About Malware Scan
Posted by Jack H. Ward on 02 February 2018 08:06 AM

Scanning for malware means analyzing Windows portable executable files for the signs indicating that a file might be malware.

Portable executable files typically have one of the following extensions: *.com, *.cpl, *.dll, *.efi, *.exe, *.mst, *.mui, *.ocx, *.scr, *.acm, *.ax, *.dat, *.dic, *.drv, *.en, *.enu, *.iec, *.f, *.fil, *.grm, *.lex, *.msstyles, *.olb, *.rll, *.rs, *.v3, *.tlb, *.tsp, *.winmd, *.ime, and *.sys.

Only 32- and 64-bit files are scanned. Scanning of 16-bit files is not supported.

The type of an executable file is determined by its file signature (the bytes of the file header), not by its name: even if a file's extension has been changed, it is still detected as a portable executable file during the scan.

A file is flagged as potential malware on the basis of the following signs:

  • The file has an extension mismatch (the file extension does not correspond to the actual file format).
  • The file has high entropy (which increases the probability that it contains packed, encrypted or otherwise malicious code).
  • The file has no signature.
  • The file has an expired signature.
  • The file has a revoked signature.
  • The file's signature does not chain to a trusted certificate.

The more signs a file contains, the higher the probability of it being malware.
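The following is an added example, not part of the original article or the product's own code. It shows how the first two signs and the 32/64-bit check can be evaluated from a file's bytes: the PE type is read from the header (so a renamed *.exe is still recognised), the extension is compared against the list above, and Shannon entropy flags packed or encrypted content. The Authenticode certificate checks are not covered here, and the sample PE bytes, the 7.0 entropy threshold and all function names are assumptions made for the demo.

```python
import math
import os
import struct

# Extensions the article lists as typical for portable executable files.
PE_EXTENSIONS = {".com", ".cpl", ".dll", ".efi", ".exe", ".mst", ".mui", ".ocx", ".scr",
                 ".acm", ".ax", ".dat", ".dic", ".drv", ".en", ".enu", ".iec", ".f", ".fil",
                 ".grm", ".lex", ".msstyles", ".olb", ".rll", ".rs", ".v3", ".tlb", ".tsp",
                 ".winmd", ".ime", ".sys"}

def pe_bitness(data: bytes):
    """Return 32, 64 or None, decided by the file signature rather than the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None   # MZ stub without a PE header: a 16-bit DOS program, not scanned
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]    # optional header magic
    return {0x10B: 32, 0x20B: 64}.get(magic)                    # PE32 / PE32+

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted content sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_sample_pe(bits: int, payload: bytes) -> bytes:
    """Constructed PE-shaped bytes for the demo only (not a real, runnable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + b"\0" * 20                               # signature + COFF header
    return dos + coff + struct.pack("<H", 0x10B if bits == 32 else 0x20B) + payload

def malware_signs(name: str, data: bytes, entropy_threshold: float = 7.0):
    """List the article's extension-mismatch and high-entropy signs shown by a 32/64-bit PE."""
    signs = []
    if pe_bitness(data) is None:
        return signs   # not a 32- or 64-bit PE file: outside the scope of the scan
    if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
        signs.append("extension mismatch")
    if shannon_entropy(data) >= entropy_threshold:
        signs.append("high entropy")
    return signs

if __name__ == "__main__":
    print(malware_signs("report.pdf", build_sample_pe(32, b"\0" * 100)))   # renamed PE
    print(malware_signs("tool.exe", build_sample_pe(64, bytes(range(256)) * 4)))
```

The more signs a file accumulates across these checks, the higher the scanner's confidence, so in practice the result is a ranked list for an examiner to review rather than a verdict.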

Windows PE malware scan cannot be performed for E3 mobile data case evidence. To search for potential malware in mobile data, use suspicious application detection.

Scanning can be performed for the following evidence types ("+" = supported, "-" = not supported):

  Evidence type                   Malware scan   Malware scan if evidence is embedded
  Mailstorage evidence            +              +   (except GroupWise, Thunderbird, and Windows mail)
  Chat database evidence          -              -
  Internet Browser data evidence  +              +   (Internet Explorer and Mozilla Firefox)
  Filesystem evidence             +              +
  Forensic Container evidence     +              +
  OLE storage evidence            +              +
  Archive evidence                +              +
  Registry file evidence          -              -
  E3 mobile data case             -              -
  iTunes backup evidence          +              -
  SQLite database evidence        +              +
  Project-a-Phone data evidence   -              -
  Memory dump evidence            -              -
  JTAG memory dump                +              -
  Xbox evidence                   +              +
