Documentation Guide to Malicious File Hunter
Introduction:
Malicious File Hunter is a software that allows IT Security Professionals to check for presence of malware files on one or multiple remote Windows computers. This is achieved by running a search query for the malware file names across multiple computers on the network. Results include a number of data on found files to help an administrator analyse and take further appropriate action.
Searching Remote Computers:
This is the core feature of Malicious File Hunter software. It's capable of searching a large number of machines or your entire network for the presence of one or multiple files. Multiple files search is available by using filenames separate by semi-column (;). Wildcard (*) can also be used if full filename is not known.
Search Status Bar:
The search status bar displays a number of information when search is Idle, In Progress, Cancelled or Completed.
Status Description:- Idle: MFH started and no search run yet.
- In Progress: search is in progress
- Completed: search is done and results are in Search Results tab if any found.
- Cancelled: search has been cancelled
Threads:
Threads are the number of threads currently set and used.
Windows Account:
username used to run searchesSearching: displayed when search is in progress and shows the current hostname or IP the search is running on.
Done: displayed when search is in progress and shows the number of hostnames/IPs completed. For instance, if you have 100 machines to search and MFH has completed search on 10, the status bar will show Done: 10/90
Total Files Found: number of files found matching the search query.
Note regarding cancelling search:
Cancelling search may take time depending on how many threads and computers are being searched. The software will need to wait for search to be terminated on each machine that received the search request before search cancelling can be confirmed. This important to ensure the future searches are successfully sent and processed by remote computers.
Search Results:
When search completes, results are displayed on lower window in a table format. Search columns are:Hostname: computer name
IP: IP address
Filename: filename found based on search query
Location: Local path where the file is stored
Size: size of file in Bytes
Type: type of file found. i.e Application, Text file, Word Document.
Created Date: Date when the file was created based on Windows filestamp.
Modified Date: Date when the file was modified based on Windows filestamp.
File Use Count: The number of processes that have the file open for exclusive read/write.
Enabling Settings > Display File Attributes in Results will show additional columns in results:
Compressed: Yes or No; whether the file is an archive like zip, rar, 7z or other compressed formats.
Encrypted: Yes or No; if a password is needed to open a file or it's marked encrypted by Windows.
Hidden: Yes or No; if the file has hidden attributes so it's not displayed when browsing it location
Readable: Yes or No; If the file content can be read
Writeable: Yes or No; If additional data can be added to the file or it's marked for read-only.
Save Results:
The save button allows you to save results to the local software database. This database is used exclusively by MFH. Saved results can be loaded by clicking “Audit Log” > Load Results.
You can delete saved results by clicking Delete saved results button.
Export Results:
Search results can be exported in CSV file format. By default search results are exported to the logged-in user Desktop using filename format: MFH_Exported_Search_Results YYYY-MM-DD--HH-MM-SS.csv
The exported CSV file can be opened by Notepad, Excel or any other software capable of opening CSV files. Also, it can easily be imported to any archive software or database if needed.
The same columns displayed in search results are available in CSV file when exported.
Email Results:
The email feature can send the results to one or multiple email. The following email settings are required before sending an email. You can configure them under Settings > Email Settings:
- SMTP Host
- SMTP Port
- Username
- Password
Some installed Antivirus or Firewall software may blocked MFH from sending emails. You can usually add an exclusion for a process: Malicious File Hunter.exe
Search within Results:
This feature allows you to filter search results further to a keyword string. Let’s you have 100 results of svchost.exe from different machines, but want to see which one are located in \temp folder. You can click on the Search in Results icon and simply type temp as shown below.
Computers & Accounts:
This window allows the user to specify 2 important settings:
Windows Account:
The account username and password that will be used to run search across target machines. It’s important that this account has WMI rights and the target computers have WMI service enabled and WMI is allowed through Windows Firewall. See details here. In many cases, the user is a domain administrator, but any user with WMI rights will do.
Computers
The targeted remote computers for search. By default you will find “localhost” which the local machine where MFH is installed and can be used for a test search. There are a number of ways you can enter targeted computers:
- Copy and paste list of hostnames, IP address or both.
- Set a range of IP addresses
- Specify a TXT or CSV file with hostnames, IP addresses or both - one in each line.
You can test if a user have sufficient WMI rights on a remote computer. Just enter hostname in Computer field and click “Check WMI Access”.
Note:
Username and Password set in Computers & Accounts are also used to run Scheduler searched and Copy to Share features*.
*Scheduler available in Professional and Enterprise editions. Copy to Share available in Enterprise edition.
Scheduler:
The scheduler allows you to configure one or multiple searches to be run at a set time and frequency. You can configure searches to run daily, weekly (every day or selected days) or monthly. The scheduler uses 24hours format.
Creating a Scheduled Task:
You can create a new Scheduled Task by clicking "New Scheduler". This will set the time to the current time, date to "Today", clear search box and set the default path location to the logged in user desktop.
Scheduler Frequency:
Scheduled tasks can run at any set time, daily, weekly - using selected days or all
Schedule Files Format:
Search using scheduler using the same search format as main search. You can search for one file or multiple files separated by semi-column (;) aswell as add wildcards.
Scheduler Credentials:
The scheduler uses the same credentials saved under Computers & Accounts to run searches.
Scheduler Status:
Here are a description of different scheduled tasks statuses:
No Results Yet: Task never run and there is no results yet.
Scheduled: the task is scheduled to run at set time and frequency
Completed: the task did run at least once, but will continue to run if the frequency has been set to Daily, Weekly or Monthly.
Scheduler Results:
The Scheduler window shows the location of results for each task if available:
No Result Yet: is displayed for a new task that has never run.
Open Location: is displayed for scheduled tasks that run at least once.
Scheduled search results are saved on the Desktop of the logged-in user by default using MFH_Scheduled_Search_Results YYYY-MM-DD--HH-MM-SS.csv
When a scheduled search is completed, the status column shows "Completed". You can then open the location where scheduled search results CSV is saved or use Windows explorer to find the saved CSV file.
If the scheduled search is no longer needed, you can delete it using the "Delete" button.
Default Scheduler Path:
The default path where scheduled search results are saved is the user Desktop; his is C:\Users\username\Desktop in Windows 7. You can change the path to another location. The Scheduler automatically checks if the new path is accessible when you click "Add to Scheduler". An error will be displayed if there is a problem accessing the path.
Copy to Share:
Copy to Share allows the user to copy one or multiple files from the search results to a destination share path. The username and password entered under Computers & Accounts will be used to:
- Copy the file(s) from source computer(s), and to
- Write the file to destination share
Copy to Share will only prompt the user for the desitnation as it already has the details from the search results on the location of file(s) on remote computers.
Settings:
The following settings are available under settings pop-up.
Threads:
Threads are used to run multiple concurrent searches on targeted hostnames. For example, if you run a search for notepad.exe on 10 machines, the software construct 10 threads with each one running a separate query for each machine. The same thread waits for response for targeted machine before displaying the results or an error.
If one thread is used for search on 10 machines, a separate sequential search is run on list of machine baded on list order. So the thread will start with machine 1, 2, 3 and so on. The search thread will process results.
Multithreading is available in all. The number of threads available depending on the edition you have purchased. They start from 10 to unlimited.
MFH works by sending one or multiple search requests to the targeted machines and returning results from those machines.
Export CSV Default Location:
Search results can be exported to a CSV file. To make the process easier and faster, clicking “Export Results” button will automatically create a file with the name MFH_Exported_Search_Results date—time.csv to the logged in user desktop. You can change this path under settings.
Results Columns:
By default, the following columns are displayed in results:- Hostname
- IP
- Filename
- Location
- Size (bytes)
- Type
- Created
- Modified
- File in Use
You can view additional field by clicking on Settings > Show File Attributes in Results. This will display the following additional columns:
- Compressed
- Encrypted
- Hidden
- Readable
- Writable
Tabs:
Search Results Tab:
Show results of a search query in a table format starting from Hostname and ending by File Use Count.
Search Log Tab:
Contains details of a search progress. If you are running a big search across dozens or hundreds of machines, this tab show the progress of search across those machines.
Audit Log Tab:
The audit log contains information on who, what and when. Who executed a particular search, what was the search query, date and time of search query and number of results returned. It serves as a basic audit to help the user and management keep track of what Malicious File Hunter software is being used for. It’s not possible to delete the content of Audit Log, unless the software is uninstalled.