First, I’ve added the ability to use a whitelist with KillEmAll. The feature is designed for adding your remote support app to the whitelist, so you can run KillEmAll on a remote support session and it won’t kill your connection software (e.g. TeamViewer).
You could use the whitelist for other items, but why? Additionally, keep the list SMALL so it doesn’t impact performance / effectiveness of KillEmAll.
Why not just add common/popular remote support apps to KEA’s internal whitelist, you might ask? Well, there are quite a few apps out there, and especially with custom ones or purchased packages, they may be renamed to your preference – and how should I know what you named your custom branded TeamViewer Quick Support client?
Note that unlike KillEmAll’s internal whitelisting of essential Windows processes, items in the user defined whitelist will be allowed no matter what directory they are running from.
To use whitelisting with KillEmAll:
- Create a plain text file named “KEA_Whitelist.txt” in your KillEmAll/D7 directory
- Inside the file, place the executable names you wish to whitelist e.g. teamviewer.exe
Second, I’ve added a new function: FindDups. The function is for finding duplicate files, of course, and verifies duplicates by MD5 hash.
I find that on occasion, I will run across malware that has duplicated itself into HUNDREDS of other DLL files in Windows\System32 – as a technician, I’m positive you’ve run across that before! All of the files will be identical and naturally, the same size.
A simple solution of the past was to highlight the known malware file in Explorer, then sort by file size, and delete everything of the same size. Problem is, you run into similarly sized legitimate files (less than 1kb difference) that get caught up in the mix, at times, so you have to be careful with your mass deletion that you don’t include one of those.
Well I didn’t like the manual part of that, and the chance I might accidentally delete something legitimate; so that is the point of Find Dups.
Of course, with Find Dups you aren’t limited to searching within the same directory only; you can get specific and search one directory and no subdirs, or just search the entire partition (granted, that’s a slow process…). It’s not unheard of for malware to also duplicate itself inside different directories e.g. a copy in Windows\System32, a copy in ProgramData somewhere, a copy in the specific user profile directory maybe in AppData somewhere. You never know…
While you can search for all file types, you can also opt to search for the same file type only – which can be a huge time saver in the scanning process; I include this option because as far as I know, a malware .DLL (for example) usually duplicates itself as another .DLL file, not an .EXE or other file type… I do plan on doing some experimentation with that theory, however, and will surely follow up with another blog post should I discover otherwise.
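The matching logic described above (exact size as a cheap pre-filter, MD5 to confirm, optional "same file type only" and "no subdirs" switches), as an added Python sketch that is not D7's own code. The names `find_dups`, `md5_of` and `demo`, and the sample files, are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_dups(reference, root, recurse=True, same_type_only=True):
    """Return sorted paths under root whose content is identical to reference."""
    ref_abs = os.path.abspath(reference)
    ref_ext = os.path.splitext(ref_abs)[1].lower()
    ref_size, ref_md5 = os.path.getsize(ref_abs), md5_of(ref_abs)
    matches = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []  # search this one directory, no subdirs
        for name in filenames:
            path = os.path.abspath(os.path.join(dirpath, name))
            ext = os.path.splitext(name)[1].lower()
            if path == ref_abs or (same_type_only and ext != ref_ext):
                continue
            try:
                # Size is cheap to read; hash only files of exactly the same size.
                if os.path.getsize(path) == ref_size and md5_of(path) == ref_md5:
                    matches.append(path)
            except OSError:
                continue  # locked or unreadable file: skip it
    return sorted(matches)

def demo():
    """Constructed tree: a reference file, three copies, one same-size look-alike."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        files = {"bad.dll": b"A" * 900, "copy1.dll": b"A" * 900,
                 "copy2.exe": b"A" * 900, "legit.dll": b"B" * 900,
                 os.path.join("sub", "copy3.dll"): b"A" * 900}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        ref = os.path.join(root, "bad.dll")
        runs = [find_dups(ref, root), find_dups(ref, root, recurse=False),
                find_dups(ref, root, same_type_only=False)]
        return [[os.path.relpath(p, root) for p in r] for r in runs]
```

In the constructed tree, `legit.dll` has the same size as the reference but different content, so it is never reported; `copy2.exe` is reported only when the same-type filter is switched off.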
You will find “Find Dups” in various places inside D7:
- in the D7 menu as “Find Duplicate Files” – if you have a path/file name already copied to the clipboard, it will automatically be inserted when you click this option.
- a “Find Dups” button is in Malware Scan, to search for dups of the selected file.
- a “Find Dups” context menu option is added to Explorer’s right click menu, enabling you to invoke the functionality on any file in Explorer – likewise the same button can be found in the Work With File context menu option, which attempts to add all context menu functionality into one.