Closed lad101880 closed 7 years ago
Hey lad,
These hits are likely the remnants of the Windows Defender signature database. When AV loads into memory it also loads its signature database so that it is available for scanning. This leaves many malicious-looking artifacts in memory that aren't actually part of active malware infections.
We discuss many issues like this, and how to work around them in our memory forensics book: https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098
I am going to close the ticket, but please let us know if you have any further issues.
Hi Atcuno,
I have this book and checked the FREE MEMORY issue, but it is not clearly explained in the book other than to use other tools to analyze it, such as Sleuth Kit. I even found memory on the PID of Windows Defender in combination with FREE MEMORY. So in my thought, yes, it could be a signature from Windows Defender since it is associated with the Windows Defender process ID, but how about the FREE MEMORY, since it is not associated with any PID?
I was thinking of that as well; maybe it might be from the Windows AV, but on some installers that I have, this issue did not show up. I also contacted some researchers, and they mentioned that for anything that would go to the unallocated disk or the FREE MEMORY (from Volatility), the executable was executed somehow.
I'm just confused whether it is indeed infected or not.
What I will do is uninstall Windows Defender and get the memory again after the restart. I will then update you. This is to prove whether Windows Defender is indeed causing this when it tries to load the signatures, as you pointed out.
Hi,
I downloaded a copy of Windows 7 64-bit Enterprise edition from the Microsoft website (volume license). I installed it, and after the installation I took a copy of its memory to check if the installer is clean. I noticed there was a mimikatz string in the output of the tool strings. So I decided to use the strings plugin in Volatility, and it showed that the mimikatz string is in FREE MEMORY. Does it mean that the Microsoft installer is already infected? Has anyone from your team already noticed this? I hope there is an answer about this.
First, I extracted memory (A.raw) on the machines:

Command 1: strings -o A.raw | grep imikat > mimikatz.txt
Results:
25344300513 .\mimikatz.exe
26416362660 .\mimikatz.exe

Command 2: volatility --profile=Win7SP0x64 -f A.mem strings -s mimikatz.txt
Results:
[FREE MEMORY] .\mimikatz.exe
[FREE MEMORY] .\mimikatz.exe
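An added example, not from this thread or the Volatility project, that builds the input file for the Volatility 2 `strings -s` step discussed above from a raw image, searching for the keyword in both ASCII and UTF-16LE (Windows stores many strings as UTF-16, which `strings` without `-e l` misses). It assumes the plugin takes `decimal_offset:string` lines, and it also converts offsets printed by GNU `strings -o`, which are octal on many builds and would be mis-resolved if fed in as decimal; `SAMPLE_IMAGE` and its contents are constructed for the demonstration.

```python
"""Build a Volatility 2 `strings -s` input file from a raw memory image.

Hits that Volatility later resolves to the AV process or to [FREE MEMORY]
are consistent with signature-database residue rather than an infection;
the point here is only to hand the plugin correctly formatted offsets.
"""
import re
from typing import List, Tuple


def find_keyword(image: bytes, keyword: str) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, printable run) for every hit of keyword.

    The surrounding printable run is kept so the output line carries the
    same context `strings` would print (e.g. the full path, not just the name).
    """
    ascii_kw = re.escape(keyword.encode("ascii"))
    utf16_kw = re.escape(keyword.encode("utf-16-le"))
    patterns = (
        ("ascii", re.compile(rb"[\x20-\x7e]*" + ascii_kw + rb"[\x20-\x7e]*")),
        ("utf-16le", re.compile(rb"(?:[\x20-\x7e]\x00)*" + utf16_kw + rb"(?:[\x20-\x7e]\x00)*")),
    )
    hits = []
    for enc, pat in patterns:
        for m in pat.finditer(image):
            hits.append((m.start(), enc, m.group().decode(enc)))
    return sorted(hits)


def to_volatility_lines(hits: List[Tuple[int, str, str]]) -> List[str]:
    """Format hits as `offset:string`, offset in decimal (assumed plugin format)."""
    return [f"{off}:{text}" for off, _enc, text in hits]


def octal_offsets_to_decimal(strings_o_output: str) -> List[str]:
    """Convert GNU `strings -o` lines (octal offset, space, string) to decimal `offset:string`."""
    out = []
    for line in strings_o_output.splitlines():
        off, _, text = line.strip().partition(" ")
        if off:
            out.append(f"{int(off, 8)}:{text}")
    return out


# Constructed stand-in for a memory image: one ASCII and one UTF-16LE copy of the path.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b".\\mimikatz.exe\x00"                               # ASCII hit at offset 64
    + b"\x00" * 32
    + ".\\mimikatz.exe".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE hit at offset 111
    + b"\x00" * 16
)

if __name__ == "__main__":
    for line in to_volatility_lines(find_keyword(SAMPLE_IMAGE, "mimikatz")):
        print(line)
```

Write the printed lines to a file and pass it with `-s`; for a real image, `strings -td` (decimal offsets) avoids the octal conversion step altogether.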