Category Archives: Incident Response

Incident Response Tool of The Month: ESET SysInspector

From ESET Website:

ESET SysInspector® is a free, state of the art diagnostic tool for Windows systems. It is also an integral part of ESET Smart Security 6 and ESET NOD32 Antivirus 6. It peers into your operating system and captures details such as running processes, registry content, startup items and network connections. Once a snapshot of the system is made, ESET SysInspector applies heuristics to assign a risk level for each object logged

SysInspector is an excellent tool for first responders, as it can gather  useful volatile and non-volatile information of a computer with suspicious behavior, and can be used to compare a freshly installed image of the computers in your organization, against a current image that is behaving suspiciously.  In the next example I will execute SysInspector before and after executing a malware, and demonstrate how the IOCs can be found easily.

First, I execute the tool, before running any malware:



Nothing suspicious here… You can see here a lot of useful information, such as running processes, open connections, important registry values,services, drivers and much more. Now I will execute the malware (This time I will execute CryptoLocker), and save another XML report with SysInspector. Now it`s time to compare both logs:

SetToCompareThe results are interesting, some new processes created by the malware:


A new file dropped by the malware:



A registry key to achieve persistence:


And finally, some network activity by the processes we have discovered earlier:



CryptoLocker is relatively old, Most AVs have signatures for it, but a big part of new malware that AVs can`t identify can  be detected using the same technique.

SysInspector is a really useful tool, That can  shorten the incident response time, and focus the response team on what`s important.

SysInspector can be downloaded from the ESET Website below: