System Information Collector Release Readme

System Information Collector Release Readme

SIC 5.5 Build 1031

Trend Micro Incorporated, 2010. All Rights Reserved.

System Information Collector (SIC Tool) tool is a stand-aloneutility that gathers detailed computer configuration run on possibly infected computers and same time collect suspicious files that will aid malware analysis.

Index

1. Product Version Information
2. SIC Components
3. SIC Features
4. System Requirements and Compatible List
5. Change logs
6. Known Issues
7. About Trend Micro Inc.
8. Contact Information

1. Product Version Information

Build Version:5.5.0.1031

Language:English

Release Platforms:

Windows 2000 Professional and Advance Server

Windows XP Home and Professional

Windows Server 2003 Standard and Enterprise

Windows Vista (all editions) 32-bit platform

Windows 7 (all editions) 32-bit platform

Windows Server 2008 and R2 32-bit platform

1. SIC Components

a. SIC Log Reader(SLR)

Build Version:6.0.0.9

b. SLR Rules

1. SIC Features

1. Gathered system information
2. Add SIC component integrity check (use two-pass CRC check)
3. Re-arrange system information log for better readability
4. Gathered system security information
5. Logs Trend product and pattern versions
6. Enumerate and log Temporary Internet files
7. Log LSP chain and gather files
8. Log active auto-execute registry entries
9. Log scheduled tasks
10. Log auto-execute INI entries
11. Log services in the system
12. Log hidden files hidden by rootkits
13. Archived suspected files
14. Graphical User Interface (GUI)
15. Silent console mode for logon script incorporation
16. Integrates SIC Log Reader(SLR) to help identify suspected malwares programs and reduce the size of SUSPECT.ZIP
17. Additional filtering of normal files using Trend NFC
18. Support Trend Micro Internet Security Pro 2009 product logging

1. System Requirements and Compatibility List

This tool is designed to run under Microsoft Windows 2000/XP/2003/Vista/7/2008platform but only in 32-bit system.

1. New Features in SIC 5.5.1031

Integrate with (tmcomm.sys、tmcomeng.dll、TmEngDrv.dll) 2.80.0.1078

Integrate with tmufeng.dll 3.0.0.1029

Add a new command mode parameter -NOPOPUP for not prompting user for restarting computer if new driver is installed

List services which have the ImagePath and ServiceDll registry values

Fix hanging when exiting on Windows 7

Add a new section in SIC's log for logging hidden files (e.g. TDSS rootkit)
+------
|Logging Hidden Files
+------

Added feature to collect the following additional registry information from the system.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoDriveTypeAutoRun

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoDriveAutoRun

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto

UpdateAUOptions

• HKCU\Software\Microsoft\Internet Explorer\Main

Default_Page_URL

• HKLM\Software\Microsoft\Internet Explorer\Main

Default_Page_URL

• HKCU\Software\Microsoft\Internet Explorer\Main

Default_Search_URL

• HKLM\Software\Microsoft\Internet Explorer\Main

Default_Search_URL

• HKCU\Software\Microsoft\Internet Explorer\Main

Local Page

• HKLM\Software\Microsoft\Internet Explorer\Main

Local Page

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA=

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

NoDispBackgroundPage

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

NoDispBackgroundPage

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

NoDispScrSavPage

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

NoDispScrSavPage

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Added feature to collect the following information from the OSCE installation on the system.

• WRS Active
• Smart Scan iCRC Enabled
• iCRC OTH Pattern Version
• ENT95 Pattern Version
• OSCE Product Version
• AEGIS Enabled
• AEGIS Service Active
• DAC Policy Enabled
• DAC Pop-up Enabled
• Behavioral Monitoring Enabled
• Behavioral Monitoring Pattern Version
• Threat Detection Enabled
• Threat Detection Pattern Version
• Network Virus Wall Enabled
• Network Virus Wall Pattern Version
• GUID
• SPN Data Feedback Enabled
• SPN File Feedback Enabled
• Conficker Patch
• Parent or Server GUID

1. Known Issues

1. SIC is unable to log rootkit (UseTrueApi) when the user in Windows Vista/7 is not login as administrator. (This is possible operating system limitation)
2. SIC is able to log and archive the file executed under reserve folder name (e.g. COM1), however the archive produced cannot be extracted. (This is an operating system limitation)
3. SIC is unable to log Layered Service Provider (LogLSP=1) when the user in Windows Vista/7 is not login as administrator. (This is possible operating system limitation)
4. SIC is unable to log Master Boot Record (LogBootRecords=1) when the user in Windows Vista/7 is not login as administrator. (This is possible operating system limitation)
5. SIC takes a long time to finish logging host machine’s network connections if there are too many connections with a TIME_WAIT state. TIME_WAIT state happens when an application opens a network connection but failed to disconnect it.
6. SIC currently does not implement auto-clean up on files that are copied in SICLOG folder.

1. About Trend Micro Incorporated

Trend Micro Incorporated provides centrally controlled server-based virus protection and content filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro allows companies worldwide to stop viruses and other malicious code from a central point before they can reach the desktop.

Copyright 2010, Trend Micro Incorporated.

1. Contact Information

Email: