Process Explorer 16.0 brings Virustotal support
Process Explorer provides information that the Windows Task Manager does not offer. The default Task Manager lets you list the processes running on a system, but that is about as far as it goes.
Process Explorer adds a multitude of information so that you can inspect each running process thoroughly. It is for instance possible to see the command line a process was started with, list all of a process's threads, open file handles and Registry keys, or get detailed performance and network statistics.
It is a program for professionals mostly, but it has its uses for regular users as well. The most recent version of Process Explorer was released today to Microsoft's Windows Sysinternals website.
Process Explorer 16 introduces Virustotal support to the application. Here is how this works.
When you start Process Explorer, you can enable Virustotal checks in two ways. You can either right-click any process listed by the application and select the "Check Virustotal" option from the context menu, or select Options > Virustotal.com > Check Virustotal instead.
By default Process Explorer submits only file hashes to Virustotal, not the files themselves, and displays the results in its interface. The lookup does not take long, and you should see the number of engines that flagged the file and the total number of engines that scanned it in a new column in the Process Explorer window.
What happens when an executable that Virustotal has never seen is discovered? Nothing, unless you enable the submission of unknown executables under Options > Virustotal.com.
If you do, unknown files are uploaded automatically to Virustotal, where they are scanned by all of its malware engines. The result is then displayed by Process Explorer, and the report also becomes available to all other Virustotal users who run into the same file on their systems. Since uploading hands a copy of the file to a third party, think twice before enabling this option on machines that run proprietary or otherwise sensitive executables.
All Virustotal results are links, which means that you can click on a link to be taken to the review page on Virustotal to access the detailed results of the scan.
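The hash-only lookup described above can be reproduced outside Process Explorer. The following PowerShell script is an added example and is not Process Explorer's own code: it computes the SHA-256 of every running process image, queries VirusTotal's public API v3 for an existing report, and prints the detection count, engine total, Authenticode signature status and the report link. Unknown hashes are reported as such and never uploaded, matching Process Explorer's default. It assumes an API key in the `VT_API_KEY` environment variable, the documented `https://www.virustotal.com/api/v3/files/<hash>` endpoint, and the public API's quota of four requests per minute; the helper name `Get-VtHashVerdict` is my own.

```powershell
# Added example (not Process Explorer's own code): hash-only VirusTotal lookup
# for all running process images, mirroring Process Explorer's default check.
# Assumptions: $env:VT_API_KEY holds a VirusTotal API key; the v3 endpoint
# /api/v3/files/<sha256> is used; the public API quota (4 requests/minute)
# is respected with a 15-second pause between lookups.

param(
    [string]$ApiKey = $env:VT_API_KEY
)
if (-not $ApiKey) { throw "Set VT_API_KEY to a VirusTotal API key first." }

function Get-VtHashVerdict {
    # Look up a SHA-256 on VirusTotal without uploading anything.
    param([Parameter(Mandatory)][string]$Sha256)
    $uri = "https://www.virustotal.com/api/v3/files/$Sha256"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -ErrorAction Stop
        $s = $r.data.attributes.last_analysis_stats
        # last_analysis_stats has one counter per verdict class (malicious,
        # suspicious, undetected, harmless, timeout, ...); their sum is the
        # number of engines that looked at the file.
        $total = ($s.PSObject.Properties | Measure-Object -Property Value -Sum).Sum
        return [pscustomobject]@{
            Known     = $true
            Malicious = [int]$s.malicious + [int]$s.suspicious
            Engines   = [int]$total
            Link      = "https://www.virustotal.com/gui/file/$Sha256"
        }
    } catch {
        # 404 means VirusTotal has never seen this hash. Process Explorer would
        # only upload such a file if submission of unknown executables is on.
        if ([int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Known = $false; Malicious = 0; Engines = 0; Link = $null }
        }
        throw
    }
}

# Unique image paths of running processes. Protected or higher-privilege
# processes whose Path cannot be read are skipped; run elevated to see them.
$images = Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique

foreach ($img in $images) {
    $hash = (Get-FileHash -Path $img -Algorithm SHA256).Hash.ToLower()
    $sig  = (Get-AuthenticodeSignature -FilePath $img).Status
    $v    = Get-VtHashVerdict -Sha256 $hash
    if ($v.Known) {
        "{0,-60} {1,3}/{2,-3} sig={3} {4}" -f $img, $v.Malicious, $v.Engines, $sig, $v.Link
    } else {
        "{0,-60} unknown to VirusTotal (not uploaded) sig={1}" -f $img, $sig
    }
    Start-Sleep -Seconds 15   # stay under the public API quota
}
```

Run it from an elevated PowerShell prompt to cover system processes as well; a low-detection hit on a file with a valid Microsoft signature is usually the kind of generic false positive the comments below describe, and the link lets you check which engines fired.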
Verdict
Integration of Virustotal adds another useful feature to Process Explorer. Especially worth mentioning is the ability to check every running process against Virustotal in one go, which gives you a quick malware sweep of everything running on the system.
The scanning is unobtrusive and works well, provided that any unknown files you want submitted do not exceed Virustotal's maximum upload size. (via Carsten Knobloch)
VirusTotal added a new AV yesterday: AegisLab
Process Explorer now shows 15 detections for Windows 7 OS processes, all from AegisLab
Anyone else noticing this?
Getting only Emsisoft false positives.
Ok. Thanks for checking!
I forgot to mention that these don't show up until I select "Show Details For All Processes", and Process Explorer then restarts as Administrator.
All detections are for system processes. Probably FPs but strange that it’s so many. example:
https://www.virustotal.com/en/file/32be52836f2a011d46957ad60aba48986b87026fd50ed09d8495460c7f1ab23e/analysis/
Nice update, but v16 shows my icore 7440 as having only 4 cores – everywhere else it shows up as having 8.
Yeah I laughed when I saw that too!
What did the link to Virustotal say?
I did not look it up, and it is gone now. Was 100% sure it was a false positive, so likely some “gen” generic hit.
Funny how procexp.exe itself got a hit on Virustotal on that screenshot…LOL.
Anyway, this nice and nifty new feature makes Process Explorer my top application for Windows!
I have used Process Explorer a lot and still do, but I also like Process Hacker:
http://processhacker.sourceforge.net/
Process Hacker has more customization options than Process Explorer, but they're both great programs that I find indispensable. Every toolkit should have at least one of these programs, if not both.
Very nice! After right-clicking, I’m getting a link under the Virus Total column in PE that takes me to a web page with a nice rundown of all the major AV services and safety checkmarks.
Nice addition, but it’s buggy. When I select ‘Show Lower Plane’ with Virus Total switched on, it causes procexp64.exe to crash. Something about BEX64, whatever that is.
Good to know. The only issue that I experienced was that no value was returned for some files, but that was likely a transfer issue. After a restart, all files checked out fine.
It seems they’ve fixed the crash problem now with v16.01. I had verifying digital signatures switched on, so maybe that’s why it crashed with me, but not for you.
“Process Explorer v16.01: This release fixes a bug that could cause a crash when the VirusTotal column is added to the process view, and another that could cause a crash when verifying digital signatures.”
http://blogs.technet.com/b/sysinternals/archive/2014/02/04/updates-process-explorer-v16-01-sigcheck-v2-02.aspx
The only thing I get is “JSON object could not be decoded”.