How to detect unknown malware with WinPatrol

Beat PC intruders and tune your system

Host-based intrusion detection is a serious consideration for people wishing to stay safe online from as-yet unknown threats.

Knowing exactly what's happening under the hood is also the first step in controlling what your computer does and when. Linux has enjoyed the protection of major open source intrusion detection systems (IDS) for some time.

Windows users have fewer options, but that doesn't mean the threats facing it are any less dangerous. The landscape is now changing so fast that it takes a large and growing online security industry to keep up.

To help gain and keep the upper hand, it's becoming necessary to counter unknown threats as well as trying to spot and stop the known ones. To help, a new class of anti-malware has emerged.

Combining the advantages of an intrusion detection system (IDS) with other software can help detect and block malicious activity, and even clean up after a successful attack.

Detecting intrusions

There are two main types of IDS, which differ in the scope of their protection. A network IDS (NIDS) sits at a strategic point on the network – such as between the internet router and the internal network – where it can see all the data packets as they flow by. It inspects all traffic flowing across, into and out of the network, looking for activity indicating a remote attack.

By contrast, a host-based IDS (HIDS) is installed on each networked computer, and monitors traffic flowing in and out of just that machine. This second type of IDS can be quite specialised, and can monitor individual aspects of the system and its behaviour – such as changes to the Registry.

A protocol-based IDS (PIDS) is an even more dedicated IDS. It's installed on a server (or somewhere it can see all the traffic flowing in and out of the server) and monitors use of the server's specific network connections. It might be installed on a web server to watch the protocols that server speaks, for example.

The detection techniques employed by an IDS fall into several categories. The simplest of these is signature-based. Like most antivirus packages, this tests a huge number of traffic patterns against a large database of profiles generated by known attack types. As with antivirus software, this database must be updated regularly, as new attack signatures become available.

Unlike static virus signatures however, an IDS attack signature has a distinct time element because it needs to understand the order, sequence and possibly even the delays between the packets involved in the attack as they arrive.

Anomaly detection

Anomaly-based intrusion detection is more sophisticated and intelligent. It first establishes a baseline of 'normal' network activity by monitoring network traffic for a while, including the general amounts of bandwidth used, the protocols used, the associated ports, the number of connections and which devices generally connect to each other.

Once in detection mode, the system will compare this baseline to subsequent network traffic patterns. Anything out of the ordinary is considered suspicious.

POSSIBLE THREATS: If you find something potentially dodgy on your system, you can view its details and even add a note for future reference so you don't forget

In an application protocol IDS (APIDS), the baseline is even more specific and has to be far more detailed. To be effective, the APIDS monitors the traffic received and transmitted by the network protocol, so it has to understand in depth the way the protocol is being used in order to look for anything that deviates from the way it's normally used.

Regardless of the detection technique used, once an IDS identifies suspicious activity, it can take two courses of action: active or passive. A passive IDS simply detects and logs anomalies in system behaviour and reports them to the user or system administrator.

An active IDS (intrusion prevention system) can respond automatically to the perceived threat by blocking incoming IP addresses, blocking specific applications from transmitting data, blocking potentially malicious changes to the system, and even by preventing code from running.


WinPatrol has been protecting computers for over a decade, and has just received an overhaul for Windows 7. Although the commercial version has some very useful facilities, the free one is perfectly good for protecting computers on a home network.

After downloading, run the installation executable and click 'Next'. That's all there is to it. At the end, click 'Finish' to run the application and the user interface will appear. If you have audio enabled you'll hear a 'woof' sound.

The main user interface is packed with three rows of tabs, though some are only accessible in the Plus (paid) version of the software. Click the 'Startup programs' tab and you'll see a list of all the programs that start when Windows does.

Although Windows 7 is blindingly fast to boot up compared to earlier versions of the operating system, it can be slowed by this extra load. By selecting a program and clicking 'Remove' or 'Disable', you can temporarily suspend auto-startup of that program, or if it proves to be the one increasing your system boot up time, remove it from the list.

Removal doesn't uninstall the program. If there's anything in this list that you don't recognise, select it and press the 'Info' button. If you're still not convinced that it's benign based on the information, disable it and reboot. If nothing untoward happens, remove it from the list.

The next tab, 'Delayed start', enables you to stagger the startup times of different applications. If you always use a browser first when you boot up and log in, you can add it to the 'Delayed start' tab to make sure that there are no resource contentions, and that the rest of the operating system is up and running before the browser tries to connect to the internet.

Click 'Add', then navigate to the executable for the application. Select it and click 'OK'. Select whether you want the application to start for all users or just you then click 'OK'. Now click the 'Delay options' button. Enter a title for the startup job and a time to wait from bootup to running the application. If the program needs any command line options passing to it, enter these in the 'Parameters' box.

Finally, select the way you want the program to appear – maximised, in a window or minimised to the task bar. Click 'OK' and the name of the delayed startup job changes to the one you entered. Reboot and WinPatrol should implement your changes.

Many people refuse to upgrade to the latest version of Internet Explorer, which means it's the target of all kinds of malicious and potentially malicious browser helper objects (BHOs). These extend the functionality of IE and are loaded when you run the browser. They can also increase the browser's startup time.

They often can't be uninstalled or even seen by normal users – perfect for installing adware and spyware.

Cleaning up IE

Click on the 'IE Helpers' tab in WinPatrol and you'll see a long list of these, plus the browser's toolbar add-ons. If you're irritated by installation programs insisting that you install the Yahoo Search bar, for example, you can remove it here.

The amount of on-screen space taken up by IE's normal toolbars is substantial, without having it further reduced by something you don't want. Select a BHO or toolbar from the list and click 'Info' to learn more. If you don't like what you see, click 'Remove' to delete it from IE and the system.

You'll be asked to confirm your choice before deletion takes place. Malware can also pose as or hijack legitimate scheduled tasks. To inspect these, click the 'Scheduled tasks' tab. Again, click 'Remove' to take any unnecessary or dodgy tasks out of the list.

This and the other two startup tabs are also a great way to clean up a new PC that annoys you with nagware. Now we can move on to the meat of host-based intrusion detection: detecting changes to the system that may indicate the presence of malware, spyware, or adware.

Click the 'Options' tab to configure WinPatrol for detection. Homepage hijacking is finding increasingly sophisticated roles in online crime. With 'Detect Changes to Internet Explorer home and search pages' selected, you'll be notified of any changes to the browser or its configuration.

Detecting changes

The HOSTS file is a throwback to the days before DNS, but it's also the first port of call for any internet-aware program trying to resolve domain names into IP addresses. These programs will use the domain/IP address mappings in the HOSTS file without question, so if this file is changed it can make you believe you're accessing legitimate websites when in fact you're being redirected to malicious ones.


HOSTS FILE: If malware makes changes to the HOSTS file on your computer, it can redirect you to anywhere on the internet without your knowledge

The 'Warn if changes are made to my internet HOSTS and critical system files' option will keep you safe from this form of attack. You can also view the 'HOSTS' file with the appropriate button; Notepad pops up to display it.

The 'HOSTS' file contains a few example mappings between DNS names and IP addresses, each preceded by a hash ('#') symbol, which comments the line out so it is ignored. If you see a mapping without a hash in front of it, and you didn't put it there, place a hash at the start of the line, save the file and reboot to see if it breaks anything. If not, malware may well have been trying to redirect you to a malicious page.
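As an added example (not WinPatrol's own code), here is a small Python script that applies the HOSTS checks described above: it reads the file the way a resolver does, flags any active mapping that points a name somewhere other than loopback or the 0.0.0.0 sinkhole, and compares the file against a stored hash so that an edit is noticed. The sample HOSTS content, hostnames and addresses are constructed for the example.

```python
"""Constructed example: inspect a Windows HOSTS file as the article
describes, flagging active (uncommented) mappings that point a name at a
non-loopback address, and detecting edits against a stored baseline hash.
Not WinPatrol code; the sample HOSTS text below is made up."""
import hashlib
import ipaddress

# Targets a legitimate HOSTS file normally maps names to: loopback for
# localhost, plus the 0.0.0.0 sinkhole that ad-blocking lists use.
BENIGN_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active line.

    A '#' comments out the rest of a line, so commented mappings are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue          # first token is not an address: ignore the line
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries

def suspicious_mappings(text):
    """Active mappings whose target is not a loopback/sinkhole address.

    These are the lines the article says to comment out and test: they send
    the named site to an address of someone else's choosing.
    """
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if ip not in BENIGN_TARGETS]

def hosts_digest(text):
    """SHA-256 of the file text, recorded once as a change-detection baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def hosts_changed(baseline_digest, text):
    """True if the file no longer matches the recorded baseline."""
    return hosts_digest(text) != baseline_digest

# Constructed sample: commented stock entries plus two added mappings.
SAMPLE_HOSTS = """# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0   ads.example          # ad-blocking sinkhole, benign
203.0.113.7   bank.example www.bank.example   # redirects a real site
"""
```

Run `suspicious_mappings(SAMPLE_HOSTS)` to list the redirecting lines; store `hosts_digest()` of the clean file once and call `hosts_changed()` on each check.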

As WinPatrol runs, it creates a log file of events that you can view with the 'WinPatrol log' button. The resulting HTML page gives information about everything that happens on your PC. Pressing the 'Spreadsheet report' button will create a spreadsheet containing the same data. This is written to 'BillP\WinPatrol' in the 'Program Files' folder of your C:\ drive.

One last useful option on this tab is 'Lock file types'. If you've ever been frustrated by legitimate programs changing your carefully modified file associations even when you asked them not to, this option is for you. It prevents such changes from happening.


First published in PC Plus Issue 304
