myNetWatchman SecCheck

SecCheck is a Windows forensic tool developed by myNetWatchman which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowingly installed on your computer. This tool is used at the direction of myNetWatchman, and is not suitable as a replacement for anti-virus. You will need to contact myNetWatchman prior to running SecCheck in order to receive the results of your scan. There are two different versions of SecCheck available. Please choose the one that best fits your situation and needs:

SecCheck Version 2 SCU - for complete analysis including binary file upload

Download and run the following: SecCheck SCU

This version is meant for computer novices who need the most help in identifying malware on their systems. It automatically collects forensic data and copies of any active program or module, and sends them to the SecCheck analysis server. Upload time is minimized by copying only programs/modules which are not already contained in the SecCheck file repository. This enables us to perform centralized virus scans of these files and return the results to you.

When the submission is done, a new SubmissionStatus browser window will be opened. Note: Virus scanning can take 3-5 minutes to complete, so you may need to refresh the page a couple of times until results are populated.


SecCheck SCU Case (for Analysis of Multiple Computers)

This version is meant for business/enterprise analysts and admins that are investigating malware that may be on multiple systems. It is similar to SecCheck SCU, but also allows scans on multiple systems to be grouped together by a unique case identifier.

SCU Case requires special configuration of an already-registered SecCheck account prior to use. If you are interested in using SCU Case, please contact myNetWatchman at our support email for more information.

If we have already configured your account, SCU Case can be downloaded here: SecCheck SCU Case


SecCheck Version 2 GUI (for limited analysis, does not include binary upload)

Advanced users who prefer not to contribute active binaries to the file repository can use: SecCheckUI DOS

Click 'Do Check', then 'Submit results to mNW'. The SubmissionStatus page will include virus scan results, but only for files which we already have in our repository.

In addition to submitting the XML scan from above, you will probably also want to use the 'Do Text Check' option and save the results to a text file. This produces a human-readable version of the output (vs. XML) that can be easily reviewed using a text editor (e.g. Notepad).

Important: If you prefer to only collect SecCheck data locally, then simply avoid using the 'Send Results to mNW' button. You will be responsible for interpreting the analysis and results, and no information will be transmitted to myNetWatchman.

Analyzing SecCheck results:

If you have a good background in Microsoft Windows, you can likely interpret some or all of the SecCheck output yourself. Here are some pointers:

  • Compare current connection activity with reported behavior (e.g. outgoing port scans)
  • Identify the hostile application generating the behavior
  • Locate how it's being started
  • Check for signs of backdoors/trojans
  • Identify startup method

Here is what information SecCheck gathers from your system:

  • Currently active processes
  • Defined services
  • Startup folder items
  • Startup Registry Key contents
  • Applications listening for inbound connections
  • Applications with active network communications
  • Active Browser Helper objects (BHOs)
  • Installed ActiveX controls
  • Module dump (DLLs) for all active applications
  • SHA1 hashes for all active files (SC V2 only)
  • A copy of any active binary not already in SecCheck file repository (SC V2 w/upload only)