Process explorer now links to Virus Total

Paul

Todd said:
Hi All,

Process Explorer has a cool new feature allowing you to upload
a process to Virus Total:

https://isc.sans.edu/diary/Hello+Virustotal?++It's+Microsoft+Calling./17594


-T

Considering Virustotal was sold to Google, and Google now runs
it, that *is* pretty funny.

Virustotal has an upload size limit, so if a rogue process is
big enough, it'll be a doddle to prevent that from happening.
And don't think that "Internet Engineers" don't keep an
eye on that limit, either. They do. That's why some
packed executables are just marginally larger than the
Virustotal limit.

You can search Virustotal using a checksum (MD5 say),
but if there is no hit on Virustotal, you'd have to do
an upload to get an analysis. And if it is larger
than the current limit, it's not going to work.
Let's hope the Process Explorer design is two-stage,
and does the more economical checksum test first.
As using Process Explorer as a DDOS tool against virustotal,
that would be pretty nasty.

Paul
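
Added example, not part of the original post: a sketch of the two-stage flow the post hopes for (checksum lookup first, upload only on a miss), which also flags unknown files that sit just above the upload limit. The `lookup` callable, the 1000-byte limit, the 5% margin and the sample files are assumptions constructed for the demo; the page gives no real limit.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so big binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(path, lookup, upload_limit, near_margin=0.05):
    """Stage 1: checksum lookup. Stage 2: upload only on a miss that fits.

    lookup(digest) is a hypothetical callable returning a report or None.
    upload_limit (bytes) is supplied by the caller; the page gives no figure.
    """
    digest, size = file_digest(path), os.path.getsize(path)
    report = lookup(digest)
    if report is not None:  # a hit costs no upload, whatever the file size
        return {"action": "use_existing_report", "report": report}
    if size <= upload_limit:
        return {"action": "upload", "size": size}
    # Unknown and too big to submit: route to an analyst, and note when the
    # size sits just above the limit, the pattern the post describes.
    just_over = size <= upload_limit * (1 + near_margin)
    return {"action": "manual_review", "size": size, "just_over_limit": just_over}


def demo():
    """Run triage over constructed files with a constructed 1000-byte limit."""
    samples = {"small.bin": b"s" * 100, "known.bin": b"k" * 2000,
               "edge.bin": b"e" * 1030, "huge.bin": b"h" * 5000}
    # Constructed stand-in for the remote hash database.
    known = {hashlib.sha256(samples["known.bin"]).hexdigest(): "constructed report"}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = triage(path, known.get, upload_limit=1000)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```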
 
