attachment\"><span class=\"value\"><a class=\"internal-link download-attachment\" href=\"http:\/\/blogs.technet.com\/cfs-filesystemfile.ashx\/__key\/telligent-evolution-components-attachments\/01-9414-00-00-03-66-05-56\/VerifyAutoruns_5F00_ScheduledTaskExports.zip\">VerifyAutoruns_ScheduledTaskExports.zip<\/a><\/span><\/div>\n<\/div>\n<div class=\"post-tags\"><span class=\"ui-tag\" data-contentid=\"79b22bf2-41bf-4fb0-892e-c9a332468f20\" data-contenttypeid=\"f7d226ab-d59f-475c-9d22-4a79e3f0ec07\" data-urlformat=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/{tag}\/default.aspx\" data-readonly=\"true\" data-tags=\"Powershell,autorunsc,Sigcheck,VirusTotal,malware,Autoruns\" data-configuration=\"\"><a 
href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/Powershell\/default.aspx\" rel=\"nofollow tag\">Powershell<\/a>,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/autorunsc\/default.aspx\" rel=\"nofollow tag\">autorunsc<\/a>,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/Sigcheck\/default.aspx\" rel=\"nofollow tag\">Sigcheck<\/a>,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/VirusTotal\/default.aspx\" rel=\"nofollow tag\">VirusTotal<\/a>,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/malware\/default.aspx\" rel=\"nofollow tag\">malware<\/a>,<span class=\"Apple-converted-space\">\u00a0<\/span><a href=\"http:\/\/blogs.technet.com\/b\/pfesweplat\/archive\/tags\/Autoruns\/default.aspx\" rel=\"nofollow tag\">Autoruns<\/a><\/span><\/div>\n","protected":false},"excerpt":{"rendered":"<p>PowerShell: Malware detection and tracking of new autoruns Robin Granberg\u00a0 20 Feb 2016 2:35 AM\u00a0 Old Project realized A month ago I reinstalled one of my PC&#8217;s and thought of a project I started but never finished many years ago. 
&#8230; <a class=\"more-link\" href=\"https:\/\/www.wildow.com\/blog\/?p=1681\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1681","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1681"}],"version-history":[{"count":1,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1681\/revisions"}],"predecessor-version":[{"id":1682,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1681\/revisions\/1682"}],"wp:attachment":[{"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}