CrowdInspect: second-opinion malware scanner with Virustotal integration
CrowdInspect is a free portable program for Microsoft Windows devices that enables you to give your system a thorough second opinion malware scan.
While you may have all the confidence in the world in resident security software, it may be a good security precaution to run second opinion scans regularly on machines just to confirm that confidence.
The reason for scanning the system with other security software is simple: no solution is perfect. What one product may detect, may be totally unknown to another.
There are numerous tools that you can use to run second opinion scans, for instance Malwarebytes 3.0, Dr. Web CureIt, or Microsoft Security Scanner.
CrowdInspect review
CrowdInspect is an on-demand scanner for Windows. You can download the program from the developer website, and run it from any location on supported Windows machines.
The program displays an EULA on start, an an option to switch from the integrated Virustotal API key to a custom one. The main benefit doing so is that CrowdInspect displays only total scores and not individual scores if the built-in key is used.
The program lists all running processes on start, and begins to scan them right away. Each process is listed with its name, and a variety of useful information.
The four columns that begin right after process name and ID highlight code injection status, the Virustotal score, the Team Cymru malware hash registry result, and Web of Trust for remote connections.
These scores are color coded, and indicate right away if the file checked out fine, or if it requires further attention.
CrowdInspect checks the network status of each process as well, displays the type and state, and local and remote IP addresses.
The scans happen in real-time while CrowdInspect is up and running. If a new program is launched for instance, it is scanned by the program eventually.
You may pause the scanning at any time with a click on the pause button. You may also add or hide information from the interface. A click on full path replaces the file name with the full path and file name for instance.
Buttons are provided to kill selected processes or close network connections. You may right-click on processes instead to run the termination or close commands using the context menu.
A click on VT results opens score details and a link to the Virustotal website to look it up online. This is useful if at least one of the antivirus engines that Virustotal supports reports a hit.
CrowdInspect supports a history feature that you can switch to from the live view. History lists processes, scans and all of that sorted by date and time.
Closing Words
CrowdInspect is a handy second opinion scanner for Microsoft Windows that scans running processes and network connections using a variety of services. You may still need other software if hits are reported, as CrowdInspect does not offer much in terms of handling threats other than killing processes and cutting network connections.
Now You: Do you use second opinion scanners?
Windows, Firefox: ClamWin, FireClam – Hope this addon stays.
Linux, Firefox: Clam Tk, FireClam, (for eg, videos, music, ebooks downloaded from web sites – for mainly Windows viruses, yes, still good insurance).
If the addon does go, in Windows, Clam Win is Open Source standalone scanner.
deploy.akamaitechnologies Biggest virus of them all.
I felt even more confident using CroudInspect after reading the EULA, and their blog at https://www.crowdstrike.com/blog/virustotal-lookups-are-back-in-crowdinspect-crowdstrikes-popular-free-tool/
Surely a software with better privacy EULA…
What Rob refers to is probably this sentence:
“For each entry discovered and transmitted by You, the Software collects and transmits — and Company may retain and use — the full directory, file name, SHA256 hash, /create/ timestamp of the above; /last accessed/ timestamp; /last write/ timestamp; digital signature information, as well as your connection information.”
and that there is no way to opt out of this.
I assume any malware company that is engaged in trying to discover and analyze emerging threats has similar terms in its EULA. Here’s the relevant sentence from MalwareBytes:
“Without limiting the Privacy Policy, you agree that Malwarebytes may track certain data it obtains from your Device, including data about any malicious software, exploits or other threats flagged by the Software (including but not limited to potential sources of such threats, such as payload files, file format and recent URL’s visited), data about your license, data about what version of the Software you are using and what operating conditions it runs under and data concerning your geographic location.”
I was going to suggest using the VirusTotal integration in Process Explorer, but the relevant section from their (Microsoft’s, go figure) EULA is even more vague than MalwareBytes’.
As far as other process viewers/managers/explorers with VirusTotal capabilities: Process Hacker doesn’t seem to have a privacy policy, but doesn’t send all running processes to VirusTotal – you have to send each one you’re interested in. AnVir Task Manager also doesn’t seem to publish a privacy policy, but they use their own rating system for software security (you can also send processes to VirusTotal one-by-one), so you can be sure they’re collecting the same data as CrowdInspect.
None of the above alternatives notify the user about code injection status (as far as I can tell) or include Web of Trust ratings.
Note also VirusTotal’s privacy policy: https://www.virustotal.com/en/about/privacy/
They collect as much data about you as they can, so even if you used a PowerShell script or something to create hashes of all running processes and then upload them to VirusTotal, you still have the same privacy concerns with them.
So, as far as I can find, there doesn’t seem to be similar software with a better privacy EULA. If anyone knows of one, I’d be interested to hear about it.
I should have added that I’m not personally concerned about these privacy issues. I assume that most anti-malware companies offer free versions of their tools in part to collect data and respond to new malware. If no one were collecting data like this, we would almost certainly have far more malware problems.
Eddy, a most interesting comment. Even got to put a smile on my face when jumping from bad practices to worse, nicely detailed :)
How do you call it when you have to pay (be it with your privacy) to get protected?
Personally I use HitmanPro for second opinion malware scans. Of course the developer knows a lot, what exactly I don’t know, is it shared? No idea.