Network scanner for viruses. How to scan a large network


Anti-virus scanners are designed to scan your computer for malicious software and eliminate detected threats. An anti-virus scanner application checks the system at random times and does not provide constant protection for the computer.

This shows the difference between anti-virus scanners and monitors (anti-viruses). An anti-virus scanner conducts one-time scans on demand, and an anti-virus installed on a computer constantly protects the PC.

Why do we need anti-virus scanners? Anti-virus scanners for Windows are needed to check your computer in cases where the permanently installed antivirus cannot do its job. For example, the system has begun to slow down greatly for no apparent reason, some programs have begun to glitch, and so on.

It is possible that malware has entered your computer. Therefore, it makes sense to check and, if something is found, cure the computer and eliminate the problems that have arisen.

Some users do not use antivirus applications on their computers. In such cases, you should check the system from time to time using an anti-virus scanner for prevention.

Some scanners use cloud servers in their work, with which they interact while scanning a computer. Therefore, for this type of program to work, an Internet connection is required.

Other anti-virus scanners are completely autonomous; they include all the anti-virus databases that were current at the time the application was downloaded. For a new scan, you should download the latest version of the anti-virus scanner.

In this article we will look at free anti-virus scanners (alas, there are also paid programs of this type) that work without installation on the computer. Such applications have some advantages, since there are situations when, as a result of a severe infection of the system, it becomes impossible to install an antivirus program on the computer. The portable version of an anti-virus scanner allows you to run the program not only from a computer disk, but also from removable media, for example, from a USB flash drive.

To scan for viruses, you should use a scanner from another manufacturer, different from the developer of the antivirus installed on the PC.

This manual presents the best anti-virus scanners that support the Russian language and run on the Windows operating system.

Dr.Web CureIt! - powerful healing utility

Dr.Web CureIt! is a popular anti-virus scanner for treating infected computers from the Russian company Dr.Web. The Dr.Web CureIt scanner detects various types of malware and does not conflict with antiviruses installed on the computer.

Download the healing utility Dr.Web CureIt! from the official website of Doctor Web. To scan your PC again, download the latest version of the program with the latest databases (updates are released frequently, several times a day).

How to use the Dr.Web CureIt utility:

  1. After the download is complete, run the application on your computer (the program file is named with a set of characters so that viruses cannot block the utility from running on the computer).
  2. After launching the utility
  3. Click on the “Start scan” button or select individual objects to check.

If malware is detected as a result of the system scan, disinfect your computer.


Kaspersky Virus Removal Tool - a powerful antivirus scanner

Kaspersky Virus Removal Tool (KVRT) is a product of the Russian company Kaspersky Lab for detecting and removing viruses from a computer. The application effectively copes with the tasks assigned to it.

Download the Kaspersky Virus Removal Tool utility from the official website of Kaspersky Lab. For a new scan, download the latest version of KVRT (the application is updated several times a day).

The virus scanning process in Kaspersky Virus Removal Tool takes place in several steps:

  1. Launch KVRT on your computer.
  2. Accept the terms of the license agreement.
  3. In the “Everything is ready for scanning” window, click on the “Start scanning” button.

Receive a scan report, disinfect or remove detected malicious elements from your computer.


Emsisoft Emergency Kit - emergency treatment kit

Emsisoft Emergency Kit - an emergency set of utilities for treating infected computers. The program includes several tools to counter malware: the graphical Emergency Kit Scanner tool and the Commandline Scanner tool, launched from the command line.

Download Emsisoft Emergency Kit from the official website of the New Zealand company Emsisoft, and then follow these steps:

  1. Unpack the program on your computer. With the default settings, the “EEK” folder is created on the “C:” drive.
  2. Then the folder with the program will open, in which you need to click on the “Start Emergency Kit Scanner” application.
  3. Accept the terms of the license agreement, and then update the program.
  4. Click on the "Scan" button.

  5. Select scan type: "Quick check", "Check for threats", "Quick scan".
  6. Start scanning.
  7. Detected threats will be quarantined; remove viruses from your computer.


ESET Online Scanner - online virus scanner

ESET Online Scanner is an online scanner for scanning your computer and removing detected threats from your PC. In its work, the utility uses cloud technologies to protect against different types of threats.

First you need to download ESET Online Scanner from the official website of the Slovak company ESET.

Then follow these steps:

  1. Accept the license agreement.
  2. Configure scan settings.
  3. Click on the "Scan" button.

After the scan is complete, remove the threats found.


F-Secure Online Scanner - cloud scanner

F-Secure Online Scanner is a cloud-based online scanner for checking your computer for malware. The application uses a cloud anti-virus database when scanning your computer.

Download the F-Secure Online Scanner application from the official website of the Finnish company F-Secure.

Check with F-Secure Online Scanner by following the steps:

  1. After starting the program, accept the terms of the license agreement.
  2. Click on the “Accept and Verify” button.
  3. Scan and clean your system of malicious files and applications.


Norton Power Eraser - identifying virus threats

Norton Power Eraser is a tool for identifying threats that are difficult to detect with a regular antivirus. The program uses aggressive scanning technologies to identify malicious software.

Norton Power Eraser can be downloaded from the official website of the American company Symantec.

When checking, follow these steps:

  1. Launch the program.
  2. Click on the “Scan for threats” button.

  3. Remove detected threats.

If necessary, Norton Power Eraser can also perform advanced scans.

Microsoft Safety Scanner - a virus scanner

Microsoft Safety Scanner, an antivirus tool from the American corporation Microsoft, detects and removes malicious software in the Windows operating system. To perform the scan, the user needs to download the utility and then launch the scanner on the computer.

Before downloading, on the Microsoft Safety Scanner page of the official website, select the language and bit version (64-bit or 32-bit) of the application. The anti-virus scanner remains operational for 10 days. For the next scan, you need to download a new version of the utility with the latest anti-virus databases.

Microsoft Safety Scanner scans your computer for viruses in the following order:

  1. Run the Microsoft Safety Scanner program on your computer.
  2. Accept the terms of the license agreement.
  3. In the next window, click on the “Next” button.
  4. Select the scan type: “Quick scan”, “Full check”, “Custom scan”.
  5. Run a virus scan.
  6. Wait for the scan results to appear.
  7. If viruses or other malware are detected, remove dangerous objects from your computer.


COMODO Cleaning Essentials - anti-virus tools

COMODO Cleaning Essentials is a set of tools for identifying and removing viruses and dangerous processes from your computer. The application includes an anti-virus scanner that detects various types of viruses.

Download COMODO Cleaning Essentials from the official website of the American company Comodo. On the download page, select the bitness of the Windows operating system installed on your computer. Unpack the archive with the application in a convenient place.

To perform the check, do the following:

  1. First, open the folder named “cce_scanner_version_number”, and then the folder “cce_x64” or “cce_86”, depending on the selected system bitness.
  2. Click on the “CCE” (Application) file to launch the program.
  3. Accept the terms of the license agreement.
  4. Select the scan type: Smart Scan, Full Scan, or Custom Scan.

After the scan is completed, remove malicious elements from your computer.

Conclusions of the article

The article discusses the best antivirus scanners that do not require installation on your computer. Programs can be launched from any convenient location on the computer, including from removable media. Anti-virus scanners are launched by the user independently for a one-time scan of the computer. Applications scan the system and remove viruses and malware from the computer.

The problem of a network worm epidemic is relevant for any local network. Sooner or later, a situation may arise in which a network or email worm penetrates the LAN and is not detected by the antivirus in use. A network virus spreads over a LAN through operating system vulnerabilities that had not been patched at the time of infection, or through writable shared resources. A mail virus, as the name suggests, is distributed via email, provided that it is not blocked by the client antivirus or the antivirus on the mail server. In addition, an epidemic on a LAN can be organized from within as a result of an insider's activities. In this article we will consider practical methods for the rapid analysis of LAN computers using various tools, in particular the author's AVZ utility.

Formulation of the problem

If an epidemic or some abnormal activity is detected on the network, the administrator must quickly solve at least three tasks:

  • detect infected PCs on the network;
  • find samples of malware to send to an anti-virus laboratory and develop a counteraction strategy;
  • take measures to block the spread of the virus on the LAN and destroy it on infected computers.

In the case of insider activity, the main steps of analysis are identical and most often boil down to the need to detect third-party software installed by the insider on LAN computers. Examples of such software include remote administration utilities, keyloggers and various Trojan implants.

Let us consider in more detail the solution to each of the tasks.

Search for infected PCs

To search for infected PCs on the network, you can use at least three methods:

  • automatic remote PC analysis - obtaining information about running processes, loaded libraries and drivers, and searching for characteristic patterns, for example processes or files with given names;
  • studying PC traffic using a sniffer - this method is very effective for catching spam bots and email and network worms. The main difficulty in using a sniffer is that a modern LAN is built on switches, so the administrator cannot monitor the traffic of the entire network. The problem can be solved in two ways: by running a sniffer on the router (which allows you to monitor data exchange between the PCs and the Internet) and by using the monitoring functions of switches (many modern switches allow you to assign a monitoring port to which the traffic of one or more switch ports specified by the administrator is duplicated);
  • studying network load - in this case, it is very convenient to use smart switches, which allow you not only to assess the load, but also to remotely disable ports specified by the administrator. This operation is greatly simplified if the administrator has a network map, which shows which PCs are connected to which switch ports and where they are located;
  • using honeypots - it is strongly recommended to create several honeypots on the local network so that the administrator can detect an epidemic in good time.

Automatic analysis of PCs on the network

Automatic PC analysis can be reduced to three main stages:

  • conducting a complete PC examination - running processes, loaded libraries and drivers, autorun;
  • conducting operational research - for example, searching for characteristic processes or files;
  • quarantine of objects according to certain criteria.

All of the above problems can be solved using the author's AVZ utility, which is designed to be launched from a network folder on the server and supports a scripting language for automatic PC inspection. To run AVZ on user computers you must:

  1. Place AVZ in a network folder on the server that is open for reading.
  2. Create LOG and Quarantine subdirectories in this folder and allow users to write to them.
  3. Launch AVZ on LAN computers using the rexec utility or logon script.

Launching AVZ in step 3 should be done with the following parameters:

\\my_server\AVZ\avz.exe Priority=-1 nw=Y nq=Y HiddenMode=2 Script=\\my_server\AVZ\my_script.txt

In this case, the Priority=-1 parameter lowers the priority of the AVZ process; the nw=Y and nq=Y parameters switch the quarantine to “network launch” mode (in this mode, a subdirectory is created in the quarantine folder for each computer, named after the network name of the PC); HiddenMode=2 denies the user access to the GUI and AVZ controls; and, finally, the most important parameter, Script, specifies the full name of the script with the commands that AVZ will execute on the user's computer. The AVZ script language is quite simple to use and is focused exclusively on computer examination and treatment tasks. To simplify writing scripts, you can use a specialized script editor, which contains interactive hints, a wizard for creating standard scripts, and tools for checking the correctness of a written script without running it (Fig. 1).

Fig. 1. AVZ script editor

Let's look at three typical scripts that may be useful in the fight against the epidemic. First, we need a PC research script. The task of the script is to conduct a study of the system and create a protocol with the results in a given network folder. The script looks like this:

begin
 // Enable watchdog timer for 10 minutes
 ActivateWatchDog(60 * 10);
 // Start scanning and analysis
 // System exploration
 ExecuteSysCheck(GetAVZDirectory+'\LOG\'+GetComputerName+'_log.htm');
 // Shut down AVZ
 ExitAVZ;
end.

During the execution of this script, HTML files with the results of the study of network computers will be created in the LOG folder (assuming that it is created in the AVZ directory on the server and is available for users to write), and to ensure uniqueness, the name of the computer being examined is included in the protocol name. At the beginning of the script there is a command to enable a watchdog timer, which will forcefully terminate the AVZ process after 10 minutes if failures occur during script execution.

The AVZ protocol is convenient for manual study, but it is of little use for automated analysis. In addition, the administrator often knows the name of the malware file and only needs to check the presence or absence of this file, and if present, quarantine it for analysis. In this case, you can use the following script:

begin
 // Enable watchdog timer for 10 minutes
 ActivateWatchDog(60 * 10);
 // Search for malware by name
 QuarantineFile('%WinDir%\smss.exe', 'Suspicion of LdPinch.gen');
 QuarantineFile('%WinDir%\csrss.exe', 'Suspicion of LdPinch.gen');
 // Shut down AVZ
 ExitAVZ;
end.

This script uses the QuarantineFile function to attempt to quarantine the specified files. The administrator only has to check the contents of the quarantine (folder Quarantine\network_name_PC\quarantine_date\) for the presence of quarantined files. Please note that the QuarantineFile function automatically blocks the quarantine of files identified by the AVZ safe-file database or the Microsoft digital signature database. For practical use, this script can be improved: load the file names from an external text file, check the found files against the AVZ databases, and generate a text protocol with the results of the work:

// Search for a file with the specified name
function CheckByName(FName : string) : boolean;
var
 S : string;
begin
 S := '';
 Result := FileExists(FName);
 if Result then begin
  case CheckFile(FName) of
   -1 : S := ', access to the file is blocked';
    1 : S := ', detected as Malware ('+GetLastCheckTxt+')';
    2 : S := ', suspected by the file scanner ('+GetLastCheckTxt+')';
    3 : exit; // Safe files are ignored
  end;
  AddToLog('The file '+NormalFileName(FName)+' has a suspicious name'+S);
  // Add the specified file to quarantine
  QuarantineFile(FName, 'suspicious file'+S);
 end;
end;

var
 SuspNames : TStringList; // List of names of suspicious files
 i : integer;
begin
 // Checking files against the updated database
 if FileExists(GetAVZDirectory + 'files.db') then begin
  SuspNames := TStringList.Create;
  // Load the list from the same path that was checked above
  SuspNames.LoadFromFile(GetAVZDirectory + 'files.db');
  AddToLog('Name database loaded - number of records = '+IntToStr(SuspNames.Count));
  // Search loop
  for i := 0 to SuspNames.Count - 1 do
   CheckByName(SuspNames[i]);
 end
 else
  AddToLog('Error loading list of file names');
 SaveLog(GetAVZDirectory+'\LOG\'+GetComputerName+'_files.txt');
end.

For this script to work, it is necessary to create in the AVZ folder the Quarantine and LOG directories available for users to write, as well as the text file files.db - each line of this file will contain the name of the suspicious file. File names can include macros, the most useful of which are %WinDir% (the path to the Windows folder) and %SystemRoot% (the path to the System32 folder). Another direction of analysis could be an automatic examination of the list of processes running on user computers. Information about running processes is in the system research protocol, but for automatic analysis it is more convenient to use the following script fragment:

procedure ScanProcess;
var
 i : integer;
 S, S1 : string;
begin
 S := ''; S1 := '';
 // Updating the list of processes
 RefreshProcessList;
 AddToLog('Number of processes = '+IntToStr(GetProcessCount));
 // Loop over the received list
 for i := 0 to GetProcessCount - 1 do begin
  S1 := S1 + ',' + ExtractFileName(GetProcessName(i));
  // Search for process by name
  if pos('trojan.exe', LowerCase(GetProcessName(i))) > 0 then
   S := S + GetProcessName(i)+',';
 end;
 if S <> '' then
  AddLineToTxtFile(GetAVZDirectory+'\LOG\_alarm.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S);
 AddLineToTxtFile(GetAVZDirectory+'\LOG\_all_process.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S1);
end;

The study of processes in this script is performed as a separate ScanProcess procedure, so it is easy to place it in its own script. The ScanProcess procedure builds two lists of processes: a full list of processes (for subsequent analysis) and a list of processes that, from the administrator’s point of view, are considered dangerous. In this case, for demonstration purposes, a process named ‘trojan.exe’ is considered dangerous. Information about dangerous processes is added to the text file _alarm.txt, and data about all processes is added to the file _all_process.txt. It is easy to see that you can extend the script by adding to it, for example, a check of process files against the database of safe files or a check of the names of process executable files against an external database. A similar procedure is used in AVZ scripts used in Smolenskenergo: the administrator periodically studies the collected information and modifies the script, adding to it the names of processes of programs prohibited by the security policy, for example ICQ and MailRu.Agent, which makes it possible to quickly check for prohibited software on the PCs being studied. Another use for the process list is to find PCs that are missing a required process, such as an antivirus.
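The server-side half of this procedure, as an added example that is not part of the original article or of AVZ: a Python script that reads the _all_process.txt lines written by ScanProcess and reports PCs missing a required process, PCs running prohibited software, and processes seen on only one PC. The sample log, the host names and the process names av_agent.exe and icq.exe are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of LOG\_all_process.txt. Each line has the layout ScanProcess
# writes: DateTimeToStr(Now) + ' ' + computer name + ' : ' + ',proc1,proc2,...'
SAMPLE_LOG = """\
12.03.2007 09:01:14 ACCT-01 : ,smss.exe,csrss.exe,explorer.exe,av_agent.exe
12.03.2007 09:01:20 ACCT-02 : ,smss.exe,csrss.exe,explorer.exe,av_agent.exe,icq.exe
12.03.2007 09:02:03 HR-07 : ,smss.exe,csrss.exe,explorer.exe,svch0st.exe
13.03.2007 09:00:58 ACCT-01 : ,smss.exe,csrss.exe,explorer.exe
"""


def parse_line(line):
    """Return (timestamp, host, process set) or None for a malformed line."""
    head, sep, tail = line.rstrip("\r\n").partition(" : ")
    if not sep or " " not in head:
        return None
    # The date format depends on the client locale, so it is kept as text;
    # the computer name is the last token before ' : '.
    stamp, host = head.rsplit(" ", 1)
    procs = {p.strip().lower() for p in tail.split(",") if p.strip()}
    return stamp, host.upper(), procs


def latest_snapshot(text):
    """Lines are appended in time order, so the last line per host wins."""
    snapshot = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            _, host, procs = rec
            snapshot[host] = procs
    return snapshot


def hosts_missing(snapshot, required):
    """PCs whose latest process list lacks a required process (e.g. the antivirus)."""
    return sorted(h for h, procs in snapshot.items() if required.lower() not in procs)


def hosts_running(snapshot, banned):
    """PCs running any process prohibited by the security policy."""
    banned = {b.lower() for b in banned}
    return {h: sorted(procs & banned)
            for h, procs in sorted(snapshot.items()) if procs & banned}


def rare_processes(snapshot, max_hosts=1):
    """Processes present on at most max_hosts PCs: candidates for manual review."""
    seen = defaultdict(set)
    for host, procs in snapshot.items():
        for p in procs:
            seen[p].add(host)
    return {p: sorted(hs) for p, hs in sorted(seen.items()) if len(hs) <= max_hosts}


if __name__ == "__main__":
    snap = latest_snapshot(SAMPLE_LOG)
    print("missing av_agent.exe:", hosts_missing(snap, "av_agent.exe"))
    print("prohibited software:", hosts_running(snap, ["icq.exe"]))
    print("rare processes:", rare_processes(snap))
```

ACCT-01 shows up as missing the required process only because its most recent line no longer lists it, which is the case a one-off look at the protocol would not catch.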

In conclusion, let’s look at the last of the useful analysis scripts - a script for automatic quarantine of all files that are not recognized by the safe AVZ database and the Microsoft digital signature database:

begin
 // Perform autoquarantine
 ExecuteAutoQuarantine;
end.

Automatic quarantine examines running processes and loaded libraries, services and drivers, about 45 autostart methods, browser and explorer extension modules, SPI/LSP handlers, scheduler jobs, print system handlers, etc. A special feature of quarantine is that files are added to it with repetition control, so the autoquarantine function can be called repeatedly.

The advantage of automatic quarantine is that with its help the administrator can quickly collect potential suspicious files from all computers on the network to study them. The simplest (but very effective in practice) form of studying files can be checking the resulting quarantine with several popular antiviruses in maximum heuristic mode. It should be noted that simultaneous launch of auto-quarantine on several hundred computers can create a high load on the network and the file server.

Traffic Research

Traffic research can be carried out in three ways:

  • manually using sniffers;
  • in semi-automatic mode - in this case, the sniffer collects information, and then its protocols are processed either manually or by some software;
  • automatically using intrusion detection systems (IDS) such as Snort (http://www.snort.org/) or their software or hardware analogues. In the simplest case, an IDS consists of a sniffer and a system that analyzes the information collected by the sniffer.

An intrusion detection system is an optimal tool because it allows you to create sets of rules to detect anomalies in network activity. Its second advantage is that most modern IDS allow traffic monitoring agents to be placed on several network nodes - the agents collect information and transmit it. If you use a sniffer, the console UNIX sniffer tcpdump is very convenient. For example, to monitor activity on port 25 (SMTP protocol), it is enough to run the sniffer with a command line of the form:

tcpdump -i em0 -l tcp port 25 > smtp_log.txt

In this case, packets are captured via the em0 interface; information about captured packets will be stored in the smtp_log.txt file. The protocol is relatively easy to analyze manually; in this example, analyzing activity on port 25 allows you to identify PCs with active spam bots.
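One way to automate the review of smtp_log.txt, as an added example that is not from the original article: a Python script that counts, per source host, how many distinct servers it opened SMTP connections to, and lists the hosts that exceed a threshold and are not known mail servers. The capture lines, addresses, mail-server list and threshold are constructed assumptions; running tcpdump with -n keeps addresses and ports numeric, but the parser also accepts the resolved port name smtp.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump text output for "tcp port 25".
SAMPLE_CAPTURE = """\
09:14:01.100001 IP 192.168.1.23.1045 > 203.0.113.5.25: Flags [S], seq 1000, win 65535, length 0
09:14:01.100900 IP 203.0.113.5.25 > 192.168.1.23.1045: Flags [S.], seq 9000, ack 1001, win 5840, length 0
09:14:01.350002 IP 192.168.1.23.1046 > 198.51.100.17.25: Flags [S], seq 2000, win 65535, length 0
09:14:01.700003 IP 192.168.1.23.1047 > 198.51.100.44.smtp: Flags [S], seq 3000, win 65535, length 0
09:14:02.050004 IP 192.168.1.23.1048 > 203.0.113.90.25: Flags [S], seq 4000, win 65535, length 0
09:14:03.000005 IP 192.168.1.31.2210 > 192.168.1.10.25: Flags [S], seq 5000, win 65535, length 0
09:14:03.500006 IP 192.168.1.10.40112 > 203.0.113.5.25: Flags [S], seq 6000, win 65535, length 0
09:14:03.600007 IP 192.168.1.10.40113 > 198.51.100.17.25: Flags [S], seq 7000, win 65535, length 0
09:14:03.700008 IP 192.168.1.10.40114 > 198.51.100.44.25: Flags [S], seq 8000, win 65535, length 0
09:14:04.000009 IP 192.168.1.23.1045 > 203.0.113.5.25: Flags [P.], seq 1001:1029, ack 9001, win 65535, length 28
"""

# host.port > host.port: rest-of-line; the port is the last dot-separated field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)
SMTP_PORTS = {"25", "smtp"}  # numeric, or resolved when tcpdump runs without -n


def is_syn(rest):
    """True for a connection attempt: SYN without ACK.

    Current tcpdump prints "Flags [S],"; older releases print a bare "S".
    """
    return rest.startswith("Flags [S],") or rest.startswith("S ")


def smtp_fanout(log_text):
    """Map each source host to the set of servers it tried to reach on port 25."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] not in SMTP_PORTS or not is_syn(m["rest"]):
            continue
        targets[m["src"]].add(m["dst"])
    return targets


def suspected_spam_bots(log_text, mail_servers, max_servers=2):
    """Hosts outside mail_servers that contacted more than max_servers SMTP servers."""
    fanout = smtp_fanout(log_text)
    return sorted(
        (src, len(dsts)) for src, dsts in fanout.items()
        if src not in mail_servers and len(dsts) > max_servers
    )


if __name__ == "__main__":
    # 192.168.1.10 is assumed to be the LAN's legitimate mail server.
    for host, count in suspected_spam_bots(SAMPLE_CAPTURE, {"192.168.1.10"}):
        print(f"{host} opened SMTP connections to {count} different servers")
```

A workstation normally talks to one or two mail servers, so the distinct-server count separates a spam bot from ordinary mail clients better than raw packet volume does.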

Application of Honeypot

An outdated computer whose performance does not allow it to be used for solving production problems can be used as a honeypot. For example, in the author’s network, a Pentium Pro with 64 MB of RAM is successfully used as a trap. On this PC you should install the most common operating system on the LAN and choose one of the strategies:

  • Install an operating system without update packages - it will be an indicator of the appearance of an active network worm on the network, exploiting any of the known vulnerabilities for this operating system;
  • install an operating system with updates that are installed on other PCs on the network - the Honeypot will be analogous to any of the workstations.

Each strategy has its pros and cons; the author mainly uses the option without updates. After creating the Honeypot, you should create a disk image so that the system can be quickly restored after it has been damaged by malware. As an alternative to a disk image, you can use change rollback systems such as ShadowUser and its analogues. When building a Honeypot, you should take into account that a number of network worms search for computers to infect by scanning an IP range calculated from the IP address of the infected PC (common typical strategies are X.X.X.*, X.X.X+1.*, X.X.X-1.*); therefore, ideally, there should be a Honeypot on each subnet. As additional preparation, you should definitely open access to several folders on the Honeypot system and place several sample files of various formats in these folders; the minimum set is EXE, JPG, MP3.
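A placement check for the point about scan ranges, as an added example that is not from the original article: for each workstation subnet it works out the ranges named above (X.X.X.*, X.X.X+1.*, X.X.X-1.*) and reports whether a honeypot sits in the subnet itself, only in a neighbouring range, or in none of them. The subnets and honeypot address are constructed, and IPv4 with /24 subnets is assumed.

```python
import ipaddress

# Constructed inventory: workstation subnets and deployed honeypot addresses.
LAN_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.20.0/24"]
HONEYPOTS = ["192.168.10.250"]


def scan_ranges(pc_ip):
    """Ranges a worm on pc_ip would sweep: X.X.X.*, then X.X.X+1.* and X.X.X-1.*."""
    own = ipaddress.ip_network(f"{pc_ip}/24", strict=False)
    base = int(own.network_address)
    third_octet = (base >> 8) & 0xFF
    ranges = [own]
    for step in (1, -1):
        # Skip a neighbour that would carry or borrow out of the third octet.
        if 0 <= third_octet + step <= 255:
            neighbour = ipaddress.ip_address(base + step * 256)
            ranges.append(ipaddress.ip_network(f"{neighbour}/24"))
    return ranges


def honeypot_coverage(subnets, honeypots):
    """Classify every subnet by where the nearest honeypot in scan range sits."""
    traps = [ipaddress.ip_address(h) for h in honeypots]
    report = {}
    for net in subnets:
        # Any PC in the subnet produces the same ranges; use the first host.
        first_host = ipaddress.ip_network(net).network_address + 1
        ranges = scan_ranges(first_host)
        if any(t in ranges[0] for t in traps):
            report[net] = "own subnet"
        elif any(t in r for r in ranges[1:] for t in traps):
            report[net] = "adjacent only"
        else:
            report[net] = "none"
    return report


if __name__ == "__main__":
    for net, status in honeypot_coverage(LAN_SUBNETS, HONEYPOTS).items():
        print(f"{net}: honeypot in scan range = {status}")
```

Subnets reported as "adjacent only" are seen by a worm using the X+1 or X-1 strategy but not by one that sweeps only its own range; "none" marks subnets where an outbreak would go unnoticed by any trap.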

Naturally, having created a Honeypot, the administrator must monitor its operation and respond to any anomalies detected on this computer. Auditors can be used as a means of recording changes; a sniffer can be used to record network activity. An important point is that most sniffers can be configured to send an alert to the administrator if a specified network activity is detected. For example, in the CommView sniffer, a rule involves specifying a “formula” that describes a network packet, or setting quantitative criteria (sending more than a specified number of packets or bytes per second, sending packets to unidentified IP or MAC addresses) - Fig. 2.

Fig. 2. Create and configure a network activity alert

As a warning, it is most convenient to use email messages sent to the administrator's mailbox - in this case, you can receive prompt alerts from all traps in the network. In addition, if the sniffer allows you to create multiple alerts, it makes sense to differentiate network activity, separating out work with email, FTP/HTTP, TFTP, Telnet, MS Net, and traffic increased to more than 20-30 packets per second for any protocol (Fig. 3).

Fig. 3. Notification letter sent if packets matching the specified criteria are detected

When organizing a trap, it is a good idea to place on it several vulnerable network services used on the network or install an emulator for them. The simplest (and free) is the proprietary APS utility, which works without installation. The operating principle of APS comes down to listening to many TCP and UDP ports described in its database and issuing a predetermined or randomly generated response at the moment of connection (Fig. 4).

Fig. 4. Main window of the APS utility

The figure shows a screenshot taken during a real APS activation on the Smolenskenergo LAN. As can be seen in the figure, an attempt was recorded to connect one of the client computers on port 21. Analysis of the protocols showed that the attempts are periodic and are recorded by several traps on the network, which allows us to conclude that the network is being scanned in order to search for and hack FTP servers by guessing passwords. APS keeps logs and can send messages to administrators with reports of registered connections to monitored ports, which is convenient for quickly detecting network scans.

When creating a honeypot, it is also helpful to familiarize yourself with online resources on the topic, in particular http://www.honeynet.org/. In the Tools section of this site (http://www.honeynet.org/tools/index.html) you can find a number of tools for recording and analyzing attacks.

Remote malware removal

Ideally, after detecting malware samples, the administrator sends them to the anti-virus laboratory, where they are promptly studied by analysts and the corresponding signatures are added to the anti-virus database. Through automatic updates, these signatures reach the users' PCs, and the antivirus automatically removes the malware without administrator intervention. However, this chain does not always work as expected; in particular, the following reasons for failure are possible:

  • for a number of reasons independent of the network administrator, the samples may not reach the anti-virus laboratory;
  • insufficient efficiency of the anti-virus laboratory - ideally, it takes no more than 1-2 hours to study samples and enter them into the database, which means that updated signature databases can be obtained within a working day. However, not all antivirus laboratories work so quickly, and you may wait for updates for several days (in rare cases, even weeks);
  • high performance of the antivirus - a number of malicious programs, after activation, destroy antiviruses or otherwise disrupt their operation. Classic examples are adding records to the hosts file, blocking the normal operation of the antivirus auto-update system, deleting antivirus processes, services and drivers, damaging their settings, etc.

Therefore, in the above situations, you will have to deal with malware manually. In most cases, this is not difficult, since the results of the computer examination reveal the infected PCs, as well as the full names of the malware files. All that remains is to remove them remotely. If the malicious program is not protected from deletion, then it can be destroyed using the following AVZ script:

begin
 // Deleting a file
 DeleteFile('filename');
 // Heuristic system cleaning
 ExecuteSysClean;
end.

This script deletes one specified file (or several files, since there can be an unlimited number of DeleteFile commands in a script) and then automatically cleans the registry. In a more complex case, the malware can protect itself from being deleted (for example, by re-creating its files and registry keys) or disguise itself using rootkit technology. In this case, the script becomes more complicated and will look like this:

begin
 // Anti-rootkit
 SearchRootkit(true, true);
 // Control AVZGuard
 SetAVZGuardStatus(true);
 // Deleting a file
 DeleteFile('filename');
 // Enable BootCleaner logging
 BC_LogFile(GetAVZDirectory + 'boot_clr.log');
 // Import into the BootCleaner task a list of files deleted by the script
 BC_ImportDeletedList;
 // Activate BootCleaner
 BC_Activate;
 // Heuristic system cleaning
 ExecuteSysClean;
 // Reboot
 RebootWindows(true);
end.

This script includes active counteraction to rootkits, the use of the AVZGuard system (this is a malware activity blocker) and the BootCleaner system. BootCleaner is a driver that removes specified objects from KernelMode during a reboot, at an early stage of system boot. Practice shows that such a script is able to destroy the vast majority of existing malware. The exception is malware that changes the names of its executable files with each reboot - in this case, files discovered during system scanning can be renamed. In this case, you will need to disinfect your computer manually or create your own malware signatures (an example of a script that implements a signature search is described in the AVZ help).

Conclusion

In this article, we looked at some practical techniques for combating a LAN epidemic manually, without the use of antivirus products. Most of the described techniques can also be used to search for foreign PCs and Trojan bookmarks on user computers. If you have any difficulties finding malware or creating treatment scripts, the administrator can use the “Help” section of the forum http://virusinfo.info or the “Fighting Viruses” section of the forum http://forum.kaspersky.com/index.php?showforum= 18. Study of protocols and assistance in treatment are carried out on both forums free of charge, PC analysis is carried out according to AVZ protocols, and in most cases treatment comes down to executing an AVZ script on infected PCs, compiled by experienced specialists from these forums.

A broken network card will not allow you to access the Internet or local network, if the connection to them is via a network adapter. Network cards can be built-in or external. If the card is external, check to see if it is fully inserted into the slot. Also check the connection tightness network cable with adapter connector. If these options don't work or you have a built-in network adapter, it's most likely a system settings issue.

If the Internet stops working. In the taskbar, check the connection status. If there is a red cross on the Internet access icon, then there is no connection. Try turning it on. To do this, click on the Internet icon and select “Network and Sharing Center.” Click on the red cross in the diagram network connection. This will launch a diagnostic program that will troubleshoot problems and enable the network adapter if it is disabled. Driver failure. If the network card drivers are installed incorrectly or they are damaged, you should reinstall them or make rollback to the last working state. To do this, click "Start", right-click on "Computer" and select "Properties" from the list of commands. From the menu on the left, open Device Manager. In the Network Adapters section, your device may be marked exclamation point, which means it is malfunctioning. Double-click the adapter, select the Driver tab, and click Roll Back.


If rollback doesn't work, try updating the drivers. To do this, in the “Driver” tab, click “Update” above the “Roll Back” button. Select Automatic Search. If your computer has working drivers, Windows will find and install them. If there are none, you will have to download them yourself.

Reinstalling drivers. For built-in network adapters, insert the disk that came with your motherboard and specify the update path to the driver folder. In the “Driver” tab, click “Update” – “Search and install manually” – path to the Drivers folder on the CD. To make searching easier, check the “Including subfolders” checkbox. Click Next. The system will find and install the working files. If your card is external and there is no disk with drivers, you will have to look for them yourself. For this you need the network adapter name. You can find it in Device Manager or on the sticker on the card itself. On a computer with Internet access, go to this site and enter the name of your network card in the search field. Follow the provided link. Select the driver for your version of Windows and click Download. Open the downloaded file and run setup.exe on the computer with the faulty network card. Select “Fix” from the program menu.

Another possible problem is that your network card is disabled and not visible in Device Manager. Don't panic. If it worked properly before, you can turn it on again. To do this, in Device Manager, right-click "Network adapters" and select "Update hardware configuration". Plug and Play should immediately find your device and try to connect it.


Make sure that the problem is with the network card. If the diagnostics described in point 1 did not reveal problems with the adapter, the cause may be the provider or a technical failure on the line. Update drivers regularly and keep the motherboard disk in a safe place; this will help you quickly solve problems with the network card. External cards can be checked on other computers to determine the cause of the problem.


Often when performing pentests, a client asks me to scan the external network (I hope your clients are well aware of the risks and, in addition to the external network scan, will give you access to the internal network, but this is a topic for a separate article). For smaller organizations, I mostly use nmap for all phases of scanning. When it comes to large networks, let's first divide the scanning procedure into separate stages:

  1. General network scan: search for IPv4 addresses that have working services (search for “live” hosts).
  2. Port scanning: searches for open TCP and UDP ports on target systems.
  3. Version detection: Determine the version of services and protocols that use open TCP and UDP ports.

If the range of external IP addresses is about 10 thousand units or less, nmap does an excellent job with all of the above needs. However, in large companies that own hundreds of thousands of IP addresses, the task of identifying “live” hosts in a reasonable time (for example, within a few hours) becomes more difficult. By default, nmap sends several probe requests. If they are unsuccessful, the host is marked as "dead" and no further requests are sent. We can choose not to do a general network scan with the -Pn option, but nmap will then start checking all specified ports for each IPv4 address. Since most external IPv4 addresses do not have running services, checking a large network may take weeks, months or even years. Thus, our task is to find an effective method of searching for IP addresses with running services. The resulting list will then be checked in detail for specific ports and protocol versions.

Nmap has problems with a large range of addresses because the utility operates as a synchronous scanner, monitoring connection requests and waiting for a response. If the TCP connection request (SYN) does not receive a response, it times out and nmap sets the service to filtered status. Nmap runs several probe requests in parallel, but filtered services (and inactive IP addresses) slow down the overall process.

In addition to synchronous utilities, of which nmap is one, there are several asynchronous scanners that do not track connections: scanrand, ZMap, and my favorite, masscan.
I prefer using masscan for several reasons. The first and main reason is that the syntax of masscan is very similar to nmap. Secondly, masscan is one of the fastest even among asynchronous scanners. If you have the right network interfaces and drivers, the speed of this scanner is limited only by the bandwidth of your channel. Using two 10 Gigabit Ethernet adapters from Intel, you can scan the entire range of IPv4 addresses in six minutes, with 10 million packets transmitted every second.

First, let's look at the basic syntax of masscan as it applies to scanning TCP ports over a large network range (for example, the 16 million IPv4 addresses used by Apple).

$ sudo masscan 17.0.0.0/8 -p0-1023

Scan speed

By default, masscan will send 100 packets per second. In each packet, 18 bytes are allocated for the Ethernet header, 20 bytes for the TCP header, and more than 20 bytes for the IPv4 header. As a result, 5800 bytes (or approximately 46 kilobytes) per second are sent. Since masscan spreads its probes evenly across ports and hosts, the bandwidth is also spread evenly across the targets. On a wide channel, scanning a small network can turn into an unintentional DDoS attack, but at 1-10 megabits per second (or 20 thousand packets per second, the --rate 20000 parameter) problems should not arise. On virtual machines, the speed can easily reach 200 thousand packets per second (--rate 200000), which is equivalent to 93 megabits per second of outgoing traffic. However, the need to use such high speeds should be agreed with the client.

Network Scan

How can we determine that a certain IPv4 address has running TCP services? The easiest way is to scan 65536 ports (from 0 to 65535). However, in large networks this method will take too much time even for high speeds. I usually select the 100 or 1000 most popular ports according to nmap. If an IP address responds to any SYN packet (the response is either RST, which indicates a closed port/connection, or SYN-ACK, which indicates an open port/connection), then we store this IP address in a separate list for subsequent analysis using nmap or, for example, the Nessus vulnerability scanner.
Let's use a little trick to get a list of the most popular ports. We will scan our own system and display a list of ports in XML format. The XML format displays the parameters used during scanning and, more importantly, lists the ports in a human-readable form. I selected the first 100 ports, but you can easily change this value (for example, display the first 10 or 1000 ports).

$ nmap localhost --top-ports 100 -oX - | grep services

Next, we use the resulting list as the value of the -p parameter when scanning the target range. We again use the Apple network as an example. A speed of 100,000 packets per second is equivalent to 32 megabits per second of traffic.

$ sudo masscan 17.0.0.0/8 -oG apple-masscan.gnmap -p 7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190 --rate 100000

Note that masscan supports the same -oG filename.gnmap option as nmap. Next, we will process the resulting list (in greppable format) to analyze hosts with open ports. Scanning 16 million addresses on 100 ports will take approximately 5 hours. In my opinion, this time is quite reasonable. Let's look at the first few lines of the resulting file:

# Masscan 1.0.3 scan initiated Thu Jul 20 22:24:40 2017
# Ports scanned: TCP(1;7-7,) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 17.179.241.56 () Ports: 443/open/tcp////
Host: 17.253.84.72 () Ports: 179/open/tcp////
Host: 17.188.161.148 () Ports: 8081/open/tcp////
Host: 17.188.161.212 () Ports: 8081/open/tcp////

Since we only need IP addresses, we will use the egrep utility to find lines starting with "Host:" and then pass the result to the cut utility to extract the second field. We will also sort the list using the sort utility and remove duplicates using uniq.

$ egrep "^Host: " apple-masscan.gnmap | cut -d" " -f2 | sort | uniq > apple-alive

Thus, our list has become significantly smaller, and then we can use nmap for a more detailed analysis:

# nmap -PN -n -A -iL apple-alive -oA apple-nmap-advanced-scan

Now, working from the file generated by masscan, the nmap scanner will be able to get the job done much faster.
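The egrep/cut/sort/uniq step above keeps only the addresses. The script below is an added example, not part of the original article: it parses the same greppable format, drops malformed lines, and also records which ports were seen open on each host. The function names and the sample data (RFC 5737 documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-process masscan greppable (-oG) output.
# Sample data is constructed (RFC 5737 documentation addresses), not real results.
LC_ALL=C; export LC_ALL

sample_gnmap() {
cat <<'EOF'
# Masscan 1.0.3 scan initiated Thu Jul 20 22:24:40 2017
Host: 192.0.2.56 () Ports: 443/open/tcp////
Host: 192.0.2.9 () Ports: 179/open/tcp////
Host: 192.0.2.56 () Ports: 80/open/tcp////
Host: 198.51.100.7 () Ports: 8081/open/tcp////
Host: 192.0.2.56 () Ports: 443/open/tcp////
Host: 192.0.2.300 () Ports: 22/open/tcp////
Host: 192.0.2.77 () Ports:
EOF
}

# Emit one "a.b.c.d.port" record per open TCP port, numerically sorted and
# de-duplicated. Lines with an invalid IPv4 address or no port are dropped.
host_port_pairs() {
  awk '
    function valid(ip,   o, n, i) {
      n = split(ip, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    $1 == "Host:" && valid($2) {
      for (f = 5; f <= NF; f++) {          # fields after "Ports:"
        split($f, p, "/")
        if (p[1] ~ /^[0-9]+$/ && p[2] == "open" && p[3] == "tcp")
          print $2 "." p[1]
      }
    }' |
  sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n -u
}

# Unique responsive hosts, one per line: the input file for nmap -iL.
alive_hosts() {
  host_port_pairs | cut -d. -f1-4 | uniq
}

# "ip port,port,..." per host, so the follow-up scan can be checked
# against the ports that were actually seen open.
open_ports_by_host() {
  host_port_pairs | awk -F. '
    { ip = $1 "." $2 "." $3 "." $4
      if (ip == prev) line = line "," $5
      else { if (NR > 1) print line; line = ip " " $5; prev = ip } }
    END { if (NR > 0) print line }'
}

sample_gnmap | open_ports_by_host
```

Both functions read the .gnmap file on standard input, for example `alive_hosts < apple-masscan.gnmap > apple-alive`.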

Write in the comments if my method helped you in your work. In general, I like nmap, but sometimes resource-intensive tasks are better performed by more specialized utilities.
Thank you for your attention.

The free antivirus scanner ESET Online Scanner is designed to scan your computer for viruses online. The antivirus program performs a one-time virus scan to search for and neutralize malicious and potentially unwanted software.

ESET Online Scanner - what is this program? ESET Online Scanner is an online virus scanner that checks your computer for viruses and neutralizes detected threats. The application needs a permanent Internet connection to work, since the computer is checked using antivirus databases located in the “cloud”, on a remote ESET server.

The application is not intended for permanent protection of the computer from malware. ESET Online Scanner performs a one-time scan of your computer. ESET Online Scanner does not conflict with the antivirus installed on your computer.

The scanner is used as follows: launch the utility, run a one-time check and neutralize threats, then remove the utility from your computer; for the next scan you will need to download the latest version of the antivirus utility.

Main features of ESET Online Scanner:

  • Effectively detect all types of threats
  • Removing malware
  • Testing without installation on a computer
  • Scan the entire computer or scan a specific area

The free ESET Online Scanner program works in Russian. ESET Online Scanner can be downloaded from the official website of the manufacturer, a well-known developer of antivirus software, the Slovak company ESET Software.

ESET Online Scanner does not require installation on your computer; the application runs on 32-bit and 64-bit versions of the Windows operating system. Just run the downloaded file; after the check, this file can be deleted.

Immediately after launching ESET Online Scanner, accept the terms of the license agreement in the “Terms of Use” window by clicking the “I accept” button.

ESET Online Scanner settings

In the “Computer Scan Settings” window, you need to select one of the options for scanning your computer:

  • Enable detection of potentially unwanted applications
  • Disable Potentially Unwanted Application Detection

If you enable the detection of potentially unwanted applications, from the point of view of ESET Online Scanner, the program will find such applications when scanning. If you select this option, a more thorough scan of your computer will take place.

Keep in mind that potentially unwanted applications are not malicious. These may be the programs you need. According to the antivirus utility, potentially unwanted applications may pose a potential threat to your computer.

If detection of potentially dangerous applications is disabled, ESET Online Scanner will only detect malicious software when scanning your computer.

To configure the program's operating parameters, click on "Advanced".

Here you can enable or disable individual application settings, select objects to scan, and configure the proxy server yourself. The optimal settings are selected by default. For example, it is better to first review the detected threats and make the decision yourself than to clean up threats automatically, relying on the program’s opinion.

In the “Current scanning objects” setting, you are prompted to select the objects that the antivirus utility will scan. Click the “Change…” button to select scan objects.

In the “Select Scan Targets” window, you can select the desired option for scanning:

  • Removable media - check removable media connected to the computer
  • Local drives - checking local drives
  • Network drives - check network drives
  • Not chosen

By default, ESET Online Scanner scans the following objects: RAM, the boot sector, and all local drives connected to the computer.

Here you can select only some drives to scan, or specific folders or files. To do this, uncheck unnecessary checkboxes next to scan objects. Next, select the files and folders located on the specific drive. After applying the changes, click on the “OK” button.

If an antivirus is installed on the computer being scanned, ESET Online Scanner will detect it. A message about this will appear in the scan settings window. Click the "Show List" link for complete information.

In this case, ESET Online Scanner detected antivirus software on my computer: Kaspersky Internet Security.

After selecting the settings, click on the “Scan” button to start scanning your computer for viruses.

Virus scan with ESET Online Scanner

First, initialization takes place, during which the database of virus signatures and other necessary components are loaded. Next, the process of scanning your computer for viruses will begin, which will take some time. You can stop the virus scan at any time by clicking the “Stop” button.

In the program window you will see an offer to download the paid antivirus ESET NOD32 Smart Security. If this offer is not relevant, ignore it.

After the scan is completed, if threats were detected on the computer, a window will open in which you will see the malware found.

If necessary, you can copy information about threats to the clipboard, or save it on your computer as a text file in "TXT" format.

In my case, ESET Online Scanner detected Trojans in an archive stored on Google Drive. These turned out to be WordPress theme files that I once tried on a test site. At one time I saved the site folder in Google Drive, so these files are still saved in cloud storage. In the OneDrive cloud storage, the anti-virus scanner detected a threat in some keygen that was in the training course. By the way, Kaspersky Anti-Virus and other anti-virus scanners consider these files to be safe, so it is possible that this is a false alarm.

Depending on the results of the scan, you can take no action, in which case all found files will remain on your computer, or select all or only some of the files to clean from your computer. The selected files will be quarantined or deleted from your computer.

If you select “Do not clean”, a window with information about the scan results will open. In this window, you can select the “Delete application data when closing” option to delete virus data.

Check the boxes next to the detected objects, and then click on the “Clear selected” button (if only some objects are selected), or the “Clear all” button (if all objects are selected).

The next window will display information about the results of the user's previous action on the detected files. In “Quarantine Management” you can choose how to remove the detected virus threats:

  • Delete application data when closing - files will be deleted when the antivirus program is closed
  • Remove files from quarantine - files will be deleted from quarantine

Quarantine (an isolated, protected area on your computer) contains files detected by ESET Online Scanner. First, select the files, then click on the “Back” button, and then select an action: delete when closing the program, or delete files from quarantine.

If the user does not select the option to delete the file, the file will remain in quarantine.

If necessary, a quarantined file can be restored to your computer. To do this, select a file in quarantine, and then click on “Restore”.

After the scan is complete, exit the program, and then delete the virus scanner file from your computer. To run a new scan, download the new version of ESET Online Scanner to your computer.

Conclusion

ESET Online Scanner is a free online antivirus scanner for detecting and removing malicious software from your computer. The program works without installation on the computer. The scanner checks the entire computer or a separate area, and you can also check a separate file or folder in the application.






