CrowdInspect - Host-based Process Inspection Tool


CrowdInspect is a free community tool for Microsoft Windows systems that helps alert you to the presence of potential malware on your network.

It is a host-based process inspection tool utilizing multiple sources of information to detect untrusted or malicious process and network-active applications. Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity.

The tool runs on both 32-bit and 64-bit versions of Windows from XP and above.

CrowdInspect captures process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse resolved DNS name of the remote IP address. The tool accommodates both IPv4 and IPv6 addresses.


CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of those accessed. You can click the "Live/History" toolbar button to switch between the regular live process window and the network history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process and any network connection it may be using. This is achieved through the use of the following technologies and services:

  • Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the "Inject" column.
  • --  (o Gray icon): Not applicable/not available. No process is not able to be tested.
  • ??  (o Gray icon): The process did not allow us to test for code injection.
  • OK  (o Green): The process did not appear to have any evidence of thread injection.
  • !!  (o Red icon): The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that does exhibit this behavior. The process/application should be investigated further.

  • VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:
  • --  (o Gray icon): Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.
  • ??  (o Gray icon): The entry does not exist in the VirusTotal database. This is probably good!
  • 0% ... 100%  (o Green ... o Red icons): The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!)

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV-Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.

  • Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case, we are simply querying for a yes/no answer so the results can be one of the following:
  • --  (o Gray icon): Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.
  • ??  (o Gray icon): The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.
  • !!  (o Red icon): The entry DOES exist in the MHR database. The process is known to be malware. This is bad!

  • Web of Trust

Crowd-sourced domain name reputation system

Shown in the "WOT" column of the tool are the basic summary results of querying the Web of Trust service against the reverse resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:
  • --  (o Gray icon): Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.
  • ??  (o Gray icon): The entry does not exist in the WoT database.
  • 0% ... 100%  (o Red ... o Green icons): The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.
To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.



No comments

Powered by Blogger.