Is it possible to detect a virus with taskmanager?

10

3

If I had a running virus on my system, would I be able to see the process in Task Manager? I mean, would it be possible for a running virus to circumvent Task Manager so the process doesn't appear in the task list of Windows 7?

Or in other words: if I really know all the processes in Task Manager to be secure, do I also know that my PC is clean?

user1344545

Posted 2014-02-08T03:38:00.030

Reputation: 215

Answers

7

No, not usually. It is possible for Task Manager (and other parts of the operating system) to themselves be compromised, thus hiding the virus. This is called a rootkit.

If I really know all the processes in taskmanager to be secure

You can never know all the processes in taskmanager to be secure. Viruses use names of system components for a reason, sometimes even displacing them.

Use an antivirus.

Jonathan Baldwin

Posted 2014-02-08T03:38:00.030

Reputation: 426

Does this apply to Windows 7 and 8.x ? – Faiz – 2015-04-20T04:33:53.167

@Faiz the "Use an antivirus" part does. You should always use an antivirus (there are free ones such as Avast Antivirus), and these days it is even necessary to use antivirus software on mobile devices. – NH. – 2017-06-21T16:57:08.187

For better understanding: so this means that Task Manager shows, for example, 0% CPU usage overall (all processes 0%), but it could be that there is a hidden process that uses CPU, but I don't see it in Task Manager? – user1344545 – 2014-02-08T04:16:25.893

I agree with Jonathan's answer. – Calculating Machine – 2014-02-08T04:17:50.690

The task manager will always show a process called "System Idle Process" that runs during CPU idle time, that will appear to max out your CPU usage. It doesn't actually, and is not a virus. But yes, a virus can attach itself to taskman to hide its CPU usage. – Jonathan Baldwin – 2014-02-08T14:23:50.630

5

An antivirus detects only so and so much ("During 4Q11, 33 percent of Web malware encountered was zero-day malware not detectable by traditional signature-based methodologies at the time of encounter", source: http://blogs.cisco.com/security/cisco-4q11-global-threat-report/ ).

With a bit of training you can detect some malware because it behaves in a certain way that is a bit off from what's usual on the OS. It might be more network traffic, more CPU usage, strange disk accesses or something else. Malware is not only available as single binaries, which are detectable via a task manager, but also as dynamic libraries (DLLs) attached to other processes.

You can get clues about what is running on your system with a task manager like Process Explorer from the Sysinternals Suite, and you can watch things happen on your system with something like Process Monitor from the same suite. Get used to the tools and watch for signs of "strangeness":

  • Unsigned binaries (executables or dlls)
  • Strange writes to strange files
  • Strange network activity

(The "strange" part is the training you need in order to distinguish between "that's normal" and "that is strange")

The author of the Sysinternals Suite shows some clever ways to use the above-mentioned tools:

https://www.youtube.com/watch?v=7heEYEbFim4

So, yes, you can detect some of the malware with a decent task manager. The less sophisticated the malware is, the easier it will be to detect. If the malware tries to detect the use of task managers like Process Explorer you might even need to take advanced steps such as using a different "Session" to detect strange behavior, but it is still possible.

akira

Posted 2014-02-08T03:38:00.030

Reputation: 52 754
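One way to turn the first item of that list, "unsigned binaries (executables or DLLs)", into something repeatable is to walk every running process and check the Authenticode signature of its image and of each DLL it has loaded. This is an added example, not code from the answer or from the Sysinternals tools; it uses only the built-in Get-Process and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the original answer): report running processes whose image
# or loaded DLLs carry no valid Authenticode signature, one of the "strangeness" signs
# listed above. Run from an elevated PowerShell of the same bitness as the OS, otherwise
# the module lists of other users' and 64-bit processes are not readable.
$signatureCache = @{}

function Get-SignatureStatus {
    param([string]$Path)
    # The same DLL (ntdll.dll, kernel32.dll, ...) is loaded by almost every process;
    # cache the verdict so each file is verified once.
    if (-not $signatureCache.ContainsKey($Path)) {
        $signatureCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
    return $signatureCache[$Path]
}

$findings = foreach ($proc in Get-Process) {
    $files = @()
    if ($proc.Path) { $files += $proc.Path }
    # Protected processes and processes of other sessions refuse access to their
    # module list; those are skipped rather than reported.
    try { $files += $proc.Modules | ForEach-Object { $_.FileName } } catch { }

    foreach ($file in ($files | Sort-Object -Unique)) {
        $status = Get-SignatureStatus -Path $file
        if ($status -ne 'Valid') {
            [pscustomobject]@{
                PID     = $proc.Id
                Process = $proc.ProcessName
                File    = $file
                Status  = $status   # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            }
        }
    }
}

# An unsigned file is a lead to look at, not a verdict: plenty of legitimate software
# ships unsigned, while Microsoft's own components should all come back 'Valid'.
$findings | Sort-Object Process, File | Format-Table -AutoSize
```

HashMismatch on a file that should be signed (a system DLL, for instance) deserves more attention than NotSigned on a third-party tool, since it means the file on disk no longer matches what its publisher signed.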

While good advice (+1) there is no substitute for a decent antivirus on a Windows machine. This is (obviously) a supplement to that, and requires some knowledge on what "strange behaviour" is to not break your system. Many Windows components act "strange" to the untrained eye. – Jonathan Baldwin – 2014-02-08T14:17:21.920

Also, there are several orders of magnitude more legitimate unsigned binaries than infected unsigned binaries. Actually, most Windows software is unsigned, since very few devs cared about signing before Windows 8 SmartScreen appeared. Not a great benchmark by itself. – Jonathan Baldwin – 2014-02-08T14:17:56.313

Well, most "normal" software is signed, the one coming from MSFT itself is most certainly signed. So, you can get a clue about what's part of the system and what is not part of the system. AV software usually is software that runs with kernel rights, downloads new instructions from the internets :) https://twitter.com/thegrugq/status/297177182848049152 http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm etc. Yeah, it's easier to install something that someone claims helps. IMHO.

– akira – 2014-02-08T14:26:29.863

1

FYI: https://lock.cmpxchg8b.com/sophailv2.pdf

– akira – 2014-02-08T14:34:21.623

2

It is not possible to detect a virus from Task Manager.

There are several kinds of virus: virus, Trojan, rootkit, adware/PUP etc. Some viruses hide themselves from Task Manager, so they don't appear in Task Manager.

I would suggest you stop looking in Task Manager and install an antivirus.

How can I access Windows® Event Viewer?

  1. Press Windows key + R, type "eventvwr.msc" and click OK or press Enter.
  2. Expand Windows Logs, and select Security.
  3. In the middle you'll see a list, with Date and Time, Source, Event ID and Task Category. The Task Category pretty much explains the event: Logon, Special Logon, Logoff and other details.

Calculating Machine

Posted 2014-02-08T03:38:00.030

Reputation: 290
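The Security log the steps above open can also be read from PowerShell, which makes it practical to answer the question that comes up in the comments below: has anyone logged on to this PC over the home network? This is an added example, not code from the answer; it reads event 4624 ("An account was successfully logged on") with the built-in Get-WinEvent cmdlet and labels each entry with its logon type.

```powershell
# Added example (not from the original answer): list the last week's successful logons
# from the Security log and separate the ones typed at this keyboard from the ones that
# arrived over the network. Reading the Security log requires an elevated PowerShell.
$logonType = @{
    '2' = 'Interactive'; '3' = 'Network (file share, admin$)'; '4' = 'Batch'
    '5' = 'Service'; '7' = 'Unlock'; '8' = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624                     # "An account was successfully logged on"
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue         # no matching events is not an error

$logons = foreach ($e in $events) {
    # The interesting fields live in the event's XML body, keyed by their Name attribute.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Type        = $logonType[$data['LogonType']]
        FromHost    = $data['WorkstationName']
        FromAddress = $data['IpAddress']
    }
}

# Machine and service accounts (names ending in $, SYSTEM, LOCAL SERVICE, ...) log on
# constantly; drop them so real user activity stands out.
$userLogons = $logons | Where-Object {
    $_.User -notmatch '\$$' -and $_.User -notmatch 'SERVICE$|SYSTEM$|ANONYMOUS LOGON$'
}

"Logons in the last 7 days by type:"
$userLogons | Group-Object Type | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"Logons that came over the network rather than from this keyboard:"
$userLogons | Where-Object { $_.Type -notmatch '^(Interactive|Unlock|CachedInteractive)' } |
    Sort-Object Time -Descending | Format-Table Time, User, Type, FromHost, FromAddress -AutoSize
```

Logon type 3 entries from a family PC reading a shared folder are expected on a home network; a type 3 or type 10 entry from a host name or address you do not recognise is the kind of thing to follow up.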

I am not sure I have a virus, but I had a suspicious message when logging out yesterday. I couldn't read it completely, because it was very fast, but my 'gut feeling' says that the message told me that someone is still logged in. – user1344545 – 2014-02-08T04:20:21.773

Open Task Manager, navigate to the Users tab and check how many sessions there are. Is it your home computer or is it joined to a domain? – Calculating Machine – 2014-02-08T04:23:05.363

We have a little network at home. My wife and children. But I was alone in the network when the message popped up during logout. Is there a way to trigger a message when someone is logging into my local PC? – user1344545 – 2014-02-08T04:26:42.820

I would suggest you check the login history in the event log. – Calculating Machine – 2014-02-08T04:29:02.913

How sure can someone be of not having a virus when running a full scan with AVIRA Free Antivirus? – user1344545 – 2014-02-08T04:29:13.270

A virus is a simple program for destruction. Antivirus service providers always check for new threats. If they find any new threat then they release a detection file (ide). If you have an antivirus it doesn't mean it will protect you 100%. But I can say your machine is at least safe from previous threats. – Calculating Machine – 2014-02-08T04:32:24.027

@user1344545 If you aren't sure that the scan worked, try running scans using a combination of antiviruses. I can't really suggest you anything specific. What type of network is this? An intruder cannot really "log on" to the network unless a home server is present. – oldmud0 – 2014-02-08T04:36:24.910

Network description: we have 3 computers and lots of tablets :-). One router which is connected to the line of the internet provider. Every PC can connect to the shared drives of the other PCs by using \\COMPUTERNAME in cmd. – user1344545 – 2014-02-08T04:40:17.327

Did you get the message during shutdown or logoff? – Calculating Machine – 2014-02-08T05:02:58.093

@user2301394: how do you think the authors of AV software detect the malware in the first place? The signatures for the malware do not fall out of the blue sky. – akira – 2014-02-08T08:10:39.473

@akira: antivirus companies get the infected file and after that they release an update. If they do not have a sample file, how can they create an ide? Some of the settings are defined in the antivirus engine, such as HIPS, IDS, buffer overflow. But for any specific virus they create an ide. – Calculating Machine – 2014-02-09T04:44:26.750

Don't leave the most important step out: they analyze the file by (among other things) running it and watching its behavior. – akira – 2014-02-09T05:06:50.537

They do it in their own lab. They run it in their environment and watch the behavior; after that they create an ide. – Calculating Machine – 2014-02-09T08:20:01.843

By the way, why vote down? I don't think I deserve a vote down. – Calculating Machine – 2014-02-09T08:22:10.193

And then they watch it via a process monitor / task manager. Malware also likes to hide itself from antivirus software... which renders the point of AV... well, pointless. – akira – 2014-02-09T11:44:00.327

Totally agree with you, Akira. – Calculating Machine – 2014-02-09T12:23:41.043

0

Viruses are quite sophisticated nowadays. That means that they may hide themselves from Task Manager, run multiple copies of themselves (in case one copy gets taken down), and many more tricks. By definition, viruses also inject themselves to system processes in order to conceal themselves.

Malware in general can usually be detected pretty easily just by identifying an unusual process that's running. But viruses specifically usually can only be identified by their payload injected onto the target process.

So an antivirus is really the only thing that can accurately detect... well... a virus!

oldmud0

Posted 2014-02-08T03:38:00.030

Reputation: 3 858

-1

From a programmer's perspective, I would suggest you try learning programming using the Windows API, and furthermore API hooks.

The OS kernel keeps a table of these native API functions which you need to identify and hook into. Your hook will then redirect and modify/filter the output. This piece of code has to run in kernel space, and in order for you to control it (i.e. load/stop), you'd have to have a piece of software in user space as well. Although these are possible in user space as well, it will most likely be flagged by modern AVs as some sort of malicious activity.

The approach would be to hook a piece of code to intercept API calls (i.e. NtQueryDirectoryFile()) such that you modify/filter the output - sort of a man-in-the-middle approach. Processes running in user space (i.e. Task Manager, Windows Explorer, Process Explorer) will just display the filtered output provided by your hook... And NO, ACLs have no power on this layer.

Of course, modern AVs have pieces of code running in kernel space too, and/or PATTERN MATCHING (remember when AV updates were called AV Pattern Updates?) - to detect and prevent such malicious hooks.

mVincent

Posted 2014-02-08T03:38:00.030

Reputation: 159

I am not sure how this answer actually answers the proposed question the author had. – Ramhound – 2014-10-07T18:43:13.853

An edit was suggested. This was supposed to be posted at http://superuser.com/questions/821040/do-all-programs-running-in-a-computer-show-up-in-the-processes-tab-in-task-manag?lq=1, but that was closed by mods just minutes before I clicked post.

– mVincent – 2014-10-07T18:54:22.603

That still does not explain how this answer addresses the question posed by the stated question. The question you linked to was closed a full hour before you submitted this answer. Of course I believe I will bring up the fact that the linked duplicate is a much better question than this one. – Ramhound – 2014-10-07T18:57:52.260

Yes, indeed. And like I said, that was supposed to be posted on that linked question. However an edit was suggested that I erase the note attached. This answer provides an insight into the relevant question and addresses the false sense of security a user has if he himself cannot ascertain the capability of the software which he relies upon. – mVincent – 2014-10-07T19:16:26.117

I tried to understand how this answers whether the task manager can list a running virus, but I still can't see it. – Ramhound – 2014-10-07T19:55:15.247

You might be referring to a rogue process running and visible through Task Manager, yet you cannot identify the dropper or process spawner. The reason is that the dropper or process spawner is hooked on other WinAPI calls (i.e. Windows Explorer). – mVincent – 2014-10-07T20:13:27.610