Project Description
If you are reading this post, you probably have a technical issue and need the BitDefender System Information tool to gather information for a diagnosis. It can be downloaded here.
Read on for a detailed description of what it is and what it does.
1.What Bitdefender System Info Is
During our time at BitDefender we have come to realize that in order to help clients we need as much information as we can get about their computers. In order to get that kind of information we have developed a tool that, when sent to and run by the client, will scan the computer for known locations where malware resides and create a log that will later be sent to the BitDefender Support team. When developing the tool we had two things in mind. The first one was that it should be user friendly and the second was to get as much information as possible in a relatively short time.
2.What kind of information does BitDefender System Info collect?
We concluded that we need at least the information listed below. Keep in mind that this tools is not final and every suggestion will be taken in consideration.
a) File Information
The tool tries to get the essential information about every file that it comes across.
b) Process Enumeration
BDSystemInfo gathers information about the process running in the client’s system, along with the process command line. (this is very useful, especially when the process that is running is rundll32.exe). For each process listed we also enumerate the modules that the process loaded.
c) Layered stack providers Enumeration
This information is useful for detecting malware that intercepts network traffic
d) Network Configuration
For every network card installed we retrieve information like the ipAddress, the dhcpserver,subnetmask,defaultgateway,dhcpserver and others specific to the network card.
The tool also gathers information about the internet connections established from the machine.(both tcp and udp ports).
e) Driver Enumeration & Service Enumeration
Information about every running driver in the system
f) Internet Explorer Settings
The current settings of Internet Explorer, such as the home page
g) Browser Helper Objects
This is useful when the user is infected with some kind of malware that injects itself into Internet explorer (or explorer), such as a hidden toolbar that will display ads.
h) Winlogon startup
BitDefender System Info lists the path of modules that are loaded when the users logs into Windows
i) Various Run Places
The tool enumerates every process that starts when the users logs on windows.
j) Hidden process enumeration
We have a simple but efficient trick to test if a process is hidden. It doesn’t work every time, but we had good results using this method.
k) Autorun File Enumeration
The tool lists the name and the content of every autorun.inf file located in the root of a partition (example C:\autorun.inf)
l) Scheduled Tasks
BitDefender System Info enumerates every job that is scheduled on the user’s computer
m) Redirected Programs
In Microsoft Windows you can set a program to be executed instead of another. (even though the users intends to execute a specific program). The tools displays the redirected program and the path to which is redirected
n) Policy Settings
The tool displays the policy settings set by an administrator. This is useful especially when malware disables taskmgr or regedit.
o) Winlogon Settings
This are settings specific to winlogon. The most interesting values displayed in this section is the shell and userinit value.
p) Addresses from etc\hosts
This is the section where every line from the driver\etc\hosts file is displayed
q) Firewall Exceptions
In this section you can find information about the files that is excepted from the Windows Firewall. (this works best for Trojan Downloaders)
r) Enumerate Hidden Programs
The tool tries to get information about any program that is hidden to the user
s) Enumerate Program Files
The tool enumerates recursively every directory from the Program Files folder, including information about any executable file that it find during the enumeration.
We have used this information in order to find Rogue AV software installed on clients’ computers.
t) Enumerate Installed Programs
Some adware or rogue AV software install themselves as legitimate programs using Windows installer. You can search them in the list of installed programs. (this is the same information as the user sees when it goes to Add\Remove programs).
u) Other Security Settings
This is the section where we included any additional information that couldn’t be included in any section listed above. For the moment, we only display here the data from the values that are used to redirect every executable file.
v) Enum Streams from Windows Dir
As the name suggests, this section is used to display the path of any streams that run in windows directory.
3.User Interface
The interface is simple allowing the client to create a log with just a click of a button. The log will be automatically zipped with the password “infected”. It is up to the user to then send the log to the support team.
The user can select between 3 types of logs. The first type (the complete one) will include all information listed above. The minimal will contain only Listing Processes,Hidden Processes,Process Command Line, Network Settings, Drivers and Services,Ie Configuration, Ie Registry Keys, Winlogon Statup Places,autorun file, scheduled files,Standard place, redirected startup places,Policy settings, Winlogon settings, Redirected addresses from etc\hosts, Other Security Settings and firewall exception. The main purpose of the minimal log is to create a log much faster. If the user chooses to create a custom log, he will be presented with a menu that allows him to chose what kind of information to collect from his computer.